From aef619e07046c7a035824dc0b1098a577b185cd5 Mon Sep 17 00:00:00 2001
From: Kyle Weller <defconoii@gmail.com>
Date: Mon, 20 Feb 2017 17:07:06 -0500
Subject: [PATCH 001/471] My changes

---
 sysmonconfig-export.xml | 37 +++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e1be4a05..e26b1514 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -22,8 +22,8 @@
 		"LoginGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual user sessions.
 -->
 
-<Sysmon schemaversion="3.20">
-	<HashAlgorithms>md5,IMPHASH</HashAlgorithms>
+<Sysmon schemaversion="3.3">
+	<HashAlgorithms>md5,sha256</HashAlgorithms>
 
 	<EventFiltering>
 
@@ -91,6 +91,9 @@
 		</FileCreateTime>
 		<FileCreateTime onmatch="exclude">
 			<Image condition="image">OneDrive.exe</Image> <!--OneDrive constantly changes file times-->
+			<Image condition="image">vivaldi.exe</Image> <!--Vivaldi constantly changes file times-->
+			<Image condition="image">chrome.exe</Image> <!--Chrome constantly changes file times-->
+			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image> <!--Chrome constantly changes file times-->
 			<Image condition="contains">setup</Image> <!--Ignore setups-->
 		</FileCreateTime>
 
@@ -110,8 +113,18 @@
 			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
+			<Image condition="image">bitsadmin.exe</Image> <!--File Transfer program-->
+			<Image condition="image">mshta.exe</Image>
+			<Image condition="image">python.exe</Image>
+			<Image condition="image">psexecsvc.exe</Image>
+			<Image condition="image">java.exe</Image>
+			<Image condition="image">installutil.exe</Image>
+			<Image condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
+			<Image condition="image">certutil.exe</Image>
+			<Image condition="image">PsExec.exe</Image>
 			<!--Hack tools hosting-->
 			<DestinationHostname condition="end with">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
+			<DestinationHostname condition="end with">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
 			<!--Suspicious destinations-->
 			<DestinationHostname condition="is">api.ipify.org</DestinationHostname> <!--Malware uses to get external IP address-->
 			<DestinationHostname condition="is">whatismyipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
@@ -121,6 +134,12 @@
 			<DestinationHostname condition="is">ifconfig.me</DestinationHostname> <!--Malware uses to get external IP address-->
 			<DestinationHostname condition="is">ifconfig.co</DestinationHostname> <!--Malware uses to get external IP address-->
 			<DestinationHostname condition="is">ipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="is">ipinfo.io</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="end with">goo.gl</DestinationHostname>
+			<DestinationHostname condition="end with">git.io</DestinationHostname>
+			<DestinationHostname condition="end with">bit.ly</DestinationHostname>
+			<DestinationHostname condition="end with">t.co</DestinationHostname>
+			<DestinationHostname condition="end with">ow.ly</DestinationHostname>
 			<!--Dynamic DNS Providers-->
 			<DestinationHostname condition="end with">dlinkddns.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
 			<DestinationHostname condition="end with">no-ip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
@@ -164,6 +183,12 @@
 			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft drivers-->
 			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft drivers-->
 			<Signature condition="begin with">Intel </Signature> <!--Exclude signed Intel drivers-->
+			<Signature condition="contains">Lenovo </Signature> <!--Exclude signed Lenovo drivers-->
+			<Signature condition="contains">Synaptic </Signature> <!--Exclude signed Synaptic drivers-->
+			<Signature condition="contains">Nvidia </Signature> <!--Exclude signed Nvidia drivers-->
+			<Signature condition="contains">Broadcom </Signature> <!--Exclude signed Broadcom drivers-->
+			<Signature condition="contains">AMD </Signature> <!--Exclude signed AMD drivers-->
+			<Signature condition="contains">VMware </Signature> <!--Exclude signed VMware drivers-->
 		</DriverLoad>
 
 	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS -->
@@ -198,6 +223,7 @@
 			<SourceImage condition="image">C:\Windows\System32\audiodg.exe</SourceImage>
 			<StartModule condition="is">C:\windows\system32\kernel32.dll</StartModule>
 			<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage>
+			<SourceImage condition="contains">FireSvc.exe</SourceImage>
 		</CreateRemoteThread>
 
 	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS -->
@@ -215,6 +241,11 @@
 		<!--COMMENT:	Monitor for processes accessing other process' memory. This can be valuable, but can cause massive event glut.
 				Disabled by default since including even one entry here activates this component. Reward/performance decision.
 				Encourage you to experiment with this feature yourself.-->
+			<SourceImage condition="image">winword.exe</SourceImage> <!-- Hancitor process hollowing -->
+			<SourceImage condition="image">excel.exe</SourceImage> <!-- Hancitor process hollowing -->
+			<SourceImage condition="image">mspub.exe</SourceImage> <!-- Hancitor process hollowing -->
+			<SourceImage condition="image">msbuild.exe</SourceImage> <!-- Hancitor process hollowing -->
+			<SourceImage condition="image">powerpnt.exe</SourceImage> <!-- Hancitor process hollowing -->
 		<!--FUTURE WORK:	Include mimikatz-specific events.-->
 		</ProcessAccess>
 
@@ -248,6 +279,7 @@
 			<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
 			<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks -->
 			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
+			<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename> <!--Microsoft: Files dropped here -->
 			<!--SECTION: Mimikatz-->
 				<!--Default-disable <TargetFileName condition="end with">.kirbi</TargetFileName> --> <!-- [ https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos ] -->
 		</FileCreate>
@@ -400,6 +432,7 @@
 			<TargetFilename condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
 			<TargetFilename condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
 			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting files-->
+			<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting files-->
 			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
 			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
 		</FileCreateStreamHash>

From 7cc4f0b7386267f11d90b262bf90e7b59ad27ddb Mon Sep 17 00:00:00 2001
From: Kyle Weller <defconoii@gmail.com>
Date: Mon, 20 Feb 2017 17:12:19 -0500
Subject: [PATCH 002/471] Update version & Contributors

---
 sysmonconfig-export.xml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e26b1514..80bdbcdf 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1,8 +1,12 @@
 <!--
   sysmon-config | A sysmon configuration focused on high-quality event tracing
-  Version: 35 | Date: 2017-02-17
-  By @SwiftOnSecurity, with contributors credited in-line or on Git
+  Version: 36 | Date: 2017-02-20
+  Original By @SwiftOnSecurity, with contributors credited in-line or on Git
   https://github.com/SwiftOnSecurity/sysmon-config
+  Vector-sec Improvements:
+  https://github.com/vector-sec/sysmon-config
+  ion-storm Improvements:
+  https://github.com/ion-storm/sysmon-config
 
   Required Sysmon version: 5.02 or higher
   https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx

From 91c3dba2bebb75ed50582df907c51c8816326849 Mon Sep 17 00:00:00 2001
From: Kyle Weller <defconoii@gmail.com>
Date: Mon, 20 Feb 2017 17:31:30 -0500
Subject: [PATCH 003/471] Add additional filetypes

---
 sysmonconfig-export.xml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 80bdbcdf..3ff6d920 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -271,6 +271,16 @@
 			<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
 			<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
 			<TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
+			<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry files-->
+			<TargetFilename condition="end with">.docm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.xlsm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.xlam</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.potm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.sldm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
+			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
 			<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
 			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
 			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
@@ -435,10 +445,16 @@
 			<TargetFilename condition="contains">Content.Outlook</TargetFilename> <!--Microsoft:Outlook: Attachments--> <!--PRIVACY WARNING-->
 			<TargetFilename condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
 			<TargetFilename condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
+			<TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting files-->
 			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting files-->
 			<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting files-->
 			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
 			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
+			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting-->
+			<TargetFilename condition="end with">.ps1</TargetFilename> <!--Powershell-->
+			<TargetFilename condition="end with">.ps2</TargetFilename> <!--Powershell-->
+			<TargetFilename condition="end with">.lnk</TargetFilename> <!--Shortcut file-->
+			<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry File-->
 		</FileCreateStreamHash>
 
 	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY [ SYSMON 6.00+ ] -->

From 3cc42ba3da7343e9fe889670dcd52649932170a8 Mon Sep 17 00:00:00 2001
From: Kyle Weller <defconoii@gmail.com>
Date: Mon, 20 Feb 2017 17:35:44 -0500
Subject: [PATCH 004/471] Add Remote registry to network detection

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 3ff6d920..58870985 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -126,6 +126,7 @@
 			<Image condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
 			<Image condition="image">certutil.exe</Image>
 			<Image condition="image">PsExec.exe</Image>
+			<Image condition="image">reg.exe</Image><!-- Remote Registry -->
 			<!--Hack tools hosting-->
 			<DestinationHostname condition="end with">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
 			<DestinationHostname condition="end with">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->

From a30978a6c0bc7ecd7860418323bf66626dc9614b Mon Sep 17 00:00:00 2001
From: Kyle Weller <defconoii@gmail.com>
Date: Mon, 20 Feb 2017 17:45:50 -0500
Subject: [PATCH 005/471] Added RDP/MSTSC

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 58870985..06cf5ba6 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -127,6 +127,7 @@
 			<Image condition="image">certutil.exe</Image>
 			<Image condition="image">PsExec.exe</Image>
 			<Image condition="image">reg.exe</Image><!-- Remote Registry -->
+			<Image condition="image">mstsc.exe</Image><!-- Remote Desktop -->
 			<!--Hack tools hosting-->
 			<DestinationHostname condition="end with">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
 			<DestinationHostname condition="end with">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
@@ -282,6 +283,7 @@
 			<TargetFilename condition="end with">.sldm</TargetFilename> <!--Office Macros-->
 			<TargetFilename condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
 			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
+			<TargetFilename condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
 			<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
 			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
 			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->

From da03cf3517070f3ef5b04f809ff149630475d60b Mon Sep 17 00:00:00 2001
From: Kyle Weller <defconoii@gmail.com>
Date: Mon, 20 Feb 2017 20:09:48 -0500
Subject: [PATCH 006/471] Update README.md

---
 README.md | 2 --
 1 file changed, 2 deletions(-)

diff --git a/README.md b/README.md
index de01c5bc..6cbb6c60 100644
--- a/README.md
+++ b/README.md
@@ -12,8 +12,6 @@ Pull requests and issue tickets are welcome, and new additions will be credited
 
 Note: Exact syntax and filtering choices are deliberate to catch appropriate entries and to have as little performance impact as possible. Sysmon's filtering abilities are different than the built-in Windows auditing features, so often a different approach is taken than the normal static listing of every possible important area.
 
-You can contact @SwiftOnSecurity on Twitter for any urgent questions or issues.
-
 ## Use ##
 ### Install ###
 Run with administrator rights

From 639192ef49b497a1335f8af811b4cb6c68baf3c1 Mon Sep 17 00:00:00 2001
From: Kyle Weller <defconoii@gmail.com>
Date: Mon, 20 Feb 2017 20:25:34 -0500
Subject: [PATCH 007/471] Add common SSH/Telnet utilities

---
 sysmonconfig-export.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 06cf5ba6..1e442e1a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -128,6 +128,13 @@
 			<Image condition="image">PsExec.exe</Image>
 			<Image condition="image">reg.exe</Image><!-- Remote Registry -->
 			<Image condition="image">mstsc.exe</Image><!-- Remote Desktop -->
+			<Image condition="image">telnet.exe</Image><!-- Telnet -->
+			<Image condition="image">ssh.exe</Image><!-- SSH -->
+			<Image condition="image">putty.exe</Image><!-- SSH -->
+			<Image condition="image">kitty.exe</Image><!-- SSH -->
+			<Image condition="image">kitty_portable.exe</Image><!-- SSH -->
+			<Image condition="image">psftp.exe</Image><!-- SFTP -->
+			<Image condition="image">tftp.exe</Image><!-- TFTP -->
 			<!--Hack tools hosting-->
 			<DestinationHostname condition="end with">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
 			<DestinationHostname condition="end with">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->

From 5b722a2086ef30c9427584ab86c5c315963ac003 Mon Sep 17 00:00:00 2001
From: Kyle Weller <defconoii@gmail.com>
Date: Mon, 20 Feb 2017 20:55:56 -0500
Subject: [PATCH 008/471] Add Windows 10

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 1e442e1a..e36a0019 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -40,6 +40,7 @@
 			<!--SECTION: Microsoft Windows-->
 			<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes-->
 			<Image condition="image">C:\Windows\System32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly-->
+			<Image condition="image">C:\Windows\System32\taskhostw.exe</Image> <!--Microsoft:Windows: Launched constantly-->
 			<Image condition="image">C:\Windows\System32\conhost.exe</Image> <!--Microsoft:Windows: Command line interface host process-->
 			<Image condition="image">C:\Windows\System32\wbem\WmiApSrv.exe</Image> <!--Microsoft:Windows: WMI performance adpater host process-->
 			<ParentImage condition="image">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->

From 3a4a4311c193eb60a6186ea5792295317692f714 Mon Sep 17 00:00:00 2001
From: Kyle Weller <defconoii@gmail.com>
Date: Mon, 20 Feb 2017 21:00:49 -0500
Subject: [PATCH 009/471] Revert taskhostw addition

this may have some important things to watch
---
 sysmonconfig-export.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e36a0019..1e442e1a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -40,7 +40,6 @@
 			<!--SECTION: Microsoft Windows-->
 			<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes-->
 			<Image condition="image">C:\Windows\System32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly-->
-			<Image condition="image">C:\Windows\System32\taskhostw.exe</Image> <!--Microsoft:Windows: Launched constantly-->
 			<Image condition="image">C:\Windows\System32\conhost.exe</Image> <!--Microsoft:Windows: Command line interface host process-->
 			<Image condition="image">C:\Windows\System32\wbem\WmiApSrv.exe</Image> <!--Microsoft:Windows: WMI performance adpater host process-->
 			<ParentImage condition="image">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->

From 896781ee4c142b30e6b1dcb2fa9a90859cb4b6ce Mon Sep 17 00:00:00 2001
From: Kyle Weller <defconoii@gmail.com>
Date: Mon, 20 Feb 2017 21:51:23 -0500
Subject: [PATCH 010/471] Add mimikatz detection

---
 sysmonconfig-export.xml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 1e442e1a..457b78fa 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -259,7 +259,9 @@
 			<SourceImage condition="image">mspub.exe</SourceImage> <!-- Hancitor process hollowing -->
 			<SourceImage condition="image">msbuild.exe</SourceImage> <!-- Hancitor process hollowing -->
 			<SourceImage condition="image">powerpnt.exe</SourceImage> <!-- Hancitor process hollowing -->
-		<!--FUTURE WORK:	Include mimikatz-specific events.-->
+		<!--Include mimikatz-specific events.-->
+			<SourceImage condition="contains">powershell.exe</SourceImage>
+ 			<TargetImage condition="contains">lsass.exe</TargetImage>
 		</ProcessAccess>
 
 	<!--SYSMON EVENT ID 11 : FILE CREATED -->

From 3a97995f0e2aadb1324e822ac3b6fbce9428ab12 Mon Sep 17 00:00:00 2001
From: Kyle Weller <defconoii@gmail.com>
Date: Mon, 20 Feb 2017 22:41:43 -0500
Subject: [PATCH 011/471] Add some common Ransomware filenames

---
 sysmonconfig-export.xml | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 457b78fa..86f6e0e1 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -306,6 +306,44 @@
 			<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks -->
 			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
 			<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename> <!--Microsoft: Files dropped here -->
+			<!--SECTION: Ransomware-->
+			<TargetFilename condition="contains">help_decrypt</TargetFilename>
+			<TargetFilename condition="contains">help_restore</TargetFilename>
+			<TargetFilename condition="contains">ReadDecryptFilesHere</TargetFilename>
+			<TargetFilename condition="contains">howto_recover_file</TargetFilename>
+			<TargetFilename condition="contains">recover_file_</TargetFilename>
+			<TargetFilename condition="contains">Recovery_file_</TargetFilename>
+			<TargetFilename condition="contains">how_to_decrypt</TargetFilename>
+			<TargetFilename condition="contains">encryptor_raas_readme_liesmich</TargetFilename>
+			<TargetFilename condition="contains">_how_recover_</TargetFilename>
+			<TargetFilename condition="contains">HOWTO_RESTORE_FILES_</TargetFilename>
+			<TargetFilename condition="contains">help_my_files</TargetFilename>
+			<TargetFilename condition="contains">how_recover</TargetFilename>
+			<TargetFilename condition="contains">HELP_TO_SAVE_FILES</TargetFilename>
+			<TargetFilename condition="contains">DECRYPT_INSTRUCTIONS</TargetFilename>
+			<TargetFilename condition="contains">YOUR_FILES.url</TargetFilename>
+			<TargetFilename condition="contains">Coin.Locker.txt</TargetFilename>
+			<TargetFilename condition="contains">_secret_code.txt</TargetFilename>
+			<TargetFilename condition="contains">Decrypt_readme.txt</TargetFilename>
+			<TargetFilename condition="contains">INSTUCCIONES_DESCRIFRADO</TargetFilename>
+			<TargetFilename condition="contains">FILESAREGONE.txt</TargetFilename>
+			<TargetFilename condition="contains">IAMREADYTOPAY.TXT</TargetFilename>
+			<TargetFilename condition="contains">HELLOTHERE.TXT</TargetFilename>
+			<TargetFilename condition="contains">READTHISNOW!!!.txt</TargetFilename>
+			<TargetFilename condition="contains">SECRETIDHERE.KEY</TargetFilename>
+			<TargetFilename condition="contains">IHAVEYOURSECRET.KEY</TargetFilename>
+			<TargetFilename condition="contains">SECRET.KEY</TargetFilename>
+			<TargetFilename condition="contains">HELPDECRYPT_YOUR_FILES.HTML</TargetFilename>
+			<TargetFilename condition="contains">RECOVERY_FILES.TXT</TargetFilename>
+			<TargetFilename condition="contains">RECOVERY_FILE.</TargetFilename>
+			<TargetFilename condition="contains">HowtoRestore_Files</TargetFilename>
+			<TargetFilename condition="contains">restorefiles</TargetFilename>
+			<TargetFilename condition="contains">howrecover+</TargetFilename>
+			<TargetFilename condition="contains">recoveryfile</TargetFilename>
+			<TargetFilename condition="contains">help_recover_instructions</TargetFilename>
+			<TargetFilename condition="contains">_Locky_recover</TargetFilename>
+			<TargetFilename condition="contains">_ReCoVeRy_</TargetFilename>
+			
 			<!--SECTION: Mimikatz-->
 				<!--Default-disable <TargetFileName condition="end with">.kirbi</TargetFileName> --> <!-- [ https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos ] -->
 		</FileCreate>

From a206a9b56f9d8b9d3d33711295ce765437429ed1 Mon Sep 17 00:00:00 2001
From: Kyle Weller <defconoii@gmail.com>
Date: Mon, 20 Feb 2017 22:43:28 -0500
Subject: [PATCH 012/471] Update sysmonconfig-export.xml

---
 sysmonconfig-export.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 86f6e0e1..626a043d 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -343,7 +343,6 @@
 			<TargetFilename condition="contains">help_recover_instructions</TargetFilename>
 			<TargetFilename condition="contains">_Locky_recover</TargetFilename>
 			<TargetFilename condition="contains">_ReCoVeRy_</TargetFilename>
-			
 			<!--SECTION: Mimikatz-->
 				<!--Default-disable <TargetFileName condition="end with">.kirbi</TargetFileName> --> <!-- [ https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos ] -->
 		</FileCreate>

From ca1b6e0143bdddf4cec91dd6af196cb085ff28b8 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 13:35:45 -0500
Subject: [PATCH 013/471] Add Exclusion for Windows Taskbar Noise

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 626a043d..20ca4987 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -480,6 +480,7 @@
 			<TargetObject condition="end with">\UserChoice\Hash</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+ -->
 			<TargetObject condition="end with">\OpenWithList\MRUList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
 			<TargetObject condition="end with">} 0xFFFF</TargetObject> <!--Microsoft:Windows: Remove noise from explorer.exe from monitoring ShellCached binary keys--> <!--Win8+ -->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked</TargetObject><!--Microsoft:Windows Remove noise from Windows 10 Taskbar--> <!--Win10 -->
 			<!--SECTION: 3rd party-->
 			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image>
 		</RegistryEvent>

From 33337612c9c1b2ea10ac3ac1edb86038150deeff Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 13:43:41 -0500
Subject: [PATCH 014/471] Add wmic /node logging.

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 20ca4987..d1a702e9 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -135,6 +135,7 @@
 			<Image condition="image">kitty_portable.exe</Image><!-- SSH -->
 			<Image condition="image">psftp.exe</Image><!-- SFTP -->
 			<Image condition="image">tftp.exe</Image><!-- TFTP -->
+			<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
 			<!--Hack tools hosting-->
 			<DestinationHostname condition="end with">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
 			<DestinationHostname condition="end with">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->

From e800c2f2a14f7860be8f3d6374b8570e3615034d Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 15:42:03 -0500
Subject: [PATCH 015/471] Add ConnectWise & ScreenConnect exclusions to cut
 down on noise.

---
 sysmonconfig-export.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index d1a702e9..8d5a3768 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -136,6 +136,7 @@
 			<Image condition="image">psftp.exe</Image><!-- SFTP -->
 			<Image condition="image">tftp.exe</Image><!-- TFTP -->
 			<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
+			<Image condition="image">at.exe</Image><!-- Remote Task Scheduler logging -->
 			<!--Hack tools hosting-->
 			<DestinationHostname condition="end with">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
 			<DestinationHostname condition="end with">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
@@ -174,6 +175,8 @@
 			<Image condition="image">Spotify.exe</Image> <!--Spotify-->
 			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
 			<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image> <!--Dropbox-->
+			<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--ConnectWise Client Noise-->
+			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image> <!--ScreenConnect Client Noise-->
 			<DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
 			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
 			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->

From b5c349a4042c5ea7f8d3d178355f9eecc5b76d75 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 15:44:10 -0500
Subject: [PATCH 016/471] Screenconnect & Connectwise Noise exclusions.

---
 sysmonconfig-export.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 8d5a3768..2d6a0486 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -175,8 +175,8 @@
 			<Image condition="image">Spotify.exe</Image> <!--Spotify-->
 			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
 			<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image> <!--Dropbox-->
-			<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--ConnectWise Client Noise-->
-			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image> <!--ScreenConnect Client Noise-->
+			<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--ConnectWise Noise-->
+			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image> <!--ScreenConnect Noise-->
 			<DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
 			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
 			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->

From 181df78210abb7b6aeac3d486760dac82b923705 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 15:51:35 -0500
Subject: [PATCH 017/471] Add network logging of tor2web

---
 sysmonconfig-export.xml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 2d6a0486..5263313a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -170,6 +170,17 @@
 			<DestinationHostname condition="end with">zapto.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
 			<DestinationHostname condition="end with">servehttp.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
 			<DestinationHostname condition="end with">sytes.net</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<!--Tor2Web Providers-->
+			<DestinationHostname condition="end with">onion.to</DestinationHostname> <!--tor2web service -->
+			<DestinationHostname condition="end with">onion.cab</DestinationHostname> <!--tor2web service -->
+			<DestinationHostname condition="end with">onion.sh</DestinationHostname> <!--tor2web service -->
+			<DestinationHostname condition="end with">onion.nu</DestinationHostname> <!--tor2web service -->
+			<DestinationHostname condition="end with">onion.direct</DestinationHostname> <!--tor2web service -->
+			<DestinationHostname condition="end with">tor2web.org</DestinationHostname> <!--tor2web service -->
+			<DestinationHostname condition="end with">tor2web.fi</DestinationHostname> <!--tor2web service -->
+			<DestinationHostname condition="end with">tor2web.blutmagie.de</DestinationHostname> <!--tor2web service -->
+			<DestinationHostname condition="end with">tor-gateways.de</DestinationHostname> <!--tor2web service -->
+			<DestinationHostname condition="end with">hiddenservice.net</DestinationHostname> <!--tor2web service -->
 		</NetworkConnect>
 		<NetworkConnect onmatch="exclude">
 			<Image condition="image">Spotify.exe</Image> <!--Spotify-->

From 23dd12cde82ef9fda2d365d5417b82225c7b1651 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 15:55:03 -0500
Subject: [PATCH 018/471] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6cbb6c60..8f47ba82 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@ This is a Microsoft Sysinternals Sysmon configuration file template with default
 
 The file provided should function as a great starting point for system monitoring in a self-contained package. This configuration and results should give you a good idea of what's possible for Sysmon.
 
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**[sysmonconfig-export.xml](https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml)**
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**[sysmonconfig-export.xml](https://github.com/ion-storm/sysmon-config/blob/master/sysmonconfig-export.xml)**
 
 Because virtually every line is commented and sections are marked with explanations, it should also function as a tutorial for Sysmon and a guide to critical monitoring areas in Windows systems. It demonstrates a lot of what I wish I knew when I began with Sysmon in 2014.
 

From 747dec2a200e135794bb454ae959b5daca0861e7 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 16:03:33 -0500
Subject: [PATCH 019/471] Add Sysmon Auto Installer w/Config

---
 Install Sysmon.bat | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 Install Sysmon.bat

diff --git a/Install Sysmon.bat b/Install Sysmon.bat
new file mode 100644
index 00000000..6ec73acd
--- /dev/null
+++ b/Install Sysmon.bat	
@@ -0,0 +1,10 @@
+@echo off
+cd %temp%
+echo [+] Downloading Sysmon...
+@powershell (new-object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon.exe','%temp%\sysmon.exe')"
+echo [+] Downloading Sysmon config...
+@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml','%temp%\sysmonconfig-export.xml')"
+sysmon.exe -accepteula -i sysmonconfig-export.xml
+echo [+] Sysmon Successfully Installed!
+timeout /t 10
+exit
\ No newline at end of file

From 053a08ba04a2cbcbcd2ec03ae116726ab91b0f29 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 16:09:17 -0500
Subject: [PATCH 020/471] Cleanup a bit of excess

---
 sysmonconfig-export.xml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 5263313a..85a02eb7 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -171,16 +171,16 @@
 			<DestinationHostname condition="end with">servehttp.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
 			<DestinationHostname condition="end with">sytes.net</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
 			<!--Tor2Web Providers-->
-			<DestinationHostname condition="end with">onion.to</DestinationHostname> <!--tor2web service -->
-			<DestinationHostname condition="end with">onion.cab</DestinationHostname> <!--tor2web service -->
-			<DestinationHostname condition="end with">onion.sh</DestinationHostname> <!--tor2web service -->
-			<DestinationHostname condition="end with">onion.nu</DestinationHostname> <!--tor2web service -->
-			<DestinationHostname condition="end with">onion.direct</DestinationHostname> <!--tor2web service -->
-			<DestinationHostname condition="end with">tor2web.org</DestinationHostname> <!--tor2web service -->
-			<DestinationHostname condition="end with">tor2web.fi</DestinationHostname> <!--tor2web service -->
-			<DestinationHostname condition="end with">tor2web.blutmagie.de</DestinationHostname> <!--tor2web service -->
-			<DestinationHostname condition="end with">tor-gateways.de</DestinationHostname> <!--tor2web service -->
-			<DestinationHostname condition="end with">hiddenservice.net</DestinationHostname> <!--tor2web service -->
+			<DestinationHostname condition="end with">onion.to</DestinationHostname>
+			<DestinationHostname condition="end with">onion.cab</DestinationHostname>
+			<DestinationHostname condition="end with">onion.sh</DestinationHostname>
+			<DestinationHostname condition="end with">onion.nu</DestinationHostname>
+			<DestinationHostname condition="end with">onion.direct</DestinationHostname>
+			<DestinationHostname condition="end with">tor2web.org</DestinationHostname>
+			<DestinationHostname condition="end with">tor2web.fi</DestinationHostname>
+			<DestinationHostname condition="end with">tor2web.blutmagie.de</DestinationHostname>
+			<DestinationHostname condition="end with">tor-gateways.de</DestinationHostname>
+			<DestinationHostname condition="end with">hiddenservice.net</DestinationHostname>
 		</NetworkConnect>
 		<NetworkConnect onmatch="exclude">
 			<Image condition="image">Spotify.exe</Image> <!--Spotify-->

From e21e9e7557ba3b6240909d22e9feed315c07322e Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 16:11:43 -0500
Subject: [PATCH 021/471] Update README.md

---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/README.md b/README.md
index 8f47ba82..8bfc85c1 100644
--- a/README.md
+++ b/README.md
@@ -13,6 +13,10 @@ Pull requests and issue tickets are welcome, and new additions will be credited
 Note: Exact syntax and filtering choices are deliberate to catch appropriate entries and to have as little performance impact as possible. Sysmon's filtering abilities are different than the built-in Windows auditing features, so often a different approach is taken than the normal static listing of every possible important area.
 
 ## Use ##
+
+### Auto-Install ###
+Install Sysmon.bat
+
 ### Install ###
 Run with administrator rights
 ~~~~

From 026714faef6f26bf1c13e62f45584d08126a0e67 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 16:42:59 -0500
Subject: [PATCH 022/471] Add wermgr.exe

Changes:
- Ignore wermgr.exe launches
MAJOR: 40 - Sysmon 6.0 required schema 3.3, performance

Changes:
- Adding networkconnect for msiexec.exe thanks @vector-sec
- Schema version 3.3 brings changes to registry syntax. HKLM and HKCU
replace \REGISTRY\MACHINE and \REGISTRY\USER
- Network destination hostname monitoring has been removed, see issue
#13 on Github
- For performance, changed fully-qualified application pathes to "is"
instead of "image" to prevent extra relative name checking
- Extra commentary
- Cleanup of default-disabled entries for better visual look
FIX: ControlSet001 to CurrentControlSet

Changes:
- Fix ControlSet001 to CurrentControlSet after schema version updated to
3.3
- Change back to md5,imphash by default
---
 sysmonconfig-export.xml | 190 ++++++++++++++++++++++------------------
 1 file changed, 107 insertions(+), 83 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 85a02eb7..c571ce84 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1,14 +1,14 @@
 <!--
   sysmon-config | A sysmon configuration focused on high-quality event tracing
-  Version: 36 | Date: 2017-02-20
-  Original By @SwiftOnSecurity, with contributors credited in-line or on Git
+  Version: 40 | Date: 2017-02-21
+  By @SwiftOnSecurity, with contributors credited in-line or on Git
   https://github.com/SwiftOnSecurity/sysmon-config
   Vector-sec Improvements:
   https://github.com/vector-sec/sysmon-config
   ion-storm Improvements:
   https://github.com/ion-storm/sysmon-config
 
-  Required Sysmon version: 5.02 or higher
+  REQUIRED: Sysmon version 6.00 or higher (due to changes in registry syntax)
   https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
 
   NOTE: Although this is stable and inclusive, you should periodically check for new versions to ensure best coverage.
@@ -26,9 +26,8 @@
 		"LoginGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual user sessions.
 -->
 
-<Sysmon schemaversion="3.3">
-	<HashAlgorithms>md5,sha256</HashAlgorithms>
-
+<Sysmon schemaversion="3.30">
+	<HashAlgorithms>sha256</HashAlgorithms>
 	<EventFiltering>
 
 	<!--SYSMON EVENT ID 1 : PROCESS CREATION -->
@@ -39,51 +38,69 @@
 				Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created.-->
 			<!--SECTION: Microsoft Windows-->
 			<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes-->
-			<Image condition="image">C:\Windows\System32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly-->
-			<Image condition="image">C:\Windows\System32\conhost.exe</Image> <!--Microsoft:Windows: Command line interface host process-->
-			<Image condition="image">C:\Windows\System32\wbem\WmiApSrv.exe</Image> <!--Microsoft:Windows: WMI performance adpater host process-->
-			<ParentImage condition="image">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
+			<Image condition="is">C:\Windows\System32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly-->
+			<Image condition="is">C:\Windows\System32\conhost.exe</Image> <!--Microsoft:Windows: Command line interface host process-->
+			<Image condition="is">C:\Windows\System32\wbem\WmiApSrv.exe</Image> <!--Microsoft:Windows: WMI performance adpater host process-->
+			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
 			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
 			<ParentCommandLine condition="begin with">C:\Windows\system32\svchost.exe -k DcomLaunch</ParentCommandLine> <!--Microsoft:Windows-->
-			<ParentCommandLine condition="begin with">%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but without attribution-->
+			<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but without attribution-->
 			<CommandLine condition="is">C:\windows\System32\svchost.exe -k WerSvcGroup</CommandLine> <!--Microsoft:WindowsErrorReporting-->
 			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
+			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
 			<!--SECTION: Microsoft dotNet-->
-			<ParentImage condition="image">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
-			<Image condition="image">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
-			<ParentImage condition="image">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
-			<Image condition="image">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
+			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
+			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
+			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
+			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
 			<!--SECTION: Microsoft Office-->
-			<Image condition="image">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process-->
-			<Image condition="image">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> <!--Microsoft:Office: Background process-->
-			<ParentImage condition="image">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process-->
-			<ParentImage condition="image">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage> <!--Microsoft:Office: Background process-->
+			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process-->
+			<ParentImage condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage> <!--Microsoft:Office: Background process-->
+			<ParentImage condition="end with">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process-->
+			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> <!--Microsoft:Office: Background process-->
 			<!--SECTION: Google-->
 			<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
 			<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
-			<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Update\</CommandLine> <!--Google:Chrome: Updater-->
+			<ParentImage condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage> <!--Google:Chrome: Updater-->
 			<!-- SECTION: Firefox -->
 			<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox massive command-line arguments || Contributor @Darkbat91 -->
 			<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox massive command-line arguments || Contributor @Darkbat91 -->
-			<!--SECTION: Dell-->
-			<Image condition="Image">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image> <!--Dell:SupportAssist: routine actions-->
-			<Image condition="Image">C:\Program Files\Dell\SupportAssist\koala.exe</Image> <!--Dell:SupportAssist: routine actions-->
 			<!--SECTION: Adobe-->
 			<CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!--Adobe:AcrobatReader: Uninsteresting sandbox subprocess-->
 			<CommandLine condition="contains">AcroRd32.exe" --channel=</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
-			<Image condition="image">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
-			<Image condition="image">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
-				<!-- COMMENT: Still debating about consolidating Adobe common files entries below -->
-			<Image condition="Image">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> <!--Adobe:Creative Cloud-->
-			<Image condition="image">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image> <!--Adobe:License utility-->
-			<Image condition="image">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
-			<Image condition="image">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
-			<Image condition="image">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image>
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image>
+			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image>
+			<!--SECTION: Adobe Flash-->
+			<Image condition="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
+			<!--SECTION: Adobe self-update-->
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
+			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</ParentImage> <!--Adobe:Updater: Properly hardened updater, not a risk-->
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
+			<!--SECTION: Adobe supporting processes-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe</Image>
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image>
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> <!--Adobe:Creative Cloud-->
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image> <!--Adobe:License utility-->
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</Image> <!--Adobe:License utility-->
+			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</ParentImage> <!--Adobe:License utility-->
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image>
+			<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</ParentImage>
+			<!--SECTION: Adobe Creative Cloud-->
+			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage>
+			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe</ParentImage>
+			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
 			<!--SECTION: Drivers-->
 			<Image condition="begin with">C:\Program Files\NVIDIA Corporation\Display\</Image> <!--Nvidia:Driver: routine actions-->
 			<Image condition="begin with">C:\Program Files\Realtek\</Image> <!--Realtek:Driver: routine actions-->
+			<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
+			<ParentImage condition="end with">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage>
+			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
 			<!--SECTION: Dropbox-->
-			<Image condition="image">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> <!--Dropbox:Updater: Lots of command-line arguments-->
+			<Image condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> <!--Dropbox:Updater: Lots of command-line arguments-->
+			<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
 			<!--SECTION: Dell-->
 			<!-- <ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> --> <!--Dell:CommandUpdate: Detection process-->
 		</ProcessCreate>
@@ -105,6 +122,8 @@
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIP, DestinationHostname, DestinationPort, DestinationPortName-->
 		<NetworkConnect onmatch="include">
 		<!--COMMENT:	Takes a very conservative approach to network logging, limit to extremely high-signal events.-->
+		<!--TECHNICAL:	For the DestinationHostname, Sysmon uses the GetNameInfo API, which may not always have the information or may be a CDN. Using that field is best-effort only.-->
+			<!--NOTE: These exe's do not initiate their connections, cannot be included: BITSADMIN-->
 			<!--Suspicious sources-->
 			<Image condition="begin with">C:\Users</Image>
 			<Image condition="begin with">C:\ProgramData</Image>
@@ -112,8 +131,8 @@
 			<Image condition="image">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
 			<Image condition="image">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
 			<Image condition="image">wmic.exe</Image> <!--Microsoft:WindowsManagementInstrumentation: Credit to @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
-			<Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: Credit to @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
-			<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: Credit to @arekfurt for reminder -->
+			<Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit: @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
+			<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit: @arekfurt -->
 			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
@@ -155,6 +174,7 @@
 			<DestinationHostname condition="end with">bit.ly</DestinationHostname>
 			<DestinationHostname condition="end with">t.co</DestinationHostname>
 			<DestinationHostname condition="end with">ow.ly</DestinationHostname>
+			<Image condition="image">msiexec.exe</Image> <!--Microsoft:Windows: Can install from http:// paths | Credit: @vector-sec -->
 			<!--Dynamic DNS Providers-->
 			<DestinationHostname condition="end with">dlinkddns.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
 			<DestinationHostname condition="end with">no-ip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
@@ -195,6 +215,7 @@
 
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY -->
 		<!--DATA: UtcTime, State, Version, SchemaVersion-->
+		<!--Cannot be filtered.-->
 
 	<!--SYSMON EVENT ID 5 : PROCESS ENDED -->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image-->
@@ -233,8 +254,8 @@
 			<!-- <ImageLoaded condition="contains">npjpi</ImageLoaded> -->
 			<!-- <ImageLoaded condition="image">jp2iexp.dll</ImageLoaded> -->
 			<!-- Mimikatz -->
-				<!--NOTES: [ https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ ] -->
-				<!-- <ImageLoaded condition="image">wdigest.dll</ImageLoaded> -->
+			<!--NOTES: [ https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ ] -->
+			<!-- <ImageLoaded condition="image">wdigest.dll</ImageLoaded> -->
 		</ImageLoad>
 
 	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED -->
@@ -242,13 +263,13 @@
 		<CreateRemoteThread onmatch="exclude">
 		<!--COMMENT:	Monitor for processes injecting code into other processes. Often used by malware to cloak their actions.
 				Exclude mostly-safe sources and log anything else.-->
-			<SourceImage condition="image">C:\Windows\System32\wbem\WmiPrvSE.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\System32\svchost.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\System32\wininit.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\System32\csrss.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\System32\services.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\System32\winlogon.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\System32\audiodg.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\System32\svchost.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\System32\wininit.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\System32\csrss.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\System32\services.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\System32\winlogon.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\System32\audiodg.exe</SourceImage>
 			<StartModule condition="is">C:\windows\system32\kernel32.dll</StartModule>
 			<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage>
 			<SourceImage condition="contains">FireSvc.exe</SourceImage>
@@ -284,11 +305,8 @@
 		<FileCreate onmatch="include">
 			<TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links and shortcut modification-->
 			<TargetFilename condition="contains">\Startup</TargetFilename> <!--Microsoft:Office: Changes to user's autoloaded files under AppData-->
-				<!--Default-disable <TargetFilename condition="begin with">C:\Windows\Prefetch</TargetFilename> --> <!--Microsoft:Windows: Prefetch traces-->
 			<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments--> <!--PRIVACY WARNING-->
 			<TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE--> <!--PRIVACY WARNING-->
-				<!--Default-disable <TargetFilename condition="contains">\Temp\7z</TargetFilename> --> <!--7zip extractions-->
-				<!--Default-disable <TargetFilename condition="contains">\Temp\rar$</TargetFilename> --> <!--Winrar extractions-->
 			<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
 			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
 			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
@@ -359,7 +377,7 @@
 			<TargetFilename condition="contains">_Locky_recover</TargetFilename>
 			<TargetFilename condition="contains">_ReCoVeRy_</TargetFilename>
 			<!--SECTION: Mimikatz-->
-				<!--Default-disable <TargetFileName condition="end with">.kirbi</TargetFileName> --> <!-- [ https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos ] -->
+			<!--Default-disable <TargetFileName condition="end with">.kirbi</TargetFileName> --> <!-- [ https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos ] -->
 		</FileCreate>
 		<FileCreate onmatch="exclude">
 			<TargetFilename condition="end with">\Downloads</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
@@ -381,7 +399,11 @@
 		<!--NOTE:	Writing to GUID's is very common, and they contain 0-9 and A-F so slightly try to avoid those in the first few positions. [ https://en.wikipedia.org/wiki/Universally_unique_identifier ] -->
 		<!--NOTE:	Windows writes hundreds or thousands of registry keys a minute, so just because you're not changing stuff, doesn't mean these rules aren't being run.-->
 		<!--NOTE:	You don't have to spend a lot of time worrying about this, CPUs are fast, but it's something to consider. Every rule and condition type has a cost.-->
+
 		<!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details, NewName-->
+		<!--TECHNICAL:	Possible prefixes are HKLM, HKCU, HKCR, and HKEY_USERS-->
+		<!--CRITICAL:	Schema version 3.30 and higher use HKLM and HKCU and HKCR instead of HKLM\ and \REGISTRY\USER\-->
+		
 		<RegistryEvent onmatch="include">
 			<!--Autorun or Startups-->
 				<!--ADDITIONAL REFERENCE: [ http://www.ghacks.net/2016/06/04/windows-automatic-startup-locations/ ] -->
@@ -393,8 +415,8 @@
 			<TargetObject condition="end with">\ServiceDll</TargetObject> <!--Microsoft:Windows: Value that points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ] -->
 			<TargetObject condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: Value that point to a service's EXE [ https://github.com/crypsisgroup/Splunkmon/blob/master/sysmon.cfg ] -->
 			<TargetObject condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual) -->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location-->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location-->
 			<!--CLSID launch commands and file association changes-->
 			<TargetObject condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Subkey under file associations and CLSID that map to launch command-->
 			<TargetObject condition="contains">\shell\open\command\</TargetObject> <!--Microsoft:Windows: Subkey under file associations and CLSID that map to launch command-->
@@ -409,23 +431,23 @@
 			<TargetObject condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
 			<TargetObject condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
 			<!--AppPaths hijacking-->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
 			<!--Terminal service boobytraps-->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<TargetObject condition="begin with">HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
 			<!--Group Policy interity-->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
 			<!--Winsock and Winsock2-->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\ControlSet001\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
 			<!--Credential providers-->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SecurityProviders</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SecurityProviders</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\ControlSet001\Control\Lsa\</TargetObject>
 			<!--Networking-->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
 			<!--DLLs that get injected into every process launch-->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
 			<!--Office-->
 			<TargetObject condition="contains">\Microsoft\Office\Outlook\Addins\</TargetObject> <!--Microsoft:Office: Outlook add-ins-->
 			<!--IE-->
@@ -438,20 +460,19 @@
 			<TargetObject condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
 			<TargetObject condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and componenent installations-->
 			<!--Windows internals monitoring-->
-			<TargetObject condition="is">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged-->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject> <!--Microsoft:Windows: Malware likes changing IFEO-->
+			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject> <!--Microsoft:Windows: Malware likes changing IFEO-->
 			<TargetObject condition="end with">\FriendlyName</TargetObject> <!--Microsoft:Windows: New devices connected and remembered-->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject> <!--Microsoft:Windows: Event log system integrity and ACLs-->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\ControlSet001\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\ControlSet001\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject> <!--Microsoft:Windows: Event log system integrity and ACLs-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
 		</RegistryEvent>
 		<RegistryEvent onmatch="exclude">
 		<!--COMMENT:	Remove low-information noise-->
-			<!--Disabled-default <Image condition="image">C:\windows\explorer.exe</Image> -->
 			<Image condition="end with">Office\root\integration\integrator.exe</Image> <!--Microsoft:Office: C2R client-->
-			<Image condition="image">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image> <!--Microsoft:Office: C2R client-->
+			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image> <!--Microsoft:Office: C2R client-->
 			<TargetObject condition="end with">Toolbar\WebBrowser</TargetObject> <!--Microsoft:IE: Extraneous activity-->
 			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Height</TargetObject> <!--Microsoft:IE: Extraneous activity-->
 			<TargetObject condition="end with">SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
@@ -466,27 +487,29 @@
 			<TargetObject condition="end with">clr_optimization_v4.0.30319_32\Start</TargetObject> <!--Microsoft:dotNet-->
 			<TargetObject condition="end with">clr_optimization_v4.0.30319_64\Start</TargetObject> <!--Microsoft:dotNet-->
 			<TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
-			<TargetObject condition="end with">\services\TrustedInstaller\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
-			<TargetObject condition="end with">\services\tunnel\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
-			<TargetObject condition="end with">\services\BITS\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
-			<TargetObject condition="end with">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
+			<TargetObject condition="end with">HKLM\SYSTEM\ControlSet001\Services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
 			<TargetObject condition="end with">\Lsa\OfflineJoin\CurrentValue</TargetObject> <!--Microsoft:Windows: Sensitive value during domain join -->
 			<TargetObject condition="end with">\Components\TrustedInstaller\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon -->
 			<TargetObject condition="end with">\Components\TrustedInstaller</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon -->
 			<TargetObject condition="end with">\Components\Wlansvc</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon -->
 			<TargetObject condition="end with">\Components\Wlansvc\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon -->
-			<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject> <!--Microsoft:Windows: Remove noise monitoring installations -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject> <!--Microsoft:Windows: Remove noise monitoring installations -->
 			<TargetObject condition="end with">\Directory\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes -->
 			<TargetObject condition="end with">\Directory\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes -->
 			<TargetObject condition="end with">\Drive\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes -->
 			<TargetObject condition="end with">\Drive\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes -->
 			<TargetObject condition="contains">_Classes\AppX</TargetObject> <!--Microsoft:Windows: Remove noise monitoring "Shell\open\command" --> <!--Win8+ -->
-			<TargetObject condition="end with">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
-			<TargetObject condition="end with">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Audit\AuditPolicy</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
-			<TargetObject condition="end with">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Audit\PerUserAuditing\System</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
-			<TargetObject condition="end with">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
-			<TargetObject condition="end with">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Kerberos\Domains</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
-			<TargetObject condition="end with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
+			<TargetObject condition="end with">HKLM\SYSTEM\ControlSet001\Control\Lsa\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
+			<TargetObject condition="end with">HKLM\SYSTEM\ControlSet001\Control\Lsa\Audit\AuditPolicy</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
+			<TargetObject condition="end with">HKLM\SYSTEM\ControlSet001\Control\Lsa\Audit\PerUserAuditing\System</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
+			<TargetObject condition="end with">HKLM\SYSTEM\ControlSet001\Control\Lsa\SspiCache</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
+			<TargetObject condition="end with">HKLM\SYSTEM\ControlSet001\Control\Lsa\Kerberos\Domains</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
+			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
+			<!--Sevices autostart noise-->
+			<TargetObject condition="end with">\services\TrustedInstaller\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
+			<TargetObject condition="end with">\services\tunnel\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
+			<TargetObject condition="end with">\services\BITS\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
+			<TargetObject condition="end with">\services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
 			<!--FileExts noise filtering-->
 			<TargetObject condition="contains">\OpenWithProgids</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
 			<TargetObject condition="end with">\OpenWithList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
@@ -524,14 +547,15 @@
 
 	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY [ SYSMON 6.00+ ] -->
 		<!--DATA: UtcTime, Configuration, ConfigurationFileHash-->
+		<!--Cannot be filtered.-->
 
 	<!--SYSMON EVENT ID 17 : PIPE CREATED [ SYSMON 6.00+ ] -->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
-		<!--COMMENT: Currently intended for targetted malware monitoring only, not included in this configuration-->
+		<!--COMMENT: Currently intended for targetted malware monitoring only, not included in this configuration.-->
 
 	<!--SYSMON EVENT ID 18 : PIPE CONNECTED [ SYSMON 6.00+ ] -->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
-		<!--COMMENT: Currently intended for targetted malware monitoring only, not included in this configuration-->
-		
+		<!--COMMENT: Currently intended for targetted malware monitoring only, not included in this configuration.-->
+
 	</EventFiltering>
 </Sysmon>

From 747a238be86807bacce4a9a2d8ba7743fa98fcd6 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 16:45:27 -0500
Subject: [PATCH 023/471] FIX: ControlSet001 to CurrentControlSet

Changes:
- Fix ControlSet001 to CurrentControlSet after schema version updated to
3.3
- Change back to md5,imphash by default
---
 sysmonconfig-export.xml | 39 +++++++++++++++++++++------------------
 1 file changed, 21 insertions(+), 18 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index c571ce84..eee94ff6 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1,6 +1,6 @@
 <!--
   sysmon-config | A sysmon configuration focused on high-quality event tracing
-  Version: 40 | Date: 2017-02-21
+  Version: 41 | Date: 2017-02-21
   By @SwiftOnSecurity, with contributors credited in-line or on Git
   https://github.com/SwiftOnSecurity/sysmon-config
   Vector-sec Improvements:
@@ -402,7 +402,7 @@
 
 		<!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details, NewName-->
 		<!--TECHNICAL:	Possible prefixes are HKLM, HKCU, HKCR, and HKEY_USERS-->
-		<!--CRITICAL:	Schema version 3.30 and higher use HKLM and HKCU and HKCR instead of HKLM\ and \REGISTRY\USER\-->
+		<!--CRITICAL:	Schema version 3.30 and higher use HKLM and HKCU and HKCR and CurrentControlSet instead of REGISTRY\MACHINE\ and \REGISTRY\USER\ and ControlSet001-->
 		
 		<RegistryEvent onmatch="include">
 			<!--Autorun or Startups-->
@@ -432,19 +432,19 @@
 			<TargetObject condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
 			<!--AppPaths hijacking-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
 			<!--Terminal service boobytraps-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
 			<!--Group Policy interity-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
 			<!--Winsock and Winsock2-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\ControlSet001\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
 			<!--Credential providers-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SecurityProviders</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\ControlSet001\Control\Lsa\</TargetObject>
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
 			<!--Networking-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
 			<!--DLLs that get injected into every process launch-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
@@ -463,8 +463,8 @@
 			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject> <!--Microsoft:Windows: Malware likes changing IFEO-->
 			<TargetObject condition="end with">\FriendlyName</TargetObject> <!--Microsoft:Windows: New devices connected and remembered-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\ControlSet001\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\ControlSet001\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject> <!--Microsoft:Windows: Event log system integrity and ACLs-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
@@ -484,10 +484,9 @@
 			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Cached</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Cached" wildcard-->
 			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Approved</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Approved" wildcard-->
 			<TargetObject condition="end with">}\PreviousPolicyAreas</TargetObject> <!--Microsoft:Windows: Remove noise from \Winlogon\GPExtensions by svchost.exe-->
-			<TargetObject condition="end with">clr_optimization_v4.0.30319_32\Start</TargetObject> <!--Microsoft:dotNet-->
-			<TargetObject condition="end with">clr_optimization_v4.0.30319_64\Start</TargetObject> <!--Microsoft:dotNet-->
+
 			<TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
-			<TargetObject condition="end with">HKLM\SYSTEM\ControlSet001\Services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
 			<TargetObject condition="end with">\Lsa\OfflineJoin\CurrentValue</TargetObject> <!--Microsoft:Windows: Sensitive value during domain join -->
 			<TargetObject condition="end with">\Components\TrustedInstaller\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon -->
 			<TargetObject condition="end with">\Components\TrustedInstaller</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon -->
@@ -499,17 +498,21 @@
 			<TargetObject condition="end with">\Drive\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes -->
 			<TargetObject condition="end with">\Drive\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes -->
 			<TargetObject condition="contains">_Classes\AppX</TargetObject> <!--Microsoft:Windows: Remove noise monitoring "Shell\open\command" --> <!--Win8+ -->
-			<TargetObject condition="end with">HKLM\SYSTEM\ControlSet001\Control\Lsa\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
-			<TargetObject condition="end with">HKLM\SYSTEM\ControlSet001\Control\Lsa\Audit\AuditPolicy</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
-			<TargetObject condition="end with">HKLM\SYSTEM\ControlSet001\Control\Lsa\Audit\PerUserAuditing\System</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
-			<TargetObject condition="end with">HKLM\SYSTEM\ControlSet001\Control\Lsa\SspiCache</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
-			<TargetObject condition="end with">HKLM\SYSTEM\ControlSet001\Control\Lsa\Kerberos\Domains</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
 			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
 			<!--Sevices autostart noise-->
 			<TargetObject condition="end with">\services\TrustedInstaller\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
 			<TargetObject condition="end with">\services\tunnel\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
 			<TargetObject condition="end with">\services\BITS\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
 			<TargetObject condition="end with">\services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
+			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
+			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
+			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
+			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
 			<!--FileExts noise filtering-->
 			<TargetObject condition="contains">\OpenWithProgids</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
 			<TargetObject condition="end with">\OpenWithList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->

From 76fcf15c8afc546f3a2afd1fa115b01dbc8ea383 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 16:46:38 -0500
Subject: [PATCH 024/471] Add wermgr.exe

Changes:
- Ignore wermgr.exe launches
---
 sysmonconfig-export.xml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index eee94ff6..ea0472d2 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -48,6 +48,8 @@
 			<CommandLine condition="is">C:\windows\System32\svchost.exe -k WerSvcGroup</CommandLine> <!--Microsoft:WindowsErrorReporting-->
 			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
 			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
+			<Image condition="is">C:\Windows\System32\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
+			<Image condition="is">C:\Windows\SysWOW64\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
 			<!--SECTION: Microsoft dotNet-->
 			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
 			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
@@ -459,7 +461,7 @@
 			<!--Infection artifacts-->
 			<TargetObject condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
 			<TargetObject condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and componenent installations-->
-			<!--Windows internals monitoring-->
+			<!--Windows internals integrity monitoring-->
 			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject> <!--Microsoft:Windows: Malware likes changing IFEO-->
 			<TargetObject condition="end with">\FriendlyName</TargetObject> <!--Microsoft:Windows: New devices connected and remembered-->
@@ -484,7 +486,6 @@
 			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Cached</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Cached" wildcard-->
 			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Approved</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Approved" wildcard-->
 			<TargetObject condition="end with">}\PreviousPolicyAreas</TargetObject> <!--Microsoft:Windows: Remove noise from \Winlogon\GPExtensions by svchost.exe-->
-
 			<TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
 			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
 			<TargetObject condition="end with">\Lsa\OfflineJoin\CurrentValue</TargetObject> <!--Microsoft:Windows: Sensitive value during domain join -->
@@ -498,6 +499,7 @@
 			<TargetObject condition="end with">\Drive\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes -->
 			<TargetObject condition="end with">\Drive\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes -->
 			<TargetObject condition="contains">_Classes\AppX</TargetObject> <!--Microsoft:Windows: Remove noise monitoring "Shell\open\command" --> <!--Win8+ -->
+			<!--Bootup Control noise-->
 			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
 			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
 			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->

From c5e273a6f4f6509e8934c4af89a857b364a1ce69 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 16:50:01 -0500
Subject: [PATCH 025/471] md5,sha256 by default

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ea0472d2..806759f1 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -27,7 +27,7 @@
 -->
 
 <Sysmon schemaversion="3.30">
-	<HashAlgorithms>sha256</HashAlgorithms>
+	<HashAlgorithms>md5,sha256</HashAlgorithms>
 	<EventFiltering>
 
 	<!--SYSMON EVENT ID 1 : PROCESS CREATION -->

From de414c9af8ca918407ad275c639d8fc1a6ab678f Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 20:12:00 -0500
Subject: [PATCH 026/471] add onedrive exclusion

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 806759f1..b0ed7264 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -208,6 +208,7 @@
 			<Image condition="image">Spotify.exe</Image> <!--Spotify-->
 			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
 			<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image> <!--Dropbox-->
+			<Image condition="image">OneDriveStandaloneUpdater.exe</Image> <!--Microsoft:OneDrive-->
 			<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--ConnectWise Noise-->
 			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image> <!--ScreenConnect Noise-->
 			<DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->

From 0f3a3f53c0615314ca51c67851f25f5717dceeb6 Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 20:18:59 -0500
Subject: [PATCH 027/471] Download sysmon to ProgramData rather than temp
 location.

---
 Install Sysmon.bat | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/Install Sysmon.bat b/Install Sysmon.bat
index 6ec73acd..c1542e09 100644
--- a/Install Sysmon.bat	
+++ b/Install Sysmon.bat	
@@ -1,9 +1,10 @@
 @echo off
-cd %temp%
+mkdir C:\ProgramData\sysmon
+cd C:\ProgramData\sysmon\
 echo [+] Downloading Sysmon...
-@powershell (new-object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon.exe','%temp%\sysmon.exe')"
+@powershell (new-object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon.exe','C:\ProgramData\sysmon\sysmon.exe')"
 echo [+] Downloading Sysmon config...
-@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml','%temp%\sysmonconfig-export.xml')"
+@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
 sysmon.exe -accepteula -i sysmonconfig-export.xml
 echo [+] Sysmon Successfully Installed!
 timeout /t 10

From 42c663834e5abbe1c1845e84eb84d8bbe9dadb67 Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 20:21:37 -0500
Subject: [PATCH 028/471] Correct Google Update exception

---
 sysmonconfig-export.xml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index b0ed7264..136a2c6e 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1,6 +1,6 @@
 <!--
   sysmon-config | A sysmon configuration focused on high-quality event tracing
-  Version: 41 | Date: 2017-02-21
+  Version: 42 | Date: 2017-02-21
   By @SwiftOnSecurity, with contributors credited in-line or on Git
   https://github.com/SwiftOnSecurity/sysmon-config
   Vector-sec Improvements:
@@ -63,6 +63,7 @@
 			<!--SECTION: Google-->
 			<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
 			<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
+			<Image condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage> <!--Google:Chrome: Updater-->
 			<ParentImage condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage> <!--Google:Chrome: Updater-->
 			<!-- SECTION: Firefox -->
 			<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox massive command-line arguments || Contributor @Darkbat91 -->
@@ -478,7 +479,8 @@
 			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image> <!--Microsoft:Office: C2R client-->
 			<TargetObject condition="end with">Toolbar\WebBrowser</TargetObject> <!--Microsoft:IE: Extraneous activity-->
 			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Height</TargetObject> <!--Microsoft:IE: Extraneous activity-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
+			<TargetObject condition="end with">Toolbar\ShellBrowser\ITBar7Layout</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
+			<TargetObject condition="end with">Internet Explorer\Toolbar\Locked</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
 			<TargetObject condition="end with">ShellBrowser</TargetObject> <!--Microsoft:InternetExplorer: Noise-->
 			<TargetObject condition="end with">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard-->
 			<TargetObject condition="end with">\CurrentVersion\RunOnce</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard-->

From a8103fd1d51df87d4856530858d09f8feb3bc29e Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 20:49:46 -0500
Subject: [PATCH 029/471] Add Common Signed Drivers & Office 2016 telemetry

---
 sysmonconfig-export.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 136a2c6e..746cb4fd 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -106,6 +106,7 @@
 			<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
 			<!--SECTION: Dell-->
 			<!-- <ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> --> <!--Dell:CommandUpdate: Detection process-->
+			<ParentImage condition="end with">root\Office16\msoia.exe</ParentImage><!--Office Telemetry-->
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM -->
@@ -242,6 +243,12 @@
 			<Signature condition="contains">Broadcom </Signature> <!--Exclude signed Broadcom drivers-->
 			<Signature condition="contains">AMD </Signature> <!--Exclude signed AMD drivers-->
 			<Signature condition="contains">VMware </Signature> <!--Exclude signed VMware drivers-->
+			<Signature condition="contains">Realtek </Signature> <!--Exclude signed Realtek drivers-->
+			<Signature condition="contains">Micro-Star </Signature> <!--Exclude signed MSI drivers-->
+			<Signature condition="contains">Logitech </Signature> <!--Exclude signed Logitech drivers-->
+			<Signature condition="contains">Asmedia </Signature> <!--Exclude signed Asmedia drivers-->
+			<Signature condition="contains">SteelSeries </Signature> <!--Exclude signed MSI drivers-->
+			<Signature condition="contains">Fortinet </Signature> <!--Exclude signed MSI drivers-->
 		</DriverLoad>
 
 	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS -->

From 40d04fb26e36458fcb9b2b12b2de0e10ba388e80 Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 21:44:55 -0500
Subject: [PATCH 030/471] Added Legacy Driver location Added little known and
 Legacy Persistence locations Added Word, Excel, Powerpoint Addins

---
 sysmonconfig-export.xml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 746cb4fd..cbe37938 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -461,6 +461,9 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
 			<!--Office-->
 			<TargetObject condition="contains">\Microsoft\Office\Outlook\Addins\</TargetObject> <!--Microsoft:Office: Outlook add-ins-->
+			<TargetObject condition="contains">\Microsoft\Office\Excel\Addins\</TargetObject> <!--Microsoft:Office: Excel add-ins-->
+			<TargetObject condition="contains">\Microsoft\Office\Word\Addins\</TargetObject> <!--Microsoft:Office: Word add-ins-->
+			<TargetObject condition="contains">\Microsoft\Office\Powerpoint\Addins\</TargetObject> <!--Microsoft:Office: Powerpoint add-ins-->
 			<!--IE-->
 			<TargetObject condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
 			<TargetObject condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
@@ -479,6 +482,15 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject> <!--Microsoft:Windows: Event log system integrity and ACLs-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
+			 <!--Common Malware Persistence locations-->
+			 <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject>
+			 <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			 <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
+			 <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
 		</RegistryEvent>
 		<RegistryEvent onmatch="exclude">
 		<!--COMMENT:	Remove low-information noise-->

From bbde5dbf4da01adc26298366bb487a95d50fe000 Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Tue, 21 Feb 2017 21:56:46 -0500
Subject: [PATCH 031/471] Fix incorrect syntax

---
 sysmonconfig-export.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index cbe37938..295b705b 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -63,7 +63,7 @@
 			<!--SECTION: Google-->
 			<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
 			<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
-			<Image condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage> <!--Google:Chrome: Updater-->
+			<Image condition="begin with">C:\Program Files (x86)\Google\Update\</Image> <!--Google:Chrome: Updater-->
 			<ParentImage condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage> <!--Google:Chrome: Updater-->
 			<!-- SECTION: Firefox -->
 			<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox massive command-line arguments || Contributor @Darkbat91 -->
@@ -106,7 +106,7 @@
 			<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
 			<!--SECTION: Dell-->
 			<!-- <ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> --> <!--Dell:CommandUpdate: Detection process-->
-			<ParentImage condition="end with">root\Office16\msoia.exe</ParentImage><!--Office Telemetry-->
+			<Image condition="end with">root\Office16\msoia.exe</Image><!--Office Telemetry-->
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM -->

From ae00a73fa555d0feedee1f98b7ba566368b70590 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 22 Feb 2017 08:00:58 -0500
Subject: [PATCH 032/471] Update Sysmon to 64bit

---
 Install Sysmon.bat | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Install Sysmon.bat b/Install Sysmon.bat
index c1542e09..bf253675 100644
--- a/Install Sysmon.bat	
+++ b/Install Sysmon.bat	
@@ -2,10 +2,10 @@
 mkdir C:\ProgramData\sysmon
 cd C:\ProgramData\sysmon\
 echo [+] Downloading Sysmon...
-@powershell (new-object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon.exe','C:\ProgramData\sysmon\sysmon.exe')"
+@powershell (new-object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon64.exe','C:\ProgramData\sysmon\sysmon64.exe')"
 echo [+] Downloading Sysmon config...
 @powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
-sysmon.exe -accepteula -i sysmonconfig-export.xml
+sysmon64.exe -accepteula -i sysmonconfig-export.xml
 echo [+] Sysmon Successfully Installed!
 timeout /t 10
 exit
\ No newline at end of file

From 8a58e19a70c1fc0146c39d2a8c03aef9da338446 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 22 Feb 2017 10:13:27 -0500
Subject: [PATCH 033/471] Exclude Dashlane

Dashlane.exe creates network events ~5m, DashlanePlugin.exe creates a
number of events on browser start. Excluding both to reduce noise.
---
 sysmonconfig-export.xml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 295b705b..fa1dd347 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1,6 +1,6 @@
 <!--
   sysmon-config | A sysmon configuration focused on high-quality event tracing
-  Version: 42 | Date: 2017-02-21
+  Version: 43 | Date: 2017-02-21
   By @SwiftOnSecurity, with contributors credited in-line or on Git
   https://github.com/SwiftOnSecurity/sysmon-config
   Vector-sec Improvements:
@@ -213,6 +213,8 @@
 			<Image condition="image">OneDriveStandaloneUpdater.exe</Image> <!--Microsoft:OneDrive-->
 			<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--ConnectWise Noise-->
 			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image> <!--ScreenConnect Noise-->
+			<Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
+			<Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
 			<DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
 			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
 			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->

From 1e0e7288b7ac8d86f70c575bffbb1ae389c5ff32 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 22 Feb 2017 10:33:22 -0500
Subject: [PATCH 034/471] Monitor Group policy logon, logoff, shutdown scripts.

---
 sysmonconfig-export.xml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index fa1dd347..23ba1491 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -493,6 +493,15 @@
 			 <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
 			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
 			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
+			 <!--Group Policy Scripts-->
+			 <TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
+			 <TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
+			 <TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
+			 <TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
+			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
+			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
+			 <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
+			 <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
 		</RegistryEvent>
 		<RegistryEvent onmatch="exclude">
 		<!--COMMENT:	Remove low-information noise-->

From 6ea2b5a23e80d40cf5fe061da85f7d2076b371fa Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 22 Feb 2017 10:46:02 -0500
Subject: [PATCH 035/471] Change ConnectWise and Screenconnect image matching.

---
 sysmonconfig-export.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 23ba1491..518ea6d3 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -211,8 +211,8 @@
 			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
 			<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image> <!--Dropbox-->
 			<Image condition="image">OneDriveStandaloneUpdater.exe</Image> <!--Microsoft:OneDrive-->
-			<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--ConnectWise Noise-->
-			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image> <!--ScreenConnect Noise-->
+			<Image condition="image">ConnectWise.exe</Image> <!--ConnectWise Noise-->
+			<Image condition="image">ScreenConnect.WindowsClient.exe</Image> <!--ScreenConnect Noise-->
 			<Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
 			<Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
 			<DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->

From 36b997d45bdba30ec1d2b17effe77f6fb42d3e50 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 22 Feb 2017 11:15:38 -0500
Subject: [PATCH 036/471] Remove Trailing spaces

---
 sysmonconfig-export.xml | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 518ea6d3..aba1e4ee 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -238,19 +238,19 @@
 				about what you exclude from monitoring. Low event volume, little incentive to exclude.-->
 			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft drivers-->
 			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft drivers-->
-			<Signature condition="begin with">Intel </Signature> <!--Exclude signed Intel drivers-->
-			<Signature condition="contains">Lenovo </Signature> <!--Exclude signed Lenovo drivers-->
-			<Signature condition="contains">Synaptic </Signature> <!--Exclude signed Synaptic drivers-->
-			<Signature condition="contains">Nvidia </Signature> <!--Exclude signed Nvidia drivers-->
-			<Signature condition="contains">Broadcom </Signature> <!--Exclude signed Broadcom drivers-->
-			<Signature condition="contains">AMD </Signature> <!--Exclude signed AMD drivers-->
-			<Signature condition="contains">VMware </Signature> <!--Exclude signed VMware drivers-->
-			<Signature condition="contains">Realtek </Signature> <!--Exclude signed Realtek drivers-->
-			<Signature condition="contains">Micro-Star </Signature> <!--Exclude signed MSI drivers-->
-			<Signature condition="contains">Logitech </Signature> <!--Exclude signed Logitech drivers-->
-			<Signature condition="contains">Asmedia </Signature> <!--Exclude signed Asmedia drivers-->
-			<Signature condition="contains">SteelSeries </Signature> <!--Exclude signed MSI drivers-->
-			<Signature condition="contains">Fortinet </Signature> <!--Exclude signed MSI drivers-->
+			<Signature condition="begin with">Intel</Signature> <!--Exclude signed Intel drivers-->
+			<Signature condition="contains">Lenovo</Signature> <!--Exclude signed Lenovo drivers-->
+			<Signature condition="contains">Synaptic</Signature> <!--Exclude signed Synaptic drivers-->
+			<Signature condition="contains">Nvidia</Signature> <!--Exclude signed Nvidia drivers-->
+			<Signature condition="contains">Broadcom</Signature> <!--Exclude signed Broadcom drivers-->
+			<Signature condition="contains">AMD</Signature> <!--Exclude signed AMD drivers-->
+			<Signature condition="contains">VMware</Signature> <!--Exclude signed VMware drivers-->
+			<Signature condition="contains">Realtek</Signature> <!--Exclude signed Realtek drivers-->
+			<Signature condition="contains">Micro-Star</Signature> <!--Exclude signed MSI drivers-->
+			<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech drivers-->
+			<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia drivers-->
+			<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed MSI drivers-->
+			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed MSI drivers-->
 		</DriverLoad>
 
 	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS -->

From 287074cbc193c0158a878b7217989d27acd761df Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 22 Feb 2017 12:07:04 -0500
Subject: [PATCH 037/471] Add Port logging.

---
 sysmonconfig-export.xml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index aba1e4ee..a6aa8b40 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -205,6 +205,23 @@
 			<DestinationHostname condition="end with">tor2web.blutmagie.de</DestinationHostname>
 			<DestinationHostname condition="end with">tor-gateways.de</DestinationHostname>
 			<DestinationHostname condition="end with">hiddenservice.net</DestinationHostname>
+			<!--Ports-->
+			<DestinationPort condition="is">3389</DestinationPort>
+			<DestinationPort condition="is">3540</DestinationPort>
+			<DestinationPort condition="is">22</DestinationPort>
+			<DestinationPort condition="is">25</DestinationPort>
+			<DestinationPort condition="is">137</DestinationPort>
+			<DestinationPort condition="is">138</DestinationPort>
+			<DestinationPort condition="is">139</DestinationPort>
+			<DestinationPort condition="is">445</DestinationPort>
+			<DestinationPort condition="is">5800</DestinationPort>
+			<DestinationPort condition="is">5900</DestinationPort>
+			<DestinationPort condition="is">1194</DestinationPort>
+			<DestinationPort condition="is">1701</DestinationPort>
+			<DestinationPort condition="is">1723</DestinationPort>
+			<DestinationPort condition="is">1293</DestinationPort>
+			<DestinationPort condition="is">4500</DestinationPort>
+			<DestinationPort condition="is">1080</DestinationPort>
 		</NetworkConnect>
 		<NetworkConnect onmatch="exclude">
 			<Image condition="image">Spotify.exe</Image> <!--Spotify-->

From 21cbbe1ff3e4882ffb923abeed8d648a35a0b775 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 22 Feb 2017 12:35:57 -0500
Subject: [PATCH 038/471] Add notes & Tor Ports

---
 sysmonconfig-export.xml | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index a6aa8b40..7620ea99 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -206,22 +206,24 @@
 			<DestinationHostname condition="end with">tor-gateways.de</DestinationHostname>
 			<DestinationHostname condition="end with">hiddenservice.net</DestinationHostname>
 			<!--Ports-->
-			<DestinationPort condition="is">3389</DestinationPort>
-			<DestinationPort condition="is">3540</DestinationPort>
-			<DestinationPort condition="is">22</DestinationPort>
-			<DestinationPort condition="is">25</DestinationPort>
-			<DestinationPort condition="is">137</DestinationPort>
-			<DestinationPort condition="is">138</DestinationPort>
-			<DestinationPort condition="is">139</DestinationPort>
-			<DestinationPort condition="is">445</DestinationPort>
-			<DestinationPort condition="is">5800</DestinationPort>
-			<DestinationPort condition="is">5900</DestinationPort>
-			<DestinationPort condition="is">1194</DestinationPort>
-			<DestinationPort condition="is">1701</DestinationPort>
-			<DestinationPort condition="is">1723</DestinationPort>
-			<DestinationPort condition="is">1293</DestinationPort>
-			<DestinationPort condition="is">4500</DestinationPort>
-			<DestinationPort condition="is">1080</DestinationPort>
+			<DestinationPort condition="is">3389</DestinationPort> <!--RDP Port-->
+			<DestinationPort condition="is">3540</DestinationPort> <!--Remote Assistance Port-->
+			<DestinationPort condition="is">22</DestinationPort>   <!--SSH Port-->
+			<DestinationPort condition="is">25</DestinationPort>   <!--SMTP Port-->
+			<DestinationPort condition="is">137</DestinationPort>  <!--SMB Port-->
+			<DestinationPort condition="is">138</DestinationPort>  <!--SMB Port-->
+			<DestinationPort condition="is">139</DestinationPort>  <!--SMB Port-->
+			<DestinationPort condition="is">445</DestinationPort>  <!--SMB Port-->
+			<DestinationPort condition="is">5800</DestinationPort> <!--VNC Port-->
+			<DestinationPort condition="is">5900</DestinationPort> <!--VNC Port-->
+			<DestinationPort condition="is">1194</DestinationPort> <!--OpenVPN Port-->
+			<DestinationPort condition="is">1701</DestinationPort> <!--L2TP Port-->
+			<DestinationPort condition="is">1723</DestinationPort> <!--Tor Port-->
+			<DestinationPort condition="is">1293</DestinationPort> <!--IPSec Nat Traversal Port-->
+			<DestinationPort condition="is">4500</DestinationPort> <!--Tor Port-->
+			<DestinationPort condition="is">1080</DestinationPort> <!--Socks Port-->
+			<DestinationPort condition="is">9001</DestinationPort> <!--Tor Port-->
+			<DestinationPort condition="is">9030</DestinationPort> <!--Tor Port-->
 		</NetworkConnect>
 		<NetworkConnect onmatch="exclude">
 			<Image condition="image">Spotify.exe</Image> <!--Spotify-->

From 1afd706e7172d952d96a7ba1332c26de819434a2 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 22 Feb 2017 12:40:20 -0500
Subject: [PATCH 039/471] Add Telnet and Socks Ports

---
 sysmonconfig-export.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 7620ea99..a03fe1cd 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -209,6 +209,7 @@
 			<DestinationPort condition="is">3389</DestinationPort> <!--RDP Port-->
 			<DestinationPort condition="is">3540</DestinationPort> <!--Remote Assistance Port-->
 			<DestinationPort condition="is">22</DestinationPort>   <!--SSH Port-->
+			<DestinationPort condition="is">23</DestinationPort>   <!--Telnet Port-->
 			<DestinationPort condition="is">25</DestinationPort>   <!--SMTP Port-->
 			<DestinationPort condition="is">137</DestinationPort>  <!--SMB Port-->
 			<DestinationPort condition="is">138</DestinationPort>  <!--SMB Port-->
@@ -222,6 +223,8 @@
 			<DestinationPort condition="is">1293</DestinationPort> <!--IPSec Nat Traversal Port-->
 			<DestinationPort condition="is">4500</DestinationPort> <!--Tor Port-->
 			<DestinationPort condition="is">1080</DestinationPort> <!--Socks Port-->
+			<DestinationPort condition="is">8080</DestinationPort> <!--Socks Port-->
+			<DestinationPort condition="is">3128</DestinationPort> <!--Socks Port-->
 			<DestinationPort condition="is">9001</DestinationPort> <!--Tor Port-->
 			<DestinationPort condition="is">9030</DestinationPort> <!--Tor Port-->
 		</NetworkConnect>

From c41eba974de915a5a62f11ef4a4cb714377a6ebe Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 22 Feb 2017 13:40:45 -0500
Subject: [PATCH 040/471] Add Logging of USB Devices & Network History.

---
 sysmonconfig-export.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index a03fe1cd..f8aeb248 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -524,6 +524,13 @@
 			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
 			 <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
 			 <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
+			 <!--Detect Network History-->
+			 <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
+			 <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces</TargetObject>
+			 <!--Detect User Activity-->
+			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
+			 <TargetObject condition="begin with">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB</TargetObject>
+			 <TargetObject condition="begin with">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
 		</RegistryEvent>
 		<RegistryEvent onmatch="exclude">
 		<!--COMMENT:	Remove low-information noise-->

From 536a07a0203f61bc28cfd33a88a2d4fde6cbd662 Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Wed, 22 Feb 2017 20:15:27 -0500
Subject: [PATCH 041/471] Added Windows Defender updater exclusions & Intel
 Telemetry exclusions to cut down on noise

---
 sysmonconfig-export.xml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f8aeb248..23240f87 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -50,6 +50,10 @@
 			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
 			<Image condition="is">C:\Windows\System32\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
 			<Image condition="is">C:\Windows\SysWOW64\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
+			<Image condition="is">C:\Windows\System32\MpSigStub.exe</Image> <!--Microsoft:Windows: Microsoft Malware Protection Signature Update Stub-->
+			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
+			<Image condition="is">C:\Windows\System32\MusNotification.exe</Image><!--Microsoft:Windows: Update Popups-->
+			<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image><!--Microsoft:Windows: Update Popups-->
 			<!--SECTION: Microsoft dotNet-->
 			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
 			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
@@ -96,7 +100,7 @@
 			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
 			<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
 			<!--SECTION: Drivers-->
-			<Image condition="begin with">C:\Program Files\NVIDIA Corporation\Display\</Image> <!--Nvidia:Driver: routine actions-->
+			<Image condition="begin with">C:\Program Files\NVIDIA Corporation\</Image> <!--Nvidia:Driver: routine actions-->
 			<Image condition="begin with">C:\Program Files\Realtek\</Image> <!--Realtek:Driver: routine actions-->
 			<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
 			<ParentImage condition="end with">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage>
@@ -106,7 +110,8 @@
 			<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
 			<!--SECTION: Dell-->
 			<!-- <ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> --> <!--Dell:CommandUpdate: Detection process-->
-			<Image condition="end with">root\Office16\msoia.exe</Image><!--Office Telemetry-->
+			<!--SECTION: Intel-->
+			<Image condition="is">C:\Program Files\Intel\Telemetry 2.0\lrio.exe</Image> <!--Intel Telemetry-->
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM -->

From 4729a088bb55b16d9dbd475bf3512ae0d12954d0 Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Wed, 22 Feb 2017 22:12:25 -0500
Subject: [PATCH 042/471] Add Fork Licensing :)

---
 sysmonconfig-export.xml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 23240f87..4a039b29 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1,12 +1,13 @@
 <!--
   sysmon-config | A sysmon configuration focused on high-quality event tracing
-  Version: 43 | Date: 2017-02-21
-  By @SwiftOnSecurity, with contributors credited in-line or on Git
-  https://github.com/SwiftOnSecurity/sysmon-config
-  Vector-sec Improvements:
-  https://github.com/vector-sec/sysmon-config
-  ion-storm Improvements:
-  https://github.com/ion-storm/sysmon-config
+  Master version:	44 | Date: 2017-02-22
+  Master author:	@SwiftOnSecurity, with contributors credited in-line or on Git.
+  Master project:	https://github.com/SwiftOnSecurity/sysmon-config
+  Master license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
+  Fork version:	5
+  Fork author:	ionstorm
+  Fork project:	https://github.com/ion-storm/sysmon-config
+  Fork license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
 
   REQUIRED: Sysmon version 6.00 or higher (due to changes in registry syntax)
   https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx

From 9d3ce5b7971fdca01bf70c3b19db145257fda6f5 Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Wed, 22 Feb 2017 23:28:17 -0500
Subject: [PATCH 043/471] The only way to log bitsadmin executed file transfers
 is to log C:\Windows\system32\svchost.exe which encompasses all services. 
 This is necessary because bitsadmin /transfer is the closest to an
 undetectable file transfer.

---
 sysmonconfig-export.xml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 4a039b29..38d6cd1e 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -146,7 +146,7 @@
 			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
-			<Image condition="image">bitsadmin.exe</Image> <!--File Transfer program-->
+			<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--BITS File Transfer program-->
 			<Image condition="image">mshta.exe</Image>
 			<Image condition="image">python.exe</Image>
 			<Image condition="image">psexecsvc.exe</Image>
@@ -440,7 +440,6 @@
 		<!--NOTE:	Writing to GUID's is very common, and they contain 0-9 and A-F so slightly try to avoid those in the first few positions. [ https://en.wikipedia.org/wiki/Universally_unique_identifier ] -->
 		<!--NOTE:	Windows writes hundreds or thousands of registry keys a minute, so just because you're not changing stuff, doesn't mean these rules aren't being run.-->
 		<!--NOTE:	You don't have to spend a lot of time worrying about this, CPUs are fast, but it's something to consider. Every rule and condition type has a cost.-->
-
 		<!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details, NewName-->
 		<!--TECHNICAL:	Possible prefixes are HKLM, HKCU, HKCR, and HKEY_USERS-->
 		<!--CRITICAL:	Schema version 3.30 and higher use HKLM and HKCU and HKCR and CurrentControlSet instead of REGISTRY\MACHINE\ and \REGISTRY\USER\ and ControlSet001-->

From ef2b66f6bc0d76437ac82dfc23f28fa0772a0010 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Thu, 23 Feb 2017 08:36:50 -0500
Subject: [PATCH 044/471] Add Remote Management console logging

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 38d6cd1e..bf8eda7c 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -166,6 +166,7 @@
 			<Image condition="image">tftp.exe</Image><!-- TFTP -->
 			<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
 			<Image condition="image">at.exe</Image><!-- Remote Task Scheduler logging -->
+			<Image condition="image">C:\windows\system32\mmc.exe</Image><!-- Microsoft Management Console -->
 			<!--Hack tools hosting-->
 			<DestinationHostname condition="end with">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
 			<DestinationHostname condition="end with">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
@@ -217,6 +218,7 @@
 			<DestinationPort condition="is">22</DestinationPort>   <!--SSH Port-->
 			<DestinationPort condition="is">23</DestinationPort>   <!--Telnet Port-->
 			<DestinationPort condition="is">25</DestinationPort>   <!--SMTP Port-->
+			<DestinationPort condition="is">135</DestinationPort>  <!--MMC Remote Management-->
 			<DestinationPort condition="is">137</DestinationPort>  <!--SMB Port-->
 			<DestinationPort condition="is">138</DestinationPort>  <!--SMB Port-->
 			<DestinationPort condition="is">139</DestinationPort>  <!--SMB Port-->

From 490506369b096c935d01f54d4256a989256b759c Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Thu, 23 Feb 2017 08:48:17 -0500
Subject: [PATCH 045/471] Remove noise from Cortana in Windows 10 in FileExts

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index bf8eda7c..18c63bcb 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -593,6 +593,7 @@
 			<TargetObject condition="end with">\OpenWithList\MRUList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
 			<TargetObject condition="end with">} 0xFFFF</TargetObject> <!--Microsoft:Windows: Remove noise from explorer.exe from monitoring ShellCached binary keys--> <!--Win8+ -->
 			<TargetObject condition="end with">SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked</TargetObject><!--Microsoft:Windows Remove noise from Windows 10 Taskbar--> <!--Win10 -->
+			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image><!--Microsoft:Windows Remove noise from Windows 10 Cortana--> <!--Win10 -->
 			<!--SECTION: 3rd party-->
 			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image>
 		</RegistryEvent>

From aac8b7490c09f035c4f94cbe92e8688dc4eb7759 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Thu, 23 Feb 2017 08:52:37 -0500
Subject: [PATCH 046/471] remove dupe

---
 sysmonconfig-export.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 18c63bcb..99ae56be 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -592,7 +592,6 @@
 			<TargetObject condition="end with">\UserChoice\Hash</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+ -->
 			<TargetObject condition="end with">\OpenWithList\MRUList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
 			<TargetObject condition="end with">} 0xFFFF</TargetObject> <!--Microsoft:Windows: Remove noise from explorer.exe from monitoring ShellCached binary keys--> <!--Win8+ -->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked</TargetObject><!--Microsoft:Windows Remove noise from Windows 10 Taskbar--> <!--Win10 -->
 			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image><!--Microsoft:Windows Remove noise from Windows 10 Cortana--> <!--Win10 -->
 			<!--SECTION: 3rd party-->
 			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image>

From 82216dc02f0f619156a1bfa4f7c06aca250d017c Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Thu, 23 Feb 2017 09:27:44 -0500
Subject: [PATCH 047/471] Image file Hijack: IFEO

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 99ae56be..9ef8a49c 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -459,6 +459,7 @@
 			<TargetObject condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual) -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location-->
+			<TargetObject condition="contains">CurrentVersion\Image File Execution Options\</TargetObject><!--TaskMgr/Debugger Hijack location-->
 			<!--CLSID launch commands and file association changes-->
 			<TargetObject condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Subkey under file associations and CLSID that map to launch command-->
 			<TargetObject condition="contains">\shell\open\command\</TargetObject> <!--Microsoft:Windows: Subkey under file associations and CLSID that map to launch command-->

From f287607c24350ca6fa68b4112c75c4042f2b8f88 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Thu, 23 Feb 2017 09:31:29 -0500
Subject: [PATCH 048/471] Detection of changes to tcpip parameters to detect
 DNS changing trojans and unauthorized changes.

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 9ef8a49c..d4eab704 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -534,7 +534,7 @@
 			 <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
 			 <!--Detect Network History-->
 			 <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
-			 <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces</TargetObject>
+			 <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\</TargetObject><!--Also detects DNS Change Trojans-->
 			 <!--Detect User Activity-->
 			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
 			 <TargetObject condition="begin with">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB</TargetObject>

From 977d44c378f8dad60d9f37a8503cc1093d78c4d7 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Thu, 23 Feb 2017 09:56:11 -0500
Subject: [PATCH 049/471] Add more network connection detection images.

---
 sysmonconfig-export.xml | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index d4eab704..03110df0 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -149,12 +149,15 @@
 			<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--BITS File Transfer program-->
 			<Image condition="image">mshta.exe</Image>
 			<Image condition="image">python.exe</Image>
-			<Image condition="image">psexecsvc.exe</Image>
+			<Image condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
+			<Image condition="contains">pskill</Image><!--Detect pskill-->
+			<Image condition="contains">psshutdown</Image><!--Detect PsShutdown-->
+			<Image condition="contains">psservice</Image><!--Detect PsService-->
+			<Image condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
 			<Image condition="image">java.exe</Image>
 			<Image condition="image">installutil.exe</Image>
 			<Image condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
 			<Image condition="image">certutil.exe</Image>
-			<Image condition="image">PsExec.exe</Image>
 			<Image condition="image">reg.exe</Image><!-- Remote Registry -->
 			<Image condition="image">mstsc.exe</Image><!-- Remote Desktop -->
 			<Image condition="image">telnet.exe</Image><!-- Telnet -->
@@ -166,7 +169,15 @@
 			<Image condition="image">tftp.exe</Image><!-- TFTP -->
 			<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
 			<Image condition="image">at.exe</Image><!-- Remote Task Scheduler logging -->
+			<Image condition="image">net.exe</Image><!-- net use/net view-->
 			<Image condition="image">C:\windows\system32\mmc.exe</Image><!-- Microsoft Management Console -->
+			<Image condition="image">nbtstat.exe</Image><!-- Netbios stat-->
+			<Image condition="image">dsquery.exe</Image><!-- Query domain-->
+			<Image condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
+			<Image condition="image">sc.exe</Image><!-- Service Control Manager-->
+			<Image condition="image">auditpol.exe</Image><!-- Auditpol-->
+			<Image condition="image">qwinsta.exe</Image><!-- Query Remote Sessions-->
+			<Image condition="image">rwinsta.exe</Image><!-- Reset Remote Sessions-->
 			<!--Hack tools hosting-->
 			<DestinationHostname condition="end with">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
 			<DestinationHostname condition="end with">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->

From 1e9f415c397d0fa61a5c052e98350e5f33b7a418 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Thu, 23 Feb 2017 14:39:21 -0500
Subject: [PATCH 050/471] Quiet down network logging Not logging
 LLMR,SSDP,netbios-ns, netbios-dgm

---
 sysmonconfig-export.xml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 03110df0..ffbfe236 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -229,9 +229,6 @@
 			<DestinationPort condition="is">22</DestinationPort>   <!--SSH Port-->
 			<DestinationPort condition="is">23</DestinationPort>   <!--Telnet Port-->
 			<DestinationPort condition="is">25</DestinationPort>   <!--SMTP Port-->
-			<DestinationPort condition="is">135</DestinationPort>  <!--MMC Remote Management-->
-			<DestinationPort condition="is">137</DestinationPort>  <!--SMB Port-->
-			<DestinationPort condition="is">138</DestinationPort>  <!--SMB Port-->
 			<DestinationPort condition="is">139</DestinationPort>  <!--SMB Port-->
 			<DestinationPort condition="is">445</DestinationPort>  <!--SMB Port-->
 			<DestinationPort condition="is">5800</DestinationPort> <!--VNC Port-->
@@ -256,9 +253,19 @@
 			<Image condition="image">ScreenConnect.WindowsClient.exe</Image> <!--ScreenConnect Noise-->
 			<Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
 			<Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
+			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser Installed in User profile-->
 			<DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
 			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
 			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->
+			<SourcePortName condition="is">llmnr</SourcePortName> <!--Silence Link-Local Multicast Name Resolution-->
+			<DestinationPortName condition="is">llmnr</DestinationPortName> <!--Silence Link-Local Multicast Name Resolution-->
+			<DestinationPortName condition="is">ssdp</DestinationPortName> <!--Simple Service Discovery Protocol (SSDP-->
+			<SourcePortName condition="is">ssdp</SourcePortName> <!--Simple Service Discovery Protocol (SSDP-->
+			<DestinationPort condition="is">5353</DestinationPort> <!--Bonjour/Avahi Discovery-->
+			<DestinationPortName condition="is">netbios-ns</DestinationPortName> <!--Netbios DNS Resolution-->
+			<DestinationPortName condition="is">netbios-dgm</DestinationPortName> <!--Netbios Datagram Services-->
+			<DestinationHostname condition="end with">1e100.net</DestinationHostname> <!--Google Chrome Safe Search checks-->
+			<DestinationPort condition="is">5228</DestinationPort> <!--Google Chrome Safe Search checks-->
 		</NetworkConnect>
 
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY -->

From 3a394a15c44ce1098c2f7b26e3edb7152b66adf5 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Thu, 23 Feb 2017 14:52:35 -0500
Subject: [PATCH 051/471] Exclude Webroot from lsass logging.

---
 sysmonconfig-export.xml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ffbfe236..e4263fa8 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -360,7 +360,9 @@
 			<SourceImage condition="contains">powershell.exe</SourceImage>
  			<TargetImage condition="contains">lsass.exe</TargetImage>
 		</ProcessAccess>
-
+		<ProcessAccess onmatch="exclude">
+			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
+		</ProcessAccess>
 	<!--SYSMON EVENT ID 11 : FILE CREATED -->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
 		<FileCreate onmatch="include">

From ab5c54837be2a25fa1ffb9971a52163e09d6fe1b Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Thu, 23 Feb 2017 15:01:26 -0500
Subject: [PATCH 052/471] Add additional Webroot AV Exclusions

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e4263fa8..0c080a50 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -113,6 +113,8 @@
 			<!-- <ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> --> <!--Dell:CommandUpdate: Detection process-->
 			<!--SECTION: Intel-->
 			<Image condition="is">C:\Program Files\Intel\Telemetry 2.0\lrio.exe</Image> <!--Intel Telemetry-->
+			<!--SECTION: Antivirus-->
+			<CommandLine condition="begin with">"C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc</CommandLine> <!--Webroot-->
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM -->

From 1fc7e99cab84a0ab9008b6da5839f86853ecf790 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Thu, 23 Feb 2017 15:24:09 -0500
Subject: [PATCH 053/471] Add smartgit exclusion

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 0c080a50..a4987d1c 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -115,6 +115,8 @@
 			<Image condition="is">C:\Program Files\Intel\Telemetry 2.0\lrio.exe</Image> <!--Intel Telemetry-->
 			<!--SECTION: Antivirus-->
 			<CommandLine condition="begin with">"C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc</CommandLine> <!--Webroot-->
+			<!--SECTION: Custom Apps-->
+			<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM -->

From 8eb0fedd6873e5aa123e2a234f11efa54d1c56f3 Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Thu, 23 Feb 2017 20:45:25 -0500
Subject: [PATCH 054/471] Windows defender exclusions

---
 sysmonconfig-export.xml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index a4987d1c..12b33714 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -52,7 +52,9 @@
 			<Image condition="is">C:\Windows\System32\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
 			<Image condition="is">C:\Windows\SysWOW64\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
 			<Image condition="is">C:\Windows\System32\MpSigStub.exe</Image> <!--Microsoft:Windows: Microsoft Malware Protection Signature Update Stub-->
-			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
+			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
+			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Engine</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
+			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Base</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
 			<Image condition="is">C:\Windows\System32\MusNotification.exe</Image><!--Microsoft:Windows: Update Popups-->
 			<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image><!--Microsoft:Windows: Update Popups-->
 			<!--SECTION: Microsoft dotNet-->
@@ -366,6 +368,7 @@
 		</ProcessAccess>
 		<ProcessAccess onmatch="exclude">
 			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
+			<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
 		</ProcessAccess>
 	<!--SYSMON EVENT ID 11 : FILE CREATED -->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->

From 5d208d92d0b7249a29fb0ddb0f5ae6334b02dcb4 Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Thu, 23 Feb 2017 20:52:01 -0500
Subject: [PATCH 055/471] More Nvidia

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 12b33714..47b8b0a6 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -104,6 +104,7 @@
 			<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
 			<!--SECTION: Drivers-->
 			<Image condition="begin with">C:\Program Files\NVIDIA Corporation\</Image> <!--Nvidia:Driver: routine actions-->
+			<Image condition="end with">\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe</Image> <!--Nvidia:Driver: routine actions-->
 			<Image condition="begin with">C:\Program Files\Realtek\</Image> <!--Realtek:Driver: routine actions-->
 			<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
 			<ParentImage condition="end with">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage>

From 12c097ede3e6394f24d189144dbfdd8807af575e Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 26 Feb 2017 12:58:19 -0500
Subject: [PATCH 056/471] Add info for Graylog

---
 README.md | 157 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 157 insertions(+)

diff --git a/README.md b/README.md
index 8bfc85c1..671972b3 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,9 @@ Note: Exact syntax and filtering choices are deliberate to catch appropriate ent
 ## Use ##
 
 ### Auto-Install ###
+~~~~
 Install Sysmon.bat
+~~~~
 
 ### Install ###
 Run with administrator rights
@@ -34,3 +36,158 @@ Run with administrator rights
 ~~~~
 sysmon.exe -u
 ~~~~
+
+## Graylog Configuration ##
+
+## Sysmon Pipeline Rules ##
+
+## Stage -1 ##
+## sysmon cleanup (gl2_source_fix) ##
+~~~~
+// This rule is cleaning up the message
+// -- It addresses an issue with older filebeat versions, which can have trouble with the 'source' field 
+// -- The rule will not cause any trouble with filebeat versions that do not have that issue
+rule "sysmon cleanup (gl2_source_fix)"
+when
+    is_not_null($message.winlogbeat_fields_gl2_source_collector)
+then
+    set_field("gl2_source_collector", to_string($message.winlogbeat_fields_gl2_source_collector));
+    remove_field("winlogbeat_fields_gl2_source_collector");
+end
+~~~~
+
+## sysmon cleanup ##
+~~~~
+// Sysmon Installation
+// -- Sysmon has to be installed on Windows, and be run with: sysmon –i –accepteula –h md5 –n -l 
+// -- Transport should be a winlogbeat
+// -- Consider using the Graylog Sidecar to manage winlogbeat remotely
+rule "sysmon cleanup"
+when
+    // Only run for Sysmon messages
+    has_field("winlogbeat_source_name") AND contains(to_string($message.winlogbeat_source_name), "Microsoft-Windows-Sysmon")
+then
+
+    // Rename some fields to clean up
+    rename_field("winlogbeat_computer_name", "sysmon_computer_name");
+    rename_field("winlogbeat_event_data_Image", "sysmon_data_process");
+    rename_field("winlogbeat_event_data_UtcTime", "sysmon_data_utc_time");
+    rename_field("winlogbeat_event_id", "sysmon_event_id");
+    rename_field("winlogbeat_level", "sysmon_data_level");
+    rename_field("winlogbeat_task", "sysmon_task");
+    rename_field("winlogbeat_event_data_User", "sysmon_data_user");
+    rename_field("winlogbeat_event_data_TargetFilename", "sysmon_data_file_created");
+    rename_field("winlogbeat_event_data_CreationUtcTime", "sysmon_data_file_created_time");
+    rename_field("winlogbeat_event_data_PreviousCreationUtcTime", "sysmon_data_file_created_time_previous");
+    rename_field("winlogbeat_user_name", "sysmon_data_user_name");
+    rename_field("winlogbeat_thread_id", "sysmon_thread_id"); 
+    rename_field("winlogbeat_user_domain", "sysmon_user_domain");
+    rename_field("winlogbeat_user_identifier", "sysmon_user_identifier");
+    rename_field("winlogbeat_user_type", "sysmon_user_type");
+    rename_field("winlogbeat_event_data_DestinationHostname", "sysmon_dns_lookup");
+    rename_field("winlogbeat_event_data_DestinationIp", "sysmon_dns_lookup_ip");
+    rename_field("winlogbeat_event_data_DestinationPort", "sysmon_dest_port");
+    rename_field("winlogbeat_event_data_DestinationPortName", "sysmon_dest_port_name");
+    rename_field("winlogbeat_event_data_Initiated", "sysmon_con_initiated");
+    rename_field("winlogbeat_event_data_Protocol", "sysmon_con_proto");
+    rename_field("winlogbeat_event_data_SourceHostname", "sysmon_src_name");
+    rename_field("winlogbeat_event_data_SourceIp", "sysmon_src_ip");
+    rename_field("winlogbeat_event_data_SourcePort", "sysmon_src_port");
+    rename_field("winlogbeat_event_data_SourcePortName", "sysmon_src_port_name");
+    rename_field("winlogbeat_event_data_CommandLine", "sysmon_cmd_event");
+    rename_field("winlogbeat_event_data_CurrentDirectory", "sysmon_cmd_location");
+    rename_field("winlogbeat_event_data_Hashes", "sysmon_cmd_hash");
+    rename_field("winlogbeat_event_data_IntegrityLevel", "sysmon_cmd_integrity");
+    rename_field("winlogbeat_event_data_LogonId", "sysmon_cmd_logon_id");
+    rename_field("winlogbeat_event_data_ParentCommandLine", "sysmon_cmd_parent_cmd");
+    rename_field("winlogbeat_event_data_ParentImage", "sysmon_cmd_parent_file");
+    rename_field("winlogbeat_event_data_ParentProcessId", "sysmon_cmd_parent_pid");
+    rename_field("winlogbeat_event_data_TerminalSessionId", "sysmon_cmd_terminal_pid");
+    rename_field("winlogbeat_event_data_LogonGuid", "sysmon_cmd_logon_guid");
+    rename_field("winlogbeat_event_data_ParentProcessGuid", "sysmon_cmd_parent_guid");
+    rename_field("winlogbeat_event_data_TargetObject", "sysmon_registry_object");
+    rename_field("winlogbeat_event_EventType", "sysmon_registry_Type");
+    rename_field("winlogbeat_event_data_Details", "sysmon_registry_set");
+    rename_field("winlogbeat_event_data_SourceImage", "sysmon_paccess_source_img");
+    rename_field("winlogbeat_event_data_SourceProcessGUID", "sysmon_paccess_pguid");
+    rename_field("winlogbeat_event_data_SourceProcessId", "sysmon_paccess_pid");
+    rename_field("winlogbeat_event_data_SourceThreadId", "sysmon_paccess_threadid");
+    rename_field("winlogbeat_event_data_TargetImage", "sysmon_paccess_target_image");
+    rename_field("winlogbeat_event_data_TargetProcessGUID", "sysmon_paccess_target_guid");
+    rename_field("winlogbeat_event_data_TargetProcessid", "sysmon_paccess_target_pid");    
+
+    // Remove clutter.
+    let fix = regex("^\\{(\\S+)\\}$", to_string($message.winlogbeat_event_data_ProcessGuid));
+    set_field("sysmon_data_process_guid", to_string(fix["0"]));
+    remove_field("winlogbeat_event_data_ProcessGuid");
+
+    let fix = regex("^\\{(\\S+)\\}$", to_string($message.winlogbeat_provider_guid));
+    set_field("sysmon_data_provider_gui", to_string(fix["0"]));
+    remove_field("winlogbeat_provider_guid");
+
+
+    // Remove unwanted fields
+    remove_field("name");
+    remove_field("tags");
+    remove_field("type");
+
+    // Remove winlogbeats fields we don't need
+    remove_field("winlogbeat_event_data_ProcessId");
+    remove_field("winlogbeat_log_name");
+    remove_field("winlogbeat_opcode");
+    remove_field("winlogbeat_process_id");
+    remove_field("winlogbeat_record_number");
+    remove_field("winlogbeat_source_name");
+    remove_field("winlogbeat_tags");
+    remove_field("winlogbeat_type");
+    remove_field("winlogbeat_version");
+    remove_field("winlogbeat_event_data_SourceIsIpv6");
+    remove_field("winlogbeat_event_data_DestinationIsIpv6");
+end
+~~~~
+
+## Stage 0 ##
+~~~~
+// Threat Intelligence enrichment
+// --- Needs installed Graylog Threat Intel plugin : https://github.com/Graylog2/graylog-plugin-threatintel
+rule "sysmon threatintel"
+when
+   // To save CPU cycles, only run if there is something to look up
+   has_field("sysmon_dns_lookup") OR has_field("sysmon_dns_lookup_ip") OR has_field("sysmon_src_ip")
+then
+
+    // look up the requested DNS captured by sysmon
+    // this will be the most fired rule
+    let sysmon_dns_lookup_intel = threat_intel_lookup_domain(to_string($message.query_domain), "sysmon_dns_lookup");
+    set_fields(sysmon_dns_lookup_intel);
+
+    // look up the ip from the DNS answer
+    // if we do not monitor the dns, then this might be nice to have
+    let sysmon_lookup_ip_answer_intel = threat_intel_lookup_ip(to_string($message.query_answer), "sysmon_dns_lookup_ip");
+    set_fields(sysmon_lookup_ip_answer_intel);
+
+    // look up the requesting IP 
+    // this is useful if dealing with non internal IPs 
+    // so you know if your IP is seen as a problem
+    let sysmon_src_ip_answer_intel = threat_intel_lookup_ip(to_string($message.query_answer), "sysmon_src_ip");
+    set_fields(sysmon_src_ip_answer_intel);
+
+    // WHOIS lookup. This is disabled by default. Enable and carefully watch latency and performance.
+    //let sysmon_dns_lookup_ip_whois = whois_lookup_ip(to_string($message.query_answer), "sysmon_dns_lookup_ip");
+    //set_fields(sysmon_dns_lookup_ip_whois);
+end
+~~~~
+
+## Stage 1 ##
+~~~~
+rule "sysmon threatintel inflate"
+when
+    // run only if one of the fields is true
+    to_bool($message.sysmon_dns_lookup_ip_threat_indicated) OR to_bool($message.sysmon_dns_lookup_threat_indicated) OR to_bool($message.sysmon_src_ip_threat_indicated)
+then
+
+    // This is to make Graylog searches easy
+    // -- Enables searches like threat_indicated:true
+    set_field("threat_indicated", true);
+end
+~~~~

From c92f1de7ee1abe3002bf2d5a00e66037c953a98d Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 26 Feb 2017 13:00:27 -0500
Subject: [PATCH 057/471] Update README.md

---
 README.md | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 671972b3..bb6fac9d 100644
--- a/README.md
+++ b/README.md
@@ -37,12 +37,13 @@ Run with administrator rights
 sysmon.exe -u
 ~~~~
 
-## Graylog Configuration ##
+### Graylog Configuration ###
 
-## Sysmon Pipeline Rules ##
+
+### Sysmon Pipeline Rules ###
 
 ## Stage -1 ##
-## sysmon cleanup (gl2_source_fix) ##
+# sysmon cleanup (gl2_source_fix) #
 ~~~~
 // This rule is cleaning up the message
 // -- It addresses an issue with older filebeat versions, which can have trouble with the 'source' field 
@@ -56,7 +57,7 @@ then
 end
 ~~~~
 
-## sysmon cleanup ##
+# sysmon cleanup #
 ~~~~
 // Sysmon Installation
 // -- Sysmon has to be installed on Windows, and be run with: sysmon –i –accepteula –h md5 –n -l 
@@ -146,7 +147,7 @@ then
 end
 ~~~~
 
-## Stage 0 ##
+# Stage 0 #
 ~~~~
 // Threat Intelligence enrichment
 // --- Needs installed Graylog Threat Intel plugin : https://github.com/Graylog2/graylog-plugin-threatintel
@@ -178,7 +179,7 @@ then
 end
 ~~~~
 
-## Stage 1 ##
+# Stage 1 #
 ~~~~
 rule "sysmon threatintel inflate"
 when

From 5270b8043a560d194ec878e23aa9104a9575fd75 Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Sun, 26 Feb 2017 13:06:28 -0500
Subject: [PATCH 058/471] Add Graylog Content Pack

---
 Graylog_Content_Pack/sysmon_content_pack.json | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Graylog_Content_Pack/sysmon_content_pack.json

diff --git a/Graylog_Content_Pack/sysmon_content_pack.json b/Graylog_Content_Pack/sysmon_content_pack.json
new file mode 100644
index 00000000..ed739001
--- /dev/null
+++ b/Graylog_Content_Pack/sysmon_content_pack.json
@@ -0,0 +1 @@
+{"name":"sysmon dashboard","description":"Sysmon Dashboard\n\nGraylog Sysmon Dashboard\n","category":"sysmon, windows","inputs":[],"streams":[],"outputs":[],"dashboards":[{"title":"SysMon","description":"Windows Information Board","dashboard_widgets":[{"description":"Task (registered 24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_task","show_pie_chart":false,"query":"_exists_:sysmon_task","show_data_table":true},"col":1,"row":4,"height":2,"width":1},{"description":"Target Location (24h)","type":"org.graylog.plugins.map.widget.strategy.MapWidgetStrategy","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_dns_lookup_ip_geolocation","query":"_exists_:sysmon_dns_lookup_ip_geolocation"},"col":2,"row":1,"height":2,"width":2},{"description":"Integrity (24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_cmd_integrity","show_pie_chart":false,"query":"_exists_:sysmon_cmd_integrity","show_data_table":true},"col":4,"row":3,"height":2,"width":1},{"description":"DNS Lookup (24h)","type":"QUICKVALUES","cache_time":100,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_dns_lookup","show_pie_chart":false,"query":"_exists_:sysmon_dns_lookup","show_data_table":true},"col":3,"row":3,"height":3,"width":1},{"description":"Event ID (24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_event_id","show_pie_chart":true,"query":"_exists_:sysmon_event_id","show_data_table":false},"col":1,"row":2,"height":2,"width":1},{"description":"User Acting (24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_user_type","show_pie_chart":false,"query":"_exists_: sysmon_user_type","show_data_table":true},"col":4,"row":2,"height":1,"width":1},{"description":"Programs (24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_data_process","show_pie_chart":false,"query":"_exists_:sysmon_data_process","show_data_table":true},"col":2,"row":3,"height":3,"width":1},{"description":"Thread Indicated (24h)","type":"SEARCH_RESULT_COUNT","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"lower_is_better":true,"trend":true,"query":"_exists_:sysmon_task AND _exists_:threat_indicated AND threat_indicated:true"},"col":1,"row":1,"height":1,"width":1},{"description":"Threat Lookups (24h)","type":"SEARCH_RESULT_COUNT","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"lower_is_better":false,"trend":true,"query":"_exists_:sysmon_task AND _exists_:threat_indicated AND threat_indicated:false"},"col":4,"row":1,"height":1,"width":1}]}],"grok_patterns":[]}
\ No newline at end of file

From fecff433ef8b1d6f94c2dd8a1fb4d8b15b2a20d1 Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Sun, 26 Feb 2017 13:12:42 -0500
Subject: [PATCH 059/471] Keep Fields for now

---
 README.md | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index bb6fac9d..69f681f2 100644
--- a/README.md
+++ b/README.md
@@ -133,17 +133,17 @@ then
     remove_field("type");
 
     // Remove winlogbeats fields we don't need
-    remove_field("winlogbeat_event_data_ProcessId");
-    remove_field("winlogbeat_log_name");
-    remove_field("winlogbeat_opcode");
-    remove_field("winlogbeat_process_id");
-    remove_field("winlogbeat_record_number");
-    remove_field("winlogbeat_source_name");
-    remove_field("winlogbeat_tags");
-    remove_field("winlogbeat_type");
-    remove_field("winlogbeat_version");
-    remove_field("winlogbeat_event_data_SourceIsIpv6");
-    remove_field("winlogbeat_event_data_DestinationIsIpv6");
+    //remove_field("winlogbeat_event_data_ProcessId");
+    //remove_field("winlogbeat_log_name");
+    //remove_field("winlogbeat_opcode");
+    //remove_field("winlogbeat_process_id");
+    //remove_field("winlogbeat_record_number");
+    //remove_field("winlogbeat_source_name");
+    //remove_field("winlogbeat_tags");
+    //remove_field("winlogbeat_type");
+    //remove_field("winlogbeat_version");
+    //remove_field("winlogbeat_event_data_SourceIsIpv6");
+    //remove_field("winlogbeat_event_data_DestinationIsIpv6");
 end
 ~~~~
 

From c356e43597dbaf9b7be3df5439ae62bd49df510c Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Sun, 26 Feb 2017 15:51:46 -0500
Subject: [PATCH 060/471] Add Windows Services to cut down on noise.

---
 sysmonconfig-export.xml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 47b8b0a6..9f52aee3 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -57,6 +57,19 @@
 			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Base</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
 			<Image condition="is">C:\Windows\System32\MusNotification.exe</Image><!--Microsoft:Windows: Update Popups-->
 			<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image><!--Microsoft:Windows: Update Popups-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wsappx</CommandLine><!--Microsoft:Windows 10-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k appmodel</CommandLine><!--Microsoft:Windows 10-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k UnistackSvcGroup</CommandLine><!--Microsoft:Windows 10-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k defragsvc</CommandLine><!--Microsoft:Windows Defrag-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k RPCSS</CommandLine><!--Microsoft:Windows Services-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k utcsvc</CommandLine><!--Microsoft:Windows Services-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wbioSvcGroup</CommandLine><!--Microsoft:Windows Services-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k DcomLaunch</CommandLine><!--Microsoft:Windows Services-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k swprv</CommandLine><!--Microsoft:Software Shadow Copy Provider-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k imgsvc</CommandLine><!--Microsoft:The Windows Image Acquisition Service-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k NetworkServiceNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation</CommandLine><!--Microsoft:Windows Network Services-->
 			<!--SECTION: Microsoft dotNet-->
 			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
 			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->

From ea638513cd4e12f8abafb8148e283b5f3479d1ad Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Sun, 26 Feb 2017 15:58:16 -0500
Subject: [PATCH 061/471] Add more .Net framework exclusions.

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 9f52aee3..2e7a11e7 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -75,6 +75,8 @@
 			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
 			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
 			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
+			<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine> <!--Microsoft:DotNet-->
+			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
 			<!--SECTION: Microsoft Office-->
 			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process-->
 			<ParentImage condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage> <!--Microsoft:Office: Background process-->

From f84257392dc0241714b109a36c96890edbc63ac9 Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Sun, 26 Feb 2017 16:04:30 -0500
Subject: [PATCH 062/471] Add powercfg exclusion, allot of noise on MSI Gaming
 Laptops

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 2e7a11e7..09ab77c1 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -70,6 +70,7 @@
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k NetworkServiceNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation</CommandLine><!--Microsoft:Windows Network Services-->
+			<Image condition="is">C:\Windows\System32\powercfg.exe</Image><!--Microsoft:Power Management-->
 			<!--SECTION: Microsoft dotNet-->
 			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
 			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->

From 6e6a2ef12fdecf50ddea6680cb6c73b72c3e08c5 Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Sun, 26 Feb 2017 16:22:46 -0500
Subject: [PATCH 063/471] exclude .log and .etl files

---
 sysmonconfig-export.xml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 09ab77c1..3e7dcdde 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -474,7 +474,9 @@
 			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost -->
 			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe -->
 			<TargetFilename condition="begin with">C:\Windows\System32\DriverStore\Temp\</TargetFilename> <!-- Microsoft:Windows: Temp files by DrvInst.exe-->
-			<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\</TargetFilename> <!-- Microsoft:Windows: Feature updates containing lots of .exe and .sys-->
+			<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mou	nt\</TargetFilename> <!-- Microsoft:Windows: Feature updates containing lots of .exe and .sys-->
+			<TargetFilename condition="end with">.etl</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->
+			<TargetFilename condition="end with">.log</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->
 			<Image condition="begin with">C:\WINDOWS\winsxs\amd64_microsoft-windows</Image> <!-- Microsoft:Windows: Windows update-->
 			<Image condition="begin with">Firefox Setup </Image> <!-- Firefox:Installer -->
 		</FileCreate>

From 0c627710609dcc5ef60dd9cc201d01f7e12d4ed3 Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Sun, 26 Feb 2017 16:24:59 -0500
Subject: [PATCH 064/471] delete accidental tab ;)

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 3e7dcdde..e5764822 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -474,7 +474,7 @@
 			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost -->
 			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe -->
 			<TargetFilename condition="begin with">C:\Windows\System32\DriverStore\Temp\</TargetFilename> <!-- Microsoft:Windows: Temp files by DrvInst.exe-->
-			<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mou	nt\</TargetFilename> <!-- Microsoft:Windows: Feature updates containing lots of .exe and .sys-->
+			<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\</TargetFilename> <!-- Microsoft:Windows: Feature updates containing lots of .exe and .sys-->
 			<TargetFilename condition="end with">.etl</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->
 			<TargetFilename condition="end with">.log</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->
 			<Image condition="begin with">C:\WINDOWS\winsxs\amd64_microsoft-windows</Image> <!-- Microsoft:Windows: Windows update-->

From 0972bdb10c085cff9da94535fdc27b07c54796f7 Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Sun, 26 Feb 2017 18:30:49 -0500
Subject: [PATCH 065/471] Exclude Network Noise from WS-Discovery

---
 sysmonconfig-export.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e5764822..aea6dcf8 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -289,6 +289,9 @@
 			<DestinationPortName condition="is">netbios-dgm</DestinationPortName> <!--Netbios Datagram Services-->
 			<DestinationHostname condition="end with">1e100.net</DestinationHostname> <!--Google Chrome Safe Search checks-->
 			<DestinationPort condition="is">5228</DestinationPort> <!--Google Chrome Safe Search checks-->
+			<DestinationPort condition="is">5357</DestinationPort> <!--WSD API noise-->
+			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
+			<SourcePort condition="is">5228</SourcePort> <!--Windows: WS-Discovery noise-->
 		</NetworkConnect>
 
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY -->

From c3d22b0b0b94fd90336d35a5a16cac4e1641e021 Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Sun, 26 Feb 2017 18:32:19 -0500
Subject: [PATCH 066/471] Test: Log DNS for Graylog threat discovery

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index aea6dcf8..ab8e793c 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -266,6 +266,7 @@
 			<DestinationPort condition="is">3128</DestinationPort> <!--Socks Port-->
 			<DestinationPort condition="is">9001</DestinationPort> <!--Tor Port-->
 			<DestinationPort condition="is">9030</DestinationPort> <!--Tor Port-->
+			<DestinationPort condition="is">53</DestinationPort> <!--Log DNS for Graylog threat discovery-->
 		</NetworkConnect>
 		<NetworkConnect onmatch="exclude">
 			<Image condition="image">Spotify.exe</Image> <!--Spotify-->

From 696d22ef1f5cfc78866f53bb9d25719ee30dd711 Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Sun, 26 Feb 2017 19:11:28 -0500
Subject: [PATCH 067/471] Add additional ports to exclude

---
 sysmonconfig-export.xml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ab8e793c..ca21bd06 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -291,8 +291,10 @@
 			<DestinationHostname condition="end with">1e100.net</DestinationHostname> <!--Google Chrome Safe Search checks-->
 			<DestinationPort condition="is">5228</DestinationPort> <!--Google Chrome Safe Search checks-->
 			<DestinationPort condition="is">5357</DestinationPort> <!--WSD API noise-->
+			<DestinationPort condition="is">3544</DestinationPort> <!--Teredo-->
 			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
-			<SourcePort condition="is">5228</SourcePort> <!--Windows: WS-Discovery noise-->
+			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
+			<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
 		</NetworkConnect>
 
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY -->

From 348c3cc36b656d3c9c560ecdaf6dc676efb90a8a Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Sun, 26 Feb 2017 19:30:12 -0500
Subject: [PATCH 068/471] HD Audio Noise exclusion

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ca21bd06..dfc50c3c 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -648,6 +648,8 @@
 			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image><!--Microsoft:Windows Remove noise from Windows 10 Cortana--> <!--Win10 -->
 			<!--SECTION: 3rd party-->
 			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image>
+			<TargetObject condition="contains">HKLM\System\CurrentControlSet\Services\DeviceAssociationService\Start</TargetObject><!--Device Association Service Noise-->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}\</TargetObject><!-- HD Audio Noise-->
 		</RegistryEvent>
 
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED -->

From 70a23dca061e42cb30e443d723fb51665c8d78ae Mon Sep 17 00:00:00 2001
From: defcon <defconoii@gmail.com>
Date: Sun, 26 Feb 2017 20:23:50 -0500
Subject: [PATCH 069/471] Make network detection more specific, could not use:
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*\
 Oddly... If anyone can make wildcards work, let me know.

---
 sysmonconfig-export.xml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index dfc50c3c..93d6a582 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -586,7 +586,14 @@
 			 <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
 			 <!--Detect Network History-->
 			 <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
-			 <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\</TargetObject><!--Also detects DNS Change Trojans-->
+			 <TargetObject condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
+			 <TargetObject condition="end with">DefaultGateway</TargetObject><!--Networking: Detect changes-->
+			 <TargetObject condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
+			 <TargetObject condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
+			 <TargetObject condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
+			 <TargetObject condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
+			 <TargetObject condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
+			 <TargetObject condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
 			 <!--Detect User Activity-->
 			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
 			 <TargetObject condition="begin with">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB</TargetObject>

From 509dd6772b1ee4cb8bd99af9c01290a72555379a Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 27 Feb 2017 09:58:10 -0500
Subject: [PATCH 070/471] Vivaldi browser installed in appdata exception

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 93d6a582..0f902693 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -136,6 +136,7 @@
 			<CommandLine condition="begin with">"C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc</CommandLine> <!--Webroot-->
 			<!--SECTION: Custom Apps-->
 			<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
+			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--SmartGit-->
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM -->

From aea769107dab7ce594e9091bb34af2ae0f6b9418 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 27 Feb 2017 12:22:53 -0500
Subject: [PATCH 071/471] Add Labtech, Vivaldi Exceptions & Added Webroot AV
 threat detection

---
 sysmonconfig-export.xml | 36 +++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 0f902693..c0999ed7 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -134,9 +134,39 @@
 			<Image condition="is">C:\Program Files\Intel\Telemetry 2.0\lrio.exe</Image> <!--Intel Telemetry-->
 			<!--SECTION: Antivirus-->
 			<CommandLine condition="begin with">"C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc</CommandLine> <!--Webroot-->
+			<!--SECTION: Labtech -->
+			<!--Since Labtech nests its processes, the following exclusions could be exploited, remove if you do not need-->
+			<!--TODO: Will define these more in the future-->
+			<ParentCommandLine condition="is">C:\Windows\LTSvc\LTSVC.exe -sLTService</ParentCommandLine> <!--Labtech Agent-->
+			<ParentImage condition="is">C:\Windows\LTSvc\LTSVC.exe</ParentImage> <!--Labtech Agent-->
+			<CommandLine condition="contains">find /i "Listening"</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">netstat -an</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">tasklist</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">find /i "Listening"</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">netstat -an</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">tasklist</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">wmic path win32_operatingsystem get</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">sc queryex type= service</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">powershell.exe "(Get-Item 'C:\Program Files\StorageCraft\ImageManager\ImageManager.exe'</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">powershell.exe "Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue;(Get-PSSnapin microsoft.sharepoint.powershell).Version.Major;"</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">find /i "Listening"</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">netstat -an</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">tasklist</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">wmic path win32_operatingsystem get</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">sc queryex type= service</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">powershell.exe "(Get-Item 'C:\Program Files\StorageCraft\ImageManager\ImageManager.exe'</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">powershell.exe "Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue;(Get-PSSnapin microsoft.sharepoint.powershell).Version.Major;"</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="is">powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname"</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="is">powershell.exe "(Get-WmiObject -Query 'SELECT LicensingType FROM Win32_TerminalServiceSetting').LicensingType"</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="is">powershell.exe "(Get-WmiObject -Namespace Root\CimV2\TerminalServices -Query 'SELECT LicensingType FROM Win32_TerminalServiceSetting').LicensingType"</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">tasklist</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="is">"cmd.exe" /C "net view \\localhost | find " Print ""</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="is">"cmd.exe" /C "net view \\localhost | find " Disk ""</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="is">C:\Windows\system32\net1 Share</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
 			<!--SECTION: Custom Apps-->
 			<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
-			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--SmartGit-->
+			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser-->
+			<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--Connectwise-->
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM -->
@@ -599,6 +629,10 @@
 			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
 			 <TargetObject condition="begin with">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB</TargetObject>
 			 <TargetObject condition="begin with">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
+			  <!--Detect Threats from Webroot Antivirus-->
+			  <!--Active threats show like so: c:\users\JohnDoe\downloads\w10privacy\w10privacy.exe|W32.Backdoor.Gen|5880BC38 Reg Key Location: HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active-->
+			 <TargetObject condition="contains">HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WRData\Threats\Active</TargetObject><!--Detect Active Threats-->
+			 <TargetObject condition="contains">HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WRData\Threats\History</TargetObject><!--Detect Threat History & Auto-Removed Threats-->
 		</RegistryEvent>
 		<RegistryEvent onmatch="exclude">
 		<!--COMMENT:	Remove low-information noise-->

From d1c84510a713f794497273857761d5f7f53f0d60 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 27 Feb 2017 12:26:10 -0500
Subject: [PATCH 072/471] Network Services Exclusions

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index c0999ed7..e1c69294 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -70,6 +70,8 @@
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k NetworkServiceNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation</CommandLine><!--Microsoft:Windows Network Services-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</CommandLine><!--Microsoft:Windows Network Services-->
+			<ParentCommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</ParentCommandLine><!--Microsoft:Windows Network Services: Spawns Consent.exe-->
 			<Image condition="is">C:\Windows\System32\powercfg.exe</Image><!--Microsoft:Power Management-->
 			<!--SECTION: Microsoft dotNet-->
 			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->

From 40a3df91a3ecf4a203a1bc33bc9c9275b064d49c Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 27 Feb 2017 15:04:08 -0500
Subject: [PATCH 073/471] Add file and process exclusions

---
 sysmonconfig-export.xml | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e1c69294..708d158f 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -132,10 +132,13 @@
 			<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
 			<!--SECTION: Dell-->
 			<!-- <ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> --> <!--Dell:CommandUpdate: Detection process-->
+			<!--SECTION: Lenovo-->
+			<Image condition="is">C:\Windows\system32\LPlatSvc.exe</Image> <!--Lenovo Platform Services-->
 			<!--SECTION: Intel-->
 			<Image condition="is">C:\Program Files\Intel\Telemetry 2.0\lrio.exe</Image> <!--Intel Telemetry-->
 			<!--SECTION: Antivirus-->
 			<CommandLine condition="begin with">"C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc</CommandLine> <!--Webroot-->
+			<!--SECTION: Custom Apps-->
 			<!--SECTION: Labtech -->
 			<!--Since Labtech nests its processes, the following exclusions could be exploited, remove if you do not need-->
 			<!--TODO: Will define these more in the future-->
@@ -149,7 +152,7 @@
 			<ParentCommandLine condition="contains">tasklist</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">wmic path win32_operatingsystem get</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">sc queryex type= service</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">powershell.exe "(Get-Item 'C:\Program Files\StorageCraft\ImageManager\ImageManager.exe'</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">powershell.exe "(Get-Item 'C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe'</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">powershell.exe "Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue;(Get-PSSnapin microsoft.sharepoint.powershell).Version.Major;"</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">find /i "Listening"</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">netstat -an</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
@@ -158,17 +161,25 @@
 			<CommandLine condition="contains">sc queryex type= service</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">powershell.exe "(Get-Item 'C:\Program Files\StorageCraft\ImageManager\ImageManager.exe'</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">powershell.exe "Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue;(Get-PSSnapin microsoft.sharepoint.powershell).Version.Major;"</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">powershell.exe "Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue;get-spfarm | select Products;"</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="is">powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname"</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="is">powershell.exe "(Get-WmiObject -Query 'SELECT LicensingType FROM Win32_TerminalServiceSetting').LicensingType"</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="is">powershell.exe "(Get-WmiObject -Namespace Root\CimV2\TerminalServices -Query 'SELECT LicensingType FROM Win32_TerminalServiceSetting').LicensingType"</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">powershell.exe "(Get-WmiObject -Query 'SELECT LicensingType FROM Win32_TerminalServiceSetting').LicensingType"</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">powershell.exe "(Get-WmiObject -Namespace Root\CimV2\TerminalServices -Query 'SELECT LicensingType FROM Win32_TerminalServiceSetting').LicensingType"</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">tasklist</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="is">"cmd.exe" /C "net view \\localhost | find " Print ""</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="is">"cmd.exe" /C "net view \\localhost | find " Disk ""</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="is">C:\Windows\system32\net1 Share</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<!--SECTION: Custom Apps-->
+			<ParentCommandLine condition="is">"cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentImage condition="is">C:\Program Files (x86)\LabTech Client\LTClient.exe</ParentImage> <!--Labtech Client-->
+			<!--END: Labtech-->
+			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->
 			<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
 			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser-->
 			<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--Connectwise-->
+			<!-- VMware vSphere spawns child processes to svtres.exe and csc.exe, currently unable to exclude those child processes, csc and cvtres.exe are used by some malware-->
+			<ParentCommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</ParentCommandLine> <!--VMware vSphere spawns subprocesses-->
+			<CommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</CommandLine><!--VMware vSphere spawns subprocesses-->
+			<ParentImage condition="is">C:\Program Files (x86)\SyncedTool\bin\agent_service.exe</ParentImage><!--eFolder Synced Tool-->
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM -->
@@ -518,6 +529,17 @@
 			<TargetFilename condition="end with">.log</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->
 			<Image condition="begin with">C:\WINDOWS\winsxs\amd64_microsoft-windows</Image> <!-- Microsoft:Windows: Windows update-->
 			<Image condition="begin with">Firefox Setup </Image> <!-- Firefox:Installer -->
+			<TargetFilename condition="is">C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive</TargetFilename> <!--Powershell spam!-->
+			<TargetFilename condition="is">C:\Windows\System32\config\netlogon.ftl</TargetFilename> <!-- Microsoft:Windows: Domain login cache-->
+			<Image condition="is">\\?\C:\Windows\system32\wbem\WMIADAP.EXE</Image><!-- Microsoft:Windows: WMI Performance updates-->
+			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image><!-- Microsoft:Office Click2Run-->
+			<Image condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</Image><!-- MSI: Helpdesk Updater-->
+			<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image><!-- Microsoft:Windows: Windows 10 app, creates tons of cache files-->
+			<Image condition="is">C:\Program Files\Microsoft SQL Server\110\LocalDB\Binn\sqlservr.exe</Image><!-- Microsoft:SQL Server: Creating tons of files-->
+			<Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image><!--INTEL: Application creates a bat file in Windows System32, and drops other files-->
+			<Image condition="is">C:\Windows\System32\smss.exe</Image><!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
+			<Image condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</Image><!-- MSI: Dragon Center Updater-->
+			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image><!-- VMware:vSphere: Creates .cmdline apps in appdata\*\Temp-->
 		</FileCreate>
 
 	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION -->

From fa68a4aa31f073fa8fd0555ec942a692f87e6d7e Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 27 Feb 2017 16:04:06 -0500
Subject: [PATCH 074/471] Add Lenovo Exclusions

---
 sysmonconfig-export.xml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 708d158f..258e99cb 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -133,7 +133,11 @@
 			<!--SECTION: Dell-->
 			<!-- <ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> --> <!--Dell:CommandUpdate: Detection process-->
 			<!--SECTION: Lenovo-->
-			<Image condition="is">C:\Windows\system32\LPlatSvc.exe</Image> <!--Lenovo Platform Services-->
+			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\ConfigService.exe</Image> <!--Lenovo: System Update-->
+			<ParentImage condition="is">C:\PROGRA~3\Lenovo\SYSTEM~1\SESSIO~1\REPOSI~1\fwdphb06\fwdphb06_version.exe</ParentImage><!--Lenovo: System Update-->
+			<ParentCommandLine condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsukernel.exe</ParentCommandLine><!--Lenovo: System Update-->
+			<Image condition="is">C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe</Image><!--Lenovo: Thinkpad Utilities-->
+			<Image condition="is">C:\Windows\system32\LPlatSvc.exe</Image> <!--Lenovo: Platform Services-->
 			<!--SECTION: Intel-->
 			<Image condition="is">C:\Program Files\Intel\Telemetry 2.0\lrio.exe</Image> <!--Intel Telemetry-->
 			<!--SECTION: Antivirus-->

From 0570d73bc7907a1b02ef00b51f5409da5783fe77 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 27 Feb 2017 16:29:49 -0500
Subject: [PATCH 075/471] Add additional Lenovo, Microsoft and Synaptics
 Exclusions

---
 sysmonconfig-export.xml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 258e99cb..bd855433 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -57,6 +57,7 @@
 			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Base</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
 			<Image condition="is">C:\Windows\System32\MusNotification.exe</Image><!--Microsoft:Windows: Update Popups-->
 			<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image><!--Microsoft:Windows: Update Popups-->
+			<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine><!--Microsoft:Windows: Search Indexer-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wsappx</CommandLine><!--Microsoft:Windows 10-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k appmodel</CommandLine><!--Microsoft:Windows 10-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k UnistackSvcGroup</CommandLine><!--Microsoft:Windows 10-->
@@ -72,6 +73,7 @@
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation</CommandLine><!--Microsoft:Windows Network Services-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</CommandLine><!--Microsoft:Windows Network Services-->
 			<ParentCommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</ParentCommandLine><!--Microsoft:Windows Network Services: Spawns Consent.exe-->
+			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted</ParentCommandLine><!--Microsoft:Windows Network Services-->
 			<Image condition="is">C:\Windows\System32\powercfg.exe</Image><!--Microsoft:Power Management-->
 			<!--SECTION: Microsoft dotNet-->
 			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
@@ -127,6 +129,7 @@
 			<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
 			<ParentImage condition="end with">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage>
 			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
+			<ParentImage condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</ParentImage><!--Synaptics Touchpad -->
 			<!--SECTION: Dropbox-->
 			<Image condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> <!--Dropbox:Updater: Lots of command-line arguments-->
 			<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
@@ -138,8 +141,13 @@
 			<ParentCommandLine condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsukernel.exe</ParentCommandLine><!--Lenovo: System Update-->
 			<Image condition="is">C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe</Image><!--Lenovo: Thinkpad Utilities-->
 			<Image condition="is">C:\Windows\system32\LPlatSvc.exe</Image> <!--Lenovo: Platform Services-->
+			<ParentImage condition="is">C:\Program Files\Lenovo\HOTKEY\tphkload.exe</ParentImage><!--Lenovo: Hotkey Tools-->
+			<ParentImage condition="is">C:\Program Files\Lenovo\HOTKEY\micmute.exe</ParentImage><!--Lenovo: Hotkey Tools-->
+			<Image condition="is">C:\Program Files\Lenovo\InstantOn\InstantOnSrv.exe</Image> <!--Lenovo: Instant-On-->
+			<Image condition="is">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelService.exe</Image> <!--Lenovo: Mouse Suite-->
 			<!--SECTION: Intel-->
-			<Image condition="is">C:\Program Files\Intel\Telemetry 2.0\lrio.exe</Image> <!--Intel Telemetry-->
+			<Image condition="is">C:\Program Files\Intel\Telemetry 2.0\lrio.exe</Image> <!--Intel: Telemetry-->
+			<Image condition="is">C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe</Image> <!--Intel: Driver Update-->
 			<!--SECTION: Antivirus-->
 			<CommandLine condition="begin with">"C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc</CommandLine> <!--Webroot-->
 			<!--SECTION: Custom Apps-->

From 50c742e63229ec97d83d0b83eb9a2777aab27d0e Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 27 Feb 2017 17:16:40 -0500
Subject: [PATCH 076/471] adjusted personal exclusions for labtech EXCESSIVE
 noise, added LDAP exclusion.

---
 sysmonconfig-export.xml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index bd855433..f7d0ce32 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -164,24 +164,23 @@
 			<ParentCommandLine condition="contains">tasklist</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">wmic path win32_operatingsystem get</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">sc queryex type= service</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">powershell.exe "(Get-Item 'C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe'</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">powershell.exe "Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue;(Get-PSSnapin microsoft.sharepoint.powershell).Version.Major;"</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">Add-PSSnapin Microsoft.SharePoint.PowerShell</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">find /i "Listening"</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">netstat -an</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">tasklist</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">wmic path win32_operatingsystem get</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">sc queryex type= service</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">powershell.exe "(Get-Item 'C:\Program Files\StorageCraft\ImageManager\ImageManager.exe'</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">powershell.exe "Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue;(Get-PSSnapin microsoft.sharepoint.powershell).Version.Major;"</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">powershell.exe "Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue;get-spfarm | select Products;"</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="is">powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname"</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">powershell.exe "(Get-WmiObject -Query 'SELECT LicensingType FROM Win32_TerminalServiceSetting').LicensingType"</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">powershell.exe "(Get-WmiObject -Namespace Root\CimV2\TerminalServices -Query 'SELECT LicensingType FROM Win32_TerminalServiceSetting').LicensingType"</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">C:\Program Files\StorageCraft\ImageManager\ImageManager.exe</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">Add-PSSnapin Microsoft.SharePoint.PowerShell</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">Get-WmiObject -Query 'SELECT LicensingType FROM Win32_TerminalServiceSetting').LicensingType</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">Get-WmiObject -Namespace Root\CimV2\TerminalServices</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">tasklist</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="is">"cmd.exe" /C "net view \\localhost | find " Print ""</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="is">"cmd.exe" /C "net view \\localhost | find " Disk ""</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="is">C:\Windows\system32\net1 Share</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="is">"cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">net view \\localhost | find " Print</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">net view \\localhost | find " Disk</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">C:\Windows\system32\net1 Share</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentImage condition="is">C:\Program Files (x86)\LabTech Client\LTClient.exe</ParentImage> <!--Labtech Client-->
 			<!--END: Labtech-->
 			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->
@@ -338,6 +337,7 @@
 			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
 			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->
 			<SourcePortName condition="is">llmnr</SourcePortName> <!--Silence Link-Local Multicast Name Resolution-->
+			<SourcePortName condition="is">ldap</SourcePortName> <!--Silence Link-Local Multicast Name Resolution-->
 			<DestinationPortName condition="is">llmnr</DestinationPortName> <!--Silence Link-Local Multicast Name Resolution-->
 			<DestinationPortName condition="is">ssdp</DestinationPortName> <!--Simple Service Discovery Protocol (SSDP-->
 			<SourcePortName condition="is">ssdp</SourcePortName> <!--Simple Service Discovery Protocol (SSDP-->

From 76344dd7cbd815cf7fe32bf20deb99530ec82963 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 27 Feb 2017 17:34:52 -0500
Subject: [PATCH 077/471] Add More Exclusions

---
 sysmonconfig-export.xml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f7d0ce32..ddef55f1 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -42,6 +42,8 @@
 			<Image condition="is">C:\Windows\System32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly-->
 			<Image condition="is">C:\Windows\System32\conhost.exe</Image> <!--Microsoft:Windows: Command line interface host process-->
 			<Image condition="is">C:\Windows\System32\wbem\WmiApSrv.exe</Image> <!--Microsoft:Windows: WMI performance adpater host process-->
+			<Image condition="is">C:\Windows\servicing\TrustedInstaller.exe</Image> <!--Microsoft:Windows: TrustedInstaller-->
+			<Image condition="is">C:\Windows\system32\sppsvc.exe</Image> <!--Microsoft:Windows: Software Protection Service-->
 			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
 			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
 			<ParentCommandLine condition="begin with">C:\Windows\system32\svchost.exe -k DcomLaunch</ParentCommandLine> <!--Microsoft:Windows-->
@@ -145,6 +147,7 @@
 			<ParentImage condition="is">C:\Program Files\Lenovo\HOTKEY\micmute.exe</ParentImage><!--Lenovo: Hotkey Tools-->
 			<Image condition="is">C:\Program Files\Lenovo\InstantOn\InstantOnSrv.exe</Image> <!--Lenovo: Instant-On-->
 			<Image condition="is">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelService.exe</Image> <!--Lenovo: Mouse Suite-->
+			<Image condition="is">C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</Image><!--Lenovo: Modern Apps Plugin Host-->
 			<!--SECTION: Intel-->
 			<Image condition="is">C:\Program Files\Intel\Telemetry 2.0\lrio.exe</Image> <!--Intel: Telemetry-->
 			<Image condition="is">C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe</Image> <!--Intel: Driver Update-->
@@ -191,6 +194,7 @@
 			<ParentCommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</ParentCommandLine> <!--VMware vSphere spawns subprocesses-->
 			<CommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</CommandLine><!--VMware vSphere spawns subprocesses-->
 			<ParentImage condition="is">C:\Program Files (x86)\SyncedTool\bin\agent_service.exe</ParentImage><!--eFolder Synced Tool-->
+			<Image condition="is">C:\Program Files (x86)\Notepad++\notepad++.exe</Image><!-- Notepad++ -->
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM -->

From 45f43d08ab6d8fef356776e065ae2596152de04b Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 27 Feb 2017 18:30:10 -0500
Subject: [PATCH 078/471] Detect Changes to Proxy Server settings in Windows

---
 sysmonconfig-export.xml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ddef55f1..ddac1d9d 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -667,12 +667,15 @@
 			 <TargetObject condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
 			 <!--Detect User Activity-->
 			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
-			 <TargetObject condition="begin with">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB</TargetObject>
-			 <TargetObject condition="begin with">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
+			 <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USB</TargetObject>
+			 <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
 			  <!--Detect Threats from Webroot Antivirus-->
 			  <!--Active threats show like so: c:\users\JohnDoe\downloads\w10privacy\w10privacy.exe|W32.Backdoor.Gen|5880BC38 Reg Key Location: HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active-->
-			 <TargetObject condition="contains">HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WRData\Threats\Active</TargetObject><!--Detect Active Threats-->
-			 <TargetObject condition="contains">HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WRData\Threats\History</TargetObject><!--Detect Threat History & Auto-Removed Threats-->
+			 <TargetObject condition="contains">HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active</TargetObject><!--Detect Active Threats-->
+			 <TargetObject condition="contains">HKLM\SOFTWARE\WOW6432Node\WRData\Threats\History</TargetObject><!--Detect Threat History & Auto-Removed Threats-->
+			 <!--Detect Changes to Proxy Server Setting-->
+			 <TargetObject condition="contains">HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer</TargetObject>
+			 <TargetObject condition="contains">HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
 		</RegistryEvent>
 		<RegistryEvent onmatch="exclude">
 		<!--COMMENT:	Remove low-information noise-->

From 2fb42f60ea99ff6f8ee76a6c47c8d41afc93de04 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 28 Feb 2017 08:55:05 -0500
Subject: [PATCH 079/471] Cleanup & Update

Changes:
- Monitor proxy server changes
- Monitor writing Office macro documents
- ngen/ngentask filtering
- Now monitoring net.exe, sec.exe, qwinstal.exe, and sensitive ports.
thanks to @ion-storm
- Cleaned up NamedPipe area in sysmonconfig
---
 extra-NamedPipes.xml    | 21 ++++++++++++
 sysmonconfig-export.xml | 73 +++++++++++++++++++++++------------------
 2 files changed, 62 insertions(+), 32 deletions(-)
 create mode 100644 extra-NamedPipes.xml

diff --git a/extra-NamedPipes.xml b/extra-NamedPipes.xml
new file mode 100644
index 00000000..5f80e333
--- /dev/null
+++ b/extra-NamedPipes.xml
@@ -0,0 +1,21 @@
+<!--Addendum file for sysmon-config.xml which enables PipeEvent monitoring when merged. Currently under development.-->
+
+		<PipeEvent onmatch="exclude">
+		<!--COMMENT: Exclude known-good pipe users-->
+				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
+				<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
+			<!--SECTION: Microsoft-->
+			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
+			<Image condition="is">C:\Windows\system32\SearchProtocolHost.exe</Image>
+			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</Image>
+			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe</Image>
+			<!--SECTION: Webroot-->
+			<PipeName condition="is">\WRSVCPipe</PipeName>
+			<PipeName condition="is">\WRSynUM2</PipeName>
+			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
+			<!--SECTION: Google-->
+			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
+			<!--SECTION: Other-->
+			<Image condition="end with">slack.exe</Image>
+		</PipeEvent>
\ No newline at end of file
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ddac1d9d..7f8cf15a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1,10 +1,10 @@
 <!--
   sysmon-config | A sysmon configuration focused on high-quality event tracing
-  Master version:	44 | Date: 2017-02-22
+  Master version:	46 | Date: 2017-02-28
   Master author:	@SwiftOnSecurity, with contributors credited in-line or on Git.
   Master project:	https://github.com/SwiftOnSecurity/sysmon-config
   Master license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
-  Fork version:	5
+  Fork version:	10
   Fork author:	ionstorm
   Fork project:	https://github.com/ion-storm/sysmon-config
   Fork license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
@@ -95,14 +95,14 @@
 			<Image condition="begin with">C:\Program Files (x86)\Google\Update\</Image> <!--Google:Chrome: Updater-->
 			<ParentImage condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage> <!--Google:Chrome: Updater-->
 			<!-- SECTION: Firefox -->
-			<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox massive command-line arguments || Contributor @Darkbat91 -->
-			<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox massive command-line arguments || Contributor @Darkbat91 -->
+			<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
+			<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
 			<!--SECTION: Adobe-->
 			<CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!--Adobe:AcrobatReader: Uninsteresting sandbox subprocess-->
 			<CommandLine condition="contains">AcroRd32.exe" --channel=</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image>
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure -->
 			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure -->
 			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image>
 			<!--SECTION: Adobe Flash-->
 			<Image condition="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
@@ -217,14 +217,14 @@
 		<!--TECHNICAL:	For the DestinationHostname, Sysmon uses the GetNameInfo API, which may not always have the information or may be a CDN. Using that field is best-effort only.-->
 			<!--NOTE: These exe's do not initiate their connections, cannot be included: BITSADMIN-->
 			<!--Suspicious sources-->
-			<Image condition="begin with">C:\Users</Image>
-			<Image condition="begin with">C:\ProgramData</Image>
-			<Image condition="begin with">C:\Windows\Temp</Image>
+			<Image condition="begin with">C:\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
+			<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
+			<Image condition="begin with">C:\Windows\Temp</Image> <!--Suspicious anything would communicate from the system-level temp directory-->
 			<Image condition="image">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
 			<Image condition="image">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
-			<Image condition="image">wmic.exe</Image> <!--Microsoft:WindowsManagementInstrumentation: Credit to @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
-			<Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit: @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
-			<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit: @arekfurt -->
+			<Image condition="image">wmic.exe</Image> <!--Microsoft:WindowsManagementInstrumentation: Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
+			<Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
+			<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
 			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
@@ -278,7 +278,6 @@
 			<DestinationHostname condition="end with">bit.ly</DestinationHostname>
 			<DestinationHostname condition="end with">t.co</DestinationHostname>
 			<DestinationHostname condition="end with">ow.ly</DestinationHostname>
-			<Image condition="image">msiexec.exe</Image> <!--Microsoft:Windows: Can install from http:// paths | Credit: @vector-sec -->
 			<!--Dynamic DNS Providers-->
 			<DestinationHostname condition="end with">dlinkddns.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
 			<DestinationHostname condition="end with">no-ip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
@@ -537,6 +536,8 @@
 			<TargetFilename condition="end with">\Start Menu</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
 			<TargetFilename condition="end with">\Start Menu\Programs</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
 			<TargetFilename condition="end with">\Start Menu\Programs\Startup</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
+			<!--SECTION: Microsoft-->
+			<Image condition="is">C:\Windows\System32\smss.exe</Image><!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
 			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost -->
 			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe -->
 			<TargetFilename condition="begin with">C:\Windows\System32\DriverStore\Temp\</TargetFilename> <!-- Microsoft:Windows: Temp files by DrvInst.exe-->
@@ -552,10 +553,13 @@
 			<Image condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</Image><!-- MSI: Helpdesk Updater-->
 			<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image><!-- Microsoft:Windows: Windows 10 app, creates tons of cache files-->
 			<Image condition="is">C:\Program Files\Microsoft SQL Server\110\LocalDB\Binn\sqlservr.exe</Image><!-- Microsoft:SQL Server: Creating tons of files-->
-			<Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image><!--INTEL: Application creates a bat file in Windows System32, and drops other files-->
 			<Image condition="is">C:\Windows\System32\smss.exe</Image><!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
 			<Image condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</Image><!-- MSI: Dragon Center Updater-->
 			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image><!-- VMware:vSphere: Creates .cmdline apps in appdata\*\Temp-->
+			<!--SECTION: Dell-->
+			<Image condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</Image>
+			<!--SECTION: Intel-->
+			<Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image> <!--Intel: Drops bat and other files in \Windows in normal operation-->
 		</FileCreate>
 
 	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION -->
@@ -565,6 +569,7 @@
 		<!--NOTE:	Writing to GUID's is very common, and they contain 0-9 and A-F so slightly try to avoid those in the first few positions. [ https://en.wikipedia.org/wiki/Universally_unique_identifier ] -->
 		<!--NOTE:	Windows writes hundreds or thousands of registry keys a minute, so just because you're not changing stuff, doesn't mean these rules aren't being run.-->
 		<!--NOTE:	You don't have to spend a lot of time worrying about this, CPUs are fast, but it's something to consider. Every rule and condition type has a cost.-->
+
 		<!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details, NewName-->
 		<!--TECHNICAL:	Possible prefixes are HKLM, HKCU, HKCR, and HKEY_USERS-->
 		<!--CRITICAL:	Schema version 3.30 and higher use HKLM and HKCU and HKCR and CurrentControlSet instead of REGISTRY\MACHINE\ and \REGISTRY\USER\ and ControlSet001-->
@@ -577,16 +582,17 @@
 			<TargetObject condition="contains">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Run keys, incld RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
 			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts -->
 			<TargetObject condition="contains">\Windows\System\Scripts</TargetObject> <!--Microsoft:Windows: Logon, Loggoff, Shutdown-->
-			<TargetObject condition="end with">\ServiceDll</TargetObject> <!--Microsoft:Windows: Value that points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ] -->
-			<TargetObject condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: Value that point to a service's EXE [ https://github.com/crypsisgroup/Splunkmon/blob/master/sysmon.cfg ] -->
+			<TargetObject condition="end with">\ServiceDll</TargetObject> <!--Microsoft:Windows: Points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ] -->
+			<TargetObject condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: Points to a service's EXE [ https://github.com/crypsisgroup/Splunkmon/blob/master/sysmon.cfg ] -->
 			<TargetObject condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual) -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location-->
-			<TargetObject condition="contains">CurrentVersion\Image File Execution Options\</TargetObject><!--TaskMgr/Debugger Hijack location-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Microsoft:Windows: Legacy driver loading | Credit @ion-storm -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
 			<!--CLSID launch commands and file association changes-->
-			<TargetObject condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Subkey under file associations and CLSID that map to launch command-->
-			<TargetObject condition="contains">\shell\open\command\</TargetObject> <!--Microsoft:Windows: Subkey under file associations and CLSID that map to launch command-->
-			<TargetObject condition="contains">\shell\open\ddeexec\</TargetObject> <!--Microsoft:Windows: Subkey under file associations and CLSID that map to launch command-->
+			<TargetObject condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
+			<TargetObject condition="contains">\shell\open\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
+			<TargetObject condition="contains">\shell\open\ddeexec\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
 			<TargetObject condition="contains">\Explorer\FileExts\</TargetObject> <!--Microsoft:Windows: Changes to file extension mapping-->
 			<!--Windows shell hijack-->
 			<TargetObject condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
@@ -605,12 +611,14 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
 			<!--Winsock and Winsock2-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
+			<TargetObject condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
 			<!--Credential providers-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
 			<!--Networking-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
 			<!--DLLs that get injected into every process launch-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
@@ -639,7 +647,6 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
 			 <!--Common Malware Persistence locations-->
-			 <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject>
 			 <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
 			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
 			 <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
@@ -679,8 +686,11 @@
 		</RegistryEvent>
 		<RegistryEvent onmatch="exclude">
 		<!--COMMENT:	Remove low-information noise-->
+			<!--SECTION: Microsoft binaries-->
 			<Image condition="end with">Office\root\integration\integrator.exe</Image> <!--Microsoft:Office: C2R client-->
 			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image> <!--Microsoft:Office: C2R client-->
+			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
+			<!--Misc-->
 			<TargetObject condition="end with">Toolbar\WebBrowser</TargetObject> <!--Microsoft:IE: Extraneous activity-->
 			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Height</TargetObject> <!--Microsoft:IE: Extraneous activity-->
 			<TargetObject condition="end with">Toolbar\ShellBrowser\ITBar7Layout</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
@@ -700,7 +710,7 @@
 			<TargetObject condition="end with">\Components\TrustedInstaller</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon -->
 			<TargetObject condition="end with">\Components\Wlansvc</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon -->
 			<TargetObject condition="end with">\Components\Wlansvc\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject> <!--Microsoft:Windows: Remove noise monitoring installations -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject> <!--Microsoft:Windows: Remove noise monitoring installations run as system -->
 			<TargetObject condition="end with">\Directory\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes -->
 			<TargetObject condition="end with">\Directory\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes -->
 			<TargetObject condition="end with">\Drive\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes -->
@@ -752,24 +762,23 @@
 			<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting files-->
 			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
 			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
-			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting-->
 			<TargetFilename condition="end with">.ps1</TargetFilename> <!--Powershell-->
 			<TargetFilename condition="end with">.ps2</TargetFilename> <!--Powershell-->
 			<TargetFilename condition="end with">.lnk</TargetFilename> <!--Shortcut file-->
 			<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry File-->
+			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting | Credit @ion-storm -->
 		</FileCreateStreamHash>
 
-	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY [ SYSMON 6.00+ ] -->
+	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY -->
 		<!--DATA: UtcTime, Configuration, ConfigurationFileHash-->
 		<!--Cannot be filtered.-->
 
-	<!--SYSMON EVENT ID 17 : PIPE CREATED [ SYSMON 6.00+ ] -->
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
-		<!--COMMENT: Currently intended for targetted malware monitoring only, not included in this configuration.-->
-
-	<!--SYSMON EVENT ID 18 : PIPE CONNECTED [ SYSMON 6.00+ ] -->
+	<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED -->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
-		<!--COMMENT: Currently intended for targetted malware monitoring only, not included in this configuration.-->
+		<PipeEvent onmatch="include">
+			<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
+			<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
+		</PipeEvent>
 
 	</EventFiltering>
 </Sysmon>

From 2a3b5e7d80de83853f77e8ea13dfbaef812fc61a Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 28 Feb 2017 09:00:26 -0500
Subject: [PATCH 080/471] Remove duplicate on cherry-pick

---
 sysmonconfig-export.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 7f8cf15a..fec0511f 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -681,7 +681,6 @@
 			 <TargetObject condition="contains">HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active</TargetObject><!--Detect Active Threats-->
 			 <TargetObject condition="contains">HKLM\SOFTWARE\WOW6432Node\WRData\Threats\History</TargetObject><!--Detect Threat History & Auto-Removed Threats-->
 			 <!--Detect Changes to Proxy Server Setting-->
-			 <TargetObject condition="contains">HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer</TargetObject>
 			 <TargetObject condition="contains">HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
 		</RegistryEvent>
 		<RegistryEvent onmatch="exclude">

From 2f1c4b492a96d92e55a2ef67d60b773a5b37cc0a Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 28 Feb 2017 11:37:40 -0500
Subject: [PATCH 081/471] Add my initial named pipe exclusions, excluding most
 Windows service pipes and custom apps I use in my environment.

---
 sysmonconfig-export.xml | 75 +++++++++++++++++++++++++++++++++++++----
 1 file changed, 69 insertions(+), 6 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index fec0511f..b80b85c9 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -772,12 +772,75 @@
 		<!--DATA: UtcTime, Configuration, ConfigurationFileHash-->
 		<!--Cannot be filtered.-->
 
-	<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED -->
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
-		<PipeEvent onmatch="include">
-			<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
-			<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
+		<PipeEvent onmatch="exclude">
+		<!--COMMENT: Exclude known-good pipe users-->
+				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
+				<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
+			<!--SECTION: Microsoft-->
+			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
+			<Image condition="is">C:\Windows\system32\SearchProtocolHost.exe</Image>
+			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</Image>
+			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe</Image>
+			<PipeName condition="contains">vmware-</PipeName>
+			<Image condition="is">System</Image>
+			<PipeName condition="contains">InitShutdown</PipeName>
+			<Image condition="is">C:\Windows\System32\wininit.exe</Image>
+			<Image condition="is">C:\Windows\System32\SearchIndexer.exe</Image>
+			<Image condition="is">C:\Windows\System32\services.exe</Image>
+			<PipeName condition="is">\ntsvcs</PipeName>
+			<PipeName condition="is">\scerpc</PipeName>
+			<Image condition="is">C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe</Image>
+			<Image condition="is">C:\Windows\System32\smss.exe</Image>
+			<Image condition="is">C:\Windows\System32\spoolsv.exe</Image>
+			<PipeName condition="is">\epmapper</PipeName>
+			<PipeName condition="is">\atsvc</PipeName>
+			<PipeName condition="is">\browser</PipeName>
+			<PipeName condition="is">\srvsvc</PipeName>
+			<PipeName condition="is">\Winsock2CatelogChangeListener</PipeName>
+			<PipeName condition="contains">ProtectedPrefix\LocalService\FTHPIPE</PipeName>
+			<PipeName condition="is">\W32TIME_ALT</PipeName>
+			<PipeName condition="is">\eventlog</PipeName>
+			<PipeName condition="is">\wkssvc</PipeName>
+			<PipeName condition="contains">\TDLN-</PipeName>
+			<PipeName condition="is">\WiFiNetworkManagerTask</PipeName>
+			<!--SECTION: Webroot-->
+			<PipeName condition="is">\WRSVCPipe</PipeName>
+			<PipeName condition="is">\WRSynUM2</PipeName>
+			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
+			<!--SECTION: Google-->
+			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
+			<PipeName condition="contains">mojo.</PipeName>
+			<PipeName condition="contains">crashpad_</PipeName>
+			<PipeName condition="contains">chrome.</PipeName>
+			<PipeName condition="contains">GoogleCrashServices</PipeName>
+			<!--SECTION: Other-->
+			<Image condition="end with">slack.exe</Image>
+			<!--SECTION: ConnectWise-->
+			<PipeName condition="contains">booma\</PipeName>
+			<!--SECTION: EnPass-->
+			<PipeName condition="contains">qtsingleapp-enpass-</PipeName>
+			<Image condition="contains">qtsingleapp-enpass-</Image>
+			<!--SECTION: Everything Search-->
+			<PipeName condition="contains">Everything Service</PipeName>
+			<PipeName condition="contains">anchor_gui_agent</PipeName>
+			<!--SECTION: Lenovo-->
+			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\SUService.exe</Image>
+			<Image condition="is">C:\Program Files\Common Files\VMware\DeviceRedirectionCommon\ftnlsv.exe</Image>
+			<Image condition="is">C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe</Image>
+			<Image condition="is">C:\Program Files\Lenovo\HOTKEY\shtctky.exe</Image>
+			<Image condition="is">C:\Windows\System32\LPlatSvc.exe</Image>
+			<!--SECTION: Labtech-->
+			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
+			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
+			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn.exe</Image>
+			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpnserv.exe</Image>
+			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
+			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe</Image>
+			<Image condition="is">C:\Program Files\Lenovo\HOTKEY\tphkload.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\SerialPortRedirection\Client\vmwsprrdpwks.exe</Image>
+			<Image condition="contains">Graylog-collector-sidecar.exe</Image>
+			<Image condition="contains">C:\Program Files (x86)\SmartGit\</Image>
 		</PipeEvent>
-
 	</EventFiltering>
 </Sysmon>

From e5c8abd060049fc8bd3f21ebd6d8b3dc6a54e74d Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 28 Feb 2017 11:51:36 -0500
Subject: [PATCH 082/471] Add Rename fields for Graylog Filtering

---
 README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 69f681f2..1b22274c 100644
--- a/README.md
+++ b/README.md
@@ -115,7 +115,10 @@ then
     rename_field("winlogbeat_event_data_SourceThreadId", "sysmon_paccess_threadid");
     rename_field("winlogbeat_event_data_TargetImage", "sysmon_paccess_target_image");
     rename_field("winlogbeat_event_data_TargetProcessGUID", "sysmon_paccess_target_guid");
-    rename_field("winlogbeat_event_data_TargetProcessid", "sysmon_paccess_target_pid");    
+    rename_field("winlogbeat_event_data_TargetProcessid", "sysmon_paccess_target_pid");
+    rename_field("winlogbeat_event_data_DestinationIp_geolocation", "sysmon_dns_lookup_ip_geolocation");
+    rename_field("winlogbeat_event_data_PipeName", "sysmon_pipe_name");
+    rename_field("winlogbeat_event_data_ProcessId", "sysmon_pipe_pid");
 
     // Remove clutter.
     let fix = regex("^\\{(\\S+)\\}$", to_string($message.winlogbeat_event_data_ProcessGuid));

From 8d6765508653fa8103edf017e6fd52a1f8302127 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 28 Feb 2017 11:55:16 -0500
Subject: [PATCH 083/471] Add new Graylog Content pack with new dashboards

---
 Graylog_Content_Pack/new_content_pack.json | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Graylog_Content_Pack/new_content_pack.json

diff --git a/Graylog_Content_Pack/new_content_pack.json b/Graylog_Content_Pack/new_content_pack.json
new file mode 100644
index 00000000..ba945195
--- /dev/null
+++ b/Graylog_Content_Pack/new_content_pack.json
@@ -0,0 +1 @@
+{"name":"Sysmon Threat Intelligence","description":"Threat intelligence with Sysmon","category":"threat intel, dfir, sysmon","inputs":[],"streams":[],"outputs":[],"dashboards":[{"title":"Sysmon Threat Intelligence","description":"Windows Information Board","dashboard_widgets":[{"description":"Task (registered 24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_task","show_pie_chart":false,"query":"_exists_:sysmon_task","show_data_table":true},"col":4,"row":3,"height":2,"width":1},{"description":"Target Location (24h)","type":"org.graylog.plugins.map.widget.strategy.MapWidgetStrategy","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_dns_lookup_ip_geolocation","query":"_exists_:sysmon_dns_lookup_ip_geolocation"},"col":2,"row":1,"height":2,"width":2},{"description":"Integrity (24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_cmd_integrity","show_pie_chart":false,"query":"_exists_:sysmon_cmd_integrity","show_data_table":true},"col":4,"row":5,"height":2,"width":1},{"description":"DNS Lookup (24h)","type":"QUICKVALUES","cache_time":100,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_dns_lookup","show_pie_chart":false,"query":"_exists_:sysmon_dns_lookup","show_data_table":true},"col":1,"row":4,"height":3,"width":1},{"description":"Event ID (24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_event_id","show_pie_chart":true,"query":"_exists_:sysmon_event_id","show_data_table":false},"col":1,"row":2,"height":2,"width":1},{"description":"Programs (24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_data_process","show_pie_chart":false,"query":"_exists_:sysmon_data_process","show_data_table":true},"col":2,"row":3,"height":3,"width":1},{"description":"Threat Lookups (24h)","type":"SEARCH_RESULT_COUNT","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"lower_is_better":false,"trend":true,"query":"_exists_:sysmon_task AND _exists_:sysmon_dns_lookup_ip_threat_indicated"},"col":4,"row":1,"height":1,"width":1},{"description":"User Acting (24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_user_type","show_pie_chart":false,"query":"_exists_: sysmon_user_type","show_data_table":true},"col":4,"row":2,"height":1,"width":1},{"description":"Threat Indicated (24h)","type":"SEARCH_RESULT_COUNT","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"lower_is_better":true,"trend":true,"query":"_exists_:sysmon_task AND sysmon_src_ip_threat_indicated:true"},"col":1,"row":1,"height":1,"width":1},{"description":"Unidentified Files Created","type":"QUICKVALUES","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_data_file_created","show_pie_chart":false,"query":"_exists_:sysmon_data_file_created","show_data_table":true},"col":5,"row":1,"height":3,"width":1},{"description":"Registry Change Locations","type":"QUICKVALUES","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_registry_object","show_pie_chart":false,"query":"_exists_:sysmon_registry_object","show_data_table":true},"col":5,"row":4,"height":3,"width":1},{"description":"Top Command Line Events","type":"QUICKVALUES","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_cmd_event","show_pie_chart":false,"query":"_exists_:sysmon_cmd_event","show_data_table":true},"col":3,"row":3,"height":3,"width":1},{"description":"Alternate Data Streams Detected","type":"QUICKVALUES","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_data_file_created","show_pie_chart":false,"query":"_exists_:sysmon_data_file_created AND sysmon_task:\"File stream created (rule: FileCreateStreamHash)\"","show_data_table":true},"col":2,"row":6,"height":3,"width":1}]}],"grok_patterns":[]}
\ No newline at end of file

From 60656191aaa083d0697e4a2815e117aa6de931a7 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 28 Feb 2017 12:32:39 -0500
Subject: [PATCH 084/471] Add Pipe exclusions for Smartgit and Bash on Windows

---
 sysmonconfig-export.xml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index b80b85c9..36bbfd4a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -781,9 +781,10 @@
 			<Image condition="is">C:\Windows\system32\SearchProtocolHost.exe</Image>
 			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</Image>
 			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe</Image>
+			<Image condition="is">C:\Windows\System32\LxRun.exe</Image> <!--Bash On Windows -->
 			<PipeName condition="contains">vmware-</PipeName>
-			<Image condition="is">System</Image>
-			<PipeName condition="contains">InitShutdown</PipeName>
+			<Image condition="is">\System</Image>
+			<PipeName condition="is">\InitShutdown</PipeName>
 			<Image condition="is">C:\Windows\System32\wininit.exe</Image>
 			<Image condition="is">C:\Windows\System32\SearchIndexer.exe</Image>
 			<Image condition="is">C:\Windows\System32\services.exe</Image>
@@ -810,6 +811,7 @@
 			<!--SECTION: Google-->
 			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
+			<Image condition="contains">AppData\Local\Google\Chrome\User Data\SwReporter\</Image>
 			<PipeName condition="contains">mojo.</PipeName>
 			<PipeName condition="contains">crashpad_</PipeName>
 			<PipeName condition="contains">chrome.</PipeName>
@@ -840,7 +842,10 @@
 			<Image condition="is">C:\Program Files\Lenovo\HOTKEY\tphkload.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\SerialPortRedirection\Client\vmwsprrdpwks.exe</Image>
 			<Image condition="contains">Graylog-collector-sidecar.exe</Image>
-			<Image condition="contains">C:\Program Files (x86)\SmartGit\</Image>
+			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git-remote-https.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
 		</PipeEvent>
 	</EventFiltering>
 </Sysmon>

From b15ca41aa21054d16b42abea9478ead63dc6a9ad Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 28 Feb 2017 13:08:54 -0500
Subject: [PATCH 085/471] Add Destination Hostname exclusions originating from
 Windows svchost.exe services.

---
 sysmonconfig-export.xml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 36bbfd4a..6156ac2f 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -311,7 +311,7 @@
 			<DestinationPort condition="is">23</DestinationPort>   <!--Telnet Port-->
 			<DestinationPort condition="is">25</DestinationPort>   <!--SMTP Port-->
 			<DestinationPort condition="is">139</DestinationPort>  <!--SMB Port-->
-			<DestinationPort condition="is">445</DestinationPort>  <!--SMB Port-->
+			<!--<DestinationPort condition="is">445</DestinationPort> SMB Port: Removed because of noise-->
 			<DestinationPort condition="is">5800</DestinationPort> <!--VNC Port-->
 			<DestinationPort condition="is">5900</DestinationPort> <!--VNC Port-->
 			<DestinationPort condition="is">1194</DestinationPort> <!--OpenVPN Port-->
@@ -339,6 +339,9 @@
 			<DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
 			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
 			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->
+			<DestinationHostname condition="end with">.search.msn.com</DestinationHostname> <!--Bing & Cortana Searches-->
+			<DestinationHostname condition="end with">.wns.windows.com</DestinationHostname> <!-- Windows communication -->
+			<DestinationHostname condition="end with">akamaitechnologies.com</DestinationHostname> <!-- CDN for Microsoft, Apple, Valve, & More -->
 			<SourcePortName condition="is">llmnr</SourcePortName> <!--Silence Link-Local Multicast Name Resolution-->
 			<SourcePortName condition="is">ldap</SourcePortName> <!--Silence Link-Local Multicast Name Resolution-->
 			<DestinationPortName condition="is">llmnr</DestinationPortName> <!--Silence Link-Local Multicast Name Resolution-->

From e070bddb12cf5795f42665e4313ec4271f37eec1 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 28 Feb 2017 16:32:45 -0500
Subject: [PATCH 086/471] Some little stuff

---
 sysmonconfig-export.xml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 6156ac2f..57188252 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -449,7 +449,7 @@
 			<SourceImage condition="image">powerpnt.exe</SourceImage> <!-- Hancitor process hollowing -->
 		<!--Include mimikatz-specific events.-->
 			<SourceImage condition="contains">powershell.exe</SourceImage>
- 			<TargetImage condition="contains">lsass.exe</TargetImage>
+ 		<!--<TargetImage condition="contains">lsass.exe</TargetImage>--> <!--Disabled: To cut down noise-->
 		</ProcessAccess>
 		<ProcessAccess onmatch="exclude">
 			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
@@ -458,6 +458,7 @@
 	<!--SYSMON EVENT ID 11 : FILE CREATED -->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
 		<FileCreate onmatch="include">
+			<TargetFilename condition="begin with">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates\</TargetFilename> <!--Microsoft:Windows: taskhostw re-creates certificate store constantly-->
 			<TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links and shortcut modification-->
 			<TargetFilename condition="contains">\Startup</TargetFilename> <!--Microsoft:Office: Changes to user's autoloaded files under AppData-->
 			<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments--> <!--PRIVACY WARNING-->
@@ -541,6 +542,7 @@
 			<TargetFilename condition="end with">\Start Menu\Programs\Startup</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
 			<!--SECTION: Microsoft-->
 			<Image condition="is">C:\Windows\System32\smss.exe</Image><!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
+			<Image condition="is">\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates</Image>
 			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost -->
 			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe -->
 			<TargetFilename condition="begin with">C:\Windows\System32\DriverStore\Temp\</TargetFilename> <!-- Microsoft:Windows: Temp files by DrvInst.exe-->
@@ -677,7 +679,7 @@
 			 <TargetObject condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
 			 <!--Detect User Activity-->
 			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
-			 <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USB</TargetObject>
+			 <!--<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USB</TargetObject> Disabled: Tons of Noise -->
 			 <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
 			  <!--Detect Threats from Webroot Antivirus-->
 			  <!--Active threats show like so: c:\users\JohnDoe\downloads\w10privacy\w10privacy.exe|W32.Backdoor.Gen|5880BC38 Reg Key Location: HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active-->
@@ -747,6 +749,7 @@
 			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image>
 			<TargetObject condition="contains">HKLM\System\CurrentControlSet\Services\DeviceAssociationService\Start</TargetObject><!--Device Association Service Noise-->
 			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}\</TargetObject><!-- HD Audio Noise-->
+			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe</Image> <!--VMWare: Horizon View Client Noise-->
 		</RegistryEvent>
 
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED -->

From 6a74c6ecdf9373b7c0f5c4964ba740ec4e6017c7 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 28 Feb 2017 16:34:59 -0500
Subject: [PATCH 087/471] exclude! not include! lol

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 57188252..c286eb27 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -458,7 +458,6 @@
 	<!--SYSMON EVENT ID 11 : FILE CREATED -->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
 		<FileCreate onmatch="include">
-			<TargetFilename condition="begin with">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates\</TargetFilename> <!--Microsoft:Windows: taskhostw re-creates certificate store constantly-->
 			<TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links and shortcut modification-->
 			<TargetFilename condition="contains">\Startup</TargetFilename> <!--Microsoft:Office: Changes to user's autoloaded files under AppData-->
 			<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments--> <!--PRIVACY WARNING-->
@@ -536,6 +535,7 @@
 			<!--Default-disable <TargetFileName condition="end with">.kirbi</TargetFileName> --> <!-- [ https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos ] -->
 		</FileCreate>
 		<FileCreate onmatch="exclude">
+			<TargetFilename condition="begin with">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates\</TargetFilename> <!--Microsoft:Windows: taskhostw re-creates certificate store constantly-->
 			<TargetFilename condition="end with">\Downloads</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
 			<TargetFilename condition="end with">\Start Menu</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
 			<TargetFilename condition="end with">\Start Menu\Programs</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->

From 86a8d465ff041061f9c9eecd5002b5b680412ae6 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 28 Feb 2017 16:37:09 -0500
Subject: [PATCH 088/471] exclude smartgit java

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index c286eb27..1526d9cf 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -357,6 +357,7 @@
 			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
 			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
 			<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
+			<Image condition="image">C:\Program Files (x86)\SmartGit\jre\bin\java.exe</Image>
 		</NetworkConnect>
 
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY -->

From f3194e899eb42068dd992d2b0040797cce53ad60 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 28 Feb 2017 16:43:45 -0500
Subject: [PATCH 089/471] MSOSync & Smartgit exclusions

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 1526d9cf..d8f5fc05 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -89,6 +89,7 @@
 			<ParentImage condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage> <!--Microsoft:Office: Background process-->
 			<ParentImage condition="end with">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process-->
 			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> <!--Microsoft:Office: Background process-->
+			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
 			<!--SECTION: Google-->
 			<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
 			<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
@@ -188,6 +189,7 @@
 			<!--END: Labtech-->
 			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->
 			<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
+			<ParentImage condition="is">C:\Program Files (x86)\SmartGit</ParentImage> <!--SmartGit-->
 			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser-->
 			<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--Connectwise-->
 			<!-- VMware vSphere spawns child processes to svtres.exe and csc.exe, currently unable to exclude those child processes, csc and cvtres.exe are used by some malware-->

From 57aec71260debe19312347e4889bddede35e41ea Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 28 Feb 2017 17:02:55 -0500
Subject: [PATCH 090/471] more smartgit commits

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index d8f5fc05..6e63bb4e 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -852,6 +852,7 @@
 			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\SerialPortRedirection\Client\vmwsprrdpwks.exe</Image>
 			<Image condition="contains">Graylog-collector-sidecar.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git-remote-https.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\bin\git.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>

From 1a8a2b9f27eb6643f4159ece46d57816348e8ab5 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 28 Feb 2017 22:10:28 -0500
Subject: [PATCH 091/471] -Added additional Autorun Locations -Added Browser
 Hijack Detection. -Added Firewall Change Detection. -Added Security Center &
 Defender modification detection -Added New Fileless UAC Bypass detection

---
 sysmonconfig-export.xml | 106 ++++++++++++++++++++++++++--------------
 1 file changed, 70 insertions(+), 36 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 6e63bb4e..0082f4b3 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -590,13 +590,20 @@
 			<TargetObject condition="contains">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Run keys, incld RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
 			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts -->
 			<TargetObject condition="contains">\Windows\System\Scripts</TargetObject> <!--Microsoft:Windows: Logon, Loggoff, Shutdown-->
+			<TargetObject condition="contains">\Microsoft\System\Scripts</TargetObject> <!--Microsoft:Windows: Legacy Logon, Loggoff, Shutdown Scripts-->
 			<TargetObject condition="end with">\ServiceDll</TargetObject> <!--Microsoft:Windows: Points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ] -->
 			<TargetObject condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: Points to a service's EXE [ https://github.com/crypsisgroup/Splunkmon/blob/master/sysmon.cfg ] -->
 			<TargetObject condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual) -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location -->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Microsoft:Windows: Legacy driver loading | Credit @ion-storm -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject><!--Microsoft:Windows: Legacy Autorun may exist in server 2003-2008-->
 			<!--CLSID launch commands and file association changes-->
 			<TargetObject condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
 			<TargetObject condition="contains">\shell\open\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
@@ -654,42 +661,69 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
-			 <!--Common Malware Persistence locations-->
-			 <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			 <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
-			 <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
-			 <!--Group Policy Scripts-->
-			 <TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
-			 <TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
-			 <TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
-			 <TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
-			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
-			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
-			 <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
-			 <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
-			 <!--Detect Network History-->
-			 <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
-			 <TargetObject condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
-			 <TargetObject condition="end with">DefaultGateway</TargetObject><!--Networking: Detect changes-->
-			 <TargetObject condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
-			 <TargetObject condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
-			 <TargetObject condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
-			 <TargetObject condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
-			 <TargetObject condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
-			 <TargetObject condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
-			 <!--Detect User Activity-->
-			 <TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
-			 <!--<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USB</TargetObject> Disabled: Tons of Noise -->
-			 <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
-			  <!--Detect Threats from Webroot Antivirus-->
-			  <!--Active threats show like so: c:\users\JohnDoe\downloads\w10privacy\w10privacy.exe|W32.Backdoor.Gen|5880BC38 Reg Key Location: HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active-->
-			 <TargetObject condition="contains">HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active</TargetObject><!--Detect Active Threats-->
-			 <TargetObject condition="contains">HKLM\SOFTWARE\WOW6432Node\WRData\Threats\History</TargetObject><!--Detect Threat History & Auto-Removed Threats-->
-			 <!--Detect Changes to Proxy Server Setting-->
-			 <TargetObject condition="contains">HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
+			<!--Common Malware Persistence locations-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
+			<!--Group Policy Scripts-->
+			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
+			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
+			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
+			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
+			<!--Detect Network History-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
+			<TargetObject condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
+			<TargetObject condition="end with">DefaultGateway</TargetObject><!--Networking: Detect changes-->
+			<TargetObject condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
+			<TargetObject condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
+			<TargetObject condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
+			<TargetObject condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
+			<TargetObject condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
+			<!--Detect User Activity-->
+			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
+			<!--Detect Threats from Webroot Antivirus-->
+			<!--Active threats show like so: c:\users\JohnDoe\downloads\w10privacy\w10privacy.exe|W32.Backdoor.Gen|5880BC38 Reg Key Location: HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active-->
+			<TargetObject condition="contains">HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active</TargetObject><!--Detect Active Threats-->
+			<TargetObject condition="contains">HKLM\SOFTWARE\WOW6432Node\WRData\Threats\History</TargetObject><!--Detect Threat History & Auto-Removed Threats-->
+			<!--Detect Changes to Proxy Server Setting-->
+			<TargetObject condition="contains">HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
+			<!--Detect Browser Hijackers-->
+			<TargetObject condition="begin with">HKCU\Software\Microsoft\Internet Explorer\DOMStorage\</TargetObject>
+			<TargetObject condition="begin with">HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\</TargetObject>
+			<TargetObject condition="begin with">HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage</TargetObject>
+			<!--Detect Unauthorized Firewall Changes-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject> <!--Check for apps added to Firewall Auth List-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject> <!--Detect: UAC Tampering-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject> <!--Detect: UAC Tampering-->
+			<!--Detect Malware & Unauthorized Changes to Outlook, Excel, Powerpoint, and Access Security to enable execution of scripts/Macros -->
+			<TargetObject condition="contains">\Security\Level</TargetObject>
+			<TargetObject condition="contains">\Security\Level1Remove</TargetObject>
+			<!--Detect if Microsoft Security Center is Disabled or Enabled-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
+			<!--Detect if Windows Defender is Disabled-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable</TargetObject>
+			<!-- Other Stuff -->	
+			<TargetObject condition="begin with">HKCU\Software\Classes\mscfile\shell\open\command</TargetObject> <!-- Fileless Bypass of UAC: http://resources.infosecinstitute.com/new-born-macro-malware-dropping-rootkits-using-fileless-infection-vector -->
 		</RegistryEvent>
 		<RegistryEvent onmatch="exclude">
 		<!--COMMENT:	Remove low-information noise-->

From 3905e28268081343b442ed4ce8d497919e255a56 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 28 Feb 2017 22:28:37 -0500
Subject: [PATCH 092/471] dotnet x64 exclusion

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 0082f4b3..69a730b5 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -84,6 +84,7 @@
 			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
 			<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine> <!--Microsoft:DotNet-->
 			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
+			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
 			<!--SECTION: Microsoft Office-->
 			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process-->
 			<ParentImage condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage> <!--Microsoft:Office: Background process-->

From 58c40e16334afcf1a89be78df91baea555b5031a Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 28 Feb 2017 22:37:36 -0500
Subject: [PATCH 093/471] Windows Defender exclusion for registry entries
 created

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 69a730b5..588efe17 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -732,6 +732,7 @@
 			<Image condition="end with">Office\root\integration\integrator.exe</Image> <!--Microsoft:Office: C2R client-->
 			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image> <!--Microsoft:Office: C2R client-->
 			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
+			<Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
 			<!--Misc-->
 			<TargetObject condition="end with">Toolbar\WebBrowser</TargetObject> <!--Microsoft:IE: Extraneous activity-->
 			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Height</TargetObject> <!--Microsoft:IE: Extraneous activity-->

From 053de7b2c41363d654824d6a6817700c2000ed70 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 1 Mar 2017 09:06:02 -0500
Subject: [PATCH 094/471] Add Exclusions for Framework, Lenovo Laptops, MSI
 Laptops, Webroot, Synaptic Touchpad, OpenVPN, and Enpass.

---
 sysmonconfig-export.xml | 32 +++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 588efe17..baa25383 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -47,6 +47,7 @@
 			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
 			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
 			<ParentCommandLine condition="begin with">C:\Windows\system32\svchost.exe -k DcomLaunch</ParentCommandLine> <!--Microsoft:Windows-->
+			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font Cache Service-->
 			<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but without attribution-->
 			<CommandLine condition="is">C:\windows\System32\svchost.exe -k WerSvcGroup</CommandLine> <!--Microsoft:WindowsErrorReporting-->
 			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
@@ -71,8 +72,10 @@
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k swprv</CommandLine><!--Microsoft:Software Shadow Copy Provider-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k imgsvc</CommandLine><!--Microsoft:The Windows Image Acquisition Service-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k NetworkServiceNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation</CommandLine><!--Microsoft:Windows Network Services-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k NetworkService</CommandLine><!--Microsoft:Windows Network Services-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</CommandLine><!--Microsoft:Windows Network Services-->
 			<ParentCommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</ParentCommandLine><!--Microsoft:Windows Network Services: Spawns Consent.exe-->
 			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted</ParentCommandLine><!--Microsoft:Windows Network Services-->
@@ -129,6 +132,7 @@
 			<!--SECTION: Drivers-->
 			<Image condition="begin with">C:\Program Files\NVIDIA Corporation\</Image> <!--Nvidia:Driver: routine actions-->
 			<Image condition="end with">\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe</Image> <!--Nvidia:Driver: routine actions-->
+			<ParentImage condition="is">C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamuseragent.exe</ParentImage> <!--Nvidia:Driver: routine actions-->
 			<Image condition="begin with">C:\Program Files\Realtek\</Image> <!--Realtek:Driver: routine actions-->
 			<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
 			<ParentImage condition="end with">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage>
@@ -142,19 +146,39 @@
 			<!--SECTION: Lenovo-->
 			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\ConfigService.exe</Image> <!--Lenovo: System Update-->
 			<ParentImage condition="is">C:\PROGRA~3\Lenovo\SYSTEM~1\SESSIO~1\REPOSI~1\fwdphb06\fwdphb06_version.exe</ParentImage><!--Lenovo: System Update-->
-			<ParentCommandLine condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsukernel.exe</ParentCommandLine><!--Lenovo: System Update-->
 			<Image condition="is">C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe</Image><!--Lenovo: Thinkpad Utilities-->
 			<Image condition="is">C:\Windows\system32\LPlatSvc.exe</Image> <!--Lenovo: Platform Services-->
 			<ParentImage condition="is">C:\Program Files\Lenovo\HOTKEY\tphkload.exe</ParentImage><!--Lenovo: Hotkey Tools-->
 			<ParentImage condition="is">C:\Program Files\Lenovo\HOTKEY\micmute.exe</ParentImage><!--Lenovo: Hotkey Tools-->
 			<Image condition="is">C:\Program Files\Lenovo\InstantOn\InstantOnSrv.exe</Image> <!--Lenovo: Instant-On-->
 			<Image condition="is">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelService.exe</Image> <!--Lenovo: Mouse Suite-->
-			<Image condition="is">C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</Image><!--Lenovo: Modern Apps Plugin Host-->
+			<Image condition="is">C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</Image> <!--Lenovo: Modern Apps Plugin Host-->
+			<ParentCommandLine condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsukernel.exe</ParentCommandLine> <!--Lenovo: System Update-->
+			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\UACSdk.exe</ParentImage> <!--Lenovo: System Update-->
+			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\SUService.exe</ParentImage> <!--Lenovo: System Update-->
+			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard &amp; Mouse\Pelico.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
+			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard &amp; Mouse\LeDaemon.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
+			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
+			<!--SECTION: MSI: Micro-Star International Computers-->
+			<ParentImage condition="is">C:\Program Files (x86)\SCM\SCM.exe</ParentImage><!--MSI: Hotkey & Power Management-->
+			<Image condition="is">C:\Program Files (x86)\SCM\SCM_Notice.exe</Image><!--MSI: Hotkey & Power Management-->
+			<Image condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</Image><!-- MSI: Helpdesk Updater-->
+			<ParentImage condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</ParentImage><!-- MSI: Helpdesk Updater-->
+			<Image condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</Image><!-- MSI: Dragon Center Updater-->
+			<ParentImage condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</ParentImage><!-- MSI: Dragon Center Updater-->
 			<!--SECTION: Intel-->
 			<Image condition="is">C:\Program Files\Intel\Telemetry 2.0\lrio.exe</Image> <!--Intel: Telemetry-->
 			<Image condition="is">C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe</Image> <!--Intel: Driver Update-->
+			<Image condition="is">C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxCUIService.exe</Image><!--Intel: Graphics Driver-->
+			<Image condition="is">C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxEM.exe</Image><!--Intel: Graphics Driver-->
 			<!--SECTION: Antivirus-->
 			<CommandLine condition="begin with">"C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc</CommandLine> <!--Webroot-->
+			<CommandLine condition="contains">C:\Program Files (x86)\Webroot\WRSA.exe" -ul</CommandLine> <!--Webroot-->
+			<ParentCommandLine condition="is">"C:\Program Files (x86)\Webroot\WRSA.exe" -service</ParentCommandLine> <!--Webroot-->
+			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image><!--Webroot-->
+			<!--SECTION: Synaptics Touchpad-->
+			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
+			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe</Image>
 			<!--SECTION: Custom Apps-->
 			<!--SECTION: Labtech -->
 			<!--Since Labtech nests its processes, the following exclusions could be exploited, remove if you do not need-->
@@ -198,6 +222,8 @@
 			<CommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</CommandLine><!--VMware vSphere spawns subprocesses-->
 			<ParentImage condition="is">C:\Program Files (x86)\SyncedTool\bin\agent_service.exe</ParentImage><!--eFolder Synced Tool-->
 			<Image condition="is">C:\Program Files (x86)\Notepad++\notepad++.exe</Image><!-- Notepad++ -->
+			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
+			<ParentImage condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</ParentImage><!--Enpass Password Manager-->
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM -->
@@ -559,10 +585,10 @@
 			<TargetFilename condition="is">C:\Windows\System32\config\netlogon.ftl</TargetFilename> <!-- Microsoft:Windows: Domain login cache-->
 			<Image condition="is">\\?\C:\Windows\system32\wbem\WMIADAP.EXE</Image><!-- Microsoft:Windows: WMI Performance updates-->
 			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image><!-- Microsoft:Office Click2Run-->
-			<Image condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</Image><!-- MSI: Helpdesk Updater-->
 			<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image><!-- Microsoft:Windows: Windows 10 app, creates tons of cache files-->
 			<Image condition="is">C:\Program Files\Microsoft SQL Server\110\LocalDB\Binn\sqlservr.exe</Image><!-- Microsoft:SQL Server: Creating tons of files-->
 			<Image condition="is">C:\Windows\System32\smss.exe</Image><!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
+			<Image condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</Image><!-- MSI: Helpdesk Updater-->
 			<Image condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</Image><!-- MSI: Dragon Center Updater-->
 			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image><!-- VMware:vSphere: Creates .cmdline apps in appdata\*\Temp-->
 			<!--SECTION: Dell-->

From 93658589127691ded08f272b02419600277ad520 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 1 Mar 2017 09:35:15 -0500
Subject: [PATCH 095/471] Detected & Identify Rogue Scheduled Tasks Created and
 added to Boot or Logon

---
 sysmonconfig-export.xml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index baa25383..41df3e8f 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -88,6 +88,7 @@
 			<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine> <!--Microsoft:DotNet-->
 			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
 			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
+			<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
 			<!--SECTION: Microsoft Office-->
 			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process-->
 			<ParentImage condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage> <!--Microsoft:Office: Background process-->
@@ -153,6 +154,7 @@
 			<Image condition="is">C:\Program Files\Lenovo\InstantOn\InstantOnSrv.exe</Image> <!--Lenovo: Instant-On-->
 			<Image condition="is">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelService.exe</Image> <!--Lenovo: Mouse Suite-->
 			<Image condition="is">C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</Image> <!--Lenovo: Modern Apps Plugin Host-->
+			<ParentCommandLine condition="contains">C:\Program Files\Lenovo\iMController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</ParentCommandLine> <!--Lenovo: Modern Apps Plugin Host-->
 			<ParentCommandLine condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsukernel.exe</ParentCommandLine> <!--Lenovo: System Update-->
 			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\UACSdk.exe</ParentImage> <!--Lenovo: System Update-->
 			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\SUService.exe</ParentImage> <!--Lenovo: System Update-->
@@ -751,6 +753,9 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable</TargetObject>
 			<!-- Other Stuff -->	
 			<TargetObject condition="begin with">HKCU\Software\Classes\mscfile\shell\open\command</TargetObject> <!-- Fileless Bypass of UAC: http://resources.infosecinstitute.com/new-born-macro-malware-dropping-rootkits-using-fileless-infection-vector -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject><!--Identify Rogue Scheduled Task ID's -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject><!--Identify Rogue Scheduled Task ID's added to Logon -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot</TargetObject><!--Identify Rogue Scheduled Task ID's added to Boot -->
 		</RegistryEvent>
 		<RegistryEvent onmatch="exclude">
 		<!--COMMENT:	Remove low-information noise-->

From a9faef1633638a4741f05f8451f257ede89e76c6 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 1 Mar 2017 09:56:54 -0500
Subject: [PATCH 096/471] Add More IOC Detection

---
 sysmonconfig-export.xml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 41df3e8f..b094c6fb 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -641,6 +641,8 @@
 			<!--Windows shell hijack-->
 			<TargetObject condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
 			<TargetObject condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
 			<TargetObject condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
 			<TargetObject condition="contains">\Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
 			<TargetObject condition="contains">\Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
@@ -756,6 +758,14 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject><!--Identify Rogue Scheduled Task ID's -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject><!--Identify Rogue Scheduled Task ID's added to Logon -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot</TargetObject><!--Identify Rogue Scheduled Task ID's added to Boot -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
+			<TargetObject condition="contains">\comfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
+			<TargetObject condition="contains">\htafile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
+			<TargetObject condition="contains">\batfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
+			<TargetObject condition="contains">\piffile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
+			<TargetObject condition="contains">\exefile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
+			<TargetObject condition="contains">\piffile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
+			<TargetObject condition="contains">\regfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
 		</RegistryEvent>
 		<RegistryEvent onmatch="exclude">
 		<!--COMMENT:	Remove low-information noise-->

From 9a0935ab730a55b71284257e5160bb0ef4e227c6 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 1 Mar 2017 10:43:41 -0500
Subject: [PATCH 097/471] Add Detection: COMObject Hijacking

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index b094c6fb..38f2b9e2 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -766,6 +766,8 @@
 			<TargetObject condition="contains">\exefile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
 			<TargetObject condition="contains">\piffile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
 			<TargetObject condition="contains">\regfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
+			<TargetObject condition="contains">\InprocServer32</TargetObject> <!--Detect: COMObject Hijacking: https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence -->
+			<TargetObject condition="contains">\InprocServer32</TargetObject> <!--Detect: COMObject Hijacking: https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence -->
 		</RegistryEvent>
 		<RegistryEvent onmatch="exclude">
 		<!--COMMENT:	Remove low-information noise-->

From 50a31f942824d1b2fcd0631e276f521421253f59 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 1 Mar 2017 13:18:38 -0500
Subject: [PATCH 098/471] Removed old Graylog Content Pack

---
 Graylog_Content_Pack/sysmon_content_pack.json | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 Graylog_Content_Pack/sysmon_content_pack.json

diff --git a/Graylog_Content_Pack/sysmon_content_pack.json b/Graylog_Content_Pack/sysmon_content_pack.json
deleted file mode 100644
index ed739001..00000000
--- a/Graylog_Content_Pack/sysmon_content_pack.json
+++ /dev/null
@@ -1 +0,0 @@
-{"name":"sysmon dashboard","description":"Sysmon Dashboard\n\nGraylog Sysmon Dashboard\n","category":"sysmon, windows","inputs":[],"streams":[],"outputs":[],"dashboards":[{"title":"SysMon","description":"Windows Information Board","dashboard_widgets":[{"description":"Task (registered 24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_task","show_pie_chart":false,"query":"_exists_:sysmon_task","show_data_table":true},"col":1,"row":4,"height":2,"width":1},{"description":"Target Location (24h)","type":"org.graylog.plugins.map.widget.strategy.MapWidgetStrategy","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_dns_lookup_ip_geolocation","query":"_exists_:sysmon_dns_lookup_ip_geolocation"},"col":2,"row":1,"height":2,"width":2},{"description":"Integrity (24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_cmd_integrity","show_pie_chart":false,"query":"_exists_:sysmon_cmd_integrity","show_data_table":true},"col":4,"row":3,"height":2,"width":1},{"description":"DNS Lookup (24h)","type":"QUICKVALUES","cache_time":100,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_dns_lookup","show_pie_chart":false,"query":"_exists_:sysmon_dns_lookup","show_data_table":true},"col":3,"row":3,"height":3,"width":1},{"description":"Event ID (24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_event_id","show_pie_chart":true,"query":"_exists_:sysmon_event_id","show_data_table":false},"col":1,"row":2,"height":2,"width":1},{"description":"User Acting (24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_user_type","show_pie_chart":false,"query":"_exists_: sysmon_user_type","show_data_table":true},"col":4,"row":2,"height":1,"width":1},{"description":"Programs (24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_data_process","show_pie_chart":false,"query":"_exists_:sysmon_data_process","show_data_table":true},"col":2,"row":3,"height":3,"width":1},{"description":"Thread Indicated (24h)","type":"SEARCH_RESULT_COUNT","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"lower_is_better":true,"trend":true,"query":"_exists_:sysmon_task AND _exists_:threat_indicated AND threat_indicated:true"},"col":1,"row":1,"height":1,"width":1},{"description":"Threat Lookups (24h)","type":"SEARCH_RESULT_COUNT","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"lower_is_better":false,"trend":true,"query":"_exists_:sysmon_task AND _exists_:threat_indicated AND threat_indicated:false"},"col":4,"row":1,"height":1,"width":1}]}],"grok_patterns":[]}
\ No newline at end of file

From 3f4bad7974c0c6793a1aec05ddcebcb6eb5201cc Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 1 Mar 2017 15:07:20 -0500
Subject: [PATCH 099/471] update name.

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 1b22274c..620c4e92 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# sysmon-config | A Sysmon configuration file for everybody #
+# Sysmon Threat Intelligence Configuration #
 
 This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing.
 

From bdb8a608008a76dc2a66c09c090a1d5cf3d87842 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 1 Mar 2017 16:57:59 -0500
Subject: [PATCH 100/471] Turning down noise a bit.

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 38f2b9e2..664a92bf 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -777,6 +777,7 @@
 			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
 			<Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
 			<!--Misc-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--SvcHost Noise-->
 			<TargetObject condition="end with">Toolbar\WebBrowser</TargetObject> <!--Microsoft:IE: Extraneous activity-->
 			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Height</TargetObject> <!--Microsoft:IE: Extraneous activity-->
 			<TargetObject condition="end with">Toolbar\ShellBrowser\ITBar7Layout</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->

From 7fe1314405fc8c65465b447ae357dd3dcc1ce002 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Wed, 1 Mar 2017 20:21:14 -0500
Subject: [PATCH 101/471] Add additional exclusions to cut down noise: We need
 the Sysinternals team to add File Image Signature detection to further
 improve sysmon's filtering and security capabilities.

---
 sysmonconfig-export.xml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 664a92bf..4ac4dfa1 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -259,7 +259,7 @@
 			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
-			<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--BITS File Transfer program-->
+			<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Windows Services hidden by Svchost.exe, BITS File Transfer program-->
 			<Image condition="image">mshta.exe</Image>
 			<Image condition="image">python.exe</Image>
 			<Image condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
@@ -573,7 +573,9 @@
 			<TargetFilename condition="end with">\Start Menu\Programs</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
 			<TargetFilename condition="end with">\Start Menu\Programs\Startup</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
 			<!--SECTION: Microsoft-->
-			<Image condition="is">C:\Windows\System32\smss.exe</Image><!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
+			<Image condition="contains">C:\Windows\System32\svchost.exe</Image> <!-- Microsoft:Windows: Svchost creating thousands of files, creating new profiles on TS's -->
+			<Image condition="contains">C:\Windows\System32\smss.exe</Image> <!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
+			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\IE</TargetFilename> <!-- Microsoft:Windows: Creates thousands of files including new profiles -->
 			<Image condition="is">\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates</Image>
 			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost -->
 			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe -->
@@ -777,6 +779,8 @@
 			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
 			<Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
 			<!--Misc-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\Optimize Start Menu Cache Files-</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\User_Feed_Synchronization-</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--SvcHost Noise-->
 			<TargetObject condition="end with">Toolbar\WebBrowser</TargetObject> <!--Microsoft:IE: Extraneous activity-->
 			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Height</TargetObject> <!--Microsoft:IE: Extraneous activity-->
@@ -833,6 +837,7 @@
 			<TargetObject condition="contains">HKLM\System\CurrentControlSet\Services\DeviceAssociationService\Start</TargetObject><!--Device Association Service Noise-->
 			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}\</TargetObject><!-- HD Audio Noise-->
 			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe</Image> <!--VMWare: Horizon View Client Noise-->
+			<Image condition="is">C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe</Image> <!--PGP: Noise-->
 		</RegistryEvent>
 
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED -->
@@ -896,6 +901,7 @@
 			<!--SECTION: Webroot-->
 			<PipeName condition="is">\WRSVCPipe</PipeName>
 			<PipeName condition="is">\WRSynUM2</PipeName>
+			<PipeName condition="is">\wrUrl</PipeName><!--Webroot Webfiltering Pipe-->
 			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
 			<!--SECTION: Google-->
 			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>

From 41859493d9a9eaa2a580973bb342b5230c5b3635 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Thu, 2 Mar 2017 21:34:29 -0500
Subject: [PATCH 102/471] Initial Release Of Graylog Sidecar Auto-Installer

---
 Graylog_Content_Pack/Install_Sidecar.bat | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 Graylog_Content_Pack/Install_Sidecar.bat

diff --git a/Graylog_Content_Pack/Install_Sidecar.bat b/Graylog_Content_Pack/Install_Sidecar.bat
new file mode 100644
index 00000000..acd01dbf
--- /dev/null
+++ b/Graylog_Content_Pack/Install_Sidecar.bat
@@ -0,0 +1,18 @@
+@echo off
+cd %temp%
+set /p glg= "[+] What's the Graylog Server name or IP?  "
+echo [+] Server set to to: %glg%
+echo [+] Downloading Graylog Sidecar to: %temp%\Sidecar.exe...
+@powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/Graylog2/collector-sidecar/releases/download/0.1.0-rc.1/collector_sidecar_installer_0.1.0-rc.1.exe','%temp%\Sidecar.exe')"
+start /wait Sidecar.exe /S -SERVERURL=https://%glg%:443/api -TAGS="windows"
+echo [+] Executing Script to edit content of sidecar configuration...
+@powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://goo.gl/mYNrH7')"
+cd "C:\Program Files\graylog\collector-sidecar\"
+echo [+] Installing Graylog Services...
+graylog-collector-sidecar.exe -service install
+graylog-collector-sidecar.exe -service start
+echo [+] Checking Services...
+@powershell get-service collector-sidecar
+echo [+] Graylog Sidecar Successfully Installed and Configured!
+timeout /t 10
+exit
\ No newline at end of file

From ad32c19a8d6b10d17dc1d8a16ac62b31dc911bac Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Thu, 2 Mar 2017 21:42:32 -0500
Subject: [PATCH 103/471] Add noprompt installer, you know what to do

---
 .../Install_Sidecar_noprompt.bat                 | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 Graylog_Content_Pack/Install_Sidecar_noprompt.bat

diff --git a/Graylog_Content_Pack/Install_Sidecar_noprompt.bat b/Graylog_Content_Pack/Install_Sidecar_noprompt.bat
new file mode 100644
index 00000000..d50e9b26
--- /dev/null
+++ b/Graylog_Content_Pack/Install_Sidecar_noprompt.bat
@@ -0,0 +1,16 @@
+@echo off
+cd %temp%
+echo [+] Downloading Graylog Sidecar to: %temp%\Sidecar.exe...
+@powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/Graylog2/collector-sidecar/releases/download/0.1.0-rc.1/collector_sidecar_installer_0.1.0-rc.1.exe','%temp%\Sidecar.exe')"
+start /wait Sidecar.exe /S -SERVERURL=https://YOURSERVERIPHERE:443/api -TAGS="windows"
+echo [+] Executing Script to edit content of sidecar configuration...
+@powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://goo.gl/mYNrH7')"
+cd "C:\Program Files\graylog\collector-sidecar\"
+echo [+] Installing Graylog Services...
+graylog-collector-sidecar.exe -service install
+graylog-collector-sidecar.exe -service start
+echo [+] Checking Services...
+@powershell get-service collector-sidecar
+echo [+] Graylog Sidecar Successfully Installed and Configured!
+timeout /t 10
+exit
\ No newline at end of file

From 406661b0f777446c3a3fbdbb9a789b21254a07bf Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Thu, 2 Mar 2017 21:50:15 -0500
Subject: [PATCH 104/471] double to's lol

---
 Graylog_Content_Pack/Install_Sidecar.bat | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Graylog_Content_Pack/Install_Sidecar.bat b/Graylog_Content_Pack/Install_Sidecar.bat
index acd01dbf..8646ef94 100644
--- a/Graylog_Content_Pack/Install_Sidecar.bat
+++ b/Graylog_Content_Pack/Install_Sidecar.bat
@@ -1,7 +1,7 @@
 @echo off
 cd %temp%
 set /p glg= "[+] What's the Graylog Server name or IP?  "
-echo [+] Server set to to: %glg%
+echo [+] Server set to: %glg%
 echo [+] Downloading Graylog Sidecar to: %temp%\Sidecar.exe...
 @powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/Graylog2/collector-sidecar/releases/download/0.1.0-rc.1/collector_sidecar_installer_0.1.0-rc.1.exe','%temp%\Sidecar.exe')"
 start /wait Sidecar.exe /S -SERVERURL=https://%glg%:443/api -TAGS="windows"

From 2d08dbbcbfd6a0fb077b1bea17424a1aa8b91d96 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Thu, 2 Mar 2017 21:56:54 -0500
Subject: [PATCH 105/471] unshorten URL's for the paranoid like myself :P

---
 Graylog_Content_Pack/Install_Sidecar.bat | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Graylog_Content_Pack/Install_Sidecar.bat b/Graylog_Content_Pack/Install_Sidecar.bat
index 8646ef94..8f9a1795 100644
--- a/Graylog_Content_Pack/Install_Sidecar.bat
+++ b/Graylog_Content_Pack/Install_Sidecar.bat
@@ -6,7 +6,7 @@ echo [+] Downloading Graylog Sidecar to: %temp%\Sidecar.exe...
 @powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/Graylog2/collector-sidecar/releases/download/0.1.0-rc.1/collector_sidecar_installer_0.1.0-rc.1.exe','%temp%\Sidecar.exe')"
 start /wait Sidecar.exe /S -SERVERURL=https://%glg%:443/api -TAGS="windows"
 echo [+] Executing Script to edit content of sidecar configuration...
-@powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://goo.gl/mYNrH7')"
+@powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/ion-storm/39d1e70fde966c6e69e57bcb989c5c8d/raw/e3bf0a7b589a340cc557c14bc0f619372cae8752/sidecar.ps1')"
 cd "C:\Program Files\graylog\collector-sidecar\"
 echo [+] Installing Graylog Services...
 graylog-collector-sidecar.exe -service install

From 9a479022a0abdcfd9eb42bf803deafc26d4a9cd3 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Fri, 3 Mar 2017 10:56:10 -0500
Subject: [PATCH 106/471] get rid of short url, for security

---
 Graylog_Content_Pack/Install_Sidecar_noprompt.bat | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Graylog_Content_Pack/Install_Sidecar_noprompt.bat b/Graylog_Content_Pack/Install_Sidecar_noprompt.bat
index d50e9b26..c9ac62cc 100644
--- a/Graylog_Content_Pack/Install_Sidecar_noprompt.bat
+++ b/Graylog_Content_Pack/Install_Sidecar_noprompt.bat
@@ -4,7 +4,7 @@ echo [+] Downloading Graylog Sidecar to: %temp%\Sidecar.exe...
 @powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/Graylog2/collector-sidecar/releases/download/0.1.0-rc.1/collector_sidecar_installer_0.1.0-rc.1.exe','%temp%\Sidecar.exe')"
 start /wait Sidecar.exe /S -SERVERURL=https://YOURSERVERIPHERE:443/api -TAGS="windows"
 echo [+] Executing Script to edit content of sidecar configuration...
-@powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://goo.gl/mYNrH7')"
+@powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/ion-storm/39d1e70fde966c6e69e57bcb989c5c8d/raw/e3bf0a7b589a340cc557c14bc0f619372cae8752/sidecar.ps1')"
 cd "C:\Program Files\graylog\collector-sidecar\"
 echo [+] Installing Graylog Services...
 graylog-collector-sidecar.exe -service install

From cf95b6956f05806775f625b4141d307a90e9f278 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Fri, 3 Mar 2017 11:42:50 -0500
Subject: [PATCH 107/471] Merge in and clean up.

---
 sysmonconfig-export.xml | 236 ++++++++++++++++++++++++----------------
 1 file changed, 144 insertions(+), 92 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 4ac4dfa1..ec044150 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1,16 +1,17 @@
 <!--
-  sysmon-config | A sysmon configuration focused on high-quality event tracing
-  Master version:	46 | Date: 2017-02-28
-  Master author:	@SwiftOnSecurity, with contributors credited in-line or on Git.
+  sysmon-config | A sysmon configuration focused on default high-quality event tracing and easy customization by the community
+  Master version:	50 | Date: 2017-03-02
+  Master author:	@SwiftOnSecurity, with contributors also credited in-line or on Git.
   Master project:	https://github.com/SwiftOnSecurity/sysmon-config
   Master license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
-  Fork version:	10
+
+  Fork version:	100
   Fork author:	ionstorm
   Fork project:	https://github.com/ion-storm/sysmon-config
   Fork license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
 
   REQUIRED: Sysmon version 6.00 or higher (due to changes in registry syntax)
-  https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
+	https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
 
   NOTE: Although this is stable and inclusive, you should periodically check for new versions to ensure best coverage.
 
@@ -31,16 +32,22 @@
 	<HashAlgorithms>md5,sha256</HashAlgorithms>
 	<EventFiltering>
 
-	<!--SYSMON EVENT ID 1 : PROCESS CREATION -->
+	<!--SYSMON EVENT ID 1 : PROCESS CREATION-->
 		<!--DATA: UtcTime, ProcessGuid, ProcessID, Image, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
 		<ProcessCreate onmatch="exclude">
-		<!--COMMENT:	All process launched will be included in log, except for what matches a rule below. It's best to be as specific as possible, to
-				avoid user-mode executables immitating other process names to avoid logging, or if malware drops files in an existing directory.
+		<!--COMMENT:	All process launched will be included, except for what matches a rule below. It's best to be as specific as possible, to
+				avoid user-mode executables imitating other process names to avoid logging, or if malware drops files in an existing directory.
 				Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created.-->
 			<!--SECTION: Microsoft Windows-->
 			<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes-->
+			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
+			<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine> <!--Microsoft:Windows: Search Indexer-->
+			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
+			<Image condition="is">C:\Windows\System32\MusNotification.exe</Image> <!--Microsoft:Windows: Update popups-->
+			<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image> <!--Microsoft:Windows: Update popups-->
 			<Image condition="is">C:\Windows\System32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly-->
 			<Image condition="is">C:\Windows\System32\conhost.exe</Image> <!--Microsoft:Windows: Command line interface host process-->
+			<Image condition="is">C:\Windows\System32\powercfg.exe</Image> <!--Microsoft:Power configuration management-->
 			<Image condition="is">C:\Windows\System32\wbem\WmiApSrv.exe</Image> <!--Microsoft:Windows: WMI performance adpater host process-->
 			<Image condition="is">C:\Windows\servicing\TrustedInstaller.exe</Image> <!--Microsoft:Windows: TrustedInstaller-->
 			<Image condition="is">C:\Windows\system32\sppsvc.exe</Image> <!--Microsoft:Windows: Software Protection Service-->
@@ -49,7 +56,8 @@
 			<ParentCommandLine condition="begin with">C:\Windows\system32\svchost.exe -k DcomLaunch</ParentCommandLine> <!--Microsoft:Windows-->
 			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font Cache Service-->
 			<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but without attribution-->
-			<CommandLine condition="is">C:\windows\System32\svchost.exe -k WerSvcGroup</CommandLine> <!--Microsoft:WindowsErrorReporting-->
+			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
+			<!--SECTION: Microsoft:Windows:Defender-->
 			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
 			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
 			<Image condition="is">C:\Windows\System32\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
@@ -82,8 +90,12 @@
 			<Image condition="is">C:\Windows\System32\powercfg.exe</Image><!--Microsoft:Power Management-->
 			<!--SECTION: Microsoft dotNet-->
 			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
-			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
 			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
+			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font cache service-->
+			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font cache service-->
+			<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
+			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
+			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
 			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
 			<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine> <!--Microsoft:DotNet-->
 			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
@@ -91,7 +103,6 @@
 			<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
 			<!--SECTION: Microsoft Office-->
 			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process-->
-			<ParentImage condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage> <!--Microsoft:Office: Background process-->
 			<ParentImage condition="end with">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process-->
 			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> <!--Microsoft:Office: Background process-->
 			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
@@ -100,23 +111,23 @@
 			<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
 			<Image condition="begin with">C:\Program Files (x86)\Google\Update\</Image> <!--Google:Chrome: Updater-->
 			<ParentImage condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage> <!--Google:Chrome: Updater-->
-			<!-- SECTION: Firefox -->
+			<!--SECTION: Firefox-->
 			<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
 			<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
 			<!--SECTION: Adobe-->
 			<CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!--Adobe:AcrobatReader: Uninsteresting sandbox subprocess-->
 			<CommandLine condition="contains">AcroRd32.exe" --channel=</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure -->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
 			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure -->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
 			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image>
-			<!--SECTION: Adobe Flash-->
+			<!--SECTION: Adobe:Flash-->
 			<Image condition="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
-			<!--SECTION: Adobe self-update-->
+			<!--SECTION: Adobe:Updater-->
 			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
 			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</ParentImage> <!--Adobe:Updater: Properly hardened updater, not a risk-->
 			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
-			<!--SECTION: Adobe supporting processes-->
+			<!--SECTION: Adobe:Supporting processes-->
 			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe</Image>
 			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image>
 			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> <!--Adobe:Creative Cloud-->
@@ -125,20 +136,21 @@
 			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</ParentImage> <!--Adobe:License utility-->
 			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image>
 			<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</ParentImage>
-			<!--SECTION: Adobe Creative Cloud-->
+			<!--SECTION: Adobe:Creative Cloud-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
+			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
 			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage>
 			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe</ParentImage>
-			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
 			<!--SECTION: Drivers-->
+			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
 			<Image condition="begin with">C:\Program Files\NVIDIA Corporation\</Image> <!--Nvidia:Driver: routine actions-->
 			<Image condition="end with">\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe</Image> <!--Nvidia:Driver: routine actions-->
 			<ParentImage condition="is">C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamuseragent.exe</ParentImage> <!--Nvidia:Driver: routine actions-->
 			<Image condition="begin with">C:\Program Files\Realtek\</Image> <!--Realtek:Driver: routine actions-->
-			<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
 			<ParentImage condition="end with">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage>
 			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
 			<ParentImage condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</ParentImage><!--Synaptics Touchpad -->
+			<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
 			<!--SECTION: Dropbox-->
 			<Image condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> <!--Dropbox:Updater: Lots of command-line arguments-->
 			<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
@@ -226,9 +238,10 @@
 			<Image condition="is">C:\Program Files (x86)\Notepad++\notepad++.exe</Image><!-- Notepad++ -->
 			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
 			<ParentImage condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</ParentImage><!--Enpass Password Manager-->
+			<ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
 		</ProcessCreate>
 
-	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM -->
+	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM-->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->
 		<FileCreateTime onmatch="include">
 			<Image condition="begin with">C:\Users</Image> <!--Look for timestomping in user area-->
@@ -241,19 +254,20 @@
 			<Image condition="contains">setup</Image> <!--Ignore setups-->
 		</FileCreateTime>
 
-	<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED -->
+	<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED-->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIP, DestinationHostname, DestinationPort, DestinationPortName-->
 		<NetworkConnect onmatch="include">
 		<!--COMMENT:	Takes a very conservative approach to network logging, limit to extremely high-signal events.-->
 		<!--TECHNICAL:	For the DestinationHostname, Sysmon uses the GetNameInfo API, which may not always have the information or may be a CDN. Using that field is best-effort only.-->
-			<!--NOTE: These exe's do not initiate their connections, cannot be included: BITSADMIN-->
+		<!--TECHNICAL:	These exe's do not initiate their connections, and cannot be included: BITSADMIN-->
 			<!--Suspicious sources-->
 			<Image condition="begin with">C:\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
 			<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
 			<Image condition="begin with">C:\Windows\Temp</Image> <!--Suspicious anything would communicate from the system-level temp directory-->
-			<Image condition="image">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
+			<!--Suspicious Windows tools-->
+			<Image condition="image">at.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
+			<Image condition="image">certutil.exe</Image> <!--Microsoft:Windows: Certificate tool can contact outbound | Credit @ion-storm and @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->
 			<Image condition="image">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
-			<Image condition="image">wmic.exe</Image> <!--Microsoft:WindowsManagementInstrumentation: Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
 			<Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
 			<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
 			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
@@ -270,7 +284,6 @@
 			<Image condition="image">java.exe</Image>
 			<Image condition="image">installutil.exe</Image>
 			<Image condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
-			<Image condition="image">certutil.exe</Image>
 			<Image condition="image">reg.exe</Image><!-- Remote Registry -->
 			<Image condition="image">mstsc.exe</Image><!-- Remote Desktop -->
 			<Image condition="image">telnet.exe</Image><!-- Telnet -->
@@ -281,7 +294,6 @@
 			<Image condition="image">psftp.exe</Image><!-- SFTP -->
 			<Image condition="image">tftp.exe</Image><!-- TFTP -->
 			<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
-			<Image condition="image">at.exe</Image><!-- Remote Task Scheduler logging -->
 			<Image condition="image">net.exe</Image><!-- net use/net view-->
 			<Image condition="image">C:\windows\system32\mmc.exe</Image><!-- Microsoft Management Console -->
 			<Image condition="image">nbtstat.exe</Image><!-- Netbios stat-->
@@ -358,8 +370,8 @@
 			<DestinationPort condition="is">53</DestinationPort> <!--Log DNS for Graylog threat discovery-->
 		</NetworkConnect>
 		<NetworkConnect onmatch="exclude">
-			<Image condition="image">Spotify.exe</Image> <!--Spotify-->
 			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
+			<Image condition="image">Spotify.exe</Image> <!--Spotify-->
 			<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image> <!--Dropbox-->
 			<Image condition="image">OneDriveStandaloneUpdater.exe</Image> <!--Microsoft:OneDrive-->
 			<Image condition="image">ConnectWise.exe</Image> <!--ConnectWise Noise-->
@@ -391,18 +403,18 @@
 			<Image condition="image">C:\Program Files (x86)\SmartGit\jre\bin\java.exe</Image>
 		</NetworkConnect>
 
-	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY -->
+	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY-->
 		<!--DATA: UtcTime, State, Version, SchemaVersion-->
 		<!--Cannot be filtered.-->
 
-	<!--SYSMON EVENT ID 5 : PROCESS ENDED -->
+	<!--SYSMON EVENT ID 5 : PROCESS ENDED-->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image-->
 		<ProcessTerminate onmatch="include">
 		<!--COMMENT:	Useful data in building infection timelines.-->
 			<Image condition="begin with">C:\Users</Image> <!--Process terminations by user binaries-->
 		</ProcessTerminate>
 
-	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL -->
+	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL-->
 		<!--DATA: UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
 		<DriverLoad onmatch="exclude">
 		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
@@ -424,10 +436,10 @@
 			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed MSI drivers-->
 		</DriverLoad>
 
-	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS -->
+	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS-->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
 		<ImageLoad onmatch="include">
-		<!--COMMENT:	Can cause high system load, disabled by default, important examples included below. -->
+		<!--COMMENT:	Can cause high system load, disabled by default, important examples included below.-->
 			<!-- <ImageLoaded condition="contains">system.automation</ImageLoaded> -->
 			<!-- <ImageLoaded condition="image">wshom.ocx</ImageLoaded> -->
 			<!-- <ImageLoaded condition="image">vbscript.dll</ImageLoaded> -->
@@ -442,7 +454,7 @@
 			<!-- <ImageLoaded condition="image">wdigest.dll</ImageLoaded> -->
 		</ImageLoad>
 
-	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED -->
+	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED-->
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
 		<CreateRemoteThread onmatch="exclude">
 		<!--COMMENT:	Monitor for processes injecting code into other processes. Often used by malware to cloak their actions.
@@ -459,7 +471,7 @@
 			<SourceImage condition="contains">FireSvc.exe</SourceImage>
 		</CreateRemoteThread>
 
-	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS -->
+	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS-->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, Device-->
 		<RawAccessRead onmatch="include">
 		<!--COMMENT:	Monitor for raw sector-level access to the disk, often used to bypass access control lists or access locked files.
@@ -468,7 +480,7 @@
 		<!--COMMENT:	You will likely want to set this to a full capture on domain controllers, where no process should be doing raw reads.-->
 		</RawAccessRead>
 
-	<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS -->
+	<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS-->
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
 		<ProcessAccess onmatch="include">
 		<!--COMMENT:	Monitor for processes accessing other process' memory. This can be valuable, but can cause massive event glut.
@@ -487,6 +499,7 @@
 			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
 			<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
 		</ProcessAccess>
+
 	<!--SYSMON EVENT ID 11 : FILE CREATED -->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
 		<FileCreate onmatch="include">
@@ -494,13 +507,16 @@
 			<TargetFilename condition="contains">\Startup</TargetFilename> <!--Microsoft:Office: Changes to user's autoloaded files under AppData-->
 			<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments--> <!--PRIVACY WARNING-->
 			<TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE--> <!--PRIVACY WARNING-->
-			<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
-			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
-			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
+			<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
+			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
 			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
 			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
+			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
+			<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
+			<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
+			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
+			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
 			<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
-			<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
 			<TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
 			<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry files-->
 			<TargetFilename condition="end with">.docm</TargetFilename> <!--Office Macros-->
@@ -513,13 +529,15 @@
 			<TargetFilename condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
 			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
 			<TargetFilename condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
+			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
 			<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
+			<TargetFilename condition="begin with">C:\Windows\System32\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
+			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
 			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
 			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
-			<TargetFilename condition="begin with">C:\Windows\System32\drivers</TargetFilename> <!--Microsoft: Drivers dropped here -->
-			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here -->
-			<TargetFilename condition="begin with">C:\Windows\System32\wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
-			<TargetFilename condition="begin with">C:\Windows\SysWOW64\wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
+			<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks-->
+			<TargetFilename condition="begin with">C:\Windows\System32\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
+			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
 			<TargetFilename condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
 			<TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
 			<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
@@ -580,6 +598,9 @@
 			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost -->
 			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe -->
 			<TargetFilename condition="begin with">C:\Windows\System32\DriverStore\Temp\</TargetFilename> <!-- Microsoft:Windows: Temp files by DrvInst.exe-->
+			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe-->
+			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost-->
+			<!--SECTION: Microsoft:Windows:Updates-->
 			<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\</TargetFilename> <!-- Microsoft:Windows: Feature updates containing lots of .exe and .sys-->
 			<TargetFilename condition="end with">.etl</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->
 			<TargetFilename condition="end with">.log</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->
@@ -601,7 +622,7 @@
 			<Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image> <!--Intel: Drops bat and other files in \Windows in normal operation-->
 		</FileCreate>
 
-	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION -->
+	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION-->
 		<!--NOTE:	It may appear this section is missing important entries, but many of them match multiple areas, so look carefully to see if something is already covered.-->
 		<!--NOTE:	"contains" conditions below are formatted to reduce CPU load, so they may appear written inconsistently, but this is on purpose from tuning.-->
 		<!--NOTE:	"contains" works by finding the first letter, then matching the second, etc, so the first letters should be as low-occurance as possible.-->
@@ -619,12 +640,12 @@
 				<!--ADDITIONAL REFERENCE: [ https://view.officeapps.live.com/op/view.aspx?src=https://arsenalrecon.com/downloads/resources/Registry_Keys_Related_to_Autorun.ods ] -->
 				<!--ADDITIONAL REFERENCE: [ http://www.silentrunners.org/launchpoints.html ] -->
 			<TargetObject condition="contains">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Run keys, incld RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
-			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts -->
+			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts-->
 			<TargetObject condition="contains">\Windows\System\Scripts</TargetObject> <!--Microsoft:Windows: Logon, Loggoff, Shutdown-->
 			<TargetObject condition="contains">\Microsoft\System\Scripts</TargetObject> <!--Microsoft:Windows: Legacy Logon, Loggoff, Shutdown Scripts-->
 			<TargetObject condition="end with">\ServiceDll</TargetObject> <!--Microsoft:Windows: Points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ] -->
 			<TargetObject condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: Points to a service's EXE [ https://github.com/crypsisgroup/Splunkmon/blob/master/sysmon.cfg ] -->
-			<TargetObject condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual) -->
+			<TargetObject condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual)-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location -->
@@ -636,20 +657,27 @@
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject><!--Microsoft:Windows: Legacy Autorun may exist in server 2003-2008-->
 			<!--CLSID launch commands and file association changes-->
+			<TargetObject condition="contains">\Explorer\FileExts\</TargetObject> <!--Microsoft:Windows: Changes to file extension mapping-->
 			<TargetObject condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
 			<TargetObject condition="contains">\shell\open\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
 			<TargetObject condition="contains">\shell\open\ddeexec\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
-			<TargetObject condition="contains">\Explorer\FileExts\</TargetObject> <!--Microsoft:Windows: Changes to file extension mapping-->
+			<!--Windows COM-->
+			<TargetObject condition="end with">\InprocServer32\(Default)</TargetObject> <!--Microsoft:Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
 			<!--Windows shell hijack-->
 			<TargetObject condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
 			<TargetObject condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
 			<TargetObject condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
 			<TargetObject condition="contains">\Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
 			<TargetObject condition="contains">\Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
+			<TargetObject condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
 			<!--AppPaths hijacking-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
@@ -662,8 +690,8 @@
 			<TargetObject condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
 			<!--Credential providers-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
 			<!--Networking-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
@@ -685,11 +713,8 @@
 			<TargetObject condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
 			<TargetObject condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and componenent installations-->
 			<!--Windows internals integrity monitoring-->
-			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject> <!--Microsoft:Windows: Malware likes changing IFEO-->
-			<TargetObject condition="end with">\FriendlyName</TargetObject> <!--Microsoft:Windows: New devices connected and remembered-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject> <!--Microsoft:Windows: Event log system integrity and ACLs-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
@@ -769,12 +794,16 @@
 			<TargetObject condition="contains">\piffile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
 			<TargetObject condition="contains">\regfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
 			<TargetObject condition="contains">\InprocServer32</TargetObject> <!--Detect: COMObject Hijacking: https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence -->
-			<TargetObject condition="contains">\InprocServer32</TargetObject> <!--Detect: COMObject Hijacking: https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
+			<TargetObject condition="end with">\FriendlyName</TargetObject> <!--Microsoft:Windows: New devices connected and remembered-->
+			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged-->
 		</RegistryEvent>
 		<RegistryEvent onmatch="exclude">
 		<!--COMMENT:	Remove low-information noise-->
 			<!--SECTION: Microsoft binaries-->
 			<Image condition="end with">Office\root\integration\integrator.exe</Image> <!--Microsoft:Office: C2R client-->
+			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image> <!--Microsoft:Windows: Changes association registry keys-->
 			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image> <!--Microsoft:Office: C2R client-->
 			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
 			<Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
@@ -794,41 +823,44 @@
 			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Cached</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Cached" wildcard-->
 			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Approved</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Approved" wildcard-->
 			<TargetObject condition="end with">}\PreviousPolicyAreas</TargetObject> <!--Microsoft:Windows: Remove noise from \Winlogon\GPExtensions by svchost.exe-->
-			<TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
-			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
-			<TargetObject condition="end with">\Lsa\OfflineJoin\CurrentValue</TargetObject> <!--Microsoft:Windows: Sensitive value during domain join -->
-			<TargetObject condition="end with">\Components\TrustedInstaller\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon -->
-			<TargetObject condition="end with">\Components\TrustedInstaller</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon -->
-			<TargetObject condition="end with">\Components\Wlansvc</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon -->
-			<TargetObject condition="end with">\Components\Wlansvc\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject> <!--Microsoft:Windows: Remove noise monitoring installations run as system -->
-			<TargetObject condition="end with">\Directory\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes -->
-			<TargetObject condition="end with">\Directory\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes -->
-			<TargetObject condition="end with">\Drive\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes -->
-			<TargetObject condition="end with">\Drive\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes -->
-			<TargetObject condition="contains">_Classes\AppX</TargetObject> <!--Microsoft:Windows: Remove noise monitoring "Shell\open\command" --> <!--Win8+ -->
+			<TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
+			<TargetObject condition="end with">\Lsa\OfflineJoin\CurrentValue</TargetObject> <!--Microsoft:Windows: Sensitive value during domain join-->
+			<TargetObject condition="end with">\Components\TrustedInstaller\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
+			<TargetObject condition="end with">\Components\TrustedInstaller</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
+			<TargetObject condition="end with">\Components\Wlansvc</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
+			<TargetObject condition="end with">\Components\Wlansvc\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject> <!--Microsoft:Windows: Remove noise monitoring installations run as system-->
+			<TargetObject condition="end with">\Directory\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
+			<TargetObject condition="end with">\Directory\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
+			<TargetObject condition="end with">\Drive\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
+			<TargetObject condition="end with">\Drive\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
+			<TargetObject condition="contains">_Classes\AppX</TargetObject> <!--Microsoft:Windows: Remove noise monitoring "Shell\open\command"--> <!--Win8+-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--Microsoft:Windows: SvcHost Noise-->
+			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image> <!--Microsoft:Windows: Remove noise from Windows 10 Cortana | Credit @ion-storm--> <!--Win10-->
 			<!--Bootup Control noise-->
-			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
-			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
-			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
-			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
-			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
-			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise --> <!--Win8+ -->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
+			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
 			<!--Sevices autostart noise-->
-			<TargetObject condition="end with">\services\TrustedInstaller\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
-			<TargetObject condition="end with">\services\tunnel\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
-			<TargetObject condition="end with">\services\BITS\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
-			<TargetObject condition="end with">\services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start" -->
 			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
 			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
 			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
 			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
+			<TargetObject condition="end with">\services\DeviceAssociationService\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
+			<TargetObject condition="end with">\services\BITS\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
+			<TargetObject condition="end with">\services\TrustedInstaller\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
+			<TargetObject condition="end with">\services\tunnel\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
+			<TargetObject condition="end with">\services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
 			<!--FileExts noise filtering-->
 			<TargetObject condition="contains">\OpenWithProgids</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
 			<TargetObject condition="end with">\OpenWithList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
 			<TargetObject condition="end with">\UserChoice</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
-			<TargetObject condition="end with">\UserChoice\ProgId</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+ -->
-			<TargetObject condition="end with">\UserChoice\Hash</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+ -->
+			<TargetObject condition="end with">\UserChoice\ProgId</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
+			<TargetObject condition="end with">\UserChoice\Hash</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
 			<TargetObject condition="end with">\OpenWithList\MRUList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
 			<TargetObject condition="end with">} 0xFFFF</TargetObject> <!--Microsoft:Windows: Remove noise from explorer.exe from monitoring ShellCached binary keys--> <!--Win8+ -->
 			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image><!--Microsoft:Windows Remove noise from Windows 10 Cortana--> <!--Win10 -->
@@ -838,9 +870,11 @@
 			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}\</TargetObject><!-- HD Audio Noise-->
 			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe</Image> <!--VMWare: Horizon View Client Noise-->
 			<Image condition="is">C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe</Image> <!--PGP: Noise-->
+			<!--SECTION: 3rd party-->
+			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image> <!--Constantly writes to HKLM-->
 		</RegistryEvent>
 
-	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED -->
+	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED-->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
 		<FileCreateStreamHash onmatch="include">
 		<!--COMMENT:	Any files created with an NTFS Alternate Data Stream which match these rules will be hashed and logged.
@@ -851,21 +885,38 @@
 			<TargetFilename condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
 			<TargetFilename condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
 			<TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting files-->
-			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting files-->
-			<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting files-->
-			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
+			<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
+			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
 			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
-			<TargetFilename condition="end with">.ps1</TargetFilename> <!--Powershell-->
-			<TargetFilename condition="end with">.ps2</TargetFilename> <!--Powershell-->
-			<TargetFilename condition="end with">.lnk</TargetFilename> <!--Shortcut file-->
-			<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry File-->
-			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting | Credit @ion-storm -->
+			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
+			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
+			<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
+			<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
+			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
+			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
+			<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
+			<TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
+			<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry files-->
+			<TargetFilename condition="end with">.docm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.xlsm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.xlam</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.potm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.sldm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
+			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
+			<TargetFilename condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
+			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
+			<TargetFilename condition="end with">.js</TargetFilename> <!--Java-->
 		</FileCreateStreamHash>
 
-	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY -->
+	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY-->
 		<!--DATA: UtcTime, Configuration, ConfigurationFileHash-->
 		<!--Cannot be filtered.-->
 
+	<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED-->
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
 		<PipeEvent onmatch="exclude">
 		<!--COMMENT: Exclude known-good pipe users-->
 				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
@@ -943,5 +994,6 @@
 			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
 		</PipeEvent>
+
 	</EventFiltering>
 </Sysmon>

From ffeade2b04fe62e3df1ee5e0065d17e4a4163ad8 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Fri, 3 Mar 2017 14:45:47 -0500
Subject: [PATCH 108/471] Update Intel

---
 README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 620c4e92..fd9b9c4d 100644
--- a/README.md
+++ b/README.md
@@ -162,23 +162,23 @@ then
 
     // look up the requested DNS captured by sysmon
     // this will be the most fired rule
-    let sysmon_dns_lookup_intel = threat_intel_lookup_domain(to_string($message.query_domain), "sysmon_dns_lookup");
+    let sysmon_dns_lookup_intel = threat_intel_lookup_domain(to_string($message.sysmon_dns_lookup), "sysmon_dns_lookup");
     set_fields(sysmon_dns_lookup_intel);
 
     // look up the ip from the DNS answer
     // if we do not monitor the dns, then this might be nice to have
-    let sysmon_lookup_ip_answer_intel = threat_intel_lookup_ip(to_string($message.query_answer), "sysmon_dns_lookup_ip");
+    let sysmon_lookup_ip_answer_intel = threat_intel_lookup_ip(to_string($message.sysmon_dns_lookup_ip), "sysmon_dns_lookup_ip");
     set_fields(sysmon_lookup_ip_answer_intel);
 
     // look up the requesting IP 
     // this is useful if dealing with non internal IPs 
     // so you know if your IP is seen as a problem
-    let sysmon_src_ip_answer_intel = threat_intel_lookup_ip(to_string($message.query_answer), "sysmon_src_ip");
+    let sysmon_src_ip_answer_intel = threat_intel_lookup_ip(to_string($message.sysmon_src_ip), "sysmon_src_ip");
     set_fields(sysmon_src_ip_answer_intel);
 
     // WHOIS lookup. This is disabled by default. Enable and carefully watch latency and performance.
-    //let sysmon_dns_lookup_ip_whois = whois_lookup_ip(to_string($message.query_answer), "sysmon_dns_lookup_ip");
-    //set_fields(sysmon_dns_lookup_ip_whois);
+    let sysmon_dns_lookup_ip_whois = whois_lookup_ip(to_string($message.sysmon_dns_lookup_ip), "sysmon_dns_lookup_ip");
+    set_fields(sysmon_dns_lookup_ip_whois);
 end
 ~~~~
 

From 316cbdcdefddfc39d6273869d8e942da6473c538 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Fri, 3 Mar 2017 21:17:41 -0500
Subject: [PATCH 109/471] Add Alienvault OTX to Graylog pipeline cfg

---
 README.md | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index fd9b9c4d..82df80e4 100644
--- a/README.md
+++ b/README.md
@@ -179,6 +179,14 @@ then
     // WHOIS lookup. This is disabled by default. Enable and carefully watch latency and performance.
     let sysmon_dns_lookup_ip_whois = whois_lookup_ip(to_string($message.sysmon_dns_lookup_ip), "sysmon_dns_lookup_ip");
     set_fields(sysmon_dns_lookup_ip_whois);
+    
+    //AlienVault OTX
+    let intel = otx_lookup_ip(to_string($message.sysmon_src_ip));
+    let intel = otx_lookup_domain(to_string($message.sysmon_dns_lookup_ip));
+    set_field("otx_threat_indicated", intel.otx_threat_indicated);
+    set_field("otx_threat_ids", intel.otx_threat_ids);
+    set_field("otx_threat_names", intel.otx_threat_names);
+
 end
 ~~~~
 
@@ -187,7 +195,7 @@ end
 rule "sysmon threatintel inflate"
 when
     // run only if one of the fields is true
-    to_bool($message.sysmon_dns_lookup_ip_threat_indicated) OR to_bool($message.sysmon_dns_lookup_threat_indicated) OR to_bool($message.sysmon_src_ip_threat_indicated)
+    to_bool($message.sysmon_dns_lookup_ip_threat_indicated) OR to_bool($message.sysmon_dns_lookup_threat_indicated) OR to_bool($message.sysmon_src_ip_threat_indicated) OR to_bool($message.otx_threat_indicated)
 then
 
     // This is to make Graylog searches easy

From 3b96f6430a614b634923668662c44873642ce5b2 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 5 Mar 2017 10:15:10 -0500
Subject: [PATCH 110/471] Add Shellcode/Exploit Detection of Office Macro's

---
 sysmonconfig-export.xml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ec044150..7235ffc5 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -491,13 +491,16 @@
 			<SourceImage condition="image">mspub.exe</SourceImage> <!-- Hancitor process hollowing -->
 			<SourceImage condition="image">msbuild.exe</SourceImage> <!-- Hancitor process hollowing -->
 			<SourceImage condition="image">powerpnt.exe</SourceImage> <!-- Hancitor process hollowing -->
-		<!--Include mimikatz-specific events.-->
 			<SourceImage condition="contains">powershell.exe</SourceImage>
- 		<!--<TargetImage condition="contains">lsass.exe</TargetImage>--> <!--Disabled: To cut down noise-->
+			<CallTrace condition="contains">VBE7.dll</CallTrace> <!-- ShellCode Spawned from Office Macros Credit: @JohnLaTwC -->
+			<CallTrace condition="contains">VBE6.dll</CallTrace> <!-- ShellCode Spawned from Office Macros Credit: @JohnLaTwC -->
+ 			<!--Include mimikatz-specific events.-->
+		<!--<TargetImage condition="contains">lsass.exe</TargetImage>--> <!--Disabled: To cut down noise-->
 		</ProcessAccess>
 		<ProcessAccess onmatch="exclude">
 			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
 			<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
+			<CallTrace condition="excludes">UNKNOWN</CallTrace> <!-- ShellCode Spawned from Office Macros: Credit: @JohnLaTwC -->
 		</ProcessAccess>
 
 	<!--SYSMON EVENT ID 11 : FILE CREATED -->

From 66581427b52fb63b5efa22624cdf74cd209e0e32 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 5 Mar 2017 14:47:20 -0500
Subject: [PATCH 111/471] Add Detection of PoisonTap, USB RubberDucky, Driver &
 DLL Drops, LSA Security Providers, ACPI Rootkits, Debugger Hijack Location,
 Poweliks Detection

---
 sysmonconfig-export.xml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 7235ffc5..c70fc556 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -269,7 +269,7 @@
 			<Image condition="image">certutil.exe</Image> <!--Microsoft:Windows: Certificate tool can contact outbound | Credit @ion-storm and @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->
 			<Image condition="image">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
 			<Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
-			<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
+			<Image condition="image">wscript.exe</Image><Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
 			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
@@ -510,6 +510,8 @@
 			<TargetFilename condition="contains">\Startup</TargetFilename> <!--Microsoft:Office: Changes to user's autoloaded files under AppData-->
 			<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments--> <!--PRIVACY WARNING-->
 			<TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE--> <!--PRIVACY WARNING-->
+			<TargetFilename condition="end with">.dll</TargetFilename> <!-- Lets detect DLL's being dropped in locations and to detect DLL Search Order Hijacking -->
+			<TargetFilename condition="end with">.sys</TargetFilename> <!-- Lets detect Drivers's being dropped in locations -->
 			<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
 			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
 			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
@@ -649,6 +651,14 @@
 			<TargetObject condition="end with">\ServiceDll</TargetObject> <!--Microsoft:Windows: Points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ] -->
 			<TargetObject condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: Points to a service's EXE [ https://github.com/crypsisgroup/Splunkmon/blob/master/sysmon.cfg ] -->
 			<TargetObject condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual)-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</TargetObject> <!-- Print Monitor DLL's loaded at startup can be malicious, lets monitor those -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>  <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
+			<TargetObject condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject> <!--Detect ACPI Rootkits -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location -->
@@ -659,6 +669,11 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Microsoft:Windows: Legacy driver loading | Credit @ion-storm -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject><!--Microsoft:Windows: Legacy Autorun may exist in server 2003-2008-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject> <!-- Windows Debugger Hijack Autorun -->
 			<!--CLSID launch commands and file association changes-->
 			<TargetObject condition="contains">\Explorer\FileExts\</TargetObject> <!--Microsoft:Windows: Changes to file extension mapping-->
 			<TargetObject condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
@@ -729,6 +744,7 @@
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
 			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
 			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
 			<!--Group Policy Scripts-->
 			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
 			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
@@ -801,6 +817,8 @@
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
 			<TargetObject condition="end with">\FriendlyName</TargetObject> <!--Microsoft:Windows: New devices connected and remembered-->
 			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject> <!-- Detect Keyloggers & new Keyboards -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject> <!-- Detect New USB Network Devices: Poison Tap -->
 		</RegistryEvent>
 		<RegistryEvent onmatch="exclude">
 		<!--COMMENT:	Remove low-information noise-->

From 0bd90fdb12337a0a278b6860a9e1465fb5e28539 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 5 Mar 2017 16:04:06 -0500
Subject: [PATCH 112/471] Add Image Loaded By Process, Excluding all signed and
 Valid DLL's

---
 sysmonconfig-export.xml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index c70fc556..4007a3d5 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -439,6 +439,8 @@
 	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS-->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
 		<ImageLoad onmatch="include">
+		<Signed condition="is">false</Signed> <!-- Lets Only show Unsigned DLL's loaded-->
+		<SignatureStatus condition="is">Invalid</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
 		<!--COMMENT:	Can cause high system load, disabled by default, important examples included below.-->
 			<!-- <ImageLoaded condition="contains">system.automation</ImageLoaded> -->
 			<!-- <ImageLoaded condition="image">wshom.ocx</ImageLoaded> -->
@@ -452,6 +454,27 @@
 			<!-- Mimikatz -->
 			<!--NOTES: [ https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ ] -->
 			<!-- <ImageLoaded condition="image">wdigest.dll</ImageLoaded> -->
+			<!-- Microsoft & Common Computer Vendor Exclusions -->
+			<!-- Here are the exclude rules, were using include now :)
+			<Signature condition="contains">Microsoft</Signature>
+			<Signature condition="contains">Windows</Signature>
+			<Signature condition="contains">Dell</Signature>
+			<Signature condition="contains">Lenovo</Signature>
+			<Signature condition="contains">HP</Signature>
+			<Signature condition="contains">Micro-Star</Signature>
+			<Signature condition="contains">MSI</Signature>
+			<Signature condition="contains">Intel</Signature>
+			<Signature condition="contains">AMD</Signature>
+			<Signature condition="contains">Advanced Micro Devices</Signature>
+			<Signature condition="contains">Broadcom</Signature>
+			<Signature condition="contains">Realtek</Signature>
+			<Signature condition="contains">VMware</Signature>
+			<Signature condition="contains">Synaptic</Signature>
+			<Signature condition="contains">Logitech</Signature>
+			<Signature condition="contains">Steelseries</Signature>
+			<Signature condition="contains">Cisco</Signature>
+			<Signature condition="contains">Fortinet</Signature> -->
+			
 		</ImageLoad>
 
 	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED-->

From 7a2bce3040023efae63aa46d8052de531ed4fd63 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 5 Mar 2017 16:14:28 -0500
Subject: [PATCH 113/471] Add unavailable status

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 4007a3d5..eb5d64ec 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -441,6 +441,7 @@
 		<ImageLoad onmatch="include">
 		<Signed condition="is">false</Signed> <!-- Lets Only show Unsigned DLL's loaded-->
 		<SignatureStatus condition="is">Invalid</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
+		<SignatureStatus condition="is">Unavailable</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
 		<!--COMMENT:	Can cause high system load, disabled by default, important examples included below.-->
 			<!-- <ImageLoaded condition="contains">system.automation</ImageLoaded> -->
 			<!-- <ImageLoaded condition="image">wshom.ocx</ImageLoaded> -->

From f381bd664adc06a38e7a233d4e88b96411d4917a Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 5 Mar 2017 16:34:23 -0500
Subject: [PATCH 114/471] cut down the DLL Noise, excluding Program Files for
 Production for now

---
 sysmonconfig-export.xml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index eb5d64ec..4d327c7b 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -475,9 +475,14 @@
 			<Signature condition="contains">Steelseries</Signature>
 			<Signature condition="contains">Cisco</Signature>
 			<Signature condition="contains">Fortinet</Signature> -->
-			
 		</ImageLoad>
-
+		<ImageLoad onmatch="exclude">
+		<Image condition="is">C:\Windows\System32\mmc.exe</Image>
+		<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
+		<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <!-- Windows Store apps unsigned -->
+		<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
+		<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: Not good for security but good on cutting down the noise -->
+		</ImageLoad>
 	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED-->
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
 		<CreateRemoteThread onmatch="exclude">

From 9a52dc70211fb5ee67278ee70c8704072695dc42 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 5 Mar 2017 16:45:26 -0500
Subject: [PATCH 115/471] add additional notice

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 4d327c7b..a10465c9 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -481,7 +481,7 @@
 		<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
 		<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <!-- Windows Store apps unsigned -->
 		<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
-		<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: Not good for security but good on cutting down the noise -->
+		<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: Not good for security but good on cutting down the noise, we do log dropped dll's -->
 		</ImageLoad>
 	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED-->
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->

From 79b974da859a5459b6820c65b6c2136e617cc276 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 5 Mar 2017 18:10:42 -0500
Subject: [PATCH 116/471] Rename ImageLoaded winlogbeat fields to sysmon fields

---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/README.md b/README.md
index 82df80e4..032d4751 100644
--- a/README.md
+++ b/README.md
@@ -119,6 +119,10 @@ then
     rename_field("winlogbeat_event_data_DestinationIp_geolocation", "sysmon_dns_lookup_ip_geolocation");
     rename_field("winlogbeat_event_data_PipeName", "sysmon_pipe_name");
     rename_field("winlogbeat_event_data_ProcessId", "sysmon_pipe_pid");
+    rename_field("winlogbeat_process_id", "sysmon_img_pid");
+    rename_field("winlogbeat_event_data_ImageLoaded", "sysmon_imgloaded");
+    rename_field("winlogbeat_event_data_SignatureStatus", "sysmon_signatureStatus");
+    rename_field("winlogbeat_event_data_Signed", "sysmon_signed");
 
     // Remove clutter.
     let fix = regex("^\\{(\\S+)\\}$", to_string($message.winlogbeat_event_data_ProcessGuid));

From 51eb15eb2d6ff6ec689c805aeb2ab46baa10cb64 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 5 Mar 2017 18:51:09 -0500
Subject: [PATCH 117/471] fix formatting

---
 sysmonconfig-export.xml | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index a10465c9..a796b679 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -439,9 +439,9 @@
 	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS-->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
 		<ImageLoad onmatch="include">
-		<Signed condition="is">false</Signed> <!-- Lets Only show Unsigned DLL's loaded-->
-		<SignatureStatus condition="is">Invalid</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
-		<SignatureStatus condition="is">Unavailable</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
+			<Signed condition="is">false</Signed> <!-- Lets Only show Unsigned DLL's loaded-->
+			<SignatureStatus condition="is">Invalid</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
+			<SignatureStatus condition="is">Unavailable</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
 		<!--COMMENT:	Can cause high system load, disabled by default, important examples included below.-->
 			<!-- <ImageLoaded condition="contains">system.automation</ImageLoaded> -->
 			<!-- <ImageLoaded condition="image">wshom.ocx</ImageLoaded> -->
@@ -477,11 +477,12 @@
 			<Signature condition="contains">Fortinet</Signature> -->
 		</ImageLoad>
 		<ImageLoad onmatch="exclude">
-		<Image condition="is">C:\Windows\System32\mmc.exe</Image>
-		<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
-		<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <!-- Windows Store apps unsigned -->
-		<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
-		<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: Not good for security but good on cutting down the noise, we do log dropped dll's -->
+			<Image condition="is">C:\Windows\System32\mmc.exe</Image>
+			<ImageLoaded condition="contains">C:\Program Files (x86)\SmartGit</ImageLoaded> <!--SmartGit-->
+			<ImageLoaded condition="contains">syntevo\SmartGit</ImageLoaded> <!--SmartGit-->
+			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <!-- Windows Store apps unsigned -->
+			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
+			<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: Not good for security but good on cutting down the noise, we do log dropped dll's -->
 		</ImageLoad>
 	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED-->
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->

From a281c8356c021c12c139dca596bc93e394247d15 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 5 Mar 2017 19:39:28 -0500
Subject: [PATCH 118/471] Lower noise with dll loading with Windows 10 apps and
 mmc

---
 sysmonconfig-export.xml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index a796b679..d1e80933 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -483,6 +483,11 @@
 			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <!-- Windows Store apps unsigned -->
 			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
 			<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: Not good for security but good on cutting down the noise, we do log dropped dll's -->
+			<ImageLoaded condition="contains">C:\Program Files\WindowsApps\Microsoft.Windows.Photos_17.214.10010.0_x64__8wekyb3d8bbwe\</ImageLoaded> <!-- Unsigned dll for Photos app in w10 -->
+			<ImageLoaded condition="is">C:\Windows\assembly\NativeImages_v4.0.30319_64\EventViewer\8f6ad0cc031c686d71ed83adf76119fe\EventViewer.ni.dll</ImageLoaded> <!-- Event Viewer -->
+			<ImageLoaded condition="is">C:\Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls\a3e102751d6a27e8a54df2e57a4ae2d0\MIGUIControls.ni.dll</ImageLoaded> <!-- Event Viewer -->
+			<ImageLoaded condition="is">C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\04d8bd77c408266f65f7bb3f90ff7e1c\System.Web.ni.dll</ImageLoaded> <!-- Event Viewer -->
+			<ImageLoaded condition="contains">C:\Program Files\WindowsApps\</ImageLoaded> <!-- Windows Store Apps: Apparently most dll's here are unsigned and causes noise -->
 		</ImageLoad>
 	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED-->
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->

From 7a5b01bd453bb1ec60a23ef96df5f4b652733086 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 5 Mar 2017 19:57:34 -0500
Subject: [PATCH 119/471] We detect file drops, for now were lowering noise
 here.

---
 sysmonconfig-export.xml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index d1e80933..6ce83fcc 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -483,11 +483,8 @@
 			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <!-- Windows Store apps unsigned -->
 			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
 			<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: Not good for security but good on cutting down the noise, we do log dropped dll's -->
-			<ImageLoaded condition="contains">C:\Program Files\WindowsApps\Microsoft.Windows.Photos_17.214.10010.0_x64__8wekyb3d8bbwe\</ImageLoaded> <!-- Unsigned dll for Photos app in w10 -->
-			<ImageLoaded condition="is">C:\Windows\assembly\NativeImages_v4.0.30319_64\EventViewer\8f6ad0cc031c686d71ed83adf76119fe\EventViewer.ni.dll</ImageLoaded> <!-- Event Viewer -->
-			<ImageLoaded condition="is">C:\Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls\a3e102751d6a27e8a54df2e57a4ae2d0\MIGUIControls.ni.dll</ImageLoaded> <!-- Event Viewer -->
-			<ImageLoaded condition="is">C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\04d8bd77c408266f65f7bb3f90ff7e1c\System.Web.ni.dll</ImageLoaded> <!-- Event Viewer -->
-			<ImageLoaded condition="contains">C:\Program Files\WindowsApps\</ImageLoaded> <!-- Windows Store Apps: Apparently most dll's here are unsigned and causes noise -->
+			<ImageLoaded condition="contains">C:\Windows\assembly\NativeImages</ImageLoaded> <!-- Event Viewer -->
+			<ImageLoaded condition="contains">C:\Program Files\WindowsApps</ImageLoaded> <!-- Windows Store Apps: Apparently most dll's here are unsigned and causes noise -->
 		</ImageLoad>
 	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED-->
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->

From 274a95aee0f4526824084c8791a3a2b541021888 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 5 Mar 2017 20:05:36 -0500
Subject: [PATCH 120/471] exclude noisy tasks that are standard windows tasks

---
 sysmonconfig-export.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 6ce83fcc..3f8b32df 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -863,6 +863,9 @@
 			<!--Misc-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\Optimize Start Menu Cache Files-</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\User_Feed_Synchronization-</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--SvcHost Noise-->
 			<TargetObject condition="end with">Toolbar\WebBrowser</TargetObject> <!--Microsoft:IE: Extraneous activity-->
 			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Height</TargetObject> <!--Microsoft:IE: Extraneous activity-->

From 35d56f41fb0a3d87dd0c1f0010b3347450783b4c Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 5 Mar 2017 20:24:52 -0500
Subject: [PATCH 121/471] Mimikatz detection credits: @Antonlovesdnb

---
 sysmonconfig-export.xml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 3f8b32df..8497a955 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -527,7 +527,8 @@
 			<CallTrace condition="contains">VBE7.dll</CallTrace> <!-- ShellCode Spawned from Office Macros Credit: @JohnLaTwC -->
 			<CallTrace condition="contains">VBE6.dll</CallTrace> <!-- ShellCode Spawned from Office Macros Credit: @JohnLaTwC -->
  			<!--Include mimikatz-specific events.-->
-		<!--<TargetImage condition="contains">lsass.exe</TargetImage>--> <!--Disabled: To cut down noise-->
+			<TargetImage condition="contains">C:\Windows\System32\lsass.exe</TargetImage> <!--Mimikatz @Antonlovesdnb -->
+			<TargetImage condition="contains">C:\Windows\System32\winlogon.exe</TargetImage> <!--Mimikatz @Antonlovesdnb -->
 		</ProcessAccess>
 		<ProcessAccess onmatch="exclude">
 			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
@@ -948,6 +949,8 @@
 			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
 			<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
 			<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
+			<TargetFilename condition="end with">.dll</TargetFilename> <!--Executable-->
+			<TargetFilename condition="end with">.sys</TargetFilename> <!--Executable-->
 			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
 			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
 			<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->

From 32fb1c2c8780b4b843d73bf7783283542b04e6f0 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 5 Mar 2017 20:59:40 -0500
Subject: [PATCH 122/471] exclude sysmon and defender from process access
 detection

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 8497a955..1dd7335a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -533,6 +533,8 @@
 		<ProcessAccess onmatch="exclude">
 			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
 			<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
+			<TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
+			<TargetImage condition="is">C:\Windows\Sysmon.exe</TargetImage>
 			<CallTrace condition="excludes">UNKNOWN</CallTrace> <!-- ShellCode Spawned from Office Macros: Credit: @JohnLaTwC -->
 		</ProcessAccess>
 

From b8df5eadbbecd96b1b88ef483723a0b88a7c2bf8 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 6 Mar 2017 09:46:17 -0500
Subject: [PATCH 123/471] lync reg change exclusion

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 1dd7335a..59dffb48 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -861,6 +861,8 @@
 			<Image condition="end with">Office\root\integration\integrator.exe</Image> <!--Microsoft:Office: C2R client-->
 			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image> <!--Microsoft:Windows: Changes association registry keys-->
 			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image> <!--Microsoft:Office: C2R client-->
+			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\lync.exe</Image> <!-- Lync Adding registry values to network adapter.. facepalm -->
+			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office15\lync.exe</Image> <!-- Lync Adding registry values to network adapter.. facepalm -->
 			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
 			<Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
 			<!--Misc-->

From 67a3a57048c8672a8bbb2a726841e4be2d3d6c72 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 6 Mar 2017 12:48:03 -0500
Subject: [PATCH 124/471] Add exclusions to cut down noise, see Notice's

---
 sysmonconfig-export.xml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 59dffb48..4ece186a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -370,6 +370,7 @@
 			<DestinationPort condition="is">53</DestinationPort> <!--Log DNS for Graylog threat discovery-->
 		</NetworkConnect>
 		<NetworkConnect onmatch="exclude">
+			<DestinationIsIpv6 condition="is">true </DestinationIsIpv6> <!-- IPv6 Exclusion: Re-Enable if you use ipv6 -->
 			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
 			<Image condition="image">Spotify.exe</Image> <!--Spotify-->
 			<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image> <!--Dropbox-->
@@ -400,7 +401,8 @@
 			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
 			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
 			<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
-			<Image condition="image">C:\Program Files (x86)\SmartGit\jre\bin\java.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\SmartGit\jre\bin\java.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image>
 		</NetworkConnect>
 
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY-->
@@ -485,6 +487,9 @@
 			<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: Not good for security but good on cutting down the noise, we do log dropped dll's -->
 			<ImageLoaded condition="contains">C:\Windows\assembly\NativeImages</ImageLoaded> <!-- Event Viewer -->
 			<ImageLoaded condition="contains">C:\Program Files\WindowsApps</ImageLoaded> <!-- Windows Store Apps: Apparently most dll's here are unsigned and causes noise -->
+			<!-- Custom App Exclusions -->
+			<ImageLoaded condition="is">C:\Program Files (x86)\AutoSizer\AutoSizer.dll</ImageLoaded> <!-- I use autosizer to re-arrange my windows -->
+			<ImageLoaded condition="contains">C:\Program Files (x86)\Notepad++</ImageLoaded> <!--Notepad++ Plugins Are unsigned-->
 		</ImageLoad>
 	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED-->
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
@@ -865,6 +870,7 @@
 			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office15\lync.exe</Image> <!-- Lync Adding registry values to network adapter.. facepalm -->
 			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
 			<Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
+			<TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\</TargetObject> <!-- Edge Extensions Creating Reg entries on launch -->
 			<!--Misc-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\Optimize Start Menu Cache Files-</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\User_Feed_Synchronization-</TargetObject>
@@ -1012,6 +1018,7 @@
 			<PipeName condition="is">\wkssvc</PipeName>
 			<PipeName condition="contains">\TDLN-</PipeName>
 			<PipeName condition="is">\WiFiNetworkManagerTask</PipeName>
+			<PipeName condition="is">\MsFteWds</PipeName>
 			<!--SECTION: Webroot-->
 			<PipeName condition="is">\WRSVCPipe</PipeName>
 			<PipeName condition="is">\WRSynUM2</PipeName>
@@ -1049,6 +1056,7 @@
 			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
 			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe</Image>
 			<Image condition="is">C:\Program Files\Lenovo\HOTKEY\tphkload.exe</Image>
+			<Image condition="contains">C:\Program Files\Lenovo\</Image>
 			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\SerialPortRedirection\Client\vmwsprrdpwks.exe</Image>
 			<Image condition="contains">Graylog-collector-sidecar.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git-remote-https.exe</Image>
@@ -1056,6 +1064,8 @@
 			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
+			<PipeName condition="contains">Anonymous Pipe</PipeName> <!-- NOTICE: Comment this out if you dont use Labtech, labtech nests processes and causes excessive noise -->
+			
 		</PipeEvent>
 
 	</EventFiltering>

From f62ec86c43c9f0d3a9593d77322f7c7cdcb96b50 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 6 Mar 2017 14:02:21 -0500
Subject: [PATCH 125/471] Hide Sysmon from services.msc and the ability to
 query it.

---
 README.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/README.md b/README.md
index 032d4751..ee5cd3ad 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,15 @@ Run with administrator rights
 sysmon.exe -u
 ~~~~
 
+## Hide Sysmon from services.msc ##
+~~~~
+Hide:
+sc sdset Sysmon D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
+Restore:
+sc sdset Sysmon D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
+
+~~~~
+
 ### Graylog Configuration ###
 
 

From 8c60b80d3d6f8c13f735273886cdf3c9163afc55 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 6 Mar 2017 15:37:20 -0500
Subject: [PATCH 126/471] Add Detection of Certificate store Hijacking,
 manipulation and changes to the Root certificate store.  Also added detection
 of dropped certificate files and with alternate data streams.

---
 sysmonconfig-export.xml | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 4ece186a..7dd24b8e 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -626,6 +626,22 @@
 			<TargetFilename condition="contains">help_recover_instructions</TargetFilename>
 			<TargetFilename condition="contains">_Locky_recover</TargetFilename>
 			<TargetFilename condition="contains">_ReCoVeRy_</TargetFilename>
+			<!--SECTION: Certificates -->
+			<TargetFilename condition="contains">.pem</TargetFilename>
+			<TargetFilename condition="contains">.crt</TargetFilename>
+			<TargetFilename condition="contains">.ca-bundle</TargetFilename>
+			<TargetFilename condition="contains">.cer</TargetFilename>
+			<TargetFilename condition="contains">.csr</TargetFilename>
+			<TargetFilename condition="contains">.der</TargetFilename>
+			<TargetFilename condition="contains">.p7b</TargetFilename>
+			<TargetFilename condition="contains">.p7r</TargetFilename>
+			<TargetFilename condition="contains">.p7s</TargetFilename>
+			<TargetFilename condition="contains">.pfx</TargetFilename>
+			<TargetFilename condition="contains">.sto</TargetFilename>
+			<TargetFilename condition="contains">.p12</TargetFilename>
+			<TargetFilename condition="contains">.crl</TargetFilename>
+			<TargetFilename condition="contains">.sst</TargetFilename>
+			<TargetFilename condition="contains">.key</TargetFilename>
 			<!--SECTION: Mimikatz-->
 			<!--Default-disable <TargetFileName condition="end with">.kirbi</TargetFileName> --> <!-- [ https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos ] -->
 		</FileCreate>
@@ -839,6 +855,15 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable</TargetObject>
+			<!-- Detect Root Certificate Store Hijacking and Unauthorized changes -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates</TargetObject>
+			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\SystemCertificates</TargetObject>
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates</TargetObject>
+			<TargetObject condition="begin with">HKCU\SOFTWARE\Microsoft\EnterpriseCertificates</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SystemCertificates</TargetObject>
+			<TargetObject condition="begin with">HKCU\SOFTWARE\Microsoft\SystemCertificates</TargetObject>
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\CertSvc</TargetObject>
 			<!-- Other Stuff -->	
 			<TargetObject condition="begin with">HKCU\Software\Classes\mscfile\shell\open\command</TargetObject> <!-- Fileless Bypass of UAC: http://resources.infosecinstitute.com/new-born-macro-malware-dropping-rootkits-using-fileless-infection-vector -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject><!--Identify Rogue Scheduled Task ID's -->
@@ -978,6 +1003,22 @@
 			<TargetFilename condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
 			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
 			<TargetFilename condition="end with">.js</TargetFilename> <!--Java-->
+			<!--SECTION: Certificates -->
+			<TargetFilename condition="contains">.pem</TargetFilename>
+			<TargetFilename condition="contains">.crt</TargetFilename>
+			<TargetFilename condition="contains">.ca-bundle</TargetFilename>
+			<TargetFilename condition="contains">.cer</TargetFilename>
+			<TargetFilename condition="contains">.csr</TargetFilename>
+			<TargetFilename condition="contains">.der</TargetFilename>
+			<TargetFilename condition="contains">.p7b</TargetFilename>
+			<TargetFilename condition="contains">.p7r</TargetFilename>
+			<TargetFilename condition="contains">.p7s</TargetFilename>
+			<TargetFilename condition="contains">.pfx</TargetFilename>
+			<TargetFilename condition="contains">.sto</TargetFilename>
+			<TargetFilename condition="contains">.p12</TargetFilename>
+			<TargetFilename condition="contains">.crl</TargetFilename>
+			<TargetFilename condition="contains">.sst</TargetFilename>
+			<TargetFilename condition="contains">.key</TargetFilename>
 		</FileCreateStreamHash>
 
 	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY-->

From 0f2f12f2a42b6e697347d008154ce28f0a805295 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 6 Mar 2017 16:37:57 -0500
Subject: [PATCH 127/471] SearchProtocolHost spamming registry Keystores

---
 sysmonconfig-export.xml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 7dd24b8e..d5140061 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -964,6 +964,15 @@
 			<Image condition="is">C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe</Image> <!--PGP: Noise-->
 			<!--SECTION: 3rd party-->
 			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image> <!--Constantly writes to HKLM-->
+			<!-- Search Protocol Host & Sysmon spam the SystemCertificates keystores, adding exclusions below -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed</TargetObject>
+			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\SystemCertificates\Disallowed</TargetObject>
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\Disallowed</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed</TargetObject>
+			<TargetObject condition="begin with">HKCU\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed</TargetObject>
+			<TargetObject condition="begin with">HKCU\SOFTWARE\Microsoft\SystemCertificates\Disallowed</TargetObject>
+			<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
 		</RegistryEvent>
 
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED-->

From 5202228f70cee0799b11a86274e3d6fbf4c14d30 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 6 Mar 2017 16:40:36 -0500
Subject: [PATCH 128/471] derp fix

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index d5140061..e2dc4058 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -228,7 +228,7 @@
 			<!--END: Labtech-->
 			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->
 			<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
-			<ParentImage condition="is">C:\Program Files (x86)\SmartGit</ParentImage> <!--SmartGit-->
+			<ParentImage condition="begin with">C:\Program Files (x86)\SmartGit</ParentImage> <!--SmartGit-->
 			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser-->
 			<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--Connectwise-->
 			<!-- VMware vSphere spawns child processes to svtres.exe and csc.exe, currently unable to exclude those child processes, csc and cvtres.exe are used by some malware-->

From 8951db7c039484a15a43f656754ed4a0bfa1f970 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 6 Mar 2017 17:16:57 -0500
Subject: [PATCH 129/471] introduced too much noise, need better detection
 vector

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e2dc4058..b9814b05 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -856,6 +856,7 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable</TargetObject>
 			<!-- Detect Root Certificate Store Hijacking and Unauthorized changes -->
+			<!-- Lots of noise from multiple locations, need a better monitor
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates</TargetObject>
 			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\SystemCertificates</TargetObject>
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates</TargetObject>
@@ -864,6 +865,7 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SystemCertificates</TargetObject>
 			<TargetObject condition="begin with">HKCU\SOFTWARE\Microsoft\SystemCertificates</TargetObject>
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\CertSvc</TargetObject>
+			-->
 			<!-- Other Stuff -->	
 			<TargetObject condition="begin with">HKCU\Software\Classes\mscfile\shell\open\command</TargetObject> <!-- Fileless Bypass of UAC: http://resources.infosecinstitute.com/new-born-macro-malware-dropping-rootkits-using-fileless-infection-vector -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject><!--Identify Rogue Scheduled Task ID's -->

From 53a48f63d7a739f6aa23185ec4de39d380adf7c6 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 6 Mar 2017 18:16:20 -0500
Subject: [PATCH 130/471] Revert to lower noise.

---
 sysmonconfig-export.xml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index b9814b05..b3f87292 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -490,6 +490,7 @@
 			<!-- Custom App Exclusions -->
 			<ImageLoaded condition="is">C:\Program Files (x86)\AutoSizer\AutoSizer.dll</ImageLoaded> <!-- I use autosizer to re-arrange my windows -->
 			<ImageLoaded condition="contains">C:\Program Files (x86)\Notepad++</ImageLoaded> <!--Notepad++ Plugins Are unsigned-->
+			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image> <!-- eFolder SyncedTool -->
 		</ImageLoad>
 	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED-->
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
@@ -885,7 +886,9 @@
 			<TargetObject condition="end with">\FriendlyName</TargetObject> <!--Microsoft:Windows: New devices connected and remembered-->
 			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject> <!-- Detect Keyloggers & new Keyboards -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject> <!-- Detect New USB Network Devices: Poison Tap -->
+			<!-- NOTICE: Detect New USB Network Devices: Poison Tap - Creates lots of noise, disabled for now
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
+			-->
 		</RegistryEvent>
 		<RegistryEvent onmatch="exclude">
 		<!--COMMENT:	Remove low-information noise-->

From 76285c11692497d579b166cb8843f65130968253 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 7 Mar 2017 16:01:45 -0500
Subject: [PATCH 131/471] Add CIA Vault 7 IOC's

---
 sysmonconfig-export.xml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index b3f87292..ef218792 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -444,6 +444,9 @@
 			<Signed condition="is">false</Signed> <!-- Lets Only show Unsigned DLL's loaded-->
 			<SignatureStatus condition="is">Invalid</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
 			<SignatureStatus condition="is">Unavailable</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
+			<ImageLoaded condition="contains">C:\windows\system32\fxsst.dll </ImageLoaded> <!-- CIA Vault7 Leak: Fax DLL Injection -->
+			<ImageLoaded condition="contains">C:\Windows\System32\wbem\oci.dll</ImageLoaded> <!-- CIA Vault7 Leak: Distributed Transaction Coordinator DLL Injection -->
+		<ImageLoaded condition="contains">psapi.dll</ImageLoaded> <!-- CIA Vault7 Leak: RainMaker - Vulnerable VLC DLL's-->
 		<!--COMMENT:	Can cause high system load, disabled by default, important examples included below.-->
 			<!-- <ImageLoaded condition="contains">system.automation</ImageLoaded> -->
 			<!-- <ImageLoaded condition="image">wshom.ocx</ImageLoaded> -->
@@ -643,6 +646,13 @@
 			<TargetFilename condition="contains">.crl</TargetFilename>
 			<TargetFilename condition="contains">.sst</TargetFilename>
 			<TargetFilename condition="contains">.key</TargetFilename>
+			<!--SECTION: CIA Vault7 Leak -->
+			<TargetFilename condition="contains">.mht</TargetFilename> <!-- Vault7 CIA Leak: Possible malformed file will escape IE sandbox -->
+			<TargetFilename condition="contains">.cpl</TargetFilename> <!-- Vault7 CIA Leak: Control Panel Persistence -->
+			<TargetFilename condition="contains">.scr</TargetFilename> <!-- Vault7 CIA Leak: Screensaver Persistence -->
+			<TargetFilename condition="contains">.manifest</TargetFilename>
+			<TargetFilename condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
+			<TargetFilename condition="contains">HammerDrillStatus.dll</TargetFilename> <!-- Vault7 CIA Leak: HammerDrill DLL -->
 			<!--SECTION: Mimikatz-->
 			<!--Default-disable <TargetFileName condition="end with">.kirbi</TargetFileName> --> <!-- [ https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos ] -->
 		</FileCreate>
@@ -1033,6 +1043,12 @@
 			<TargetFilename condition="contains">.crl</TargetFilename>
 			<TargetFilename condition="contains">.sst</TargetFilename>
 			<TargetFilename condition="contains">.key</TargetFilename>
+			<!--SECTION: CIA Vault7 Leak -->
+			<TargetFilename condition="contains">.mht</TargetFilename> <!-- Possible malformed file will escape IE sandbox -->
+			<TargetFilename condition="contains">.manifest</TargetFilename>
+			<TargetFilename condition="contains">.cpl</TargetFilename> <!-- Vault7 CIA Leak: Control Panel Persistence -->
+			<TargetFilename condition="contains">.scr</TargetFilename> <!-- Vault7 CIA Leak: Screensaver Persistence -->
+			<TargetFilename condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
 		</FileCreateStreamHash>
 
 	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY-->

From ce827491ad5f5f732023cf68856038fc5e5992a3 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 8 Mar 2017 09:03:47 -0500
Subject: [PATCH 132/471] disable psapi monitoring, too noisy, will
 re-introduce later with stronger ruleset

---
 sysmonconfig-export.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ef218792..36db138c 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -446,7 +446,6 @@
 			<SignatureStatus condition="is">Unavailable</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
 			<ImageLoaded condition="contains">C:\windows\system32\fxsst.dll </ImageLoaded> <!-- CIA Vault7 Leak: Fax DLL Injection -->
 			<ImageLoaded condition="contains">C:\Windows\System32\wbem\oci.dll</ImageLoaded> <!-- CIA Vault7 Leak: Distributed Transaction Coordinator DLL Injection -->
-		<ImageLoaded condition="contains">psapi.dll</ImageLoaded> <!-- CIA Vault7 Leak: RainMaker - Vulnerable VLC DLL's-->
 		<!--COMMENT:	Can cause high system load, disabled by default, important examples included below.-->
 			<!-- <ImageLoaded condition="contains">system.automation</ImageLoaded> -->
 			<!-- <ImageLoaded condition="image">wshom.ocx</ImageLoaded> -->

From 86d6a493b8cf218a4e0786464f53cca26d200380 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 8 Mar 2017 11:28:00 -0500
Subject: [PATCH 133/471] Noise Reduction for Mass Deployment

---
 sysmonconfig-export.xml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 36db138c..ed35de15 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -54,6 +54,8 @@
 			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
 			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
 			<ParentCommandLine condition="begin with">C:\Windows\system32\svchost.exe -k DcomLaunch</ParentCommandLine> <!--Microsoft:Windows-->
+			<ParentCommandLine condition="contains">\SystemRoot\System32\smss.exe 00000100 0000007c</ParentCommandLine> <!--Microsoft:Windows 10 Noise-->
+			<CommandLine condition="contains">\SystemRoot\System32\smss.exe 00000100 0000007c</CommandLine> <!--Microsoft:Windows 10 Noise-->
 			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font Cache Service-->
 			<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but without attribution-->
 			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
@@ -85,6 +87,7 @@
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation</CommandLine><!--Microsoft:Windows Network Services-->
 			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k NetworkService</CommandLine><!--Microsoft:Windows Network Services-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</CommandLine><!--Microsoft:Windows Network Services-->
+			<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k wsappx</ParentCommandLine> <!-- Windows 10 AppX Deployment Noise -->
 			<ParentCommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</ParentCommandLine><!--Microsoft:Windows Network Services: Spawns Consent.exe-->
 			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted</ParentCommandLine><!--Microsoft:Windows Network Services-->
 			<Image condition="is">C:\Windows\System32\powercfg.exe</Image><!--Microsoft:Power Management-->
@@ -239,6 +242,7 @@
 			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
 			<ParentImage condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</ParentImage><!--Enpass Password Manager-->
 			<ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
+			<ParentCommandLine condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\scheduler.exe</ParentCommandLine> <!--FortiClient Noise -->
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM-->
@@ -544,6 +548,7 @@
 			<TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
 			<TargetImage condition="is">C:\Windows\Sysmon.exe</TargetImage>
 			<CallTrace condition="excludes">UNKNOWN</CallTrace> <!-- ShellCode Spawned from Office Macros: Credit: @JohnLaTwC -->
+			<SourceImage condition="contains">C:\Program Files (x86)\ScreenConnect Client</SourceImage> <!-- ScreenConnect Querying lsass/winlogon SPAM -->
 		</ProcessAccess>
 
 	<!--SYSMON EVENT ID 11 : FILE CREATED -->

From 35efa38044d5e466c1e51432e1800a010c641738 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 8 Mar 2017 11:29:46 -0500
Subject: [PATCH 134/471] Forticlient noise reduction

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ed35de15..ab83228a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -243,6 +243,7 @@
 			<ParentImage condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</ParentImage><!--Enpass Password Manager-->
 			<ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
 			<ParentCommandLine condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\scheduler.exe</ParentCommandLine> <!--FortiClient Noise -->
+			<ParentCommandLine condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\FCHelper64.exe</ParentCommandLine> <!--FortiClient Noise -->
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM-->

From 756702ae728c8ee16c17652ff741c59cfe5805c5 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 8 Mar 2017 11:35:23 -0500
Subject: [PATCH 135/471] More Noise Reduction for Production

---
 sysmonconfig-export.xml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ab83228a..5d1b7014 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1124,6 +1124,7 @@
 			<Image condition="is">C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe</Image>
 			<Image condition="is">C:\Program Files\Lenovo\HOTKEY\shtctky.exe</Image>
 			<Image condition="is">C:\Windows\System32\LPlatSvc.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe</Image>
 			<!--SECTION: Labtech-->
 			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
 			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
@@ -1141,7 +1142,15 @@
 			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
 			<PipeName condition="contains">Anonymous Pipe</PipeName> <!-- NOTICE: Comment this out if you dont use Labtech, labtech nests processes and causes excessive noise -->
-			
+			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiESNAC.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiTray.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FCDBLog.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\VMware\ScannerRedirection\ftscanmgrhv.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Internet Explorer\vmware-vmrc.exe</Image>
 		</PipeEvent>
 
 	</EventFiltering>

From 4b38aa17775bdb461c6d00623af0a3081e6f4642 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 8 Mar 2017 11:41:31 -0500
Subject: [PATCH 136/471] Chrome noise reduction

---
 sysmonconfig-export.xml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 5d1b7014..6c81cc35 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -697,6 +697,19 @@
 			<Image condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</Image>
 			<!--SECTION: Intel-->
 			<Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image> <!--Intel: Drops bat and other files in \Windows in normal operation-->
+			<!--SECTION: Chrome Noise-->
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlUws.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlMalBin.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlMalware.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlSoceng.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\ChromeExtMalware.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\ChromeUrlClientIncident.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\IpMalware.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlSubresourceFilter.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlCsdWhitelist.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlCsdDownloadWhitelist.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\CertCsdDownloadWhitelist.store_new</TargetFilename>
 		</FileCreate>
 
 	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION-->

From 7568850b758c60710d28ff9178af911c3262b9de Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 8 Mar 2017 11:47:02 -0500
Subject: [PATCH 137/471] spooler noise reduction

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 6c81cc35..e6c30860 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1006,6 +1006,7 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed</TargetObject>
 			<TargetObject condition="begin with">HKCU\SOFTWARE\Microsoft\SystemCertificates\Disallowed</TargetObject>
 			<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports</TargetObject> <!-- Spooler Noise -->
 		</RegistryEvent>
 
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED-->

From 895df80ffc72ad1a4931863e1103a86d18b1def1 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Thu, 9 Mar 2017 17:05:09 -0500
Subject: [PATCH 138/471] noise reduction

---
 sysmonconfig-export.xml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e6c30860..7e3b1d1c 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -87,6 +87,7 @@
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation</CommandLine><!--Microsoft:Windows Network Services-->
 			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k NetworkService</CommandLine><!--Microsoft:Windows Network Services-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</CommandLine><!--Microsoft:Windows Network Services-->
+			<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k GPSvcGroup</CommandLine><!--Microsoft:Windows Network Services-->
 			<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k wsappx</ParentCommandLine> <!-- Windows 10 AppX Deployment Noise -->
 			<ParentCommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</ParentCommandLine><!--Microsoft:Windows Network Services: Spawns Consent.exe-->
 			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted</ParentCommandLine><!--Microsoft:Windows Network Services-->
@@ -176,6 +177,10 @@
 			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard &amp; Mouse\Pelico.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
 			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard &amp; Mouse\LeDaemon.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
 			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
+			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelElvDm.exe</ParentImage>
+			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsuShim.exe</ParentImage>
+			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsu.exe</ParentImage>
+			<Image condition="contains">C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe</Image>
 			<!--SECTION: MSI: Micro-Star International Computers-->
 			<ParentImage condition="is">C:\Program Files (x86)\SCM\SCM.exe</ParentImage><!--MSI: Hotkey & Power Management-->
 			<Image condition="is">C:\Program Files (x86)\SCM\SCM_Notice.exe</Image><!--MSI: Hotkey & Power Management-->
@@ -240,10 +245,13 @@
 			<ParentImage condition="is">C:\Program Files (x86)\SyncedTool\bin\agent_service.exe</ParentImage><!--eFolder Synced Tool-->
 			<Image condition="is">C:\Program Files (x86)\Notepad++\notepad++.exe</Image><!-- Notepad++ -->
 			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
-			<ParentImage condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</ParentImage><!--Enpass Password Manager-->
+			<ParentImage condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</ParentImage> <!--Enpass Password Manager-->
+			<Image condition="contains">C:\Program Files (x86)\Enpass\Enpass.exe</Image> <!--Enpass Password Manager-->
 			<ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
-			<ParentCommandLine condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\scheduler.exe</ParentCommandLine> <!--FortiClient Noise -->
-			<ParentCommandLine condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\FCHelper64.exe</ParentCommandLine> <!--FortiClient Noise -->
+			<ParentImage condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\scheduler.exe</ParentImage> <!--FortiClient Noise -->
+			<ParentImage condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\FCHelper64.exe</ParentImage> <!--FortiClient Noise -->
+			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image> <!-- Forticlient Updater -->
+			<Image condition="contains">C:\Program Files (x86)\SyncedTool\bin\agent_gui.exe</Image>
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM-->

From 898c910ce6eb062edb8ad9c5cd323ad270cd980b Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Fri, 10 Mar 2017 22:38:33 -0500
Subject: [PATCH 139/471] no need any longer

---
 extra-NamedPipes.xml | 21 ---------------------
 1 file changed, 21 deletions(-)
 delete mode 100644 extra-NamedPipes.xml

diff --git a/extra-NamedPipes.xml b/extra-NamedPipes.xml
deleted file mode 100644
index 5f80e333..00000000
--- a/extra-NamedPipes.xml
+++ /dev/null
@@ -1,21 +0,0 @@
-<!--Addendum file for sysmon-config.xml which enables PipeEvent monitoring when merged. Currently under development.-->
-
-		<PipeEvent onmatch="exclude">
-		<!--COMMENT: Exclude known-good pipe users-->
-				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
-				<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
-			<!--SECTION: Microsoft-->
-			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
-			<Image condition="is">C:\Windows\system32\SearchProtocolHost.exe</Image>
-			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</Image>
-			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe</Image>
-			<!--SECTION: Webroot-->
-			<PipeName condition="is">\WRSVCPipe</PipeName>
-			<PipeName condition="is">\WRSynUM2</PipeName>
-			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
-			<!--SECTION: Google-->
-			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
-			<!--SECTION: Other-->
-			<Image condition="end with">slack.exe</Image>
-		</PipeEvent>
\ No newline at end of file

From 248ff6bac106b2ed9996b33d48a3cf5c5e760b68 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Sat, 11 Mar 2017 12:20:42 -0500
Subject: [PATCH 140/471] Microsoft Exclusions

---
 sysmonconfig-export.xml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 7e3b1d1c..90467a1d 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -110,6 +110,11 @@
 			<ParentImage condition="end with">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process-->
 			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> <!--Microsoft:Office: Background process-->
 			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
+			<!--SECTION: Microsoft Exchange-->
+			<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe</ParentImage>
+			<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</ParentImage>
+			<!--SECTION: Microsoft Misc-->
+			<Image condition="is">C:\Windows\System32\ddpcli.exe</Image> <!--Scheduled dedupe jobs on server 2012-->
 			<!--SECTION: Google-->
 			<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
 			<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->

From 9a3f0dabde1f63be076add635e23b819ece1e033 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 12 Mar 2017 00:31:52 -0500
Subject: [PATCH 141/471] Exclude dns.exe for DC's

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 90467a1d..b1f89522 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -388,6 +388,8 @@
 			<DestinationPort condition="is">53</DestinationPort> <!--Log DNS for Graylog threat discovery-->
 		</NetworkConnect>
 		<NetworkConnect onmatch="exclude">
+			<!--SECTION: Microsoft -->
+			<Image condition="is">C:\Windows\System32\dns.exe</Image> <!-- Exclude Microsoft DNS Server DNS requests -->
 			<DestinationIsIpv6 condition="is">true </DestinationIsIpv6> <!-- IPv6 Exclusion: Re-Enable if you use ipv6 -->
 			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
 			<Image condition="image">Spotify.exe</Image> <!--Spotify-->

From 42a9a89f8f8f0a0598811429cddac3c52ff12fc7 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 12 Mar 2017 12:02:21 -0400
Subject: [PATCH 142/471] Initial MimiKatz Detection thanks to @Cyb3rWard0g and
 ProxyBypass Detection thanks to @SwiftOnSecurity

---
 sysmonconfig-export.xml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index b1f89522..155c2b99 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -466,6 +466,14 @@
 			<SignatureStatus condition="is">Unavailable</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
 			<ImageLoaded condition="contains">C:\windows\system32\fxsst.dll </ImageLoaded> <!-- CIA Vault7 Leak: Fax DLL Injection -->
 			<ImageLoaded condition="contains">C:\Windows\System32\wbem\oci.dll</ImageLoaded> <!-- CIA Vault7 Leak: Distributed Transaction Coordinator DLL Injection -->
+			<!-- Mimikatz Detection -->
+			<ImageLoaded condition="is">C:\Windows\System32\WinSCard.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<ImageLoaded condition="is">C:\Windows\System32\hid.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<ImageLoaded condition="is">C:\Windows\System32\samlib.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<ImageLoaded condition="is">WMINet_Utils.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<!-- END: Mimikatz Detection -->
 		<!--COMMENT:	Can cause high system load, disabled by default, important examples included below.-->
 			<!-- <ImageLoaded condition="contains">system.automation</ImageLoaded> -->
 			<!-- <ImageLoaded condition="image">wshom.ocx</ImageLoaded> -->
@@ -825,6 +833,7 @@
 			<TargetObject condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
 			<TargetObject condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
 			<TargetObject condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
+			<TargetObject condition="contains">\ProxyBypass</TargetObject> <!-- Detects Malware Bypassing Proxy Settings Credit: @SwiftOnSecurity -->
 			<!--Magic registry keys-->
 			<TargetObject condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
 			<!--Infection artifacts-->

From 2339161c12a8d3001b886d83d584f4ef5456682a Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 12 Mar 2017 12:21:44 -0400
Subject: [PATCH 143/471] Add more labtech exclusions

---
 sysmonconfig-export.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 155c2b99..fe4ca0f5 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -238,6 +238,9 @@
 			<CommandLine condition="contains">C:\Windows\system32\net1 Share</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentImage condition="is">C:\Program Files (x86)\LabTech Client\LTClient.exe</ParentImage> <!--Labtech Client-->
+			<ParentCommandLine condition="contains">C:\Windows\LTSvc\LTSvcMon.exe -sLTService</ParentCommandLine>
+			<ParentImage condition="is">C:\Windows\LTSvc\LTSvcMon.exe</ParentImage>
+			<Image condition="is">C:\Windows\LTSvc\LTTray.exe</Image>
 			<!--END: Labtech-->
 			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->
 			<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->

From b6438302cb04c5f6cac95869091ad7f5cba71fda Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 12 Mar 2017 14:04:59 -0400
Subject: [PATCH 144/471] Disable Inter-Process access Detection, Extremely
 high IO

---
 sysmonconfig-export.xml | 58 +++++++++++++++++++++++++----------------
 1 file changed, 36 insertions(+), 22 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index fe4ca0f5..b30c4d1f 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -29,7 +29,7 @@
 -->
 
 <Sysmon schemaversion="3.30">
-	<HashAlgorithms>md5,sha256</HashAlgorithms>
+	<HashAlgorithms>sha256,imphash</HashAlgorithms>
 	<EventFiltering>
 
 	<!--SYSMON EVENT ID 1 : PROCESS CREATION-->
@@ -512,6 +512,7 @@
 			<Signature condition="contains">Fortinet</Signature> -->
 		</ImageLoad>
 		<ImageLoad onmatch="exclude">
+			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
 			<Image condition="is">C:\Windows\System32\mmc.exe</Image>
 			<ImageLoaded condition="contains">C:\Program Files (x86)\SmartGit</ImageLoaded> <!--SmartGit-->
 			<ImageLoaded condition="contains">syntevo\SmartGit</ImageLoaded> <!--SmartGit-->
@@ -553,30 +554,43 @@
 
 	<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS-->
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
-		<ProcessAccess onmatch="include">
+		<!--<ProcessAccess onmatch="include"> -->
 		<!--COMMENT:	Monitor for processes accessing other process' memory. This can be valuable, but can cause massive event glut.
 				Disabled by default since including even one entry here activates this component. Reward/performance decision.
-				Encourage you to experiment with this feature yourself.-->
-			<SourceImage condition="image">winword.exe</SourceImage> <!-- Hancitor process hollowing -->
-			<SourceImage condition="image">excel.exe</SourceImage> <!-- Hancitor process hollowing -->
-			<SourceImage condition="image">mspub.exe</SourceImage> <!-- Hancitor process hollowing -->
-			<SourceImage condition="image">msbuild.exe</SourceImage> <!-- Hancitor process hollowing -->
-			<SourceImage condition="image">powerpnt.exe</SourceImage> <!-- Hancitor process hollowing -->
-			<SourceImage condition="contains">powershell.exe</SourceImage>
-			<CallTrace condition="contains">VBE7.dll</CallTrace> <!-- ShellCode Spawned from Office Macros Credit: @JohnLaTwC -->
-			<CallTrace condition="contains">VBE6.dll</CallTrace> <!-- ShellCode Spawned from Office Macros Credit: @JohnLaTwC -->
+				Encourage you to experiment with this feature yourself.
+				Uses 4mbs+ IO -->
+			<!-- Hancitor process hollowing -->
+			<!-- <SourceImage condition="image">winword.exe</SourceImage> -->
+			<!-- <SourceImage condition="image">excel.exe</SourceImage> -->
+			<!-- <SourceImage condition="image">mspub.exe</SourceImage> -->
+			<!-- <SourceImage condition="image">msbuild.exe</SourceImage> -->
+			<!-- <SourceImage condition="image">powerpnt.exe</SourceImage> -->
+			<!-- <SourceImage condition="contains">powershell.exe</SourceImage> -->
+			<!-- ShellCode Spawned from Office Macros Credit: @JohnLaTwC -->
+			<!-- <CallTrace condition="contains">VBE7.dll</CallTrace> -->
+			<!-- <CallTrace condition="contains">VBE6.dll</CallTrace> -->
  			<!--Include mimikatz-specific events.-->
-			<TargetImage condition="contains">C:\Windows\System32\lsass.exe</TargetImage> <!--Mimikatz @Antonlovesdnb -->
-			<TargetImage condition="contains">C:\Windows\System32\winlogon.exe</TargetImage> <!--Mimikatz @Antonlovesdnb -->
-		</ProcessAccess>
-		<ProcessAccess onmatch="exclude">
-			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
-			<TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
-			<TargetImage condition="is">C:\Windows\Sysmon.exe</TargetImage>
-			<CallTrace condition="excludes">UNKNOWN</CallTrace> <!-- ShellCode Spawned from Office Macros: Credit: @JohnLaTwC -->
-			<SourceImage condition="contains">C:\Program Files (x86)\ScreenConnect Client</SourceImage> <!-- ScreenConnect Querying lsass/winlogon SPAM -->
-		</ProcessAccess>
+			<!-- <TargetImage condition="contains">C:\Windows\System32\lsass.exe</TargetImage> -->
+			<!-- <TargetImage condition="contains">C:\Windows\System32\winlogon.exe</TargetImage> -->
+			<!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<!-- <CallTrace condition="contains">WinSCard.dll</CallTrace>  -->
+			<!-- <CallTrace condition="contains">cryptdll.dll</CallTrace> -->
+			<!-- <CallTrace condition="contains">hid.dll</CallTrace> -->
+			<!-- <CallTrace condition="contains">samlib.dll</CallTrace> -->
+			<!-- <CallTrace condition="contains">vaultcli.dll</CallTrace> -->
+			<!-- <CallTrace condition="contains">WMINet_Utils.dll</CallTrace> -->
+			<!-- END: Mimikatz Detection -->		
+		<!--</ProcessAccess> -->
+		<!--<ProcessAccess onmatch="exclude"> -->
+			<!-- <SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage> -->
+			<!-- <SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage> -->
+			<!-- <TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage> -->
+			<!-- <TargetImage condition="is">C:\Windows\Sysmon.exe</TargetImage> -->
+			<!-- ShellCode Spawned from Office Macros: Credit: @JohnLaTwC -->
+			<!-- <CallTrace condition="excludes">UNKNOWN</CallTrace> -->
+			<!-- ScreenConnect Querying lsass/winlogon SPAM -->
+			<!-- <SourceImage condition="contains">C:\Program Files (x86)\ScreenConnect Client</SourceImage> -->
+		<!--</ProcessAccess> -->
 
 	<!--SYSMON EVENT ID 11 : FILE CREATED -->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->

From 3e90beaff80e2338f43c3930864ce01f894be198 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 12 Mar 2017 14:40:21 -0400
Subject: [PATCH 145/471] Add Autoupdater for Sysmon to auto update my sysmon
 config Hourly

---
 Auto_Update.bat | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 Auto_Update.bat

diff --git a/Auto_Update.bat b/Auto_Update.bat
new file mode 100644
index 00000000..1e5aac6c
--- /dev/null
+++ b/Auto_Update.bat
@@ -0,0 +1,5 @@
+@echo on
+cd C:\ProgramData\sysmon\
+@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
+sysmon64 -c sysmonconfig-export.xml
+exit
\ No newline at end of file

From 6ddbc751634b1c91c81b572e256c34a7fb6ae027 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 12 Mar 2017 14:40:59 -0400
Subject: [PATCH 146/471] Add Auto Update scheduling to install process

---
 Install Sysmon.bat | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/Install Sysmon.bat b/Install Sysmon.bat
index bf253675..9b419d1e 100644
--- a/Install Sysmon.bat	
+++ b/Install Sysmon.bat	
@@ -1,11 +1,28 @@
 @echo off
+setlocal
+set hour=%time:~0,2%
+set minute=%time:~3,2%
+set /A minute+=2
+if %minute% GTR 59 (
+ set /A minute-=60
+ set /A hour+=1
+)
+if %hour%==24 set hour=00
+if "%hour:~0,1%"==" " set hour=0%hour:~1,1%
+if "%hour:~1,1%"=="" set hour=0%hour%
+if "%minute:~1,1%"=="" set minute=0%minute%
+set tasktime=%hour%:%minute%
 mkdir C:\ProgramData\sysmon
 cd C:\ProgramData\sysmon\
 echo [+] Downloading Sysmon...
 @powershell (new-object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon64.exe','C:\ProgramData\sysmon\sysmon64.exe')"
 echo [+] Downloading Sysmon config...
 @powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
+@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/master/Auto_Update.bat','C:\ProgramData\sysmon\Auto_Update.bat')"
 sysmon64.exe -accepteula -i sysmonconfig-export.xml
+sc failure Sysmon actions= restart/10000/restart/10000// reset= 120
 echo [+] Sysmon Successfully Installed!
+echo [+] Creating Auto Update Task set to Hourly..
+SchTasks /Create /RU "NT AUTHORITY\LOCALSERVICE" /SC HOURLY /TN Update_Sysmon_Rules /TR C:ProgramData\sysmon\Auto_Update.bat /ST %tasktime%
 timeout /t 10
 exit
\ No newline at end of file

From bbdec6087aa350c9c968ace4fe1306a62ad58299 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 12 Mar 2017 14:51:17 -0400
Subject: [PATCH 147/471] Fix typo's

---
 Install Sysmon.bat | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Install Sysmon.bat b/Install Sysmon.bat
index 9b419d1e..43649db0 100644
--- a/Install Sysmon.bat	
+++ b/Install Sysmon.bat	
@@ -23,6 +23,6 @@ sysmon64.exe -accepteula -i sysmonconfig-export.xml
 sc failure Sysmon actions= restart/10000/restart/10000// reset= 120
 echo [+] Sysmon Successfully Installed!
 echo [+] Creating Auto Update Task set to Hourly..
-SchTasks /Create /RU "NT AUTHORITY\LOCALSERVICE" /SC HOURLY /TN Update_Sysmon_Rules /TR C:ProgramData\sysmon\Auto_Update.bat /ST %tasktime%
+SchTasks /Create /RU "NT AUTHORITY\LOCALSERVICE" /RL HIGHEST /SC HOURLY /TN Update_Sysmon_Rules /TR C:\ProgramData\sysmon\Auto_Update.bat /ST %tasktime%
 timeout /t 10
 exit
\ No newline at end of file

From 9f427190f600a7b5321610d8b954885b1cce0d95 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 12 Mar 2017 14:59:41 -0400
Subject: [PATCH 148/471] Update Readme

---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index ee5cd3ad..4670bf13 100644
--- a/README.md
+++ b/README.md
@@ -12,9 +12,11 @@ Pull requests and issue tickets are welcome, and new additions will be credited
 
 Note: Exact syntax and filtering choices are deliberate to catch appropriate entries and to have as little performance impact as possible. Sysmon's filtering abilities are different than the built-in Windows auditing features, so often a different approach is taken than the normal static listing of every possible important area.
 
+This now has an Auto Updater script to update to the latest Sysmon config hourly.  This is great for mass deployments without having to manually update thousands of systems.
+
 ## Use ##
 
-### Auto-Install ###
+### Auto-Install with Auto Update Script:###
 ~~~~
 Install Sysmon.bat
 ~~~~

From 7c3bcb8e1953c115da07e131647d488073c3455e Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 13 Mar 2017 20:48:12 -0400
Subject: [PATCH 149/471] Exclusions to lower noise in large environment
 w/servers.

---
 sysmonconfig-export.xml | 57 +++++++++++++++++++++++++++++++++++------
 1 file changed, 49 insertions(+), 8 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index b30c4d1f..9b834fc6 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -393,6 +393,7 @@
 		<NetworkConnect onmatch="exclude">
 			<!--SECTION: Microsoft -->
 			<Image condition="is">C:\Windows\System32\dns.exe</Image> <!-- Exclude Microsoft DNS Server DNS requests -->
+			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</Image> <!-- Exclude Microsoft Exchange connecting to locahost -->
 			<DestinationIsIpv6 condition="is">true </DestinationIsIpv6> <!-- IPv6 Exclusion: Re-Enable if you use ipv6 -->
 			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
 			<Image condition="image">Spotify.exe</Image> <!--Spotify-->
@@ -1036,18 +1037,22 @@
 			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}\</TargetObject><!-- HD Audio Noise-->
 			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe</Image> <!--VMWare: Horizon View Client Noise-->
 			<Image condition="is">C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe</Image> <!--PGP: Noise-->
-			<!--SECTION: 3rd party-->
+			<!--SECTION: Labtech-->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\LTSvcMon\Start</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\LTService\Start</TargetObject>
+			<!--SECTION: ShadowProtect-->
+			<TargetObject condition="begin with">HKCR\Wow6432Node\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InprocServer32</TargetObject>
 			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image> <!--Constantly writes to HKLM-->
 			<!-- Search Protocol Host & Sysmon spam the SystemCertificates keystores, adding exclusions below -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed</TargetObject>
-			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\SystemCertificates\Disallowed</TargetObject>
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\Disallowed</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed</TargetObject>
-			<TargetObject condition="begin with">HKCU\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed</TargetObject>
-			<TargetObject condition="begin with">HKCU\SOFTWARE\Microsoft\SystemCertificates\Disallowed</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\</TargetObject>
+			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\SystemCertificates\</TargetObject>
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\</TargetObject>
+			<TargetObject condition="begin with">HKCU\SOFTWARE\Microsoft\EnterpriseCertificates\</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SystemCertificates\</TargetObject>
 			<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
 			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports</TargetObject> <!-- Spooler Noise -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnotice</TargetObject> <!-- Group Policy spam -->
 		</RegistryEvent>
 
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED-->
@@ -1122,6 +1127,40 @@
 				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
 				<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
 			<!--SECTION: Microsoft-->
+			<PipeName condition="is">\lsass</PipeName>
+			<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
+			<!--SECTION: Microsoft IIS -->
+			<PipeName condition="begin with">\M.E.C.Core.WinRMDataCommunicator.NamedPipe.</PipeName>
+			<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image>
+			<Image condition="is">C:\Windows\syswow64\snmp.exe</Image>
+			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE</Image>
+			<!--SECTION: Microsoft Exchange Server -->
+			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\ParserServer\ParserServer.exe</Image>
+			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe</Image>
+			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe</Image>
+			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe</Image>
+			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe</Image>
+			<!--SECTION: Microsoft DNS Server -->
+			<Image condition="is">C:\Windows\system32\dns.exe</Image>
+			<!--SECTION: Microsoft SQL Server -->
+			<Image condition="is">C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe</Image>
+			<!--SECTION: Microsoft Skype For Business Server -->
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exee</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\AV Conferencing\AVMCUSvc.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Health Agent\HealthAgent.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\LysSvc.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\File Transfer Agent\FileTransferAgent.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Web Conferencing\DataMCUSvc.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Application Host\OcsAppServerHost.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\ABServer.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Master Replicator Agent\MasterReplicatorAgent.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\IM Conferencing\IMMCUSvc.exe</Image>
+			<Image condition="is">C:\Program Files\Common Files\Skype for Business Server 2015\ClsAgent\ClsAgent.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\ReplicationApp.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\Application Sharing\ASMCUSvc.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Replica Replicator Agent\ReplicaReplicatorAgent.exe</Image>
+			<!--SECTION: Microsoft DFS Replication -->
+			<Image condition="is">C:\Windows\system32\DFSRs.exee</Image>
 			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
 			<Image condition="is">C:\Windows\system32\SearchProtocolHost.exe</Image>
 			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</Image>
@@ -1182,6 +1221,8 @@
 			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe</Image>
 			<!--SECTION: Labtech-->
 			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
+			<Image condition="contains">ScreenConnect.WindowsClient.exe</Image>
+			<Image condition="contains">ScreenConnect.ClientService.exe</Image>
 			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
 			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn.exe</Image>
 			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpnserv.exe</Image>

From dcedbd30e1955125fabdde8a16a66e19fe9eda2a Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 13 Mar 2017 21:02:26 -0400
Subject: [PATCH 150/471] Add Powershell network logging

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 9b834fc6..262b4304 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -297,6 +297,7 @@
 			<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Windows Services hidden by Svchost.exe, BITS File Transfer program-->
 			<Image condition="image">mshta.exe</Image>
 			<Image condition="image">python.exe</Image>
+			<Image condition="image">powershell.exe</Image> <!--Microsoft:WindowsPowerShell: | Credit @Cyb3rOps -->
 			<Image condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
 			<Image condition="contains">pskill</Image><!--Detect pskill-->
 			<Image condition="contains">psshutdown</Image><!--Detect PsShutdown-->

From af991b2d8d5ae18de4e4062f1e5ce52dd3beaadc Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 13 Mar 2017 21:05:28 -0400
Subject: [PATCH 151/471] Update Readme

---
 README.md | 169 +-----------------------------------------------------
 1 file changed, 1 insertion(+), 168 deletions(-)

diff --git a/README.md b/README.md
index 4670bf13..ec05f5e0 100644
--- a/README.md
+++ b/README.md
@@ -50,171 +50,4 @@ sc sdset Sysmon D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;B
 
 ### Graylog Configuration ###
 
-
-### Sysmon Pipeline Rules ###
-
-## Stage -1 ##
-# sysmon cleanup (gl2_source_fix) #
-~~~~
-// This rule is cleaning up the message
-// -- It addresses an issue with older filebeat versions, which can have trouble with the 'source' field 
-// -- The rule will not cause any trouble with filebeat versions that do not have that issue
-rule "sysmon cleanup (gl2_source_fix)"
-when
-    is_not_null($message.winlogbeat_fields_gl2_source_collector)
-then
-    set_field("gl2_source_collector", to_string($message.winlogbeat_fields_gl2_source_collector));
-    remove_field("winlogbeat_fields_gl2_source_collector");
-end
-~~~~
-
-# sysmon cleanup #
-~~~~
-// Sysmon Installation
-// -- Sysmon has to be installed on Windows, and be run with: sysmon –i –accepteula –h md5 –n -l 
-// -- Transport should be a winlogbeat
-// -- Consider using the Graylog Sidecar to manage winlogbeat remotely
-rule "sysmon cleanup"
-when
-    // Only run for Sysmon messages
-    has_field("winlogbeat_source_name") AND contains(to_string($message.winlogbeat_source_name), "Microsoft-Windows-Sysmon")
-then
-
-    // Rename some fields to clean up
-    rename_field("winlogbeat_computer_name", "sysmon_computer_name");
-    rename_field("winlogbeat_event_data_Image", "sysmon_data_process");
-    rename_field("winlogbeat_event_data_UtcTime", "sysmon_data_utc_time");
-    rename_field("winlogbeat_event_id", "sysmon_event_id");
-    rename_field("winlogbeat_level", "sysmon_data_level");
-    rename_field("winlogbeat_task", "sysmon_task");
-    rename_field("winlogbeat_event_data_User", "sysmon_data_user");
-    rename_field("winlogbeat_event_data_TargetFilename", "sysmon_data_file_created");
-    rename_field("winlogbeat_event_data_CreationUtcTime", "sysmon_data_file_created_time");
-    rename_field("winlogbeat_event_data_PreviousCreationUtcTime", "sysmon_data_file_created_time_previous");
-    rename_field("winlogbeat_user_name", "sysmon_data_user_name");
-    rename_field("winlogbeat_thread_id", "sysmon_thread_id"); 
-    rename_field("winlogbeat_user_domain", "sysmon_user_domain");
-    rename_field("winlogbeat_user_identifier", "sysmon_user_identifier");
-    rename_field("winlogbeat_user_type", "sysmon_user_type");
-    rename_field("winlogbeat_event_data_DestinationHostname", "sysmon_dns_lookup");
-    rename_field("winlogbeat_event_data_DestinationIp", "sysmon_dns_lookup_ip");
-    rename_field("winlogbeat_event_data_DestinationPort", "sysmon_dest_port");
-    rename_field("winlogbeat_event_data_DestinationPortName", "sysmon_dest_port_name");
-    rename_field("winlogbeat_event_data_Initiated", "sysmon_con_initiated");
-    rename_field("winlogbeat_event_data_Protocol", "sysmon_con_proto");
-    rename_field("winlogbeat_event_data_SourceHostname", "sysmon_src_name");
-    rename_field("winlogbeat_event_data_SourceIp", "sysmon_src_ip");
-    rename_field("winlogbeat_event_data_SourcePort", "sysmon_src_port");
-    rename_field("winlogbeat_event_data_SourcePortName", "sysmon_src_port_name");
-    rename_field("winlogbeat_event_data_CommandLine", "sysmon_cmd_event");
-    rename_field("winlogbeat_event_data_CurrentDirectory", "sysmon_cmd_location");
-    rename_field("winlogbeat_event_data_Hashes", "sysmon_cmd_hash");
-    rename_field("winlogbeat_event_data_IntegrityLevel", "sysmon_cmd_integrity");
-    rename_field("winlogbeat_event_data_LogonId", "sysmon_cmd_logon_id");
-    rename_field("winlogbeat_event_data_ParentCommandLine", "sysmon_cmd_parent_cmd");
-    rename_field("winlogbeat_event_data_ParentImage", "sysmon_cmd_parent_file");
-    rename_field("winlogbeat_event_data_ParentProcessId", "sysmon_cmd_parent_pid");
-    rename_field("winlogbeat_event_data_TerminalSessionId", "sysmon_cmd_terminal_pid");
-    rename_field("winlogbeat_event_data_LogonGuid", "sysmon_cmd_logon_guid");
-    rename_field("winlogbeat_event_data_ParentProcessGuid", "sysmon_cmd_parent_guid");
-    rename_field("winlogbeat_event_data_TargetObject", "sysmon_registry_object");
-    rename_field("winlogbeat_event_EventType", "sysmon_registry_Type");
-    rename_field("winlogbeat_event_data_Details", "sysmon_registry_set");
-    rename_field("winlogbeat_event_data_SourceImage", "sysmon_paccess_source_img");
-    rename_field("winlogbeat_event_data_SourceProcessGUID", "sysmon_paccess_pguid");
-    rename_field("winlogbeat_event_data_SourceProcessId", "sysmon_paccess_pid");
-    rename_field("winlogbeat_event_data_SourceThreadId", "sysmon_paccess_threadid");
-    rename_field("winlogbeat_event_data_TargetImage", "sysmon_paccess_target_image");
-    rename_field("winlogbeat_event_data_TargetProcessGUID", "sysmon_paccess_target_guid");
-    rename_field("winlogbeat_event_data_TargetProcessid", "sysmon_paccess_target_pid");
-    rename_field("winlogbeat_event_data_DestinationIp_geolocation", "sysmon_dns_lookup_ip_geolocation");
-    rename_field("winlogbeat_event_data_PipeName", "sysmon_pipe_name");
-    rename_field("winlogbeat_event_data_ProcessId", "sysmon_pipe_pid");
-    rename_field("winlogbeat_process_id", "sysmon_img_pid");
-    rename_field("winlogbeat_event_data_ImageLoaded", "sysmon_imgloaded");
-    rename_field("winlogbeat_event_data_SignatureStatus", "sysmon_signatureStatus");
-    rename_field("winlogbeat_event_data_Signed", "sysmon_signed");
-
-    // Remove clutter.
-    let fix = regex("^\\{(\\S+)\\}$", to_string($message.winlogbeat_event_data_ProcessGuid));
-    set_field("sysmon_data_process_guid", to_string(fix["0"]));
-    remove_field("winlogbeat_event_data_ProcessGuid");
-
-    let fix = regex("^\\{(\\S+)\\}$", to_string($message.winlogbeat_provider_guid));
-    set_field("sysmon_data_provider_gui", to_string(fix["0"]));
-    remove_field("winlogbeat_provider_guid");
-
-
-    // Remove unwanted fields
-    remove_field("name");
-    remove_field("tags");
-    remove_field("type");
-
-    // Remove winlogbeats fields we don't need
-    //remove_field("winlogbeat_event_data_ProcessId");
-    //remove_field("winlogbeat_log_name");
-    //remove_field("winlogbeat_opcode");
-    //remove_field("winlogbeat_process_id");
-    //remove_field("winlogbeat_record_number");
-    //remove_field("winlogbeat_source_name");
-    //remove_field("winlogbeat_tags");
-    //remove_field("winlogbeat_type");
-    //remove_field("winlogbeat_version");
-    //remove_field("winlogbeat_event_data_SourceIsIpv6");
-    //remove_field("winlogbeat_event_data_DestinationIsIpv6");
-end
-~~~~
-
-# Stage 0 #
-~~~~
-// Threat Intelligence enrichment
-// --- Needs installed Graylog Threat Intel plugin : https://github.com/Graylog2/graylog-plugin-threatintel
-rule "sysmon threatintel"
-when
-   // To save CPU cycles, only run if there is something to look up
-   has_field("sysmon_dns_lookup") OR has_field("sysmon_dns_lookup_ip") OR has_field("sysmon_src_ip")
-then
-
-    // look up the requested DNS captured by sysmon
-    // this will be the most fired rule
-    let sysmon_dns_lookup_intel = threat_intel_lookup_domain(to_string($message.sysmon_dns_lookup), "sysmon_dns_lookup");
-    set_fields(sysmon_dns_lookup_intel);
-
-    // look up the ip from the DNS answer
-    // if we do not monitor the dns, then this might be nice to have
-    let sysmon_lookup_ip_answer_intel = threat_intel_lookup_ip(to_string($message.sysmon_dns_lookup_ip), "sysmon_dns_lookup_ip");
-    set_fields(sysmon_lookup_ip_answer_intel);
-
-    // look up the requesting IP 
-    // this is useful if dealing with non internal IPs 
-    // so you know if your IP is seen as a problem
-    let sysmon_src_ip_answer_intel = threat_intel_lookup_ip(to_string($message.sysmon_src_ip), "sysmon_src_ip");
-    set_fields(sysmon_src_ip_answer_intel);
-
-    // WHOIS lookup. This is disabled by default. Enable and carefully watch latency and performance.
-    let sysmon_dns_lookup_ip_whois = whois_lookup_ip(to_string($message.sysmon_dns_lookup_ip), "sysmon_dns_lookup_ip");
-    set_fields(sysmon_dns_lookup_ip_whois);
-    
-    //AlienVault OTX
-    let intel = otx_lookup_ip(to_string($message.sysmon_src_ip));
-    let intel = otx_lookup_domain(to_string($message.sysmon_dns_lookup_ip));
-    set_field("otx_threat_indicated", intel.otx_threat_indicated);
-    set_field("otx_threat_ids", intel.otx_threat_ids);
-    set_field("otx_threat_names", intel.otx_threat_names);
-
-end
-~~~~
-
-# Stage 1 #
-~~~~
-rule "sysmon threatintel inflate"
-when
-    // run only if one of the fields is true
-    to_bool($message.sysmon_dns_lookup_ip_threat_indicated) OR to_bool($message.sysmon_dns_lookup_threat_indicated) OR to_bool($message.sysmon_src_ip_threat_indicated) OR to_bool($message.otx_threat_indicated)
-then
-
-    // This is to make Graylog searches easy
-    // -- Enables searches like threat_indicated:true
-    set_field("threat_indicated", true);
-end
-~~~~
+(https://github.com/ion-storm/Graylog_Sysmon)
\ No newline at end of file

From 66a59e732e2ceb26102d4ed7f79695ba3d31d473 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 13 Mar 2017 22:37:51 -0400
Subject: [PATCH 152/471] Use pushd in case launching from other drive letter

---
 Install Sysmon.bat | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Install Sysmon.bat b/Install Sysmon.bat
index 43649db0..f79162e0 100644
--- a/Install Sysmon.bat	
+++ b/Install Sysmon.bat	
@@ -13,7 +13,7 @@ if "%hour:~1,1%"=="" set hour=0%hour%
 if "%minute:~1,1%"=="" set minute=0%minute%
 set tasktime=%hour%:%minute%
 mkdir C:\ProgramData\sysmon
-cd C:\ProgramData\sysmon\
+pushd "C:\ProgramData\sysmon\"
 echo [+] Downloading Sysmon...
 @powershell (new-object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon64.exe','C:\ProgramData\sysmon\sysmon64.exe')"
 echo [+] Downloading Sysmon config...

From 4c546f2a9a251b62e7f28d8752228ab29dc27db4 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 17 Mar 2017 13:53:46 -0400
Subject: [PATCH 153/471] Installer Exclusions

---
 sysmonconfig-export.xml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 262b4304..cf946be1 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -220,7 +220,9 @@
 			<ParentCommandLine condition="contains">tasklist</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">wmic path win32_operatingsystem get</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">sc queryex type= service</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe</ParentCommandLine> <!--ShadowProtect noise -->
+			<ParentImage condition="contains">C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\raw_agent_svc.exe</ParentImage> <!--ShadowProtect noise -->
+			<CommandLine condition="contains">IscsidscInterface.exe</CommandLine> <!--ShadowProtect noise -->
 			<ParentCommandLine condition="contains">Add-PSSnapin Microsoft.SharePoint.PowerShell</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">find /i "Listening"</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">netstat -an</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
@@ -260,6 +262,10 @@
 			<ParentImage condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\FCHelper64.exe</ParentImage> <!--FortiClient Noise -->
 			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image> <!-- Forticlient Updater -->
 			<Image condition="contains">C:\Program Files (x86)\SyncedTool\bin\agent_gui.exe</Image>
+			<CommandLine condition="contains">sysmonconfig-export.xml</CommandLine> <!-- Ignore my Auto Updater -->
+			<ParentCommandLine condition="contains">C:\Windows\SYSTEM32\cmd.exe /c "C:\ProgramData\sysmon\Auto_Update.bat"</ParentCommandLine> <!-- Ignore my Auto Updater -->
+			<ParentCommandLine condition="contains">Install_Sidecar_w_Sysmon.bat</ParentCommandLine> <!-- Ignore my Installer -->
+			<CommandLine condition="contains">Sysmon actions</CommandLine> <!-- Ignore my Installer -->
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM-->

From 5a45d8919175fcf09e42cd217d086ebdca6c485c Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 17 Mar 2017 13:57:28 -0400
Subject: [PATCH 154/471] exclusion for efolder server

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index cf946be1..13c70066 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -434,6 +434,7 @@
 			<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
 			<Image condition="is">C:\Program Files (x86)\SmartGit\jre\bin\java.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image>
+			<Image condition="is">C:\Anchor Server\penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
 		</NetworkConnect>
 
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY-->

From 1201e4239fe33867ebfe0406fc6b012b4fac5a7b Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 17 Mar 2017 15:18:18 -0400
Subject: [PATCH 155/471] more noise reduction

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 13c70066..4acbe493 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -235,6 +235,8 @@
 			<CommandLine condition="contains">Get-WmiObject -Query 'SELECT LicensingType FROM Win32_TerminalServiceSetting').LicensingType</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">Get-WmiObject -Namespace Root\CimV2\TerminalServices</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">tasklist</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">vssadmin list writers</ParentCommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">vssadmin list writers</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">net view \\localhost | find " Print</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">net view \\localhost | find " Disk</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">C:\Windows\system32\net1 Share</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->

From f8360ee25363eab4b3af52a3ddc4d47e23a59821 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 17 Mar 2017 15:30:24 -0400
Subject: [PATCH 156/471] eFolder exclusions

---
 sysmonconfig-export.xml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 4acbe493..09a42ffe 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -268,6 +268,10 @@
 			<ParentCommandLine condition="contains">C:\Windows\SYSTEM32\cmd.exe /c "C:\ProgramData\sysmon\Auto_Update.bat"</ParentCommandLine> <!-- Ignore my Auto Updater -->
 			<ParentCommandLine condition="contains">Install_Sidecar_w_Sysmon.bat</ParentCommandLine> <!-- Ignore my Installer -->
 			<CommandLine condition="contains">Sysmon actions</CommandLine> <!-- Ignore my Installer -->
+			<Image condition="is">C:\Anchor Server\penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
+			<ParentImage condition="is">C:\Anchor Server\redis\redis-server.exe</ParentImage> <!-- eFolder Anchor Server -->
+			<Image condition="is">C:\Anchor Server\redis\redis-server.exe</Image> <!-- eFolder Anchor Server -->
+			<ParentImage condition="is">C:\PostgreSQL9.1\bin\postgres.exe</ParentImage> <!-- eFolder Anchor Server -->
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM-->

From 59f102c0713dcf94a9c0752922b58e9caaf57901 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 17 Mar 2017 15:58:49 -0400
Subject: [PATCH 157/471] ProxyBypass, way too much noise, Outlook regularly
 bypasses proxy settings.

---
 sysmonconfig-export.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 09a42ffe..7ab8bed2 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -865,7 +865,6 @@
 			<TargetObject condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
 			<TargetObject condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
 			<TargetObject condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
-			<TargetObject condition="contains">\ProxyBypass</TargetObject> <!-- Detects Malware Bypassing Proxy Settings Credit: @SwiftOnSecurity -->
 			<!--Magic registry keys-->
 			<TargetObject condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
 			<!--Infection artifacts-->

From 3d9cb1b121eb2beb532362761314e82f5a41d78b Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 17 Mar 2017 22:27:03 -0400
Subject: [PATCH 158/471] switch to contains for anchor server

---
 sysmonconfig-export.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 7ab8bed2..e1b8d338 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -440,7 +440,7 @@
 			<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
 			<Image condition="is">C:\Program Files (x86)\SmartGit\jre\bin\java.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image>
-			<Image condition="is">C:\Anchor Server\penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
+			<Image condition="contains">C:\Anchor Server\penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
 		</NetworkConnect>
 
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY-->
@@ -864,8 +864,8 @@
 			<!--IE-->
 			<TargetObject condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
 			<TargetObject condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
-			<TargetObject condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
 			<!--Magic registry keys-->
+			<TargetObject condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
 			<TargetObject condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
 			<!--Infection artifacts-->
 			<TargetObject condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->

From 7074269ef98a42c410da9a26896dc91ec0d15249 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 17 Mar 2017 22:46:27 -0400
Subject: [PATCH 159/471] postgres exclusion

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e1b8d338..1eca16e3 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -540,6 +540,7 @@
 			<ImageLoaded condition="is">C:\Program Files (x86)\AutoSizer\AutoSizer.dll</ImageLoaded> <!-- I use autosizer to re-arrange my windows -->
 			<ImageLoaded condition="contains">C:\Program Files (x86)\Notepad++</ImageLoaded> <!--Notepad++ Plugins Are unsigned-->
 			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image> <!-- eFolder SyncedTool -->
+			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Server loading unsigned dll's -->
 		</ImageLoad>
 	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED-->
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->

From 31f283519feaafceac9132855df3853e6e21c8c2 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 18 Mar 2017 12:14:58 -0400
Subject: [PATCH 160/471] lower efolder noise

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 1eca16e3..429cbcd9 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -441,6 +441,8 @@
 			<Image condition="is">C:\Program Files (x86)\SmartGit\jre\bin\java.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image>
 			<Image condition="contains">C:\Anchor Server\penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
+			<DestinationHostname condition="begin with">efolder01</DestinationHostname> <!-- eFolder Noise -->
+			<DestinationPort condition="is">2080</DestinationPort><!--eFolder Noise -->
 		</NetworkConnect>
 
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY-->

From 7c1371bfa8fa1deb432b7f3d66439d433fa7f4d9 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 18 Mar 2017 12:19:55 -0400
Subject: [PATCH 161/471] silence ldap noise

---
 sysmonconfig-export.xml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 429cbcd9..220cef64 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -424,7 +424,8 @@
 			<DestinationHostname condition="end with">.wns.windows.com</DestinationHostname> <!-- Windows communication -->
 			<DestinationHostname condition="end with">akamaitechnologies.com</DestinationHostname> <!-- CDN for Microsoft, Apple, Valve, & More -->
 			<SourcePortName condition="is">llmnr</SourcePortName> <!--Silence Link-Local Multicast Name Resolution-->
-			<SourcePortName condition="is">ldap</SourcePortName> <!--Silence Link-Local Multicast Name Resolution-->
+			<SourcePortName condition="is">ldap</SourcePortName> <!--Silence LDAP-->
+			<DestinationPortName condition="is">ldap</DestinationPortName> <!--Silence LDAP-->
 			<DestinationPortName condition="is">llmnr</DestinationPortName> <!--Silence Link-Local Multicast Name Resolution-->
 			<DestinationPortName condition="is">ssdp</DestinationPortName> <!--Simple Service Discovery Protocol (SSDP-->
 			<SourcePortName condition="is">ssdp</SourcePortName> <!--Simple Service Discovery Protocol (SSDP-->

From ac6d7c20c5ca3ddb31406334f38e579a1397fd0f Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 18 Mar 2017 12:22:00 -0400
Subject: [PATCH 162/471] silence ntp

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 220cef64..c3f19f3c 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -426,6 +426,8 @@
 			<SourcePortName condition="is">llmnr</SourcePortName> <!--Silence Link-Local Multicast Name Resolution-->
 			<SourcePortName condition="is">ldap</SourcePortName> <!--Silence LDAP-->
 			<DestinationPortName condition="is">ldap</DestinationPortName> <!--Silence LDAP-->
+			<SourcePortName condition="is">ntp</SourcePortName> <!--Silence NTP-->
+			<DestinationPortName condition="is">ntp</DestinationPortName> <!--Silence NTP-->
 			<DestinationPortName condition="is">llmnr</DestinationPortName> <!--Silence Link-Local Multicast Name Resolution-->
 			<DestinationPortName condition="is">ssdp</DestinationPortName> <!--Simple Service Discovery Protocol (SSDP-->
 			<SourcePortName condition="is">ssdp</SourcePortName> <!--Simple Service Discovery Protocol (SSDP-->

From 110ee6d35b35c22a9cdee0e19e40e42cb7ea583d Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 18 Mar 2017 17:58:44 -0400
Subject: [PATCH 163/471] Exclude exchange transport

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index c3f19f3c..18844892 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -407,6 +407,7 @@
 			<!--SECTION: Microsoft -->
 			<Image condition="is">C:\Windows\System32\dns.exe</Image> <!-- Exclude Microsoft DNS Server DNS requests -->
 			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</Image> <!-- Exclude Microsoft Exchange connecting to locahost -->
+			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe</Image> <!--Exchange Transport-->
 			<DestinationIsIpv6 condition="is">true </DestinationIsIpv6> <!-- IPv6 Exclusion: Re-Enable if you use ipv6 -->
 			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
 			<Image condition="image">Spotify.exe</Image> <!--Spotify-->

From 7af40f5c335f19f3756b141d7b407e2b839672ff Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 18 Mar 2017 18:12:40 -0400
Subject: [PATCH 164/471] lower shadowprotect & labtech service noise

---
 sysmonconfig-export.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 18844892..0a0ddf4e 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1058,10 +1058,10 @@
 			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe</Image> <!--VMWare: Horizon View Client Noise-->
 			<Image condition="is">C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe</Image> <!--PGP: Noise-->
 			<!--SECTION: Labtech-->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\LTSvcMon\Start</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\LTService\Start</TargetObject>
+			<TargetObject condition="end with">\LTSvcMon\Start</TargetObject>
+			<TargetObject condition="end with">\LTService\Start</TargetObject>
 			<!--SECTION: ShadowProtect-->
-			<TargetObject condition="begin with">HKCR\Wow6432Node\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InprocServer32</TargetObject>
+			<TargetObject condition="contains">{F2C2787D-95AB-40D4-942D-298F5F757874}</TargetObject>
 			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image> <!--Constantly writes to HKLM-->
 			<!-- Search Protocol Host & Sysmon spam the SystemCertificates keystores, adding exclusions below -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\</TargetObject>

From a811050d6983f475822c4854a0e18a2ca5b29998 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 18 Mar 2017 18:23:53 -0400
Subject: [PATCH 165/471] Exclude spooled print job file extensions.

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 0a0ddf4e..aab07ea9 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -739,6 +739,8 @@
 			<TargetFilename condition="begin with">C:\Windows\System32\DriverStore\Temp\</TargetFilename> <!-- Microsoft:Windows: Temp files by DrvInst.exe-->
 			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe-->
 			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost-->
+			<TargetFilename condition="end with">.SPL</TargetFilename> <!-- Ignore Spooled Print Jobs -->
+			<TargetFilename condition="end with">.SHD</TargetFilename> <!-- Ignore Spooled Print Jobs -->
 			<!--SECTION: Microsoft:Windows:Updates-->
 			<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\</TargetFilename> <!-- Microsoft:Windows: Feature updates containing lots of .exe and .sys-->
 			<TargetFilename condition="end with">.etl</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->

From 83be15c986f0039fa68e0d0550ce4f9c63093200 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 18 Mar 2017 21:24:36 -0400
Subject: [PATCH 166/471] update exclusions

---
 sysmonconfig-export.xml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index aab07ea9..c9447a43 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -59,6 +59,7 @@
 			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font Cache Service-->
 			<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but without attribution-->
 			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
+			<Image condition="is">C:\Windows\system32\vssvc.exe</Image><!-- Microsoft Windows: Volume Shadow Copy Service -->
 			<!--SECTION: Microsoft:Windows:Defender-->
 			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
 			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
@@ -236,7 +237,7 @@
 			<CommandLine condition="contains">Get-WmiObject -Namespace Root\CimV2\TerminalServices</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">tasklist</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">vssadmin list writers</ParentCommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">vssadmin list writers</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">vssadmin  list writers</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">net view \\localhost | find " Print</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">net view \\localhost | find " Disk</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">C:\Windows\system32\net1 Share</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
@@ -265,7 +266,7 @@
 			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image> <!-- Forticlient Updater -->
 			<Image condition="contains">C:\Program Files (x86)\SyncedTool\bin\agent_gui.exe</Image>
 			<CommandLine condition="contains">sysmonconfig-export.xml</CommandLine> <!-- Ignore my Auto Updater -->
-			<ParentCommandLine condition="contains">C:\Windows\SYSTEM32\cmd.exe /c "C:\ProgramData\sysmon\Auto_Update.bat"</ParentCommandLine> <!-- Ignore my Auto Updater -->
+			<ParentCommandLine condition="contains">Auto_Update.bat</ParentCommandLine> <!-- Ignore my Auto Updater -->
 			<ParentCommandLine condition="contains">Install_Sidecar_w_Sysmon.bat</ParentCommandLine> <!-- Ignore my Installer -->
 			<CommandLine condition="contains">Sysmon actions</CommandLine> <!-- Ignore my Installer -->
 			<Image condition="is">C:\Anchor Server\penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->

From 9e6e405384fb2ab133e328debc53c35ec7bc716c Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 18 Mar 2017 21:29:06 -0400
Subject: [PATCH 167/471] ignore self

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index c9447a43..123132ff 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -267,6 +267,8 @@
 			<Image condition="contains">C:\Program Files (x86)\SyncedTool\bin\agent_gui.exe</Image>
 			<CommandLine condition="contains">sysmonconfig-export.xml</CommandLine> <!-- Ignore my Auto Updater -->
 			<ParentCommandLine condition="contains">Auto_Update.bat</ParentCommandLine> <!-- Ignore my Auto Updater -->
+			<CommandLine condition="begin with">Sysmon64</CommandLine> <!-- Ignore self -->
+			<CommandLine condition="begin with">Sysmon</CommandLine> <!-- Ignore self -->
 			<ParentCommandLine condition="contains">Install_Sidecar_w_Sysmon.bat</ParentCommandLine> <!-- Ignore my Installer -->
 			<CommandLine condition="contains">Sysmon actions</CommandLine> <!-- Ignore my Installer -->
 			<Image condition="is">C:\Anchor Server\penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->

From c8f893dac5d9ca769fd141191849800cf08c73e6 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 19 Mar 2017 13:54:17 -0400
Subject: [PATCH 168/471] update exclusions

---
 sysmonconfig-export.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 123132ff..cc143f2a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -222,7 +222,8 @@
 			<ParentCommandLine condition="contains">wmic path win32_operatingsystem get</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">sc queryex type= service</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe</ParentCommandLine> <!--ShadowProtect noise -->
-			<ParentImage condition="contains">C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\raw_agent_svc.exe</ParentImage> <!--ShadowProtect noise -->
+			<ParentCommandLine condition="contains">raw_agent_svc.exe</ParentCommandLine> <!--ShadowProtect noise -->
+			<ParentImage condition="contains">raw_agent_svc.exe</ParentImage> <!--ShadowProtect noise -->
 			<CommandLine condition="contains">IscsidscInterface.exe</CommandLine> <!--ShadowProtect noise -->
 			<ParentCommandLine condition="contains">Add-PSSnapin Microsoft.SharePoint.PowerShell</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">find /i "Listening"</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
@@ -311,7 +312,6 @@
 			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
 			<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Windows Services hidden by Svchost.exe, BITS File Transfer program-->
 			<Image condition="image">mshta.exe</Image>
-			<Image condition="image">python.exe</Image>
 			<Image condition="image">powershell.exe</Image> <!--Microsoft:WindowsPowerShell: | Credit @Cyb3rOps -->
 			<Image condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
 			<Image condition="contains">pskill</Image><!--Detect pskill-->
@@ -447,7 +447,7 @@
 			<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
 			<Image condition="is">C:\Program Files (x86)\SmartGit\jre\bin\java.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image>
-			<Image condition="contains">C:\Anchor Server\penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
+			<Image condition="end with">penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
 			<DestinationHostname condition="begin with">efolder01</DestinationHostname> <!-- eFolder Noise -->
 			<DestinationPort condition="is">2080</DestinationPort><!--eFolder Noise -->
 		</NetworkConnect>

From 1925219eb70c673a08f1fc2f6ec014ee62ec67c1 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 20 Mar 2017 13:52:21 -0400
Subject: [PATCH 169/471] Add Quickbooks pipe exclusion

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index cc143f2a..6d6cc40d 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1272,6 +1272,7 @@
 			<Image condition="is">C:\Program Files (x86)\VMware\ScannerRedirection\ftscanmgrhv.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Internet Explorer\vmware-vmrc.exe</Image>
+			<PipeName condition="contains">SQLAnywhereLRM</PipeName> <!-- Quickbooks -->
 		</PipeEvent>
 
 	</EventFiltering>

From 7cd0c83e5b81cd5a3b3d59913c87a1ba94c972bd Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 20 Mar 2017 13:55:57 -0400
Subject: [PATCH 170/471] SQL Pipe Exclusions

---
 sysmonconfig-export.xml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 6d6cc40d..8e1adf69 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1273,6 +1273,10 @@
 			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Internet Explorer\vmware-vmrc.exe</Image>
 			<PipeName condition="contains">SQLAnywhereLRM</PipeName> <!-- Quickbooks -->
+			<PipeName condition="contains">pgsignal</PipeName> <!-- Postgres SQL -->
+			<PipeName condition="contains">MICROSOFT##WID\tsql\query</PipeName> <!-- Microsoft SQL writer-->
+			<PipeName condition="contains">TSVCPIPE-</PipeName> <!-- Terminal Services Pipe-->
+
 		</PipeEvent>
 
 	</EventFiltering>

From f1223c602329d91dc1ea892743b18f891099bfd9 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 20 Mar 2017 13:59:25 -0400
Subject: [PATCH 171/471] Exchange filecreate exclusion

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 8e1adf69..ec8aeef5 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -742,6 +742,7 @@
 			<TargetFilename condition="begin with">C:\Windows\System32\DriverStore\Temp\</TargetFilename> <!-- Microsoft:Windows: Temp files by DrvInst.exe-->
 			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe-->
 			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost-->
+			<TargetFilename condition="end with">.SQM</TargetFilename> <!-- Ignore Exchange files created -->
 			<TargetFilename condition="end with">.SPL</TargetFilename> <!-- Ignore Spooled Print Jobs -->
 			<TargetFilename condition="end with">.SHD</TargetFilename> <!-- Ignore Spooled Print Jobs -->
 			<!--SECTION: Microsoft:Windows:Updates-->

From a1213ea443b8183f8f676e1aa99a6e9e2fffaf8f Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 20 Mar 2017 14:16:32 -0400
Subject: [PATCH 172/471] Exchange Exclusions

---
 sysmonconfig-export.xml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ec8aeef5..f9b39acb 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -411,6 +411,10 @@
 			<Image condition="is">C:\Windows\System32\dns.exe</Image> <!-- Exclude Microsoft DNS Server DNS requests -->
 			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</Image> <!-- Exclude Microsoft Exchange connecting to locahost -->
 			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe</Image> <!--Exchange Transport-->
+			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe</Image> <!--Exchange Edge Transport-->
+			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe</Image>
+			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe</Image>
+			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe</Image>
 			<DestinationIsIpv6 condition="is">true </DestinationIsIpv6> <!-- IPv6 Exclusion: Re-Enable if you use ipv6 -->
 			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
 			<Image condition="image">Spotify.exe</Image> <!--Spotify-->

From cb1916e0fb82c25c186027bd46075fc31ac84341 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 20 Mar 2017 14:20:23 -0400
Subject: [PATCH 173/471] gotomeeting exclusion

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f9b39acb..37d7d9bb 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -454,6 +454,7 @@
 			<Image condition="end with">penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
 			<DestinationHostname condition="begin with">efolder01</DestinationHostname> <!-- eFolder Noise -->
 			<DestinationPort condition="is">2080</DestinationPort><!--eFolder Noise -->
+			<Image condition="end with">g2mcomm.exe</Image> <!-- gotomeeting noise -->
 		</NetworkConnect>
 
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY-->

From c867e4306da38e7ce9c777cbf3e3c0ccddd95957 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Mar 2017 09:15:49 -0400
Subject: [PATCH 174/471] too much noise from helpdesk using mmc

---
 sysmonconfig-export.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 37d7d9bb..146283fa 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -332,7 +332,6 @@
 			<Image condition="image">tftp.exe</Image><!-- TFTP -->
 			<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
 			<Image condition="image">net.exe</Image><!-- net use/net view-->
-			<Image condition="image">C:\windows\system32\mmc.exe</Image><!-- Microsoft Management Console -->
 			<Image condition="image">nbtstat.exe</Image><!-- Netbios stat-->
 			<Image condition="image">dsquery.exe</Image><!-- Query domain-->
 			<Image condition="image">driverquery.exe</Image><!-- Remote Driver querying-->

From 2065dea453e078f26abb704acc30e42ac7eba81a Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Mar 2017 13:28:11 -0400
Subject: [PATCH 175/471] additional exclusions and fixes

---
 sysmonconfig-export.xml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 146283fa..eb6c336d 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -223,8 +223,9 @@
 			<ParentCommandLine condition="contains">sc queryex type= service</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe</ParentCommandLine> <!--ShadowProtect noise -->
 			<ParentCommandLine condition="contains">raw_agent_svc.exe</ParentCommandLine> <!--ShadowProtect noise -->
-			<ParentImage condition="contains">raw_agent_svc.exe</ParentImage> <!--ShadowProtect noise -->
+			<ParentImage condition="end with">raw_agent_svc.exe</ParentImage> <!--ShadowProtect noise -->
 			<CommandLine condition="contains">IscsidscInterface.exe</CommandLine> <!--ShadowProtect noise -->
+			<ParentCommandLine condition="contains">IscsidscInterface.exe</ParentCommandLine> <!--ShadowProtect noise -->
 			<ParentCommandLine condition="contains">Add-PSSnapin Microsoft.SharePoint.PowerShell</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">find /i "Listening"</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">netstat -an</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
@@ -276,6 +277,7 @@
 			<ParentImage condition="is">C:\Anchor Server\redis\redis-server.exe</ParentImage> <!-- eFolder Anchor Server -->
 			<Image condition="is">C:\Anchor Server\redis\redis-server.exe</Image> <!-- eFolder Anchor Server -->
 			<ParentImage condition="is">C:\PostgreSQL9.1\bin\postgres.exe</ParentImage> <!-- eFolder Anchor Server -->
+			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Anchor Server -->
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM-->

From ae116f3de17a0ca978b441e451a76651116df542 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Mar 2017 14:01:24 -0400
Subject: [PATCH 176/471] Add Additional UAC thanks to Florian Roth

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index eb6c336d..357a1a1a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -980,8 +980,10 @@
 			<TargetObject condition="contains">\batfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
 			<TargetObject condition="contains">\piffile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
 			<TargetObject condition="contains">\exefile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
+			<TargetObject condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> <!-- Detect: UAC Bypass via sdclt: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ -->
 			<TargetObject condition="contains">\piffile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
 			<TargetObject condition="contains">\regfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
+			<TargetObject condition="contains">\mscfile\shell\open\command</TargetObject> <!-- Detect: Event Viewer UAC Bypass: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ -->
 			<TargetObject condition="contains">\InprocServer32</TargetObject> <!--Detect: COMObject Hijacking: https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->

From 3d6e45f2f051bbcd2735b36ed70c1e84902199ff Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Mar 2017 14:05:53 -0400
Subject: [PATCH 177/471] title: Suspicious Program Location with Network
 Connections status: experimental description: Detects programs with network
 connections running in suspicious files system locations reference:
 https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 Credit: Florian Roth date: 2017/03/19

---
 sysmonconfig-export.xml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 357a1a1a..1454fca3 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -303,6 +303,11 @@
 			<Image condition="begin with">C:\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
 			<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
 			<Image condition="begin with">C:\Windows\Temp</Image> <!--Suspicious anything would communicate from the system-level temp directory-->
+			<Image condition="begin with">C:\Perflogs\</Image>
+			<Image condition="contains">config\systemprofile\</Image>
+			<Image condition="contains">\Windows\Fonts\</Image>
+			<Image condition="contains">\Windows\IME\<Image>
+			<Image condition="contains">\Windows\addins\</Image>
 			<!--Suspicious Windows tools-->
 			<Image condition="image">at.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
 			<Image condition="image">certutil.exe</Image> <!--Microsoft:Windows: Certificate tool can contact outbound | Credit @ion-storm and @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->

From dc28c8c7faf3ea2ea7c1552c94f0fd9c25291c02 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Mar 2017 14:20:18 -0400
Subject: [PATCH 178/471] title: Suspicious Typical Malware Back Connect Ports
 status: experimental description: Detects programs that connect to typical
 malware back connetc ports based on statistical analysis from two different
 sandbox system databases reference:
 https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth date: 2017/03/19

---
 sysmonconfig-export.xml | 55 +++++++++++++++++++++++++++++++++++++++--
 1 file changed, 53 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 1454fca3..be41d166 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -306,7 +306,7 @@
 			<Image condition="begin with">C:\Perflogs\</Image>
 			<Image condition="contains">config\systemprofile\</Image>
 			<Image condition="contains">\Windows\Fonts\</Image>
-			<Image condition="contains">\Windows\IME\<Image>
+			<Image condition="contains">\Windows\IME\</Image>
 			<Image condition="contains">\Windows\addins\</Image>
 			<!--Suspicious Windows tools-->
 			<Image condition="image">at.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
@@ -410,7 +410,57 @@
 			<DestinationPort condition="is">3128</DestinationPort> <!--Socks Port-->
 			<DestinationPort condition="is">9001</DestinationPort> <!--Tor Port-->
 			<DestinationPort condition="is">9030</DestinationPort> <!--Tor Port-->
-			<DestinationPort condition="is">53</DestinationPort> <!--Log DNS for Graylog threat discovery-->
+			<DestinationPort condition="is">4443</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">2448</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">8143</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">1777</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">1443</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">243</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">65535</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">13506</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">3360</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">200</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">198</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">49180</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">13507</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">3360</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">6625</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">4444</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">4438</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">1904</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">13505</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">13504</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">12102</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">9631</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">5445</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">2443</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">777</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">13394</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">13145</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">12103</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">5552</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">3939</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">3675</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">666</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">473</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">5649</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">4455</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">4433</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">1817</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">100</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">65520</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">1960</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">1515</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">743</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">700</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">14154</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">14103</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">14102</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">12322</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">10101</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">7210</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">4040</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">9943</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
 		</NetworkConnect>
 		<NetworkConnect onmatch="exclude">
 			<!--SECTION: Microsoft -->
@@ -511,6 +561,7 @@
 			<ImageLoaded condition="is">C:\Windows\System32\samlib.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
 			<ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
 			<ImageLoaded condition="is">WMINet_Utils.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<ImageLoaded condition="contains">\Temp\</ImageLoaded>
 			<!-- END: Mimikatz Detection -->
 		<!--COMMENT:	Can cause high system load, disabled by default, important examples included below.-->
 			<!-- <ImageLoaded condition="contains">system.automation</ImageLoaded> -->

From 7237476c94badc54e9b1b701eed84db0ba6e1f70 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Mar 2017 16:18:30 -0400
Subject: [PATCH 179/471] test load with 80/443

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index be41d166..1f2e9d37 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -391,6 +391,8 @@
 			<DestinationHostname condition="end with">tor-gateways.de</DestinationHostname>
 			<DestinationHostname condition="end with">hiddenservice.net</DestinationHostname>
 			<!--Ports-->
+			<DestinationPort condition="is">80</DestinationPort> <!--RDP Port-->
+			<DestinationPort condition="is">443</DestinationPort> <!--RDP Port-->
 			<DestinationPort condition="is">3389</DestinationPort> <!--RDP Port-->
 			<DestinationPort condition="is">3540</DestinationPort> <!--Remote Assistance Port-->
 			<DestinationPort condition="is">22</DestinationPort>   <!--SSH Port-->

From a5bf0f53dd569890a51e1ffb4612ebdab0b55167 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Mar 2017 16:24:49 -0400
Subject: [PATCH 180/471] I want to see when everything Updates, can use
 graylog to filter it out.

---
 sysmonconfig-export.xml | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 1f2e9d37..ba7f8594 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -267,12 +267,6 @@
 			<ParentImage condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\FCHelper64.exe</ParentImage> <!--FortiClient Noise -->
 			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image> <!-- Forticlient Updater -->
 			<Image condition="contains">C:\Program Files (x86)\SyncedTool\bin\agent_gui.exe</Image>
-			<CommandLine condition="contains">sysmonconfig-export.xml</CommandLine> <!-- Ignore my Auto Updater -->
-			<ParentCommandLine condition="contains">Auto_Update.bat</ParentCommandLine> <!-- Ignore my Auto Updater -->
-			<CommandLine condition="begin with">Sysmon64</CommandLine> <!-- Ignore self -->
-			<CommandLine condition="begin with">Sysmon</CommandLine> <!-- Ignore self -->
-			<ParentCommandLine condition="contains">Install_Sidecar_w_Sysmon.bat</ParentCommandLine> <!-- Ignore my Installer -->
-			<CommandLine condition="contains">Sysmon actions</CommandLine> <!-- Ignore my Installer -->
 			<Image condition="is">C:\Anchor Server\penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
 			<ParentImage condition="is">C:\Anchor Server\redis\redis-server.exe</ParentImage> <!-- eFolder Anchor Server -->
 			<Image condition="is">C:\Anchor Server\redis\redis-server.exe</Image> <!-- eFolder Anchor Server -->

From 281170e6427b0ce5925b3a220213ac3eef717a03 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Mar 2017 16:56:14 -0400
Subject: [PATCH 181/471] lets test log all web browsing connectivity for
 graylog threat detection

---
 sysmonconfig-export.xml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ba7f8594..824513f2 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -302,6 +302,12 @@
 			<Image condition="contains">\Windows\Fonts\</Image>
 			<Image condition="contains">\Windows\IME\</Image>
 			<Image condition="contains">\Windows\addins\</Image>
+			<Image condition="contains">chrome.exe</Image>
+			<Image condition="contains">iexplore.exe</Image>
+			<Image condition="contains">firefox.exe</Image>
+			<Image condition="contains">MicrosoftEdgeCP.exe</Image>
+			<Image condition="contains">MicrosoftEdge.exe</Image>
+			<Image condition="contains">explorer.exe</Image>
 			<!--Suspicious Windows tools-->
 			<Image condition="image">at.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
 			<Image condition="image">certutil.exe</Image> <!--Microsoft:Windows: Certificate tool can contact outbound | Credit @ion-storm and @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->

From 55f23ea1c9f342f8aedadcbe6172a037d8ed7762 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Mar 2017 17:03:21 -0400
Subject: [PATCH 182/471] exclude Labtech connectivity

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 824513f2..101ef6a2 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -513,6 +513,8 @@
 			<DestinationHostname condition="begin with">efolder01</DestinationHostname> <!-- eFolder Noise -->
 			<DestinationPort condition="is">2080</DestinationPort><!--eFolder Noise -->
 			<Image condition="end with">g2mcomm.exe</Image> <!-- gotomeeting noise -->
+			<Image condition="is">C:\Program Files (x86)\LabTech Client\LTClient.exe</Image>
+			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
 		</NetworkConnect>
 
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY-->

From 62254ac33434d3574730eefe7b37bf7b36c3bd03 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Mar 2017 17:04:17 -0400
Subject: [PATCH 183/471] Exclude webroot calling home

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 101ef6a2..9e05094c 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -515,6 +515,7 @@
 			<Image condition="end with">g2mcomm.exe</Image> <!-- gotomeeting noise -->
 			<Image condition="is">C:\Program Files (x86)\LabTech Client\LTClient.exe</Image>
 			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
 		</NetworkConnect>
 
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY-->

From bcf3103e9089edfbbacbcf09e1f561209092398b Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Mar 2017 17:05:42 -0400
Subject: [PATCH 184/471] exclude search protocol host

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 9e05094c..47d0a9be 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -473,6 +473,7 @@
 			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe</Image>
 			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe</Image>
 			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe</Image>
+			<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
 			<DestinationIsIpv6 condition="is">true </DestinationIsIpv6> <!-- IPv6 Exclusion: Re-Enable if you use ipv6 -->
 			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
 			<Image condition="image">Spotify.exe</Image> <!--Spotify-->

From 34f3ff619468395cd0594c1c6a3f78d17c609466 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 21 Mar 2017 17:06:35 -0400
Subject: [PATCH 185/471] add smartgit exclusion

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 47d0a9be..974764dc 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -517,6 +517,7 @@
 			<Image condition="is">C:\Program Files (x86)\LabTech Client\LTClient.exe</Image>
 			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
+			<Image condition="begin with">C:\Program Files (x86)\SmartGit\</Image>
 		</NetworkConnect>
 
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY-->

From 5215027b7facf5063a6b24f0c8825c00f9732a93 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Fri, 24 Mar 2017 09:27:48 -0400
Subject: [PATCH 186/471] Localservice didnt have enough rights, SYSTEM ensures
 file gets updated.

---
 Install Sysmon.bat | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Install Sysmon.bat b/Install Sysmon.bat
index f79162e0..fb5a3034 100644
--- a/Install Sysmon.bat	
+++ b/Install Sysmon.bat	
@@ -23,6 +23,6 @@ sysmon64.exe -accepteula -i sysmonconfig-export.xml
 sc failure Sysmon actions= restart/10000/restart/10000// reset= 120
 echo [+] Sysmon Successfully Installed!
 echo [+] Creating Auto Update Task set to Hourly..
-SchTasks /Create /RU "NT AUTHORITY\LOCALSERVICE" /RL HIGHEST /SC HOURLY /TN Update_Sysmon_Rules /TR C:\ProgramData\sysmon\Auto_Update.bat /ST %tasktime%
+SchTasks /Create /RU SYSTEM /RL HIGHEST /SC HOURLY /TN Update_Sysmon_Rules /TR C:\ProgramData\sysmon\Auto_Update.bat /F /ST %tasktime%
 timeout /t 10
 exit
\ No newline at end of file

From 35d79d57970a05ab49e7a00f952114a712b07418 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Fri, 24 Mar 2017 17:02:05 -0400
Subject: [PATCH 187/471] exchange exclusion

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 974764dc..c8d483dc 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -114,6 +114,7 @@
 			<!--SECTION: Microsoft Exchange-->
 			<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe</ParentImage>
 			<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</ParentImage>
+			<CommandLine condition="contains">C:\Program Files\Microsoft\Exchange Server\V14\Scripts\CheckDatabaseRedundancy.ps1</CommandLine>
 			<!--SECTION: Microsoft Misc-->
 			<Image condition="is">C:\Windows\System32\ddpcli.exe</Image> <!--Scheduled dedupe jobs on server 2012-->
 			<!--SECTION: Google-->

From 96f0409a6dbf09b5de44428a60e34b1e2843b4d6 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 28 Mar 2017 13:21:20 -0400
Subject: [PATCH 188/471] exclusions

---
 sysmonconfig-export.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index c8d483dc..e0dc8610 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -89,6 +89,7 @@
 			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k NetworkService</CommandLine><!--Microsoft:Windows Network Services-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</CommandLine><!--Microsoft:Windows Network Services-->
 			<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k GPSvcGroup</CommandLine><!--Microsoft:Windows Network Services-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k tapisrv</CommandLine><!--Microsoft:Windows Network Services-->
 			<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k wsappx</ParentCommandLine> <!-- Windows 10 AppX Deployment Noise -->
 			<ParentCommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</ParentCommandLine><!--Microsoft:Windows Network Services: Spawns Consent.exe-->
 			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted</ParentCommandLine><!--Microsoft:Windows Network Services-->
@@ -220,6 +221,7 @@
 			<ParentCommandLine condition="contains">find /i "Listening"</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">netstat -an</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">tasklist</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">interface tcp show global</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">wmic path win32_operatingsystem get</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">sc queryex type= service</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe</ParentCommandLine> <!--ShadowProtect noise -->
@@ -519,6 +521,7 @@
 			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
 			<Image condition="begin with">C:\Program Files (x86)\SmartGit\</Image>
+			<Image condition="end with">DSPro\Programs\pr001Celery98.exe</Image>
 		</NetworkConnect>
 
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY-->

From 313108838f36c4113d8ae5c346665e82fcb35f5d Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 29 Mar 2017 15:58:18 -0400
Subject: [PATCH 189/471] no longer needed, check other repo

---
 Graylog_Content_Pack/new_content_pack.json | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 Graylog_Content_Pack/new_content_pack.json

diff --git a/Graylog_Content_Pack/new_content_pack.json b/Graylog_Content_Pack/new_content_pack.json
deleted file mode 100644
index ba945195..00000000
--- a/Graylog_Content_Pack/new_content_pack.json
+++ /dev/null
@@ -1 +0,0 @@
-{"name":"Sysmon Threat Intelligence","description":"Threat intelligence with Sysmon","category":"threat intel, dfir, sysmon","inputs":[],"streams":[],"outputs":[],"dashboards":[{"title":"Sysmon Threat Intelligence","description":"Windows Information Board","dashboard_widgets":[{"description":"Task (registered 24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_task","show_pie_chart":false,"query":"_exists_:sysmon_task","show_data_table":true},"col":4,"row":3,"height":2,"width":1},{"description":"Target Location (24h)","type":"org.graylog.plugins.map.widget.strategy.MapWidgetStrategy","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_dns_lookup_ip_geolocation","query":"_exists_:sysmon_dns_lookup_ip_geolocation"},"col":2,"row":1,"height":2,"width":2},{"description":"Integrity (24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_cmd_integrity","show_pie_chart":false,"query":"_exists_:sysmon_cmd_integrity","show_data_table":true},"col":4,"row":5,"height":2,"width":1},{"description":"DNS Lookup (24h)","type":"QUICKVALUES","cache_time":100,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_dns_lookup","show_pie_chart":false,"query":"_exists_:sysmon_dns_lookup","show_data_table":true},"col":1,"row":4,"height":3,"width":1},{"description":"Event ID (24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_event_id","show_pie_chart":true,"query":"_exists_:sysmon_event_id","show_data_table":false},"col":1,"row":2,"height":2,"width":1},{"description":"Programs (24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_data_process","show_pie_chart":false,"query":"_exists_:sysmon_data_process","show_data_table":true},"col":2,"row":3,"height":3,"width":1},{"description":"Threat Lookups (24h)","type":"SEARCH_RESULT_COUNT","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"lower_is_better":false,"trend":true,"query":"_exists_:sysmon_task AND _exists_:sysmon_dns_lookup_ip_threat_indicated"},"col":4,"row":1,"height":1,"width":1},{"description":"User Acting (24h)","type":"QUICKVALUES","cache_time":1000,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_user_type","show_pie_chart":false,"query":"_exists_: sysmon_user_type","show_data_table":true},"col":4,"row":2,"height":1,"width":1},{"description":"Threat Indicated (24h)","type":"SEARCH_RESULT_COUNT","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"lower_is_better":true,"trend":true,"query":"_exists_:sysmon_task AND sysmon_src_ip_threat_indicated:true"},"col":1,"row":1,"height":1,"width":1},{"description":"Unidentified Files Created","type":"QUICKVALUES","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_data_file_created","show_pie_chart":false,"query":"_exists_:sysmon_data_file_created","show_data_table":true},"col":5,"row":1,"height":3,"width":1},{"description":"Registry Change Locations","type":"QUICKVALUES","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_registry_object","show_pie_chart":false,"query":"_exists_:sysmon_registry_object","show_data_table":true},"col":5,"row":4,"height":3,"width":1},{"description":"Top Command Line Events","type":"QUICKVALUES","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_cmd_event","show_pie_chart":false,"query":"_exists_:sysmon_cmd_event","show_data_table":true},"col":3,"row":3,"height":3,"width":1},{"description":"Alternate Data Streams Detected","type":"QUICKVALUES","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"field":"sysmon_data_file_created","show_pie_chart":false,"query":"_exists_:sysmon_data_file_created AND sysmon_task:\"File stream created (rule: FileCreateStreamHash)\"","show_data_table":true},"col":2,"row":6,"height":3,"width":1}]}],"grok_patterns":[]}
\ No newline at end of file

From cf252ee57fe8e77737964134f477690500063043 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Fri, 31 Mar 2017 08:43:25 -0400
Subject: [PATCH 190/471] exclusions

---
 sysmonconfig-export.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e0dc8610..672850c2 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -251,6 +251,8 @@
 			<ParentCommandLine condition="contains">C:\Windows\LTSvc\LTSvcMon.exe -sLTService</ParentCommandLine>
 			<ParentImage condition="is">C:\Windows\LTSvc\LTSvcMon.exe</ParentImage>
 			<Image condition="is">C:\Windows\LTSvc\LTTray.exe</Image>
+			<ParentCommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall</ParentCommandLine>
+			<CommandLine condition="contains">interface tcp show global</CommandLine>
 			<!--END: Labtech-->
 			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->
 			<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
@@ -1057,6 +1059,11 @@
 			<TargetObject condition="end with">\FriendlyName</TargetObject> <!--Microsoft:Windows: New devices connected and remembered-->
 			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject> <!-- Detect Keyloggers & new Keyboards -->
+			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{955C0D7D-042E-4034-9D54-EBD52477A6DB}\</TargetObject> <!--Too much noise -->
+			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{BEACC58F-E643-4e97-B19E-95F6EE3500FA}\</TargetObject> <!--Too much noise -->
+			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{07598BD3-ABBE-4bee-959F-7B90253EADFF}\</TargetObject> <!--Too much noise -->
+			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{31240348-66EE-4F14-A42A-39F373A834C7}\</TargetObject> <!--Too much noise -->
+			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{8C8EC235-0786-4DAD-A957-1A6CD76C28F5}\</TargetObject> <!--Too much noise -->
 			<!-- NOTICE: Detect New USB Network Devices: Poison Tap - Creates lots of noise, disabled for now
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
 			-->

From 650fc77750bfc794600470e92193bcb0974ff52a Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Fri, 31 Mar 2017 10:05:48 -0400
Subject: [PATCH 191/471] pipe exclusions

---
 sysmonconfig-export.xml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 672850c2..7d02aff3 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1235,7 +1235,7 @@
 				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
 				<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
 			<!--SECTION: Microsoft-->
-			<PipeName condition="is">\lsass</PipeName>
+			<PipeName condition="contains">lsass</PipeName>
 			<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
 			<!--SECTION: Microsoft IIS -->
 			<PipeName condition="begin with">\M.E.C.Core.WinRMDataCommunicator.NamedPipe.</PipeName>
@@ -1359,7 +1359,10 @@
 			<PipeName condition="contains">pgsignal</PipeName> <!-- Postgres SQL -->
 			<PipeName condition="contains">MICROSOFT##WID\tsql\query</PipeName> <!-- Microsoft SQL writer-->
 			<PipeName condition="contains">TSVCPIPE-</PipeName> <!-- Terminal Services Pipe-->
-
+			<PipeName condition="contains">BB4BB19A178C25D1</PipeName>
+			<PipeName condition="contains">SQLAnywhereLRM</PipeName>
+			<PipeName condition="contains">SQLLocal</PipeName>
+			<PipeName condition="contains">DropboxPipe_</PipeName>
 		</PipeEvent>
 
 	</EventFiltering>

From 90582eb4a71d25fec56d16ba3240dff61343f779 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Fri, 31 Mar 2017 10:12:20 -0400
Subject: [PATCH 192/471] pipe exclusions

---
 sysmonconfig-export.xml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 7d02aff3..076c9d70 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1267,6 +1267,7 @@
 			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\ReplicationApp.exe</Image>
 			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\Application Sharing\ASMCUSvc.exe</Image>
 			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Replica Replicator Agent\ReplicaReplicatorAgent.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exe</Image>
 			<!--SECTION: Microsoft DFS Replication -->
 			<Image condition="is">C:\Windows\system32\DFSRs.exee</Image>
 			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
@@ -1357,12 +1358,22 @@
 			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Internet Explorer\vmware-vmrc.exe</Image>
 			<PipeName condition="contains">SQLAnywhereLRM</PipeName> <!-- Quickbooks -->
 			<PipeName condition="contains">pgsignal</PipeName> <!-- Postgres SQL -->
+			<Image condition="is">postgres.exe</Image>
 			<PipeName condition="contains">MICROSOFT##WID\tsql\query</PipeName> <!-- Microsoft SQL writer-->
 			<PipeName condition="contains">TSVCPIPE-</PipeName> <!-- Terminal Services Pipe-->
 			<PipeName condition="contains">BB4BB19A178C25D1</PipeName>
 			<PipeName condition="contains">SQLAnywhereLRM</PipeName>
 			<PipeName condition="contains">SQLLocal</PipeName>
 			<PipeName condition="contains">DropboxPipe_</PipeName>
+			<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel RMS License Manager\WinNT\mfcesd.exe</Image>
+			<Image condition="is">C:\Pfx Engagement\WM\PFXEngagement.exe</Image>
+			<Image condition="is">C:\Pfx Engagement\WM\PfxEngagement.exe</Image>
+			<Image condition="is">C:\Pfx Engagement\WM\Pfx.KnowledgeCoach.SharedServices.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Micro Focus\COBOL Server 2012\bin\mfds.exe</Image>
+			<Image condition="is">ScreenConnect.WindowsClient.exe</Image>
+			<Image condition="is">ScreenConnect.ClientService.exe</Image>
+			<Image condition="is">QBW32.EXE</Image>
 		</PipeEvent>
 
 	</EventFiltering>

From cfd4f2089a2bb4e273d29ff1e57b8e5a64515017 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Fri, 31 Mar 2017 11:05:21 -0400
Subject: [PATCH 193/471] silence domain login scripts

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 076c9d70..4547617a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -60,6 +60,7 @@
 			<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but without attribution-->
 			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
 			<Image condition="is">C:\Windows\system32\vssvc.exe</Image><!-- Microsoft Windows: Volume Shadow Copy Service -->
+			<CommandLine condition="contains">net use</CommandLine> <!-- Silence domain login scripts -->
 			<!--SECTION: Microsoft:Windows:Defender-->
 			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
 			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->

From 17934779552e21224c7ccffd57c38df6dc37a2d8 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 12 Apr 2017 10:47:42 -0400
Subject: [PATCH 194/471] Fix Webroot threat detection

---
 sysmonconfig-export.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 4547617a..c5974061 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -999,8 +999,8 @@
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
 			<!--Detect Threats from Webroot Antivirus-->
 			<!--Active threats show like so: c:\users\JohnDoe\downloads\w10privacy\w10privacy.exe|W32.Backdoor.Gen|5880BC38 Reg Key Location: HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active-->
-			<TargetObject condition="contains">HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active</TargetObject><!--Detect Active Threats-->
-			<TargetObject condition="contains">HKLM\SOFTWARE\WOW6432Node\WRData\Threats\History</TargetObject><!--Detect Threat History & Auto-Removed Threats-->
+			<TargetObject condition="contains">\WRData\Threats\Active</TargetObject><!--Detect Active Threats-->
+			<TargetObject condition="contains">\WRData\Threats\History</TargetObject><!--Detect Threat History & Auto-Removed Threats-->
 			<!--Detect Changes to Proxy Server Setting-->
 			<TargetObject condition="contains">HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
 			<!--Detect Browser Hijackers-->

From 9284c0caff438e109bcd7955153c5f5d9a8ff05d Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Tue, 8 Aug 2017 08:41:01 -0400
Subject: [PATCH 195/471] update

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index c5974061..669403a0 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -725,6 +725,8 @@
 			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
 			<TargetFilename condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
 			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
+			<TargetFilename condition="end with">.*proj</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
+			<TargetFilename condition="end with">.sln</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
 			<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
 			<TargetFilename condition="begin with">C:\Windows\System32\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
 			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->

From 873e28c1d81235bfd54efec0599b0c28deedec07 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Wed, 13 Sep 2017 10:08:59 -0400
Subject: [PATCH 196/471] Initial WMI Filtering

---
 sysmonconfig-export.xml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 669403a0..6f8eecc5 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -26,9 +26,11 @@
   NOTE:	"Image" is a technical term for a compiled binary file like an EXE or DLL. Also, it can match just the filename, or entire path.
 		"ProcessGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual process launches.
 		"LoginGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual user sessions.
+
+  FILTER REFERENCE: is,is not,contains,excludes,begin with,end with,less than,more than,image
 -->
 
-<Sysmon schemaversion="3.30">
+<Sysmon schemaversion="3.4">
 	<HashAlgorithms>sha256,imphash</HashAlgorithms>
 	<EventFiltering>
 
@@ -1378,6 +1380,11 @@
 			<Image condition="is">ScreenConnect.ClientService.exe</Image>
 			<Image condition="is">QBW32.EXE</Image>
 		</PipeEvent>
-
+	<!--SYSMON EVENT ID 19 / 20 / 21: WMI Filter / WMI Consumer / WMI Binding -->
+		<!--WMI Filter: UtcTime, EventType, Operation, User, EventNameSpace, Name, Query-->
+		<!--WMI Consumer: UtcTime, EventType, Operation, User, EventNameSpace, Name, Query, Type, Destination-->
+		<!--WMI Binding: UtcTime, EventType, Operation, User, Consumer, Filter-->
+		<WmiEvent onmatch="exclude">
+		</WmiEvent>
 	</EventFiltering>
 </Sysmon>

From c2023f7b5643606c0ce5dfe7ae9e0605813d95f1 Mon Sep 17 00:00:00 2001
From: def ccon <defconoii@gmail.com>
Date: Mon, 18 Sep 2017 14:05:01 -0400
Subject: [PATCH 197/471] Exclude: Trusted Driver/Library Loads.

---
 sysmonconfig-export.xml | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 6f8eecc5..ee1c9bf2 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -546,6 +546,7 @@
 		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
 				about what you exclude from monitoring. Low event volume, little incentive to exclude.-->
 			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft drivers-->
+			<Signature condition="is">Microsoft Windows</Signature> <!--Exclude signed Microsoft drivers-->
 			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft drivers-->
 			<Signature condition="begin with">Intel</Signature> <!--Exclude signed Intel drivers-->
 			<Signature condition="contains">Lenovo</Signature> <!--Exclude signed Lenovo drivers-->
@@ -559,7 +560,16 @@
 			<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech drivers-->
 			<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia drivers-->
 			<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed MSI drivers-->
-			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed MSI drivers-->
+			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed Fortinet drivers-->
+			<Signature condition="contains">Webroot</Signature> <!--Exclude signed Webroot drivers-->
+			<Signature condition="is">NoVirusThanks Company Srl</Signature> <!--Exclude signed drivers-->
+			<Signature condition="contains">Invincea</Signature> <!--Exclude signed drivers-->
+			<Signature condition="contains">ShoreTel</Signature> <!--Exclude signed drivers-->
+			<Signature condition="contains">Synology</Signature> <!--Exclude signed drivers-->
+			<Signature condition="contains">Citrix</Signature> <!--Exclude signed drivers-->
+			<Signature condition="contains">SonicWall</Signature> <!--Exclude signed drivers-->
+			<Signature condition="contains">Sophos</Signature> <!--Exclude signed drivers-->
+			<Signature condition="contains">OpenVPN</Signature> <!--Exclude signed drivers-->
 		</DriverLoad>
 
 	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS-->
@@ -614,7 +624,23 @@
 			<Signature condition="contains">Fortinet</Signature> -->
 		</ImageLoad>
 		<ImageLoad onmatch="exclude">
-			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
+			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft libraries-->
+			<Signature condition="is">Microsoft Windows</Signature> <!--Exclude signed Microsoft libraries-->
+			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft libraries-->
+			<Signature condition="begin with">Intel</Signature> <!--Exclude signed Intel libraries-->
+			<Signature condition="contains">Lenovo</Signature> <!--Exclude signed Lenovo libraries-->
+			<Signature condition="contains">Synaptic</Signature> <!--Exclude signed Synaptic libraries-->
+			<Signature condition="contains">Nvidia</Signature> <!--Exclude signed Nvidia libraries-->
+			<Signature condition="contains">Broadcom</Signature> <!--Exclude signed Broadcom libraries-->
+			<Signature condition="contains">AMD</Signature> <!--Exclude signed AMD libraries-->
+			<Signature condition="contains">VMware</Signature> <!--Exclude signed VMware libraries-->
+			<Signature condition="contains">Realtek</Signature> <!--Exclude signed Realtek libraries-->
+			<Signature condition="contains">Micro-Star</Signature> <!--Exclude signed MSI libraries-->
+			<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech libraries-->
+			<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia libraries-->
+			<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed MSI libraries-->
+			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed MSI libraries-->			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
+			<Signature condition="contains">Webroot</Signature> <!--Exclude signed MSI libraries-->			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
 			<Image condition="is">C:\Windows\System32\mmc.exe</Image>
 			<ImageLoaded condition="contains">C:\Program Files (x86)\SmartGit</ImageLoaded> <!--SmartGit-->
 			<ImageLoaded condition="contains">syntevo\SmartGit</ImageLoaded> <!--SmartGit-->

From d15a85f9e7979ef9d5adc34c432886cc3210ff72 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 4 Dec 2017 09:48:38 -0500
Subject: [PATCH 198/471] Misc updates

---
 sysmonconfig-export.xml | 73 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 64 insertions(+), 9 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ee1c9bf2..5ca43ea8 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -281,7 +281,6 @@
 			<ParentImage condition="is">C:\PostgreSQL9.1\bin\postgres.exe</ParentImage> <!-- eFolder Anchor Server -->
 			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Anchor Server -->
 		</ProcessCreate>
-
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM-->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->
 		<FileCreateTime onmatch="include">
@@ -581,12 +580,12 @@
 			<ImageLoaded condition="contains">C:\windows\system32\fxsst.dll </ImageLoaded> <!-- CIA Vault7 Leak: Fax DLL Injection -->
 			<ImageLoaded condition="contains">C:\Windows\System32\wbem\oci.dll</ImageLoaded> <!-- CIA Vault7 Leak: Distributed Transaction Coordinator DLL Injection -->
 			<!-- Mimikatz Detection -->
-			<ImageLoaded condition="is">C:\Windows\System32\WinSCard.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
-			<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
-			<ImageLoaded condition="is">C:\Windows\System32\hid.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
-			<ImageLoaded condition="is">C:\Windows\System32\samlib.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
-			<ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
-			<ImageLoaded condition="is">WMINet_Utils.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<!-- <ImageLoaded condition="is">C:\Windows\System32\WinSCard.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<!-- <ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<!-- <ImageLoaded condition="is">C:\Windows\System32\hid.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<!-- <ImageLoaded condition="is">C:\Windows\System32\samlib.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<!-- <ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<!-- <ImageLoaded condition="is">WMINet_Utils.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
 			<ImageLoaded condition="contains">\Temp\</ImageLoaded>
 			<!-- END: Mimikatz Detection -->
 		<!--COMMENT:	Can cause high system load, disabled by default, important examples included below.-->
@@ -639,11 +638,19 @@
 			<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech libraries-->
 			<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia libraries-->
 			<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed MSI libraries-->
-			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed MSI libraries-->			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
-			<Signature condition="contains">Webroot</Signature> <!--Exclude signed MSI libraries-->			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
+			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed MSI libraries-->
+			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
+			<Signature condition="contains">Webroot</Signature> <!--Exclude signed MSI libraries-->
+			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
 			<Image condition="is">C:\Windows\System32\mmc.exe</Image>
+			<Image condition="is">C:\Windows\System32\SearchFilterHost.exe</Image>
+			<Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image>
+			<ImageLoaded condition="end with">samlib.dll</ImageLoaded>
 			<ImageLoaded condition="contains">C:\Program Files (x86)\SmartGit</ImageLoaded> <!--SmartGit-->
 			<ImageLoaded condition="contains">syntevo\SmartGit</ImageLoaded> <!--SmartGit-->
+			<ImageLoaded condition="contains">Labtech Client</ImageLoaded>
+			<ImageLoaded condition="contains">CrystalDecisions</ImageLoaded>
+			<ImageLoaded condition="contains">ShoreWare</ImageLoaded>
 			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <!-- Windows Store apps unsigned -->
 			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
 			<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: Not good for security but good on cutting down the noise, we do log dropped dll's -->
@@ -729,17 +736,29 @@
 			<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments--> <!--PRIVACY WARNING-->
 			<TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE--> <!--PRIVACY WARNING-->
 			<TargetFilename condition="end with">.dll</TargetFilename> <!-- Lets detect DLL's being dropped in locations and to detect DLL Search Order Hijacking -->
+			<TargetFilename condition="end with">.ocx</TargetFilename>
 			<TargetFilename condition="end with">.sys</TargetFilename> <!-- Lets detect Drivers's being dropped in locations -->
 			<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
 			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
 			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
 			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
+			<TargetFilename condition="end with">.com</TargetFilename> <!--Batch scripting: Batch scripts can also use the .com extension -->
+			<TargetFilename condition="end with">.btm</TargetFilename> <!--Batch scripting: Batch scripts can also use the .btm extension -->
 			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
 			<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
 			<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
 			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
+			<TargetFilename condition="end with">.ws</TargetFilename> <!--Scripting-->
+			<TargetFilename condition="end with">.wsf</TargetFilename> <!--Scripting-->
+			<TargetFilename condition="end with">.wsh</TargetFilename> <!--Scripting-->
 			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
 			<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
+			<TargetFilename condition="end with">.ps1xml</TargetFilename> <!--PowerShell's other file extensions: -->
+			<TargetFilename condition="end with">.psc1</TargetFilename> <!--PowerShell's other file extensions: -->
+			<TargetFilename condition="end with">.psd1</TargetFilename> <!--PowerShell's other file extensions: -->
+			<TargetFilename condition="end with">.psm1</TargetFilename> <!--PowerShell's other file extensions: -->
+			<TargetFilename condition="end with">.pssc</TargetFilename> <!--PowerShell's other file extensions: -->
+			<TargetFilename condition="end with">.cdxml</TargetFilename> <!--PowerShell's other file extensions: -->
 			<TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
 			<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry files-->
 			<TargetFilename condition="end with">.docm</TargetFilename> <!--Office Macros-->
@@ -753,6 +772,9 @@
 			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
 			<TargetFilename condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
 			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
+			<TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting-->
+			<TargetFilename condition="end with">.vbsript</TargetFilename> <!--VisualBasicScripting-->
+			<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting-->
 			<TargetFilename condition="end with">.*proj</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
 			<TargetFilename condition="end with">.sln</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
 			<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
@@ -769,6 +791,23 @@
 			<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks -->
 			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
 			<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename> <!--Microsoft: Files dropped here -->
+			<!--SECTION: Other suspicious file types to monitor-->
+			<TargetFilename condition="end with">.ICL</TargetFilename>
+			<TargetFilename condition="end with">.FON</TargetFilename>
+			<TargetFilename condition="end with">.FOT</TargetFilename>
+			<TargetFilename condition="end with">.ico</TargetFilename>
+			<TargetFilename condition="end with">.lnk</TargetFilename>
+			<TargetFilename condition="end with">.eml</TargetFilename>
+			<TargetFilename condition="end with">.msg</TargetFilename>
+			<TargetFilename condition="end with">.msg</TargetFilename>
+			<TargetFilename condition="end with">.SCT</TargetFilename>
+			<TargetFilename condition="end with">.SCR</TargetFilename>
+			<TargetFilename condition="end with">.SHB</TargetFilename>
+			<TargetFilename condition="end with">.SHS</TargetFilename>
+			<TargetFilename condition="end with">.PAF</TargetFilename>
+			<TargetFilename condition="end with">.JSE</TargetFilename>
+			<TargetFilename condition="end with">.gadget</TargetFilename>
+			<TargetFilename condition="end with">.cpl</TargetFilename>
 			<!--SECTION: Ransomware-->
 			<TargetFilename condition="contains">help_decrypt</TargetFilename>
 			<TargetFilename condition="contains">help_restore</TargetFilename>
@@ -1058,6 +1097,8 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable</TargetObject>
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject> <!-- Detect disabling of machine password change -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject> <!-- Causes the domain controller to refuse password change requests only from workstations or member servers -->
 			<!-- Detect Root Certificate Store Hijacking and Unauthorized changes -->
 			<!-- Lots of noise from multiple locations, need a better monitor
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates</TargetObject>
@@ -1095,6 +1136,7 @@
 			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{07598BD3-ABBE-4bee-959F-7B90253EADFF}\</TargetObject> <!--Too much noise -->
 			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{31240348-66EE-4F14-A42A-39F373A834C7}\</TargetObject> <!--Too much noise -->
 			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{8C8EC235-0786-4DAD-A957-1A6CD76C28F5}\</TargetObject> <!--Too much noise -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject> <!-- Detect: Dns Server dll injection -->
 			<!-- NOTICE: Detect New USB Network Devices: Poison Tap - Creates lots of noise, disabled for now
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
 			-->
@@ -1349,16 +1391,29 @@
 			<!--SECTION: EnPass-->
 			<PipeName condition="contains">qtsingleapp-enpass-</PipeName>
 			<Image condition="contains">qtsingleapp-enpass-</Image>
+			<!--SECTION: RoyalTS-->
+			<PipeName condition="contains">eo.ipc.</PipeName>
+			<!--SECTION: Windows Firewall Control-->
+			<Image condition="is">C:\Program Files\Windows Firewall Control\wfc.exe</Image>
 			<!--SECTION: Everything Search-->
 			<PipeName condition="contains">Everything Service</PipeName>
 			<PipeName condition="contains">anchor_gui_agent</PipeName>
+			<!--SECTION: Adobe-->
+			<Image condition="is">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image>
 			<!--SECTION: Lenovo-->
 			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\SUService.exe</Image>
 			<Image condition="is">C:\Program Files\Common Files\VMware\DeviceRedirectionCommon\ftnlsv.exe</Image>
 			<Image condition="is">C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe</Image>
 			<Image condition="is">C:\Program Files\Lenovo\HOTKEY\shtctky.exe</Image>
+			<Image condition="is">C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE</Image>
 			<Image condition="is">C:\Windows\System32\LPlatSvc.exe</Image>
+			<Image condition="is">C:\PROGRA~1\Lenovo\HOTKEY\TPOSD.EXE</Image>
+			<Image condition="is">C:\Program Files (x86)\Lenovo\iMController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe</Image>
+			<!--SECTION: Fortinet-->
+			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiSSLVPNdaemon.exe</Image>
+			<!--SECTION: Sophos VPN Client-->
+			<Image condition="is">c:\program files (x86)\sophos\sophos ssl vpn client\bin\openvpnserv.exe</Image>
 			<!--SECTION: Labtech-->
 			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
 			<Image condition="contains">ScreenConnect.WindowsClient.exe</Image>

From d7eb8c9be7b621a286a4e6497a9bef3dc51b2575 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 4 Dec 2017 10:26:28 -0500
Subject: [PATCH 199/471] Misc Updates

---
 sysmonconfig-export.xml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 5ca43ea8..482c4745 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -577,7 +577,7 @@
 			<Signed condition="is">false</Signed> <!-- Lets Only show Unsigned DLL's loaded-->
 			<SignatureStatus condition="is">Invalid</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
 			<SignatureStatus condition="is">Unavailable</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
-			<ImageLoaded condition="contains">C:\windows\system32\fxsst.dll </ImageLoaded> <!-- CIA Vault7 Leak: Fax DLL Injection -->
+			<ImageLoaded condition="contains">C:\windows\system32\fxsst.dll</ImageLoaded> <!-- CIA Vault7 Leak: Fax DLL Injection -->
 			<ImageLoaded condition="contains">C:\Windows\System32\wbem\oci.dll</ImageLoaded> <!-- CIA Vault7 Leak: Distributed Transaction Coordinator DLL Injection -->
 			<!-- Mimikatz Detection -->
 			<!-- <ImageLoaded condition="is">C:\Windows\System32\WinSCard.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
@@ -623,6 +623,8 @@
 			<Signature condition="contains">Fortinet</Signature> -->
 		</ImageLoad>
 		<ImageLoad onmatch="exclude">
+			<SignatureStatus condition="is">Valid</SignatureStatus>
+			<ImageLoaded condition="is">C:\Windows\System32\samlib.dll</ImageLoaded> <!-- Spam -->
 			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft libraries-->
 			<Signature condition="is">Microsoft Windows</Signature> <!--Exclude signed Microsoft libraries-->
 			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft libraries-->
@@ -747,6 +749,7 @@
 			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
 			<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
 			<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
+			<TargetFilename condition="end with">.msc</TargetFilename> <!--Executable-->
 			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
 			<TargetFilename condition="end with">.ws</TargetFilename> <!--Scripting-->
 			<TargetFilename condition="end with">.wsf</TargetFilename> <!--Scripting-->
@@ -775,6 +778,8 @@
 			<TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting-->
 			<TargetFilename condition="end with">.vbsript</TargetFilename> <!--VisualBasicScripting-->
 			<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting-->
+			<TargetFilename condition="end with">.js</TargetFilename> <!--Java Scripting-->
+			<TargetFilename condition="end with">.jse</TargetFilename> <!--Java Scripting-->
 			<TargetFilename condition="end with">.*proj</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
 			<TargetFilename condition="end with">.sln</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
 			<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
@@ -808,6 +813,7 @@
 			<TargetFilename condition="end with">.JSE</TargetFilename>
 			<TargetFilename condition="end with">.gadget</TargetFilename>
 			<TargetFilename condition="end with">.cpl</TargetFilename>
+			<TargetFilename condition="end with">.inf</TargetFilename>
 			<!--SECTION: Ransomware-->
 			<TargetFilename condition="contains">help_decrypt</TargetFilename>
 			<TargetFilename condition="contains">help_restore</TargetFilename>

From c948ae1db58cb86be7b6d32285b46cab09fadb3b Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 25 Jan 2018 08:03:33 -0500
Subject: [PATCH 200/471] Misc updates

---
 sysmonconfig-export.xml | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 482c4745..6e107541 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -30,8 +30,8 @@
   FILTER REFERENCE: is,is not,contains,excludes,begin with,end with,less than,more than,image
 -->
 
-<Sysmon schemaversion="3.4">
-	<HashAlgorithms>sha256,imphash</HashAlgorithms>
+<Sysmon schemaversion="4.0">
+	<HashAlgorithms>SHA256,IMPHASH</HashAlgorithms>
 	<EventFiltering>
 
 	<!--SYSMON EVENT ID 1 : PROCESS CREATION-->
@@ -285,6 +285,7 @@
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->
 		<FileCreateTime onmatch="include">
 			<Image condition="begin with">C:\Users</Image> <!--Look for timestomping in user area-->
+			<Image condition="begin with">C:\ProgramData</Image> <!--Look for timestomping in user area-->
 		</FileCreateTime>
 		<FileCreateTime onmatch="exclude">
 			<Image condition="image">OneDrive.exe</Image> <!--OneDrive constantly changes file times-->
@@ -537,6 +538,9 @@
 		<ProcessTerminate onmatch="include">
 		<!--COMMENT:	Useful data in building infection timelines.-->
 			<Image condition="begin with">C:\Users</Image> <!--Process terminations by user binaries-->
+			<Image condition="begin with">C:\ProgramData</Image> <!--Process terminations by user binaries-->
+			<Image condition="begin with">C:\Windows\Temp</Image> <!--Process terminations by user binaries-->
+			<Image condition="end with">Sysmon.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec-->
 		</ProcessTerminate>
 
 	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL-->
@@ -624,7 +628,8 @@
 		</ImageLoad>
 		<ImageLoad onmatch="exclude">
 			<SignatureStatus condition="is">Valid</SignatureStatus>
-			<ImageLoaded condition="is">C:\Windows\System32\samlib.dll</ImageLoaded> <!-- Spam -->
+			<ImageLoaded condition="end with">System32\samlib.dll</ImageLoaded> <!-- Spam -->
+			<ImageLoaded condition="end with">System32\cryptdll.dlll</ImageLoaded> <!-- Spam -->
 			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft libraries-->
 			<Signature condition="is">Microsoft Windows</Signature> <!--Exclude signed Microsoft libraries-->
 			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft libraries-->
@@ -929,6 +934,7 @@
 			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlCsdWhitelist.store_new</TargetFilename>
 			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlCsdDownloadWhitelist.store_new</TargetFilename>
 			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\CertCsdDownloadWhitelist.store_new</TargetFilename>
+			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
 		</FileCreate>
 
 	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION-->
@@ -948,6 +954,8 @@
 				<!--ADDITIONAL REFERENCE: [ http://www.ghacks.net/2016/06/04/windows-automatic-startup-locations/ ] -->
 				<!--ADDITIONAL REFERENCE: [ https://view.officeapps.live.com/op/view.aspx?src=https://arsenalrecon.com/downloads/resources/Registry_Keys_Related_to_Autorun.ods ] -->
 				<!--ADDITIONAL REFERENCE: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject condition="contains">SysmonDrv</TargetObject> <!--Add additional logging to self to see modifications -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters\Rules</TargetObject> <!--Add additional logging to self to see modifications -->
 			<TargetObject condition="contains">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Run keys, incld RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
 			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts-->
 			<TargetObject condition="contains">\Windows\System\Scripts</TargetObject> <!--Microsoft:Windows: Logon, Loggoff, Shutdown-->
@@ -1244,11 +1252,14 @@
 
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED-->
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
-		<FileCreateStreamHash onmatch="include">
 		<!--COMMENT:	Any files created with an NTFS Alternate Data Stream which match these rules will be hashed and logged.
 				[ https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/ ]
 				ADS's are used by browsers and email clients to mark files as originating from the Internet or other foreign sources.
 				[ https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/ ] -->
+		<FileCreateStreamHash onmatch="exclude">
+			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
+		</FileCreateStreamHash>
+		<FileCreateStreamHash onmatch="include">
 			<TargetFilename condition="contains">Content.Outlook</TargetFilename> <!--Microsoft:Outlook: Attachments--> <!--PRIVACY WARNING-->
 			<TargetFilename condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
 			<TargetFilename condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
@@ -1405,7 +1416,7 @@
 			<PipeName condition="contains">Everything Service</PipeName>
 			<PipeName condition="contains">anchor_gui_agent</PipeName>
 			<!--SECTION: Adobe-->
-			<Image condition="is">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image>
+			<Image condition="end with">Adobe\ARM\1.0\AdobeARM.exe</Image>
 			<!--SECTION: Lenovo-->
 			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\SUService.exe</Image>
 			<Image condition="is">C:\Program Files\Common Files\VMware\DeviceRedirectionCommon\ftnlsv.exe</Image>
@@ -1424,6 +1435,9 @@
 			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
 			<Image condition="contains">ScreenConnect.WindowsClient.exe</Image>
 			<Image condition="contains">ScreenConnect.ClientService.exe</Image>
+			<!--SECTION: N-Able -->
+			<Image condition="end with">N-able Technologies\Windows Agent\bin\agent.exe</Image>
+			<Image condition="end with">N-able Technologies\AVDefender\EPIntegrationService.exe</Image>
 			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
 			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn.exe</Image>
 			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpnserv.exe</Image>

From cb360262380758c4cbd547c3c4447c5635aac0d8 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 25 Jan 2018 09:19:52 -0500
Subject: [PATCH 201/471] Massive Update

---
 sysmonconfig-export.xml | 332 ++++++++++++++++++++++++++++++++--------
 1 file changed, 265 insertions(+), 67 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 6e107541..60ae92a6 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -5,41 +5,72 @@
   Master project:	https://github.com/SwiftOnSecurity/sysmon-config
   Master license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
 
-  Fork version:	100
+  Fork version:	150
   Fork author:	ionstorm
   Fork project:	https://github.com/ion-storm/sysmon-config
   Fork license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
 
-  REQUIRED: Sysmon version 6.00 or higher (due to changes in registry syntax)
-	https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
+  REQUIRED: Sysmon version 7.01 or higher (due to changes in registry syntax and bug-fixes)
+	https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
+	Note that 6.03 and 7.01 have critical fixes for filtering, it's recommended you stay updated.
 
-  NOTE: Although this is stable and inclusive, you should periodically check for new versions to ensure best coverage.
+  NOTE: To collect Sysmon logs centrally for free, see https://aka.ms/WEF. Will need to run command to allow log access to the Network Service:
+	wevtutil.exe sl Microsoft-Windows-Sysmon/Operational /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)
 
-  NOTE: Do not let the imposing size and complexity of this configuration scare you off building your own or customizing it.
-	This configuration is based around known high-quality event tracing, and thus looks extremely complicated.
-	Sysmon configurations only have to be a few lines, but significant effort has been invested in front-loading as
-	much filtering as possible onto the client. This is to make analysis of intrusions possible by hand, and try to
-	surface anomalous activity as quickly as possible to any technician armed only with Event Viewer.
-  
-  NOTE: There is best-effort support for 32-bit systems, but it's not a test scenario and will require your own tuning.
+  NOTE: Do not let the size and complexity of this configuration discourage you from customizing this or building your own.
+	This configuration is based around known, high-signal event tracing, and thus appears complicated, but it's only very
+	detailed. Significant effort over years has been invested in front-loading as much filtering as possible onto the
+	client. This is to make analysis of intrusions possible by hand, and to try to surface anomalous activity as quickly
+	as possible to any technician armed only with Event Viewer. Its purpose is to democratize system monitoring for all organizations.
 
-  NOTE:	"Image" is a technical term for a compiled binary file like an EXE or DLL. Also, it can match just the filename, or entire path.
-		"ProcessGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual process launches.
-		"LoginGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual user sessions.
+  NOTE: Sysmon is NOT a whitelist solution or HIDS engine, it is a computer change and event logging tool with very basic exclude rules.
+	Do NOT ignore everything possible. Sysmon's purpose is providing context during a threat or problem investigation. Legitimate
+	processes are routinely used by threats - do not blindly exclude them. Additionally, be mindful of process-hollowing / imitation.
 
-  FILTER REFERENCE: is,is not,contains,excludes,begin with,end with,less than,more than,image
+  NOTE: Sysmon is not hardened against an attacker with admin rights. Additionally, this configuration offers an attacker, willing
+	to study it, many ways to evade some of the logging. If you are in a high-threat environment, you should consider a much broader
+	log-most approach. However, in the vast majority of cases, an attacker will bumble along through multiple behavioral traps which
+	this configuration monitors, especially in the first minutes.
+
+  TECHNICAL:
+  - Run sysmon.exe -? for a briefing on Sysmon configuration.
+  - Sysmon does not support nested/multi-conditional rules. There are only blanket INCLUDE and EXCLUDE. "Exclude" rules override "Include" rules.
+  - If you only specify exclude for a filtering subsection, everything in that subsection is logged by default.
+  - Some Sysmon monitoring abilities are not meant for general-purpose use due to their large performance impact, such as ProcessAccess.
+  - Duplicate or overlapping "Include" rules do not result in duplicate events being logged.
+  - All characters enclosed by XML tags are always interpreted literally. Sysmon does not support wildcards (*), alternate characters, or RegEx.
+  - In registry events, the value name is appended to the full key path with a "\" delimiter. Default key values are named "\(Default)"
+  - "Image" is a technical term for a compiled binary file like an EXE or DLL. Also, it can match just the filename, or entire path.
+  - "ProcessGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual process launches. Cleared on service restart.
+  - "LoginGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual user sessions. Cleared on service restart.
+  - Sysmon does not track which rule caused an event to be logged.
+
+  TECHNICAL: Filter conditions available for use are: is, is not, contains, excludes, begin with, end with, less than, more than, image
+  - The "image" filter is usable with any field. Same as "is" but can either match the entire string, or only the text after the last "\" in the string. Credit: @mattifestation
+
+  PERFORMANCE: By using "end with" you can save performance by starting a string match at the end of a line, which usually triggers earlier.
 -->
 
-<Sysmon schemaversion="4.0">
-	<HashAlgorithms>SHA256,IMPHASH</HashAlgorithms>
+<Sysmon schemaversion="4.00">
+	<!--SYSMON META CONFIG-->
+	<HashAlgorithms>md5,sha256</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
+	<CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->
+
+	<!-- <ImageLoad/> --> <!-- Would manually force-on ImageLoad monitoring, even without configuration below. Included only documentation. -->
+	<!-- <ProcessAccessConfig/> --> <!-- Would manually force-on ProcessAccess monitoring, even without configuration below. Included only documentation. -->
+	<!-- <PipeMonitoringConfig/> --> <!-- Would manually force-on PipeCreated / PipeConnected events, even without configuration below. Included only documentation. -->
+
 	<EventFiltering>
 
-	<!--SYSMON EVENT ID 1 : PROCESS CREATION-->
-		<!--DATA: UtcTime, ProcessGuid, ProcessID, Image, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
-		<ProcessCreate onmatch="exclude">
+	<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
 		<!--COMMENT:	All process launched will be included, except for what matches a rule below. It's best to be as specific as possible, to
-				avoid user-mode executables imitating other process names to avoid logging, or if malware drops files in an existing directory.
-				Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created.-->
+			avoid user-mode executables imitating other process names to avoid logging, or if malware drops files in an existing directory.
+			Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created.
+			Beware of Masquerading, where attackers imitate the names and paths of legitimate tools. Ideally, you'd use both file path and
+			code signatures to validate, but Sysmon does not support that. Look into Windows Device Guard for whitelisting support. -->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
+		<ProcessCreate onmatch="exclude">
 			<!--SECTION: Microsoft Windows-->
 			<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes-->
 			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
@@ -86,7 +117,48 @@
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k swprv</CommandLine><!--Microsoft:Software Shadow Copy Provider-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k imgsvc</CommandLine><!--Microsoft:The Windows Image Acquisition Service-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k NetworkServiceNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNoNetwork</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -p -s NcaSvc</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC</CommandLine> <!--Microsoft:Windows:Network: BitLocker Drive Encryption-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s BITS</CommandLine> <!--Microsoft:Windows:Network: Background Intelligent File Transfer (BITS) -->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc</CommandLine> <!--Microsoft:Windows: Network services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s SENS</CommandLine> <!--Microsoft:Windows: Network services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv</CommandLine> <!--Microsoft:Windows: Network services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s Themes</CommandLine> <!--Microsoft:Windows: Network services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt</CommandLine> <!--Microsoft:Windows: Windows Management Instrumentation (WMI) -->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s gpsvc</CommandLine> <!--Microsoft:Windows:Network: Group Policy -->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs</CommandLine> <!--Microsoft:Windows: Network services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s Dnscache</CommandLine> <!--Microsoft:Windows:Network: DNS caching, other uses -->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation</CommandLine> <!--Microsoft:Windows:Network: "Workstation" service, used for SMB file-sharing connections and RDP-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s NlaSvc</CommandLine> <!--Microsoft:Windows:Network: Network Location Awareness-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s TermService</CommandLine> <!--Microsoft:Windows:Network: Terminal Services (RDP)-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService</CommandLine> <!--Microsoft:Windows: Network services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k rPCSS</CommandLine> <!--Microsoft:Windows Services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k secsvcs</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k swprv</CommandLine> <!--Microsoft:Software Shadow Copy Provider-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k unistackSvcGroup</CommandLine> <!--Microsoft:Windows 10-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k utcsvc</CommandLine> <!--Microsoft:Windows Services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wbioSvcGroup</CommandLine> <!--Microsoft:Windows Services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k werSvcGroup</CommandLine> <!--Microsoft:Windows: ErrorReporting-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wsappx</CommandLine> <!--Microsoft:Windows 10-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
 			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation</CommandLine><!--Microsoft:Windows Network Services-->
 			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k NetworkService</CommandLine><!--Microsoft:Windows Network Services-->
@@ -114,7 +186,13 @@
 			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process-->
 			<ParentImage condition="end with">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process-->
 			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> <!--Microsoft:Office: Background process-->
+			<Image condition="is">C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
 			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
+			<Image condition="is">C:\Program Files\Microsoft Office\Office15\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
+			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
+			<Image condition="is">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
+			<!--SECTION: Microsoft:Windows: Media player-->
+			<Image condition="is">C:\Program Files\Windows Media Player\wmpnscfg.exe</Image> <!--Microsoft:Windows: Windows Media Player Network Sharing Service Configuration Application-->
 			<!--SECTION: Microsoft Exchange-->
 			<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe</ParentImage>
 			<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</ParentImage>
@@ -136,6 +214,15 @@
 			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
 			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
 			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image>
+			<!--SECTION: Adobe:Acrobat DC-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
+			<!--SECTION: Adobe:Acrobat 2015-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
+			<!--SECTION: Adobe:Acrobat Reader DC-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
 			<!--SECTION: Adobe:Flash-->
 			<Image condition="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
 			<!--SECTION: Adobe:Updater-->
@@ -152,6 +239,8 @@
 			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image>
 			<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</ParentImage>
 			<!--SECTION: Adobe:Creative Cloud-->
+			<!--SECTION: Cisco-->
+			<ParentImage condition="end with">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</ParentImage> <!--Cisco: Calls netsh to change settings on connect-->
 			<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
 			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
 			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage>
@@ -170,6 +259,10 @@
 			<Image condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> <!--Dropbox:Updater: Lots of command-line arguments-->
 			<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
 			<!--SECTION: Dell-->
+			<ParentImage condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
+			<Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image> <!--Dell:SupportAssist: routine actions-->
+			<Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image> <!--Dell:SupportAssist: routine actions-->
+			<ParentCommandLine condition="end with">"-outc=C:\ProgramData\Dell\CommandUpdate\inventory.xml" "-logc=C:\ProgramData\Dell\CommandUpdate\scanerrs.xml" "-lang=en" "-enc=UTF-16" </ParentCommandLine>			
 			<!-- <ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> --> <!--Dell:CommandUpdate: Detection process-->
 			<!--SECTION: Lenovo-->
 			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\ConfigService.exe</Image> <!--Lenovo: System Update-->
@@ -281,13 +374,19 @@
 			<ParentImage condition="is">C:\PostgreSQL9.1\bin\postgres.exe</ParentImage> <!-- eFolder Anchor Server -->
 			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Anchor Server -->
 		</ProcessCreate>
-	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM-->
+
+	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
+		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1099 ] -->
+
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->
 		<FileCreateTime onmatch="include">
 			<Image condition="begin with">C:\Users</Image> <!--Look for timestomping in user area-->
 			<Image condition="begin with">C:\ProgramData</Image> <!--Look for timestomping in user area-->
 		</FileCreateTime>
+
 		<FileCreateTime onmatch="exclude">
+			<Image condition="image">C:\Windows\system32\backgroundTaskHost.exe</Image>
+			<Image condition="is">TrustedInstaller.exe</Image> <!--Ignore setups-->
 			<Image condition="image">OneDrive.exe</Image> <!--OneDrive constantly changes file times-->
 			<Image condition="image">vivaldi.exe</Image> <!--Vivaldi constantly changes file times-->
 			<Image condition="image">chrome.exe</Image> <!--Chrome constantly changes file times-->
@@ -295,13 +394,16 @@
 			<Image condition="contains">setup</Image> <!--Ignore setups-->
 		</FileCreateTime>
 
-	<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED-->
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIP, DestinationHostname, DestinationPort, DestinationPortName-->
+	<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
+		<!--COMMENT:	By default this configuration takes a very conservative approach to network logging, limited to only extremely high-signal events.-->
+		<!--COMMENT:	[ https://attack.mitre.org/wiki/Command_and_Control ] [ https://attack.mitre.org/wiki/Exfiltration ] [ https://attack.mitre.org/wiki/Lateral_Movement ] -->
+		<!--TECHNICAL:	For the DestinationHostname, Sysmon uses the GetNameInfo API, which will often not have any information, and may just be a CDN. This is NOT reliable for filtering.-->
+		<!--TECHNICAL:	For the DestinationPortName, Sysmon uses the GetNameInfo API for the friendly name of ports you see in logs.-->
+		<!--TECHNICAL:	These exe do not initiate their connections, and thus including does not work in this section: BITSADMIN.exe-->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName-->
 		<NetworkConnect onmatch="include">
-		<!--COMMENT:	Takes a very conservative approach to network logging, limit to extremely high-signal events.-->
-		<!--TECHNICAL:	For the DestinationHostname, Sysmon uses the GetNameInfo API, which may not always have the information or may be a CDN. Using that field is best-effort only.-->
-		<!--TECHNICAL:	These exe's do not initiate their connections, and cannot be included: BITSADMIN-->
-			<!--Suspicious sources-->
+			<!--Suspicious sources for network-connecting binaries-->
 			<Image condition="begin with">C:\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
 			<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
 			<Image condition="begin with">C:\Windows\Temp</Image> <!--Suspicious anything would communicate from the system-level temp directory-->
@@ -325,6 +427,7 @@
 			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
+			<Image condition="image">regsvcs.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ] -->
 			<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Windows Services hidden by Svchost.exe, BITS File Transfer program-->
 			<Image condition="image">mshta.exe</Image>
 			<Image condition="image">powershell.exe</Image> <!--Microsoft:WindowsPowerShell: | Credit @Cyb3rOps -->
@@ -334,6 +437,7 @@
 			<Image condition="contains">psservice</Image><!--Detect PsService-->
 			<Image condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
 			<Image condition="image">java.exe</Image>
+			<Image condition="image">msbuild.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
 			<Image condition="image">installutil.exe</Image>
 			<Image condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
 			<Image condition="image">reg.exe</Image><!-- Remote Registry -->
@@ -350,10 +454,13 @@
 			<Image condition="image">nbtstat.exe</Image><!-- Netbios stat-->
 			<Image condition="image">dsquery.exe</Image><!-- Query domain-->
 			<Image condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
+			<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
 			<Image condition="image">sc.exe</Image><!-- Service Control Manager-->
 			<Image condition="image">auditpol.exe</Image><!-- Auditpol-->
 			<Image condition="image">qwinsta.exe</Image><!-- Query Remote Sessions-->
 			<Image condition="image">rwinsta.exe</Image><!-- Reset Remote Sessions-->
+			<!--Tor-->
+			<Image condition="image">tor.exe</Image><!-- Tor-->
 			<!--Hack tools hosting-->
 			<DestinationHostname condition="end with">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
 			<DestinationHostname condition="end with">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
@@ -471,6 +578,10 @@
 			<DestinationPort condition="is">7210</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
 			<DestinationPort condition="is">4040</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
 			<DestinationPort condition="is">9943</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<!--Ports: Threats-->
+			<DestinationPort condition="is">7777</DestinationPort> <!-- https://www.hybrid-analysis.com/search?query=port:7777 -->
+			<DestinationPort condition="is">9943</DestinationPort> <!-- https://www.hybrid-analysis.com/search?query=port:9943 -->
+			<DestinationPort condition="is">666</DestinationPort> <!-- https://www.hybrid-analysis.com/search?query=port:666 -->
 		</NetworkConnect>
 		<NetworkConnect onmatch="exclude">
 			<!--SECTION: Microsoft -->
@@ -527,13 +638,19 @@
 			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
 			<Image condition="begin with">C:\Program Files (x86)\SmartGit\</Image>
 			<Image condition="end with">DSPro\Programs\pr001Celery98.exe</Image>
+			<Image condition="image">g2ax_comm_expert.exe</Image> <!--GoToMeeting-->
+			<Image condition="image">g2mcomm.exe</Image> <!--GoToMeeting-->
+			<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image> <!--Microsoft: Teams-->
 		</NetworkConnect>
 
-	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY-->
+	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->
+
 		<!--DATA: UtcTime, State, Version, SchemaVersion-->
 		<!--Cannot be filtered.-->
 
-	<!--SYSMON EVENT ID 5 : PROCESS ENDED-->
+	<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
+		<!--COMMENT:	Useful data in building infection timelines.-->
+
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image-->
 		<ProcessTerminate onmatch="include">
 		<!--COMMENT:	Useful data in building infection timelines.-->
@@ -543,7 +660,12 @@
 			<Image condition="end with">Sysmon.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec-->
 		</ProcessTerminate>
 
-	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL-->
+	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
+		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
+			about what you exclude from monitoring. Low event volume, little incentive to exclude.
+			[ https://attack.mitre.org/wiki/Technique/T1014 ] -->
+		<!--TECHNICAL:	Sysmon will check the signing certificate revocation status of any driver you don't exclude.-->
+
 		<!--DATA: UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
 		<DriverLoad onmatch="exclude">
 		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
@@ -575,7 +697,10 @@
 			<Signature condition="contains">OpenVPN</Signature> <!--Exclude signed drivers-->
 		</DriverLoad>
 
-	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS-->
+	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
+		<!--COMMENT:	Can cause high system load, disabled by default.-->
+		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1073 ] [ https://attack.mitre.org/wiki/Technique/T1038 ] [ https://attack.mitre.org/wiki/Technique/T1034 ] -->
+
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
 		<ImageLoad onmatch="include">
 			<Signed condition="is">false</Signed> <!-- Lets Only show Unsigned DLL's loaded-->
@@ -669,7 +794,11 @@
 			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image> <!-- eFolder SyncedTool -->
 			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Server loading unsigned dll's -->
 		</ImageLoad>
-	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED-->
+
+	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
+		<!--COMMENT:	Monitor for processes injecting code into other processes. Often used by malware to cloak their actions. Also when Firefox loads Flash.
+		[ https://attack.mitre.org/wiki/Technique/T1055 ] -->
+
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
 		<CreateRemoteThread onmatch="exclude">
 		<!--COMMENT:	Monitor for processes injecting code into other processes. Often used by malware to cloak their actions.
@@ -684,18 +813,22 @@
 			<StartModule condition="is">C:\windows\system32\kernel32.dll</StartModule>
 			<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage>
 			<SourceImage condition="contains">FireSvc.exe</SourceImage>
+			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
 		</CreateRemoteThread>
 
-	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS-->
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, Device-->
-		<RawAccessRead onmatch="include">
+	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
+		<!--EVENT 9: "RawAccessRead detected"-->
+		<!--COMMENT:	Can cause high system load, disabled by default.-->
 		<!--COMMENT:	Monitor for raw sector-level access to the disk, often used to bypass access control lists or access locked files.
-				Disabled by default since including even one entry here activates this component. Reward/performance/rule maintenance decision.
-				Encourage you to experiment with this feature yourself.-->
+			Disabled by default since including even one entry here activates this component. Reward/performance/rule maintenance decision.
+			Encourage you to experiment with this feature yourself. [ https://attack.mitre.org/wiki/Technique/T1067 ] -->
 		<!--COMMENT:	You will likely want to set this to a full capture on domain controllers, where no process should be doing raw reads.-->
-		</RawAccessRead>
 
-	<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS-->
+	<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
+		<!--EVENT 10: "Process accessed"-->
+		<!--COMMENT:	Can cause high system load, disabled by default.-->
+		<!--COMMENT:	Monitor for processes accessing other process' memory.-->
+
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
 		<!--<ProcessAccess onmatch="include"> -->
 		<!--COMMENT:	Monitor for processes accessing other process' memory. This can be valuable, but can cause massive event glut.
@@ -735,7 +868,11 @@
 			<!-- <SourceImage condition="contains">C:\Program Files (x86)\ScreenConnect Client</SourceImage> -->
 		<!--</ProcessAccess> -->
 
-	<!--SYSMON EVENT ID 11 : FILE CREATED -->
+	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
+		<!--EVENT 11: "File created"-->
+		<!--NOTE:	Other filesystem "minifilters" can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
+		<!--NOTE:	You may not see files detected by antivirus. Other filesystem minifilters, like antivirus, can act before Sysmon receives the alert a file was written.-->
+
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
 		<FileCreate onmatch="include">
 			<TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links and shortcut modification-->
@@ -785,8 +922,11 @@
 			<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting-->
 			<TargetFilename condition="end with">.js</TargetFilename> <!--Java Scripting-->
 			<TargetFilename condition="end with">.jse</TargetFilename> <!--Java Scripting-->
-			<TargetFilename condition="end with">.*proj</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
+			<TargetFilename condition="end with">proj</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
 			<TargetFilename condition="end with">.sln</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
+			<TargetFilename condition="end with">.xls</TargetFilename> <!--Legacy Office files are often used for attacks-->
+			<TargetFilename condition="end with">.ppt</TargetFilename> <!--Legacy Office files are often used for attacks-->
+			<TargetFilename condition="end with">.rft</TargetFilename> <!--RTF files often 0day malware vectors when opened by Office-->
 			<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
 			<TargetFilename condition="begin with">C:\Windows\System32\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
 			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
@@ -799,6 +939,7 @@
 			<TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
 			<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
 			<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks -->
+			<TargetFilename condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename> <!--Microsoft:Windows: Application compatibility shims [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
 			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
 			<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename> <!--Microsoft: Files dropped here -->
 			<!--SECTION: Other suspicious file types to monitor-->
@@ -901,6 +1042,11 @@
 			<TargetFilename condition="end with">.SQM</TargetFilename> <!-- Ignore Exchange files created -->
 			<TargetFilename condition="end with">.SPL</TargetFilename> <!-- Ignore Spooled Print Jobs -->
 			<TargetFilename condition="end with">.SHD</TargetFilename> <!-- Ignore Spooled Print Jobs -->
+			<Image condition="is">C:\Program Files (x86)\EMET 5.5\EMET_Service.exe</Image> <!--Microsoft:EMET: Writes to C:\Windows\AppPatch\-->
+			<Image condition="is">C:\Windows\system32\mobsync.exe</Image> <!--Microsoft:Windows: Network file syncing-->
+			<TargetFilename condition="begin with">C:\Windows\Installer\</TargetFilename> <!--Microsoft:Windows:Installer: Ignore MSI installer files caching-->
+			<!--SECTION: Microsoft:Office-->
+			<TargetFilename condition="is">C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask</TargetFilename>
 			<!--SECTION: Microsoft:Windows:Updates-->
 			<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\</TargetFilename> <!-- Microsoft:Windows: Feature updates containing lots of .exe and .sys-->
 			<TargetFilename condition="end with">.etl</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->
@@ -935,20 +1081,31 @@
 			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlCsdDownloadWhitelist.store_new</TargetFilename>
 			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\CertCsdDownloadWhitelist.store_new</TargetFilename>
 			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
+			<!--SECTION: Adobe-->
+			<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Acrobat Update Task</TargetFilename>
+			<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Flash Player Updater</TargetFilename>
 		</FileCreate>
 
-	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION-->
-		<!--NOTE:	It may appear this section is missing important entries, but many of them match multiple areas, so look carefully to see if something is already covered.-->
+	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
+		<!--EVENT 12: "Registry object added or deleted"-->
+		<!--EVENT 13: "Registry value set-->
+		<!--EVENT 14: "Registry objected renamed"-->
+		
 		<!--NOTE:	"contains" conditions below are formatted to reduce CPU load, so they may appear written inconsistently, but this is on purpose from tuning.-->
-		<!--NOTE:	"contains" works by finding the first letter, then matching the second, etc, so the first letters should be as low-occurance as possible.-->
-		<!--NOTE:	Writing to GUID's is very common, and they contain 0-9 and A-F so slightly try to avoid those in the first few positions. [ https://en.wikipedia.org/wiki/Universally_unique_identifier ] -->
-		<!--NOTE:	Windows writes hundreds or thousands of registry keys a minute, so just because you're not changing stuff, doesn't mean these rules aren't being run.-->
-		<!--NOTE:	You don't have to spend a lot of time worrying about this, CPUs are fast, but it's something to consider. Every rule and condition type has a cost.-->
+		<!--NOTE:	"contains" works by finding the first letter, then matching the second, etc, so the first letters should be as low-occurrence as possible.-->
+		<!--NOTE:	Windows writes hundreds or thousands of registry keys a minute, so just because you're not changing things, doesn't mean these rules aren't being run.-->
+		<!--NOTE:	You do not have to spend a lot of time worrying about performance, CPUs are fast, but it's something to consider. Every rule and condition type has a small cost.-->
+		<!--NOTE:	[ https://attack.mitre.org/wiki/Technique/T1112 ] -->
 
-		<!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details, NewName-->
-		<!--TECHNICAL:	Possible prefixes are HKLM, HKCU, HKCR, and HKEY_USERS-->
-		<!--CRITICAL:	Schema version 3.30 and higher use HKLM and HKCU and HKCR and CurrentControlSet instead of REGISTRY\MACHINE\ and \REGISTRY\USER\ and ControlSet001-->
-		
+		<!--TECHNICAL:	You cannot filter on the "Details" attribute, due to performance issues when very large keys are written, and variety of data formats-->
+		<!--TECHNICAL:	Possible prefixes are HKLM, HKCR, and HKU-->
+		<!--CRITICAL:	Schema version 3.30 and higher change HKLM\="\REGISTRY\MACHINE\" and HKU\="\REGISTRY\USER\" and HKCR\="\REGISTRY\MACHINE\SOFTWARE\Classes\" and CurrentControlSet="ControlSet001"-->
+		<!--CRITICAL:	Due to a bug, Sysmon versions BEFORE 7.01 may not properly log with the new prefix style for registry keys that was originally introduced in schema version 3.30-->
+		<!--NOTE:	Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation-->
+
+		<!-- ! CRITICAL NOTE !:	It may appear this section is MISSING important entries, but SOME RULES MONITOR MANY KEYS, so look VERY CAREFULLY to see if something is already covered.-->
+
+		<!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details (can't filter on), NewName (can't filter on)-->
 		<RegistryEvent onmatch="include">
 			<!--Autorun or Startups-->
 				<!--ADDITIONAL REFERENCE: [ http://www.ghacks.net/2016/06/04/windows-automatic-startup-locations/ ] -->
@@ -978,7 +1135,6 @@
 			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Microsoft:Windows: Legacy driver loading | Credit @ion-storm -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject><!--Microsoft:Windows: Legacy Autorun may exist in server 2003-2008-->
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
@@ -986,6 +1142,8 @@
 			<TargetObject condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
 			<TargetObject condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject> <!-- Windows Debugger Hijack Autorun -->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ] -->
+			<TargetObject condition="contains">UserInitMprLogonScript</TargetObject> <!--Microsoft:Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ] -->
 			<!--CLSID launch commands and file association changes-->
 			<TargetObject condition="contains">\Explorer\FileExts\</TargetObject> <!--Microsoft:Windows: Changes to file extension mapping-->
 			<TargetObject condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
@@ -1008,6 +1166,8 @@
 			<TargetObject condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
+			<TargetObject condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
 			<!--AppPaths hijacking-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
@@ -1018,13 +1178,20 @@
 			<!--Winsock and Winsock2-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
 			<TargetObject condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
+			<TargetObject condition="begin with">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride - Threats sometimes change proxy server -->
+			<TargetObject condition="end with">\DisableSecuritySettingsCheck</TargetObject>
+			<TargetObject condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
+			<TargetObject condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
+			<TargetObject condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
 			<!--Credential providers-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
 			<!--Networking-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
+			<TargetObject condition="end with">EnableFirewall</TargetObject> <!--Microsoft:Windows: Monitor for firewall disablement [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
 			<!--DLLs that get injected into every process launch-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
@@ -1057,6 +1224,10 @@
 			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
 			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
+			<TargetObject condition="contains">CurrentVersion\Windows\Load</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
+			<TargetObject condition="contains">CurrentVersion\Windows\Run</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
+			<TargetObject condition="contains">CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/ms838576(v=winembedded.5).aspx ] -->
+			<TargetObject condition="contains">CurrentVersion\Winlogon\System</TargetObject> <!--Microsoft:Windows [ https://www.exterminate-it.com/malpedia/regvals/zlob-dns-changer/118 ] -->
 			<!--Group Policy Scripts-->
 			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
 			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
@@ -1105,6 +1276,7 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
+			<TargetObject condition="end with">\HideSCAHealth</TargetObject> <!--Microsoft:Windows:Security Center: Malware timestimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
 			<!--Detect if Windows Defender is Disabled-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
@@ -1151,10 +1323,17 @@
 			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{31240348-66EE-4F14-A42A-39F373A834C7}\</TargetObject> <!--Too much noise -->
 			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{8C8EC235-0786-4DAD-A957-1A6CD76C28F5}\</TargetObject> <!--Too much noise -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject> <!-- Detect: Dns Server dll injection -->
+			<!--Windows application compatibility shims-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged, useful for timeline matching with other events-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
+			<!--Microsoft Office-->
+			<TargetObject condition="contains">Office Test\</TargetObject> <!-- [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
 			<!-- NOTICE: Detect New USB Network Devices: Poison Tap - Creates lots of noise, disabled for now
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
 			-->
 		</RegistryEvent>
+
 		<RegistryEvent onmatch="exclude">
 		<!--COMMENT:	Remove low-information noise-->
 			<!--SECTION: Microsoft binaries-->
@@ -1250,12 +1429,15 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnotice</TargetObject> <!-- Group Policy spam -->
 		</RegistryEvent>
 
-	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED-->
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
+	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
+		<!--EVENT 15: "File stream created"-->
 		<!--COMMENT:	Any files created with an NTFS Alternate Data Stream which match these rules will be hashed and logged.
-				[ https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/ ]
-				ADS's are used by browsers and email clients to mark files as originating from the Internet or other foreign sources.
-				[ https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/ ] -->
+			[ https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/ ]
+			ADS's are used by browsers and email clients to mark files as originating from the Internet or other foreign sources.
+			[ https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/ ] -->
+		<!--NOTE: Other filesystem minifilters can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
 		<FileCreateStreamHash onmatch="exclude">
 			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
 		</FileCreateStreamHash>
@@ -1314,11 +1496,17 @@
 			<TargetFilename condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
 		</FileCreateStreamHash>
 
-	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY-->
+	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
+		<!--EVENT 16: "Sysmon config state changed"-->
+		<!--COMMENT:	This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16-->
+		
 		<!--DATA: UtcTime, Configuration, ConfigurationFileHash-->
 		<!--Cannot be filtered.-->
 
-	<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED-->
+	<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent]-->
+		<!--EVENT 17: "Pipe Created"-->
+		<!--EVENT 18: "Pipe Connected"-->
+
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
 		<PipeEvent onmatch="exclude">
 		<!--COMMENT: Exclude known-good pipe users-->
@@ -1481,11 +1669,21 @@
 			<Image condition="is">ScreenConnect.ClientService.exe</Image>
 			<Image condition="is">QBW32.EXE</Image>
 		</PipeEvent>
-	<!--SYSMON EVENT ID 19 / 20 / 21: WMI Filter / WMI Consumer / WMI Binding -->
-		<!--WMI Filter: UtcTime, EventType, Operation, User, EventNameSpace, Name, Query-->
-		<!--WMI Consumer: UtcTime, EventType, Operation, User, EventNameSpace, Name, Query, Type, Destination-->
-		<!--WMI Binding: UtcTime, EventType, Operation, User, Consumer, Filter-->
-		<WmiEvent onmatch="exclude">
+
+	<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
+		<!--EVENT 19: "WmiEventFilter activity detected"-->
+		<!--EVENT 20: "WmiEventConsumer activity detected"-->
+		<!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->
+
+		<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
+		<WmiEvent onmatch="include">
 		</WmiEvent>
+
+	<!--SYSMON EVENT ID 255 : ERROR-->
+		<!--"This event is generated when an error occurred within Sysmon. They can happen if the system is under heavy load
+			and certain tasked could not be performed or a bug exists in the Sysmon service. You can report any bugs on the
+			Sysinternals forum or over Twitter (@markrussinovich)."-->
+		<!--Cannot be filtered.-->
+
 	</EventFiltering>
 </Sysmon>

From c4506a3b5897605fe635a5567364bd6d2df266d5 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 25 Jan 2018 09:40:26 -0500
Subject: [PATCH 202/471] more updates

---
 sysmonconfig-export.xml | 55 ++++++++++++++++++++++++++++++++---------
 1 file changed, 43 insertions(+), 12 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 60ae92a6..8858626e 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -801,16 +801,15 @@
 
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
 		<CreateRemoteThread onmatch="exclude">
-		<!--COMMENT:	Monitor for processes injecting code into other processes. Often used by malware to cloak their actions.
-				Exclude mostly-safe sources and log anything else.-->
-			<SourceImage condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\System32\svchost.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\System32\wininit.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\System32\csrss.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\System32\services.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\System32\winlogon.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\System32\audiodg.exe</SourceImage>
-			<StartModule condition="is">C:\windows\system32\kernel32.dll</StartModule>
+			<!--COMMENT: Exclude mostly-safe sources and log anything else.-->
+			<SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\csrss.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\services.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\winlogon.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\audiodg.exe</SourceImage>
+			<StartModule condition="is">C:\Windows\system32\kernel32.dll</StartModule>
 			<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage>
 			<SourceImage condition="contains">FireSvc.exe</SourceImage>
 			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
@@ -824,6 +823,10 @@
 			Encourage you to experiment with this feature yourself. [ https://attack.mitre.org/wiki/Technique/T1067 ] -->
 		<!--COMMENT:	You will likely want to set this to a full capture on domain controllers, where no process should be doing raw reads.-->
 
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, Device-->
+		<RawAccessRead onmatch="include">
+		</RawAccessRead>
+
 	<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
 		<!--EVENT 10: "Process accessed"-->
 		<!--COMMENT:	Can cause high system load, disabled by default.-->
@@ -1335,7 +1338,7 @@
 		</RegistryEvent>
 
 		<RegistryEvent onmatch="exclude">
-		<!--COMMENT:	Remove low-information noise-->
+		<!--COMMENT:	Remove low-information noise. Often these hide a procress recreating an empty key and do not hide the values created subsequently.-->
 			<!--SECTION: Microsoft binaries-->
 			<Image condition="end with">Office\root\integration\integrator.exe</Image> <!--Microsoft:Office: C2R client-->
 			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image> <!--Microsoft:Windows: Changes association registry keys-->
@@ -1354,8 +1357,10 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--SvcHost Noise-->
 			<TargetObject condition="end with">Toolbar\WebBrowser</TargetObject> <!--Microsoft:IE: Extraneous activity-->
 			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Height</TargetObject> <!--Microsoft:IE: Extraneous activity-->
+			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Layout</TargetObject> <!--Microsoft:IE: Extraneous activity-->
 			<TargetObject condition="end with">Toolbar\ShellBrowser\ITBar7Layout</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
 			<TargetObject condition="end with">Internet Explorer\Toolbar\Locked</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
+			<TargetObject condition="end with">Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93}</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
 			<TargetObject condition="end with">ShellBrowser</TargetObject> <!--Microsoft:InternetExplorer: Noise-->
 			<TargetObject condition="end with">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard-->
 			<TargetObject condition="end with">\CurrentVersion\RunOnce</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard-->
@@ -1403,9 +1408,32 @@
 			<TargetObject condition="end with">\UserChoice\ProgId</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
 			<TargetObject condition="end with">\UserChoice\Hash</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
 			<TargetObject condition="end with">\OpenWithList\MRUList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
+			<TargetObject condition="end with">} 0xFFFF</TargetObject> <!--Microsoft:Windows: Remove noise generated by explorer.exe on monitored ShellCached binary keys--> <!--Win8+-->
+			<!--Group Policy noise-->
+			<TargetObject condition="end with">HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups</TargetObject> <!--Microsoft:Windows: Routinely set through Group Policy, not especially important to log-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="contains">\safer\codeidentifiers\0\HASHES\{</TargetObject> <!--Microsoft:Windows: Software Restriction Policies. Can be used to disable security tools, but very noisy to monitor if you use it--> <!--OPTIONAL FILTER-->
+			<!--Autoruns noise-->
+			<!--<Details condition="is">c:\program files (x86)\microsoft office\office16\lync.exe</Details> Microsoft:Office: SkypeForBusiness autorun--> 
+			<!--<Details condition="is">"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized</Details> Cisco: AnyConnect autorun-->
+			<!--<Details condition="contains">ScanToPCActivationApp.exe" -deviceID "</Details> HP: Printer-->
+			<!--SECTION: 3rd party-->
 			<TargetObject condition="end with">} 0xFFFF</TargetObject> <!--Microsoft:Windows: Remove noise from explorer.exe from monitoring ShellCached binary keys--> <!--Win8+ -->
 			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image><!--Microsoft:Windows Remove noise from Windows 10 Cortana--> <!--Win10 -->
-			<!--SECTION: 3rd party-->
 			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image>
 			<TargetObject condition="contains">HKLM\System\CurrentControlSet\Services\DeviceAssociationService\Start</TargetObject><!--Device Association Service Noise-->
 			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}\</TargetObject><!-- HD Audio Noise-->
@@ -1427,6 +1455,8 @@
 			<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
 			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports</TargetObject> <!-- Spooler Noise -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnotice</TargetObject> <!-- Group Policy spam -->
+			<TargetObject condition="begin with">HKCR\VLC.</TargetObject> <!--VLC update noise-->
+			<TargetObject condition="begin with">HKCR\iTunes.</TargetObject> <!--Apple: iTunes update noise-->
 		</RegistryEvent>
 
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
@@ -1445,6 +1475,7 @@
 			<TargetFilename condition="contains">Content.Outlook</TargetFilename> <!--Microsoft:Outlook: Attachments--> <!--PRIVACY WARNING-->
 			<TargetFilename condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
 			<TargetFilename condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
+			<TargetFilename condition="contains">Startup</TargetFilename> <!--ADS startup | Example: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
 			<TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting files-->
 			<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
 			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->

From 4f4553909fe541f0b432f5694320a5bcee94685d Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 26 Jan 2018 10:13:31 -0500
Subject: [PATCH 203/471] Noise Reduction

---
 sysmonconfig-export.xml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 8858626e..105f0075 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -191,6 +191,7 @@
 			<Image condition="is">C:\Program Files\Microsoft Office\Office15\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
 			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
 			<Image condition="is">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
+			<Image condition="is">C:\Windows\splwow64.exe</Image> <!--Microsoft:Office: Print Driver Host spam -->
 			<!--SECTION: Microsoft:Windows: Media player-->
 			<Image condition="is">C:\Program Files\Windows Media Player\wmpnscfg.exe</Image> <!--Microsoft:Windows: Windows Media Player Network Sharing Service Configuration Application-->
 			<!--SECTION: Microsoft Exchange-->
@@ -349,6 +350,7 @@
 			<Image condition="is">C:\Windows\LTSvc\LTTray.exe</Image>
 			<ParentCommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall</ParentCommandLine>
 			<CommandLine condition="contains">interface tcp show global</CommandLine>
+			<Image condition="is">nslookup.exe</Image><!--Labtech NStest.bat lookups-->
 			<!--END: Labtech-->
 			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->
 			<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
@@ -803,6 +805,7 @@
 		<CreateRemoteThread onmatch="exclude">
 			<!--COMMENT: Exclude mostly-safe sources and log anything else.-->
 			<SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\SysWOW64\wbem\WmiPrvSE.exe</SourceImage>			
 			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
 			<SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage>
 			<SourceImage condition="is">C:\Windows\system32\csrss.exe</SourceImage>
@@ -813,6 +816,7 @@
 			<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage>
 			<SourceImage condition="contains">FireSvc.exe</SourceImage>
 			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
+			<TargetImage condition="end with">controls\cef\ConnectWise.exe</TargetImage>
 		</CreateRemoteThread>
 
 	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
@@ -1087,6 +1091,8 @@
 			<!--SECTION: Adobe-->
 			<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Acrobat Update Task</TargetFilename>
 			<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Flash Player Updater</TargetFilename>
+			<!--SECTION: Connectwise-->
+			<Image condition="is">C:\Program Files (x86)\ConnectWise\PSA.net\ConnectWise.exe</Image>
 		</FileCreate>
 
 	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
@@ -1328,6 +1334,7 @@
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject> <!-- Detect: Dns Server dll injection -->
 			<!--Windows application compatibility shims-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
 			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged, useful for timeline matching with other events-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
 			<!--Microsoft Office-->
@@ -1360,7 +1367,9 @@
 			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Layout</TargetObject> <!--Microsoft:IE: Extraneous activity-->
 			<TargetObject condition="end with">Toolbar\ShellBrowser\ITBar7Layout</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
 			<TargetObject condition="end with">Internet Explorer\Toolbar\Locked</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
-			<TargetObject condition="end with">Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93}</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
+			<TargetObject condition="end with">Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93}</TargetObject> <!--Adobe PDF Browser Toolbar-->
+			<TargetObject condition="end with">Toolbar\WebBrowser\{724D43A0-0D85-11D4-9908-00400523E39A}</TargetObject> <!--RoboForms Browser toolbar-->
+			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Layout</TargetObject> <!--Misc IE Activity-->
 			<TargetObject condition="end with">ShellBrowser</TargetObject> <!--Microsoft:InternetExplorer: Noise-->
 			<TargetObject condition="end with">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard-->
 			<TargetObject condition="end with">\CurrentVersion\RunOnce</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard-->
@@ -1457,6 +1466,8 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnotice</TargetObject> <!-- Group Policy spam -->
 			<TargetObject condition="begin with">HKCR\VLC.</TargetObject> <!--VLC update noise-->
 			<TargetObject condition="begin with">HKCR\iTunes.</TargetObject> <!--Apple: iTunes update noise-->
+			<!--SECTION: Nitro Pro Spam-->
+			<TargetObject condition="contains">\Software\NITRO\PRO</TargetObject>
 		</RegistryEvent>
 
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->

From 15a51fa88c774b3d6e3e7528f94444caea565de4 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 13 Feb 2018 08:32:45 -0500
Subject: [PATCH 204/471] Update Auto_Update.bat

---
 Auto_Update.bat | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Auto_Update.bat b/Auto_Update.bat
index 1e5aac6c..39d3b0cc 100644
--- a/Auto_Update.bat
+++ b/Auto_Update.bat
@@ -1,5 +1,5 @@
 @echo on
 cd C:\ProgramData\sysmon\
-@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
+@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/develop/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
 sysmon64 -c sysmonconfig-export.xml
-exit
\ No newline at end of file
+exit

From 305b45ec31c561fac79d744cb1d60b862959db5b Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 16 Feb 2018 21:54:06 -0500
Subject: [PATCH 205/471] add ads exclusions

---
 sysmonconfig-export.xml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 105f0075..22327537 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -779,6 +779,12 @@
 			<Image condition="is">C:\Windows\System32\mmc.exe</Image>
 			<Image condition="is">C:\Windows\System32\SearchFilterHost.exe</Image>
 			<Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image>
+			<ImageLoaded condition="is">C:\Windows\System32\winspool.drv</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\wshqos.</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\clusapi.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\wow64win.dll</ImageLoaded>
 			<ImageLoaded condition="end with">samlib.dll</ImageLoaded>
 			<ImageLoaded condition="contains">C:\Program Files (x86)\SmartGit</ImageLoaded> <!--SmartGit-->
 			<ImageLoaded condition="contains">syntevo\SmartGit</ImageLoaded> <!--SmartGit-->

From f5e918e6aa4ae70bfb64519fcce0f9b1d90ee9b1 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 16 Feb 2018 22:02:11 -0500
Subject: [PATCH 206/471] add sysmon exclusion

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 22327537..df114639 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -779,6 +779,7 @@
 			<Image condition="is">C:\Windows\System32\mmc.exe</Image>
 			<Image condition="is">C:\Windows\System32\SearchFilterHost.exe</Image>
 			<Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image>
+			<Image condition="is">C:\Windows\sysmon64.exe</Image>
 			<ImageLoaded condition="is">C:\Windows\System32\winspool.drv</ImageLoaded>
 			<ImageLoaded condition="is">C:\Windows\System32\wshqos.</ImageLoaded>
 			<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>

From 74e5f40cff2a81ad556c6faeef7f01a9d68c41cb Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 16 Feb 2018 22:15:36 -0500
Subject: [PATCH 207/471] ImageLoad causing too much load in production for now

---
 sysmonconfig-export.xml | 99 +----------------------------------------
 1 file changed, 2 insertions(+), 97 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index df114639..7fc159a6 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -704,105 +704,10 @@
 		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1073 ] [ https://attack.mitre.org/wiki/Technique/T1038 ] [ https://attack.mitre.org/wiki/Technique/T1034 ] -->
 
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
-		<ImageLoad onmatch="include">
-			<Signed condition="is">false</Signed> <!-- Lets Only show Unsigned DLL's loaded-->
-			<SignatureStatus condition="is">Invalid</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
-			<SignatureStatus condition="is">Unavailable</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
-			<ImageLoaded condition="contains">C:\windows\system32\fxsst.dll</ImageLoaded> <!-- CIA Vault7 Leak: Fax DLL Injection -->
-			<ImageLoaded condition="contains">C:\Windows\System32\wbem\oci.dll</ImageLoaded> <!-- CIA Vault7 Leak: Distributed Transaction Coordinator DLL Injection -->
-			<!-- Mimikatz Detection -->
-			<!-- <ImageLoaded condition="is">C:\Windows\System32\WinSCard.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
-			<!-- <ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
-			<!-- <ImageLoaded condition="is">C:\Windows\System32\hid.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
-			<!-- <ImageLoaded condition="is">C:\Windows\System32\samlib.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
-			<!-- <ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
-			<!-- <ImageLoaded condition="is">WMINet_Utils.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
-			<ImageLoaded condition="contains">\Temp\</ImageLoaded>
-			<!-- END: Mimikatz Detection -->
-		<!--COMMENT:	Can cause high system load, disabled by default, important examples included below.-->
-			<!-- <ImageLoaded condition="contains">system.automation</ImageLoaded> -->
-			<!-- <ImageLoaded condition="image">wshom.ocx</ImageLoaded> -->
-			<!-- <ImageLoaded condition="image">vbscript.dll</ImageLoaded> -->
-			<!-- <ImageLoaded condition="image">javascript.dll</ImageLoaded> -->
-			<!-- <ImageLoaded condition="contains">msxml4</ImageLoaded> -->
-			<!-- <ImageLoaded condition="image">hal.dll</ImageLoaded> -->
-			<!-- <ImageLoaded condition="image">scrrun.dll</ImageLoaded> -->
-			<!-- <ImageLoaded condition="contains">npjpi</ImageLoaded> -->
-			<!-- <ImageLoaded condition="image">jp2iexp.dll</ImageLoaded> -->
-			<!-- Mimikatz -->
-			<!--NOTES: [ https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ ] -->
-			<!-- <ImageLoaded condition="image">wdigest.dll</ImageLoaded> -->
-			<!-- Microsoft & Common Computer Vendor Exclusions -->
-			<!-- Here are the exclude rules, were using include now :)
-			<Signature condition="contains">Microsoft</Signature>
-			<Signature condition="contains">Windows</Signature>
-			<Signature condition="contains">Dell</Signature>
-			<Signature condition="contains">Lenovo</Signature>
-			<Signature condition="contains">HP</Signature>
-			<Signature condition="contains">Micro-Star</Signature>
-			<Signature condition="contains">MSI</Signature>
-			<Signature condition="contains">Intel</Signature>
-			<Signature condition="contains">AMD</Signature>
-			<Signature condition="contains">Advanced Micro Devices</Signature>
-			<Signature condition="contains">Broadcom</Signature>
-			<Signature condition="contains">Realtek</Signature>
-			<Signature condition="contains">VMware</Signature>
-			<Signature condition="contains">Synaptic</Signature>
-			<Signature condition="contains">Logitech</Signature>
-			<Signature condition="contains">Steelseries</Signature>
-			<Signature condition="contains">Cisco</Signature>
-			<Signature condition="contains">Fortinet</Signature> -->
+		<!--<ImageLoad onmatch="include">
 		</ImageLoad>
 		<ImageLoad onmatch="exclude">
-			<SignatureStatus condition="is">Valid</SignatureStatus>
-			<ImageLoaded condition="end with">System32\samlib.dll</ImageLoaded> <!-- Spam -->
-			<ImageLoaded condition="end with">System32\cryptdll.dlll</ImageLoaded> <!-- Spam -->
-			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft libraries-->
-			<Signature condition="is">Microsoft Windows</Signature> <!--Exclude signed Microsoft libraries-->
-			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft libraries-->
-			<Signature condition="begin with">Intel</Signature> <!--Exclude signed Intel libraries-->
-			<Signature condition="contains">Lenovo</Signature> <!--Exclude signed Lenovo libraries-->
-			<Signature condition="contains">Synaptic</Signature> <!--Exclude signed Synaptic libraries-->
-			<Signature condition="contains">Nvidia</Signature> <!--Exclude signed Nvidia libraries-->
-			<Signature condition="contains">Broadcom</Signature> <!--Exclude signed Broadcom libraries-->
-			<Signature condition="contains">AMD</Signature> <!--Exclude signed AMD libraries-->
-			<Signature condition="contains">VMware</Signature> <!--Exclude signed VMware libraries-->
-			<Signature condition="contains">Realtek</Signature> <!--Exclude signed Realtek libraries-->
-			<Signature condition="contains">Micro-Star</Signature> <!--Exclude signed MSI libraries-->
-			<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech libraries-->
-			<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia libraries-->
-			<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed MSI libraries-->
-			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed MSI libraries-->
-			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
-			<Signature condition="contains">Webroot</Signature> <!--Exclude signed MSI libraries-->
-			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
-			<Image condition="is">C:\Windows\System32\mmc.exe</Image>
-			<Image condition="is">C:\Windows\System32\SearchFilterHost.exe</Image>
-			<Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image>
-			<Image condition="is">C:\Windows\sysmon64.exe</Image>
-			<ImageLoaded condition="is">C:\Windows\System32\winspool.drv</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\wshqos.</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\clusapi.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\wow64win.dll</ImageLoaded>
-			<ImageLoaded condition="end with">samlib.dll</ImageLoaded>
-			<ImageLoaded condition="contains">C:\Program Files (x86)\SmartGit</ImageLoaded> <!--SmartGit-->
-			<ImageLoaded condition="contains">syntevo\SmartGit</ImageLoaded> <!--SmartGit-->
-			<ImageLoaded condition="contains">Labtech Client</ImageLoaded>
-			<ImageLoaded condition="contains">CrystalDecisions</ImageLoaded>
-			<ImageLoaded condition="contains">ShoreWare</ImageLoaded>
-			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <!-- Windows Store apps unsigned -->
-			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
-			<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: Not good for security but good on cutting down the noise, we do log dropped dll's -->
-			<ImageLoaded condition="contains">C:\Windows\assembly\NativeImages</ImageLoaded> <!-- Event Viewer -->
-			<ImageLoaded condition="contains">C:\Program Files\WindowsApps</ImageLoaded> <!-- Windows Store Apps: Apparently most dll's here are unsigned and causes noise -->
-			<!-- Custom App Exclusions -->
-			<ImageLoaded condition="is">C:\Program Files (x86)\AutoSizer\AutoSizer.dll</ImageLoaded> <!-- I use autosizer to re-arrange my windows -->
-			<ImageLoaded condition="contains">C:\Program Files (x86)\Notepad++</ImageLoaded> <!--Notepad++ Plugins Are unsigned-->
-			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image> <!-- eFolder SyncedTool -->
-			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Server loading unsigned dll's -->
-		</ImageLoad>
+		</ImageLoad>-->
 
 	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
 		<!--COMMENT:	Monitor for processes injecting code into other processes. Often used by malware to cloak their actions. Also when Firefox loads Flash.

From 8b582ee3919955739e7925e007937de89045ffaf Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 17 Feb 2018 09:15:05 -0500
Subject: [PATCH 208/471] add spoolss exclusion

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 7fc159a6..fb00036f 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1469,6 +1469,7 @@
 			<!--SECTION: Microsoft-->
 			<PipeName condition="contains">lsass</PipeName>
 			<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
+			<PipeName condition="is">\spoolss</PipeName>
 			<!--SECTION: Microsoft IIS -->
 			<PipeName condition="begin with">\M.E.C.Core.WinRMDataCommunicator.NamedPipe.</PipeName>
 			<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image>

From 7fbbb0230c1829d668eb52bcfd0f460f2d665ef6 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 17 Feb 2018 14:04:58 -0500
Subject: [PATCH 209/471] typo and media filexts exclusions

---
 sysmonconfig-export.xml | 45 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index fb00036f..38bdc95a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1312,7 +1312,7 @@
 			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
 			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
 			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
-			<!--Sevices autostart noise-->
+			<!--Services autostart noise-->
 			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
 			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
 			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
@@ -1330,6 +1330,49 @@
 			<TargetObject condition="end with">\UserChoice\Hash</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
 			<TargetObject condition="end with">\OpenWithList\MRUList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
 			<TargetObject condition="end with">} 0xFFFF</TargetObject> <!--Microsoft:Windows: Remove noise generated by explorer.exe on monitored ShellCached binary keys--> <!--Win8+-->
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdp</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jxr</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rw2</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rwl</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrw</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srw</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf</TargetObject>
 			<!--Group Policy noise-->
 			<TargetObject condition="end with">HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups</TargetObject> <!--Microsoft:Windows: Routinely set through Group Policy, not especially important to log-->
 			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->

From e87ff3fb668d956c3ba16d1af046ab614db57fec Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 17 Feb 2018 14:12:48 -0500
Subject: [PATCH 210/471] Add Toshiba Print Driver exclusion

---
 sysmonconfig-export.xml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 38bdc95a..f72a333f 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1005,6 +1005,11 @@
 			<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Flash Player Updater</TargetFilename>
 			<!--SECTION: Connectwise-->
 			<Image condition="is">C:\Program Files (x86)\ConnectWise\PSA.net\ConnectWise.exe</Image>
+			<!--SECTION: Datto-->
+			<Image condition="is">C:\Program Files\Datto\Datto Windows Agent\DattoBackupAgent.exe</Image>
+			<!--SECTION: Toshiba Print Drivers-->
+			<TargetFilename condition="begin with">C:\Windows\System32\config\systemprofile\TOSHIBA\</TargetFilename>
+
 		</FileCreate>
 
 	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->

From ea195dfcabad1ded0cc8a8d26d1e363c0efc0363 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 20 Feb 2018 12:00:46 -0500
Subject: [PATCH 211/471] more toshiba exclusions

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f72a333f..15c06661 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1009,7 +1009,7 @@
 			<Image condition="is">C:\Program Files\Datto\Datto Windows Agent\DattoBackupAgent.exe</Image>
 			<!--SECTION: Toshiba Print Drivers-->
 			<TargetFilename condition="begin with">C:\Windows\System32\config\systemprofile\TOSHIBA\</TargetFilename>
-
+			<TargetFilename condition="contains">TOSHIBA\eSTUDIOX\UNIDRV</TargetFilename>
 		</FileCreate>
 
 	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->

From 47811f36b58e861a884724fde78fbd0acb345e34 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 23 Feb 2018 11:09:47 -0500
Subject: [PATCH 212/471] Removed Sysmon config changes because I update the
 config hourly, creates too much spam. Additional Exclusions to cut down on
 spam

---
 sysmonconfig-export.xml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 15c06661..f7ae01ee 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -588,6 +588,7 @@
 		<NetworkConnect onmatch="exclude">
 			<!--SECTION: Microsoft -->
 			<Image condition="is">C:\Windows\System32\dns.exe</Image> <!-- Exclude Microsoft DNS Server DNS requests -->
+			<Image condition="is">C:\Windows\System32\find.exe</Image><!-- Oddly find.exe connects to localhost and creates spam -->
 			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</Image> <!-- Exclude Microsoft Exchange connecting to locahost -->
 			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe</Image> <!--Exchange Transport-->
 			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe</Image> <!--Exchange Edge Transport-->
@@ -1037,8 +1038,6 @@
 				<!--ADDITIONAL REFERENCE: [ http://www.ghacks.net/2016/06/04/windows-automatic-startup-locations/ ] -->
 				<!--ADDITIONAL REFERENCE: [ https://view.officeapps.live.com/op/view.aspx?src=https://arsenalrecon.com/downloads/resources/Registry_Keys_Related_to_Autorun.ods ] -->
 				<!--ADDITIONAL REFERENCE: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject condition="contains">SysmonDrv</TargetObject> <!--Add additional logging to self to see modifications -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters\Rules</TargetObject> <!--Add additional logging to self to see modifications -->
 			<TargetObject condition="contains">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Run keys, incld RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
 			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts-->
 			<TargetObject condition="contains">\Windows\System\Scripts</TargetObject> <!--Microsoft:Windows: Logon, Loggoff, Shutdown-->
@@ -1428,6 +1427,8 @@
 			<TargetObject condition="begin with">HKCR\iTunes.</TargetObject> <!--Apple: iTunes update noise-->
 			<!--SECTION: Nitro Pro Spam-->
 			<TargetObject condition="contains">\Software\NITRO\PRO</TargetObject>
+			<!--SECTION: Webroot Spam-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\WRData\Status</TargetObject>
 		</RegistryEvent>
 
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->

From 34669c5cc8821e6635c1ab92292d3d7039182811 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 23 Feb 2018 11:38:42 -0500
Subject: [PATCH 213/471] More Labtech Exclusions

---
 sysmonconfig-export.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f7ae01ee..2b560199 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -312,9 +312,15 @@
 			<!--TODO: Will define these more in the future-->
 			<ParentCommandLine condition="is">C:\Windows\LTSvc\LTSVC.exe -sLTService</ParentCommandLine> <!--Labtech Agent-->
 			<ParentImage condition="is">C:\Windows\LTSvc\LTSVC.exe</ParentImage> <!--Labtech Agent-->
+			<CurrentDirectory condition="is">C:\Windows\LTSvc\</CurrentDirectory><!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">find /i "Listening"</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">netstat -an</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">tasklist</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">nslookup</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">nbtstat.exe</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">dsquery</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">sc query</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">sc query</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">find /i "Listening"</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">netstat -an</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">tasklist</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
@@ -375,6 +381,7 @@
 			<Image condition="is">C:\Anchor Server\redis\redis-server.exe</Image> <!-- eFolder Anchor Server -->
 			<ParentImage condition="is">C:\PostgreSQL9.1\bin\postgres.exe</ParentImage> <!-- eFolder Anchor Server -->
 			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Anchor Server -->
+			<Image condition="is">C:\ProgramData\sysmon\sysmon64.exe</Image> <!-- Exclude Sysmon Process events -->
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->

From 0a04f334637a94db8ffeb5b21a292e0f33cbef4c Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 24 Feb 2018 14:56:07 -0500
Subject: [PATCH 214/471] ImageLoad causing too much load in production for now
 (reverted from commit 74e5f40cff2a81ad556c6faeef7f01a9d68c41cb)

Added Exclusions to prevent high cpu load
---
 Install Sysmon.bat      |  4 +-
 sysmonconfig-export.xml | 99 ++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 99 insertions(+), 4 deletions(-)

diff --git a/Install Sysmon.bat b/Install Sysmon.bat
index fb5a3034..c6cc844c 100644
--- a/Install Sysmon.bat	
+++ b/Install Sysmon.bat	
@@ -17,8 +17,8 @@ pushd "C:\ProgramData\sysmon\"
 echo [+] Downloading Sysmon...
 @powershell (new-object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon64.exe','C:\ProgramData\sysmon\sysmon64.exe')"
 echo [+] Downloading Sysmon config...
-@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
-@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/master/Auto_Update.bat','C:\ProgramData\sysmon\Auto_Update.bat')"
+@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/develop/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
+@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/develop/Auto_Update.bat','C:\ProgramData\sysmon\Auto_Update.bat')"
 sysmon64.exe -accepteula -i sysmonconfig-export.xml
 sc failure Sysmon actions= restart/10000/restart/10000// reset= 120
 echo [+] Sysmon Successfully Installed!
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 2b560199..354437eb 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -712,10 +712,105 @@
 		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1073 ] [ https://attack.mitre.org/wiki/Technique/T1038 ] [ https://attack.mitre.org/wiki/Technique/T1034 ] -->
 
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
-		<!--<ImageLoad onmatch="include">
+		<ImageLoad onmatch="include">
+			<Signed condition="is">false</Signed> <!-- Lets Only show Unsigned DLL's loaded-->
+			<SignatureStatus condition="is">Invalid</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
+			<SignatureStatus condition="is">Unavailable</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
+			<ImageLoaded condition="contains">C:\windows\system32\fxsst.dll</ImageLoaded> <!-- CIA Vault7 Leak: Fax DLL Injection -->
+			<ImageLoaded condition="contains">C:\Windows\System32\wbem\oci.dll</ImageLoaded> <!-- CIA Vault7 Leak: Distributed Transaction Coordinator DLL Injection -->
+			<!-- Mimikatz Detection -->
+			<!-- <ImageLoaded condition="is">C:\Windows\System32\WinSCard.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<!-- <ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<!-- <ImageLoaded condition="is">C:\Windows\System32\hid.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<!-- <ImageLoaded condition="is">C:\Windows\System32\samlib.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<!-- <ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<!-- <ImageLoaded condition="is">WMINet_Utils.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
+			<ImageLoaded condition="contains">\Temp\</ImageLoaded>
+			<!-- END: Mimikatz Detection -->
+		<!--COMMENT:	Can cause high system load, disabled by default, important examples included below.-->
+			<!-- <ImageLoaded condition="contains">system.automation</ImageLoaded> -->
+			<!-- <ImageLoaded condition="image">wshom.ocx</ImageLoaded> -->
+			<!-- <ImageLoaded condition="image">vbscript.dll</ImageLoaded> -->
+			<!-- <ImageLoaded condition="image">javascript.dll</ImageLoaded> -->
+			<!-- <ImageLoaded condition="contains">msxml4</ImageLoaded> -->
+			<!-- <ImageLoaded condition="image">hal.dll</ImageLoaded> -->
+			<!-- <ImageLoaded condition="image">scrrun.dll</ImageLoaded> -->
+			<!-- <ImageLoaded condition="contains">npjpi</ImageLoaded> -->
+			<!-- <ImageLoaded condition="image">jp2iexp.dll</ImageLoaded> -->
+			<!-- Mimikatz -->
+			<!--NOTES: [ https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ ] -->
+			<!-- <ImageLoaded condition="image">wdigest.dll</ImageLoaded> -->
+			<!-- Microsoft & Common Computer Vendor Exclusions -->
+			<!-- Here are the exclude rules, were using include now :)
+			<Signature condition="contains">Microsoft</Signature>
+			<Signature condition="contains">Windows</Signature>
+			<Signature condition="contains">Dell</Signature>
+			<Signature condition="contains">Lenovo</Signature>
+			<Signature condition="contains">HP</Signature>
+			<Signature condition="contains">Micro-Star</Signature>
+			<Signature condition="contains">MSI</Signature>
+			<Signature condition="contains">Intel</Signature>
+			<Signature condition="contains">AMD</Signature>
+			<Signature condition="contains">Advanced Micro Devices</Signature>
+			<Signature condition="contains">Broadcom</Signature>
+			<Signature condition="contains">Realtek</Signature>
+			<Signature condition="contains">VMware</Signature>
+			<Signature condition="contains">Synaptic</Signature>
+			<Signature condition="contains">Logitech</Signature>
+			<Signature condition="contains">Steelseries</Signature>
+			<Signature condition="contains">Cisco</Signature>
+			<Signature condition="contains">Fortinet</Signature> -->
 		</ImageLoad>
 		<ImageLoad onmatch="exclude">
-		</ImageLoad>-->
+			<SignatureStatus condition="is">Valid</SignatureStatus>
+			<ImageLoaded condition="end with">System32\samlib.dll</ImageLoaded> <!-- Spam -->
+			<ImageLoaded condition="end with">System32\cryptdll.dlll</ImageLoaded> <!-- Spam -->
+			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft libraries-->
+			<Signature condition="is">Microsoft Windows</Signature> <!--Exclude signed Microsoft libraries-->
+			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft libraries-->
+			<Signature condition="begin with">Intel</Signature> <!--Exclude signed Intel libraries-->
+			<Signature condition="contains">Lenovo</Signature> <!--Exclude signed Lenovo libraries-->
+			<Signature condition="contains">Synaptic</Signature> <!--Exclude signed Synaptic libraries-->
+			<Signature condition="contains">Nvidia</Signature> <!--Exclude signed Nvidia libraries-->
+			<Signature condition="contains">Broadcom</Signature> <!--Exclude signed Broadcom libraries-->
+			<Signature condition="contains">AMD</Signature> <!--Exclude signed AMD libraries-->
+			<Signature condition="contains">VMware</Signature> <!--Exclude signed VMware libraries-->
+			<Signature condition="contains">Realtek</Signature> <!--Exclude signed Realtek libraries-->
+			<Signature condition="contains">Micro-Star</Signature> <!--Exclude signed MSI libraries-->
+			<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech libraries-->
+			<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia libraries-->
+			<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed MSI libraries-->
+			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed MSI libraries-->
+			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
+			<Signature condition="contains">Webroot</Signature> <!--Exclude signed MSI libraries-->
+			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
+			<Image condition="is">C:\Windows\System32\mmc.exe</Image>
+			<Image condition="is">C:\Windows\System32\SearchFilterHost.exe</Image>
+			<Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image>
+			<Image condition="is">C:\Windows\sysmon64.exe</Image>
+			<ImageLoaded condition="is">C:\Windows\System32\winspool.drv</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\wshqos.</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\clusapi.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\wow64win.dll</ImageLoaded>
+			<ImageLoaded condition="end with">samlib.dll</ImageLoaded>
+			<ImageLoaded condition="contains">C:\Program Files (x86)\SmartGit</ImageLoaded> <!--SmartGit-->
+			<ImageLoaded condition="contains">syntevo\SmartGit</ImageLoaded> <!--SmartGit-->
+			<ImageLoaded condition="contains">Labtech Client</ImageLoaded>
+			<ImageLoaded condition="contains">CrystalDecisions</ImageLoaded>
+			<ImageLoaded condition="contains">ShoreWare</ImageLoaded>
+			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <!-- Windows Store apps unsigned -->
+			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
+			<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: Not good for security but good on cutting down the noise, we do log dropped dll's -->
+			<ImageLoaded condition="contains">C:\Windows\assembly\NativeImages</ImageLoaded> <!-- Event Viewer -->
+			<ImageLoaded condition="contains">C:\Program Files\WindowsApps</ImageLoaded> <!-- Windows Store Apps: Apparently most dll's here are unsigned and causes noise -->
+			<!-- Custom App Exclusions -->
+			<ImageLoaded condition="is">C:\Program Files (x86)\AutoSizer\AutoSizer.dll</ImageLoaded> <!-- I use autosizer to re-arrange my windows -->
+			<ImageLoaded condition="contains">C:\Program Files (x86)\Notepad++</ImageLoaded> <!--Notepad++ Plugins Are unsigned-->
+			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image> <!-- eFolder SyncedTool -->
+			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Server loading unsigned dll's -->
+		</ImageLoad>
 
 	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
 		<!--COMMENT:	Monitor for processes injecting code into other processes. Often used by malware to cloak their actions. Also when Firefox loads Flash.

From f8e61313b56d0721cbd03d54e14b009d65a3d1ad Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 24 Feb 2018 15:03:46 -0500
Subject: [PATCH 215/471] add find.exe as imageloaded exclusion

---
 sysmonconfig-export.xml | 63 ++++++++++++++---------------------------
 1 file changed, 22 insertions(+), 41 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 354437eb..228a1217 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -718,48 +718,7 @@
 			<SignatureStatus condition="is">Unavailable</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
 			<ImageLoaded condition="contains">C:\windows\system32\fxsst.dll</ImageLoaded> <!-- CIA Vault7 Leak: Fax DLL Injection -->
 			<ImageLoaded condition="contains">C:\Windows\System32\wbem\oci.dll</ImageLoaded> <!-- CIA Vault7 Leak: Distributed Transaction Coordinator DLL Injection -->
-			<!-- Mimikatz Detection -->
-			<!-- <ImageLoaded condition="is">C:\Windows\System32\WinSCard.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
-			<!-- <ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
-			<!-- <ImageLoaded condition="is">C:\Windows\System32\hid.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
-			<!-- <ImageLoaded condition="is">C:\Windows\System32\samlib.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
-			<!-- <ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
-			<!-- <ImageLoaded condition="is">WMINet_Utils.dll</ImageLoaded> --> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
 			<ImageLoaded condition="contains">\Temp\</ImageLoaded>
-			<!-- END: Mimikatz Detection -->
-		<!--COMMENT:	Can cause high system load, disabled by default, important examples included below.-->
-			<!-- <ImageLoaded condition="contains">system.automation</ImageLoaded> -->
-			<!-- <ImageLoaded condition="image">wshom.ocx</ImageLoaded> -->
-			<!-- <ImageLoaded condition="image">vbscript.dll</ImageLoaded> -->
-			<!-- <ImageLoaded condition="image">javascript.dll</ImageLoaded> -->
-			<!-- <ImageLoaded condition="contains">msxml4</ImageLoaded> -->
-			<!-- <ImageLoaded condition="image">hal.dll</ImageLoaded> -->
-			<!-- <ImageLoaded condition="image">scrrun.dll</ImageLoaded> -->
-			<!-- <ImageLoaded condition="contains">npjpi</ImageLoaded> -->
-			<!-- <ImageLoaded condition="image">jp2iexp.dll</ImageLoaded> -->
-			<!-- Mimikatz -->
-			<!--NOTES: [ https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ ] -->
-			<!-- <ImageLoaded condition="image">wdigest.dll</ImageLoaded> -->
-			<!-- Microsoft & Common Computer Vendor Exclusions -->
-			<!-- Here are the exclude rules, were using include now :)
-			<Signature condition="contains">Microsoft</Signature>
-			<Signature condition="contains">Windows</Signature>
-			<Signature condition="contains">Dell</Signature>
-			<Signature condition="contains">Lenovo</Signature>
-			<Signature condition="contains">HP</Signature>
-			<Signature condition="contains">Micro-Star</Signature>
-			<Signature condition="contains">MSI</Signature>
-			<Signature condition="contains">Intel</Signature>
-			<Signature condition="contains">AMD</Signature>
-			<Signature condition="contains">Advanced Micro Devices</Signature>
-			<Signature condition="contains">Broadcom</Signature>
-			<Signature condition="contains">Realtek</Signature>
-			<Signature condition="contains">VMware</Signature>
-			<Signature condition="contains">Synaptic</Signature>
-			<Signature condition="contains">Logitech</Signature>
-			<Signature condition="contains">Steelseries</Signature>
-			<Signature condition="contains">Cisco</Signature>
-			<Signature condition="contains">Fortinet</Signature> -->
 		</ImageLoad>
 		<ImageLoad onmatch="exclude">
 			<SignatureStatus condition="is">Valid</SignatureStatus>
@@ -788,18 +747,23 @@
 			<Image condition="is">C:\Windows\System32\SearchFilterHost.exe</Image>
 			<Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image>
 			<Image condition="is">C:\Windows\sysmon64.exe</Image>
+			<ImageLoaded condition="is">C:\Windows\sysmon64.exe</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\conhost.exe</ImageLoaded>
 			<ImageLoaded condition="is">C:\Windows\System32\winspool.drv</ImageLoaded>
 			<ImageLoaded condition="is">C:\Windows\System32\wshqos.</ImageLoaded>
 			<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>
 			<ImageLoaded condition="is">C:\Windows\System32\clusapi.dll</ImageLoaded>
 			<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded>
 			<ImageLoaded condition="is">C:\Windows\System32\wow64win.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>
+			<ImageLoaded condition="begin with">C:\Windows\System32\spool\</ImageLoaded>
 			<ImageLoaded condition="end with">samlib.dll</ImageLoaded>
 			<ImageLoaded condition="contains">C:\Program Files (x86)\SmartGit</ImageLoaded> <!--SmartGit-->
 			<ImageLoaded condition="contains">syntevo\SmartGit</ImageLoaded> <!--SmartGit-->
 			<ImageLoaded condition="contains">Labtech Client</ImageLoaded>
 			<ImageLoaded condition="contains">CrystalDecisions</ImageLoaded>
 			<ImageLoaded condition="contains">ShoreWare</ImageLoaded>
+			<ImageLoaded condition="is">C:\Program Files\Microsoft SQL Server\100\Shared\dbghelp.dll</ImageLoaded>
 			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <!-- Windows Store apps unsigned -->
 			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
 			<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: Not good for security but good on cutting down the noise, we do log dropped dll's -->
@@ -810,6 +774,23 @@
 			<ImageLoaded condition="contains">C:\Program Files (x86)\Notepad++</ImageLoaded> <!--Notepad++ Plugins Are unsigned-->
 			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image> <!-- eFolder SyncedTool -->
 			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Server loading unsigned dll's -->
+			<Image condition="is">C:\Windows\System32\VSSVC.</Image>
+			<Image condition="is">C:\Windows\System32\conhost.exe</Image>
+			<Image condition="is">C:\Windows\System32\NETSTAT.EXE</Image>
+			<Image condition="is">C:\Windows\System32\inetsrv\w3wp.exe</Image>
+			<Image condition="is">C:\Windows\System32\tasklist.exe</Image>
+			<Image condition="is">C:\Windows\System32\nslookup.exe</Image>
+			<Image condition="is">C:\Windows\System32\find.exe</Image>
+			<Image condition="is">C:\cs\tools\php\php-cgi.exe</Image>
+			<Image condition="is">C:\Windows\System32\nbtstat.exe</Image>
+			<Image condition="is">C:\Windows\System32\dsquery.exe</Image>
+			<Image condition="is">C:\Windows\System32\netsh.exe</Image>
+			<Image condition="is">C:\Windows\System32\taskeng.exe</Image>
+			<Image condition="is">C:\ProgramData\sysmon\sysmon64.exe</Image>
+			<Image condition="contains">SQL Server</Image>
+			<ImageLoaded condition="contains">SQL Server</ImageLoaded>
+			<Image condition="contains">Exchange Server</Image>
+			<ImageLoaded condition="contains">Exchange Server</ImageLoaded>
 		</ImageLoad>
 
 	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->

From a6401694778b18bfc10067b2858e2cc182f73051 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 24 Feb 2018 15:05:46 -0500
Subject: [PATCH 216/471] add svchost imgloaded exclusion

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 228a1217..3048cc35 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -776,6 +776,7 @@
 			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Server loading unsigned dll's -->
 			<Image condition="is">C:\Windows\System32\VSSVC.</Image>
 			<Image condition="is">C:\Windows\System32\conhost.exe</Image>
+			<Image condition="is">C:\Windows\System32\svchost.exe</Image>
 			<Image condition="is">C:\Windows\System32\NETSTAT.EXE</Image>
 			<Image condition="is">C:\Windows\System32\inetsrv\w3wp.exe</Image>
 			<Image condition="is">C:\Windows\System32\tasklist.exe</Image>

From d1ace347d8533e04eed18d5d8b71861d83512f3f Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 24 Feb 2018 15:19:11 -0500
Subject: [PATCH 217/471] more exclusions for imgload

---
 sysmonconfig-export.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 3048cc35..92db4ac1 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -756,6 +756,13 @@
 			<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded>
 			<ImageLoaded condition="is">C:\Windows\System32\wow64win.dll</ImageLoaded>
 			<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\pcwum.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\kernel32.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\user32.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\dns.exe</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\zvprtmon5.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\termsrv.dll</ImageLoaded>
 			<ImageLoaded condition="begin with">C:\Windows\System32\spool\</ImageLoaded>
 			<ImageLoaded condition="end with">samlib.dll</ImageLoaded>
 			<ImageLoaded condition="contains">C:\Program Files (x86)\SmartGit</ImageLoaded> <!--SmartGit-->

From 21d0962e31ddda5db57e902c4f780abebd1fe349 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 24 Feb 2018 15:48:23 -0500
Subject: [PATCH 218/471] more imgloaded exclusions

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 92db4ac1..8defc261 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -747,6 +747,7 @@
 			<Image condition="is">C:\Windows\System32\SearchFilterHost.exe</Image>
 			<Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image>
 			<Image condition="is">C:\Windows\sysmon64.exe</Image>
+			<Image condition="is">C:\Windows\System32\inetsrv\w3wp.exe</Image>
 			<ImageLoaded condition="is">C:\Windows\sysmon64.exe</ImageLoaded>
 			<ImageLoaded condition="is">C:\Windows\System32\conhost.exe</ImageLoaded>
 			<ImageLoaded condition="is">C:\Windows\System32\winspool.drv</ImageLoaded>

From 278e23fa7de6b6340f6bc03517a9d2b64c52bd50 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 24 Feb 2018 15:57:51 -0500
Subject: [PATCH 219/471] Add testing Company/Product condition filtering

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 8defc261..162f5877 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -740,6 +740,8 @@
 			<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia libraries-->
 			<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed MSI libraries-->
 			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed MSI libraries-->
+			<Company condition="contains">Microsoft</Company>
+			<Product condition="contains">Microsoft</Product>
 			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
 			<Signature condition="contains">Webroot</Signature> <!--Exclude signed MSI libraries-->
 			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>

From c4c6cac7731449122f54a42d94086c6f19c8664a Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 27 Feb 2018 10:42:12 -0500
Subject: [PATCH 220/471] Add SQL Server Pipename exclusion

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 162f5877..5a2f60f3 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1627,6 +1627,7 @@
 			<!--SECTION: Microsoft DNS Server -->
 			<Image condition="is">C:\Windows\system32\dns.exe</Image>
 			<!--SECTION: Microsoft SQL Server -->
+			<PipeName condition="is">\sql\query</PipeName>
 			<Image condition="is">C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe</Image>
 			<!--SECTION: Microsoft Skype For Business Server -->
 			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exee</Image>

From 0ad4b9971f5dfd82add7a2e6b4a8b1a21314d70a Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 8 Mar 2018 09:36:44 -0500
Subject: [PATCH 221/471] silence epmap traffic

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 5a2f60f3..7fc23c07 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -622,6 +622,8 @@
 			<SourcePortName condition="is">llmnr</SourcePortName> <!--Silence Link-Local Multicast Name Resolution-->
 			<SourcePortName condition="is">ldap</SourcePortName> <!--Silence LDAP-->
 			<DestinationPortName condition="is">ldap</DestinationPortName> <!--Silence LDAP-->
+			<DestinationPortName condition="is">epmap</DestinationPortName> <!--Silence LDAP-->
+			<SourcePortName condition="is">epmap</SourcePortName> <!--Silence LDAP-->
 			<SourcePortName condition="is">ntp</SourcePortName> <!--Silence NTP-->
 			<DestinationPortName condition="is">ntp</DestinationPortName> <!--Silence NTP-->
 			<DestinationPortName condition="is">llmnr</DestinationPortName> <!--Silence Link-Local Multicast Name Resolution-->

From 5852d77035b542c5c4e0eca767124c813d554fbf Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 8 Mar 2018 09:44:16 -0500
Subject: [PATCH 222/471] add port 135 exclude

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 7fc23c07..70d5cb56 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -624,6 +624,8 @@
 			<DestinationPortName condition="is">ldap</DestinationPortName> <!--Silence LDAP-->
 			<DestinationPortName condition="is">epmap</DestinationPortName> <!--Silence LDAP-->
 			<SourcePortName condition="is">epmap</SourcePortName> <!--Silence LDAP-->
+			<SourcePort condition="is">135</SourcePort>  <!--epmap Port-->
+			<DestinationPort condition="is">135</DestinationPort>  <!--epmap Port-->
 			<SourcePortName condition="is">ntp</SourcePortName> <!--Silence NTP-->
 			<DestinationPortName condition="is">ntp</DestinationPortName> <!--Silence NTP-->
 			<DestinationPortName condition="is">llmnr</DestinationPortName> <!--Silence Link-Local Multicast Name Resolution-->

From 84ce0c34e5bbe796488bc0026f5663fc2111a53a Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 9 Mar 2018 12:40:30 -0500
Subject: [PATCH 223/471] Enable RDP History Tracking

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 70d5cb56..2337c929 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1274,6 +1274,8 @@
 			<!--Detect User Activity-->
 			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
+			<!--RDP History Tracking-->
+			<TargetObject condition="begin with">HKCU\Software\Microsoft\Terminal Server Client</TargetObject>
 			<!--Detect Threats from Webroot Antivirus-->
 			<!--Active threats show like so: c:\users\JohnDoe\downloads\w10privacy\w10privacy.exe|W32.Backdoor.Gen|5880BC38 Reg Key Location: HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active-->
 			<TargetObject condition="contains">\WRData\Threats\Active</TargetObject><!--Detect Active Threats-->

From bd3688bd816f7d2f673339eac21c33399624c60b Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 9 Mar 2018 12:56:32 -0500
Subject: [PATCH 224/471] remove HKCU

---
 sysmonconfig-export.xml | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 2337c929..1039d5a5 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1241,23 +1241,23 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
 			<!--Common Malware Persistence locations-->
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
 			<TargetObject condition="contains">CurrentVersion\Windows\Load</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
 			<TargetObject condition="contains">CurrentVersion\Windows\Run</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
 			<TargetObject condition="contains">CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/ms838576(v=winembedded.5).aspx ] -->
 			<TargetObject condition="contains">CurrentVersion\Winlogon\System</TargetObject> <!--Microsoft:Windows [ https://www.exterminate-it.com/malpedia/regvals/zlob-dns-changer/118 ] -->
 			<!--Group Policy Scripts-->
-			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
-			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
+			<TargetObject condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
+			<TargetObject condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
-			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
-			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
 			<!--Detect Network History-->
@@ -1272,20 +1272,20 @@
 			<TargetObject condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
 			<TargetObject condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
 			<!--Detect User Activity-->
-			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
 			<!--RDP History Tracking-->
-			<TargetObject condition="begin with">HKCU\Software\Microsoft\Terminal Server Client</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Terminal Server Client</TargetObject>
 			<!--Detect Threats from Webroot Antivirus-->
 			<!--Active threats show like so: c:\users\JohnDoe\downloads\w10privacy\w10privacy.exe|W32.Backdoor.Gen|5880BC38 Reg Key Location: HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active-->
 			<TargetObject condition="contains">\WRData\Threats\Active</TargetObject><!--Detect Active Threats-->
 			<TargetObject condition="contains">\WRData\Threats\History</TargetObject><!--Detect Threat History & Auto-Removed Threats-->
 			<!--Detect Changes to Proxy Server Setting-->
-			<TargetObject condition="contains">HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
 			<!--Detect Browser Hijackers-->
-			<TargetObject condition="begin with">HKCU\Software\Microsoft\Internet Explorer\DOMStorage\</TargetObject>
-			<TargetObject condition="begin with">HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\</TargetObject>
-			<TargetObject condition="begin with">HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Internet Explorer\DOMStorage\</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\</TargetObject>
+			<TargetObject condition="contains">\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage</TargetObject>
 			<!--Detect Unauthorized Firewall Changes-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject> <!--Check for apps added to Firewall Auth List-->
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject> <!--Detect: UAC Tampering-->
@@ -1313,16 +1313,16 @@
 			<!-- Detect Root Certificate Store Hijacking and Unauthorized changes -->
 			<!-- Lots of noise from multiple locations, need a better monitor
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates</TargetObject>
-			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\SystemCertificates</TargetObject>
+			<TargetObject condition="contains">\Software\Policies\Microsoft\SystemCertificates</TargetObject>
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates</TargetObject>
-			<TargetObject condition="begin with">HKCU\SOFTWARE\Microsoft\EnterpriseCertificates</TargetObject>
+			<TargetObject condition="contains">\SOFTWARE\Microsoft\EnterpriseCertificates</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SystemCertificates</TargetObject>
-			<TargetObject condition="begin with">HKCU\SOFTWARE\Microsoft\SystemCertificates</TargetObject>
+			<TargetObject condition="contains">\SOFTWARE\Microsoft\SystemCertificates</TargetObject>
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\CertSvc</TargetObject>
 			-->
 			<!-- Other Stuff -->	
-			<TargetObject condition="begin with">HKCU\Software\Classes\mscfile\shell\open\command</TargetObject> <!-- Fileless Bypass of UAC: http://resources.infosecinstitute.com/new-born-macro-malware-dropping-rootkits-using-fileless-infection-vector -->
+			<TargetObject condition="contains">\Software\Classes\mscfile\shell\open\command</TargetObject> <!-- Fileless Bypass of UAC: http://resources.infosecinstitute.com/new-born-macro-malware-dropping-rootkits-using-fileless-infection-vector -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject><!--Identify Rogue Scheduled Task ID's -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject><!--Identify Rogue Scheduled Task ID's added to Logon -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot</TargetObject><!--Identify Rogue Scheduled Task ID's added to Boot -->
@@ -1515,10 +1515,10 @@
 			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image> <!--Constantly writes to HKLM-->
 			<!-- Search Protocol Host & Sysmon spam the SystemCertificates keystores, adding exclusions below -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\</TargetObject>
-			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\SystemCertificates\</TargetObject>
+			<TargetObject condition="contains">\Software\Policies\Microsoft\SystemCertificates\</TargetObject>
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\</TargetObject>
-			<TargetObject condition="begin with">HKCU\SOFTWARE\Microsoft\EnterpriseCertificates\</TargetObject>
+			<TargetObject condition="contains">\SOFTWARE\Microsoft\EnterpriseCertificates\</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SystemCertificates\</TargetObject>
 			<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
 			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports</TargetObject> <!-- Spooler Noise -->

From 6bbb856a481cffcbab638e3f40a8b27095387b40 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 13 Mar 2018 01:12:02 -0400
Subject: [PATCH 225/471] Remove Duplicates

---
 sysmonconfig-export.xml | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 1039d5a5..b8f3b8b8 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -173,7 +173,6 @@
 			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
 			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
 			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font cache service-->
-			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font cache service-->
 			<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
 			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
 			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
@@ -320,7 +319,6 @@
 			<CommandLine condition="contains">nbtstat.exe</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">dsquery</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
 			<CommandLine condition="contains">sc query</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">sc query</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">find /i "Listening"</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">netstat -an</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">tasklist</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
@@ -639,7 +637,6 @@
 			<DestinationPort condition="is">5357</DestinationPort> <!--WSD API noise-->
 			<DestinationPort condition="is">3544</DestinationPort> <!--Teredo-->
 			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
-			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
 			<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
 			<Image condition="is">C:\Program Files (x86)\SmartGit\jre\bin\java.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image>
@@ -968,7 +965,6 @@
 			<TargetFilename condition="end with">.lnk</TargetFilename>
 			<TargetFilename condition="end with">.eml</TargetFilename>
 			<TargetFilename condition="end with">.msg</TargetFilename>
-			<TargetFilename condition="end with">.msg</TargetFilename>
 			<TargetFilename condition="end with">.SCT</TargetFilename>
 			<TargetFilename condition="end with">.SCR</TargetFilename>
 			<TargetFilename condition="end with">.SHB</TargetFilename>
@@ -1744,7 +1740,6 @@
 			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\bin\git.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
 			<PipeName condition="contains">Anonymous Pipe</PipeName> <!-- NOTICE: Comment this out if you dont use Labtech, labtech nests processes and causes excessive noise -->
 			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiESNAC.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image>
@@ -1767,7 +1762,6 @@
 			<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel RMS License Manager\WinNT\mfcesd.exe</Image>
 			<Image condition="is">C:\Pfx Engagement\WM\PFXEngagement.exe</Image>
-			<Image condition="is">C:\Pfx Engagement\WM\PfxEngagement.exe</Image>
 			<Image condition="is">C:\Pfx Engagement\WM\Pfx.KnowledgeCoach.SharedServices.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\Micro Focus\COBOL Server 2012\bin\mfds.exe</Image>
 			<Image condition="is">ScreenConnect.WindowsClient.exe</Image>

From 34c6c164fabaff413c7add3802baac66f5a33ebe Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Wed, 14 Mar 2018 10:23:48 -0400
Subject: [PATCH 226/471] cleanup

---
 sysmonconfig-export.xml | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index b8f3b8b8..64478cbe 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1180,11 +1180,6 @@
 			<TargetObject condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
 			<TargetObject condition="contains">\Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
 			<TargetObject condition="contains">\Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
-			<TargetObject condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
 			<TargetObject condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
 			<!--AppPaths hijacking-->
@@ -1227,7 +1222,7 @@
 			<TargetObject condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
 			<!--Infection artifacts-->
 			<TargetObject condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
-			<TargetObject condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and componenent installations-->
+			<TargetObject condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and component installations-->
 			<!--Windows internals integrity monitoring-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject> <!--Microsoft:Windows: Malware likes changing IFEO-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
@@ -1338,11 +1333,6 @@
 			<TargetObject condition="end with">\FriendlyName</TargetObject> <!--Microsoft:Windows: New devices connected and remembered-->
 			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject> <!-- Detect Keyloggers & new Keyboards -->
-			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{955C0D7D-042E-4034-9D54-EBD52477A6DB}\</TargetObject> <!--Too much noise -->
-			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{BEACC58F-E643-4e97-B19E-95F6EE3500FA}\</TargetObject> <!--Too much noise -->
-			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{07598BD3-ABBE-4bee-959F-7B90253EADFF}\</TargetObject> <!--Too much noise -->
-			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{31240348-66EE-4F14-A42A-39F373A834C7}\</TargetObject> <!--Too much noise -->
-			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{8C8EC235-0786-4DAD-A957-1A6CD76C28F5}\</TargetObject> <!--Too much noise -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject> <!-- Detect: Dns Server dll injection -->
 			<!--Windows application compatibility shims-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
@@ -1473,6 +1463,11 @@
 			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf</TargetObject>
 			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac</TargetObject>
 			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf</TargetObject>
+			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{955C0D7D-042E-4034-9D54-EBD52477A6DB}\</TargetObject> <!--Too much noise -->
+			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{BEACC58F-E643-4e97-B19E-95F6EE3500FA}\</TargetObject> <!--Too much noise -->
+			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{07598BD3-ABBE-4bee-959F-7B90253EADFF}\</TargetObject> <!--Too much noise -->
+			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{31240348-66EE-4F14-A42A-39F373A834C7}\</TargetObject> <!--Too much noise -->
+			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{8C8EC235-0786-4DAD-A957-1A6CD76C28F5}\</TargetObject> <!--Too much noise -->
 			<!--Group Policy noise-->
 			<TargetObject condition="end with">HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups</TargetObject> <!--Microsoft:Windows: Routinely set through Group Policy, not especially important to log-->
 			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->

From 8f1524d15152e0539c23b47dff76a841149e50a2 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 15 Mar 2018 11:46:24 -0400
Subject: [PATCH 227/471] processaccess test

---
 sysmonconfig-export.xml | 42 +++++++++--------------------------------
 1 file changed, 9 insertions(+), 33 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 64478cbe..4cfd97b5 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -843,45 +843,21 @@
 		<!--EVENT 10: "Process accessed"-->
 		<!--COMMENT:	Can cause high system load, disabled by default.-->
 		<!--COMMENT:	Monitor for processes accessing other process' memory.-->
-
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
-		<!--<ProcessAccess onmatch="include"> -->
+		<ProcessAccess onmatch="include">
 		<!--COMMENT:	Monitor for processes accessing other process' memory. This can be valuable, but can cause massive event glut.
 				Disabled by default since including even one entry here activates this component. Reward/performance decision.
 				Encourage you to experiment with this feature yourself.
 				Uses 4mbs+ IO -->
-			<!-- Hancitor process hollowing -->
-			<!-- <SourceImage condition="image">winword.exe</SourceImage> -->
-			<!-- <SourceImage condition="image">excel.exe</SourceImage> -->
-			<!-- <SourceImage condition="image">mspub.exe</SourceImage> -->
-			<!-- <SourceImage condition="image">msbuild.exe</SourceImage> -->
-			<!-- <SourceImage condition="image">powerpnt.exe</SourceImage> -->
-			<!-- <SourceImage condition="contains">powershell.exe</SourceImage> -->
-			<!-- ShellCode Spawned from Office Macros Credit: @JohnLaTwC -->
-			<!-- <CallTrace condition="contains">VBE7.dll</CallTrace> -->
-			<!-- <CallTrace condition="contains">VBE6.dll</CallTrace> -->
- 			<!--Include mimikatz-specific events.-->
-			<!-- <TargetImage condition="contains">C:\Windows\System32\lsass.exe</TargetImage> -->
-			<!-- <TargetImage condition="contains">C:\Windows\System32\winlogon.exe</TargetImage> -->
-			<!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
-			<!-- <CallTrace condition="contains">WinSCard.dll</CallTrace>  -->
-			<!-- <CallTrace condition="contains">cryptdll.dll</CallTrace> -->
-			<!-- <CallTrace condition="contains">hid.dll</CallTrace> -->
-			<!-- <CallTrace condition="contains">samlib.dll</CallTrace> -->
-			<!-- <CallTrace condition="contains">vaultcli.dll</CallTrace> -->
-			<!-- <CallTrace condition="contains">WMINet_Utils.dll</CallTrace> -->
-			<!-- END: Mimikatz Detection -->		
-		<!--</ProcessAccess> -->
-		<!--<ProcessAccess onmatch="exclude"> -->
-			<!-- <SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage> -->
-			<!-- <SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage> -->
-			<!-- <TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage> -->
-			<!-- <TargetImage condition="is">C:\Windows\Sysmon.exe</TargetImage> -->
-			<!-- ShellCode Spawned from Office Macros: Credit: @JohnLaTwC -->
-			<!-- <CallTrace condition="excludes">UNKNOWN</CallTrace> -->
+		</ProcessAccess>
+		<ProcessAccess onmatch="exclude">
+			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
+			<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
+			<TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
+			<TargetImage condition="is">C:\Windows\Sysmon.exe</TargetImage>
 			<!-- ScreenConnect Querying lsass/winlogon SPAM -->
-			<!-- <SourceImage condition="contains">C:\Program Files (x86)\ScreenConnect Client</SourceImage> -->
-		<!--</ProcessAccess> -->
+			<SourceImage condition="contains">C:\Program Files (x86)\ScreenConnect Client</SourceImage>
+		</ProcessAccess>
 
 	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
 		<!--EVENT 11: "File created"-->

From b4a632eaa94aa85004733e21ae903eb74d2c6565 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 15 Mar 2018 11:49:39 -0400
Subject: [PATCH 228/471] sysmon exclusion

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 4cfd97b5..6e5c6f2e 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -855,6 +855,8 @@
 			<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
 			<TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
 			<TargetImage condition="is">C:\Windows\Sysmon.exe</TargetImage>
+			<TargetImage condition="is">C:\Windows\Sysmon64.exe</TargetImage>
+			<SourceImage condition="is">C:\Windows\Sysmon64.exe</SourceImage>
 			<!-- ScreenConnect Querying lsass/winlogon SPAM -->
 			<SourceImage condition="contains">C:\Program Files (x86)\ScreenConnect Client</SourceImage>
 		</ProcessAccess>

From 2ce2cfd7afd81d24e836027cbf4f611be53984a3 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 15 Mar 2018 12:53:57 -0400
Subject: [PATCH 229/471] mimikatz detection

---
 sysmonconfig-export.xml | 47 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 6e5c6f2e..231c06e8 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -845,12 +845,52 @@
 		<!--COMMENT:	Monitor for processes accessing other process' memory.-->
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
 		<ProcessAccess onmatch="include">
+			<TargetImage condition="end with">:\Windows\System32\lsass.exe</TargetImage>
+			<TargetImage condition="end with">:\Windows\System32\winlogon.exe</TargetImage>
+			<SourceImage condition="contains">Microsoft Office</SourceImage>
+			<SourceImage condition="contains">powershell.exe</SourceImage>
+			<TargetImage condition="contains">verclsid.exe</TargetImage>
+			<CallTrace condition="contains">UNKNOWN</CallTrace>
+			<CallTrace condition="contains">VBE</CallTrace>
+			<CallTrace condition="contains">CorperfmontExt.dll</CallTrace>
 		<!--COMMENT:	Monitor for processes accessing other process' memory. This can be valuable, but can cause massive event glut.
 				Disabled by default since including even one entry here activates this component. Reward/performance decision.
 				Encourage you to experiment with this feature yourself.
 				Uses 4mbs+ IO -->
 		</ProcessAccess>
 		<ProcessAccess onmatch="exclude">
+			<!-- Filter out common access masks
+			A reference is available here for the mask: https://msdn.microsoft.com/en-us/library/windows/desktop/ms684880%28v=vs.85%29.aspx
+			Ideally an access mask with any of the following is useful:
+			PROCESS_VM_WRITE (0x0020)
+			PROCESS_VM_READ (0x0010)
+			PROCESS_VM_OPERATION (0x0008)
+          
+			0x1410 (potential memory read) is common activity. E.g. by taskmgr.exe. We only want to capture this against lsass.exe and winlogon.exe, but this logic is in the subscription.
+			-->
+			<GrantedAccess condition="is">0x40</GrantedAccess>
+			<GrantedAccess condition="is">0x101000</GrantedAccess>
+			<GrantedAccess condition="is">0x1000</GrantedAccess>
+			<GrantedAccess condition="is">0x1400</GrantedAccess>
+			<GrantedAccess condition="is">0x100000</GrantedAccess>
+			<GrantedAccess condition="is">0x3200</GrantedAccess>
+			<GrantedAccess condition="is">0x101400</GrantedAccess>
+			<GrantedAccess condition="is">0x101001</GrantedAccess>
+			
+			<!-- These binaries appear to access lsass legitimately -->
+			<SourceImage condition="contains">taskmgr</SourceImage>
+			<SourceImage condition="end with">:\Windows\System32\wbem\wmiprvse.exe</SourceImage>
+			<SourceImage condition="end with">\EMET_Service.exe</SourceImage>
+			<SourceImage condition="end with">\EMET_GUI.exe</SourceImage>
+			<SourceImage condition="end with">\procexp64.exe</SourceImage>
+			<SourceImage condition="contains">processhacker</SourceImage>
+			<SourceImage condition="end with">\Bin\FMS.exe</SourceImage> <!-- Exchange Process -->
+			<SourceImage condition="contains">\Exchange Server\</SourceImage>
+			<SourceImage condition="contains">SQL</SourceImage>
+			<SourceImage condition="end with">:\Windows\System32\smss.exe</SourceImage>
+			<SourceImage condition="end with">:\Windows\system32\csrss.exe</SourceImage>
+			<SourceImage condition="end with">:\Windows\system32\wininit.exe</SourceImage>
+			<SourceImage condition="end with">\Google\Update\GoogleUpdate.exe</SourceImage>
 			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
 			<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
 			<TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
@@ -858,7 +898,12 @@
 			<TargetImage condition="is">C:\Windows\Sysmon64.exe</TargetImage>
 			<SourceImage condition="is">C:\Windows\Sysmon64.exe</SourceImage>
 			<!-- ScreenConnect Querying lsass/winlogon SPAM -->
-			<SourceImage condition="contains">C:\Program Files (x86)\ScreenConnect Client</SourceImage>
+			<SourceImage condition="contains">ScreenConnect</SourceImage>
+			<!-- These binaries get or access processes running .NET -->
+			<SourceImage condition="end with">:\Windows\system32\sppsvc.exe</SourceImage>
+			<SourceImage condition="end with">:\Windows\system32\sdiagnhost.exe</SourceImage>
+			<!-- In testing a common false-positive is memory space that DLLS would be expected to mapped to. -->
+			<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
 		</ProcessAccess>
 
 	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->

From 81ce48dd0a786a8e811e9d9e7127baaab0c4ee19 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 15 Mar 2018 13:00:32 -0400
Subject: [PATCH 230/471] sysmon exclusion (reverted from commit
 b4a632eaa94aa85004733e21ae903eb74d2c6565)

---
 sysmonconfig-export.xml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 231c06e8..e458b4f0 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -895,8 +895,6 @@
 			<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
 			<TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
 			<TargetImage condition="is">C:\Windows\Sysmon.exe</TargetImage>
-			<TargetImage condition="is">C:\Windows\Sysmon64.exe</TargetImage>
-			<SourceImage condition="is">C:\Windows\Sysmon64.exe</SourceImage>
 			<!-- ScreenConnect Querying lsass/winlogon SPAM -->
 			<SourceImage condition="contains">ScreenConnect</SourceImage>
 			<!-- These binaries get or access processes running .NET -->

From 11b3db7eb69204f7446acab75b3e3e0aa77e1450 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 15 Mar 2018 13:07:15 -0400
Subject: [PATCH 231/471] revert

---
 sysmonconfig-export.xml | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e458b4f0..9db0c642 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -845,14 +845,6 @@
 		<!--COMMENT:	Monitor for processes accessing other process' memory.-->
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
 		<ProcessAccess onmatch="include">
-			<TargetImage condition="end with">:\Windows\System32\lsass.exe</TargetImage>
-			<TargetImage condition="end with">:\Windows\System32\winlogon.exe</TargetImage>
-			<SourceImage condition="contains">Microsoft Office</SourceImage>
-			<SourceImage condition="contains">powershell.exe</SourceImage>
-			<TargetImage condition="contains">verclsid.exe</TargetImage>
-			<CallTrace condition="contains">UNKNOWN</CallTrace>
-			<CallTrace condition="contains">VBE</CallTrace>
-			<CallTrace condition="contains">CorperfmontExt.dll</CallTrace>
 		<!--COMMENT:	Monitor for processes accessing other process' memory. This can be valuable, but can cause massive event glut.
 				Disabled by default since including even one entry here activates this component. Reward/performance decision.
 				Encourage you to experiment with this feature yourself.

From 30a7650465956207b0999dd7959ec92da7e11fba Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 15 Mar 2018 15:46:18 -0400
Subject: [PATCH 232/471] Named Pipe Cleanup

---
 sysmonconfig-export.xml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 9db0c642..1ca9b01a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1629,11 +1629,7 @@
 			<Image condition="is">C:\Windows\syswow64\snmp.exe</Image>
 			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE</Image>
 			<!--SECTION: Microsoft Exchange Server -->
-			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\ParserServer\ParserServer.exe</Image>
-			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe</Image>
-			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe</Image>
-			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe</Image>
-			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe</Image>
+			<Image condition="contains">Exchange Server</Image>
 			<!--SECTION: Microsoft DNS Server -->
 			<Image condition="is">C:\Windows\system32\dns.exe</Image>
 			<!--SECTION: Microsoft SQL Server -->
@@ -1775,6 +1771,11 @@
 			<Image condition="is">ScreenConnect.WindowsClient.exe</Image>
 			<Image condition="is">ScreenConnect.ClientService.exe</Image>
 			<Image condition="is">QBW32.EXE</Image>
+			<Image condition="end with">EXCEL.EXE</Image>
+			<Image condition="end with">ADCUpdate.exe</Image>
+			<Image condition="end with">Hydrous.Host.exe</Image>
+			<Image condition="end with">TNSLSNR.exe</Image>
+			<Image condition="contains">ShoreWare Server</Image>
 		</PipeEvent>
 
 	<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->

From ea06a5b21ef770ae3059406c043a3df75902ca9a Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 15 Mar 2018 15:48:45 -0400
Subject: [PATCH 233/471] revert (reverted from commit
 11b3db7eb69204f7446acab75b3e3e0aa77e1450)

just monitor lsass and winlogon
---
 sysmonconfig-export.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 1ca9b01a..9f4c225c 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -845,6 +845,14 @@
 		<!--COMMENT:	Monitor for processes accessing other process' memory.-->
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
 		<ProcessAccess onmatch="include">
+			<TargetImage condition="end with">:\Windows\System32\lsass.exe</TargetImage>
+			<TargetImage condition="end with">:\Windows\System32\winlogon.exe</TargetImage>
+			<SourceImage condition="contains">Microsoft Office</SourceImage>
+			<SourceImage condition="contains">powershell.exe</SourceImage>
+			<TargetImage condition="contains">verclsid.exe</TargetImage>
+			<CallTrace condition="contains">UNKNOWN</CallTrace>
+			<CallTrace condition="contains">VBE</CallTrace>
+			<CallTrace condition="contains">CorperfmontExt.dll</CallTrace>
 		<!--COMMENT:	Monitor for processes accessing other process' memory. This can be valuable, but can cause massive event glut.
 				Disabled by default since including even one entry here activates this component. Reward/performance decision.
 				Encourage you to experiment with this feature yourself.

From 5d054a297464ea2d0fc124f82efe6521f5d4aec7 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 15 Mar 2018 15:49:19 -0400
Subject: [PATCH 234/471] remove unknown, edit vbe7

---
 sysmonconfig-export.xml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 9f4c225c..85f26ba3 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -847,11 +847,9 @@
 		<ProcessAccess onmatch="include">
 			<TargetImage condition="end with">:\Windows\System32\lsass.exe</TargetImage>
 			<TargetImage condition="end with">:\Windows\System32\winlogon.exe</TargetImage>
-			<SourceImage condition="contains">Microsoft Office</SourceImage>
 			<SourceImage condition="contains">powershell.exe</SourceImage>
 			<TargetImage condition="contains">verclsid.exe</TargetImage>
-			<CallTrace condition="contains">UNKNOWN</CallTrace>
-			<CallTrace condition="contains">VBE</CallTrace>
+			<CallTrace condition="contains">VBE7.dll</CallTrace>
 			<CallTrace condition="contains">CorperfmontExt.dll</CallTrace>
 		<!--COMMENT:	Monitor for processes accessing other process' memory. This can be valuable, but can cause massive event glut.
 				Disabled by default since including even one entry here activates this component. Reward/performance decision.

From be53ff139b62742ac5487383710e57fd56c4cf03 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 15 Mar 2018 15:52:51 -0400
Subject: [PATCH 235/471] Add shadowprotect exclusion

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 85f26ba3..1decd108 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -893,6 +893,7 @@
 			<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
 			<TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
 			<TargetImage condition="is">C:\Windows\Sysmon.exe</TargetImage>
+			<TargetImage condition="is">C:\Windows\Sysmon64.exe</TargetImage>
 			<!-- ScreenConnect Querying lsass/winlogon SPAM -->
 			<SourceImage condition="contains">ScreenConnect</SourceImage>
 			<!-- These binaries get or access processes running .NET -->
@@ -900,6 +901,7 @@
 			<SourceImage condition="end with">:\Windows\system32\sdiagnhost.exe</SourceImage>
 			<!-- In testing a common false-positive is memory space that DLLS would be expected to mapped to. -->
 			<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
+			<SourceImage condition="contains">ShadowProtect</SourceImage>
 		</ProcessAccess>
 
 	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->

From 941938240162baca1617ce3e526ce886cdfe00b1 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 15 Mar 2018 15:56:07 -0400
Subject: [PATCH 236/471] add additional exclusions

---
 sysmonconfig-export.xml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 1decd108..34a14d38 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -890,6 +890,7 @@
 			<SourceImage condition="end with">:\Windows\system32\wininit.exe</SourceImage>
 			<SourceImage condition="end with">\Google\Update\GoogleUpdate.exe</SourceImage>
 			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
+			<SourceImage condition="is">C:\Program Files\Webroot\WRSA.exe</SourceImage>
 			<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
 			<TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
 			<TargetImage condition="is">C:\Windows\Sysmon.exe</TargetImage>
@@ -902,6 +903,14 @@
 			<!-- In testing a common false-positive is memory space that DLLS would be expected to mapped to. -->
 			<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
 			<SourceImage condition="contains">ShadowProtect</SourceImage>
+			<SourceImage condition="contains">ShadowProtect</SourceImage>
+			<SourceImage condition="is">C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\msiexec.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
+			
+			<SourceImage condition="is">C:\Hlthpnt\bin\IM.exe</SourceImage>
+			
+			
 		</ProcessAccess>
 
 	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->

From b3db166a9737f0b7069668ca2bdd22c17061ca36 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 15 Mar 2018 15:57:11 -0400
Subject: [PATCH 237/471] exclusions

---
 sysmonconfig-export.xml | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 34a14d38..1bd82eb0 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -876,6 +876,9 @@
 			<GrantedAccess condition="is">0x101001</GrantedAccess>
 			
 			<!-- These binaries appear to access lsass legitimately -->
+			<SourceImage condition="is">C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\msiexec.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
 			<SourceImage condition="contains">taskmgr</SourceImage>
 			<SourceImage condition="end with">:\Windows\System32\wbem\wmiprvse.exe</SourceImage>
 			<SourceImage condition="end with">\EMET_Service.exe</SourceImage>
@@ -903,14 +906,8 @@
 			<!-- In testing a common false-positive is memory space that DLLS would be expected to mapped to. -->
 			<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
 			<SourceImage condition="contains">ShadowProtect</SourceImage>
-			<SourceImage condition="contains">ShadowProtect</SourceImage>
-			<SourceImage condition="is">C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\system32\msiexec.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
-			
 			<SourceImage condition="is">C:\Hlthpnt\bin\IM.exe</SourceImage>
-			
-			
+			<SourceImage condition="is">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe</SourceImage>
 		</ProcessAccess>
 
 	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->

From 1323a4677699ea285d2127e1a97ccb419518a1a7 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 15 Mar 2018 16:01:27 -0400
Subject: [PATCH 238/471] add additional legit exclusions

---
 sysmonconfig-export.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 1bd82eb0..bbc8c7d4 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -908,6 +908,9 @@
 			<SourceImage condition="contains">ShadowProtect</SourceImage>
 			<SourceImage condition="is">C:\Hlthpnt\bin\IM.exe</SourceImage>
 			<SourceImage condition="is">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe</SourceImage>
+			<SourceImage condition="is">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</SourceImage>
+			<SourceImage condition="begin with">C:\ProgramData\WebEx\webex\</SourceImage>
+			<SourceImage condition="end with">Dropbox\Update\DropboxUpdate.exe</SourceImage>
 		</ProcessAccess>
 
 	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->

From 6880c641992e188c4cdf91ec2330bfae7369ed39 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 15 Mar 2018 16:05:16 -0400
Subject: [PATCH 239/471] add labtech from paccess

---
 sysmonconfig-export.xml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index bbc8c7d4..e2f9ed36 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -907,10 +907,11 @@
 			<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
 			<SourceImage condition="contains">ShadowProtect</SourceImage>
 			<SourceImage condition="is">C:\Hlthpnt\bin\IM.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</SourceImage>
+			<SourceImage condition="end with">Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe</SourceImage>
+			<SourceImage condition="end with">Common Files\Adobe\AdobeGCClient\AGSService.exe</SourceImage>
 			<SourceImage condition="begin with">C:\ProgramData\WebEx\webex\</SourceImage>
 			<SourceImage condition="end with">Dropbox\Update\DropboxUpdate.exe</SourceImage>
+			<SourceImage condition="end with">LTSvc\LTSVC.exe</SourceImage>
 		</ProcessAccess>
 
 	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->

From daaa5dd8142ca80c53ed57f18005d00dc166cdbb Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 15 Mar 2018 16:10:51 -0400
Subject: [PATCH 240/471] add trusteer rapport exclusion

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e2f9ed36..839dd888 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -912,6 +912,7 @@
 			<SourceImage condition="begin with">C:\ProgramData\WebEx\webex\</SourceImage>
 			<SourceImage condition="end with">Dropbox\Update\DropboxUpdate.exe</SourceImage>
 			<SourceImage condition="end with">LTSvc\LTSVC.exe</SourceImage>
+			<SourceImage condition="end with">\Trusteer\Rapport\bin\RapportMgmtService.exe</SourceImage>
 		</ProcessAccess>
 
 	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->

From c54a65c96a860594958e5aeae7f1535319e2a650 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 15 Mar 2018 16:12:06 -0400
Subject: [PATCH 241/471] adjust wmiprvse.exe

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 839dd888..9c3b2c61 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -880,7 +880,7 @@
 			<SourceImage condition="is">C:\Windows\system32\msiexec.exe</SourceImage>
 			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
 			<SourceImage condition="contains">taskmgr</SourceImage>
-			<SourceImage condition="end with">:\Windows\System32\wbem\wmiprvse.exe</SourceImage>
+			<SourceImage condition="end with">wbem\wmiprvse.exe</SourceImage>
 			<SourceImage condition="end with">\EMET_Service.exe</SourceImage>
 			<SourceImage condition="end with">\EMET_GUI.exe</SourceImage>
 			<SourceImage condition="end with">\procexp64.exe</SourceImage>

From d2a3079ceac360fb5fc7b6a6984be472aae4380d Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 15 Mar 2018 16:47:24 -0400
Subject: [PATCH 242/471] add spooler exclusions to paccess

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 9c3b2c61..9ae42457 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -879,6 +879,7 @@
 			<SourceImage condition="is">C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
 			<SourceImage condition="is">C:\Windows\system32\msiexec.exe</SourceImage>
 			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\spoolsv.exe</SourceImage>
 			<SourceImage condition="contains">taskmgr</SourceImage>
 			<SourceImage condition="end with">wbem\wmiprvse.exe</SourceImage>
 			<SourceImage condition="end with">\EMET_Service.exe</SourceImage>

From d0f022feb2f2147e74b2240bb106fda3a1a79479 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 19 Mar 2018 08:41:39 -0400
Subject: [PATCH 243/471] Big registry autorun additions

---
 sysmonconfig-export.xml | 46 +++++++++++++++++++++++++++++++++++------
 1 file changed, 40 insertions(+), 6 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 9ae42457..83f35146 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1172,7 +1172,10 @@
 			<TargetObject condition="end with">\ServiceDll</TargetObject> <!--Microsoft:Windows: Points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ] -->
 			<TargetObject condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: Points to a service's EXE [ https://github.com/crypsisgroup/Splunkmon/blob/master/sysmon.cfg ] -->
 			<TargetObject condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual)-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
+			<TargetObject condition="contains">Session Manager\KnownDlls</TargetObject>
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</TargetObject> <!-- Print Monitor DLL's loaded at startup can be malicious, lets monitor those -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers</TargetObject> <!-- Print Provider DLL's loaded at startup can be malicious, lets monitor those -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
 			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
@@ -1196,6 +1199,19 @@
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject> <!-- Windows Debugger Hijack Autorun -->
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ] -->
 			<TargetObject condition="contains">UserInitMprLogonScript</TargetObject> <!--Microsoft:Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ] -->
+			<TargetObject condition="end with">\CurrentVersion\Font Drivers</TargetObject>
+			<TargetObject condition="contains">Active Setup\Installed Components</TargetObject>
+			<TargetObject condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
+			<TargetObject condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
+			<TargetObject condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
+			<TargetObject condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
+			<TargetObject condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
+			<TargetObject condition="contains">SafeBoot\AlternateShell</TargetObject>
+			<TargetObject condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
+			<TargetObject condition="contains">Policies\System\Shell</TargetObject>
+			<TargetObject condition="contains">Desktop\Scrnsave.exe</TargetObject>
 			<!--CLSID launch commands and file association changes-->
 			<TargetObject condition="contains">\Explorer\FileExts\</TargetObject> <!--Microsoft:Windows: Changes to file extension mapping-->
 			<TargetObject condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
@@ -1204,6 +1220,17 @@
 			<!--Windows COM-->
 			<TargetObject condition="end with">\InprocServer32\(Default)</TargetObject> <!--Microsoft:Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
 			<!--Windows shell hijack-->
+			<TargetObject condition="contains">\PropertySheetHandlers</TargetObject>
+			<TargetObject condition="contains">\CopyHookHandlers</TargetObject>
+			<TargetObject condition="contains">\ColumnHandlers</TargetObject>
+			<TargetObject condition="contains">\ExtShellFolderViews</TargetObject>
+			<TargetObject condition="contains">\ShellServiceObjects</TargetObject>
+			<TargetObject condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
+			<TargetObject condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
+			<TargetObject condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
+			<TargetObject condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
+			<TargetObject condition="contains">\SharedTaskScheduler</TargetObject>
 			<TargetObject condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
 			<TargetObject condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
@@ -1218,6 +1245,7 @@
 			<!--AppPaths hijacking-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
 			<!--Terminal service boobytraps-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
 			<!--Group Policy interity-->
@@ -1230,11 +1258,16 @@
 			<TargetObject condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
 			<TargetObject condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
 			<TargetObject condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
 			<!--Credential providers-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
 			<!--Networking-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
@@ -1243,10 +1276,13 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
 			<!--Office-->
-			<TargetObject condition="contains">\Microsoft\Office\Outlook\Addins\</TargetObject> <!--Microsoft:Office: Outlook add-ins-->
-			<TargetObject condition="contains">\Microsoft\Office\Excel\Addins\</TargetObject> <!--Microsoft:Office: Excel add-ins-->
-			<TargetObject condition="contains">\Microsoft\Office\Word\Addins\</TargetObject> <!--Microsoft:Office: Word add-ins-->
-			<TargetObject condition="contains">\Microsoft\Office\Powerpoint\Addins\</TargetObject> <!--Microsoft:Office: Powerpoint add-ins-->
+			<!--Microsoft Office-->
+			<TargetObject condition="contains">Office Test\</TargetObject> <!-- [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
+			<TargetObject condition="contains">\Outlook\Addins\</TargetObject> <!--Microsoft:Office: Outlook add-ins-->
+			<TargetObject condition="contains">\Excel\Addins\</TargetObject> <!--Microsoft:Office: Excel add-ins-->
+			<TargetObject condition="contains">\Word\Addins\</TargetObject> <!--Microsoft:Office: Word add-ins-->
+			<TargetObject condition="contains">\Access\Addins\</TargetObject> <!--Microsoft:Office: Word add-ins-->
+			<TargetObject condition="contains">\Powerpoint\Addins\</TargetObject> <!--Microsoft:Office: Powerpoint add-ins-->
 			<!--IE-->
 			<TargetObject condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
 			<TargetObject condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
@@ -1372,8 +1408,6 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
 			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged, useful for timeline matching with other events-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
-			<!--Microsoft Office-->
-			<TargetObject condition="contains">Office Test\</TargetObject> <!-- [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
 			<!-- NOTICE: Detect New USB Network Devices: Poison Tap - Creates lots of noise, disabled for now
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
 			-->

From f76159ed991ff4fc66e43a142844346933820f78 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 19 Mar 2018 08:48:51 -0400
Subject: [PATCH 244/471] DOMStorage hijack detection is too costly for now
 until better targetting

---
 sysmonconfig-export.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 83f35146..ac209708 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1343,9 +1343,9 @@
 			<!--Detect Changes to Proxy Server Setting-->
 			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
 			<!--Detect Browser Hijackers-->
-			<TargetObject condition="contains">\Software\Microsoft\Internet Explorer\DOMStorage\</TargetObject>
-			<TargetObject condition="contains">\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\</TargetObject>
-			<TargetObject condition="contains">\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage</TargetObject>
+			<!--<TargetObject condition="contains">\Software\Microsoft\Internet Explorer\DOMStorage\</TargetObject>-->
+			<!--<TargetObject condition="contains">\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\</TargetObject>-->
+			<!--<TargetObject condition="contains">\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage</TargetObject>-->
 			<!--Detect Unauthorized Firewall Changes-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject> <!--Check for apps added to Firewall Auth List-->
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject> <!--Detect: UAC Tampering-->

From 7d8f595dd48af940f5c561bf377a4d8746e4448a Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 19 Mar 2018 12:49:52 -0400
Subject: [PATCH 245/471] add ip-api detection

---
 sysmonconfig-export.xml | 83 +++++++++++++++++++++--------------------
 1 file changed, 42 insertions(+), 41 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ac209708..f908b2ca 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -469,49 +469,50 @@
 			<!--Tor-->
 			<Image condition="image">tor.exe</Image><!-- Tor-->
 			<!--Hack tools hosting-->
-			<DestinationHostname condition="end with">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
-			<DestinationHostname condition="end with">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
+			<DestinationHostname condition="contains">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
+			<DestinationHostname condition="contains">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
 			<!--Suspicious destinations-->
-			<DestinationHostname condition="is">api.ipify.org</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="is">whatismyipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="is">edns.ip-api.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="is">checkip.dyndns.org</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="is">icanhazip.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="is">ifconfig.me</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="is">ifconfig.co</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="is">ipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="is">ipinfo.io</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="end with">goo.gl</DestinationHostname>
-			<DestinationHostname condition="end with">git.io</DestinationHostname>
-			<DestinationHostname condition="end with">bit.ly</DestinationHostname>
-			<DestinationHostname condition="end with">t.co</DestinationHostname>
-			<DestinationHostname condition="end with">ow.ly</DestinationHostname>
+			<DestinationHostname condition="contains">api.ipify.org</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="contains">whatismyipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="contains">edns.ip-api.com</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="contains">checkip.dyndns.org</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="contains">icanhazip.com</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="contains">ifconfig.me</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="contains">ifconfig.co</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="contains">ipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="contains">ipinfo.io</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="contains">goo.gl</DestinationHostname>
+			<DestinationHostname condition="contains">git.io</DestinationHostname>
+			<DestinationHostname condition="contains">bit.ly</DestinationHostname>
+			<DestinationHostname condition="contains">t.co</DestinationHostname>
+			<DestinationHostname condition="contains">ow.ly</DestinationHostname>
+			<DestinationHostname condition="contains">ip-api.com</DestinationHostname> <!--Ransomware using ip-api for geolocation tracking-->
 			<!--Dynamic DNS Providers-->
-			<DestinationHostname condition="end with">dlinkddns.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="end with">no-ip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="end with">no-ip.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="end with">no-ip.biz</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="end with">no-ip.info</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="end with">noip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="end with">afraid.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="end with">duckdns.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="end with">changeip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="end with">ddns.net</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="end with">hopto.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="end with">zapto.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="end with">servehttp.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="end with">sytes.net</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">dlinkddns.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">no-ip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">no-ip.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">no-ip.biz</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">no-ip.info</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">noip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">afraid.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">duckdns.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">changeip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">ddns.net</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">hopto.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">zapto.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">servehttp.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">sytes.net</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
 			<!--Tor2Web Providers-->
-			<DestinationHostname condition="end with">onion.to</DestinationHostname>
-			<DestinationHostname condition="end with">onion.cab</DestinationHostname>
-			<DestinationHostname condition="end with">onion.sh</DestinationHostname>
-			<DestinationHostname condition="end with">onion.nu</DestinationHostname>
-			<DestinationHostname condition="end with">onion.direct</DestinationHostname>
-			<DestinationHostname condition="end with">tor2web.org</DestinationHostname>
-			<DestinationHostname condition="end with">tor2web.fi</DestinationHostname>
-			<DestinationHostname condition="end with">tor2web.blutmagie.de</DestinationHostname>
-			<DestinationHostname condition="end with">tor-gateways.de</DestinationHostname>
-			<DestinationHostname condition="end with">hiddenservice.net</DestinationHostname>
+			<DestinationHostname condition="contains">onion.to</DestinationHostname>
+			<DestinationHostname condition="contains">onion.cab</DestinationHostname>
+			<DestinationHostname condition="contains">onion.sh</DestinationHostname>
+			<DestinationHostname condition="contains">onion.nu</DestinationHostname>
+			<DestinationHostname condition="contains">onion.direct</DestinationHostname>
+			<DestinationHostname condition="contains">tor2web.org</DestinationHostname>
+			<DestinationHostname condition="contains">tor2web.fi</DestinationHostname>
+			<DestinationHostname condition="contains">tor2web.blutmagie.de</DestinationHostname>
+			<DestinationHostname condition="contains">tor-gateways.de</DestinationHostname>
+			<DestinationHostname condition="contains">hiddenservice.net</DestinationHostname>
 			<!--Ports-->
 			<DestinationPort condition="is">80</DestinationPort> <!--RDP Port-->
 			<DestinationPort condition="is">443</DestinationPort> <!--RDP Port-->
@@ -1414,7 +1415,7 @@
 		</RegistryEvent>
 
 		<RegistryEvent onmatch="exclude">
-		<!--COMMENT:	Remove low-information noise. Often these hide a procress recreating an empty key and do not hide the values created subsequently.-->
+		<!--COMMENT:	Remove low-information noise. Often these hide a process recreating an empty key and do not hide the values created subsequently.-->
 			<!--SECTION: Microsoft binaries-->
 			<Image condition="end with">Office\root\integration\integrator.exe</Image> <!--Microsoft:Office: C2R client-->
 			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image> <!--Microsoft:Windows: Changes association registry keys-->

From fda483edf27bd9fe3f11e9f4a7f8ab6c5f9aec1b Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Wed, 11 Apr 2018 16:28:22 -0400
Subject: [PATCH 246/471] add additional file created fields.

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f908b2ca..e4456f5a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -977,6 +977,8 @@
 			<TargetFilename condition="end with">.ppt</TargetFilename> <!--Legacy Office files are often used for attacks-->
 			<TargetFilename condition="end with">.rft</TargetFilename> <!--RTF files often 0day malware vectors when opened by Office-->
 			<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
+			<TargetFilename condition="contains">\Desktop</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
+			<TargetFilename condition="contains">\Documents</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
 			<TargetFilename condition="begin with">C:\Windows\System32\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
 			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
 			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->

From 3d228b02e837bd149ee9485778490991d12cc42a Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Wed, 11 Apr 2018 16:33:29 -0400
Subject: [PATCH 247/471] Persistence using GlobalFlags in Image File Execution
 Options: [
 https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e4456f5a..8ef47534 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1215,6 +1215,7 @@
 			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
 			<TargetObject condition="contains">Policies\System\Shell</TargetObject>
 			<TargetObject condition="contains">Desktop\Scrnsave.exe</TargetObject>
+			<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit</TargetObject> <!--Persistence using GlobalFlags in Image File Execution Options: [ https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ ] -->
 			<!--CLSID launch commands and file association changes-->
 			<TargetObject condition="contains">\Explorer\FileExts\</TargetObject> <!--Microsoft:Windows: Changes to file extension mapping-->
 			<TargetObject condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->

From 00ae987fec8a500a8643f384bd2f6cbb50c46865 Mon Sep 17 00:00:00 2001
From: ion-storm <defconoii@gmail.com>
Date: Sat, 14 Apr 2018 19:22:09 -0400
Subject: [PATCH 248/471] Updates from @olafhartong's config's (great work btw)

---
 sysmonconfig-export.xml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 8ef47534..4e0a7b68 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -389,6 +389,7 @@
 		<FileCreateTime onmatch="include">
 			<Image condition="begin with">C:\Users</Image> <!--Look for timestomping in user area-->
 			<Image condition="begin with">C:\ProgramData</Image> <!--Look for timestomping in user area-->
+			<Image condition="contains">\Temp\</Image> <!--Mitre T1099--><!--Look for timestomping in temp folders-->
 		</FileCreateTime>
 
 		<FileCreateTime onmatch="exclude">
@@ -450,6 +451,8 @@
 			<Image condition="image">reg.exe</Image><!-- Remote Registry -->
 			<Image condition="image">mstsc.exe</Image><!-- Remote Desktop -->
 			<Image condition="image">telnet.exe</Image><!-- Telnet -->
+			<Image condition="image">SyncAppvPublishingServer.exe</Image><!--Mitre T1218-->
+			<Image condition="image">Mavinject.exe</Image><!--Mitre T1218-->
 			<Image condition="image">ssh.exe</Image><!-- SSH -->
 			<Image condition="image">putty.exe</Image><!-- SSH -->
 			<Image condition="image">kitty.exe</Image><!-- SSH -->
@@ -1385,7 +1388,11 @@
 			<TargetObject condition="contains">\SOFTWARE\Microsoft\SystemCertificates</TargetObject>
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\CertSvc</TargetObject>
 			-->
-			<!-- Other Stuff -->	
+			<!-- Other Stuff -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject> <!--Mitre T1198-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject><!--Mitre T1198-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
 			<TargetObject condition="contains">\Software\Classes\mscfile\shell\open\command</TargetObject> <!-- Fileless Bypass of UAC: http://resources.infosecinstitute.com/new-born-macro-malware-dropping-rootkits-using-fileless-infection-vector -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject><!--Identify Rogue Scheduled Task ID's -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject><!--Identify Rogue Scheduled Task ID's added to Logon -->

From bc11b8411790dc0c8589be2615b5a4e82675ff6e Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 16 Apr 2018 08:54:00 -0400
Subject: [PATCH 249/471] change wmi monitoring to exclude

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 4e0a7b68..e6bd12eb 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1849,7 +1849,7 @@
 		<!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->
 
 		<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
-		<WmiEvent onmatch="include">
+		<WmiEvent onmatch="exclude">
 		</WmiEvent>
 
 	<!--SYSMON EVENT ID 255 : ERROR-->

From a7b71eb14b881ea41275ff1d07b674e9d371b055 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 26 Apr 2018 14:47:47 -0400
Subject: [PATCH 250/471] complements of @subTree for noticing this mistake,
 reverting noise reduction commit.

---
 sysmonconfig-export.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e6bd12eb..f779ed41 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -824,7 +824,6 @@
 			<SourceImage condition="is">C:\Windows\system32\services.exe</SourceImage>
 			<SourceImage condition="is">C:\Windows\system32\winlogon.exe</SourceImage>
 			<SourceImage condition="is">C:\Windows\system32\audiodg.exe</SourceImage>
-			<StartModule condition="is">C:\Windows\system32\kernel32.dll</StartModule>
 			<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage>
 			<SourceImage condition="contains">FireSvc.exe</SourceImage>
 			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>

From 3b954469527dc7756edfdfb74f53175aaf869fe5 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Wed, 27 Jun 2018 16:54:28 -0400
Subject: [PATCH 251/471] added samsam ransomware file names

---
 sysmonconfig-export.xml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f779ed41..ad1197f5 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -978,6 +978,7 @@
 			<TargetFilename condition="end with">.xls</TargetFilename> <!--Legacy Office files are often used for attacks-->
 			<TargetFilename condition="end with">.ppt</TargetFilename> <!--Legacy Office files are often used for attacks-->
 			<TargetFilename condition="end with">.rft</TargetFilename> <!--RTF files often 0day malware vectors when opened by Office-->
+			<TargetFilename condition="end with">.SettingContent-ms</TargetFilename> <!--More info: https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39-->
 			<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
 			<TargetFilename condition="contains">\Desktop</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
 			<TargetFilename condition="contains">\Documents</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
@@ -1049,6 +1050,14 @@
 			<TargetFilename condition="contains">help_recover_instructions</TargetFilename>
 			<TargetFilename condition="contains">_Locky_recover</TargetFilename>
 			<TargetFilename condition="contains">_ReCoVeRy_</TargetFilename>
+			<!--SamSam Ransomware File drops -->
+			<TargetFilename condition="contains">www.exe</TargetFilename>
+			<TargetFilename condition="contains">ps.exe</TargetFilename>
+			<TargetFilename condition="contains">nt.exe</TargetFilename>
+			<TargetFilename condition="contains">doliohdyjkajd.dll</TargetFilename>
+			<TargetFilename condition="contains">run2.exe</TargetFilename>
+			<TargetFilename condition="contains">ping2.exe</TargetFilename>
+			<!--END: SamSam Ransomware File drops -->
 			<!--SECTION: Certificates -->
 			<TargetFilename condition="contains">.pem</TargetFilename>
 			<TargetFilename condition="contains">.crt</TargetFilename>

From ef9cc7b32cea1900d0968832e2a876575200804c Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 30 Jun 2018 22:26:56 -0400
Subject: [PATCH 252/471] add nable exceptions

---
 sysmonconfig-export.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ad1197f5..c32ba70b 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -880,9 +880,12 @@
 			
 			<!-- These binaries appear to access lsass legitimately -->
 			<SourceImage condition="is">C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
+			<SourceImage condition="begin with">C:\ProgramData\Microsoft\Windows Defender\platform\</SourceImage>
 			<SourceImage condition="is">C:\Windows\system32\msiexec.exe</SourceImage>
 			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
 			<SourceImage condition="is">C:\Windows\system32\spoolsv.exe</SourceImage>
+			<SourceImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</SourceImage>
+			<SourceImage condition="is">C:\Program Files\N-able Technologies\AVDefender\EPUpdateService.exe</SourceImage>
 			<SourceImage condition="contains">taskmgr</SourceImage>
 			<SourceImage condition="end with">wbem\wmiprvse.exe</SourceImage>
 			<SourceImage condition="end with">\EMET_Service.exe</SourceImage>

From 777404d1e222cb09fb31c9ab2dc1a74c5b099d42 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 3 Jul 2018 15:38:15 -0400
Subject: [PATCH 253/471] add exclusions

---
 sysmonconfig-export.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index c32ba70b..1b49b13a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -920,6 +920,9 @@
 			<SourceImage condition="end with">Dropbox\Update\DropboxUpdate.exe</SourceImage>
 			<SourceImage condition="end with">LTSvc\LTSVC.exe</SourceImage>
 			<SourceImage condition="end with">\Trusteer\Rapport\bin\RapportMgmtService.exe</SourceImage>
+			<SourceImage condition="end with">Adobe\AdobeGCClient\AGMService.exe</SourceImage>
+			<SourceImage condition="end with">NT-ware Shared\MomAdmSvc\MomAdmSvc.exe</SourceImage>
+			<SourceImage condition="end with">\Autodesk\Autodesk Desktop App\AdAppMgrSvc.exe</SourceImage>
 		</ProcessAccess>
 
 	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
@@ -1155,6 +1158,10 @@
 			<!--SECTION: Toshiba Print Drivers-->
 			<TargetFilename condition="begin with">C:\Windows\System32\config\systemprofile\TOSHIBA\</TargetFilename>
 			<TargetFilename condition="contains">TOSHIBA\eSTUDIOX\UNIDRV</TargetFilename>
+			<TargetFilename condition="end with">N-able Technologies\AVDefender\ThreatScanner\Antivirus-NewTemp\bdcore.dll</TargetFilename>
+			<TargetFilename condition="end with">N-able Technologies\AVDefender\ThreatScanner\Antivirus-NewTemp\scanclient.dll</TargetFilename>
+			<TargetFilename condition="begin with">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\Repository\nagent</TargetFilename>
+			<TargetFilename condition="begin with">C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\</TargetFilename>
 		</FileCreate>
 
 	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->

From 813277a11d068513bdd742273d4349cc00653ef6 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 3 Jul 2018 23:49:08 -0400
Subject: [PATCH 254/471] Update sysmon auto-installer for 64bit svc change

---
 Install Sysmon.bat | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Install Sysmon.bat b/Install Sysmon.bat
index c6cc844c..5c0a7572 100644
--- a/Install Sysmon.bat	
+++ b/Install Sysmon.bat	
@@ -20,7 +20,7 @@ echo [+] Downloading Sysmon config...
 @powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/develop/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
 @powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/develop/Auto_Update.bat','C:\ProgramData\sysmon\Auto_Update.bat')"
 sysmon64.exe -accepteula -i sysmonconfig-export.xml
-sc failure Sysmon actions= restart/10000/restart/10000// reset= 120
+sc failure Sysmon64 actions= restart/10000/restart/10000// reset= 120
 echo [+] Sysmon Successfully Installed!
 echo [+] Creating Auto Update Task set to Hourly..
 SchTasks /Create /RU SYSTEM /RL HIGHEST /SC HOURLY /TN Update_Sysmon_Rules /TR C:\ProgramData\sysmon\Auto_Update.bat /F /ST %tasktime%

From cafb2b1378676df831ed82fb7e6f383db01d110f Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 6 Jul 2018 17:01:13 -0400
Subject: [PATCH 255/471] New Baseline

---
 Sysmon-config.xml | 1665 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 1665 insertions(+)
 create mode 100644 Sysmon-config.xml

diff --git a/Sysmon-config.xml b/Sysmon-config.xml
new file mode 100644
index 00000000..ef0ea29c
--- /dev/null
+++ b/Sysmon-config.xml
@@ -0,0 +1,1665 @@
+<!--
+  sysmon-config | A sysmon configuration focused on default high-quality event tracing and easy customization by the community
+  Master version:	50 | Date: 2017-03-02
+  Master author:	@SwiftOnSecurity, with contributors also credited in-line or on Git.
+  Master project:	https://github.com/SwiftOnSecurity/sysmon-config
+  Master license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
+
+  Fork version:	150
+  Fork author:	ionstorm
+  Fork project:	https://github.com/ion-storm/sysmon-config
+  Fork license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
+
+  REQUIRED: Sysmon version 7.01 or higher (due to changes in registry syntax and bug-fixes)
+	https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
+	Note that 6.03 and 7.01 have critical fixes for filtering, it's recommended you stay updated.
+
+  NOTE: To collect Sysmon logs centrally for free, see https://aka.ms/WEF. Will need to run command to allow log access to the Network Service:
+	wevtutil.exe sl Microsoft-Windows-Sysmon/Operational /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)
+
+  NOTE: Do not let the size and complexity of this configuration discourage you from customizing this or building your own.
+	This configuration is based around known, high-signal event tracing, and thus appears complicated, but it's only very
+	detailed. Significant effort over years has been invested in front-loading as much filtering as possible onto the
+	client. This is to make analysis of intrusions possible by hand, and to try to surface anomalous activity as quickly
+	as possible to any technician armed only with Event Viewer. Its purpose is to democratize system monitoring for all organizations.
+
+  NOTE: Sysmon is NOT a whitelist solution or HIDS engine, it is a computer change and event logging tool with very basic exclude rules.
+	Do NOT ignore everything possible. Sysmon's purpose is providing context during a threat or problem investigation. Legitimate
+	processes are routinely used by threats - do not blindly exclude them. Additionally, be mindful of process-hollowing / imitation.
+
+  NOTE: Sysmon is not hardened against an attacker with admin rights. Additionally, this configuration offers an attacker, willing
+	to study it, many ways to evade some of the logging. If you are in a high-threat environment, you should consider a much broader
+	log-most approach. However, in the vast majority of cases, an attacker will bumble along through multiple behavioral traps which
+	this configuration monitors, especially in the first minutes.
+
+  TECHNICAL:
+  - Run sysmon.exe -? for a briefing on Sysmon configuration.
+  - Sysmon does not support nested/multi-conditional rules. There are only blanket INCLUDE and EXCLUDE. "Exclude" rules override "Include" rules.
+  - If you only specify exclude for a filtering subsection, everything in that subsection is logged by default.
+  - Some Sysmon monitoring abilities are not meant for general-purpose use due to their large performance impact, such as ProcessAccess.
+  - Duplicate or overlapping "Include" rules do not result in duplicate events being logged.
+  - All characters enclosed by XML tags are always interpreted literally. Sysmon does not support wildcards (*), alternate characters, or RegEx.
+  - In registry events, the value name is appended to the full key path with a "\" delimiter. Default key values are named "\(Default)"
+  - "Image" is a technical term for a compiled binary file like an EXE or DLL. Also, it can match just the filename, or entire path.
+  - "ProcessGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual process launches. Cleared on service restart.
+  - "LoginGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual user sessions. Cleared on service restart.
+  - Sysmon does not track which rule caused an event to be logged.
+
+  TECHNICAL: Filter conditions available for use are: is, is not, contains, excludes, begin with, end with, less than, more than, image
+  - The "image" filter is usable with any field. Same as "is" but can either match the entire string, or only the text after the last "\" in the string. Credit: @mattifestation
+
+  PERFORMANCE: By using "end with" you can save performance by starting a string match at the end of a line, which usually triggers earlier.
+-->
+
+<Sysmon schemaversion="4.1">
+	<!--SYSMON META CONFIG-->
+	<HashAlgorithms>md5,sha256</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
+	<CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->
+
+	<!-- <ImageLoad/> --> <!-- Would manually force-on ImageLoad monitoring, even without configuration below. Included only documentation. -->
+	<!-- <ProcessAccessConfig/> --> <!-- Would manually force-on ProcessAccess monitoring, even without configuration below. Included only documentation. -->
+	<!-- <PipeMonitoringConfig/> --> <!-- Would manually force-on PipeCreated / PipeConnected events, even without configuration below. Included only documentation. -->
+
+	<EventFiltering>
+
+	<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
+		<!--COMMENT:	All process launched will be included, except for what matches a rule below. It's best to be as specific as possible, to
+			avoid user-mode executables imitating other process names to avoid logging, or if malware drops files in an existing directory.
+			Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created.
+			Beware of Masquerading, where attackers imitate the names and paths of legitimate tools. Ideally, you'd use both file path and
+			code signatures to validate, but Sysmon does not support that. Look into Windows Device Guard for whitelisting support. -->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
+		<ProcessCreate onmatch="include">
+			<Image name="MitreRef='T0000','Technique='Command Line'" condition="end with">\cmd.exe</Image>
+			<Image name="MitreRef='T0000','Technique='Command Line'" condition="end with">\cmd.com</Image>
+			<Image name="MitreRef='T0000','Technique='Command Line'" condition="end with">.com</Image>
+			<Image name="MitreRef='T0000','Technique='Command Line'" condition="end with">\powershell.exe</Image>
+			<Image condition="end with">\control.exe</Image>
+			<Image condition="end with">\acrord32.exe</Image>
+			<Image condition="end with">\installutil.exe</Image>
+			<Image condition="end with">\reg.exe</Image>
+			<Image condition="end with">\net.exe</Image>
+			<Image condition="end with">\net1.exe</Image>
+			<Image condition="end with">\ipconfig.exe</Image>
+			<!--Mitre ATT&CK Rules-->
+			<!--Accessibility Features-->
+			<ParentImage name="MitreRef='T1015','Technique=''" condition="end with">sethc.exe</ParentImage>
+			<ParentImage name="MitreRef='T1015','Technique=''" condition="end with">utilman.exe</ParentImage>
+			<ParentImage name="MitreRef='T1015','Technique=''" condition="end with">osk.exe</ParentImage>
+			<ParentImage name="MitreRef='T1015','Technique=''" condition="end with">Magnify.exe</ParentImage>
+			<ParentImage name="MitreRef='T1015','Technique=''" condition="end with">DisplaySwitch.exe</ParentImage>
+			<ParentImage name="MitreRef='T1015','Technique=''" condition="end with">Narrator.exe</ParentImage>
+			<ParentImage name="MitreRef='T1015','Technique=''" condition="end with">AtBroker.exe</ParentImage>
+	  		<!--Native Windows tools - Living off the land-->
+			<Image name="MitreRef='T1016','Technique=''" condition="end with">whoami.exe</Image>
+			<Image name="MitreRef='T1057','Technique=''" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
+			<Image name="MitreRef='T1033','Technique=''" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
+			<Image name="MitreRef='T1016','Technique=''" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
+			<Image name="MitreRef='T1016','Technique=''" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
+			<Image name="MitreRef='','Technique=''" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef='','Technique=''" condition="end with">nslookup.exe</Image> <!--Microsoft:Windows: shows DNS configuration and enables quering -->
+			<Image name="MitreRef='T1201','Technique=''" condition="end with">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
+			<Image name="MitreRef='','Technique=''" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
+			<Image name="MitreRef='','Technique=''" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef='','Technique=''" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
+			<Image name="MitreRef='','Technique=''" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
+			<Image name="MitreRef='','Technique=''" condition="end with">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
+			<Image name="MitreRef='','Technique=''" condition="end with">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
+			<Image name="MitreRef='T1214','Technique=''" condition="end with">reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
+			<Image name="MitreRef='','Technique=''" condition="end with">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
+			<Image name="MitreRef='T1016','Technique=''" condition="end with">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
+			<Image name="MitreRef='','Technique=''" condition="end with">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
+			<Image name="MitreRef='T1070','Technique='" condition="end with">wevtutil.exe</Image> <!--Microsoft:Windows: read and modify the Windows Eventlog -->
+			<Image name="MitreRef='T1053','Technique=''" condition="end with">taskeng.exe</Image> <!--Microsoft:Windows: taskscheduler -->
+			<Image name="MitreRef='T1117','Technique=''" condition="end with">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
+			<ParentImage name="MitreRef='','Technique=''" condition="end with">wmiprvse.exe</ParentImage>
+			<Image name="MitreRef='','Technique=''" condition="end with">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
+			<Image name="MitreRef='T1059','Technique=''" condition="end with">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
+			<Image name="MitreRef='T1086','Technique=''" condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
+			<Image name="MitreRef='T1202','Technique=''" condition="end with">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
+			<Image name="MitreRef='','Technique='" condition="end with">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
+			<Image name="MitreRef='T1202','Technique=''" condition="end with">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
+			<Image name="MitreRef='T1158','Technique=''" condition="end with">attrib.exe</Image>
+			<Image name="MitreRef='','Technique=''" condition="end with">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
+			<!--appc shim-->
+			<Image name="MitreRef='T1138','Technique=''" condition="end with">sdbinst.exe</Image>
+			<!--BitsAdmin-->
+			<Image name="MitreRef='T1197','Technique=''" condition="end with">bitsadmin.exe</Image>
+			<!--UAC Bypass-->
+			<ParentImage name="MitreRef='T1088',Technique=''" condition="end with">eventvwr.exe</ParentImage>
+			<ParentImage name="MitreRef='T1088',Technique=''" condition="end with">fodhelper.exe</ParentImage>
+			<!--InstallUtil Abuse-->
+			<Image name="MitreRef='T1118',Technique=''" condition="end with">InstallUtil.exe</Image>
+			<CommandLine name="MitreRef='T1118','Technique=''" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
+			<!--Mavinject -->
+	        <Image name="MitreRef='T1218','Technique=''" condition="end with">Mavinject.exe</Image>
+			<Image name="MitreRef='T1191','Technique=''" condition="end with">CMSTP.exe</Image>
+			<!--MSBuild-->
+			<Image name="MitreRef='T1191','Technique=''" condition="end with">MSBuild.exe</Image>
+	        <Image name="MitreRef='T1121','Technique=''" condition="end with">regsvcs.exe</Image>
+			<Image name="MitreRef='T1121','Technique=''" condition="end with">regasm.exe</Image>
+			<Image name="MitreRef='T1218','Technique=''" condition="end with">SyncAppvPublishingServer.exe</Image>
+			<!--Control Panel-->
+			<Image name="MitreRef='T1218','Technique=''" condition="end with">control.exe</Image>
+	        <CommandLine name="MitreRef='T1196','Technique=''" condition="contains">control.exe /name</CommandLine>
+			<CommandLine name="MitreRef='T1196','Technique=''" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
+			<Image name="MitreRef='T1028','Technique='Windows Remote Management'" condition="end with">wsmprovhost.exe</Image>
+			<Image name="MitreRef='T1028','Technique='Windows Remote Management'" condition="end with">winrm.cmd</Image>
+			<!--Detect Spawned Adobe Parent Processes-->
+			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">acrobat.exe</ParentImage>
+			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">acrord32.exe</ParentImage>
+			<!--Detect Spawned Browser Parent Processes-->
+			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">chrome.exe</ParentImage>
+			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">firefox.exe</ParentImage>
+			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">iexplore.exe</ParentImage>
+			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">MicrosoftEdgeCP.exe</ParentImage>
+			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">MicrosoftEdge.exe</ParentImage>
+			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">vivaldi.exe</ParentImage>
+			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">waterfox.exe</ParentImage>
+			<!--Detect Spawned Java Parent Processes-->
+			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">java.exe</ParentImage>
+			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">javaw.exe</ParentImage>
+			<!--Detect Spawned Office Parent Processes-->
+			<!--Detect Output Redirection-->
+			<CommandLine name="MitreRef='T0000','Technique=''" condition="contains">2></CommandLine>
+			<CommandLine name="MitreRef='T0000','Technique=''" condition="contains">></CommandLine>
+			<CommandLine name="MitreRef='T0000','Technique=''" condition="contains">>></CommandLine>
+		</ProcessCreate>
+
+	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
+		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1099 ] -->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->
+		<FileCreateTime onmatch="include">
+			<Image condition="begin with">C:\Users</Image> <!--Look for timestomping in user area-->
+			<Image condition="begin with">C:\ProgramData</Image> <!--Look for timestomping in user area-->
+			<Image condition="contains">\Temp\</Image> <!--Mitre T1099--><!--Look for timestomping in temp folders-->
+		</FileCreateTime>
+
+		<FileCreateTime onmatch="exclude">
+			<Image condition="image">C:\Windows\system32\backgroundTaskHost.exe</Image>
+			<Image condition="is">TrustedInstaller.exe</Image> <!--Ignore setups-->
+			<Image condition="image">OneDrive.exe</Image> <!--OneDrive constantly changes file times-->
+			<Image condition="image">vivaldi.exe</Image> <!--Vivaldi constantly changes file times-->
+			<Image condition="image">chrome.exe</Image> <!--Chrome constantly changes file times-->
+			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image> <!--Chrome constantly changes file times-->
+			<Image condition="contains">setup</Image> <!--Ignore setups-->
+		</FileCreateTime>
+
+	<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
+		<!--COMMENT:	By default this configuration takes a very conservative approach to network logging, limited to only extremely high-signal events.-->
+		<!--COMMENT:	[ https://attack.mitre.org/wiki/Command_and_Control ] [ https://attack.mitre.org/wiki/Exfiltration ] [ https://attack.mitre.org/wiki/Lateral_Movement ] -->
+		<!--TECHNICAL:	For the DestinationHostname, Sysmon uses the GetNameInfo API, which will often not have any information, and may just be a CDN. This is NOT reliable for filtering.-->
+		<!--TECHNICAL:	For the DestinationPortName, Sysmon uses the GetNameInfo API for the friendly name of ports you see in logs.-->
+		<!--TECHNICAL:	These exe do not initiate their connections, and thus including does not work in this section: BITSADMIN.exe-->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName-->
+		<NetworkConnect onmatch="include">
+			<!--Suspicious sources for network-connecting binaries-->
+			<Image condition="begin with">C:\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
+			<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
+			<Image condition="begin with">C:\Windows\Temp</Image> <!--Suspicious anything would communicate from the system-level temp directory-->
+			<Image condition="begin with">C:\Perflogs\</Image>
+			<Image condition="contains">config\systemprofile\</Image>
+			<Image condition="contains">\Windows\Fonts\</Image>
+			<Image condition="contains">\Windows\IME\</Image>
+			<Image condition="contains">\Windows\addins\</Image>
+			<Image condition="contains">chrome.exe</Image>
+			<Image condition="contains">iexplore.exe</Image>
+			<Image condition="contains">firefox.exe</Image>
+			<Image condition="contains">MicrosoftEdgeCP.exe</Image>
+			<Image condition="contains">MicrosoftEdge.exe</Image>
+			<Image condition="contains">explorer.exe</Image>
+			<!--Suspicious Windows tools-->
+			<Image condition="image">at.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
+			<Image condition="image">certutil.exe</Image> <!--Microsoft:Windows: Certificate tool can contact outbound | Credit @ion-storm and @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->
+			<Image condition="image">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
+			<Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
+			<Image condition="image">wscript.exe</Image><Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
+			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
+			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
+			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
+			<Image condition="image">regsvcs.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ] -->
+			<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Windows Services hidden by Svchost.exe, BITS File Transfer program-->
+			<Image condition="image">mshta.exe</Image>
+			<Image condition="image">powershell.exe</Image> <!--Microsoft:WindowsPowerShell: | Credit @Cyb3rOps -->
+			<Image condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
+			<Image condition="contains">pskill</Image><!--Detect pskill-->
+			<Image condition="contains">psshutdown</Image><!--Detect PsShutdown-->
+			<Image condition="contains">psservice</Image><!--Detect PsService-->
+			<Image condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
+			<Image condition="image">java.exe</Image>
+			<Image condition="image">msbuild.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
+			<Image condition="image">installutil.exe</Image>
+			<Image condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
+			<Image condition="image">reg.exe</Image><!-- Remote Registry -->
+			<Image condition="image">mstsc.exe</Image><!-- Remote Desktop -->
+			<Image condition="image">telnet.exe</Image><!-- Telnet -->
+			<Image condition="image">SyncAppvPublishingServer.exe</Image><!--Mitre T1218-->
+			<Image condition="image">Mavinject.exe</Image><!--Mitre T1218-->
+			<Image condition="image">ssh.exe</Image><!-- SSH -->
+			<Image condition="image">putty.exe</Image><!-- SSH -->
+			<Image condition="image">kitty.exe</Image><!-- SSH -->
+			<Image condition="image">kitty_portable.exe</Image><!-- SSH -->
+			<Image condition="image">psftp.exe</Image><!-- SFTP -->
+			<Image condition="image">tftp.exe</Image><!-- TFTP -->
+			<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
+			<Image condition="image">net.exe</Image><!-- net use/net view-->
+			<Image condition="image">nbtstat.exe</Image><!-- Netbios stat-->
+			<Image condition="image">dsquery.exe</Image><!-- Query domain-->
+			<Image condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
+			<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
+			<Image condition="image">sc.exe</Image><!-- Service Control Manager-->
+			<Image condition="image">auditpol.exe</Image><!-- Auditpol-->
+			<Image condition="image">qwinsta.exe</Image><!-- Query Remote Sessions-->
+			<Image condition="image">rwinsta.exe</Image><!-- Reset Remote Sessions-->
+			<!--Tor-->
+			<Image condition="image">tor.exe</Image><!-- Tor-->
+			<!--Hack tools hosting-->
+			<DestinationHostname condition="contains">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
+			<DestinationHostname condition="contains">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
+			<!--Suspicious destinations-->
+			<DestinationHostname condition="contains">api.ipify.org</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="contains">whatismyipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="contains">edns.ip-api.com</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="contains">checkip.dyndns.org</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="contains">icanhazip.com</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="contains">ifconfig.me</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="contains">ifconfig.co</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="contains">ipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="contains">ipinfo.io</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname condition="contains">goo.gl</DestinationHostname>
+			<DestinationHostname condition="contains">git.io</DestinationHostname>
+			<DestinationHostname condition="contains">bit.ly</DestinationHostname>
+			<DestinationHostname condition="contains">t.co</DestinationHostname>
+			<DestinationHostname condition="contains">ow.ly</DestinationHostname>
+			<DestinationHostname condition="contains">ip-api.com</DestinationHostname> <!--Ransomware using ip-api for geolocation tracking-->
+			<!--Dynamic DNS Providers-->
+			<DestinationHostname condition="contains">dlinkddns.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">no-ip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">no-ip.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">no-ip.biz</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">no-ip.info</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">noip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">afraid.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">duckdns.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">changeip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">ddns.net</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">hopto.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">zapto.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">servehttp.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<DestinationHostname condition="contains">sytes.net</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
+			<!--Tor2Web Providers-->
+			<DestinationHostname condition="contains">onion.to</DestinationHostname>
+			<DestinationHostname condition="contains">onion.cab</DestinationHostname>
+			<DestinationHostname condition="contains">onion.sh</DestinationHostname>
+			<DestinationHostname condition="contains">onion.nu</DestinationHostname>
+			<DestinationHostname condition="contains">onion.direct</DestinationHostname>
+			<DestinationHostname condition="contains">tor2web.org</DestinationHostname>
+			<DestinationHostname condition="contains">tor2web.fi</DestinationHostname>
+			<DestinationHostname condition="contains">tor2web.blutmagie.de</DestinationHostname>
+			<DestinationHostname condition="contains">tor-gateways.de</DestinationHostname>
+			<DestinationHostname condition="contains">hiddenservice.net</DestinationHostname>
+			<!--Ports-->
+			<DestinationPort condition="is">80</DestinationPort> <!--RDP Port-->
+			<DestinationPort condition="is">443</DestinationPort> <!--RDP Port-->
+			<DestinationPort condition="is">3389</DestinationPort> <!--RDP Port-->
+			<DestinationPort condition="is">3540</DestinationPort> <!--Remote Assistance Port-->
+			<DestinationPort condition="is">22</DestinationPort>   <!--SSH Port-->
+			<DestinationPort condition="is">23</DestinationPort>   <!--Telnet Port-->
+			<DestinationPort condition="is">25</DestinationPort>   <!--SMTP Port-->
+			<DestinationPort condition="is">139</DestinationPort>  <!--SMB Port-->
+			<!--<DestinationPort condition="is">445</DestinationPort> SMB Port: Removed because of noise-->
+			<DestinationPort condition="is">5800</DestinationPort> <!--VNC Port-->
+			<DestinationPort condition="is">5900</DestinationPort> <!--VNC Port-->
+			<DestinationPort condition="is">1194</DestinationPort> <!--OpenVPN Port-->
+			<DestinationPort condition="is">1701</DestinationPort> <!--L2TP Port-->
+			<DestinationPort condition="is">1723</DestinationPort> <!--Tor Port-->
+			<DestinationPort condition="is">1293</DestinationPort> <!--IPSec Nat Traversal Port-->
+			<DestinationPort condition="is">4500</DestinationPort> <!--Tor Port-->
+			<DestinationPort condition="is">1080</DestinationPort> <!--Socks Port-->
+			<DestinationPort condition="is">8080</DestinationPort> <!--Socks Port-->
+			<DestinationPort condition="is">3128</DestinationPort> <!--Socks Port-->
+			<DestinationPort condition="is">9001</DestinationPort> <!--Tor Port-->
+			<DestinationPort condition="is">9030</DestinationPort> <!--Tor Port-->
+			<DestinationPort condition="is">4443</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">2448</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">8143</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">1777</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">1443</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">243</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">65535</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">13506</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">3360</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">200</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">198</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">49180</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">13507</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">3360</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">6625</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">4444</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">4438</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">1904</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">13505</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">13504</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">12102</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">9631</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">5445</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">2443</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">777</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">13394</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">13145</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">12103</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">5552</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">3939</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">3675</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">666</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">473</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">5649</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">4455</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">4433</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">1817</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">100</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">65520</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">1960</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">1515</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">743</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">700</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">14154</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">14103</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">14102</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">12322</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">10101</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">7210</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">4040</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort condition="is">9943</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<!--Ports: Threats-->
+			<DestinationPort condition="is">7777</DestinationPort> <!-- https://www.hybrid-analysis.com/search?query=port:7777 -->
+			<DestinationPort condition="is">9943</DestinationPort> <!-- https://www.hybrid-analysis.com/search?query=port:9943 -->
+			<DestinationPort condition="is">666</DestinationPort> <!-- https://www.hybrid-analysis.com/search?query=port:666 -->
+		</NetworkConnect>
+		<NetworkConnect onmatch="exclude">
+			<!--SECTION: Microsoft -->
+			<Image condition="is">C:\Windows\System32\dns.exe</Image> <!-- Exclude Microsoft DNS Server DNS requests -->
+			<Image condition="is">C:\Windows\System32\find.exe</Image><!-- Oddly find.exe connects to localhost and creates spam -->
+			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</Image> <!-- Exclude Microsoft Exchange connecting to locahost -->
+			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe</Image> <!--Exchange Transport-->
+			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe</Image> <!--Exchange Edge Transport-->
+			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe</Image>
+			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe</Image>
+			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe</Image>
+			<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
+			<DestinationIsIpv6 condition="is">true </DestinationIsIpv6> <!-- IPv6 Exclusion: Re-Enable if you use ipv6 -->
+			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
+			<Image condition="image">Spotify.exe</Image> <!--Spotify-->
+			<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image> <!--Dropbox-->
+			<Image condition="image">OneDriveStandaloneUpdater.exe</Image> <!--Microsoft:OneDrive-->
+			<Image condition="image">ConnectWise.exe</Image> <!--ConnectWise Noise-->
+			<Image condition="image">ScreenConnect.WindowsClient.exe</Image> <!--ScreenConnect Noise-->
+			<Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
+			<Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
+			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser Installed in User profile-->
+			<DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
+			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
+			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->
+			<DestinationHostname condition="end with">.search.msn.com</DestinationHostname> <!--Bing & Cortana Searches-->
+			<DestinationHostname condition="end with">.wns.windows.com</DestinationHostname> <!-- Windows communication -->
+			<DestinationHostname condition="end with">akamaitechnologies.com</DestinationHostname> <!-- CDN for Microsoft, Apple, Valve, & More -->
+			<SourcePortName condition="is">llmnr</SourcePortName> <!--Silence Link-Local Multicast Name Resolution-->
+			<SourcePortName condition="is">ldap</SourcePortName> <!--Silence LDAP-->
+			<DestinationPortName condition="is">ldap</DestinationPortName> <!--Silence LDAP-->
+			<DestinationPortName condition="is">epmap</DestinationPortName> <!--Silence LDAP-->
+			<SourcePortName condition="is">epmap</SourcePortName> <!--Silence LDAP-->
+			<SourcePort condition="is">135</SourcePort>  <!--epmap Port-->
+			<DestinationPort condition="is">135</DestinationPort>  <!--epmap Port-->
+			<SourcePortName condition="is">ntp</SourcePortName> <!--Silence NTP-->
+			<DestinationPortName condition="is">ntp</DestinationPortName> <!--Silence NTP-->
+			<DestinationPortName condition="is">llmnr</DestinationPortName> <!--Silence Link-Local Multicast Name Resolution-->
+			<DestinationPortName condition="is">ssdp</DestinationPortName> <!--Simple Service Discovery Protocol (SSDP-->
+			<SourcePortName condition="is">ssdp</SourcePortName> <!--Simple Service Discovery Protocol (SSDP-->
+			<DestinationPort condition="is">5353</DestinationPort> <!--Bonjour/Avahi Discovery-->
+			<DestinationPortName condition="is">netbios-ns</DestinationPortName> <!--Netbios DNS Resolution-->
+			<DestinationPortName condition="is">netbios-dgm</DestinationPortName> <!--Netbios Datagram Services-->
+			<DestinationHostname condition="end with">1e100.net</DestinationHostname> <!--Google Chrome Safe Search checks-->
+			<DestinationPort condition="is">5228</DestinationPort> <!--Google Chrome Safe Search checks-->
+			<DestinationPort condition="is">5357</DestinationPort> <!--WSD API noise-->
+			<DestinationPort condition="is">3544</DestinationPort> <!--Teredo-->
+			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
+			<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
+			<Image condition="is">C:\Program Files (x86)\SmartGit\jre\bin\java.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image>
+			<Image condition="end with">penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
+			<DestinationHostname condition="begin with">efolder01</DestinationHostname> <!-- eFolder Noise -->
+			<DestinationPort condition="is">2080</DestinationPort><!--eFolder Noise -->
+			<Image condition="end with">g2mcomm.exe</Image> <!-- gotomeeting noise -->
+			<Image condition="is">C:\Program Files (x86)\LabTech Client\LTClient.exe</Image>
+			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
+			<Image condition="begin with">C:\Program Files (x86)\SmartGit\</Image>
+			<Image condition="end with">DSPro\Programs\pr001Celery98.exe</Image>
+			<Image condition="image">g2ax_comm_expert.exe</Image> <!--GoToMeeting-->
+			<Image condition="image">g2mcomm.exe</Image> <!--GoToMeeting-->
+			<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image> <!--Microsoft: Teams-->
+		</NetworkConnect>
+
+	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->
+
+		<!--DATA: UtcTime, State, Version, SchemaVersion-->
+		<!--Cannot be filtered.-->
+
+	<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
+		<!--COMMENT:	Useful data in building infection timelines.-->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image-->
+		<ProcessTerminate onmatch="include">
+		<!--COMMENT:	Useful data in building infection timelines.-->
+			<Image condition="begin with">C:\Users</Image> <!--Process terminations by user binaries-->
+			<Image condition="begin with">C:\ProgramData</Image> <!--Process terminations by user binaries-->
+			<Image condition="begin with">C:\Windows\Temp</Image> <!--Process terminations by user binaries-->
+			<Image condition="end with">Sysmon.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec-->
+		</ProcessTerminate>
+
+	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
+		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
+			about what you exclude from monitoring. Low event volume, little incentive to exclude.
+			[ https://attack.mitre.org/wiki/Technique/T1014 ] -->
+		<!--TECHNICAL:	Sysmon will check the signing certificate revocation status of any driver you don't exclude.-->
+
+		<!--DATA: UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
+		<DriverLoad onmatch="exclude">
+		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
+				about what you exclude from monitoring. Low event volume, little incentive to exclude.-->
+			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft drivers-->
+			<Signature condition="is">Microsoft Windows</Signature> <!--Exclude signed Microsoft drivers-->
+			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft drivers-->
+			<Signature condition="begin with">Intel</Signature> <!--Exclude signed Intel drivers-->
+			<Signature condition="contains">Lenovo</Signature> <!--Exclude signed Lenovo drivers-->
+			<Signature condition="contains">Synaptic</Signature> <!--Exclude signed Synaptic drivers-->
+			<Signature condition="contains">Nvidia</Signature> <!--Exclude signed Nvidia drivers-->
+			<Signature condition="contains">Broadcom</Signature> <!--Exclude signed Broadcom drivers-->
+			<Signature condition="contains">AMD</Signature> <!--Exclude signed AMD drivers-->
+			<Signature condition="contains">VMware</Signature> <!--Exclude signed VMware drivers-->
+			<Signature condition="contains">Realtek</Signature> <!--Exclude signed Realtek drivers-->
+			<Signature condition="contains">Micro-Star</Signature> <!--Exclude signed MSI drivers-->
+			<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech drivers-->
+			<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia drivers-->
+			<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed MSI drivers-->
+			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed Fortinet drivers-->
+			<Signature condition="contains">Webroot</Signature> <!--Exclude signed Webroot drivers-->
+			<Signature condition="is">NoVirusThanks Company Srl</Signature> <!--Exclude signed drivers-->
+			<Signature condition="contains">Invincea</Signature> <!--Exclude signed drivers-->
+			<Signature condition="contains">ShoreTel</Signature> <!--Exclude signed drivers-->
+			<Signature condition="contains">Synology</Signature> <!--Exclude signed drivers-->
+			<Signature condition="contains">Citrix</Signature> <!--Exclude signed drivers-->
+			<Signature condition="contains">SonicWall</Signature> <!--Exclude signed drivers-->
+			<Signature condition="contains">Sophos</Signature> <!--Exclude signed drivers-->
+			<Signature condition="contains">OpenVPN</Signature> <!--Exclude signed drivers-->
+		</DriverLoad>
+
+	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
+		<!--COMMENT:	Can cause high system load, disabled by default.-->
+		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1073 ] [ https://attack.mitre.org/wiki/Technique/T1038 ] [ https://attack.mitre.org/wiki/Technique/T1034 ] -->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
+		<ImageLoad onmatch="include">
+			<Signed condition="is">false</Signed> <!-- Lets Only show Unsigned DLL's loaded-->
+			<SignatureStatus condition="is">Invalid</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
+			<SignatureStatus condition="is">Unavailable</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
+			<ImageLoaded condition="contains">C:\windows\system32\fxsst.dll</ImageLoaded> <!-- CIA Vault7 Leak: Fax DLL Injection -->
+			<ImageLoaded condition="contains">C:\Windows\System32\wbem\oci.dll</ImageLoaded> <!-- CIA Vault7 Leak: Distributed Transaction Coordinator DLL Injection -->
+			<ImageLoaded condition="contains">\Temp\</ImageLoaded>
+		</ImageLoad>
+		<ImageLoad onmatch="exclude">
+			<SignatureStatus condition="is">Valid</SignatureStatus>
+			<ImageLoaded condition="end with">System32\samlib.dll</ImageLoaded> <!-- Spam -->
+			<ImageLoaded condition="end with">System32\cryptdll.dlll</ImageLoaded> <!-- Spam -->
+			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft libraries-->
+			<Signature condition="is">Microsoft Windows</Signature> <!--Exclude signed Microsoft libraries-->
+			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft libraries-->
+			<Signature condition="begin with">Intel</Signature> <!--Exclude signed Intel libraries-->
+			<Signature condition="contains">Lenovo</Signature> <!--Exclude signed Lenovo libraries-->
+			<Signature condition="contains">Synaptic</Signature> <!--Exclude signed Synaptic libraries-->
+			<Signature condition="contains">Nvidia</Signature> <!--Exclude signed Nvidia libraries-->
+			<Signature condition="contains">Broadcom</Signature> <!--Exclude signed Broadcom libraries-->
+			<Signature condition="contains">AMD</Signature> <!--Exclude signed AMD libraries-->
+			<Signature condition="contains">VMware</Signature> <!--Exclude signed VMware libraries-->
+			<Signature condition="contains">Realtek</Signature> <!--Exclude signed Realtek libraries-->
+			<Signature condition="contains">Micro-Star</Signature> <!--Exclude signed MSI libraries-->
+			<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech libraries-->
+			<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia libraries-->
+			<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed MSI libraries-->
+			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed MSI libraries-->
+			<Company condition="contains">Microsoft</Company>
+			<Product condition="contains">Microsoft</Product>
+			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
+			<Signature condition="contains">Webroot</Signature> <!--Exclude signed MSI libraries-->
+			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
+			<Image condition="is">C:\Windows\System32\mmc.exe</Image>
+			<Image condition="is">C:\Windows\System32\SearchFilterHost.exe</Image>
+			<Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image>
+			<Image condition="is">C:\Windows\sysmon64.exe</Image>
+			<Image condition="is">C:\Windows\System32\inetsrv\w3wp.exe</Image>
+			<ImageLoaded condition="is">C:\Windows\sysmon64.exe</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\conhost.exe</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\winspool.drv</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\wshqos.</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\clusapi.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\wow64win.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\pcwum.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\kernel32.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\user32.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\dns.exe</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\zvprtmon5.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\System32\termsrv.dll</ImageLoaded>
+			<ImageLoaded condition="begin with">C:\Windows\System32\spool\</ImageLoaded>
+			<ImageLoaded condition="end with">samlib.dll</ImageLoaded>
+			<ImageLoaded condition="contains">C:\Program Files (x86)\SmartGit</ImageLoaded> <!--SmartGit-->
+			<ImageLoaded condition="contains">syntevo\SmartGit</ImageLoaded> <!--SmartGit-->
+			<ImageLoaded condition="contains">Labtech Client</ImageLoaded>
+			<ImageLoaded condition="contains">CrystalDecisions</ImageLoaded>
+			<ImageLoaded condition="contains">ShoreWare</ImageLoaded>
+			<ImageLoaded condition="is">C:\Program Files\Microsoft SQL Server\100\Shared\dbghelp.dll</ImageLoaded>
+			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <!-- Windows Store apps unsigned -->
+			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
+			<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: Not good for security but good on cutting down the noise, we do log dropped dll's -->
+			<ImageLoaded condition="contains">C:\Windows\assembly\NativeImages</ImageLoaded> <!-- Event Viewer -->
+			<ImageLoaded condition="contains">C:\Program Files\WindowsApps</ImageLoaded> <!-- Windows Store Apps: Apparently most dll's here are unsigned and causes noise -->
+			<!-- Custom App Exclusions -->
+			<ImageLoaded condition="is">C:\Program Files (x86)\AutoSizer\AutoSizer.dll</ImageLoaded> <!-- I use autosizer to re-arrange my windows -->
+			<ImageLoaded condition="contains">C:\Program Files (x86)\Notepad++</ImageLoaded> <!--Notepad++ Plugins Are unsigned-->
+			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image> <!-- eFolder SyncedTool -->
+			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Server loading unsigned dll's -->
+			<Image condition="is">C:\Windows\System32\VSSVC.</Image>
+			<Image condition="is">C:\Windows\System32\conhost.exe</Image>
+			<Image condition="is">C:\Windows\System32\svchost.exe</Image>
+			<Image condition="is">C:\Windows\System32\NETSTAT.EXE</Image>
+			<Image condition="is">C:\Windows\System32\inetsrv\w3wp.exe</Image>
+			<Image condition="is">C:\Windows\System32\tasklist.exe</Image>
+			<Image condition="is">C:\Windows\System32\nslookup.exe</Image>
+			<Image condition="is">C:\Windows\System32\find.exe</Image>
+			<Image condition="is">C:\cs\tools\php\php-cgi.exe</Image>
+			<Image condition="is">C:\Windows\System32\nbtstat.exe</Image>
+			<Image condition="is">C:\Windows\System32\dsquery.exe</Image>
+			<Image condition="is">C:\Windows\System32\netsh.exe</Image>
+			<Image condition="is">C:\Windows\System32\taskeng.exe</Image>
+			<Image condition="is">C:\ProgramData\sysmon\sysmon64.exe</Image>
+			<Image condition="contains">SQL Server</Image>
+			<ImageLoaded condition="contains">SQL Server</ImageLoaded>
+			<Image condition="contains">Exchange Server</Image>
+			<ImageLoaded condition="contains">Exchange Server</ImageLoaded>
+		</ImageLoad>
+
+	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
+		<!--COMMENT:	Monitor for processes injecting code into other processes. Often used by malware to cloak their actions. Also when Firefox loads Flash.
+		[ https://attack.mitre.org/wiki/Technique/T1055 ] -->
+
+		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
+		<CreateRemoteThread onmatch="exclude">
+			<!--COMMENT: Exclude mostly-safe sources and log anything else.-->
+			<SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\SysWOW64\wbem\WmiPrvSE.exe</SourceImage>			
+			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\csrss.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\services.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\winlogon.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\audiodg.exe</SourceImage>
+			<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage>
+			<SourceImage condition="contains">FireSvc.exe</SourceImage>
+			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
+			<TargetImage condition="end with">controls\cef\ConnectWise.exe</TargetImage>
+		</CreateRemoteThread>
+
+	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
+		<!--EVENT 9: "RawAccessRead detected"-->
+		<!--COMMENT:	Can cause high system load, disabled by default.-->
+		<!--COMMENT:	Monitor for raw sector-level access to the disk, often used to bypass access control lists or access locked files.
+			Disabled by default since including even one entry here activates this component. Reward/performance/rule maintenance decision.
+			Encourage you to experiment with this feature yourself. [ https://attack.mitre.org/wiki/Technique/T1067 ] -->
+		<!--COMMENT:	You will likely want to set this to a full capture on domain controllers, where no process should be doing raw reads.-->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, Device-->
+		<RawAccessRead onmatch="include">
+		</RawAccessRead>
+
+	<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
+		<!--EVENT 10: "Process accessed"-->
+		<!--COMMENT:	Can cause high system load, disabled by default.-->
+		<!--COMMENT:	Monitor for processes accessing other process' memory.-->
+		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
+		<ProcessAccess onmatch="include">
+			<TargetImage condition="end with">:\Windows\System32\lsass.exe</TargetImage>
+			<TargetImage condition="end with">:\Windows\System32\winlogon.exe</TargetImage>
+			<SourceImage condition="contains">powershell.exe</SourceImage>
+			<TargetImage condition="contains">verclsid.exe</TargetImage>
+			<CallTrace condition="contains">VBE7.dll</CallTrace>
+			<CallTrace condition="contains">CorperfmontExt.dll</CallTrace>
+		<!--COMMENT:	Monitor for processes accessing other process' memory. This can be valuable, but can cause massive event glut.
+				Disabled by default since including even one entry here activates this component. Reward/performance decision.
+				Encourage you to experiment with this feature yourself.
+				Uses 4mbs+ IO -->
+		</ProcessAccess>
+		<ProcessAccess onmatch="exclude">
+			<!-- Filter out common access masks
+			A reference is available here for the mask: https://msdn.microsoft.com/en-us/library/windows/desktop/ms684880%28v=vs.85%29.aspx
+			Ideally an access mask with any of the following is useful:
+			PROCESS_VM_WRITE (0x0020)
+			PROCESS_VM_READ (0x0010)
+			PROCESS_VM_OPERATION (0x0008)
+          
+			0x1410 (potential memory read) is common activity. E.g. by taskmgr.exe. We only want to capture this against lsass.exe and winlogon.exe, but this logic is in the subscription.
+			-->
+			<GrantedAccess condition="is">0x40</GrantedAccess>
+			<GrantedAccess condition="is">0x101000</GrantedAccess>
+			<GrantedAccess condition="is">0x1000</GrantedAccess>
+			<GrantedAccess condition="is">0x1400</GrantedAccess>
+			<GrantedAccess condition="is">0x100000</GrantedAccess>
+			<GrantedAccess condition="is">0x3200</GrantedAccess>
+			<GrantedAccess condition="is">0x101400</GrantedAccess>
+			<GrantedAccess condition="is">0x101001</GrantedAccess>
+			
+			<!-- These binaries appear to access lsass legitimately -->
+			<SourceImage condition="is">C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
+			<SourceImage condition="begin with">C:\ProgramData\Microsoft\Windows Defender\platform\</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\msiexec.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\spoolsv.exe</SourceImage>
+			<SourceImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</SourceImage>
+			<SourceImage condition="is">C:\Program Files\N-able Technologies\AVDefender\EPUpdateService.exe</SourceImage>
+			<SourceImage condition="contains">taskmgr</SourceImage>
+			<SourceImage condition="end with">wbem\wmiprvse.exe</SourceImage>
+			<SourceImage condition="end with">\EMET_Service.exe</SourceImage>
+			<SourceImage condition="end with">\EMET_GUI.exe</SourceImage>
+			<SourceImage condition="end with">\procexp64.exe</SourceImage>
+			<SourceImage condition="contains">processhacker</SourceImage>
+			<SourceImage condition="end with">\Bin\FMS.exe</SourceImage> <!-- Exchange Process -->
+			<SourceImage condition="contains">\Exchange Server\</SourceImage>
+			<SourceImage condition="contains">SQL</SourceImage>
+			<SourceImage condition="end with">:\Windows\System32\smss.exe</SourceImage>
+			<SourceImage condition="end with">:\Windows\system32\csrss.exe</SourceImage>
+			<SourceImage condition="end with">:\Windows\system32\wininit.exe</SourceImage>
+			<SourceImage condition="end with">\Google\Update\GoogleUpdate.exe</SourceImage>
+			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
+			<SourceImage condition="is">C:\Program Files\Webroot\WRSA.exe</SourceImage>
+			<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
+			<TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
+			<TargetImage condition="is">C:\Windows\Sysmon.exe</TargetImage>
+			<TargetImage condition="is">C:\Windows\Sysmon64.exe</TargetImage>
+			<!-- ScreenConnect Querying lsass/winlogon SPAM -->
+			<SourceImage condition="contains">ScreenConnect</SourceImage>
+			<!-- These binaries get or access processes running .NET -->
+			<SourceImage condition="end with">:\Windows\system32\sppsvc.exe</SourceImage>
+			<SourceImage condition="end with">:\Windows\system32\sdiagnhost.exe</SourceImage>
+			<!-- In testing a common false-positive is memory space that DLLS would be expected to mapped to. -->
+			<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
+			<SourceImage condition="contains">ShadowProtect</SourceImage>
+			<SourceImage condition="is">C:\Hlthpnt\bin\IM.exe</SourceImage>
+			<SourceImage condition="end with">Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe</SourceImage>
+			<SourceImage condition="end with">Common Files\Adobe\AdobeGCClient\AGSService.exe</SourceImage>
+			<SourceImage condition="begin with">C:\ProgramData\WebEx\webex\</SourceImage>
+			<SourceImage condition="end with">Dropbox\Update\DropboxUpdate.exe</SourceImage>
+			<SourceImage condition="end with">LTSvc\LTSVC.exe</SourceImage>
+			<SourceImage condition="end with">\Trusteer\Rapport\bin\RapportMgmtService.exe</SourceImage>
+			<SourceImage condition="end with">Adobe\AdobeGCClient\AGMService.exe</SourceImage>
+			<SourceImage condition="end with">NT-ware Shared\MomAdmSvc\MomAdmSvc.exe</SourceImage>
+			<SourceImage condition="end with">\Autodesk\Autodesk Desktop App\AdAppMgrSvc.exe</SourceImage>
+		</ProcessAccess>
+
+	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
+		<!--EVENT 11: "File created"-->
+		<!--NOTE:	Other filesystem "minifilters" can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
+		<!--NOTE:	You may not see files detected by antivirus. Other filesystem minifilters, like antivirus, can act before Sysmon receives the alert a file was written.-->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
+		<FileCreate onmatch="include">
+			<TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links and shortcut modification-->
+			<TargetFilename condition="contains">\Startup</TargetFilename> <!--Microsoft:Office: Changes to user's autoloaded files under AppData-->
+			<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments--> <!--PRIVACY WARNING-->
+			<TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE--> <!--PRIVACY WARNING-->
+			<TargetFilename condition="end with">.dll</TargetFilename> <!-- Lets detect DLL's being dropped in locations and to detect DLL Search Order Hijacking -->
+			<TargetFilename condition="end with">.ocx</TargetFilename>
+			<TargetFilename condition="end with">.sys</TargetFilename> <!-- Lets detect Drivers's being dropped in locations -->
+			<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
+			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
+			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
+			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
+			<TargetFilename condition="end with">.com</TargetFilename> <!--Batch scripting: Batch scripts can also use the .com extension -->
+			<TargetFilename condition="end with">.btm</TargetFilename> <!--Batch scripting: Batch scripts can also use the .btm extension -->
+			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
+			<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
+			<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
+			<TargetFilename condition="end with">.msc</TargetFilename> <!--Executable-->
+			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
+			<TargetFilename condition="end with">.ws</TargetFilename> <!--Scripting-->
+			<TargetFilename condition="end with">.wsf</TargetFilename> <!--Scripting-->
+			<TargetFilename condition="end with">.wsh</TargetFilename> <!--Scripting-->
+			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
+			<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
+			<TargetFilename condition="end with">.ps1xml</TargetFilename> <!--PowerShell's other file extensions: -->
+			<TargetFilename condition="end with">.psc1</TargetFilename> <!--PowerShell's other file extensions: -->
+			<TargetFilename condition="end with">.psd1</TargetFilename> <!--PowerShell's other file extensions: -->
+			<TargetFilename condition="end with">.psm1</TargetFilename> <!--PowerShell's other file extensions: -->
+			<TargetFilename condition="end with">.pssc</TargetFilename> <!--PowerShell's other file extensions: -->
+			<TargetFilename condition="end with">.cdxml</TargetFilename> <!--PowerShell's other file extensions: -->
+			<TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
+			<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry files-->
+			<TargetFilename condition="end with">.docm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.xlsm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.xlam</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.potm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.sldm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
+			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
+			<TargetFilename condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
+			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
+			<TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting-->
+			<TargetFilename condition="end with">.vbsript</TargetFilename> <!--VisualBasicScripting-->
+			<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting-->
+			<TargetFilename condition="end with">.js</TargetFilename> <!--Java Scripting-->
+			<TargetFilename condition="end with">.jse</TargetFilename> <!--Java Scripting-->
+			<TargetFilename condition="end with">proj</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
+			<TargetFilename condition="end with">.sln</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
+			<TargetFilename condition="end with">.xls</TargetFilename> <!--Legacy Office files are often used for attacks-->
+			<TargetFilename condition="end with">.ppt</TargetFilename> <!--Legacy Office files are often used for attacks-->
+			<TargetFilename condition="end with">.rft</TargetFilename> <!--RTF files often 0day malware vectors when opened by Office-->
+			<TargetFilename condition="end with">.SettingContent-ms</TargetFilename> <!--More info: https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39-->
+			<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
+			<TargetFilename condition="contains">\Desktop</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
+			<TargetFilename condition="contains">\Documents</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
+			<TargetFilename condition="begin with">C:\Windows\System32\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
+			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
+			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
+			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
+			<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks-->
+			<TargetFilename condition="begin with">C:\Windows\System32\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
+			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
+			<TargetFilename condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
+			<TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
+			<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
+			<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks -->
+			<TargetFilename condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename> <!--Microsoft:Windows: Application compatibility shims [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
+			<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename> <!--Microsoft: Files dropped here -->
+			<!--SECTION: Other suspicious file types to monitor-->
+			<TargetFilename condition="end with">.ICL</TargetFilename>
+			<TargetFilename condition="end with">.FON</TargetFilename>
+			<TargetFilename condition="end with">.FOT</TargetFilename>
+			<TargetFilename condition="end with">.ico</TargetFilename>
+			<TargetFilename condition="end with">.lnk</TargetFilename>
+			<TargetFilename condition="end with">.eml</TargetFilename>
+			<TargetFilename condition="end with">.msg</TargetFilename>
+			<TargetFilename condition="end with">.SCT</TargetFilename>
+			<TargetFilename condition="end with">.SCR</TargetFilename>
+			<TargetFilename condition="end with">.SHB</TargetFilename>
+			<TargetFilename condition="end with">.SHS</TargetFilename>
+			<TargetFilename condition="end with">.PAF</TargetFilename>
+			<TargetFilename condition="end with">.JSE</TargetFilename>
+			<TargetFilename condition="end with">.gadget</TargetFilename>
+			<TargetFilename condition="end with">.cpl</TargetFilename>
+			<TargetFilename condition="end with">.inf</TargetFilename>
+			<!--SECTION: Ransomware-->
+			<TargetFilename condition="contains">help_decrypt</TargetFilename>
+			<TargetFilename condition="contains">help_restore</TargetFilename>
+			<TargetFilename condition="contains">ReadDecryptFilesHere</TargetFilename>
+			<TargetFilename condition="contains">howto_recover_file</TargetFilename>
+			<TargetFilename condition="contains">recover_file_</TargetFilename>
+			<TargetFilename condition="contains">Recovery_file_</TargetFilename>
+			<TargetFilename condition="contains">how_to_decrypt</TargetFilename>
+			<TargetFilename condition="contains">encryptor_raas_readme_liesmich</TargetFilename>
+			<TargetFilename condition="contains">_how_recover_</TargetFilename>
+			<TargetFilename condition="contains">HOWTO_RESTORE_FILES_</TargetFilename>
+			<TargetFilename condition="contains">help_my_files</TargetFilename>
+			<TargetFilename condition="contains">how_recover</TargetFilename>
+			<TargetFilename condition="contains">HELP_TO_SAVE_FILES</TargetFilename>
+			<TargetFilename condition="contains">DECRYPT_INSTRUCTIONS</TargetFilename>
+			<TargetFilename condition="contains">YOUR_FILES.url</TargetFilename>
+			<TargetFilename condition="contains">Coin.Locker.txt</TargetFilename>
+			<TargetFilename condition="contains">_secret_code.txt</TargetFilename>
+			<TargetFilename condition="contains">Decrypt_readme.txt</TargetFilename>
+			<TargetFilename condition="contains">INSTUCCIONES_DESCRIFRADO</TargetFilename>
+			<TargetFilename condition="contains">FILESAREGONE.txt</TargetFilename>
+			<TargetFilename condition="contains">IAMREADYTOPAY.TXT</TargetFilename>
+			<TargetFilename condition="contains">HELLOTHERE.TXT</TargetFilename>
+			<TargetFilename condition="contains">READTHISNOW!!!.txt</TargetFilename>
+			<TargetFilename condition="contains">SECRETIDHERE.KEY</TargetFilename>
+			<TargetFilename condition="contains">IHAVEYOURSECRET.KEY</TargetFilename>
+			<TargetFilename condition="contains">SECRET.KEY</TargetFilename>
+			<TargetFilename condition="contains">HELPDECRYPT_YOUR_FILES.HTML</TargetFilename>
+			<TargetFilename condition="contains">RECOVERY_FILES.TXT</TargetFilename>
+			<TargetFilename condition="contains">RECOVERY_FILE.</TargetFilename>
+			<TargetFilename condition="contains">HowtoRestore_Files</TargetFilename>
+			<TargetFilename condition="contains">restorefiles</TargetFilename>
+			<TargetFilename condition="contains">howrecover+</TargetFilename>
+			<TargetFilename condition="contains">recoveryfile</TargetFilename>
+			<TargetFilename condition="contains">help_recover_instructions</TargetFilename>
+			<TargetFilename condition="contains">_Locky_recover</TargetFilename>
+			<TargetFilename condition="contains">_ReCoVeRy_</TargetFilename>
+			<!--SamSam Ransomware File drops -->
+			<TargetFilename condition="contains">www.exe</TargetFilename>
+			<TargetFilename condition="contains">ps.exe</TargetFilename>
+			<TargetFilename condition="contains">nt.exe</TargetFilename>
+			<TargetFilename condition="contains">doliohdyjkajd.dll</TargetFilename>
+			<TargetFilename condition="contains">run2.exe</TargetFilename>
+			<TargetFilename condition="contains">ping2.exe</TargetFilename>
+			<!--END: SamSam Ransomware File drops -->
+			<!--SECTION: Certificates -->
+			<TargetFilename condition="contains">.pem</TargetFilename>
+			<TargetFilename condition="contains">.crt</TargetFilename>
+			<TargetFilename condition="contains">.ca-bundle</TargetFilename>
+			<TargetFilename condition="contains">.cer</TargetFilename>
+			<TargetFilename condition="contains">.csr</TargetFilename>
+			<TargetFilename condition="contains">.der</TargetFilename>
+			<TargetFilename condition="contains">.p7b</TargetFilename>
+			<TargetFilename condition="contains">.p7r</TargetFilename>
+			<TargetFilename condition="contains">.p7s</TargetFilename>
+			<TargetFilename condition="contains">.pfx</TargetFilename>
+			<TargetFilename condition="contains">.sto</TargetFilename>
+			<TargetFilename condition="contains">.p12</TargetFilename>
+			<TargetFilename condition="contains">.crl</TargetFilename>
+			<TargetFilename condition="contains">.sst</TargetFilename>
+			<TargetFilename condition="contains">.key</TargetFilename>
+			<!--SECTION: CIA Vault7 Leak -->
+			<TargetFilename condition="contains">.mht</TargetFilename> <!-- Vault7 CIA Leak: Possible malformed file will escape IE sandbox -->
+			<TargetFilename condition="contains">.cpl</TargetFilename> <!-- Vault7 CIA Leak: Control Panel Persistence -->
+			<TargetFilename condition="contains">.scr</TargetFilename> <!-- Vault7 CIA Leak: Screensaver Persistence -->
+			<TargetFilename condition="contains">.manifest</TargetFilename>
+			<TargetFilename condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
+			<TargetFilename condition="contains">HammerDrillStatus.dll</TargetFilename> <!-- Vault7 CIA Leak: HammerDrill DLL -->
+			<!--SECTION: Mimikatz-->
+			<!--Default-disable <TargetFileName condition="end with">.kirbi</TargetFileName> --> <!-- [ https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos ] -->
+		</FileCreate>
+		<FileCreate onmatch="exclude">
+			<TargetFilename condition="begin with">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates\</TargetFilename> <!--Microsoft:Windows: taskhostw re-creates certificate store constantly-->
+			<TargetFilename condition="end with">\Downloads</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
+			<TargetFilename condition="end with">\Start Menu</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
+			<TargetFilename condition="end with">\Start Menu\Programs</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
+			<TargetFilename condition="end with">\Start Menu\Programs\Startup</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
+			<!--SECTION: Microsoft-->
+			<Image condition="contains">C:\Windows\System32\svchost.exe</Image> <!-- Microsoft:Windows: Svchost creating thousands of files, creating new profiles on TS's -->
+			<Image condition="contains">C:\Windows\System32\smss.exe</Image> <!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
+			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\IE</TargetFilename> <!-- Microsoft:Windows: Creates thousands of files including new profiles -->
+			<Image condition="is">\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates</Image>
+			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost -->
+			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe -->
+			<TargetFilename condition="begin with">C:\Windows\System32\DriverStore\Temp\</TargetFilename> <!-- Microsoft:Windows: Temp files by DrvInst.exe-->
+			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe-->
+			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost-->
+			<TargetFilename condition="end with">.SQM</TargetFilename> <!-- Ignore Exchange files created -->
+			<TargetFilename condition="end with">.SPL</TargetFilename> <!-- Ignore Spooled Print Jobs -->
+			<TargetFilename condition="end with">.SHD</TargetFilename> <!-- Ignore Spooled Print Jobs -->
+			<Image condition="is">C:\Program Files (x86)\EMET 5.5\EMET_Service.exe</Image> <!--Microsoft:EMET: Writes to C:\Windows\AppPatch\-->
+			<Image condition="is">C:\Windows\system32\mobsync.exe</Image> <!--Microsoft:Windows: Network file syncing-->
+			<TargetFilename condition="begin with">C:\Windows\Installer\</TargetFilename> <!--Microsoft:Windows:Installer: Ignore MSI installer files caching-->
+			<!--SECTION: Microsoft:Office-->
+			<TargetFilename condition="is">C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask</TargetFilename>
+			<!--SECTION: Microsoft:Windows:Updates-->
+			<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\</TargetFilename> <!-- Microsoft:Windows: Feature updates containing lots of .exe and .sys-->
+			<TargetFilename condition="end with">.etl</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->
+			<TargetFilename condition="end with">.log</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->
+			<Image condition="begin with">C:\WINDOWS\winsxs\amd64_microsoft-windows</Image> <!-- Microsoft:Windows: Windows update-->
+			<Image condition="begin with">Firefox Setup </Image> <!-- Firefox:Installer -->
+			<TargetFilename condition="is">C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive</TargetFilename> <!--Powershell spam!-->
+			<TargetFilename condition="is">C:\Windows\System32\config\netlogon.ftl</TargetFilename> <!-- Microsoft:Windows: Domain login cache-->
+			<Image condition="is">\\?\C:\Windows\system32\wbem\WMIADAP.EXE</Image><!-- Microsoft:Windows: WMI Performance updates-->
+			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image><!-- Microsoft:Office Click2Run-->
+			<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image><!-- Microsoft:Windows: Windows 10 app, creates tons of cache files-->
+			<Image condition="is">C:\Program Files\Microsoft SQL Server\110\LocalDB\Binn\sqlservr.exe</Image><!-- Microsoft:SQL Server: Creating tons of files-->
+			<Image condition="is">C:\Windows\System32\smss.exe</Image><!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
+			<Image condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</Image><!-- MSI: Helpdesk Updater-->
+			<Image condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</Image><!-- MSI: Dragon Center Updater-->
+			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image><!-- VMware:vSphere: Creates .cmdline apps in appdata\*\Temp-->
+			<!--SECTION: Dell-->
+			<Image condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</Image>
+			<!--SECTION: Intel-->
+			<Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image> <!--Intel: Drops bat and other files in \Windows in normal operation-->
+			<!--SECTION: Chrome Noise-->
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlUws.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlMalBin.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlMalware.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlSoceng.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\ChromeExtMalware.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\ChromeUrlClientIncident.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\IpMalware.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlSubresourceFilter.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlCsdWhitelist.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlCsdDownloadWhitelist.store_new</TargetFilename>
+			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\CertCsdDownloadWhitelist.store_new</TargetFilename>
+			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
+			<!--SECTION: Adobe-->
+			<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Acrobat Update Task</TargetFilename>
+			<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Flash Player Updater</TargetFilename>
+			<!--SECTION: Connectwise-->
+			<Image condition="is">C:\Program Files (x86)\ConnectWise\PSA.net\ConnectWise.exe</Image>
+			<!--SECTION: Datto-->
+			<Image condition="is">C:\Program Files\Datto\Datto Windows Agent\DattoBackupAgent.exe</Image>
+			<!--SECTION: Toshiba Print Drivers-->
+			<TargetFilename condition="begin with">C:\Windows\System32\config\systemprofile\TOSHIBA\</TargetFilename>
+			<TargetFilename condition="contains">TOSHIBA\eSTUDIOX\UNIDRV</TargetFilename>
+			<TargetFilename condition="end with">N-able Technologies\AVDefender\ThreatScanner\Antivirus-NewTemp\bdcore.dll</TargetFilename>
+			<TargetFilename condition="end with">N-able Technologies\AVDefender\ThreatScanner\Antivirus-NewTemp\scanclient.dll</TargetFilename>
+			<TargetFilename condition="begin with">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\Repository\nagent</TargetFilename>
+			<TargetFilename condition="begin with">C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\</TargetFilename>
+		</FileCreate>
+
+	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
+		<!--EVENT 12: "Registry object added or deleted"-->
+		<!--EVENT 13: "Registry value set-->
+		<!--EVENT 14: "Registry objected renamed"-->
+		
+		<!--NOTE:	"contains" conditions below are formatted to reduce CPU load, so they may appear written inconsistently, but this is on purpose from tuning.-->
+		<!--NOTE:	"contains" works by finding the first letter, then matching the second, etc, so the first letters should be as low-occurrence as possible.-->
+		<!--NOTE:	Windows writes hundreds or thousands of registry keys a minute, so just because you're not changing things, doesn't mean these rules aren't being run.-->
+		<!--NOTE:	You do not have to spend a lot of time worrying about performance, CPUs are fast, but it's something to consider. Every rule and condition type has a small cost.-->
+		<!--NOTE:	[ https://attack.mitre.org/wiki/Technique/T1112 ] -->
+
+		<!--TECHNICAL:	You cannot filter on the "Details" attribute, due to performance issues when very large keys are written, and variety of data formats-->
+		<!--TECHNICAL:	Possible prefixes are HKLM, HKCR, and HKU-->
+		<!--CRITICAL:	Schema version 3.30 and higher change HKLM\="\REGISTRY\MACHINE\" and HKU\="\REGISTRY\USER\" and HKCR\="\REGISTRY\MACHINE\SOFTWARE\Classes\" and CurrentControlSet="ControlSet001"-->
+		<!--CRITICAL:	Due to a bug, Sysmon versions BEFORE 7.01 may not properly log with the new prefix style for registry keys that was originally introduced in schema version 3.30-->
+		<!--NOTE:	Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation-->
+
+		<!-- ! CRITICAL NOTE !:	It may appear this section is MISSING important entries, but SOME RULES MONITOR MANY KEYS, so look VERY CAREFULLY to see if something is already covered.-->
+
+		<!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details (can't filter on), NewName (can't filter on)-->
+		<RegistryEvent onmatch="include">
+			<!--Autorun or Startups-->
+				<!--ADDITIONAL REFERENCE: [ http://www.ghacks.net/2016/06/04/windows-automatic-startup-locations/ ] -->
+				<!--ADDITIONAL REFERENCE: [ https://view.officeapps.live.com/op/view.aspx?src=https://arsenalrecon.com/downloads/resources/Registry_Keys_Related_to_Autorun.ods ] -->
+				<!--ADDITIONAL REFERENCE: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject condition="contains">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Run keys, incld RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
+			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts-->
+			<TargetObject condition="contains">\Windows\System\Scripts</TargetObject> <!--Microsoft:Windows: Logon, Loggoff, Shutdown-->
+			<TargetObject condition="contains">\Microsoft\System\Scripts</TargetObject> <!--Microsoft:Windows: Legacy Logon, Loggoff, Shutdown Scripts-->
+			<TargetObject condition="end with">\ServiceDll</TargetObject> <!--Microsoft:Windows: Points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ] -->
+			<TargetObject condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: Points to a service's EXE [ https://github.com/crypsisgroup/Splunkmon/blob/master/sysmon.cfg ] -->
+			<TargetObject condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual)-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
+			<TargetObject condition="contains">Session Manager\KnownDlls</TargetObject>
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</TargetObject> <!-- Print Monitor DLL's loaded at startup can be malicious, lets monitor those -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers</TargetObject> <!-- Print Provider DLL's loaded at startup can be malicious, lets monitor those -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>  <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
+			<TargetObject condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject> <!--Detect ACPI Rootkits -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location -->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject><!--Microsoft:Windows: Legacy Autorun may exist in server 2003-2008-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject> <!-- Windows Debugger Hijack Autorun -->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ] -->
+			<TargetObject condition="contains">UserInitMprLogonScript</TargetObject> <!--Microsoft:Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ] -->
+			<TargetObject condition="end with">\CurrentVersion\Font Drivers</TargetObject>
+			<TargetObject condition="contains">Active Setup\Installed Components</TargetObject>
+			<TargetObject condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
+			<TargetObject condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
+			<TargetObject condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
+			<TargetObject condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
+			<TargetObject condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
+			<TargetObject condition="contains">SafeBoot\AlternateShell</TargetObject>
+			<TargetObject condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
+			<TargetObject condition="contains">Policies\System\Shell</TargetObject>
+			<TargetObject condition="contains">Desktop\Scrnsave.exe</TargetObject>
+			<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit</TargetObject> <!--Persistence using GlobalFlags in Image File Execution Options: [ https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ ] -->
+			<!--CLSID launch commands and file association changes-->
+			<TargetObject condition="contains">\Explorer\FileExts\</TargetObject> <!--Microsoft:Windows: Changes to file extension mapping-->
+			<TargetObject condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
+			<TargetObject condition="contains">\shell\open\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
+			<TargetObject condition="contains">\shell\open\ddeexec\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
+			<!--Windows COM-->
+			<TargetObject condition="end with">\InprocServer32\(Default)</TargetObject> <!--Microsoft:Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
+			<!--Windows shell hijack-->
+			<TargetObject condition="contains">\PropertySheetHandlers</TargetObject>
+			<TargetObject condition="contains">\CopyHookHandlers</TargetObject>
+			<TargetObject condition="contains">\ColumnHandlers</TargetObject>
+			<TargetObject condition="contains">\ExtShellFolderViews</TargetObject>
+			<TargetObject condition="contains">\ShellServiceObjects</TargetObject>
+			<TargetObject condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
+			<TargetObject condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
+			<TargetObject condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
+			<TargetObject condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
+			<TargetObject condition="contains">\SharedTaskScheduler</TargetObject>
+			<TargetObject condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
+			<TargetObject condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
+			<TargetObject condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject condition="contains">\Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject condition="contains">\Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
+			<!--AppPaths hijacking-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<!--Terminal service boobytraps-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<!--Group Policy interity-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
+			<!--Winsock and Winsock2-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
+			<TargetObject condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
+			<TargetObject condition="begin with">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride - Threats sometimes change proxy server -->
+			<TargetObject condition="end with">\DisableSecuritySettingsCheck</TargetObject>
+			<TargetObject condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
+			<TargetObject condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
+			<TargetObject condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
+			<!--Credential providers-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
+			<!--Networking-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
+			<TargetObject condition="end with">EnableFirewall</TargetObject> <!--Microsoft:Windows: Monitor for firewall disablement [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
+			<!--DLLs that get injected into every process launch-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
+			<!--Office-->
+			<!--Microsoft Office-->
+			<TargetObject condition="contains">Office Test\</TargetObject> <!-- [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
+			<TargetObject condition="contains">\Outlook\Addins\</TargetObject> <!--Microsoft:Office: Outlook add-ins-->
+			<TargetObject condition="contains">\Excel\Addins\</TargetObject> <!--Microsoft:Office: Excel add-ins-->
+			<TargetObject condition="contains">\Word\Addins\</TargetObject> <!--Microsoft:Office: Word add-ins-->
+			<TargetObject condition="contains">\Access\Addins\</TargetObject> <!--Microsoft:Office: Word add-ins-->
+			<TargetObject condition="contains">\Powerpoint\Addins\</TargetObject> <!--Microsoft:Office: Powerpoint add-ins-->
+			<!--IE-->
+			<TargetObject condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
+			<TargetObject condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
+			<!--Magic registry keys-->
+			<TargetObject condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
+			<TargetObject condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
+			<!--Infection artifacts-->
+			<TargetObject condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
+			<TargetObject condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and component installations-->
+			<!--Windows internals integrity monitoring-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject> <!--Microsoft:Windows: Malware likes changing IFEO-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject> <!--Microsoft:Windows: Event log system integrity and ACLs-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
+			<!--Common Malware Persistence locations-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
+			<TargetObject condition="contains">CurrentVersion\Windows\Load</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
+			<TargetObject condition="contains">CurrentVersion\Windows\Run</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
+			<TargetObject condition="contains">CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/ms838576(v=winembedded.5).aspx ] -->
+			<TargetObject condition="contains">CurrentVersion\Winlogon\System</TargetObject> <!--Microsoft:Windows [ https://www.exterminate-it.com/malpedia/regvals/zlob-dns-changer/118 ] -->
+			<!--Group Policy Scripts-->
+			<TargetObject condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
+			<TargetObject condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
+			<!--Detect Network History-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
+			<TargetObject condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
+			<TargetObject condition="end with">DefaultGateway</TargetObject><!--Networking: Detect changes-->
+			<TargetObject condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
+			<TargetObject condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
+			<TargetObject condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
+			<TargetObject condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
+			<TargetObject condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
+			<!--Detect User Activity-->
+			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
+			<!--RDP History Tracking-->
+			<TargetObject condition="contains">\Software\Microsoft\Terminal Server Client</TargetObject>
+			<!--Detect Threats from Webroot Antivirus-->
+			<!--Active threats show like so: c:\users\JohnDoe\downloads\w10privacy\w10privacy.exe|W32.Backdoor.Gen|5880BC38 Reg Key Location: HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active-->
+			<TargetObject condition="contains">\WRData\Threats\Active</TargetObject><!--Detect Active Threats-->
+			<TargetObject condition="contains">\WRData\Threats\History</TargetObject><!--Detect Threat History & Auto-Removed Threats-->
+			<!--Detect Changes to Proxy Server Setting-->
+			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
+			<!--Detect Browser Hijackers-->
+			<!--<TargetObject condition="contains">\Software\Microsoft\Internet Explorer\DOMStorage\</TargetObject>-->
+			<!--<TargetObject condition="contains">\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\</TargetObject>-->
+			<!--<TargetObject condition="contains">\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage</TargetObject>-->
+			<!--Detect Unauthorized Firewall Changes-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject> <!--Check for apps added to Firewall Auth List-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject> <!--Detect: UAC Tampering-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject> <!--Detect: UAC Tampering-->
+			<!--Detect Malware & Unauthorized Changes to Outlook, Excel, Powerpoint, and Access Security to enable execution of scripts/Macros -->
+			<TargetObject condition="contains">\Security\Level</TargetObject>
+			<TargetObject condition="contains">\Security\Level1Remove</TargetObject>
+			<!--Detect if Microsoft Security Center is Disabled or Enabled-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
+			<TargetObject condition="end with">\HideSCAHealth</TargetObject> <!--Microsoft:Windows:Security Center: Malware timestimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
+			<!--Detect if Windows Defender is Disabled-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable</TargetObject>
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject> <!-- Detect disabling of machine password change -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject> <!-- Causes the domain controller to refuse password change requests only from workstations or member servers -->
+			<!-- Detect Root Certificate Store Hijacking and Unauthorized changes -->
+			<!-- Lots of noise from multiple locations, need a better monitor
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates</TargetObject>
+			<TargetObject condition="contains">\Software\Policies\Microsoft\SystemCertificates</TargetObject>
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates</TargetObject>
+			<TargetObject condition="contains">\SOFTWARE\Microsoft\EnterpriseCertificates</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SystemCertificates</TargetObject>
+			<TargetObject condition="contains">\SOFTWARE\Microsoft\SystemCertificates</TargetObject>
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\CertSvc</TargetObject>
+			-->
+			<!-- Other Stuff -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject> <!--Mitre T1198-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject><!--Mitre T1198-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
+			<TargetObject condition="contains">\Software\Classes\mscfile\shell\open\command</TargetObject> <!-- Fileless Bypass of UAC: http://resources.infosecinstitute.com/new-born-macro-malware-dropping-rootkits-using-fileless-infection-vector -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject><!--Identify Rogue Scheduled Task ID's -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject><!--Identify Rogue Scheduled Task ID's added to Logon -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot</TargetObject><!--Identify Rogue Scheduled Task ID's added to Boot -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
+			<TargetObject condition="contains">\comfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
+			<TargetObject condition="contains">\htafile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
+			<TargetObject condition="contains">\batfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
+			<TargetObject condition="contains">\piffile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
+			<TargetObject condition="contains">\exefile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
+			<TargetObject condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> <!-- Detect: UAC Bypass via sdclt: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ -->
+			<TargetObject condition="contains">\piffile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
+			<TargetObject condition="contains">\regfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
+			<TargetObject condition="contains">\mscfile\shell\open\command</TargetObject> <!-- Detect: Event Viewer UAC Bypass: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ -->
+			<TargetObject condition="contains">\InprocServer32</TargetObject> <!--Detect: COMObject Hijacking: https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
+			<TargetObject condition="end with">\FriendlyName</TargetObject> <!--Microsoft:Windows: New devices connected and remembered-->
+			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject> <!-- Detect Keyloggers & new Keyboards -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject> <!-- Detect: Dns Server dll injection -->
+			<!--Windows application compatibility shims-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged, useful for timeline matching with other events-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
+			<!-- NOTICE: Detect New USB Network Devices: Poison Tap - Creates lots of noise, disabled for now
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
+			-->
+		</RegistryEvent>
+
+		<RegistryEvent onmatch="exclude">
+		<!--COMMENT:	Remove low-information noise. Often these hide a process recreating an empty key and do not hide the values created subsequently.-->
+			<!--SECTION: Microsoft binaries-->
+			<Image condition="end with">Office\root\integration\integrator.exe</Image> <!--Microsoft:Office: C2R client-->
+			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image> <!--Microsoft:Windows: Changes association registry keys-->
+			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image> <!--Microsoft:Office: C2R client-->
+			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\lync.exe</Image> <!-- Lync Adding registry values to network adapter.. facepalm -->
+			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office15\lync.exe</Image> <!-- Lync Adding registry values to network adapter.. facepalm -->
+			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
+			<Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
+			<TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\</TargetObject> <!-- Edge Extensions Creating Reg entries on launch -->
+			<!--Misc-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\Optimize Start Menu Cache Files-</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\User_Feed_Synchronization-</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--SvcHost Noise-->
+			<TargetObject condition="end with">Toolbar\WebBrowser</TargetObject> <!--Microsoft:IE: Extraneous activity-->
+			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Height</TargetObject> <!--Microsoft:IE: Extraneous activity-->
+			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Layout</TargetObject> <!--Microsoft:IE: Extraneous activity-->
+			<TargetObject condition="end with">Toolbar\ShellBrowser\ITBar7Layout</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
+			<TargetObject condition="end with">Internet Explorer\Toolbar\Locked</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
+			<TargetObject condition="end with">Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93}</TargetObject> <!--Adobe PDF Browser Toolbar-->
+			<TargetObject condition="end with">Toolbar\WebBrowser\{724D43A0-0D85-11D4-9908-00400523E39A}</TargetObject> <!--RoboForms Browser toolbar-->
+			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Layout</TargetObject> <!--Misc IE Activity-->
+			<TargetObject condition="end with">ShellBrowser</TargetObject> <!--Microsoft:InternetExplorer: Noise-->
+			<TargetObject condition="end with">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard-->
+			<TargetObject condition="end with">\CurrentVersion\RunOnce</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard-->
+			<TargetObject condition="end with">\CurrentVersion\App Paths</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\App Paths" wildcard-->
+			<TargetObject condition="end with">\CurrentVersion\Image File Execution Options</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Image File Execution Options" wildcard-->
+			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Cached</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Cached" wildcard-->
+			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Approved</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Approved" wildcard-->
+			<TargetObject condition="end with">}\PreviousPolicyAreas</TargetObject> <!--Microsoft:Windows: Remove noise from \Winlogon\GPExtensions by svchost.exe-->
+			<TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
+			<TargetObject condition="end with">\Lsa\OfflineJoin\CurrentValue</TargetObject> <!--Microsoft:Windows: Sensitive value during domain join-->
+			<TargetObject condition="end with">\Components\TrustedInstaller\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
+			<TargetObject condition="end with">\Components\TrustedInstaller</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
+			<TargetObject condition="end with">\Components\Wlansvc</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
+			<TargetObject condition="end with">\Components\Wlansvc\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject> <!--Microsoft:Windows: Remove noise monitoring installations run as system-->
+			<TargetObject condition="end with">\Directory\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
+			<TargetObject condition="end with">\Directory\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
+			<TargetObject condition="end with">\Drive\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
+			<TargetObject condition="end with">\Drive\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
+			<TargetObject condition="contains">_Classes\AppX</TargetObject> <!--Microsoft:Windows: Remove noise monitoring "Shell\open\command"--> <!--Win8+-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--Microsoft:Windows: SvcHost Noise-->
+			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image> <!--Microsoft:Windows: Remove noise from Windows 10 Cortana | Credit @ion-storm--> <!--Win10-->
+			<!--Bootup Control noise-->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
+			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
+			<!--Services autostart noise-->
+			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
+			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
+			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
+			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
+			<TargetObject condition="end with">\services\DeviceAssociationService\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
+			<TargetObject condition="end with">\services\BITS\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
+			<TargetObject condition="end with">\services\TrustedInstaller\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
+			<TargetObject condition="end with">\services\tunnel\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
+			<TargetObject condition="end with">\services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
+			<!--FileExts noise filtering-->
+			<TargetObject condition="contains">\OpenWithProgids</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
+			<TargetObject condition="end with">\OpenWithList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
+			<TargetObject condition="end with">\UserChoice</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
+			<TargetObject condition="end with">\UserChoice\ProgId</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
+			<TargetObject condition="end with">\UserChoice\Hash</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
+			<TargetObject condition="end with">\OpenWithList\MRUList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
+			<TargetObject condition="end with">} 0xFFFF</TargetObject> <!--Microsoft:Windows: Remove noise generated by explorer.exe on monitored ShellCached binary keys--> <!--Win8+-->
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdp</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jxr</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rw2</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rwl</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrw</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srw</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac</TargetObject>
+			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf</TargetObject>
+			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{955C0D7D-042E-4034-9D54-EBD52477A6DB}\</TargetObject> <!--Too much noise -->
+			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{BEACC58F-E643-4e97-B19E-95F6EE3500FA}\</TargetObject> <!--Too much noise -->
+			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{07598BD3-ABBE-4bee-959F-7B90253EADFF}\</TargetObject> <!--Too much noise -->
+			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{31240348-66EE-4F14-A42A-39F373A834C7}\</TargetObject> <!--Too much noise -->
+			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{8C8EC235-0786-4DAD-A957-1A6CD76C28F5}\</TargetObject> <!--Too much noise -->
+			<!--Group Policy noise-->
+			<TargetObject condition="end with">HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups</TargetObject> <!--Microsoft:Windows: Routinely set through Group Policy, not especially important to log-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="contains">\safer\codeidentifiers\0\HASHES\{</TargetObject> <!--Microsoft:Windows: Software Restriction Policies. Can be used to disable security tools, but very noisy to monitor if you use it--> <!--OPTIONAL FILTER-->
+			<!--Autoruns noise-->
+			<!--<Details condition="is">c:\program files (x86)\microsoft office\office16\lync.exe</Details> Microsoft:Office: SkypeForBusiness autorun--> 
+			<!--<Details condition="is">"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized</Details> Cisco: AnyConnect autorun-->
+			<!--<Details condition="contains">ScanToPCActivationApp.exe" -deviceID "</Details> HP: Printer-->
+			<!--SECTION: 3rd party-->
+			<TargetObject condition="end with">} 0xFFFF</TargetObject> <!--Microsoft:Windows: Remove noise from explorer.exe from monitoring ShellCached binary keys--> <!--Win8+ -->
+			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image><!--Microsoft:Windows Remove noise from Windows 10 Cortana--> <!--Win10 -->
+			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image>
+			<TargetObject condition="contains">HKLM\System\CurrentControlSet\Services\DeviceAssociationService\Start</TargetObject><!--Device Association Service Noise-->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}\</TargetObject><!-- HD Audio Noise-->
+			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe</Image> <!--VMWare: Horizon View Client Noise-->
+			<Image condition="is">C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe</Image> <!--PGP: Noise-->
+			<!--SECTION: Labtech-->
+			<TargetObject condition="end with">\LTSvcMon\Start</TargetObject>
+			<TargetObject condition="end with">\LTService\Start</TargetObject>
+			<!--SECTION: ShadowProtect-->
+			<TargetObject condition="contains">{F2C2787D-95AB-40D4-942D-298F5F757874}</TargetObject>
+			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image> <!--Constantly writes to HKLM-->
+			<!-- Search Protocol Host & Sysmon spam the SystemCertificates keystores, adding exclusions below -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\</TargetObject>
+			<TargetObject condition="contains">\Software\Policies\Microsoft\SystemCertificates\</TargetObject>
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\</TargetObject>
+			<TargetObject condition="contains">\SOFTWARE\Microsoft\EnterpriseCertificates\</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SystemCertificates\</TargetObject>
+			<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports</TargetObject> <!-- Spooler Noise -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnotice</TargetObject> <!-- Group Policy spam -->
+			<TargetObject condition="begin with">HKCR\VLC.</TargetObject> <!--VLC update noise-->
+			<TargetObject condition="begin with">HKCR\iTunes.</TargetObject> <!--Apple: iTunes update noise-->
+			<!--SECTION: Nitro Pro Spam-->
+			<TargetObject condition="contains">\Software\NITRO\PRO</TargetObject>
+			<!--SECTION: Webroot Spam-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\WRData\Status</TargetObject>
+		</RegistryEvent>
+
+	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
+		<!--EVENT 15: "File stream created"-->
+		<!--COMMENT:	Any files created with an NTFS Alternate Data Stream which match these rules will be hashed and logged.
+			[ https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/ ]
+			ADS's are used by browsers and email clients to mark files as originating from the Internet or other foreign sources.
+			[ https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/ ] -->
+		<!--NOTE: Other filesystem minifilters can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
+		<FileCreateStreamHash onmatch="exclude">
+			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
+		</FileCreateStreamHash>
+		<FileCreateStreamHash onmatch="include">
+			<TargetFilename condition="contains">Content.Outlook</TargetFilename> <!--Microsoft:Outlook: Attachments--> <!--PRIVACY WARNING-->
+			<TargetFilename condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
+			<TargetFilename condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
+			<TargetFilename condition="contains">Startup</TargetFilename> <!--ADS startup | Example: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
+			<TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting files-->
+			<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
+			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
+			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
+			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
+			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
+			<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
+			<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
+			<TargetFilename condition="end with">.dll</TargetFilename> <!--Executable-->
+			<TargetFilename condition="end with">.sys</TargetFilename> <!--Executable-->
+			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
+			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
+			<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
+			<TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
+			<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry files-->
+			<TargetFilename condition="end with">.docm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.xlsm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.xlam</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.potm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.sldm</TargetFilename> <!--Office Macros-->
+			<TargetFilename condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
+			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
+			<TargetFilename condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
+			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
+			<TargetFilename condition="end with">.js</TargetFilename> <!--Java-->
+			<!--SECTION: Certificates -->
+			<TargetFilename condition="contains">.pem</TargetFilename>
+			<TargetFilename condition="contains">.crt</TargetFilename>
+			<TargetFilename condition="contains">.ca-bundle</TargetFilename>
+			<TargetFilename condition="contains">.cer</TargetFilename>
+			<TargetFilename condition="contains">.csr</TargetFilename>
+			<TargetFilename condition="contains">.der</TargetFilename>
+			<TargetFilename condition="contains">.p7b</TargetFilename>
+			<TargetFilename condition="contains">.p7r</TargetFilename>
+			<TargetFilename condition="contains">.p7s</TargetFilename>
+			<TargetFilename condition="contains">.pfx</TargetFilename>
+			<TargetFilename condition="contains">.sto</TargetFilename>
+			<TargetFilename condition="contains">.p12</TargetFilename>
+			<TargetFilename condition="contains">.crl</TargetFilename>
+			<TargetFilename condition="contains">.sst</TargetFilename>
+			<TargetFilename condition="contains">.key</TargetFilename>
+			<!--SECTION: CIA Vault7 Leak -->
+			<TargetFilename condition="contains">.mht</TargetFilename> <!-- Possible malformed file will escape IE sandbox -->
+			<TargetFilename condition="contains">.manifest</TargetFilename>
+			<TargetFilename condition="contains">.cpl</TargetFilename> <!-- Vault7 CIA Leak: Control Panel Persistence -->
+			<TargetFilename condition="contains">.scr</TargetFilename> <!-- Vault7 CIA Leak: Screensaver Persistence -->
+			<TargetFilename condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
+		</FileCreateStreamHash>
+
+	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
+		<!--EVENT 16: "Sysmon config state changed"-->
+		<!--COMMENT:	This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16-->
+		
+		<!--DATA: UtcTime, Configuration, ConfigurationFileHash-->
+		<!--Cannot be filtered.-->
+
+	<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent]-->
+		<!--EVENT 17: "Pipe Created"-->
+		<!--EVENT 18: "Pipe Connected"-->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
+		<PipeEvent onmatch="exclude">
+		<!--COMMENT: Exclude known-good pipe users-->
+				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
+				<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
+			<!--SECTION: Microsoft-->
+			<PipeName condition="contains">lsass</PipeName>
+			<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
+			<PipeName condition="is">\spoolss</PipeName>
+			<!--SECTION: Microsoft IIS -->
+			<PipeName condition="begin with">\M.E.C.Core.WinRMDataCommunicator.NamedPipe.</PipeName>
+			<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image>
+			<Image condition="is">C:\Windows\syswow64\snmp.exe</Image>
+			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE</Image>
+			<!--SECTION: Microsoft Exchange Server -->
+			<Image condition="contains">Exchange Server</Image>
+			<!--SECTION: Microsoft DNS Server -->
+			<Image condition="is">C:\Windows\system32\dns.exe</Image>
+			<!--SECTION: Microsoft SQL Server -->
+			<PipeName condition="is">\sql\query</PipeName>
+			<Image condition="is">C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe</Image>
+			<!--SECTION: Microsoft Skype For Business Server -->
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exee</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\AV Conferencing\AVMCUSvc.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Health Agent\HealthAgent.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\LysSvc.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\File Transfer Agent\FileTransferAgent.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Web Conferencing\DataMCUSvc.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Application Host\OcsAppServerHost.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\ABServer.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Master Replicator Agent\MasterReplicatorAgent.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\IM Conferencing\IMMCUSvc.exe</Image>
+			<Image condition="is">C:\Program Files\Common Files\Skype for Business Server 2015\ClsAgent\ClsAgent.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\ReplicationApp.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\Application Sharing\ASMCUSvc.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Replica Replicator Agent\ReplicaReplicatorAgent.exe</Image>
+			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exe</Image>
+			<!--SECTION: Microsoft DFS Replication -->
+			<Image condition="is">C:\Windows\system32\DFSRs.exee</Image>
+			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
+			<Image condition="is">C:\Windows\system32\SearchProtocolHost.exe</Image>
+			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</Image>
+			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe</Image>
+			<Image condition="is">C:\Windows\System32\LxRun.exe</Image> <!--Bash On Windows -->
+			<PipeName condition="contains">vmware-</PipeName>
+			<Image condition="is">\System</Image>
+			<PipeName condition="is">\InitShutdown</PipeName>
+			<Image condition="is">C:\Windows\System32\wininit.exe</Image>
+			<Image condition="is">C:\Windows\System32\SearchIndexer.exe</Image>
+			<Image condition="is">C:\Windows\System32\services.exe</Image>
+			<PipeName condition="is">\ntsvcs</PipeName>
+			<PipeName condition="is">\scerpc</PipeName>
+			<Image condition="is">C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe</Image>
+			<Image condition="is">C:\Windows\System32\smss.exe</Image>
+			<Image condition="is">C:\Windows\System32\spoolsv.exe</Image>
+			<PipeName condition="is">\epmapper</PipeName>
+			<PipeName condition="is">\atsvc</PipeName>
+			<PipeName condition="is">\browser</PipeName>
+			<PipeName condition="is">\srvsvc</PipeName>
+			<PipeName condition="is">\Winsock2CatelogChangeListener</PipeName>
+			<PipeName condition="contains">ProtectedPrefix\LocalService\FTHPIPE</PipeName>
+			<PipeName condition="is">\W32TIME_ALT</PipeName>
+			<PipeName condition="is">\eventlog</PipeName>
+			<PipeName condition="is">\wkssvc</PipeName>
+			<PipeName condition="contains">\TDLN-</PipeName>
+			<PipeName condition="is">\WiFiNetworkManagerTask</PipeName>
+			<PipeName condition="is">\MsFteWds</PipeName>
+			<!--SECTION: Webroot-->
+			<PipeName condition="is">\WRSVCPipe</PipeName>
+			<PipeName condition="is">\WRSynUM2</PipeName>
+			<PipeName condition="is">\wrUrl</PipeName><!--Webroot Webfiltering Pipe-->
+			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
+			<!--SECTION: Google-->
+			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
+			<Image condition="contains">AppData\Local\Google\Chrome\User Data\SwReporter\</Image>
+			<PipeName condition="contains">mojo.</PipeName>
+			<PipeName condition="contains">crashpad_</PipeName>
+			<PipeName condition="contains">chrome.</PipeName>
+			<PipeName condition="contains">GoogleCrashServices</PipeName>
+			<!--SECTION: Other-->
+			<Image condition="end with">slack.exe</Image>
+			<!--SECTION: ConnectWise-->
+			<PipeName condition="contains">booma\</PipeName>
+			<!--SECTION: EnPass-->
+			<PipeName condition="contains">qtsingleapp-enpass-</PipeName>
+			<Image condition="contains">qtsingleapp-enpass-</Image>
+			<!--SECTION: RoyalTS-->
+			<PipeName condition="contains">eo.ipc.</PipeName>
+			<!--SECTION: Windows Firewall Control-->
+			<Image condition="is">C:\Program Files\Windows Firewall Control\wfc.exe</Image>
+			<!--SECTION: Everything Search-->
+			<PipeName condition="contains">Everything Service</PipeName>
+			<PipeName condition="contains">anchor_gui_agent</PipeName>
+			<!--SECTION: Adobe-->
+			<Image condition="end with">Adobe\ARM\1.0\AdobeARM.exe</Image>
+			<!--SECTION: Lenovo-->
+			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\SUService.exe</Image>
+			<Image condition="is">C:\Program Files\Common Files\VMware\DeviceRedirectionCommon\ftnlsv.exe</Image>
+			<Image condition="is">C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe</Image>
+			<Image condition="is">C:\Program Files\Lenovo\HOTKEY\shtctky.exe</Image>
+			<Image condition="is">C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE</Image>
+			<Image condition="is">C:\Windows\System32\LPlatSvc.exe</Image>
+			<Image condition="is">C:\PROGRA~1\Lenovo\HOTKEY\TPOSD.EXE</Image>
+			<Image condition="is">C:\Program Files (x86)\Lenovo\iMController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe</Image>
+			<!--SECTION: Fortinet-->
+			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiSSLVPNdaemon.exe</Image>
+			<!--SECTION: Sophos VPN Client-->
+			<Image condition="is">c:\program files (x86)\sophos\sophos ssl vpn client\bin\openvpnserv.exe</Image>
+			<!--SECTION: Labtech-->
+			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
+			<Image condition="contains">ScreenConnect.WindowsClient.exe</Image>
+			<Image condition="contains">ScreenConnect.ClientService.exe</Image>
+			<!--SECTION: N-Able -->
+			<Image condition="end with">N-able Technologies\Windows Agent\bin\agent.exe</Image>
+			<Image condition="end with">N-able Technologies\AVDefender\EPIntegrationService.exe</Image>
+			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
+			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn.exe</Image>
+			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpnserv.exe</Image>
+			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
+			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe</Image>
+			<Image condition="is">C:\Program Files\Lenovo\HOTKEY\tphkload.exe</Image>
+			<Image condition="contains">C:\Program Files\Lenovo\</Image>
+			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\SerialPortRedirection\Client\vmwsprrdpwks.exe</Image>
+			<Image condition="contains">Graylog-collector-sidecar.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git-remote-https.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\bin\git.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
+			<PipeName condition="contains">Anonymous Pipe</PipeName> <!-- NOTICE: Comment this out if you dont use Labtech, labtech nests processes and causes excessive noise -->
+			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiESNAC.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiTray.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FCDBLog.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\VMware\ScannerRedirection\ftscanmgrhv.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Internet Explorer\vmware-vmrc.exe</Image>
+			<PipeName condition="contains">SQLAnywhereLRM</PipeName> <!-- Quickbooks -->
+			<PipeName condition="contains">pgsignal</PipeName> <!-- Postgres SQL -->
+			<Image condition="is">postgres.exe</Image>
+			<PipeName condition="contains">MICROSOFT##WID\tsql\query</PipeName> <!-- Microsoft SQL writer-->
+			<PipeName condition="contains">TSVCPIPE-</PipeName> <!-- Terminal Services Pipe-->
+			<PipeName condition="contains">BB4BB19A178C25D1</PipeName>
+			<PipeName condition="contains">SQLAnywhereLRM</PipeName>
+			<PipeName condition="contains">SQLLocal</PipeName>
+			<PipeName condition="contains">DropboxPipe_</PipeName>
+			<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel RMS License Manager\WinNT\mfcesd.exe</Image>
+			<Image condition="is">C:\Pfx Engagement\WM\PFXEngagement.exe</Image>
+			<Image condition="is">C:\Pfx Engagement\WM\Pfx.KnowledgeCoach.SharedServices.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Micro Focus\COBOL Server 2012\bin\mfds.exe</Image>
+			<Image condition="is">ScreenConnect.WindowsClient.exe</Image>
+			<Image condition="is">ScreenConnect.ClientService.exe</Image>
+			<Image condition="is">QBW32.EXE</Image>
+			<Image condition="end with">EXCEL.EXE</Image>
+			<Image condition="end with">ADCUpdate.exe</Image>
+			<Image condition="end with">Hydrous.Host.exe</Image>
+			<Image condition="end with">TNSLSNR.exe</Image>
+			<Image condition="contains">ShoreWare Server</Image>
+		</PipeEvent>
+
+	<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
+		<!--EVENT 19: "WmiEventFilter activity detected"-->
+		<!--EVENT 20: "WmiEventConsumer activity detected"-->
+		<!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->
+
+		<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
+		<WmiEvent onmatch="exclude">
+		</WmiEvent>
+
+	<!--SYSMON EVENT ID 255 : ERROR-->
+		<!--"This event is generated when an error occurred within Sysmon. They can happen if the system is under heavy load
+			and certain tasked could not be performed or a bug exists in the Sysmon service. You can report any bugs on the
+			Sysinternals forum or over Twitter (@markrussinovich)."-->
+		<!--Cannot be filtered.-->
+
+	</EventFiltering>
+</Sysmon>

From 76bc020a982ff2bdc951068f4ff4a172deafc731 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sat, 7 Jul 2018 00:34:08 -0400
Subject: [PATCH 256/471] Big update, more todo, stay tuned

---
 Sysmon-config.xml | 538 +++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 481 insertions(+), 57 deletions(-)

diff --git a/Sysmon-config.xml b/Sysmon-config.xml
index ef0ea29c..46ab3d27 100644
--- a/Sysmon-config.xml
+++ b/Sysmon-config.xml
@@ -51,7 +51,7 @@
   PERFORMANCE: By using "end with" you can save performance by starting a string match at the end of a line, which usually triggers earlier.
 -->
 
-<Sysmon schemaversion="4.1">
+<Sysmon schemaversion="4.10">
 	<!--SYSMON META CONFIG-->
 	<HashAlgorithms>md5,sha256</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
 	<CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->
@@ -71,100 +71,524 @@
 
 		<!--DATA: UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
 		<ProcessCreate onmatch="include">
-			<Image name="MitreRef='T0000','Technique='Command Line'" condition="end with">\cmd.exe</Image>
-			<Image name="MitreRef='T0000','Technique='Command Line'" condition="end with">\cmd.com</Image>
-			<Image name="MitreRef='T0000','Technique='Command Line'" condition="end with">.com</Image>
-			<Image name="MitreRef='T0000','Technique='Command Line'" condition="end with">\powershell.exe</Image>
-			<Image condition="end with">\control.exe</Image>
-			<Image condition="end with">\acrord32.exe</Image>
-			<Image condition="end with">\installutil.exe</Image>
-			<Image condition="end with">\reg.exe</Image>
-			<Image condition="end with">\net.exe</Image>
-			<Image condition="end with">\net1.exe</Image>
-			<Image condition="end with">\ipconfig.exe</Image>
 			<!--Mitre ATT&CK Rules-->
 			<!--Accessibility Features-->
-			<ParentImage name="MitreRef='T1015','Technique=''" condition="end with">sethc.exe</ParentImage>
-			<ParentImage name="MitreRef='T1015','Technique=''" condition="end with">utilman.exe</ParentImage>
-			<ParentImage name="MitreRef='T1015','Technique=''" condition="end with">osk.exe</ParentImage>
-			<ParentImage name="MitreRef='T1015','Technique=''" condition="end with">Magnify.exe</ParentImage>
-			<ParentImage name="MitreRef='T1015','Technique=''" condition="end with">DisplaySwitch.exe</ParentImage>
-			<ParentImage name="MitreRef='T1015','Technique=''" condition="end with">Narrator.exe</ParentImage>
-			<ParentImage name="MitreRef='T1015','Technique=''" condition="end with">AtBroker.exe</ParentImage>
-	  		<!--Native Windows tools - Living off the land-->
-			<Image name="MitreRef='T1016','Technique=''" condition="end with">whoami.exe</Image>
-			<Image name="MitreRef='T1057','Technique=''" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
-			<Image name="MitreRef='T1033','Technique=''" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
-			<Image name="MitreRef='T1016','Technique=''" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
-			<Image name="MitreRef='T1016','Technique=''" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
-			<Image name="MitreRef='','Technique=''" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef='','Technique=''" condition="end with">nslookup.exe</Image> <!--Microsoft:Windows: shows DNS configuration and enables quering -->
+			<ParentImage name="MitreRef='T1015','Technique='Persistence Privilege Escalation'" condition="end with">sethc.exe</ParentImage>
+			<ParentImage name="MitreRef='T1015','Technique='Persistence Privilege Escalation'" condition="end with">utilman.exe</ParentImage>
+			<ParentImage name="MitreRef='T1015','Technique='Persistence Privilege Escalation'" condition="end with">osk.exe</ParentImage>
+			<ParentImage name="MitreRef='T1015','Technique='Persistence Privilege Escalation'" condition="end with">Magnify.exe</ParentImage>
+			<ParentImage name="MitreRef='T1015','Technique='Persistence Privilege Escalation'" condition="end with">DisplaySwitch.exe</ParentImage>
+			<ParentImage name="MitreRef='T1015','Technique='Persistence Privilege Escalation'" condition="end with">Narrator.exe</ParentImage>
+			<ParentImage name="MitreRef='T1015','Technique='Persistence Privilege Escalation'" condition="end with">AtBroker.exe</ParentImage>
+	  		<!--                                                                                                                                            -->
+			<!--Native Windows tools - Living off the land-->
+			<Image name="MitreRef='T1049','Technique='Discover'" condition="end with">whoami.exe</Image>
+			<Image name="MitreRef='T1057','Technique='Discover'" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
+			<Image name="MitreRef='T1033','Technique='Discover'" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
+			<Image name="MitreRef='T1016','Technique='Discover'" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
+			<Image name="MitreRef='T1049','Technique='Discover'" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
+			<Image name="MitreRef='ToDo','Technique='Discover'" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef='T1049','Technique=''" condition="end with">nslookup.exe</Image> <!--Microsoft:Windows: shows DNS configuration and enables quering -->
 			<Image name="MitreRef='T1201','Technique=''" condition="end with">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
-			<Image name="MitreRef='','Technique=''" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
-			<Image name="MitreRef='','Technique=''" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef='','Technique=''" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
-			<Image name="MitreRef='','Technique=''" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
-			<Image name="MitreRef='','Technique=''" condition="end with">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
-			<Image name="MitreRef='','Technique=''" condition="end with">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
+			<Image name="MitreRef='T1201','Technique=''" condition="end with">net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
+			<Image name="MitreRef='T1049','Technique='System Network Connections Discovery'" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
+			<Image name="MitreRef='ToDo','Technique=''" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef='ToDo','Technique=''" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
+			<Image name="MitreRef='ToDo','Technique=''" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
+			<Image name="MitreRef='T1016','Technique=''" condition="end with">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
+			<Image name="MitreRef='ToDo','Technique=''" condition="end with">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
 			<Image name="MitreRef='T1214','Technique=''" condition="end with">reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
-			<Image name="MitreRef='','Technique=''" condition="end with">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
+			<Image name="MitreRef='ToDo','Technique=''" condition="end with">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
 			<Image name="MitreRef='T1016','Technique=''" condition="end with">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
-			<Image name="MitreRef='','Technique=''" condition="end with">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
+			<Image name="MitreRef='ToDo','Technique=''" condition="end with">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
 			<Image name="MitreRef='T1070','Technique='" condition="end with">wevtutil.exe</Image> <!--Microsoft:Windows: read and modify the Windows Eventlog -->
 			<Image name="MitreRef='T1053','Technique=''" condition="end with">taskeng.exe</Image> <!--Microsoft:Windows: taskscheduler -->
 			<Image name="MitreRef='T1117','Technique=''" condition="end with">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
-			<ParentImage name="MitreRef='','Technique=''" condition="end with">wmiprvse.exe</ParentImage>
-			<Image name="MitreRef='','Technique=''" condition="end with">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
+			<ParentImage name="MitreRef='T1028','Technique='Remote WMIC/Execution, Lateral Movement'" condition="end with">wmiprvse.exe</ParentImage>
+			<ParentImage name="MitreRefS='S0029','Command execution - Execution, Lateral Movement'" condition="end with">psexesvc.exe</ParentImage>
+			<Description name="MitreRefS='S0029','Command execution - Execution, Lateral Movement'" condition="contains">Execute processes remotely</Description>
+			<ParentImage name="MitreRefS='S0029','Command execution - Execution, Lateral Movement'" condition="end with">psexec.exe</ParentImage>
+			<Description name="MitreRefS='S0029','Command execution - Execution, Lateral Movement'" condition="contains">Execute processes remotely</Description>
+			<ParentImage name="MitreRefS='S0029','Command execution - Execution, Lateral Movement'" condition="end with">pskill.exe</ParentImage>
+			<Image name="MitreRef='ToDo','Technique=''" condition="end with">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
 			<Image name="MitreRef='T1059','Technique=''" condition="end with">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
+			<ParentImage name="MitreRef='T1059','Technique=''" condition="end with">cmd.exe</ParentImage> <!--Microsoft:Windows: Command prompt-->
 			<Image name="MitreRef='T1086','Technique=''" condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
+			<Description name="MitreRef='T1086','Technique=''" condition="end with">powershell.exe</Description> <!--Microsoft:Windows: PowerShell interface-->
+			<ParentImage name="MitreRef='T1086','Technique=''" condition="end with">powershell.exe</ParentImage> <!--Microsoft:Windows: PowerShell interface-->
 			<Image name="MitreRef='T1202','Technique=''" condition="end with">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
-			<Image name="MitreRef='','Technique='" condition="end with">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
+			<ParentImage name="MitreRef='T1202','Technique=''" condition="end with">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
+			<Image name="MitreRef='ToDo','Technique='" condition="end with">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
 			<Image name="MitreRef='T1202','Technique=''" condition="end with">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
 			<Image name="MitreRef='T1158','Technique=''" condition="end with">attrib.exe</Image>
-			<Image name="MitreRef='','Technique=''" condition="end with">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
+			<Image name="MitreRef='ToDo','Technique=''" condition="end with">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
+	  		<!--                                                                                                                                            -->
 			<!--appc shim-->
 			<Image name="MitreRef='T1138','Technique=''" condition="end with">sdbinst.exe</Image>
+	  		<!--                                                                                                                                            -->
 			<!--BitsAdmin-->
-			<Image name="MitreRef='T1197','Technique=''" condition="end with">bitsadmin.exe</Image>
+			<Image name="MitreRef='T1197','Technique='Bitsadmin File Transfers'" condition="end with">bitsadmin.exe</Image>
+	  		<!--                                                                                                                                            -->
 			<!--UAC Bypass-->
-			<ParentImage name="MitreRef='T1088',Technique=''" condition="end with">eventvwr.exe</ParentImage>
-			<ParentImage name="MitreRef='T1088',Technique=''" condition="end with">fodhelper.exe</ParentImage>
+			<ParentImage name="MitreRef='T1088',Technique='UAC Bypass'" condition="end with">eventvwr.exe</ParentImage>
+			<ParentImage name="MitreRef='T1088',Technique='UAC Bypass'" condition="end with">fodhelper.exe</ParentImage>
+	  		<!--                                                                                                                                            -->
 			<!--InstallUtil Abuse-->
 			<Image name="MitreRef='T1118',Technique=''" condition="end with">InstallUtil.exe</Image>
 			<CommandLine name="MitreRef='T1118','Technique=''" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
+	  		<!--                                                                                                                                            -->
 			<!--Mavinject -->
 	        <Image name="MitreRef='T1218','Technique=''" condition="end with">Mavinject.exe</Image>
 			<Image name="MitreRef='T1191','Technique=''" condition="end with">CMSTP.exe</Image>
+	  		<!--                                                                                                                                            -->
 			<!--MSBuild-->
 			<Image name="MitreRef='T1191','Technique=''" condition="end with">MSBuild.exe</Image>
 	        <Image name="MitreRef='T1121','Technique=''" condition="end with">regsvcs.exe</Image>
 			<Image name="MitreRef='T1121','Technique=''" condition="end with">regasm.exe</Image>
 			<Image name="MitreRef='T1218','Technique=''" condition="end with">SyncAppvPublishingServer.exe</Image>
+	  		<!--                                                                                                                                            -->
 			<!--Control Panel-->
 			<Image name="MitreRef='T1218','Technique=''" condition="end with">control.exe</Image>
 	        <CommandLine name="MitreRef='T1196','Technique=''" condition="contains">control.exe /name</CommandLine>
 			<CommandLine name="MitreRef='T1196','Technique=''" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
+	  		<!--                                                                                                                                            -->
+			<!--Custom Mitre-->
 			<Image name="MitreRef='T1028','Technique='Windows Remote Management'" condition="end with">wsmprovhost.exe</Image>
+			<ParentImage name="MitreRef='T1028','Technique='Windows Remote Management'" condition="end with">wsmprovhost.exe</ParentImage>
 			<Image name="MitreRef='T1028','Technique='Windows Remote Management'" condition="end with">winrm.cmd</Image>
+			<CommandLine name="MitreRef='T1105','Technique='Command and Control/Lateral Movement'" condition="contains">certutil.exe -decode</CommandLine>
+			<CommandLine name="MitreRef='T1105','Technique='Command and Control/Lateral Movement'" condition="contains">certutil -decode</CommandLine>
+			<Image name="MitreRef='T1170','Technique='Defense Evasion/Execution'" condition="end with">mshta.exe</Image>
+			<Image name="MitreRef='T1070','Technique='Defense Evasion'" condition="end with">wevutil.exe</Image>
+			<CommandLine name="MitreRef='T1070','Technique='Defense Evasion'" condition="contains">wevutil cl</CommandLine>
+			<Image name="MitreRef='T1053','Technique='Execution/Persistence/Privledge Escalation'" condition="end with">schtasks.exe</Image>
+			<ParentImage name="MitreRef='T1053','Technique='Execution/Persistence/Privledge Escalation'" condition="end with">schtasks.exe</ParentImage>
+			<Image name="MitreRef='T1053','Technique='Execution/Persistence/Privledge Escalation'" condition="end with">at.exe</Image>
+			<ParentImage name="MitreRef='T1053','Technique='Execution/Persistence/Privledge Escalation'" condition="end with">at.exe</ParentImage>
+			<Image name="MitreRef='T1202','Technique='Indirect Command Execution'" condition="end with">forfiles.exe</Image>
+			<ParentImage name="MitreRef='T1202','Technique='Indirect Command Execution'" condition="end with">forfiles.exe</ParentImage>
+			<Image name="MitreRef='T1202','Technique='Indirect Command Execution'" condition="end with">pcalua.exe</Image>
+			<ParentImage name="MitreRef='T1202','Technique='Indirect Command Execution'" condition="end with">pcalua.exe</ParentImage>
+			<Image name="MitreRef='T1202','Technique='Indirect Command Execution'" condition="end with">bash.exe</Image>
+			<ParentImage name="MitreRef='T1202','Technique='Indirect Command Execution'" condition="end with">bash.exe</ParentImage>
+			<Image name="MitreRef='T1202','Technique='Indirect Command Execution'" condition="end with">bash.exe</Image>
+			<CommandLine name="MitreRef='ToDo','Technique='Powershell Injection Persistence Bypass - Execution, Lateral Movement'" condition="contains">System.Management.Automation</CommandLine>
+	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Adobe Parent Processes-->
-			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">acrobat.exe</ParentImage>
-			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">acrord32.exe</ParentImage>
+			<ParentImage name="MitreRef='ToDo','Technique='Process Spawned from Acrobat'" condition="end with">acrobat.exe</ParentImage>
+			<ParentImage name="MitreRef='ToDo','Technique='Process Spawned from Adobe Reader'" condition="end with">acrord32.exe</ParentImage>
+	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Browser Parent Processes-->
-			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">chrome.exe</ParentImage>
-			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">firefox.exe</ParentImage>
-			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">iexplore.exe</ParentImage>
-			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">MicrosoftEdgeCP.exe</ParentImage>
-			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">MicrosoftEdge.exe</ParentImage>
-			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">vivaldi.exe</ParentImage>
-			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">waterfox.exe</ParentImage>
+			<ParentImage name="MitreRef='ToDo','Technique='Process Spawned Process from Chrome'" condition="end with">chrome.exe</ParentImage>
+			<ParentImage name="MitreRef='ToDo','Technique='Process Spawned from Firefox'" condition="end with">firefox.exe</ParentImage>
+			<ParentImage name="MitreRef='ToDo','Technique='Process Spawned from Internet Explorer'" condition="end with">iexplore.exe</ParentImage>
+			<ParentImage name="MitreRef='ToDo','Technique='Process Spawned from Edge Browser'" condition="end with">MicrosoftEdgeCP.exe</ParentImage>
+			<ParentImage name="MitreRef='ToDo','Technique='Process Spawned from Edge Browser'" condition="end with">MicrosoftEdge.exe</ParentImage>
+			<ParentImage name="MitreRef='ToDo','Technique='Process Spawned from Vivaldi Browser'" condition="end with">vivaldi.exe</ParentImage>
+			<ParentImage name="MitreRef='ToDo','Technique='Process Spawned from Waterfox Browser'" condition="end with">waterfox.exe</ParentImage>
+	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Java Parent Processes-->
-			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">java.exe</ParentImage>
-			<ParentImage name="MitreRef='T0000','Technique=''" condition="end with">javaw.exe</ParentImage>
-			<!--Detect Spawned Office Parent Processes-->
+			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">java.exe</ParentImage>
+			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">javaw.exe</ParentImage>
+	  		<!--                                                                                                                                            -->
+			<!--Detect Spawned Office Parent Processes & Abuse-->
+			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">word.exe</ParentImage>
+			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">excel.exe</ParentImage>
+			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">POWERPNT.exe</ParentImage>
+			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">outlook.exe</ParentImage>
+			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">visio.exe</ParentImage>
+			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">msaccess.exe</ParentImage>
+			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">lync.exe</ParentImage>
+			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">skype.exe</ParentImage>
+	  		<!--                                                                                                                                            -->
 			<!--Detect Output Redirection-->
-			<CommandLine name="MitreRef='T0000','Technique=''" condition="contains">2></CommandLine>
-			<CommandLine name="MitreRef='T0000','Technique=''" condition="contains">></CommandLine>
-			<CommandLine name="MitreRef='T0000','Technique=''" condition="contains">>></CommandLine>
+			<CommandLine name="Note='Output Redirection'" condition="contains">2></CommandLine>
+			<CommandLine name="Note='Output Redirection'" condition="contains">&lt;</CommandLine>
+			<CommandLine name="Note='Output Redirection'" condition="contains">></CommandLine>
+	  		<!--                                                                                                                                            -->
+			<!--Detect Multiple Commands-->
+			<CommandLine name="Note='Multiple Commands'" condition="contains">&amp;</CommandLine>
+			<CommandLine name="Note='Multiple Commands'" condition="contains">;</CommandLine>
+			<CommandLine name="Note='Command Pipe'" condition="contains">|</CommandLine>
+			<CommandLine name="Note='interactive command to slow output'" condition="contains">more</CommandLine>
+			<CommandLine name="Note='Commands run from \\tsclient share ie: samsam ransomware'" condition="contains">\\tsclient</CommandLine>
+			<CommandLine name="Note='DotDot Dirs'" condition="contains">..</CommandLine>
+	  		<!--                                                                                                                                            -->
+			<!--Hack Command Line Events-->
+			<CommandLine name="Note='legacy hack command sometimes run by meterpreter or cobalt strike'" condition="contains">COMSPEC</CommandLine>
+			<CommandLine name="Note='Powershell Invoke-Expression'" condition="contains">iex</CommandLine>
+			<CommandLine name="Note='Powershell Invoke-Expression'" condition="contains">Invoke-Expression</CommandLine>
+			<CommandLine name="Note='Powershell Invoke-WebRequest'" condition="contains">iwr</CommandLine>
+			<CommandLine name="Note='Powershell Invoke-WebRequest'" condition="contains">Invoke-WebRequest</CommandLine>
+			<CommandLine name="Note='Powershell Download'" condition="contains">DownloadFile</CommandLine>
+			<CommandLine name="Note='Powershell Download'" condition="contains">DownloadString</CommandLine>
+			<CommandLine name="Note='Powershell Download'" condition="contains">Net.WebClient</CommandLine>
+			<CommandLine name="Note='Powershell Download'" condition="contains">System.Net.WebRequest</CommandLine>
+			<CommandLine name="Note='Powershell Download'" condition="contains">System.Net.SecurityProtocolType</CommandLine>
+			<CommandLine name="Note='invoke-shellcode'" condition="contains">Shellcode</CommandLine>
+			<CommandLine name="Note='Detect Base64 encoding'" condition="contains">FromBase64String</CommandLine>
+			<CommandLine name="Note='Detect Secure Strings'" condition="contains">convertto-securestring</CommandLine>
+			<CommandLine name="Note='Detect some more obfuscation'" condition="contains">VerbosePreference.ToString</CommandLine>
+	  		<!--                                                                                                                                            -->
+			<!--Ofuscated Command Line arguments-->
+			<CommandLine name="Note='Detect Invoke-Obfuscation'" condition="contains">runtime.interopservices.marshal</CommandLine>
+			<CommandLine name="Note='Detect some more obfuscation'" condition="contains">VerbosePreference.ToString</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-windowstyle h</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-windowstyl h</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-windowsty h</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-windowst h</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-windows h</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-window h</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-windo h</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-wind h</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-win h</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-wi h</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-w h</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-wi h</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-win hi</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-win hid</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-win hidd</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-win hidde</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-win hidden</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-Nop</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-Noni</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-ec</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">-en</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
+			<CommandLine name="Note='Obfuscation'" condition="contains">C^om^S^pEc</CommandLine>
+
+			<!--                                                                                                                                            -->
+			<!--Suspicious Command Line Locations-->
+			<Image name="MitreRef='ToDo','Technique='Command Line'" condition="end with">.com</Image>
+			<Image name="MitreRef='ToDo','Technique='Command Line'" condition="end with">powershell.exe</Image>
+			<Image name="Info='Executables Launched In Temp'" condition="contains">\temp\</Image>
+			<Image name="Info='Executables Launched In User Dirs'" condition="begin with">C:\users</Image>
+			<ParentImage condition="end with">explorer.exe</ParentImage>
+			<Image condition="end with">control.exe</Image>
+			<Image condition="end with">acrord32.exe</Image>
+			<Image condition="end with">installutil.exe</Image>
+			<Image name="Info='Registry modification/queries'" condition="end with">reg.exe</Image>
+			<Image name="Info='ipconfig discovery'" condition="end with">ipconfig.exe</Image>
+			<Image name="Info='Executables Launched In Appdata'" condition="contains">\appdata\</Image>
+			<Image condition="contains">\programdata\</Image>
+			<Image condition="contains">\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
+			<Image condition="contains">\ProgramData</Image>
+			<Image condition="contains">\Windows\</Image>
+			<Image condition="contains">\Perflogs\</Image>
+			<Image condition="contains">\config\systemprofile\</Image>
+			<!--Include Everything last to allow rules to apply and to allow previous exclude ruleset to function-->
+			<Image condition="contains">\</Image>
+		</ProcessCreate>
+		<ProcessCreate onmatch="exclude">
+			<!--SECTION: Microsoft Windows-->
+			<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes-->
+			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
+			<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine> <!--Microsoft:Windows: Search Indexer-->
+			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
+			<Image condition="is">C:\Windows\System32\MusNotification.exe</Image> <!--Microsoft:Windows: Update popups-->
+			<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image> <!--Microsoft:Windows: Update popups-->
+			<Image condition="is">C:\Windows\System32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly-->
+			<Image condition="is">C:\Windows\System32\conhost.exe</Image> <!--Microsoft:Windows: Command line interface host process-->
+			<Image condition="is">C:\Windows\System32\powercfg.exe</Image> <!--Microsoft:Power configuration management-->
+			<Image condition="is">C:\Windows\System32\wbem\WmiApSrv.exe</Image> <!--Microsoft:Windows: WMI performance adpater host process-->
+			<Image condition="is">C:\Windows\servicing\TrustedInstaller.exe</Image> <!--Microsoft:Windows: TrustedInstaller-->
+			<Image condition="is">C:\Windows\system32\sppsvc.exe</Image> <!--Microsoft:Windows: Software Protection Service-->
+			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
+			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
+			<ParentCommandLine condition="begin with">C:\Windows\system32\svchost.exe -k DcomLaunch</ParentCommandLine> <!--Microsoft:Windows-->
+			<ParentCommandLine condition="contains">\SystemRoot\System32\smss.exe 00000100 0000007c</ParentCommandLine> <!--Microsoft:Windows 10 Noise-->
+			<CommandLine condition="contains">\SystemRoot\System32\smss.exe 00000100 0000007c</CommandLine> <!--Microsoft:Windows 10 Noise-->
+			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font Cache Service-->
+			<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but without attribution-->
+			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
+			<Image condition="is">C:\Windows\system32\vssvc.exe</Image><!-- Microsoft Windows: Volume Shadow Copy Service -->
+			<CommandLine condition="contains">net use</CommandLine> <!-- Silence domain login scripts -->
+			<!--SECTION: Microsoft:Windows:Defender-->
+			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
+			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
+			<Image condition="is">C:\Windows\System32\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
+			<Image condition="is">C:\Windows\SysWOW64\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
+			<Image condition="is">C:\Windows\System32\MpSigStub.exe</Image> <!--Microsoft:Windows: Microsoft Malware Protection Signature Update Stub-->
+			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
+			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Engine</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
+			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Base</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
+			<Image condition="is">C:\Windows\System32\MusNotification.exe</Image><!--Microsoft:Windows: Update Popups-->
+			<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image><!--Microsoft:Windows: Update Popups-->
+			<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine><!--Microsoft:Windows: Search Indexer-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wsappx</CommandLine><!--Microsoft:Windows 10-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k appmodel</CommandLine><!--Microsoft:Windows 10-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k UnistackSvcGroup</CommandLine><!--Microsoft:Windows 10-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k defragsvc</CommandLine><!--Microsoft:Windows Defrag-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k RPCSS</CommandLine><!--Microsoft:Windows Services-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k utcsvc</CommandLine><!--Microsoft:Windows Services-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wbioSvcGroup</CommandLine><!--Microsoft:Windows Services-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k DcomLaunch</CommandLine><!--Microsoft:Windows Services-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k swprv</CommandLine><!--Microsoft:Software Shadow Copy Provider-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k imgsvc</CommandLine><!--Microsoft:The Windows Image Acquisition Service-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k NetworkServiceNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNoNetwork</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -p -s NcaSvc</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC</CommandLine> <!--Microsoft:Windows:Network: BitLocker Drive Encryption-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s BITS</CommandLine> <!--Microsoft:Windows:Network: Background Intelligent File Transfer (BITS) -->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc</CommandLine> <!--Microsoft:Windows: Network services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s SENS</CommandLine> <!--Microsoft:Windows: Network services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv</CommandLine> <!--Microsoft:Windows: Network services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s Themes</CommandLine> <!--Microsoft:Windows: Network services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt</CommandLine> <!--Microsoft:Windows: Windows Management Instrumentation (WMI) -->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s gpsvc</CommandLine> <!--Microsoft:Windows:Network: Group Policy -->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs</CommandLine> <!--Microsoft:Windows: Network services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s Dnscache</CommandLine> <!--Microsoft:Windows:Network: DNS caching, other uses -->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation</CommandLine> <!--Microsoft:Windows:Network: "Workstation" service, used for SMB file-sharing connections and RDP-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s NlaSvc</CommandLine> <!--Microsoft:Windows:Network: Network Location Awareness-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s TermService</CommandLine> <!--Microsoft:Windows:Network: Terminal Services (RDP)-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService</CommandLine> <!--Microsoft:Windows: Network services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k rPCSS</CommandLine> <!--Microsoft:Windows Services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k secsvcs</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k swprv</CommandLine> <!--Microsoft:Software Shadow Copy Provider-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k unistackSvcGroup</CommandLine> <!--Microsoft:Windows 10-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k utcsvc</CommandLine> <!--Microsoft:Windows Services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wbioSvcGroup</CommandLine> <!--Microsoft:Windows Services-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k werSvcGroup</CommandLine> <!--Microsoft:Windows: ErrorReporting-->
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC</CommandLine>
+			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wsappx</CommandLine> <!--Microsoft:Windows 10-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation</CommandLine><!--Microsoft:Windows Network Services-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k NetworkService</CommandLine><!--Microsoft:Windows Network Services-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</CommandLine><!--Microsoft:Windows Network Services-->
+			<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k GPSvcGroup</CommandLine><!--Microsoft:Windows Network Services-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k tapisrv</CommandLine><!--Microsoft:Windows Network Services-->
+			<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k wsappx</ParentCommandLine> <!-- Windows 10 AppX Deployment Noise -->
+			<ParentCommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</ParentCommandLine><!--Microsoft:Windows Network Services: Spawns Consent.exe-->
+			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted</ParentCommandLine><!--Microsoft:Windows Network Services-->
+			<Image condition="is">C:\Windows\System32\powercfg.exe</Image><!--Microsoft:Power Management-->
+			<!--SECTION: Microsoft dotNet-->
+			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
+			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
+			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font cache service-->
+			<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
+			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
+			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
+			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
+			<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine> <!--Microsoft:DotNet-->
+			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
+			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
+			<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
+			<!--SECTION: Microsoft Office-->
+			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process-->
+			<ParentImage condition="end with">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process-->
+			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> <!--Microsoft:Office: Background process-->
+			<Image condition="is">C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
+			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
+			<Image condition="is">C:\Program Files\Microsoft Office\Office15\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
+			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
+			<Image condition="is">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
+			<Image condition="is">C:\Windows\splwow64.exe</Image> <!--Microsoft:Office: Print Driver Host spam -->
+			<!--SECTION: Microsoft:Windows: Media player-->
+			<Image condition="is">C:\Program Files\Windows Media Player\wmpnscfg.exe</Image> <!--Microsoft:Windows: Windows Media Player Network Sharing Service Configuration Application-->
+			<!--SECTION: Microsoft Exchange-->
+			<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe</ParentImage>
+			<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</ParentImage>
+			<CommandLine condition="contains">C:\Program Files\Microsoft\Exchange Server\V14\Scripts\CheckDatabaseRedundancy.ps1</CommandLine>
+			<!--SECTION: Microsoft Misc-->
+			<Image condition="is">C:\Windows\System32\ddpcli.exe</Image> <!--Scheduled dedupe jobs on server 2012-->
+			<!--SECTION: Google-->
+			<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
+			<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
+			<Image condition="begin with">C:\Program Files (x86)\Google\Update\</Image> <!--Google:Chrome: Updater-->
+			<ParentImage condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage> <!--Google:Chrome: Updater-->
+			<!--SECTION: Firefox-->
+			<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
+			<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
+			<!--SECTION: Adobe-->
+			<CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!--Adobe:AcrobatReader: Uninsteresting sandbox subprocess-->
+			<CommandLine condition="contains">AcroRd32.exe" --channel=</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
+			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image>
+			<!--SECTION: Adobe:Acrobat DC-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
+			<!--SECTION: Adobe:Acrobat 2015-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
+			<!--SECTION: Adobe:Acrobat Reader DC-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
+			<!--SECTION: Adobe:Flash-->
+			<Image condition="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
+			<!--SECTION: Adobe:Updater-->
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
+			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</ParentImage> <!--Adobe:Updater: Properly hardened updater, not a risk-->
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
+			<!--SECTION: Adobe:Supporting processes-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe</Image>
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image>
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> <!--Adobe:Creative Cloud-->
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image> <!--Adobe:License utility-->
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</Image> <!--Adobe:License utility-->
+			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</ParentImage> <!--Adobe:License utility-->
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image>
+			<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</ParentImage>
+			<!--SECTION: Adobe:Creative Cloud-->
+			<!--SECTION: Cisco-->
+			<ParentImage condition="end with">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</ParentImage> <!--Cisco: Calls netsh to change settings on connect-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
+			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
+			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage>
+			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe</ParentImage>
+			<!--SECTION: Drivers-->
+			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
+			<Image condition="begin with">C:\Program Files\NVIDIA Corporation\</Image> <!--Nvidia:Driver: routine actions-->
+			<Image condition="end with">\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe</Image> <!--Nvidia:Driver: routine actions-->
+			<ParentImage condition="is">C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamuseragent.exe</ParentImage> <!--Nvidia:Driver: routine actions-->
+			<Image condition="begin with">C:\Program Files\Realtek\</Image> <!--Realtek:Driver: routine actions-->
+			<ParentImage condition="end with">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage>
+			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
+			<ParentImage condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</ParentImage><!--Synaptics Touchpad -->
+			<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
+			<!--SECTION: Dropbox-->
+			<Image condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> <!--Dropbox:Updater: Lots of command-line arguments-->
+			<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
+			<!--SECTION: Dell-->
+			<ParentImage condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
+			<Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image> <!--Dell:SupportAssist: routine actions-->
+			<Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image> <!--Dell:SupportAssist: routine actions-->
+			<ParentCommandLine condition="end with">"-outc=C:\ProgramData\Dell\CommandUpdate\inventory.xml" "-logc=C:\ProgramData\Dell\CommandUpdate\scanerrs.xml" "-lang=en" "-enc=UTF-16" </ParentCommandLine>			
+			<!-- <ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> --> <!--Dell:CommandUpdate: Detection process-->
+			<!--SECTION: Lenovo-->
+			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\ConfigService.exe</Image> <!--Lenovo: System Update-->
+			<ParentImage condition="is">C:\PROGRA~3\Lenovo\SYSTEM~1\SESSIO~1\REPOSI~1\fwdphb06\fwdphb06_version.exe</ParentImage><!--Lenovo: System Update-->
+			<Image condition="is">C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe</Image><!--Lenovo: Thinkpad Utilities-->
+			<Image condition="is">C:\Windows\system32\LPlatSvc.exe</Image> <!--Lenovo: Platform Services-->
+			<ParentImage condition="is">C:\Program Files\Lenovo\HOTKEY\tphkload.exe</ParentImage><!--Lenovo: Hotkey Tools-->
+			<ParentImage condition="is">C:\Program Files\Lenovo\HOTKEY\micmute.exe</ParentImage><!--Lenovo: Hotkey Tools-->
+			<Image condition="is">C:\Program Files\Lenovo\InstantOn\InstantOnSrv.exe</Image> <!--Lenovo: Instant-On-->
+			<Image condition="is">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelService.exe</Image> <!--Lenovo: Mouse Suite-->
+			<Image condition="is">C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</Image> <!--Lenovo: Modern Apps Plugin Host-->
+			<ParentCommandLine condition="contains">C:\Program Files\Lenovo\iMController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</ParentCommandLine> <!--Lenovo: Modern Apps Plugin Host-->
+			<ParentCommandLine condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsukernel.exe</ParentCommandLine> <!--Lenovo: System Update-->
+			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\UACSdk.exe</ParentImage> <!--Lenovo: System Update-->
+			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\SUService.exe</ParentImage> <!--Lenovo: System Update-->
+			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard &amp; Mouse\Pelico.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
+			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard &amp; Mouse\LeDaemon.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
+			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
+			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelElvDm.exe</ParentImage>
+			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsuShim.exe</ParentImage>
+			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsu.exe</ParentImage>
+			<Image condition="contains">C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe</Image>
+			<!--SECTION: MSI: Micro-Star International Computers-->
+			<ParentImage condition="is">C:\Program Files (x86)\SCM\SCM.exe</ParentImage><!--MSI: Hotkey & Power Management-->
+			<Image condition="is">C:\Program Files (x86)\SCM\SCM_Notice.exe</Image><!--MSI: Hotkey & Power Management-->
+			<Image condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</Image><!-- MSI: Helpdesk Updater-->
+			<ParentImage condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</ParentImage><!-- MSI: Helpdesk Updater-->
+			<Image condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</Image><!-- MSI: Dragon Center Updater-->
+			<ParentImage condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</ParentImage><!-- MSI: Dragon Center Updater-->
+			<!--SECTION: Intel-->
+			<Image condition="is">C:\Program Files\Intel\Telemetry 2.0\lrio.exe</Image> <!--Intel: Telemetry-->
+			<Image condition="is">C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe</Image> <!--Intel: Driver Update-->
+			<Image condition="is">C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxCUIService.exe</Image><!--Intel: Graphics Driver-->
+			<Image condition="is">C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxEM.exe</Image><!--Intel: Graphics Driver-->
+			<!--SECTION: Antivirus-->
+			<CommandLine condition="begin with">"C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc</CommandLine> <!--Webroot-->
+			<CommandLine condition="contains">C:\Program Files (x86)\Webroot\WRSA.exe" -ul</CommandLine> <!--Webroot-->
+			<ParentCommandLine condition="is">"C:\Program Files (x86)\Webroot\WRSA.exe" -service</ParentCommandLine> <!--Webroot-->
+			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image><!--Webroot-->
+			<!--SECTION: Synaptics Touchpad-->
+			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
+			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe</Image>
+			<!--SECTION: Custom Apps-->
+			<!--SECTION: Labtech -->
+			<!--Since Labtech nests its processes, the following exclusions could be exploited, remove if you do not need-->
+			<!--TODO: Will define these more in the future-->
+			<ParentCommandLine condition="is">C:\Windows\LTSvc\LTSVC.exe -sLTService</ParentCommandLine> <!--Labtech Agent-->
+			<ParentImage condition="is">C:\Windows\LTSvc\LTSVC.exe</ParentImage> <!--Labtech Agent-->
+			<CurrentDirectory condition="is">C:\Windows\LTSvc\</CurrentDirectory><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">find /i "Listening"</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">netstat -an</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">tasklist</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">nslookup</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">nbtstat.exe</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">dsquery</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">sc query</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">find /i "Listening"</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">netstat -an</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">tasklist</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">interface tcp show global</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">wmic path win32_operatingsystem get</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">sc queryex type= service</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe</ParentCommandLine> <!--ShadowProtect noise -->
+			<ParentCommandLine condition="contains">raw_agent_svc.exe</ParentCommandLine> <!--ShadowProtect noise -->
+			<ParentImage condition="end with">raw_agent_svc.exe</ParentImage> <!--ShadowProtect noise -->
+			<CommandLine condition="contains">IscsidscInterface.exe</CommandLine> <!--ShadowProtect noise -->
+			<ParentCommandLine condition="contains">IscsidscInterface.exe</ParentCommandLine> <!--ShadowProtect noise -->
+			<ParentCommandLine condition="contains">Add-PSSnapin Microsoft.SharePoint.PowerShell</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">find /i "Listening"</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">netstat -an</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">tasklist</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">wmic path win32_operatingsystem get</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">sc queryex type= service</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">C:\Program Files\StorageCraft\ImageManager\ImageManager.exe</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">Add-PSSnapin Microsoft.SharePoint.PowerShell</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">Get-WmiObject -Query 'SELECT LicensingType FROM Win32_TerminalServiceSetting').LicensingType</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">Get-WmiObject -Namespace Root\CimV2\TerminalServices</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">tasklist</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">vssadmin list writers</ParentCommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">vssadmin  list writers</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">net view \\localhost | find " Print</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">net view \\localhost | find " Disk</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<CommandLine condition="contains">C:\Windows\system32\net1 Share</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentCommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
+			<ParentImage condition="is">C:\Program Files (x86)\LabTech Client\LTClient.exe</ParentImage> <!--Labtech Client-->
+			<ParentCommandLine condition="contains">C:\Windows\LTSvc\LTSvcMon.exe -sLTService</ParentCommandLine>
+			<ParentImage condition="is">C:\Windows\LTSvc\LTSvcMon.exe</ParentImage>
+			<Image condition="is">C:\Windows\LTSvc\LTTray.exe</Image>
+			<ParentCommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall</ParentCommandLine>
+			<CommandLine condition="contains">interface tcp show global</CommandLine>
+			<Image condition="is">nslookup.exe</Image><!--Labtech NStest.bat lookups-->
+			<!--END: Labtech-->
+			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->
+			<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
+			<ParentImage condition="begin with">C:\Program Files (x86)\SmartGit</ParentImage> <!--SmartGit-->
+			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser-->
+			<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--Connectwise-->
+			<!-- VMware vSphere spawns child processes to svtres.exe and csc.exe, currently unable to exclude those child processes, csc and cvtres.exe are used by some malware-->
+			<ParentCommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</ParentCommandLine> <!--VMware vSphere spawns subprocesses-->
+			<CommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</CommandLine><!--VMware vSphere spawns subprocesses-->
+			<ParentImage condition="is">C:\Program Files (x86)\SyncedTool\bin\agent_service.exe</ParentImage><!--eFolder Synced Tool-->
+			<Image condition="is">C:\Program Files (x86)\Notepad++\notepad++.exe</Image><!-- Notepad++ -->
+			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
+			<ParentImage condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</ParentImage> <!--Enpass Password Manager-->
+			<Image condition="contains">C:\Program Files (x86)\Enpass\Enpass.exe</Image> <!--Enpass Password Manager-->
+			<ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
+			<ParentImage condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\scheduler.exe</ParentImage> <!--FortiClient Noise -->
+			<ParentImage condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\FCHelper64.exe</ParentImage> <!--FortiClient Noise -->
+			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image> <!-- Forticlient Updater -->
+			<Image condition="contains">C:\Program Files (x86)\SyncedTool\bin\agent_gui.exe</Image>
+			<Image condition="is">C:\Anchor Server\penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
+			<ParentImage condition="is">C:\Anchor Server\redis\redis-server.exe</ParentImage> <!-- eFolder Anchor Server -->
+			<Image condition="is">C:\Anchor Server\redis\redis-server.exe</Image> <!-- eFolder Anchor Server -->
+			<ParentImage condition="is">C:\PostgreSQL9.1\bin\postgres.exe</ParentImage> <!-- eFolder Anchor Server -->
+			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Anchor Server -->
+			<Image condition="is">C:\ProgramData\sysmon\sysmon64.exe</Image> <!-- Exclude Sysmon Process events -->
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->

From 8cf8291fca4c1d71f430dcb8b0adad60d9035bed Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 9 Jul 2018 09:35:35 -0400
Subject: [PATCH 257/471] Update Mitre Rules.

---
 Sysmon-config.xml | 311 +++++++++++++++++++++++-----------------------
 1 file changed, 155 insertions(+), 156 deletions(-)

diff --git a/Sysmon-config.xml b/Sysmon-config.xml
index 46ab3d27..4abbf558 100644
--- a/Sysmon-config.xml
+++ b/Sysmon-config.xml
@@ -73,203 +73,202 @@
 		<ProcessCreate onmatch="include">
 			<!--Mitre ATT&CK Rules-->
 			<!--Accessibility Features-->
-			<ParentImage name="MitreRef='T1015','Technique='Persistence Privilege Escalation'" condition="end with">sethc.exe</ParentImage>
-			<ParentImage name="MitreRef='T1015','Technique='Persistence Privilege Escalation'" condition="end with">utilman.exe</ParentImage>
-			<ParentImage name="MitreRef='T1015','Technique='Persistence Privilege Escalation'" condition="end with">osk.exe</ParentImage>
-			<ParentImage name="MitreRef='T1015','Technique='Persistence Privilege Escalation'" condition="end with">Magnify.exe</ParentImage>
-			<ParentImage name="MitreRef='T1015','Technique='Persistence Privilege Escalation'" condition="end with">DisplaySwitch.exe</ParentImage>
-			<ParentImage name="MitreRef='T1015','Technique='Persistence Privilege Escalation'" condition="end with">Narrator.exe</ParentImage>
-			<ParentImage name="MitreRef='T1015','Technique='Persistence Privilege Escalation'" condition="end with">AtBroker.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">sethc.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">utilman.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">osk.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">Magnify.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">DisplaySwitch.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">Narrator.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">AtBroker.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Native Windows tools - Living off the land-->
-			<Image name="MitreRef='T1049','Technique='Discover'" condition="end with">whoami.exe</Image>
-			<Image name="MitreRef='T1057','Technique='Discover'" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
-			<Image name="MitreRef='T1033','Technique='Discover'" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
-			<Image name="MitreRef='T1016','Technique='Discover'" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
-			<Image name="MitreRef='T1049','Technique='Discover'" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
-			<Image name="MitreRef='ToDo','Technique='Discover'" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef='T1049','Technique=''" condition="end with">nslookup.exe</Image> <!--Microsoft:Windows: shows DNS configuration and enables quering -->
-			<Image name="MitreRef='T1201','Technique=''" condition="end with">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
-			<Image name="MitreRef='T1201','Technique=''" condition="end with">net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
-			<Image name="MitreRef='T1049','Technique='System Network Connections Discovery'" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
-			<Image name="MitreRef='ToDo','Technique=''" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef='ToDo','Technique=''" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
-			<Image name="MitreRef='ToDo','Technique=''" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
-			<Image name="MitreRef='T1016','Technique=''" condition="end with">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
-			<Image name="MitreRef='ToDo','Technique=''" condition="end with">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
-			<Image name="MitreRef='T1214','Technique=''" condition="end with">reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
-			<Image name="MitreRef='ToDo','Technique=''" condition="end with">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
-			<Image name="MitreRef='T1016','Technique=''" condition="end with">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
-			<Image name="MitreRef='ToDo','Technique=''" condition="end with">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
-			<Image name="MitreRef='T1070','Technique='" condition="end with">wevtutil.exe</Image> <!--Microsoft:Windows: read and modify the Windows Eventlog -->
-			<Image name="MitreRef='T1053','Technique=''" condition="end with">taskeng.exe</Image> <!--Microsoft:Windows: taskscheduler -->
-			<Image name="MitreRef='T1117','Technique=''" condition="end with">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
-			<ParentImage name="MitreRef='T1028','Technique='Remote WMIC/Execution, Lateral Movement'" condition="end with">wmiprvse.exe</ParentImage>
-			<ParentImage name="MitreRefS='S0029','Command execution - Execution, Lateral Movement'" condition="end with">psexesvc.exe</ParentImage>
-			<Description name="MitreRefS='S0029','Command execution - Execution, Lateral Movement'" condition="contains">Execute processes remotely</Description>
-			<ParentImage name="MitreRefS='S0029','Command execution - Execution, Lateral Movement'" condition="end with">psexec.exe</ParentImage>
-			<Description name="MitreRefS='S0029','Command execution - Execution, Lateral Movement'" condition="contains">Execute processes remotely</Description>
-			<ParentImage name="MitreRefS='S0029','Command execution - Execution, Lateral Movement'" condition="end with">pskill.exe</ParentImage>
-			<Image name="MitreRef='ToDo','Technique=''" condition="end with">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
-			<Image name="MitreRef='T1059','Technique=''" condition="end with">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
-			<ParentImage name="MitreRef='T1059','Technique=''" condition="end with">cmd.exe</ParentImage> <!--Microsoft:Windows: Command prompt-->
-			<Image name="MitreRef='T1086','Technique=''" condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
-			<Description name="MitreRef='T1086','Technique=''" condition="end with">powershell.exe</Description> <!--Microsoft:Windows: PowerShell interface-->
-			<ParentImage name="MitreRef='T1086','Technique=''" condition="end with">powershell.exe</ParentImage> <!--Microsoft:Windows: PowerShell interface-->
-			<Image name="MitreRef='T1202','Technique=''" condition="end with">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
-			<ParentImage name="MitreRef='T1202','Technique=''" condition="end with">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
-			<Image name="MitreRef='ToDo','Technique='" condition="end with">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
-			<Image name="MitreRef='T1202','Technique=''" condition="end with">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
-			<Image name="MitreRef='T1158','Technique=''" condition="end with">attrib.exe</Image>
-			<Image name="MitreRef='ToDo','Technique=''" condition="end with">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery" condition="end with">whoami.exe</Image>
+			<Image name="MitreRef=T1049,Technique=Discovery" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
+			<Image name="MitreRef=T1057,Technique=Process Discovery" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
+			<Image name="MitreRef=T1016,Technique=System Information Discovery" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
+			<Image name="MitreRef=T1057,Technique=Process Discovery" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery" condition="end with">nslookup.exe</Image> <!--Microsoft:Windows: shows DNS configuration and enables quering -->
+			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery" condition="end with">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
+			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery" condition="end with">net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeration" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
+			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery" condition="end with">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
+			<Image name="MitreRef=T1134,Technique=Access Token Manipulation" condition="end with">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
+			<Image name="MitreRef=T1016,Technique=System Information Discovery" condition="end with">reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
+			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery" condition="end with">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
+			<Image name="MitreRef=T1070,Technique=Indicator Removal on Host-Defense Evasion" condition="end with">wevtutil.exe</Image> <!--Microsoft:Windows: read and modify the Windows Eventlog -->
+			<Image name="MitreRef=T1053,Technique=Scheduled Task-Execution/Persistence/Privilege Escalation" condition="end with">taskeng.exe</Image> <!--Microsoft:Windows: taskscheduler -->
+			<Image name="MitreRef=T1117,Technique=Regsvr32-Defense Evasion/Execution" condition="end with">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
+			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement" condition="end with">wmiprvse.exe</ParentImage>
+			<ParentImage name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="end with">psexesvc.exe</ParentImage>
+			<Description name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
+			<ParentImage name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="end with">psexec.exe</ParentImage>
+			<Description name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
+			<ParentImage name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="end with">pskill.exe</ParentImage>
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
+			<Image name="MitreRef=T1059,Technique=" condition="end with">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
+			<ParentImage name="MitreRef=T1059,Technique=" condition="end with">cmd.exe</ParentImage> <!--Microsoft:Windows: Command prompt-->
+			<Image name="MitreRef=T1086,Technique=Execution" condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
+			<Description name="MitreRef=T1086,Technique=Execution" condition="end with">powershell.exe</Description> <!--Microsoft:Windows: PowerShell interface-->
+			<ParentImage name="MitreRef=T1086,Technique=Execution" condition="end with">powershell.exe</ParentImage> <!--Microsoft:Windows: PowerShell interface-->
+			<Image name="MitreRef=T1202,Technique=" condition="end with">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
+			<ParentImage name="MitreRef=T1202,Technique=" condition="end with">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
+			<Image name="MitreRef=T1202,Technique=" condition="end with">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
+			<Image name="MitreRef=T1158,Technique=" condition="end with">attrib.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
 	  		<!--                                                                                                                                            -->
 			<!--appc shim-->
-			<Image name="MitreRef='T1138','Technique=''" condition="end with">sdbinst.exe</Image>
+			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation" condition="end with">sdbinst.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<!--BitsAdmin-->
-			<Image name="MitreRef='T1197','Technique='Bitsadmin File Transfers'" condition="end with">bitsadmin.exe</Image>
+			<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion" condition="end with">bitsadmin.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<!--UAC Bypass-->
-			<ParentImage name="MitreRef='T1088',Technique='UAC Bypass'" condition="end with">eventvwr.exe</ParentImage>
-			<ParentImage name="MitreRef='T1088',Technique='UAC Bypass'" condition="end with">fodhelper.exe</ParentImage>
+			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass" condition="end with">eventvwr.exe</ParentImage>
+			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass" condition="end with">fodhelper.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--InstallUtil Abuse-->
-			<Image name="MitreRef='T1118',Technique=''" condition="end with">InstallUtil.exe</Image>
-			<CommandLine name="MitreRef='T1118','Technique=''" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
+			<Image name="MitreRef=T1118,Technique=" condition="end with">InstallUtil.exe</Image>
+			<CommandLine name="MitreRef=T1118,Technique=" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
 	  		<!--                                                                                                                                            -->
 			<!--Mavinject -->
-	        <Image name="MitreRef='T1218','Technique=''" condition="end with">Mavinject.exe</Image>
-			<Image name="MitreRef='T1191','Technique=''" condition="end with">CMSTP.exe</Image>
+	        <Image name="MitreRef=T1218,Technique=" condition="end with">Mavinject.exe</Image>
+			<Image name="MitreRef=T1191,Technique=" condition="end with">CMSTP.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<!--MSBuild-->
-			<Image name="MitreRef='T1191','Technique=''" condition="end with">MSBuild.exe</Image>
-	        <Image name="MitreRef='T1121','Technique=''" condition="end with">regsvcs.exe</Image>
-			<Image name="MitreRef='T1121','Technique=''" condition="end with">regasm.exe</Image>
-			<Image name="MitreRef='T1218','Technique=''" condition="end with">SyncAppvPublishingServer.exe</Image>
+			<Image name="MitreRef=T1191,Technique=" condition="end with">MSBuild.exe</Image>
+	        <Image name="MitreRef=T1121,Technique=" condition="end with">regsvcs.exe</Image>
+			<Image name="MitreRef=T1121,Technique=" condition="end with">regasm.exe</Image>
+			<Image name="MitreRef=T1218,Technique=" condition="end with">SyncAppvPublishingServer.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<!--Control Panel-->
-			<Image name="MitreRef='T1218','Technique=''" condition="end with">control.exe</Image>
-	        <CommandLine name="MitreRef='T1196','Technique=''" condition="contains">control.exe /name</CommandLine>
-			<CommandLine name="MitreRef='T1196','Technique=''" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
+			<Image name="MitreRef=T1218,Technique=" condition="end with">control.exe</Image>
+	        <CommandLine name="MitreRef=T1196,Technique=" condition="contains">control.exe /name</CommandLine>
+			<CommandLine name="MitreRef=T1196,Technique=" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
 	  		<!--                                                                                                                                            -->
 			<!--Custom Mitre-->
-			<Image name="MitreRef='T1028','Technique='Windows Remote Management'" condition="end with">wsmprovhost.exe</Image>
-			<ParentImage name="MitreRef='T1028','Technique='Windows Remote Management'" condition="end with">wsmprovhost.exe</ParentImage>
-			<Image name="MitreRef='T1028','Technique='Windows Remote Management'" condition="end with">winrm.cmd</Image>
-			<CommandLine name="MitreRef='T1105','Technique='Command and Control/Lateral Movement'" condition="contains">certutil.exe -decode</CommandLine>
-			<CommandLine name="MitreRef='T1105','Technique='Command and Control/Lateral Movement'" condition="contains">certutil -decode</CommandLine>
-			<Image name="MitreRef='T1170','Technique='Defense Evasion/Execution'" condition="end with">mshta.exe</Image>
-			<Image name="MitreRef='T1070','Technique='Defense Evasion'" condition="end with">wevutil.exe</Image>
-			<CommandLine name="MitreRef='T1070','Technique='Defense Evasion'" condition="contains">wevutil cl</CommandLine>
-			<Image name="MitreRef='T1053','Technique='Execution/Persistence/Privledge Escalation'" condition="end with">schtasks.exe</Image>
-			<ParentImage name="MitreRef='T1053','Technique='Execution/Persistence/Privledge Escalation'" condition="end with">schtasks.exe</ParentImage>
-			<Image name="MitreRef='T1053','Technique='Execution/Persistence/Privledge Escalation'" condition="end with">at.exe</Image>
-			<ParentImage name="MitreRef='T1053','Technique='Execution/Persistence/Privledge Escalation'" condition="end with">at.exe</ParentImage>
-			<Image name="MitreRef='T1202','Technique='Indirect Command Execution'" condition="end with">forfiles.exe</Image>
-			<ParentImage name="MitreRef='T1202','Technique='Indirect Command Execution'" condition="end with">forfiles.exe</ParentImage>
-			<Image name="MitreRef='T1202','Technique='Indirect Command Execution'" condition="end with">pcalua.exe</Image>
-			<ParentImage name="MitreRef='T1202','Technique='Indirect Command Execution'" condition="end with">pcalua.exe</ParentImage>
-			<Image name="MitreRef='T1202','Technique='Indirect Command Execution'" condition="end with">bash.exe</Image>
-			<ParentImage name="MitreRef='T1202','Technique='Indirect Command Execution'" condition="end with">bash.exe</ParentImage>
-			<Image name="MitreRef='T1202','Technique='Indirect Command Execution'" condition="end with">bash.exe</Image>
-			<CommandLine name="MitreRef='ToDo','Technique='Powershell Injection Persistence Bypass - Execution, Lateral Movement'" condition="contains">System.Management.Automation</CommandLine>
+			<Image name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">wsmprovhost.exe</Image>
+			<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">wsmprovhost.exe</ParentImage>
+			<Image name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">winrm.cmd</Image>
+			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil.exe -decode</CommandLine>
+			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil -decode</CommandLine>
+			<Image name="MitreRef=T1170,Technique=Defense Evasion/Execution" condition="end with">mshta.exe</Image>
+			<Image name="MitreRef=T1070,Technique=Defense Evasion" condition="end with">wevutil.exe</Image>
+			<CommandLine name="MitreRef=T1070,Technique=Defense Evasion" condition="contains">wevutil cl</CommandLine>
+			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</Image>
+			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</ParentImage>
+			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">at.exe</Image>
+			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">at.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">forfiles.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">forfiles.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">pcalua.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">pcalua.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">bash.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">bash.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">bash.exe</Image>
+			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement" condition="contains">System.Management.Automation</CommandLine>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Adobe Parent Processes-->
-			<ParentImage name="MitreRef='ToDo','Technique='Process Spawned from Acrobat'" condition="end with">acrobat.exe</ParentImage>
-			<ParentImage name="MitreRef='ToDo','Technique='Process Spawned from Adobe Reader'" condition="end with">acrord32.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Acrobat" condition="end with">acrobat.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Adobe Reader" condition="end with">acrord32.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Browser Parent Processes-->
-			<ParentImage name="MitreRef='ToDo','Technique='Process Spawned Process from Chrome'" condition="end with">chrome.exe</ParentImage>
-			<ParentImage name="MitreRef='ToDo','Technique='Process Spawned from Firefox'" condition="end with">firefox.exe</ParentImage>
-			<ParentImage name="MitreRef='ToDo','Technique='Process Spawned from Internet Explorer'" condition="end with">iexplore.exe</ParentImage>
-			<ParentImage name="MitreRef='ToDo','Technique='Process Spawned from Edge Browser'" condition="end with">MicrosoftEdgeCP.exe</ParentImage>
-			<ParentImage name="MitreRef='ToDo','Technique='Process Spawned from Edge Browser'" condition="end with">MicrosoftEdge.exe</ParentImage>
-			<ParentImage name="MitreRef='ToDo','Technique='Process Spawned from Vivaldi Browser'" condition="end with">vivaldi.exe</ParentImage>
-			<ParentImage name="MitreRef='ToDo','Technique='Process Spawned from Waterfox Browser'" condition="end with">waterfox.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned Process from Chrome" condition="end with">chrome.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Firefox" condition="end with">firefox.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Internet Explorer" condition="end with">iexplore.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="end with">MicrosoftEdgeCP.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="end with">MicrosoftEdge.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Vivaldi Browser" condition="end with">vivaldi.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Waterfox Browser" condition="end with">waterfox.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Java Parent Processes-->
-			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">java.exe</ParentImage>
-			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">javaw.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">java.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">javaw.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Office Parent Processes & Abuse-->
-			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">word.exe</ParentImage>
-			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">excel.exe</ParentImage>
-			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">POWERPNT.exe</ParentImage>
-			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">outlook.exe</ParentImage>
-			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">visio.exe</ParentImage>
-			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">msaccess.exe</ParentImage>
-			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">lync.exe</ParentImage>
-			<ParentImage name="MitreRef='ToDo','Technique=''" condition="end with">skype.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">word.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">excel.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">POWERPNT.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">outlook.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">visio.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">msaccess.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">lync.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">skype.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Output Redirection-->
-			<CommandLine name="Note='Output Redirection'" condition="contains">2></CommandLine>
-			<CommandLine name="Note='Output Redirection'" condition="contains">&lt;</CommandLine>
-			<CommandLine name="Note='Output Redirection'" condition="contains">></CommandLine>
+			<CommandLine name="Note=Output Redirection" condition="contains">2></CommandLine>
+			<CommandLine name="Note=Output Redirection" condition="contains">&lt;</CommandLine>
+			<CommandLine name="Note=Output Redirection" condition="contains">></CommandLine>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Multiple Commands-->
-			<CommandLine name="Note='Multiple Commands'" condition="contains">&amp;</CommandLine>
-			<CommandLine name="Note='Multiple Commands'" condition="contains">;</CommandLine>
-			<CommandLine name="Note='Command Pipe'" condition="contains">|</CommandLine>
-			<CommandLine name="Note='interactive command to slow output'" condition="contains">more</CommandLine>
-			<CommandLine name="Note='Commands run from \\tsclient share ie: samsam ransomware'" condition="contains">\\tsclient</CommandLine>
-			<CommandLine name="Note='DotDot Dirs'" condition="contains">..</CommandLine>
+			<CommandLine name="Note=Multiple Commands" condition="contains">&amp;</CommandLine>
+			<CommandLine name="Note=Multiple Commands" condition="contains">;</CommandLine>
+			<CommandLine name="Note=Command Pipe" condition="contains">|</CommandLine>
+			<CommandLine name="Note=interactive command to slow output" condition="contains">more</CommandLine>
+			<CommandLine name="Note=Commands run from \\tsclient share ie: samsam ransomware" condition="contains">\\tsclient</CommandLine>
+			<CommandLine name="Note=DotDot Dirs" condition="contains">..</CommandLine>
 	  		<!--                                                                                                                                            -->
 			<!--Hack Command Line Events-->
-			<CommandLine name="Note='legacy hack command sometimes run by meterpreter or cobalt strike'" condition="contains">COMSPEC</CommandLine>
-			<CommandLine name="Note='Powershell Invoke-Expression'" condition="contains">iex</CommandLine>
-			<CommandLine name="Note='Powershell Invoke-Expression'" condition="contains">Invoke-Expression</CommandLine>
-			<CommandLine name="Note='Powershell Invoke-WebRequest'" condition="contains">iwr</CommandLine>
-			<CommandLine name="Note='Powershell Invoke-WebRequest'" condition="contains">Invoke-WebRequest</CommandLine>
-			<CommandLine name="Note='Powershell Download'" condition="contains">DownloadFile</CommandLine>
-			<CommandLine name="Note='Powershell Download'" condition="contains">DownloadString</CommandLine>
-			<CommandLine name="Note='Powershell Download'" condition="contains">Net.WebClient</CommandLine>
-			<CommandLine name="Note='Powershell Download'" condition="contains">System.Net.WebRequest</CommandLine>
-			<CommandLine name="Note='Powershell Download'" condition="contains">System.Net.SecurityProtocolType</CommandLine>
-			<CommandLine name="Note='invoke-shellcode'" condition="contains">Shellcode</CommandLine>
-			<CommandLine name="Note='Detect Base64 encoding'" condition="contains">FromBase64String</CommandLine>
-			<CommandLine name="Note='Detect Secure Strings'" condition="contains">convertto-securestring</CommandLine>
-			<CommandLine name="Note='Detect some more obfuscation'" condition="contains">VerbosePreference.ToString</CommandLine>
+			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="contains">COMSPEC</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Powershell Invoke-Expression" condition="contains">Invoke-Expression</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Powershell Invoke-WebRequest" condition="contains">iwr</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Powershell Invoke-WebRequest" condition="contains">Invoke-WebRequest</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Powershell Download" condition="contains">DownloadFile</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Powershell Download" condition="contains">DownloadString</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Powershell Download" condition="contains">Net.WebClient</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Powershell Download" condition="contains">System.Net.WebRequest</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Powershell Download" condition="contains">System.Net.SecurityProtocolType</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=invoke-shellcode" condition="contains">Shellcode</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control-Execution,Note=Detect Base64 encoding" condition="contains">FromBase64String</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Detect Secure Strings" condition="contains">convertto-securestring</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Detect some more obfuscation" condition="contains">VerbosePreference.ToString</CommandLine>
 	  		<!--                                                                                                                                            -->
 			<!--Ofuscated Command Line arguments-->
-			<CommandLine name="Note='Detect Invoke-Obfuscation'" condition="contains">runtime.interopservices.marshal</CommandLine>
-			<CommandLine name="Note='Detect some more obfuscation'" condition="contains">VerbosePreference.ToString</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-windowstyle h</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-windowstyl h</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-windowsty h</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-windowst h</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-windows h</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-window h</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-windo h</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-wind h</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-win h</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-wi h</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-w h</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-wi h</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-win hi</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-win hid</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-win hidd</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-win hidde</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-win hidden</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-Nop</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-Noni</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-ec</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">-en</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
-			<CommandLine name="Note='Obfuscation'" condition="contains">C^om^S^pEc</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">runtime.interopservices.marshal</CommandLine>
+			<CommandLine name="MitreRef=Detect some more obfuscation" condition="contains">VerbosePreference.ToString</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowstyle h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowstyl h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowsty h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowst h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windows h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-window h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windo h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-wind h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-wi h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-w h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-wi h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hi</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hid</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hidd</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hidde</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hidden</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-Nop</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-Noni</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-ec</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-en</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">C^om^S^pEc</CommandLine>
 
 			<!--                                                                                                                                            -->
 			<!--Suspicious Command Line Locations-->
-			<Image name="MitreRef='ToDo','Technique='Command Line'" condition="end with">.com</Image>
-			<Image name="MitreRef='ToDo','Technique='Command Line'" condition="end with">powershell.exe</Image>
-			<Image name="Info='Executables Launched In Temp'" condition="contains">\temp\</Image>
-			<Image name="Info='Executables Launched In User Dirs'" condition="begin with">C:\users</Image>
+			<Image name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="end with">.com</Image>
+			<Image name="Info=Executables Launched In Temp" condition="contains">\temp\</Image>
+			<Image name="Info=Executables Launched In User Dirs" condition="begin with">C:\users</Image>
 			<ParentImage condition="end with">explorer.exe</ParentImage>
 			<Image condition="end with">control.exe</Image>
 			<Image condition="end with">acrord32.exe</Image>
 			<Image condition="end with">installutil.exe</Image>
-			<Image name="Info='Registry modification/queries'" condition="end with">reg.exe</Image>
-			<Image name="Info='ipconfig discovery'" condition="end with">ipconfig.exe</Image>
-			<Image name="Info='Executables Launched In Appdata'" condition="contains">\appdata\</Image>
+			<Image name="Info=Registry modification/queries" condition="end with">reg.exe</Image>
+			<Image name="Info=ipconfig discovery" condition="end with">ipconfig.exe</Image>
+			<Image name="Info=Executables Launched In Appdata" condition="contains">\appdata\</Image>
 			<Image condition="contains">\programdata\</Image>
 			<Image condition="contains">\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
 			<Image condition="contains">\ProgramData</Image>

From 492a2fe9df4f5cf6d8f8de1f6e0f858202be0a26 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 9 Jul 2018 15:33:05 -0400
Subject: [PATCH 258/471] update

---
 Sysmon-config.xml | 187 +++++++++++++++++++++++++++++++++++++---------
 1 file changed, 151 insertions(+), 36 deletions(-)

diff --git a/Sysmon-config.xml b/Sysmon-config.xml
index 4abbf558..65bf72b7 100644
--- a/Sysmon-config.xml
+++ b/Sysmon-config.xml
@@ -82,7 +82,7 @@
 			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">AtBroker.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Native Windows tools - Living off the land-->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery" condition="end with">whoami.exe</Image>
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,MitreURL=https://attack.mitre.org/wiki/Technique/T1049" condition="end with">whoami.exe</Image>
 			<Image name="MitreRef=T1049,Technique=Discovery" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
 			<Image name="MitreRef=T1057,Technique=Process Discovery" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
 			<Image name="MitreRef=T1016,Technique=System Information Discovery" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
@@ -116,12 +116,57 @@
 			<Image name="MitreRef=T1086,Technique=Execution" condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
 			<Description name="MitreRef=T1086,Technique=Execution" condition="end with">powershell.exe</Description> <!--Microsoft:Windows: PowerShell interface-->
 			<ParentImage name="MitreRef=T1086,Technique=Execution" condition="end with">powershell.exe</ParentImage> <!--Microsoft:Windows: PowerShell interface-->
-			<Image name="MitreRef=T1202,Technique=" condition="end with">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
-			<ParentImage name="MitreRef=T1202,Technique=" condition="end with">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
-			<Image name="MitreRef=T1202,Technique=" condition="end with">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
-			<Image name="MitreRef=T1158,Technique=" condition="end with">attrib.exe</Image>
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
+			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
+			<ParentImage name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
+			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
+			<Image name="MitreRef=T1158,Technique=Hacking/LOLBins-Living off the Land" condition="end with">attrib.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">nltest.exe</Image>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">nltest.exe</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ExtExport</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">bash -c</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">bash.exe -c</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey /list</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey.exe /list</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">certutil.exe -urlcache -split -f</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">certutil -urlcache -split -f</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc -out:</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc.exe -out:</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc -target:library</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc.exe -target:library</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey /list</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmd.exe /k</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmstp.exe /ni /s</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmstp /ni /s</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">esentutl.exe /y \\</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">esentutl /y \\</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">expand \\</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">expand.exe \\</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">extrac32 \\</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">extrac32.exe \\</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ieexec.exe http</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ieexec http</CommandLine>
+			<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">diskshadow</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">rundll32.exe advpack.dll,LaunchINFSection</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">rundll32 advpack.dll,LaunchINFSection</ParentImage>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">set </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">setx </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">pushd</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">popd</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">subst</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">ren </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">move </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">md </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">del </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">rd </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">expand </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">find </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">assoc </CommandLine>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="end with">cls.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="end with">doskey.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<!--appc shim-->
 			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation" condition="end with">sdbinst.exe</Image>
@@ -134,8 +179,8 @@
 			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass" condition="end with">fodhelper.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--InstallUtil Abuse-->
-			<Image name="MitreRef=T1118,Technique=" condition="end with">InstallUtil.exe</Image>
-			<CommandLine name="MitreRef=T1118,Technique=" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
+			<Image name="MitreRef=T1118,Technique=Defense Evasion/Execution" condition="end with">InstallUtil.exe</Image>
+			<CommandLine name="MitreRef=T1118,Technique=Defense Evasion/Execution" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
 	  		<!--                                                                                                                                            -->
 			<!--Mavinject -->
 	        <Image name="MitreRef=T1218,Technique=" condition="end with">Mavinject.exe</Image>
@@ -148,9 +193,9 @@
 			<Image name="MitreRef=T1218,Technique=" condition="end with">SyncAppvPublishingServer.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<!--Control Panel-->
-			<Image name="MitreRef=T1218,Technique=" condition="end with">control.exe</Image>
-	        <CommandLine name="MitreRef=T1196,Technique=" condition="contains">control.exe /name</CommandLine>
-			<CommandLine name="MitreRef=T1196,Technique=" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
+			<Image name="MitreRef=T1218,Technique=Defense Evasion/Execution" condition="end with">control.exe</Image>
+	        <CommandLine name="MitreRef=T1196,Technique=Defense Evasion/Execution" condition="contains">control.exe /name</CommandLine>
+			<CommandLine name="MitreRef=T1196,Technique=Defense Evasion/Execution" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
 	  		<!--                                                                                                                                            -->
 			<!--Custom Mitre-->
 			<Image name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">wsmprovhost.exe</Image>
@@ -202,37 +247,39 @@
 			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">skype.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Output Redirection-->
-			<CommandLine name="Note=Output Redirection" condition="contains">2></CommandLine>
-			<CommandLine name="Note=Output Redirection" condition="contains">&lt;</CommandLine>
-			<CommandLine name="Note=Output Redirection" condition="contains">></CommandLine>
+			<CommandLine name="Alert=Output Redirection" condition="contains">2></CommandLine>
+			<CommandLine name="Alert=Output Redirection" condition="contains">&lt;</CommandLine>
+			<CommandLine name="Alert=Output Redirection" condition="contains">></CommandLine>
+			<CommandLine name="Alert=Output Redirection" condition="contains">^</CommandLine>
+			
 	  		<!--                                                                                                                                            -->
 			<!--Detect Multiple Commands-->
-			<CommandLine name="Note=Multiple Commands" condition="contains">&amp;</CommandLine>
-			<CommandLine name="Note=Multiple Commands" condition="contains">;</CommandLine>
-			<CommandLine name="Note=Command Pipe" condition="contains">|</CommandLine>
-			<CommandLine name="Note=interactive command to slow output" condition="contains">more</CommandLine>
-			<CommandLine name="Note=Commands run from \\tsclient share ie: samsam ransomware" condition="contains">\\tsclient</CommandLine>
-			<CommandLine name="Note=DotDot Dirs" condition="contains">..</CommandLine>
+			<CommandLine name="Alert=Multiple Commands" condition="contains">&amp;</CommandLine>
+			<CommandLine name="Alert=Multiple Commands" condition="contains">;</CommandLine>
+			<CommandLine name="Alert=Command Pipe" condition="contains">|</CommandLine>
+			<CommandLine name="Alert=interactive command to slow output" condition="contains">more</CommandLine>
+			<CommandLine name="Alert=Commands run from \\tsclient share ie: samsam ransomware" condition="contains">\\tsclient</CommandLine>
+			<CommandLine name="Alert=DotDot Dirs" condition="contains">..</CommandLine>
 	  		<!--                                                                                                                                            -->
 			<!--Hack Command Line Events-->
 			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="contains">COMSPEC</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Powershell Invoke-Expression" condition="contains">Invoke-Expression</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Powershell Invoke-WebRequest" condition="contains">iwr</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Powershell Invoke-WebRequest" condition="contains">Invoke-WebRequest</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Powershell Download" condition="contains">DownloadFile</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Powershell Download" condition="contains">DownloadString</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Powershell Download" condition="contains">Net.WebClient</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Powershell Download" condition="contains">System.Net.WebRequest</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Powershell Download" condition="contains">System.Net.SecurityProtocolType</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=invoke-shellcode" condition="contains">Shellcode</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control-Execution,Note=Detect Base64 encoding" condition="contains">FromBase64String</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Detect Secure Strings" condition="contains">convertto-securestring</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Note=Detect some more obfuscation" condition="contains">VerbosePreference.ToString</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Invoke-Expression" condition="contains">Invoke-Expression</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">iwr</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">Invoke-WebRequest</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">DownloadFile</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">DownloadString</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">Net.WebClient</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">System.Net.WebRequest</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">System.Net.SecurityProtocolType</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=invoke-shellcode" condition="contains">Shellcode</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control-Execution,Alert=Detect Base64 encoding" condition="contains">FromBase64String</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Detect Secure Strings" condition="contains">convertto-securestring</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Detect some more obfuscation" condition="contains">VerbosePreference.ToString</CommandLine>
 	  		<!--                                                                                                                                            -->
 			<!--Ofuscated Command Line arguments-->
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">runtime.interopservices.marshal</CommandLine>
-			<CommandLine name="MitreRef=Detect some more obfuscation" condition="contains">VerbosePreference.ToString</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">VerbosePreference.ToString</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowstyle h</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowstyl h</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowsty h</CommandLine>
@@ -256,7 +303,50 @@
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-en</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">C^om^S^pEc</CommandLine>
-
+			<!--Suspicious Windows tools-->
+			<Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
+			<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
+			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
+			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
+			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
+			<Image condition="image">regsvcs.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ] -->
+			<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Windows Services hidden by Svchost.exe, BITS File Transfer program-->
+			<Image condition="image">mshta.exe</Image>
+			<Image name="Alert=Psexec Utilities" condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
+			<Image name="Alert=PsKill Command" condition="contains">pskill</Image><!--Detect pskill-->
+			<Image name="Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image><!--Detect PsShutdown-->
+			<Image condition="contains">psservice</Image><!--Detect PsService-->
+			<Image condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
+			<Image name="Alert=MSBuild Applocker bypass" condition="image">msbuild.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
+			<Image condition="image">installutil.exe</Image>
+			<Image name="Alert=MSI Installer Launched" condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
+			<Image name="Alert=Remote Desktop" condition="image">mstsc.exe</Image><!-- Remote Desktop -->
+			<Image name="Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image><!-- Telnet -->
+			<Image condition="image">SyncAppvPublishingServer.exe</Image><!--Mitre T1218-->
+			<Image condition="image">Mavinject.exe</Image><!--Mitre T1218-->
+			<Image name="Alert=Secure Shell Execution" condition="image">ssh.exe</Image><!-- SSH -->
+			<Image name="Alert=Secure Shell Execution" condition="image">putty.exe</Image><!-- SSH -->
+			<Image name="Alert=Secure Shell Execution"condition="image">kitty.exe</Image><!-- SSH -->
+			<Image cname="Alert=Secure Shell Execution"ondition="image">kitty_portable.exe</Image><!-- SSH -->
+			<Image name="Alert=Secure Shell FTP Execution"condition="image">psftp.exe</Image><!-- SFTP -->
+			<Image condition="image">tftp.exe</Image><!-- TFTP -->
+			<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
+			<Image condition="image">net.exe</Image><!-- net use/net view-->
+			<Image condition="image">nbtstat.exe</Image><!-- Netbios stat-->
+			<Image condition="image">dsquery.exe</Image><!-- Query domain-->
+			<Image condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
+			<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
+			<Image condition="image">sc.exe</Image><!-- Service Control Manager-->
+			<Image condition="image">auditpol.exe</Image><!-- Auditpol-->
+			<Image condition="image">qwinsta.exe</Image><!-- Query Remote Sessions-->
+			<Image condition="image">rwinsta.exe</Image><!-- Reset Remote Sessions-->
+			<Image condition="image">curl.exe</Image>
+			<Image condition="image">wget.exe</Image>
+			<Image condition="image">www.exe</Image>
+			<Image condition="image">awk.exe</Image>
+			<Image condition="image">sed.exe</Image>
+			<!--Tor-->
+			<Image condition="image">tor.exe</Image><!-- Tor-->
 			<!--                                                                                                                                            -->
 			<!--Suspicious Command Line Locations-->
 			<Image name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="end with">.com</Image>
@@ -724,6 +814,31 @@
 			<DestinationHostname condition="contains">tor2web.blutmagie.de</DestinationHostname>
 			<DestinationHostname condition="contains">tor-gateways.de</DestinationHostname>
 			<DestinationHostname condition="contains">hiddenservice.net</DestinationHostname>
+			<!--Public Port Scan Detection-->
+			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">shodan</DestinationHostname>
+			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">shadow</DestinationHostname>
+			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">researchscan</DestinationHostname>
+			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">census</DestinationHostname>
+			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">linode</DestinationHostname>
+			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">sl-reverse</DestinationHostname>
+			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">scanhub</DestinationHostname>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">.edu</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">158.130.6.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">71.6.216.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">137.226.113.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">138.246.252.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">128.32.30.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">208.93.152.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">162.216.46.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">169.229.3.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">155.94.254.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">98.143.148.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">155.94.222.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">134.147.203.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">69.170.62.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">159.203.213.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">209.236.120.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">158.130.6</DestinationIp>
 			<!--Ports-->
 			<DestinationPort condition="is">80</DestinationPort> <!--RDP Port-->
 			<DestinationPort condition="is">443</DestinationPort> <!--RDP Port-->

From 6325b5ad1f134dc1d7b15607a96c52cc3c236636 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 9 Jul 2018 16:14:17 -0400
Subject: [PATCH 259/471] Update for Sysmon 8.0

---
 sysmonconfig-export.xml | 325 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 324 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 1b49b13a..65bf72b7 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -51,7 +51,7 @@
   PERFORMANCE: By using "end with" you can save performance by starting a string match at the end of a line, which usually triggers earlier.
 -->
 
-<Sysmon schemaversion="4.00">
+<Sysmon schemaversion="4.10">
 	<!--SYSMON META CONFIG-->
 	<HashAlgorithms>md5,sha256</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
 	<CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->
@@ -70,6 +70,304 @@
 			code signatures to validate, but Sysmon does not support that. Look into Windows Device Guard for whitelisting support. -->
 
 		<!--DATA: UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
+		<ProcessCreate onmatch="include">
+			<!--Mitre ATT&CK Rules-->
+			<!--Accessibility Features-->
+			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">sethc.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">utilman.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">osk.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">Magnify.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">DisplaySwitch.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">Narrator.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">AtBroker.exe</ParentImage>
+	  		<!--                                                                                                                                            -->
+			<!--Native Windows tools - Living off the land-->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,MitreURL=https://attack.mitre.org/wiki/Technique/T1049" condition="end with">whoami.exe</Image>
+			<Image name="MitreRef=T1049,Technique=Discovery" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
+			<Image name="MitreRef=T1057,Technique=Process Discovery" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
+			<Image name="MitreRef=T1016,Technique=System Information Discovery" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
+			<Image name="MitreRef=T1057,Technique=Process Discovery" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery" condition="end with">nslookup.exe</Image> <!--Microsoft:Windows: shows DNS configuration and enables quering -->
+			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery" condition="end with">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
+			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery" condition="end with">net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeration" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
+			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery" condition="end with">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
+			<Image name="MitreRef=T1134,Technique=Access Token Manipulation" condition="end with">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
+			<Image name="MitreRef=T1016,Technique=System Information Discovery" condition="end with">reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
+			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery" condition="end with">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
+			<Image name="MitreRef=T1070,Technique=Indicator Removal on Host-Defense Evasion" condition="end with">wevtutil.exe</Image> <!--Microsoft:Windows: read and modify the Windows Eventlog -->
+			<Image name="MitreRef=T1053,Technique=Scheduled Task-Execution/Persistence/Privilege Escalation" condition="end with">taskeng.exe</Image> <!--Microsoft:Windows: taskscheduler -->
+			<Image name="MitreRef=T1117,Technique=Regsvr32-Defense Evasion/Execution" condition="end with">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
+			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement" condition="end with">wmiprvse.exe</ParentImage>
+			<ParentImage name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="end with">psexesvc.exe</ParentImage>
+			<Description name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
+			<ParentImage name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="end with">psexec.exe</ParentImage>
+			<Description name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
+			<ParentImage name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="end with">pskill.exe</ParentImage>
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
+			<Image name="MitreRef=T1059,Technique=" condition="end with">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
+			<ParentImage name="MitreRef=T1059,Technique=" condition="end with">cmd.exe</ParentImage> <!--Microsoft:Windows: Command prompt-->
+			<Image name="MitreRef=T1086,Technique=Execution" condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
+			<Description name="MitreRef=T1086,Technique=Execution" condition="end with">powershell.exe</Description> <!--Microsoft:Windows: PowerShell interface-->
+			<ParentImage name="MitreRef=T1086,Technique=Execution" condition="end with">powershell.exe</ParentImage> <!--Microsoft:Windows: PowerShell interface-->
+			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
+			<ParentImage name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
+			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
+			<Image name="MitreRef=T1158,Technique=Hacking/LOLBins-Living off the Land" condition="end with">attrib.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">nltest.exe</Image>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">nltest.exe</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ExtExport</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">bash -c</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">bash.exe -c</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey /list</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey.exe /list</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">certutil.exe -urlcache -split -f</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">certutil -urlcache -split -f</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc -out:</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc.exe -out:</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc -target:library</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc.exe -target:library</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey /list</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmd.exe /k</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmstp.exe /ni /s</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmstp /ni /s</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">esentutl.exe /y \\</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">esentutl /y \\</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">expand \\</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">expand.exe \\</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">extrac32 \\</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">extrac32.exe \\</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ieexec.exe http</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ieexec http</CommandLine>
+			<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">diskshadow</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">rundll32.exe advpack.dll,LaunchINFSection</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">rundll32 advpack.dll,LaunchINFSection</ParentImage>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">set </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">setx </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">pushd</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">popd</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">subst</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">ren </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">move </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">md </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">del </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">rd </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">expand </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">find </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">assoc </CommandLine>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="end with">cls.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="end with">doskey.exe</Image>
+	  		<!--                                                                                                                                            -->
+			<!--appc shim-->
+			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation" condition="end with">sdbinst.exe</Image>
+	  		<!--                                                                                                                                            -->
+			<!--BitsAdmin-->
+			<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion" condition="end with">bitsadmin.exe</Image>
+	  		<!--                                                                                                                                            -->
+			<!--UAC Bypass-->
+			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass" condition="end with">eventvwr.exe</ParentImage>
+			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass" condition="end with">fodhelper.exe</ParentImage>
+	  		<!--                                                                                                                                            -->
+			<!--InstallUtil Abuse-->
+			<Image name="MitreRef=T1118,Technique=Defense Evasion/Execution" condition="end with">InstallUtil.exe</Image>
+			<CommandLine name="MitreRef=T1118,Technique=Defense Evasion/Execution" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
+	  		<!--                                                                                                                                            -->
+			<!--Mavinject -->
+	        <Image name="MitreRef=T1218,Technique=" condition="end with">Mavinject.exe</Image>
+			<Image name="MitreRef=T1191,Technique=" condition="end with">CMSTP.exe</Image>
+	  		<!--                                                                                                                                            -->
+			<!--MSBuild-->
+			<Image name="MitreRef=T1191,Technique=" condition="end with">MSBuild.exe</Image>
+	        <Image name="MitreRef=T1121,Technique=" condition="end with">regsvcs.exe</Image>
+			<Image name="MitreRef=T1121,Technique=" condition="end with">regasm.exe</Image>
+			<Image name="MitreRef=T1218,Technique=" condition="end with">SyncAppvPublishingServer.exe</Image>
+	  		<!--                                                                                                                                            -->
+			<!--Control Panel-->
+			<Image name="MitreRef=T1218,Technique=Defense Evasion/Execution" condition="end with">control.exe</Image>
+	        <CommandLine name="MitreRef=T1196,Technique=Defense Evasion/Execution" condition="contains">control.exe /name</CommandLine>
+			<CommandLine name="MitreRef=T1196,Technique=Defense Evasion/Execution" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
+	  		<!--                                                                                                                                            -->
+			<!--Custom Mitre-->
+			<Image name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">wsmprovhost.exe</Image>
+			<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">wsmprovhost.exe</ParentImage>
+			<Image name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">winrm.cmd</Image>
+			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil.exe -decode</CommandLine>
+			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil -decode</CommandLine>
+			<Image name="MitreRef=T1170,Technique=Defense Evasion/Execution" condition="end with">mshta.exe</Image>
+			<Image name="MitreRef=T1070,Technique=Defense Evasion" condition="end with">wevutil.exe</Image>
+			<CommandLine name="MitreRef=T1070,Technique=Defense Evasion" condition="contains">wevutil cl</CommandLine>
+			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</Image>
+			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</ParentImage>
+			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">at.exe</Image>
+			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">at.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">forfiles.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">forfiles.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">pcalua.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">pcalua.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">bash.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">bash.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">bash.exe</Image>
+			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement" condition="contains">System.Management.Automation</CommandLine>
+	  		<!--                                                                                                                                            -->
+			<!--Detect Spawned Adobe Parent Processes-->
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Acrobat" condition="end with">acrobat.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Adobe Reader" condition="end with">acrord32.exe</ParentImage>
+	  		<!--                                                                                                                                            -->
+			<!--Detect Spawned Browser Parent Processes-->
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned Process from Chrome" condition="end with">chrome.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Firefox" condition="end with">firefox.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Internet Explorer" condition="end with">iexplore.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="end with">MicrosoftEdgeCP.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="end with">MicrosoftEdge.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Vivaldi Browser" condition="end with">vivaldi.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Waterfox Browser" condition="end with">waterfox.exe</ParentImage>
+	  		<!--                                                                                                                                            -->
+			<!--Detect Spawned Java Parent Processes-->
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">java.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">javaw.exe</ParentImage>
+	  		<!--                                                                                                                                            -->
+			<!--Detect Spawned Office Parent Processes & Abuse-->
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">word.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">excel.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">POWERPNT.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">outlook.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">visio.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">msaccess.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">lync.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">skype.exe</ParentImage>
+	  		<!--                                                                                                                                            -->
+			<!--Detect Output Redirection-->
+			<CommandLine name="Alert=Output Redirection" condition="contains">2></CommandLine>
+			<CommandLine name="Alert=Output Redirection" condition="contains">&lt;</CommandLine>
+			<CommandLine name="Alert=Output Redirection" condition="contains">></CommandLine>
+			<CommandLine name="Alert=Output Redirection" condition="contains">^</CommandLine>
+			
+	  		<!--                                                                                                                                            -->
+			<!--Detect Multiple Commands-->
+			<CommandLine name="Alert=Multiple Commands" condition="contains">&amp;</CommandLine>
+			<CommandLine name="Alert=Multiple Commands" condition="contains">;</CommandLine>
+			<CommandLine name="Alert=Command Pipe" condition="contains">|</CommandLine>
+			<CommandLine name="Alert=interactive command to slow output" condition="contains">more</CommandLine>
+			<CommandLine name="Alert=Commands run from \\tsclient share ie: samsam ransomware" condition="contains">\\tsclient</CommandLine>
+			<CommandLine name="Alert=DotDot Dirs" condition="contains">..</CommandLine>
+	  		<!--                                                                                                                                            -->
+			<!--Hack Command Line Events-->
+			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="contains">COMSPEC</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Invoke-Expression" condition="contains">Invoke-Expression</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">iwr</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">Invoke-WebRequest</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">DownloadFile</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">DownloadString</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">Net.WebClient</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">System.Net.WebRequest</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">System.Net.SecurityProtocolType</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=invoke-shellcode" condition="contains">Shellcode</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control-Execution,Alert=Detect Base64 encoding" condition="contains">FromBase64String</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Detect Secure Strings" condition="contains">convertto-securestring</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Detect some more obfuscation" condition="contains">VerbosePreference.ToString</CommandLine>
+	  		<!--                                                                                                                                            -->
+			<!--Ofuscated Command Line arguments-->
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">runtime.interopservices.marshal</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">VerbosePreference.ToString</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowstyle h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowstyl h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowsty h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowst h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windows h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-window h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windo h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-wind h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-wi h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-w h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-wi h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hi</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hid</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hidd</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hidde</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hidden</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-Nop</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-Noni</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-ec</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-en</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">C^om^S^pEc</CommandLine>
+			<!--Suspicious Windows tools-->
+			<Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
+			<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
+			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
+			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
+			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
+			<Image condition="image">regsvcs.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ] -->
+			<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Windows Services hidden by Svchost.exe, BITS File Transfer program-->
+			<Image condition="image">mshta.exe</Image>
+			<Image name="Alert=Psexec Utilities" condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
+			<Image name="Alert=PsKill Command" condition="contains">pskill</Image><!--Detect pskill-->
+			<Image name="Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image><!--Detect PsShutdown-->
+			<Image condition="contains">psservice</Image><!--Detect PsService-->
+			<Image condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
+			<Image name="Alert=MSBuild Applocker bypass" condition="image">msbuild.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
+			<Image condition="image">installutil.exe</Image>
+			<Image name="Alert=MSI Installer Launched" condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
+			<Image name="Alert=Remote Desktop" condition="image">mstsc.exe</Image><!-- Remote Desktop -->
+			<Image name="Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image><!-- Telnet -->
+			<Image condition="image">SyncAppvPublishingServer.exe</Image><!--Mitre T1218-->
+			<Image condition="image">Mavinject.exe</Image><!--Mitre T1218-->
+			<Image name="Alert=Secure Shell Execution" condition="image">ssh.exe</Image><!-- SSH -->
+			<Image name="Alert=Secure Shell Execution" condition="image">putty.exe</Image><!-- SSH -->
+			<Image name="Alert=Secure Shell Execution"condition="image">kitty.exe</Image><!-- SSH -->
+			<Image cname="Alert=Secure Shell Execution"ondition="image">kitty_portable.exe</Image><!-- SSH -->
+			<Image name="Alert=Secure Shell FTP Execution"condition="image">psftp.exe</Image><!-- SFTP -->
+			<Image condition="image">tftp.exe</Image><!-- TFTP -->
+			<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
+			<Image condition="image">net.exe</Image><!-- net use/net view-->
+			<Image condition="image">nbtstat.exe</Image><!-- Netbios stat-->
+			<Image condition="image">dsquery.exe</Image><!-- Query domain-->
+			<Image condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
+			<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
+			<Image condition="image">sc.exe</Image><!-- Service Control Manager-->
+			<Image condition="image">auditpol.exe</Image><!-- Auditpol-->
+			<Image condition="image">qwinsta.exe</Image><!-- Query Remote Sessions-->
+			<Image condition="image">rwinsta.exe</Image><!-- Reset Remote Sessions-->
+			<Image condition="image">curl.exe</Image>
+			<Image condition="image">wget.exe</Image>
+			<Image condition="image">www.exe</Image>
+			<Image condition="image">awk.exe</Image>
+			<Image condition="image">sed.exe</Image>
+			<!--Tor-->
+			<Image condition="image">tor.exe</Image><!-- Tor-->
+			<!--                                                                                                                                            -->
+			<!--Suspicious Command Line Locations-->
+			<Image name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="end with">.com</Image>
+			<Image name="Info=Executables Launched In Temp" condition="contains">\temp\</Image>
+			<Image name="Info=Executables Launched In User Dirs" condition="begin with">C:\users</Image>
+			<ParentImage condition="end with">explorer.exe</ParentImage>
+			<Image condition="end with">control.exe</Image>
+			<Image condition="end with">acrord32.exe</Image>
+			<Image condition="end with">installutil.exe</Image>
+			<Image name="Info=Registry modification/queries" condition="end with">reg.exe</Image>
+			<Image name="Info=ipconfig discovery" condition="end with">ipconfig.exe</Image>
+			<Image name="Info=Executables Launched In Appdata" condition="contains">\appdata\</Image>
+			<Image condition="contains">\programdata\</Image>
+			<Image condition="contains">\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
+			<Image condition="contains">\ProgramData</Image>
+			<Image condition="contains">\Windows\</Image>
+			<Image condition="contains">\Perflogs\</Image>
+			<Image condition="contains">\config\systemprofile\</Image>
+			<!--Include Everything last to allow rules to apply and to allow previous exclude ruleset to function-->
+			<Image condition="contains">\</Image>
+		</ProcessCreate>
 		<ProcessCreate onmatch="exclude">
 			<!--SECTION: Microsoft Windows-->
 			<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes-->
@@ -516,6 +814,31 @@
 			<DestinationHostname condition="contains">tor2web.blutmagie.de</DestinationHostname>
 			<DestinationHostname condition="contains">tor-gateways.de</DestinationHostname>
 			<DestinationHostname condition="contains">hiddenservice.net</DestinationHostname>
+			<!--Public Port Scan Detection-->
+			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">shodan</DestinationHostname>
+			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">shadow</DestinationHostname>
+			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">researchscan</DestinationHostname>
+			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">census</DestinationHostname>
+			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">linode</DestinationHostname>
+			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">sl-reverse</DestinationHostname>
+			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">scanhub</DestinationHostname>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">.edu</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">158.130.6.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">71.6.216.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">137.226.113.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">138.246.252.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">128.32.30.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">208.93.152.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">162.216.46.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">169.229.3.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">155.94.254.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">98.143.148.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">155.94.222.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">134.147.203.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">69.170.62.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">159.203.213.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">209.236.120.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">158.130.6</DestinationIp>
 			<!--Ports-->
 			<DestinationPort condition="is">80</DestinationPort> <!--RDP Port-->
 			<DestinationPort condition="is">443</DestinationPort> <!--RDP Port-->

From a3ce85f9af048b378e51b449f5f7a12a8f038a0b Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 9 Jul 2018 19:34:39 -0400
Subject: [PATCH 260/471] Fix syntax errors

---
 sysmonconfig-export.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 65bf72b7..ce54a827 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -326,9 +326,9 @@
 			<Image condition="image">Mavinject.exe</Image><!--Mitre T1218-->
 			<Image name="Alert=Secure Shell Execution" condition="image">ssh.exe</Image><!-- SSH -->
 			<Image name="Alert=Secure Shell Execution" condition="image">putty.exe</Image><!-- SSH -->
-			<Image name="Alert=Secure Shell Execution"condition="image">kitty.exe</Image><!-- SSH -->
-			<Image cname="Alert=Secure Shell Execution"ondition="image">kitty_portable.exe</Image><!-- SSH -->
-			<Image name="Alert=Secure Shell FTP Execution"condition="image">psftp.exe</Image><!-- SFTP -->
+			<Image name="Alert=Secure Shell Execution" condition="image">kitty.exe</Image><!-- SSH -->
+			<Image name="Alert=Secure Shell Execution" condition="image">kitty_portable.exe</Image><!-- SSH -->
+			<Image name="Alert=Secure Shell FTP Execution" condition="image">psftp.exe</Image><!-- SFTP -->
 			<Image condition="image">tftp.exe</Image><!-- TFTP -->
 			<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
 			<Image condition="image">net.exe</Image><!-- net use/net view-->

From b97604b7002821852aa278909ed499f254c7bd1c Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 9 Jul 2018 20:38:22 -0400
Subject: [PATCH 261/471] Remove testing config

---
 Sysmon-config.xml | 2203 ---------------------------------------------
 1 file changed, 2203 deletions(-)
 delete mode 100644 Sysmon-config.xml

diff --git a/Sysmon-config.xml b/Sysmon-config.xml
deleted file mode 100644
index 65bf72b7..00000000
--- a/Sysmon-config.xml
+++ /dev/null
@@ -1,2203 +0,0 @@
-<!--
-  sysmon-config | A sysmon configuration focused on default high-quality event tracing and easy customization by the community
-  Master version:	50 | Date: 2017-03-02
-  Master author:	@SwiftOnSecurity, with contributors also credited in-line or on Git.
-  Master project:	https://github.com/SwiftOnSecurity/sysmon-config
-  Master license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
-
-  Fork version:	150
-  Fork author:	ionstorm
-  Fork project:	https://github.com/ion-storm/sysmon-config
-  Fork license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
-
-  REQUIRED: Sysmon version 7.01 or higher (due to changes in registry syntax and bug-fixes)
-	https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
-	Note that 6.03 and 7.01 have critical fixes for filtering, it's recommended you stay updated.
-
-  NOTE: To collect Sysmon logs centrally for free, see https://aka.ms/WEF. Will need to run command to allow log access to the Network Service:
-	wevtutil.exe sl Microsoft-Windows-Sysmon/Operational /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)
-
-  NOTE: Do not let the size and complexity of this configuration discourage you from customizing this or building your own.
-	This configuration is based around known, high-signal event tracing, and thus appears complicated, but it's only very
-	detailed. Significant effort over years has been invested in front-loading as much filtering as possible onto the
-	client. This is to make analysis of intrusions possible by hand, and to try to surface anomalous activity as quickly
-	as possible to any technician armed only with Event Viewer. Its purpose is to democratize system monitoring for all organizations.
-
-  NOTE: Sysmon is NOT a whitelist solution or HIDS engine, it is a computer change and event logging tool with very basic exclude rules.
-	Do NOT ignore everything possible. Sysmon's purpose is providing context during a threat or problem investigation. Legitimate
-	processes are routinely used by threats - do not blindly exclude them. Additionally, be mindful of process-hollowing / imitation.
-
-  NOTE: Sysmon is not hardened against an attacker with admin rights. Additionally, this configuration offers an attacker, willing
-	to study it, many ways to evade some of the logging. If you are in a high-threat environment, you should consider a much broader
-	log-most approach. However, in the vast majority of cases, an attacker will bumble along through multiple behavioral traps which
-	this configuration monitors, especially in the first minutes.
-
-  TECHNICAL:
-  - Run sysmon.exe -? for a briefing on Sysmon configuration.
-  - Sysmon does not support nested/multi-conditional rules. There are only blanket INCLUDE and EXCLUDE. "Exclude" rules override "Include" rules.
-  - If you only specify exclude for a filtering subsection, everything in that subsection is logged by default.
-  - Some Sysmon monitoring abilities are not meant for general-purpose use due to their large performance impact, such as ProcessAccess.
-  - Duplicate or overlapping "Include" rules do not result in duplicate events being logged.
-  - All characters enclosed by XML tags are always interpreted literally. Sysmon does not support wildcards (*), alternate characters, or RegEx.
-  - In registry events, the value name is appended to the full key path with a "\" delimiter. Default key values are named "\(Default)"
-  - "Image" is a technical term for a compiled binary file like an EXE or DLL. Also, it can match just the filename, or entire path.
-  - "ProcessGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual process launches. Cleared on service restart.
-  - "LoginGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual user sessions. Cleared on service restart.
-  - Sysmon does not track which rule caused an event to be logged.
-
-  TECHNICAL: Filter conditions available for use are: is, is not, contains, excludes, begin with, end with, less than, more than, image
-  - The "image" filter is usable with any field. Same as "is" but can either match the entire string, or only the text after the last "\" in the string. Credit: @mattifestation
-
-  PERFORMANCE: By using "end with" you can save performance by starting a string match at the end of a line, which usually triggers earlier.
--->
-
-<Sysmon schemaversion="4.10">
-	<!--SYSMON META CONFIG-->
-	<HashAlgorithms>md5,sha256</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
-	<CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->
-
-	<!-- <ImageLoad/> --> <!-- Would manually force-on ImageLoad monitoring, even without configuration below. Included only documentation. -->
-	<!-- <ProcessAccessConfig/> --> <!-- Would manually force-on ProcessAccess monitoring, even without configuration below. Included only documentation. -->
-	<!-- <PipeMonitoringConfig/> --> <!-- Would manually force-on PipeCreated / PipeConnected events, even without configuration below. Included only documentation. -->
-
-	<EventFiltering>
-
-	<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
-		<!--COMMENT:	All process launched will be included, except for what matches a rule below. It's best to be as specific as possible, to
-			avoid user-mode executables imitating other process names to avoid logging, or if malware drops files in an existing directory.
-			Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created.
-			Beware of Masquerading, where attackers imitate the names and paths of legitimate tools. Ideally, you'd use both file path and
-			code signatures to validate, but Sysmon does not support that. Look into Windows Device Guard for whitelisting support. -->
-
-		<!--DATA: UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
-		<ProcessCreate onmatch="include">
-			<!--Mitre ATT&CK Rules-->
-			<!--Accessibility Features-->
-			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">sethc.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">utilman.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">osk.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">Magnify.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">DisplaySwitch.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">Narrator.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">AtBroker.exe</ParentImage>
-	  		<!--                                                                                                                                            -->
-			<!--Native Windows tools - Living off the land-->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,MitreURL=https://attack.mitre.org/wiki/Technique/T1049" condition="end with">whoami.exe</Image>
-			<Image name="MitreRef=T1049,Technique=Discovery" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
-			<Image name="MitreRef=T1057,Technique=Process Discovery" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
-			<Image name="MitreRef=T1016,Technique=System Information Discovery" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
-			<Image name="MitreRef=T1057,Technique=Process Discovery" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery" condition="end with">nslookup.exe</Image> <!--Microsoft:Windows: shows DNS configuration and enables quering -->
-			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery" condition="end with">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
-			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery" condition="end with">net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeration" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
-			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery" condition="end with">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
-			<Image name="MitreRef=T1134,Technique=Access Token Manipulation" condition="end with">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
-			<Image name="MitreRef=T1016,Technique=System Information Discovery" condition="end with">reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
-			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery" condition="end with">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
-			<Image name="MitreRef=T1070,Technique=Indicator Removal on Host-Defense Evasion" condition="end with">wevtutil.exe</Image> <!--Microsoft:Windows: read and modify the Windows Eventlog -->
-			<Image name="MitreRef=T1053,Technique=Scheduled Task-Execution/Persistence/Privilege Escalation" condition="end with">taskeng.exe</Image> <!--Microsoft:Windows: taskscheduler -->
-			<Image name="MitreRef=T1117,Technique=Regsvr32-Defense Evasion/Execution" condition="end with">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
-			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement" condition="end with">wmiprvse.exe</ParentImage>
-			<ParentImage name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="end with">psexesvc.exe</ParentImage>
-			<Description name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
-			<ParentImage name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="end with">psexec.exe</ParentImage>
-			<Description name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
-			<ParentImage name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="end with">pskill.exe</ParentImage>
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
-			<Image name="MitreRef=T1059,Technique=" condition="end with">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
-			<ParentImage name="MitreRef=T1059,Technique=" condition="end with">cmd.exe</ParentImage> <!--Microsoft:Windows: Command prompt-->
-			<Image name="MitreRef=T1086,Technique=Execution" condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
-			<Description name="MitreRef=T1086,Technique=Execution" condition="end with">powershell.exe</Description> <!--Microsoft:Windows: PowerShell interface-->
-			<ParentImage name="MitreRef=T1086,Technique=Execution" condition="end with">powershell.exe</ParentImage> <!--Microsoft:Windows: PowerShell interface-->
-			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
-			<ParentImage name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
-			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
-			<Image name="MitreRef=T1158,Technique=Hacking/LOLBins-Living off the Land" condition="end with">attrib.exe</Image>
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">nltest.exe</Image>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">nltest.exe</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ExtExport</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">bash -c</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">bash.exe -c</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey /list</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey.exe /list</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">certutil.exe -urlcache -split -f</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">certutil -urlcache -split -f</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc -out:</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc.exe -out:</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc -target:library</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc.exe -target:library</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey /list</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmd.exe /k</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmstp.exe /ni /s</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmstp /ni /s</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">esentutl.exe /y \\</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">esentutl /y \\</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">expand \\</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">expand.exe \\</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">extrac32 \\</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">extrac32.exe \\</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ieexec.exe http</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ieexec http</CommandLine>
-			<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">diskshadow</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">rundll32.exe advpack.dll,LaunchINFSection</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">rundll32 advpack.dll,LaunchINFSection</ParentImage>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">set </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">setx </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">pushd</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">popd</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">subst</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">ren </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">move </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">md </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">del </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">rd </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">expand </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">find </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">assoc </CommandLine>
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="end with">cls.exe</Image>
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="end with">doskey.exe</Image>
-	  		<!--                                                                                                                                            -->
-			<!--appc shim-->
-			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation" condition="end with">sdbinst.exe</Image>
-	  		<!--                                                                                                                                            -->
-			<!--BitsAdmin-->
-			<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion" condition="end with">bitsadmin.exe</Image>
-	  		<!--                                                                                                                                            -->
-			<!--UAC Bypass-->
-			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass" condition="end with">eventvwr.exe</ParentImage>
-			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass" condition="end with">fodhelper.exe</ParentImage>
-	  		<!--                                                                                                                                            -->
-			<!--InstallUtil Abuse-->
-			<Image name="MitreRef=T1118,Technique=Defense Evasion/Execution" condition="end with">InstallUtil.exe</Image>
-			<CommandLine name="MitreRef=T1118,Technique=Defense Evasion/Execution" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
-	  		<!--                                                                                                                                            -->
-			<!--Mavinject -->
-	        <Image name="MitreRef=T1218,Technique=" condition="end with">Mavinject.exe</Image>
-			<Image name="MitreRef=T1191,Technique=" condition="end with">CMSTP.exe</Image>
-	  		<!--                                                                                                                                            -->
-			<!--MSBuild-->
-			<Image name="MitreRef=T1191,Technique=" condition="end with">MSBuild.exe</Image>
-	        <Image name="MitreRef=T1121,Technique=" condition="end with">regsvcs.exe</Image>
-			<Image name="MitreRef=T1121,Technique=" condition="end with">regasm.exe</Image>
-			<Image name="MitreRef=T1218,Technique=" condition="end with">SyncAppvPublishingServer.exe</Image>
-	  		<!--                                                                                                                                            -->
-			<!--Control Panel-->
-			<Image name="MitreRef=T1218,Technique=Defense Evasion/Execution" condition="end with">control.exe</Image>
-	        <CommandLine name="MitreRef=T1196,Technique=Defense Evasion/Execution" condition="contains">control.exe /name</CommandLine>
-			<CommandLine name="MitreRef=T1196,Technique=Defense Evasion/Execution" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
-	  		<!--                                                                                                                                            -->
-			<!--Custom Mitre-->
-			<Image name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">wsmprovhost.exe</Image>
-			<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">wsmprovhost.exe</ParentImage>
-			<Image name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">winrm.cmd</Image>
-			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil.exe -decode</CommandLine>
-			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil -decode</CommandLine>
-			<Image name="MitreRef=T1170,Technique=Defense Evasion/Execution" condition="end with">mshta.exe</Image>
-			<Image name="MitreRef=T1070,Technique=Defense Evasion" condition="end with">wevutil.exe</Image>
-			<CommandLine name="MitreRef=T1070,Technique=Defense Evasion" condition="contains">wevutil cl</CommandLine>
-			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</Image>
-			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</ParentImage>
-			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">at.exe</Image>
-			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">at.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">forfiles.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">forfiles.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">pcalua.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">pcalua.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">bash.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">bash.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">bash.exe</Image>
-			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement" condition="contains">System.Management.Automation</CommandLine>
-	  		<!--                                                                                                                                            -->
-			<!--Detect Spawned Adobe Parent Processes-->
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Acrobat" condition="end with">acrobat.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Adobe Reader" condition="end with">acrord32.exe</ParentImage>
-	  		<!--                                                                                                                                            -->
-			<!--Detect Spawned Browser Parent Processes-->
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned Process from Chrome" condition="end with">chrome.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Firefox" condition="end with">firefox.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Internet Explorer" condition="end with">iexplore.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="end with">MicrosoftEdgeCP.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="end with">MicrosoftEdge.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Vivaldi Browser" condition="end with">vivaldi.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Waterfox Browser" condition="end with">waterfox.exe</ParentImage>
-	  		<!--                                                                                                                                            -->
-			<!--Detect Spawned Java Parent Processes-->
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">java.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">javaw.exe</ParentImage>
-	  		<!--                                                                                                                                            -->
-			<!--Detect Spawned Office Parent Processes & Abuse-->
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">word.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">excel.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">POWERPNT.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">outlook.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">visio.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">msaccess.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">lync.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">skype.exe</ParentImage>
-	  		<!--                                                                                                                                            -->
-			<!--Detect Output Redirection-->
-			<CommandLine name="Alert=Output Redirection" condition="contains">2></CommandLine>
-			<CommandLine name="Alert=Output Redirection" condition="contains">&lt;</CommandLine>
-			<CommandLine name="Alert=Output Redirection" condition="contains">></CommandLine>
-			<CommandLine name="Alert=Output Redirection" condition="contains">^</CommandLine>
-			
-	  		<!--                                                                                                                                            -->
-			<!--Detect Multiple Commands-->
-			<CommandLine name="Alert=Multiple Commands" condition="contains">&amp;</CommandLine>
-			<CommandLine name="Alert=Multiple Commands" condition="contains">;</CommandLine>
-			<CommandLine name="Alert=Command Pipe" condition="contains">|</CommandLine>
-			<CommandLine name="Alert=interactive command to slow output" condition="contains">more</CommandLine>
-			<CommandLine name="Alert=Commands run from \\tsclient share ie: samsam ransomware" condition="contains">\\tsclient</CommandLine>
-			<CommandLine name="Alert=DotDot Dirs" condition="contains">..</CommandLine>
-	  		<!--                                                                                                                                            -->
-			<!--Hack Command Line Events-->
-			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="contains">COMSPEC</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Invoke-Expression" condition="contains">Invoke-Expression</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">iwr</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">Invoke-WebRequest</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">DownloadFile</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">DownloadString</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">Net.WebClient</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">System.Net.WebRequest</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">System.Net.SecurityProtocolType</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=invoke-shellcode" condition="contains">Shellcode</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control-Execution,Alert=Detect Base64 encoding" condition="contains">FromBase64String</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Detect Secure Strings" condition="contains">convertto-securestring</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Detect some more obfuscation" condition="contains">VerbosePreference.ToString</CommandLine>
-	  		<!--                                                                                                                                            -->
-			<!--Ofuscated Command Line arguments-->
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">runtime.interopservices.marshal</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">VerbosePreference.ToString</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowstyle h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowstyl h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowsty h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowst h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windows h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-window h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windo h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-wind h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-wi h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-w h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-wi h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hi</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hid</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hidd</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hidde</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hidden</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-Nop</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-Noni</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-ec</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-en</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">C^om^S^pEc</CommandLine>
-			<!--Suspicious Windows tools-->
-			<Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
-			<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
-			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
-			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
-			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
-			<Image condition="image">regsvcs.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ] -->
-			<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Windows Services hidden by Svchost.exe, BITS File Transfer program-->
-			<Image condition="image">mshta.exe</Image>
-			<Image name="Alert=Psexec Utilities" condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
-			<Image name="Alert=PsKill Command" condition="contains">pskill</Image><!--Detect pskill-->
-			<Image name="Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image><!--Detect PsShutdown-->
-			<Image condition="contains">psservice</Image><!--Detect PsService-->
-			<Image condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
-			<Image name="Alert=MSBuild Applocker bypass" condition="image">msbuild.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
-			<Image condition="image">installutil.exe</Image>
-			<Image name="Alert=MSI Installer Launched" condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
-			<Image name="Alert=Remote Desktop" condition="image">mstsc.exe</Image><!-- Remote Desktop -->
-			<Image name="Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image><!-- Telnet -->
-			<Image condition="image">SyncAppvPublishingServer.exe</Image><!--Mitre T1218-->
-			<Image condition="image">Mavinject.exe</Image><!--Mitre T1218-->
-			<Image name="Alert=Secure Shell Execution" condition="image">ssh.exe</Image><!-- SSH -->
-			<Image name="Alert=Secure Shell Execution" condition="image">putty.exe</Image><!-- SSH -->
-			<Image name="Alert=Secure Shell Execution"condition="image">kitty.exe</Image><!-- SSH -->
-			<Image cname="Alert=Secure Shell Execution"ondition="image">kitty_portable.exe</Image><!-- SSH -->
-			<Image name="Alert=Secure Shell FTP Execution"condition="image">psftp.exe</Image><!-- SFTP -->
-			<Image condition="image">tftp.exe</Image><!-- TFTP -->
-			<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
-			<Image condition="image">net.exe</Image><!-- net use/net view-->
-			<Image condition="image">nbtstat.exe</Image><!-- Netbios stat-->
-			<Image condition="image">dsquery.exe</Image><!-- Query domain-->
-			<Image condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
-			<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
-			<Image condition="image">sc.exe</Image><!-- Service Control Manager-->
-			<Image condition="image">auditpol.exe</Image><!-- Auditpol-->
-			<Image condition="image">qwinsta.exe</Image><!-- Query Remote Sessions-->
-			<Image condition="image">rwinsta.exe</Image><!-- Reset Remote Sessions-->
-			<Image condition="image">curl.exe</Image>
-			<Image condition="image">wget.exe</Image>
-			<Image condition="image">www.exe</Image>
-			<Image condition="image">awk.exe</Image>
-			<Image condition="image">sed.exe</Image>
-			<!--Tor-->
-			<Image condition="image">tor.exe</Image><!-- Tor-->
-			<!--                                                                                                                                            -->
-			<!--Suspicious Command Line Locations-->
-			<Image name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="end with">.com</Image>
-			<Image name="Info=Executables Launched In Temp" condition="contains">\temp\</Image>
-			<Image name="Info=Executables Launched In User Dirs" condition="begin with">C:\users</Image>
-			<ParentImage condition="end with">explorer.exe</ParentImage>
-			<Image condition="end with">control.exe</Image>
-			<Image condition="end with">acrord32.exe</Image>
-			<Image condition="end with">installutil.exe</Image>
-			<Image name="Info=Registry modification/queries" condition="end with">reg.exe</Image>
-			<Image name="Info=ipconfig discovery" condition="end with">ipconfig.exe</Image>
-			<Image name="Info=Executables Launched In Appdata" condition="contains">\appdata\</Image>
-			<Image condition="contains">\programdata\</Image>
-			<Image condition="contains">\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
-			<Image condition="contains">\ProgramData</Image>
-			<Image condition="contains">\Windows\</Image>
-			<Image condition="contains">\Perflogs\</Image>
-			<Image condition="contains">\config\systemprofile\</Image>
-			<!--Include Everything last to allow rules to apply and to allow previous exclude ruleset to function-->
-			<Image condition="contains">\</Image>
-		</ProcessCreate>
-		<ProcessCreate onmatch="exclude">
-			<!--SECTION: Microsoft Windows-->
-			<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes-->
-			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
-			<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine> <!--Microsoft:Windows: Search Indexer-->
-			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
-			<Image condition="is">C:\Windows\System32\MusNotification.exe</Image> <!--Microsoft:Windows: Update popups-->
-			<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image> <!--Microsoft:Windows: Update popups-->
-			<Image condition="is">C:\Windows\System32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly-->
-			<Image condition="is">C:\Windows\System32\conhost.exe</Image> <!--Microsoft:Windows: Command line interface host process-->
-			<Image condition="is">C:\Windows\System32\powercfg.exe</Image> <!--Microsoft:Power configuration management-->
-			<Image condition="is">C:\Windows\System32\wbem\WmiApSrv.exe</Image> <!--Microsoft:Windows: WMI performance adpater host process-->
-			<Image condition="is">C:\Windows\servicing\TrustedInstaller.exe</Image> <!--Microsoft:Windows: TrustedInstaller-->
-			<Image condition="is">C:\Windows\system32\sppsvc.exe</Image> <!--Microsoft:Windows: Software Protection Service-->
-			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
-			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
-			<ParentCommandLine condition="begin with">C:\Windows\system32\svchost.exe -k DcomLaunch</ParentCommandLine> <!--Microsoft:Windows-->
-			<ParentCommandLine condition="contains">\SystemRoot\System32\smss.exe 00000100 0000007c</ParentCommandLine> <!--Microsoft:Windows 10 Noise-->
-			<CommandLine condition="contains">\SystemRoot\System32\smss.exe 00000100 0000007c</CommandLine> <!--Microsoft:Windows 10 Noise-->
-			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font Cache Service-->
-			<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but without attribution-->
-			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
-			<Image condition="is">C:\Windows\system32\vssvc.exe</Image><!-- Microsoft Windows: Volume Shadow Copy Service -->
-			<CommandLine condition="contains">net use</CommandLine> <!-- Silence domain login scripts -->
-			<!--SECTION: Microsoft:Windows:Defender-->
-			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
-			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
-			<Image condition="is">C:\Windows\System32\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
-			<Image condition="is">C:\Windows\SysWOW64\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
-			<Image condition="is">C:\Windows\System32\MpSigStub.exe</Image> <!--Microsoft:Windows: Microsoft Malware Protection Signature Update Stub-->
-			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
-			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Engine</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
-			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Base</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
-			<Image condition="is">C:\Windows\System32\MusNotification.exe</Image><!--Microsoft:Windows: Update Popups-->
-			<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image><!--Microsoft:Windows: Update Popups-->
-			<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine><!--Microsoft:Windows: Search Indexer-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wsappx</CommandLine><!--Microsoft:Windows 10-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k appmodel</CommandLine><!--Microsoft:Windows 10-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k UnistackSvcGroup</CommandLine><!--Microsoft:Windows 10-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k defragsvc</CommandLine><!--Microsoft:Windows Defrag-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k RPCSS</CommandLine><!--Microsoft:Windows Services-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k utcsvc</CommandLine><!--Microsoft:Windows Services-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wbioSvcGroup</CommandLine><!--Microsoft:Windows Services-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k DcomLaunch</CommandLine><!--Microsoft:Windows Services-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k swprv</CommandLine><!--Microsoft:Software Shadow Copy Provider-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k imgsvc</CommandLine><!--Microsoft:The Windows Image Acquisition Service-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k NetworkServiceNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNoNetwork</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -p -s NcaSvc</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC</CommandLine> <!--Microsoft:Windows:Network: BitLocker Drive Encryption-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s BITS</CommandLine> <!--Microsoft:Windows:Network: Background Intelligent File Transfer (BITS) -->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc</CommandLine> <!--Microsoft:Windows: Network services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s SENS</CommandLine> <!--Microsoft:Windows: Network services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv</CommandLine> <!--Microsoft:Windows: Network services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s Themes</CommandLine> <!--Microsoft:Windows: Network services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt</CommandLine> <!--Microsoft:Windows: Windows Management Instrumentation (WMI) -->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s gpsvc</CommandLine> <!--Microsoft:Windows:Network: Group Policy -->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs</CommandLine> <!--Microsoft:Windows: Network services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s Dnscache</CommandLine> <!--Microsoft:Windows:Network: DNS caching, other uses -->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation</CommandLine> <!--Microsoft:Windows:Network: "Workstation" service, used for SMB file-sharing connections and RDP-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s NlaSvc</CommandLine> <!--Microsoft:Windows:Network: Network Location Awareness-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s TermService</CommandLine> <!--Microsoft:Windows:Network: Terminal Services (RDP)-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService</CommandLine> <!--Microsoft:Windows: Network services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k rPCSS</CommandLine> <!--Microsoft:Windows Services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k secsvcs</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k swprv</CommandLine> <!--Microsoft:Software Shadow Copy Provider-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k unistackSvcGroup</CommandLine> <!--Microsoft:Windows 10-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k utcsvc</CommandLine> <!--Microsoft:Windows Services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wbioSvcGroup</CommandLine> <!--Microsoft:Windows Services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k werSvcGroup</CommandLine> <!--Microsoft:Windows: ErrorReporting-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wsappx</CommandLine> <!--Microsoft:Windows 10-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation</CommandLine><!--Microsoft:Windows Network Services-->
-			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k NetworkService</CommandLine><!--Microsoft:Windows Network Services-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</CommandLine><!--Microsoft:Windows Network Services-->
-			<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k GPSvcGroup</CommandLine><!--Microsoft:Windows Network Services-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k tapisrv</CommandLine><!--Microsoft:Windows Network Services-->
-			<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k wsappx</ParentCommandLine> <!-- Windows 10 AppX Deployment Noise -->
-			<ParentCommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</ParentCommandLine><!--Microsoft:Windows Network Services: Spawns Consent.exe-->
-			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted</ParentCommandLine><!--Microsoft:Windows Network Services-->
-			<Image condition="is">C:\Windows\System32\powercfg.exe</Image><!--Microsoft:Power Management-->
-			<!--SECTION: Microsoft dotNet-->
-			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
-			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
-			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font cache service-->
-			<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
-			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
-			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
-			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
-			<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine> <!--Microsoft:DotNet-->
-			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
-			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
-			<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
-			<!--SECTION: Microsoft Office-->
-			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process-->
-			<ParentImage condition="end with">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process-->
-			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> <!--Microsoft:Office: Background process-->
-			<Image condition="is">C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
-			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
-			<Image condition="is">C:\Program Files\Microsoft Office\Office15\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
-			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
-			<Image condition="is">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
-			<Image condition="is">C:\Windows\splwow64.exe</Image> <!--Microsoft:Office: Print Driver Host spam -->
-			<!--SECTION: Microsoft:Windows: Media player-->
-			<Image condition="is">C:\Program Files\Windows Media Player\wmpnscfg.exe</Image> <!--Microsoft:Windows: Windows Media Player Network Sharing Service Configuration Application-->
-			<!--SECTION: Microsoft Exchange-->
-			<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe</ParentImage>
-			<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</ParentImage>
-			<CommandLine condition="contains">C:\Program Files\Microsoft\Exchange Server\V14\Scripts\CheckDatabaseRedundancy.ps1</CommandLine>
-			<!--SECTION: Microsoft Misc-->
-			<Image condition="is">C:\Windows\System32\ddpcli.exe</Image> <!--Scheduled dedupe jobs on server 2012-->
-			<!--SECTION: Google-->
-			<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
-			<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
-			<Image condition="begin with">C:\Program Files (x86)\Google\Update\</Image> <!--Google:Chrome: Updater-->
-			<ParentImage condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage> <!--Google:Chrome: Updater-->
-			<!--SECTION: Firefox-->
-			<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
-			<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
-			<!--SECTION: Adobe-->
-			<CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!--Adobe:AcrobatReader: Uninsteresting sandbox subprocess-->
-			<CommandLine condition="contains">AcroRd32.exe" --channel=</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
-			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image>
-			<!--SECTION: Adobe:Acrobat DC-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
-			<!--SECTION: Adobe:Acrobat 2015-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
-			<!--SECTION: Adobe:Acrobat Reader DC-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
-			<!--SECTION: Adobe:Flash-->
-			<Image condition="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
-			<!--SECTION: Adobe:Updater-->
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
-			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</ParentImage> <!--Adobe:Updater: Properly hardened updater, not a risk-->
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
-			<!--SECTION: Adobe:Supporting processes-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe</Image>
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image>
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> <!--Adobe:Creative Cloud-->
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image> <!--Adobe:License utility-->
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</Image> <!--Adobe:License utility-->
-			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</ParentImage> <!--Adobe:License utility-->
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image>
-			<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</ParentImage>
-			<!--SECTION: Adobe:Creative Cloud-->
-			<!--SECTION: Cisco-->
-			<ParentImage condition="end with">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</ParentImage> <!--Cisco: Calls netsh to change settings on connect-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
-			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
-			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage>
-			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe</ParentImage>
-			<!--SECTION: Drivers-->
-			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
-			<Image condition="begin with">C:\Program Files\NVIDIA Corporation\</Image> <!--Nvidia:Driver: routine actions-->
-			<Image condition="end with">\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe</Image> <!--Nvidia:Driver: routine actions-->
-			<ParentImage condition="is">C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamuseragent.exe</ParentImage> <!--Nvidia:Driver: routine actions-->
-			<Image condition="begin with">C:\Program Files\Realtek\</Image> <!--Realtek:Driver: routine actions-->
-			<ParentImage condition="end with">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage>
-			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
-			<ParentImage condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</ParentImage><!--Synaptics Touchpad -->
-			<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
-			<!--SECTION: Dropbox-->
-			<Image condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> <!--Dropbox:Updater: Lots of command-line arguments-->
-			<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
-			<!--SECTION: Dell-->
-			<ParentImage condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
-			<Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image> <!--Dell:SupportAssist: routine actions-->
-			<Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image> <!--Dell:SupportAssist: routine actions-->
-			<ParentCommandLine condition="end with">"-outc=C:\ProgramData\Dell\CommandUpdate\inventory.xml" "-logc=C:\ProgramData\Dell\CommandUpdate\scanerrs.xml" "-lang=en" "-enc=UTF-16" </ParentCommandLine>			
-			<!-- <ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> --> <!--Dell:CommandUpdate: Detection process-->
-			<!--SECTION: Lenovo-->
-			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\ConfigService.exe</Image> <!--Lenovo: System Update-->
-			<ParentImage condition="is">C:\PROGRA~3\Lenovo\SYSTEM~1\SESSIO~1\REPOSI~1\fwdphb06\fwdphb06_version.exe</ParentImage><!--Lenovo: System Update-->
-			<Image condition="is">C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe</Image><!--Lenovo: Thinkpad Utilities-->
-			<Image condition="is">C:\Windows\system32\LPlatSvc.exe</Image> <!--Lenovo: Platform Services-->
-			<ParentImage condition="is">C:\Program Files\Lenovo\HOTKEY\tphkload.exe</ParentImage><!--Lenovo: Hotkey Tools-->
-			<ParentImage condition="is">C:\Program Files\Lenovo\HOTKEY\micmute.exe</ParentImage><!--Lenovo: Hotkey Tools-->
-			<Image condition="is">C:\Program Files\Lenovo\InstantOn\InstantOnSrv.exe</Image> <!--Lenovo: Instant-On-->
-			<Image condition="is">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelService.exe</Image> <!--Lenovo: Mouse Suite-->
-			<Image condition="is">C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</Image> <!--Lenovo: Modern Apps Plugin Host-->
-			<ParentCommandLine condition="contains">C:\Program Files\Lenovo\iMController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</ParentCommandLine> <!--Lenovo: Modern Apps Plugin Host-->
-			<ParentCommandLine condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsukernel.exe</ParentCommandLine> <!--Lenovo: System Update-->
-			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\UACSdk.exe</ParentImage> <!--Lenovo: System Update-->
-			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\SUService.exe</ParentImage> <!--Lenovo: System Update-->
-			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard &amp; Mouse\Pelico.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
-			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard &amp; Mouse\LeDaemon.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
-			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
-			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelElvDm.exe</ParentImage>
-			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsuShim.exe</ParentImage>
-			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsu.exe</ParentImage>
-			<Image condition="contains">C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe</Image>
-			<!--SECTION: MSI: Micro-Star International Computers-->
-			<ParentImage condition="is">C:\Program Files (x86)\SCM\SCM.exe</ParentImage><!--MSI: Hotkey & Power Management-->
-			<Image condition="is">C:\Program Files (x86)\SCM\SCM_Notice.exe</Image><!--MSI: Hotkey & Power Management-->
-			<Image condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</Image><!-- MSI: Helpdesk Updater-->
-			<ParentImage condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</ParentImage><!-- MSI: Helpdesk Updater-->
-			<Image condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</Image><!-- MSI: Dragon Center Updater-->
-			<ParentImage condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</ParentImage><!-- MSI: Dragon Center Updater-->
-			<!--SECTION: Intel-->
-			<Image condition="is">C:\Program Files\Intel\Telemetry 2.0\lrio.exe</Image> <!--Intel: Telemetry-->
-			<Image condition="is">C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe</Image> <!--Intel: Driver Update-->
-			<Image condition="is">C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxCUIService.exe</Image><!--Intel: Graphics Driver-->
-			<Image condition="is">C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxEM.exe</Image><!--Intel: Graphics Driver-->
-			<!--SECTION: Antivirus-->
-			<CommandLine condition="begin with">"C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc</CommandLine> <!--Webroot-->
-			<CommandLine condition="contains">C:\Program Files (x86)\Webroot\WRSA.exe" -ul</CommandLine> <!--Webroot-->
-			<ParentCommandLine condition="is">"C:\Program Files (x86)\Webroot\WRSA.exe" -service</ParentCommandLine> <!--Webroot-->
-			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image><!--Webroot-->
-			<!--SECTION: Synaptics Touchpad-->
-			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
-			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe</Image>
-			<!--SECTION: Custom Apps-->
-			<!--SECTION: Labtech -->
-			<!--Since Labtech nests its processes, the following exclusions could be exploited, remove if you do not need-->
-			<!--TODO: Will define these more in the future-->
-			<ParentCommandLine condition="is">C:\Windows\LTSvc\LTSVC.exe -sLTService</ParentCommandLine> <!--Labtech Agent-->
-			<ParentImage condition="is">C:\Windows\LTSvc\LTSVC.exe</ParentImage> <!--Labtech Agent-->
-			<CurrentDirectory condition="is">C:\Windows\LTSvc\</CurrentDirectory><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">find /i "Listening"</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">netstat -an</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">tasklist</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">nslookup</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">nbtstat.exe</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">dsquery</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">sc query</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">find /i "Listening"</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">netstat -an</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">tasklist</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">interface tcp show global</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">wmic path win32_operatingsystem get</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">sc queryex type= service</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe</ParentCommandLine> <!--ShadowProtect noise -->
-			<ParentCommandLine condition="contains">raw_agent_svc.exe</ParentCommandLine> <!--ShadowProtect noise -->
-			<ParentImage condition="end with">raw_agent_svc.exe</ParentImage> <!--ShadowProtect noise -->
-			<CommandLine condition="contains">IscsidscInterface.exe</CommandLine> <!--ShadowProtect noise -->
-			<ParentCommandLine condition="contains">IscsidscInterface.exe</ParentCommandLine> <!--ShadowProtect noise -->
-			<ParentCommandLine condition="contains">Add-PSSnapin Microsoft.SharePoint.PowerShell</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">find /i "Listening"</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">netstat -an</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">tasklist</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">wmic path win32_operatingsystem get</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">sc queryex type= service</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">C:\Program Files\StorageCraft\ImageManager\ImageManager.exe</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">Add-PSSnapin Microsoft.SharePoint.PowerShell</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">Get-WmiObject -Query 'SELECT LicensingType FROM Win32_TerminalServiceSetting').LicensingType</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">Get-WmiObject -Namespace Root\CimV2\TerminalServices</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">tasklist</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">vssadmin list writers</ParentCommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">vssadmin  list writers</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">net view \\localhost | find " Print</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">net view \\localhost | find " Disk</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">C:\Windows\system32\net1 Share</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentImage condition="is">C:\Program Files (x86)\LabTech Client\LTClient.exe</ParentImage> <!--Labtech Client-->
-			<ParentCommandLine condition="contains">C:\Windows\LTSvc\LTSvcMon.exe -sLTService</ParentCommandLine>
-			<ParentImage condition="is">C:\Windows\LTSvc\LTSvcMon.exe</ParentImage>
-			<Image condition="is">C:\Windows\LTSvc\LTTray.exe</Image>
-			<ParentCommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall</ParentCommandLine>
-			<CommandLine condition="contains">interface tcp show global</CommandLine>
-			<Image condition="is">nslookup.exe</Image><!--Labtech NStest.bat lookups-->
-			<!--END: Labtech-->
-			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->
-			<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
-			<ParentImage condition="begin with">C:\Program Files (x86)\SmartGit</ParentImage> <!--SmartGit-->
-			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser-->
-			<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--Connectwise-->
-			<!-- VMware vSphere spawns child processes to svtres.exe and csc.exe, currently unable to exclude those child processes, csc and cvtres.exe are used by some malware-->
-			<ParentCommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</ParentCommandLine> <!--VMware vSphere spawns subprocesses-->
-			<CommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</CommandLine><!--VMware vSphere spawns subprocesses-->
-			<ParentImage condition="is">C:\Program Files (x86)\SyncedTool\bin\agent_service.exe</ParentImage><!--eFolder Synced Tool-->
-			<Image condition="is">C:\Program Files (x86)\Notepad++\notepad++.exe</Image><!-- Notepad++ -->
-			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
-			<ParentImage condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</ParentImage> <!--Enpass Password Manager-->
-			<Image condition="contains">C:\Program Files (x86)\Enpass\Enpass.exe</Image> <!--Enpass Password Manager-->
-			<ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
-			<ParentImage condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\scheduler.exe</ParentImage> <!--FortiClient Noise -->
-			<ParentImage condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\FCHelper64.exe</ParentImage> <!--FortiClient Noise -->
-			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image> <!-- Forticlient Updater -->
-			<Image condition="contains">C:\Program Files (x86)\SyncedTool\bin\agent_gui.exe</Image>
-			<Image condition="is">C:\Anchor Server\penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
-			<ParentImage condition="is">C:\Anchor Server\redis\redis-server.exe</ParentImage> <!-- eFolder Anchor Server -->
-			<Image condition="is">C:\Anchor Server\redis\redis-server.exe</Image> <!-- eFolder Anchor Server -->
-			<ParentImage condition="is">C:\PostgreSQL9.1\bin\postgres.exe</ParentImage> <!-- eFolder Anchor Server -->
-			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Anchor Server -->
-			<Image condition="is">C:\ProgramData\sysmon\sysmon64.exe</Image> <!-- Exclude Sysmon Process events -->
-		</ProcessCreate>
-
-	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
-		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1099 ] -->
-
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->
-		<FileCreateTime onmatch="include">
-			<Image condition="begin with">C:\Users</Image> <!--Look for timestomping in user area-->
-			<Image condition="begin with">C:\ProgramData</Image> <!--Look for timestomping in user area-->
-			<Image condition="contains">\Temp\</Image> <!--Mitre T1099--><!--Look for timestomping in temp folders-->
-		</FileCreateTime>
-
-		<FileCreateTime onmatch="exclude">
-			<Image condition="image">C:\Windows\system32\backgroundTaskHost.exe</Image>
-			<Image condition="is">TrustedInstaller.exe</Image> <!--Ignore setups-->
-			<Image condition="image">OneDrive.exe</Image> <!--OneDrive constantly changes file times-->
-			<Image condition="image">vivaldi.exe</Image> <!--Vivaldi constantly changes file times-->
-			<Image condition="image">chrome.exe</Image> <!--Chrome constantly changes file times-->
-			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image> <!--Chrome constantly changes file times-->
-			<Image condition="contains">setup</Image> <!--Ignore setups-->
-		</FileCreateTime>
-
-	<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
-		<!--COMMENT:	By default this configuration takes a very conservative approach to network logging, limited to only extremely high-signal events.-->
-		<!--COMMENT:	[ https://attack.mitre.org/wiki/Command_and_Control ] [ https://attack.mitre.org/wiki/Exfiltration ] [ https://attack.mitre.org/wiki/Lateral_Movement ] -->
-		<!--TECHNICAL:	For the DestinationHostname, Sysmon uses the GetNameInfo API, which will often not have any information, and may just be a CDN. This is NOT reliable for filtering.-->
-		<!--TECHNICAL:	For the DestinationPortName, Sysmon uses the GetNameInfo API for the friendly name of ports you see in logs.-->
-		<!--TECHNICAL:	These exe do not initiate their connections, and thus including does not work in this section: BITSADMIN.exe-->
-
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName-->
-		<NetworkConnect onmatch="include">
-			<!--Suspicious sources for network-connecting binaries-->
-			<Image condition="begin with">C:\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
-			<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
-			<Image condition="begin with">C:\Windows\Temp</Image> <!--Suspicious anything would communicate from the system-level temp directory-->
-			<Image condition="begin with">C:\Perflogs\</Image>
-			<Image condition="contains">config\systemprofile\</Image>
-			<Image condition="contains">\Windows\Fonts\</Image>
-			<Image condition="contains">\Windows\IME\</Image>
-			<Image condition="contains">\Windows\addins\</Image>
-			<Image condition="contains">chrome.exe</Image>
-			<Image condition="contains">iexplore.exe</Image>
-			<Image condition="contains">firefox.exe</Image>
-			<Image condition="contains">MicrosoftEdgeCP.exe</Image>
-			<Image condition="contains">MicrosoftEdge.exe</Image>
-			<Image condition="contains">explorer.exe</Image>
-			<!--Suspicious Windows tools-->
-			<Image condition="image">at.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
-			<Image condition="image">certutil.exe</Image> <!--Microsoft:Windows: Certificate tool can contact outbound | Credit @ion-storm and @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->
-			<Image condition="image">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
-			<Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
-			<Image condition="image">wscript.exe</Image><Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
-			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
-			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
-			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
-			<Image condition="image">regsvcs.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ] -->
-			<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Windows Services hidden by Svchost.exe, BITS File Transfer program-->
-			<Image condition="image">mshta.exe</Image>
-			<Image condition="image">powershell.exe</Image> <!--Microsoft:WindowsPowerShell: | Credit @Cyb3rOps -->
-			<Image condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
-			<Image condition="contains">pskill</Image><!--Detect pskill-->
-			<Image condition="contains">psshutdown</Image><!--Detect PsShutdown-->
-			<Image condition="contains">psservice</Image><!--Detect PsService-->
-			<Image condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
-			<Image condition="image">java.exe</Image>
-			<Image condition="image">msbuild.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
-			<Image condition="image">installutil.exe</Image>
-			<Image condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
-			<Image condition="image">reg.exe</Image><!-- Remote Registry -->
-			<Image condition="image">mstsc.exe</Image><!-- Remote Desktop -->
-			<Image condition="image">telnet.exe</Image><!-- Telnet -->
-			<Image condition="image">SyncAppvPublishingServer.exe</Image><!--Mitre T1218-->
-			<Image condition="image">Mavinject.exe</Image><!--Mitre T1218-->
-			<Image condition="image">ssh.exe</Image><!-- SSH -->
-			<Image condition="image">putty.exe</Image><!-- SSH -->
-			<Image condition="image">kitty.exe</Image><!-- SSH -->
-			<Image condition="image">kitty_portable.exe</Image><!-- SSH -->
-			<Image condition="image">psftp.exe</Image><!-- SFTP -->
-			<Image condition="image">tftp.exe</Image><!-- TFTP -->
-			<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
-			<Image condition="image">net.exe</Image><!-- net use/net view-->
-			<Image condition="image">nbtstat.exe</Image><!-- Netbios stat-->
-			<Image condition="image">dsquery.exe</Image><!-- Query domain-->
-			<Image condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
-			<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
-			<Image condition="image">sc.exe</Image><!-- Service Control Manager-->
-			<Image condition="image">auditpol.exe</Image><!-- Auditpol-->
-			<Image condition="image">qwinsta.exe</Image><!-- Query Remote Sessions-->
-			<Image condition="image">rwinsta.exe</Image><!-- Reset Remote Sessions-->
-			<!--Tor-->
-			<Image condition="image">tor.exe</Image><!-- Tor-->
-			<!--Hack tools hosting-->
-			<DestinationHostname condition="contains">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
-			<DestinationHostname condition="contains">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
-			<!--Suspicious destinations-->
-			<DestinationHostname condition="contains">api.ipify.org</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="contains">whatismyipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="contains">edns.ip-api.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="contains">checkip.dyndns.org</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="contains">icanhazip.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="contains">ifconfig.me</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="contains">ifconfig.co</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="contains">ipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="contains">ipinfo.io</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="contains">goo.gl</DestinationHostname>
-			<DestinationHostname condition="contains">git.io</DestinationHostname>
-			<DestinationHostname condition="contains">bit.ly</DestinationHostname>
-			<DestinationHostname condition="contains">t.co</DestinationHostname>
-			<DestinationHostname condition="contains">ow.ly</DestinationHostname>
-			<DestinationHostname condition="contains">ip-api.com</DestinationHostname> <!--Ransomware using ip-api for geolocation tracking-->
-			<!--Dynamic DNS Providers-->
-			<DestinationHostname condition="contains">dlinkddns.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">no-ip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">no-ip.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">no-ip.biz</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">no-ip.info</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">noip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">afraid.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">duckdns.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">changeip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">ddns.net</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">hopto.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">zapto.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">servehttp.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">sytes.net</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<!--Tor2Web Providers-->
-			<DestinationHostname condition="contains">onion.to</DestinationHostname>
-			<DestinationHostname condition="contains">onion.cab</DestinationHostname>
-			<DestinationHostname condition="contains">onion.sh</DestinationHostname>
-			<DestinationHostname condition="contains">onion.nu</DestinationHostname>
-			<DestinationHostname condition="contains">onion.direct</DestinationHostname>
-			<DestinationHostname condition="contains">tor2web.org</DestinationHostname>
-			<DestinationHostname condition="contains">tor2web.fi</DestinationHostname>
-			<DestinationHostname condition="contains">tor2web.blutmagie.de</DestinationHostname>
-			<DestinationHostname condition="contains">tor-gateways.de</DestinationHostname>
-			<DestinationHostname condition="contains">hiddenservice.net</DestinationHostname>
-			<!--Public Port Scan Detection-->
-			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">shodan</DestinationHostname>
-			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">shadow</DestinationHostname>
-			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">researchscan</DestinationHostname>
-			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">census</DestinationHostname>
-			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">linode</DestinationHostname>
-			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">sl-reverse</DestinationHostname>
-			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">scanhub</DestinationHostname>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">.edu</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">158.130.6.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">71.6.216.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">137.226.113.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">138.246.252.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">128.32.30.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">208.93.152.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">162.216.46.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">169.229.3.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">155.94.254.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">98.143.148.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">155.94.222.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">134.147.203.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">69.170.62.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">159.203.213.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">209.236.120.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">158.130.6</DestinationIp>
-			<!--Ports-->
-			<DestinationPort condition="is">80</DestinationPort> <!--RDP Port-->
-			<DestinationPort condition="is">443</DestinationPort> <!--RDP Port-->
-			<DestinationPort condition="is">3389</DestinationPort> <!--RDP Port-->
-			<DestinationPort condition="is">3540</DestinationPort> <!--Remote Assistance Port-->
-			<DestinationPort condition="is">22</DestinationPort>   <!--SSH Port-->
-			<DestinationPort condition="is">23</DestinationPort>   <!--Telnet Port-->
-			<DestinationPort condition="is">25</DestinationPort>   <!--SMTP Port-->
-			<DestinationPort condition="is">139</DestinationPort>  <!--SMB Port-->
-			<!--<DestinationPort condition="is">445</DestinationPort> SMB Port: Removed because of noise-->
-			<DestinationPort condition="is">5800</DestinationPort> <!--VNC Port-->
-			<DestinationPort condition="is">5900</DestinationPort> <!--VNC Port-->
-			<DestinationPort condition="is">1194</DestinationPort> <!--OpenVPN Port-->
-			<DestinationPort condition="is">1701</DestinationPort> <!--L2TP Port-->
-			<DestinationPort condition="is">1723</DestinationPort> <!--Tor Port-->
-			<DestinationPort condition="is">1293</DestinationPort> <!--IPSec Nat Traversal Port-->
-			<DestinationPort condition="is">4500</DestinationPort> <!--Tor Port-->
-			<DestinationPort condition="is">1080</DestinationPort> <!--Socks Port-->
-			<DestinationPort condition="is">8080</DestinationPort> <!--Socks Port-->
-			<DestinationPort condition="is">3128</DestinationPort> <!--Socks Port-->
-			<DestinationPort condition="is">9001</DestinationPort> <!--Tor Port-->
-			<DestinationPort condition="is">9030</DestinationPort> <!--Tor Port-->
-			<DestinationPort condition="is">4443</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">2448</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">8143</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">1777</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">1443</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">243</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">65535</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">13506</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">3360</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">200</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">198</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">49180</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">13507</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">3360</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">6625</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">4444</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">4438</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">1904</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">13505</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">13504</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">12102</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">9631</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">5445</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">2443</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">777</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">13394</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">13145</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">12103</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">5552</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">3939</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">3675</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">666</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">473</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">5649</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">4455</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">4433</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">1817</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">100</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">65520</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">1960</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">1515</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">743</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">700</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">14154</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">14103</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">14102</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">12322</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">10101</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">7210</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">4040</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">9943</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<!--Ports: Threats-->
-			<DestinationPort condition="is">7777</DestinationPort> <!-- https://www.hybrid-analysis.com/search?query=port:7777 -->
-			<DestinationPort condition="is">9943</DestinationPort> <!-- https://www.hybrid-analysis.com/search?query=port:9943 -->
-			<DestinationPort condition="is">666</DestinationPort> <!-- https://www.hybrid-analysis.com/search?query=port:666 -->
-		</NetworkConnect>
-		<NetworkConnect onmatch="exclude">
-			<!--SECTION: Microsoft -->
-			<Image condition="is">C:\Windows\System32\dns.exe</Image> <!-- Exclude Microsoft DNS Server DNS requests -->
-			<Image condition="is">C:\Windows\System32\find.exe</Image><!-- Oddly find.exe connects to localhost and creates spam -->
-			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</Image> <!-- Exclude Microsoft Exchange connecting to locahost -->
-			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe</Image> <!--Exchange Transport-->
-			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe</Image> <!--Exchange Edge Transport-->
-			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe</Image>
-			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe</Image>
-			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe</Image>
-			<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
-			<DestinationIsIpv6 condition="is">true </DestinationIsIpv6> <!-- IPv6 Exclusion: Re-Enable if you use ipv6 -->
-			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
-			<Image condition="image">Spotify.exe</Image> <!--Spotify-->
-			<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image> <!--Dropbox-->
-			<Image condition="image">OneDriveStandaloneUpdater.exe</Image> <!--Microsoft:OneDrive-->
-			<Image condition="image">ConnectWise.exe</Image> <!--ConnectWise Noise-->
-			<Image condition="image">ScreenConnect.WindowsClient.exe</Image> <!--ScreenConnect Noise-->
-			<Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
-			<Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
-			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser Installed in User profile-->
-			<DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
-			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
-			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->
-			<DestinationHostname condition="end with">.search.msn.com</DestinationHostname> <!--Bing & Cortana Searches-->
-			<DestinationHostname condition="end with">.wns.windows.com</DestinationHostname> <!-- Windows communication -->
-			<DestinationHostname condition="end with">akamaitechnologies.com</DestinationHostname> <!-- CDN for Microsoft, Apple, Valve, & More -->
-			<SourcePortName condition="is">llmnr</SourcePortName> <!--Silence Link-Local Multicast Name Resolution-->
-			<SourcePortName condition="is">ldap</SourcePortName> <!--Silence LDAP-->
-			<DestinationPortName condition="is">ldap</DestinationPortName> <!--Silence LDAP-->
-			<DestinationPortName condition="is">epmap</DestinationPortName> <!--Silence LDAP-->
-			<SourcePortName condition="is">epmap</SourcePortName> <!--Silence LDAP-->
-			<SourcePort condition="is">135</SourcePort>  <!--epmap Port-->
-			<DestinationPort condition="is">135</DestinationPort>  <!--epmap Port-->
-			<SourcePortName condition="is">ntp</SourcePortName> <!--Silence NTP-->
-			<DestinationPortName condition="is">ntp</DestinationPortName> <!--Silence NTP-->
-			<DestinationPortName condition="is">llmnr</DestinationPortName> <!--Silence Link-Local Multicast Name Resolution-->
-			<DestinationPortName condition="is">ssdp</DestinationPortName> <!--Simple Service Discovery Protocol (SSDP-->
-			<SourcePortName condition="is">ssdp</SourcePortName> <!--Simple Service Discovery Protocol (SSDP-->
-			<DestinationPort condition="is">5353</DestinationPort> <!--Bonjour/Avahi Discovery-->
-			<DestinationPortName condition="is">netbios-ns</DestinationPortName> <!--Netbios DNS Resolution-->
-			<DestinationPortName condition="is">netbios-dgm</DestinationPortName> <!--Netbios Datagram Services-->
-			<DestinationHostname condition="end with">1e100.net</DestinationHostname> <!--Google Chrome Safe Search checks-->
-			<DestinationPort condition="is">5228</DestinationPort> <!--Google Chrome Safe Search checks-->
-			<DestinationPort condition="is">5357</DestinationPort> <!--WSD API noise-->
-			<DestinationPort condition="is">3544</DestinationPort> <!--Teredo-->
-			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
-			<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
-			<Image condition="is">C:\Program Files (x86)\SmartGit\jre\bin\java.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image>
-			<Image condition="end with">penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
-			<DestinationHostname condition="begin with">efolder01</DestinationHostname> <!-- eFolder Noise -->
-			<DestinationPort condition="is">2080</DestinationPort><!--eFolder Noise -->
-			<Image condition="end with">g2mcomm.exe</Image> <!-- gotomeeting noise -->
-			<Image condition="is">C:\Program Files (x86)\LabTech Client\LTClient.exe</Image>
-			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
-			<Image condition="begin with">C:\Program Files (x86)\SmartGit\</Image>
-			<Image condition="end with">DSPro\Programs\pr001Celery98.exe</Image>
-			<Image condition="image">g2ax_comm_expert.exe</Image> <!--GoToMeeting-->
-			<Image condition="image">g2mcomm.exe</Image> <!--GoToMeeting-->
-			<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image> <!--Microsoft: Teams-->
-		</NetworkConnect>
-
-	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->
-
-		<!--DATA: UtcTime, State, Version, SchemaVersion-->
-		<!--Cannot be filtered.-->
-
-	<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
-		<!--COMMENT:	Useful data in building infection timelines.-->
-
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image-->
-		<ProcessTerminate onmatch="include">
-		<!--COMMENT:	Useful data in building infection timelines.-->
-			<Image condition="begin with">C:\Users</Image> <!--Process terminations by user binaries-->
-			<Image condition="begin with">C:\ProgramData</Image> <!--Process terminations by user binaries-->
-			<Image condition="begin with">C:\Windows\Temp</Image> <!--Process terminations by user binaries-->
-			<Image condition="end with">Sysmon.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec-->
-		</ProcessTerminate>
-
-	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
-		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
-			about what you exclude from monitoring. Low event volume, little incentive to exclude.
-			[ https://attack.mitre.org/wiki/Technique/T1014 ] -->
-		<!--TECHNICAL:	Sysmon will check the signing certificate revocation status of any driver you don't exclude.-->
-
-		<!--DATA: UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
-		<DriverLoad onmatch="exclude">
-		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
-				about what you exclude from monitoring. Low event volume, little incentive to exclude.-->
-			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft drivers-->
-			<Signature condition="is">Microsoft Windows</Signature> <!--Exclude signed Microsoft drivers-->
-			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft drivers-->
-			<Signature condition="begin with">Intel</Signature> <!--Exclude signed Intel drivers-->
-			<Signature condition="contains">Lenovo</Signature> <!--Exclude signed Lenovo drivers-->
-			<Signature condition="contains">Synaptic</Signature> <!--Exclude signed Synaptic drivers-->
-			<Signature condition="contains">Nvidia</Signature> <!--Exclude signed Nvidia drivers-->
-			<Signature condition="contains">Broadcom</Signature> <!--Exclude signed Broadcom drivers-->
-			<Signature condition="contains">AMD</Signature> <!--Exclude signed AMD drivers-->
-			<Signature condition="contains">VMware</Signature> <!--Exclude signed VMware drivers-->
-			<Signature condition="contains">Realtek</Signature> <!--Exclude signed Realtek drivers-->
-			<Signature condition="contains">Micro-Star</Signature> <!--Exclude signed MSI drivers-->
-			<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech drivers-->
-			<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia drivers-->
-			<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed MSI drivers-->
-			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed Fortinet drivers-->
-			<Signature condition="contains">Webroot</Signature> <!--Exclude signed Webroot drivers-->
-			<Signature condition="is">NoVirusThanks Company Srl</Signature> <!--Exclude signed drivers-->
-			<Signature condition="contains">Invincea</Signature> <!--Exclude signed drivers-->
-			<Signature condition="contains">ShoreTel</Signature> <!--Exclude signed drivers-->
-			<Signature condition="contains">Synology</Signature> <!--Exclude signed drivers-->
-			<Signature condition="contains">Citrix</Signature> <!--Exclude signed drivers-->
-			<Signature condition="contains">SonicWall</Signature> <!--Exclude signed drivers-->
-			<Signature condition="contains">Sophos</Signature> <!--Exclude signed drivers-->
-			<Signature condition="contains">OpenVPN</Signature> <!--Exclude signed drivers-->
-		</DriverLoad>
-
-	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
-		<!--COMMENT:	Can cause high system load, disabled by default.-->
-		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1073 ] [ https://attack.mitre.org/wiki/Technique/T1038 ] [ https://attack.mitre.org/wiki/Technique/T1034 ] -->
-
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
-		<ImageLoad onmatch="include">
-			<Signed condition="is">false</Signed> <!-- Lets Only show Unsigned DLL's loaded-->
-			<SignatureStatus condition="is">Invalid</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
-			<SignatureStatus condition="is">Unavailable</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
-			<ImageLoaded condition="contains">C:\windows\system32\fxsst.dll</ImageLoaded> <!-- CIA Vault7 Leak: Fax DLL Injection -->
-			<ImageLoaded condition="contains">C:\Windows\System32\wbem\oci.dll</ImageLoaded> <!-- CIA Vault7 Leak: Distributed Transaction Coordinator DLL Injection -->
-			<ImageLoaded condition="contains">\Temp\</ImageLoaded>
-		</ImageLoad>
-		<ImageLoad onmatch="exclude">
-			<SignatureStatus condition="is">Valid</SignatureStatus>
-			<ImageLoaded condition="end with">System32\samlib.dll</ImageLoaded> <!-- Spam -->
-			<ImageLoaded condition="end with">System32\cryptdll.dlll</ImageLoaded> <!-- Spam -->
-			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft libraries-->
-			<Signature condition="is">Microsoft Windows</Signature> <!--Exclude signed Microsoft libraries-->
-			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft libraries-->
-			<Signature condition="begin with">Intel</Signature> <!--Exclude signed Intel libraries-->
-			<Signature condition="contains">Lenovo</Signature> <!--Exclude signed Lenovo libraries-->
-			<Signature condition="contains">Synaptic</Signature> <!--Exclude signed Synaptic libraries-->
-			<Signature condition="contains">Nvidia</Signature> <!--Exclude signed Nvidia libraries-->
-			<Signature condition="contains">Broadcom</Signature> <!--Exclude signed Broadcom libraries-->
-			<Signature condition="contains">AMD</Signature> <!--Exclude signed AMD libraries-->
-			<Signature condition="contains">VMware</Signature> <!--Exclude signed VMware libraries-->
-			<Signature condition="contains">Realtek</Signature> <!--Exclude signed Realtek libraries-->
-			<Signature condition="contains">Micro-Star</Signature> <!--Exclude signed MSI libraries-->
-			<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech libraries-->
-			<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia libraries-->
-			<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed MSI libraries-->
-			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed MSI libraries-->
-			<Company condition="contains">Microsoft</Company>
-			<Product condition="contains">Microsoft</Product>
-			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
-			<Signature condition="contains">Webroot</Signature> <!--Exclude signed MSI libraries-->
-			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
-			<Image condition="is">C:\Windows\System32\mmc.exe</Image>
-			<Image condition="is">C:\Windows\System32\SearchFilterHost.exe</Image>
-			<Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image>
-			<Image condition="is">C:\Windows\sysmon64.exe</Image>
-			<Image condition="is">C:\Windows\System32\inetsrv\w3wp.exe</Image>
-			<ImageLoaded condition="is">C:\Windows\sysmon64.exe</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\conhost.exe</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\winspool.drv</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\wshqos.</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\clusapi.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\wow64win.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\pcwum.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\kernel32.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\user32.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\dns.exe</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\zvprtmon5.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\termsrv.dll</ImageLoaded>
-			<ImageLoaded condition="begin with">C:\Windows\System32\spool\</ImageLoaded>
-			<ImageLoaded condition="end with">samlib.dll</ImageLoaded>
-			<ImageLoaded condition="contains">C:\Program Files (x86)\SmartGit</ImageLoaded> <!--SmartGit-->
-			<ImageLoaded condition="contains">syntevo\SmartGit</ImageLoaded> <!--SmartGit-->
-			<ImageLoaded condition="contains">Labtech Client</ImageLoaded>
-			<ImageLoaded condition="contains">CrystalDecisions</ImageLoaded>
-			<ImageLoaded condition="contains">ShoreWare</ImageLoaded>
-			<ImageLoaded condition="is">C:\Program Files\Microsoft SQL Server\100\Shared\dbghelp.dll</ImageLoaded>
-			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <!-- Windows Store apps unsigned -->
-			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
-			<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: Not good for security but good on cutting down the noise, we do log dropped dll's -->
-			<ImageLoaded condition="contains">C:\Windows\assembly\NativeImages</ImageLoaded> <!-- Event Viewer -->
-			<ImageLoaded condition="contains">C:\Program Files\WindowsApps</ImageLoaded> <!-- Windows Store Apps: Apparently most dll's here are unsigned and causes noise -->
-			<!-- Custom App Exclusions -->
-			<ImageLoaded condition="is">C:\Program Files (x86)\AutoSizer\AutoSizer.dll</ImageLoaded> <!-- I use autosizer to re-arrange my windows -->
-			<ImageLoaded condition="contains">C:\Program Files (x86)\Notepad++</ImageLoaded> <!--Notepad++ Plugins Are unsigned-->
-			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image> <!-- eFolder SyncedTool -->
-			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Server loading unsigned dll's -->
-			<Image condition="is">C:\Windows\System32\VSSVC.</Image>
-			<Image condition="is">C:\Windows\System32\conhost.exe</Image>
-			<Image condition="is">C:\Windows\System32\svchost.exe</Image>
-			<Image condition="is">C:\Windows\System32\NETSTAT.EXE</Image>
-			<Image condition="is">C:\Windows\System32\inetsrv\w3wp.exe</Image>
-			<Image condition="is">C:\Windows\System32\tasklist.exe</Image>
-			<Image condition="is">C:\Windows\System32\nslookup.exe</Image>
-			<Image condition="is">C:\Windows\System32\find.exe</Image>
-			<Image condition="is">C:\cs\tools\php\php-cgi.exe</Image>
-			<Image condition="is">C:\Windows\System32\nbtstat.exe</Image>
-			<Image condition="is">C:\Windows\System32\dsquery.exe</Image>
-			<Image condition="is">C:\Windows\System32\netsh.exe</Image>
-			<Image condition="is">C:\Windows\System32\taskeng.exe</Image>
-			<Image condition="is">C:\ProgramData\sysmon\sysmon64.exe</Image>
-			<Image condition="contains">SQL Server</Image>
-			<ImageLoaded condition="contains">SQL Server</ImageLoaded>
-			<Image condition="contains">Exchange Server</Image>
-			<ImageLoaded condition="contains">Exchange Server</ImageLoaded>
-		</ImageLoad>
-
-	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
-		<!--COMMENT:	Monitor for processes injecting code into other processes. Often used by malware to cloak their actions. Also when Firefox loads Flash.
-		[ https://attack.mitre.org/wiki/Technique/T1055 ] -->
-
-		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
-		<CreateRemoteThread onmatch="exclude">
-			<!--COMMENT: Exclude mostly-safe sources and log anything else.-->
-			<SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\SysWOW64\wbem\WmiPrvSE.exe</SourceImage>			
-			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\system32\csrss.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\system32\services.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\system32\winlogon.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\system32\audiodg.exe</SourceImage>
-			<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage>
-			<SourceImage condition="contains">FireSvc.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
-			<TargetImage condition="end with">controls\cef\ConnectWise.exe</TargetImage>
-		</CreateRemoteThread>
-
-	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
-		<!--EVENT 9: "RawAccessRead detected"-->
-		<!--COMMENT:	Can cause high system load, disabled by default.-->
-		<!--COMMENT:	Monitor for raw sector-level access to the disk, often used to bypass access control lists or access locked files.
-			Disabled by default since including even one entry here activates this component. Reward/performance/rule maintenance decision.
-			Encourage you to experiment with this feature yourself. [ https://attack.mitre.org/wiki/Technique/T1067 ] -->
-		<!--COMMENT:	You will likely want to set this to a full capture on domain controllers, where no process should be doing raw reads.-->
-
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, Device-->
-		<RawAccessRead onmatch="include">
-		</RawAccessRead>
-
-	<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
-		<!--EVENT 10: "Process accessed"-->
-		<!--COMMENT:	Can cause high system load, disabled by default.-->
-		<!--COMMENT:	Monitor for processes accessing other process' memory.-->
-		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
-		<ProcessAccess onmatch="include">
-			<TargetImage condition="end with">:\Windows\System32\lsass.exe</TargetImage>
-			<TargetImage condition="end with">:\Windows\System32\winlogon.exe</TargetImage>
-			<SourceImage condition="contains">powershell.exe</SourceImage>
-			<TargetImage condition="contains">verclsid.exe</TargetImage>
-			<CallTrace condition="contains">VBE7.dll</CallTrace>
-			<CallTrace condition="contains">CorperfmontExt.dll</CallTrace>
-		<!--COMMENT:	Monitor for processes accessing other process' memory. This can be valuable, but can cause massive event glut.
-				Disabled by default since including even one entry here activates this component. Reward/performance decision.
-				Encourage you to experiment with this feature yourself.
-				Uses 4mbs+ IO -->
-		</ProcessAccess>
-		<ProcessAccess onmatch="exclude">
-			<!-- Filter out common access masks
-			A reference is available here for the mask: https://msdn.microsoft.com/en-us/library/windows/desktop/ms684880%28v=vs.85%29.aspx
-			Ideally an access mask with any of the following is useful:
-			PROCESS_VM_WRITE (0x0020)
-			PROCESS_VM_READ (0x0010)
-			PROCESS_VM_OPERATION (0x0008)
-          
-			0x1410 (potential memory read) is common activity. E.g. by taskmgr.exe. We only want to capture this against lsass.exe and winlogon.exe, but this logic is in the subscription.
-			-->
-			<GrantedAccess condition="is">0x40</GrantedAccess>
-			<GrantedAccess condition="is">0x101000</GrantedAccess>
-			<GrantedAccess condition="is">0x1000</GrantedAccess>
-			<GrantedAccess condition="is">0x1400</GrantedAccess>
-			<GrantedAccess condition="is">0x100000</GrantedAccess>
-			<GrantedAccess condition="is">0x3200</GrantedAccess>
-			<GrantedAccess condition="is">0x101400</GrantedAccess>
-			<GrantedAccess condition="is">0x101001</GrantedAccess>
-			
-			<!-- These binaries appear to access lsass legitimately -->
-			<SourceImage condition="is">C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
-			<SourceImage condition="begin with">C:\ProgramData\Microsoft\Windows Defender\platform\</SourceImage>
-			<SourceImage condition="is">C:\Windows\system32\msiexec.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\system32\spoolsv.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files\N-able Technologies\AVDefender\EPUpdateService.exe</SourceImage>
-			<SourceImage condition="contains">taskmgr</SourceImage>
-			<SourceImage condition="end with">wbem\wmiprvse.exe</SourceImage>
-			<SourceImage condition="end with">\EMET_Service.exe</SourceImage>
-			<SourceImage condition="end with">\EMET_GUI.exe</SourceImage>
-			<SourceImage condition="end with">\procexp64.exe</SourceImage>
-			<SourceImage condition="contains">processhacker</SourceImage>
-			<SourceImage condition="end with">\Bin\FMS.exe</SourceImage> <!-- Exchange Process -->
-			<SourceImage condition="contains">\Exchange Server\</SourceImage>
-			<SourceImage condition="contains">SQL</SourceImage>
-			<SourceImage condition="end with">:\Windows\System32\smss.exe</SourceImage>
-			<SourceImage condition="end with">:\Windows\system32\csrss.exe</SourceImage>
-			<SourceImage condition="end with">:\Windows\system32\wininit.exe</SourceImage>
-			<SourceImage condition="end with">\Google\Update\GoogleUpdate.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files\Webroot\WRSA.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
-			<TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
-			<TargetImage condition="is">C:\Windows\Sysmon.exe</TargetImage>
-			<TargetImage condition="is">C:\Windows\Sysmon64.exe</TargetImage>
-			<!-- ScreenConnect Querying lsass/winlogon SPAM -->
-			<SourceImage condition="contains">ScreenConnect</SourceImage>
-			<!-- These binaries get or access processes running .NET -->
-			<SourceImage condition="end with">:\Windows\system32\sppsvc.exe</SourceImage>
-			<SourceImage condition="end with">:\Windows\system32\sdiagnhost.exe</SourceImage>
-			<!-- In testing a common false-positive is memory space that DLLS would be expected to mapped to. -->
-			<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
-			<SourceImage condition="contains">ShadowProtect</SourceImage>
-			<SourceImage condition="is">C:\Hlthpnt\bin\IM.exe</SourceImage>
-			<SourceImage condition="end with">Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe</SourceImage>
-			<SourceImage condition="end with">Common Files\Adobe\AdobeGCClient\AGSService.exe</SourceImage>
-			<SourceImage condition="begin with">C:\ProgramData\WebEx\webex\</SourceImage>
-			<SourceImage condition="end with">Dropbox\Update\DropboxUpdate.exe</SourceImage>
-			<SourceImage condition="end with">LTSvc\LTSVC.exe</SourceImage>
-			<SourceImage condition="end with">\Trusteer\Rapport\bin\RapportMgmtService.exe</SourceImage>
-			<SourceImage condition="end with">Adobe\AdobeGCClient\AGMService.exe</SourceImage>
-			<SourceImage condition="end with">NT-ware Shared\MomAdmSvc\MomAdmSvc.exe</SourceImage>
-			<SourceImage condition="end with">\Autodesk\Autodesk Desktop App\AdAppMgrSvc.exe</SourceImage>
-		</ProcessAccess>
-
-	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
-		<!--EVENT 11: "File created"-->
-		<!--NOTE:	Other filesystem "minifilters" can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
-		<!--NOTE:	You may not see files detected by antivirus. Other filesystem minifilters, like antivirus, can act before Sysmon receives the alert a file was written.-->
-
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
-		<FileCreate onmatch="include">
-			<TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links and shortcut modification-->
-			<TargetFilename condition="contains">\Startup</TargetFilename> <!--Microsoft:Office: Changes to user's autoloaded files under AppData-->
-			<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments--> <!--PRIVACY WARNING-->
-			<TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE--> <!--PRIVACY WARNING-->
-			<TargetFilename condition="end with">.dll</TargetFilename> <!-- Lets detect DLL's being dropped in locations and to detect DLL Search Order Hijacking -->
-			<TargetFilename condition="end with">.ocx</TargetFilename>
-			<TargetFilename condition="end with">.sys</TargetFilename> <!-- Lets detect Drivers's being dropped in locations -->
-			<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
-			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
-			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
-			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
-			<TargetFilename condition="end with">.com</TargetFilename> <!--Batch scripting: Batch scripts can also use the .com extension -->
-			<TargetFilename condition="end with">.btm</TargetFilename> <!--Batch scripting: Batch scripts can also use the .btm extension -->
-			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
-			<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
-			<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
-			<TargetFilename condition="end with">.msc</TargetFilename> <!--Executable-->
-			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
-			<TargetFilename condition="end with">.ws</TargetFilename> <!--Scripting-->
-			<TargetFilename condition="end with">.wsf</TargetFilename> <!--Scripting-->
-			<TargetFilename condition="end with">.wsh</TargetFilename> <!--Scripting-->
-			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
-			<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
-			<TargetFilename condition="end with">.ps1xml</TargetFilename> <!--PowerShell's other file extensions: -->
-			<TargetFilename condition="end with">.psc1</TargetFilename> <!--PowerShell's other file extensions: -->
-			<TargetFilename condition="end with">.psd1</TargetFilename> <!--PowerShell's other file extensions: -->
-			<TargetFilename condition="end with">.psm1</TargetFilename> <!--PowerShell's other file extensions: -->
-			<TargetFilename condition="end with">.pssc</TargetFilename> <!--PowerShell's other file extensions: -->
-			<TargetFilename condition="end with">.cdxml</TargetFilename> <!--PowerShell's other file extensions: -->
-			<TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
-			<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry files-->
-			<TargetFilename condition="end with">.docm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.xlsm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.xlam</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.potm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.sldm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
-			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
-			<TargetFilename condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
-			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
-			<TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting-->
-			<TargetFilename condition="end with">.vbsript</TargetFilename> <!--VisualBasicScripting-->
-			<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting-->
-			<TargetFilename condition="end with">.js</TargetFilename> <!--Java Scripting-->
-			<TargetFilename condition="end with">.jse</TargetFilename> <!--Java Scripting-->
-			<TargetFilename condition="end with">proj</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
-			<TargetFilename condition="end with">.sln</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
-			<TargetFilename condition="end with">.xls</TargetFilename> <!--Legacy Office files are often used for attacks-->
-			<TargetFilename condition="end with">.ppt</TargetFilename> <!--Legacy Office files are often used for attacks-->
-			<TargetFilename condition="end with">.rft</TargetFilename> <!--RTF files often 0day malware vectors when opened by Office-->
-			<TargetFilename condition="end with">.SettingContent-ms</TargetFilename> <!--More info: https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39-->
-			<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
-			<TargetFilename condition="contains">\Desktop</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
-			<TargetFilename condition="contains">\Documents</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
-			<TargetFilename condition="begin with">C:\Windows\System32\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
-			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
-			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
-			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
-			<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks-->
-			<TargetFilename condition="begin with">C:\Windows\System32\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
-			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
-			<TargetFilename condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
-			<TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
-			<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
-			<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks -->
-			<TargetFilename condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename> <!--Microsoft:Windows: Application compatibility shims [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
-			<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename> <!--Microsoft: Files dropped here -->
-			<!--SECTION: Other suspicious file types to monitor-->
-			<TargetFilename condition="end with">.ICL</TargetFilename>
-			<TargetFilename condition="end with">.FON</TargetFilename>
-			<TargetFilename condition="end with">.FOT</TargetFilename>
-			<TargetFilename condition="end with">.ico</TargetFilename>
-			<TargetFilename condition="end with">.lnk</TargetFilename>
-			<TargetFilename condition="end with">.eml</TargetFilename>
-			<TargetFilename condition="end with">.msg</TargetFilename>
-			<TargetFilename condition="end with">.SCT</TargetFilename>
-			<TargetFilename condition="end with">.SCR</TargetFilename>
-			<TargetFilename condition="end with">.SHB</TargetFilename>
-			<TargetFilename condition="end with">.SHS</TargetFilename>
-			<TargetFilename condition="end with">.PAF</TargetFilename>
-			<TargetFilename condition="end with">.JSE</TargetFilename>
-			<TargetFilename condition="end with">.gadget</TargetFilename>
-			<TargetFilename condition="end with">.cpl</TargetFilename>
-			<TargetFilename condition="end with">.inf</TargetFilename>
-			<!--SECTION: Ransomware-->
-			<TargetFilename condition="contains">help_decrypt</TargetFilename>
-			<TargetFilename condition="contains">help_restore</TargetFilename>
-			<TargetFilename condition="contains">ReadDecryptFilesHere</TargetFilename>
-			<TargetFilename condition="contains">howto_recover_file</TargetFilename>
-			<TargetFilename condition="contains">recover_file_</TargetFilename>
-			<TargetFilename condition="contains">Recovery_file_</TargetFilename>
-			<TargetFilename condition="contains">how_to_decrypt</TargetFilename>
-			<TargetFilename condition="contains">encryptor_raas_readme_liesmich</TargetFilename>
-			<TargetFilename condition="contains">_how_recover_</TargetFilename>
-			<TargetFilename condition="contains">HOWTO_RESTORE_FILES_</TargetFilename>
-			<TargetFilename condition="contains">help_my_files</TargetFilename>
-			<TargetFilename condition="contains">how_recover</TargetFilename>
-			<TargetFilename condition="contains">HELP_TO_SAVE_FILES</TargetFilename>
-			<TargetFilename condition="contains">DECRYPT_INSTRUCTIONS</TargetFilename>
-			<TargetFilename condition="contains">YOUR_FILES.url</TargetFilename>
-			<TargetFilename condition="contains">Coin.Locker.txt</TargetFilename>
-			<TargetFilename condition="contains">_secret_code.txt</TargetFilename>
-			<TargetFilename condition="contains">Decrypt_readme.txt</TargetFilename>
-			<TargetFilename condition="contains">INSTUCCIONES_DESCRIFRADO</TargetFilename>
-			<TargetFilename condition="contains">FILESAREGONE.txt</TargetFilename>
-			<TargetFilename condition="contains">IAMREADYTOPAY.TXT</TargetFilename>
-			<TargetFilename condition="contains">HELLOTHERE.TXT</TargetFilename>
-			<TargetFilename condition="contains">READTHISNOW!!!.txt</TargetFilename>
-			<TargetFilename condition="contains">SECRETIDHERE.KEY</TargetFilename>
-			<TargetFilename condition="contains">IHAVEYOURSECRET.KEY</TargetFilename>
-			<TargetFilename condition="contains">SECRET.KEY</TargetFilename>
-			<TargetFilename condition="contains">HELPDECRYPT_YOUR_FILES.HTML</TargetFilename>
-			<TargetFilename condition="contains">RECOVERY_FILES.TXT</TargetFilename>
-			<TargetFilename condition="contains">RECOVERY_FILE.</TargetFilename>
-			<TargetFilename condition="contains">HowtoRestore_Files</TargetFilename>
-			<TargetFilename condition="contains">restorefiles</TargetFilename>
-			<TargetFilename condition="contains">howrecover+</TargetFilename>
-			<TargetFilename condition="contains">recoveryfile</TargetFilename>
-			<TargetFilename condition="contains">help_recover_instructions</TargetFilename>
-			<TargetFilename condition="contains">_Locky_recover</TargetFilename>
-			<TargetFilename condition="contains">_ReCoVeRy_</TargetFilename>
-			<!--SamSam Ransomware File drops -->
-			<TargetFilename condition="contains">www.exe</TargetFilename>
-			<TargetFilename condition="contains">ps.exe</TargetFilename>
-			<TargetFilename condition="contains">nt.exe</TargetFilename>
-			<TargetFilename condition="contains">doliohdyjkajd.dll</TargetFilename>
-			<TargetFilename condition="contains">run2.exe</TargetFilename>
-			<TargetFilename condition="contains">ping2.exe</TargetFilename>
-			<!--END: SamSam Ransomware File drops -->
-			<!--SECTION: Certificates -->
-			<TargetFilename condition="contains">.pem</TargetFilename>
-			<TargetFilename condition="contains">.crt</TargetFilename>
-			<TargetFilename condition="contains">.ca-bundle</TargetFilename>
-			<TargetFilename condition="contains">.cer</TargetFilename>
-			<TargetFilename condition="contains">.csr</TargetFilename>
-			<TargetFilename condition="contains">.der</TargetFilename>
-			<TargetFilename condition="contains">.p7b</TargetFilename>
-			<TargetFilename condition="contains">.p7r</TargetFilename>
-			<TargetFilename condition="contains">.p7s</TargetFilename>
-			<TargetFilename condition="contains">.pfx</TargetFilename>
-			<TargetFilename condition="contains">.sto</TargetFilename>
-			<TargetFilename condition="contains">.p12</TargetFilename>
-			<TargetFilename condition="contains">.crl</TargetFilename>
-			<TargetFilename condition="contains">.sst</TargetFilename>
-			<TargetFilename condition="contains">.key</TargetFilename>
-			<!--SECTION: CIA Vault7 Leak -->
-			<TargetFilename condition="contains">.mht</TargetFilename> <!-- Vault7 CIA Leak: Possible malformed file will escape IE sandbox -->
-			<TargetFilename condition="contains">.cpl</TargetFilename> <!-- Vault7 CIA Leak: Control Panel Persistence -->
-			<TargetFilename condition="contains">.scr</TargetFilename> <!-- Vault7 CIA Leak: Screensaver Persistence -->
-			<TargetFilename condition="contains">.manifest</TargetFilename>
-			<TargetFilename condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
-			<TargetFilename condition="contains">HammerDrillStatus.dll</TargetFilename> <!-- Vault7 CIA Leak: HammerDrill DLL -->
-			<!--SECTION: Mimikatz-->
-			<!--Default-disable <TargetFileName condition="end with">.kirbi</TargetFileName> --> <!-- [ https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos ] -->
-		</FileCreate>
-		<FileCreate onmatch="exclude">
-			<TargetFilename condition="begin with">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates\</TargetFilename> <!--Microsoft:Windows: taskhostw re-creates certificate store constantly-->
-			<TargetFilename condition="end with">\Downloads</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
-			<TargetFilename condition="end with">\Start Menu</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
-			<TargetFilename condition="end with">\Start Menu\Programs</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
-			<TargetFilename condition="end with">\Start Menu\Programs\Startup</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
-			<!--SECTION: Microsoft-->
-			<Image condition="contains">C:\Windows\System32\svchost.exe</Image> <!-- Microsoft:Windows: Svchost creating thousands of files, creating new profiles on TS's -->
-			<Image condition="contains">C:\Windows\System32\smss.exe</Image> <!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
-			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\IE</TargetFilename> <!-- Microsoft:Windows: Creates thousands of files including new profiles -->
-			<Image condition="is">\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates</Image>
-			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost -->
-			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe -->
-			<TargetFilename condition="begin with">C:\Windows\System32\DriverStore\Temp\</TargetFilename> <!-- Microsoft:Windows: Temp files by DrvInst.exe-->
-			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe-->
-			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost-->
-			<TargetFilename condition="end with">.SQM</TargetFilename> <!-- Ignore Exchange files created -->
-			<TargetFilename condition="end with">.SPL</TargetFilename> <!-- Ignore Spooled Print Jobs -->
-			<TargetFilename condition="end with">.SHD</TargetFilename> <!-- Ignore Spooled Print Jobs -->
-			<Image condition="is">C:\Program Files (x86)\EMET 5.5\EMET_Service.exe</Image> <!--Microsoft:EMET: Writes to C:\Windows\AppPatch\-->
-			<Image condition="is">C:\Windows\system32\mobsync.exe</Image> <!--Microsoft:Windows: Network file syncing-->
-			<TargetFilename condition="begin with">C:\Windows\Installer\</TargetFilename> <!--Microsoft:Windows:Installer: Ignore MSI installer files caching-->
-			<!--SECTION: Microsoft:Office-->
-			<TargetFilename condition="is">C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask</TargetFilename>
-			<!--SECTION: Microsoft:Windows:Updates-->
-			<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\</TargetFilename> <!-- Microsoft:Windows: Feature updates containing lots of .exe and .sys-->
-			<TargetFilename condition="end with">.etl</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->
-			<TargetFilename condition="end with">.log</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->
-			<Image condition="begin with">C:\WINDOWS\winsxs\amd64_microsoft-windows</Image> <!-- Microsoft:Windows: Windows update-->
-			<Image condition="begin with">Firefox Setup </Image> <!-- Firefox:Installer -->
-			<TargetFilename condition="is">C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive</TargetFilename> <!--Powershell spam!-->
-			<TargetFilename condition="is">C:\Windows\System32\config\netlogon.ftl</TargetFilename> <!-- Microsoft:Windows: Domain login cache-->
-			<Image condition="is">\\?\C:\Windows\system32\wbem\WMIADAP.EXE</Image><!-- Microsoft:Windows: WMI Performance updates-->
-			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image><!-- Microsoft:Office Click2Run-->
-			<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image><!-- Microsoft:Windows: Windows 10 app, creates tons of cache files-->
-			<Image condition="is">C:\Program Files\Microsoft SQL Server\110\LocalDB\Binn\sqlservr.exe</Image><!-- Microsoft:SQL Server: Creating tons of files-->
-			<Image condition="is">C:\Windows\System32\smss.exe</Image><!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
-			<Image condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</Image><!-- MSI: Helpdesk Updater-->
-			<Image condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</Image><!-- MSI: Dragon Center Updater-->
-			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image><!-- VMware:vSphere: Creates .cmdline apps in appdata\*\Temp-->
-			<!--SECTION: Dell-->
-			<Image condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</Image>
-			<!--SECTION: Intel-->
-			<Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image> <!--Intel: Drops bat and other files in \Windows in normal operation-->
-			<!--SECTION: Chrome Noise-->
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlUws.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlMalBin.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlMalware.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlSoceng.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\ChromeExtMalware.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\ChromeUrlClientIncident.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\IpMalware.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlSubresourceFilter.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlCsdWhitelist.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlCsdDownloadWhitelist.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\CertCsdDownloadWhitelist.store_new</TargetFilename>
-			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
-			<!--SECTION: Adobe-->
-			<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Acrobat Update Task</TargetFilename>
-			<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Flash Player Updater</TargetFilename>
-			<!--SECTION: Connectwise-->
-			<Image condition="is">C:\Program Files (x86)\ConnectWise\PSA.net\ConnectWise.exe</Image>
-			<!--SECTION: Datto-->
-			<Image condition="is">C:\Program Files\Datto\Datto Windows Agent\DattoBackupAgent.exe</Image>
-			<!--SECTION: Toshiba Print Drivers-->
-			<TargetFilename condition="begin with">C:\Windows\System32\config\systemprofile\TOSHIBA\</TargetFilename>
-			<TargetFilename condition="contains">TOSHIBA\eSTUDIOX\UNIDRV</TargetFilename>
-			<TargetFilename condition="end with">N-able Technologies\AVDefender\ThreatScanner\Antivirus-NewTemp\bdcore.dll</TargetFilename>
-			<TargetFilename condition="end with">N-able Technologies\AVDefender\ThreatScanner\Antivirus-NewTemp\scanclient.dll</TargetFilename>
-			<TargetFilename condition="begin with">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\Repository\nagent</TargetFilename>
-			<TargetFilename condition="begin with">C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\</TargetFilename>
-		</FileCreate>
-
-	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
-		<!--EVENT 12: "Registry object added or deleted"-->
-		<!--EVENT 13: "Registry value set-->
-		<!--EVENT 14: "Registry objected renamed"-->
-		
-		<!--NOTE:	"contains" conditions below are formatted to reduce CPU load, so they may appear written inconsistently, but this is on purpose from tuning.-->
-		<!--NOTE:	"contains" works by finding the first letter, then matching the second, etc, so the first letters should be as low-occurrence as possible.-->
-		<!--NOTE:	Windows writes hundreds or thousands of registry keys a minute, so just because you're not changing things, doesn't mean these rules aren't being run.-->
-		<!--NOTE:	You do not have to spend a lot of time worrying about performance, CPUs are fast, but it's something to consider. Every rule and condition type has a small cost.-->
-		<!--NOTE:	[ https://attack.mitre.org/wiki/Technique/T1112 ] -->
-
-		<!--TECHNICAL:	You cannot filter on the "Details" attribute, due to performance issues when very large keys are written, and variety of data formats-->
-		<!--TECHNICAL:	Possible prefixes are HKLM, HKCR, and HKU-->
-		<!--CRITICAL:	Schema version 3.30 and higher change HKLM\="\REGISTRY\MACHINE\" and HKU\="\REGISTRY\USER\" and HKCR\="\REGISTRY\MACHINE\SOFTWARE\Classes\" and CurrentControlSet="ControlSet001"-->
-		<!--CRITICAL:	Due to a bug, Sysmon versions BEFORE 7.01 may not properly log with the new prefix style for registry keys that was originally introduced in schema version 3.30-->
-		<!--NOTE:	Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation-->
-
-		<!-- ! CRITICAL NOTE !:	It may appear this section is MISSING important entries, but SOME RULES MONITOR MANY KEYS, so look VERY CAREFULLY to see if something is already covered.-->
-
-		<!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details (can't filter on), NewName (can't filter on)-->
-		<RegistryEvent onmatch="include">
-			<!--Autorun or Startups-->
-				<!--ADDITIONAL REFERENCE: [ http://www.ghacks.net/2016/06/04/windows-automatic-startup-locations/ ] -->
-				<!--ADDITIONAL REFERENCE: [ https://view.officeapps.live.com/op/view.aspx?src=https://arsenalrecon.com/downloads/resources/Registry_Keys_Related_to_Autorun.ods ] -->
-				<!--ADDITIONAL REFERENCE: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject condition="contains">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Run keys, incld RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
-			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts-->
-			<TargetObject condition="contains">\Windows\System\Scripts</TargetObject> <!--Microsoft:Windows: Logon, Loggoff, Shutdown-->
-			<TargetObject condition="contains">\Microsoft\System\Scripts</TargetObject> <!--Microsoft:Windows: Legacy Logon, Loggoff, Shutdown Scripts-->
-			<TargetObject condition="end with">\ServiceDll</TargetObject> <!--Microsoft:Windows: Points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ] -->
-			<TargetObject condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: Points to a service's EXE [ https://github.com/crypsisgroup/Splunkmon/blob/master/sysmon.cfg ] -->
-			<TargetObject condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual)-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
-			<TargetObject condition="contains">Session Manager\KnownDlls</TargetObject>
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</TargetObject> <!-- Print Monitor DLL's loaded at startup can be malicious, lets monitor those -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers</TargetObject> <!-- Print Provider DLL's loaded at startup can be malicious, lets monitor those -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>  <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
-			<TargetObject condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject> <!--Detect ACPI Rootkits -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location -->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject><!--Microsoft:Windows: Legacy Autorun may exist in server 2003-2008-->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject> <!-- Windows Debugger Hijack Autorun -->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ] -->
-			<TargetObject condition="contains">UserInitMprLogonScript</TargetObject> <!--Microsoft:Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ] -->
-			<TargetObject condition="end with">\CurrentVersion\Font Drivers</TargetObject>
-			<TargetObject condition="contains">Active Setup\Installed Components</TargetObject>
-			<TargetObject condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
-			<TargetObject condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
-			<TargetObject condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
-			<TargetObject condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
-			<TargetObject condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
-			<TargetObject condition="contains">SafeBoot\AlternateShell</TargetObject>
-			<TargetObject condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
-			<TargetObject condition="contains">Policies\System\Shell</TargetObject>
-			<TargetObject condition="contains">Desktop\Scrnsave.exe</TargetObject>
-			<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit</TargetObject> <!--Persistence using GlobalFlags in Image File Execution Options: [ https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ ] -->
-			<!--CLSID launch commands and file association changes-->
-			<TargetObject condition="contains">\Explorer\FileExts\</TargetObject> <!--Microsoft:Windows: Changes to file extension mapping-->
-			<TargetObject condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
-			<TargetObject condition="contains">\shell\open\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
-			<TargetObject condition="contains">\shell\open\ddeexec\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
-			<!--Windows COM-->
-			<TargetObject condition="end with">\InprocServer32\(Default)</TargetObject> <!--Microsoft:Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
-			<!--Windows shell hijack-->
-			<TargetObject condition="contains">\PropertySheetHandlers</TargetObject>
-			<TargetObject condition="contains">\CopyHookHandlers</TargetObject>
-			<TargetObject condition="contains">\ColumnHandlers</TargetObject>
-			<TargetObject condition="contains">\ExtShellFolderViews</TargetObject>
-			<TargetObject condition="contains">\ShellServiceObjects</TargetObject>
-			<TargetObject condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
-			<TargetObject condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
-			<TargetObject condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
-			<TargetObject condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
-			<TargetObject condition="contains">\SharedTaskScheduler</TargetObject>
-			<TargetObject condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
-			<TargetObject condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
-			<TargetObject condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject condition="contains">\Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject condition="contains">\Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
-			<!--AppPaths hijacking-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<!--Terminal service boobytraps-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
-			<!--Group Policy interity-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
-			<!--Winsock and Winsock2-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
-			<TargetObject condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
-			<TargetObject condition="begin with">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride - Threats sometimes change proxy server -->
-			<TargetObject condition="end with">\DisableSecuritySettingsCheck</TargetObject>
-			<TargetObject condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
-			<TargetObject condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
-			<TargetObject condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
-			<!--Credential providers-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
-			<!--Networking-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
-			<TargetObject condition="end with">EnableFirewall</TargetObject> <!--Microsoft:Windows: Monitor for firewall disablement [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
-			<!--DLLs that get injected into every process launch-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
-			<!--Office-->
-			<!--Microsoft Office-->
-			<TargetObject condition="contains">Office Test\</TargetObject> <!-- [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
-			<TargetObject condition="contains">\Outlook\Addins\</TargetObject> <!--Microsoft:Office: Outlook add-ins-->
-			<TargetObject condition="contains">\Excel\Addins\</TargetObject> <!--Microsoft:Office: Excel add-ins-->
-			<TargetObject condition="contains">\Word\Addins\</TargetObject> <!--Microsoft:Office: Word add-ins-->
-			<TargetObject condition="contains">\Access\Addins\</TargetObject> <!--Microsoft:Office: Word add-ins-->
-			<TargetObject condition="contains">\Powerpoint\Addins\</TargetObject> <!--Microsoft:Office: Powerpoint add-ins-->
-			<!--IE-->
-			<TargetObject condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
-			<TargetObject condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
-			<!--Magic registry keys-->
-			<TargetObject condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
-			<TargetObject condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
-			<!--Infection artifacts-->
-			<TargetObject condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
-			<TargetObject condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and component installations-->
-			<!--Windows internals integrity monitoring-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject> <!--Microsoft:Windows: Malware likes changing IFEO-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject> <!--Microsoft:Windows: Event log system integrity and ACLs-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
-			<!--Common Malware Persistence locations-->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			<TargetObject condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
-			<TargetObject condition="contains">CurrentVersion\Windows\Load</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
-			<TargetObject condition="contains">CurrentVersion\Windows\Run</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
-			<TargetObject condition="contains">CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/ms838576(v=winembedded.5).aspx ] -->
-			<TargetObject condition="contains">CurrentVersion\Winlogon\System</TargetObject> <!--Microsoft:Windows [ https://www.exterminate-it.com/malpedia/regvals/zlob-dns-changer/118 ] -->
-			<!--Group Policy Scripts-->
-			<TargetObject condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
-			<TargetObject condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
-			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
-			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
-			<!--Detect Network History-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
-			<TargetObject condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
-			<TargetObject condition="end with">DefaultGateway</TargetObject><!--Networking: Detect changes-->
-			<TargetObject condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
-			<TargetObject condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
-			<TargetObject condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
-			<TargetObject condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
-			<TargetObject condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
-			<!--Detect User Activity-->
-			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
-			<!--RDP History Tracking-->
-			<TargetObject condition="contains">\Software\Microsoft\Terminal Server Client</TargetObject>
-			<!--Detect Threats from Webroot Antivirus-->
-			<!--Active threats show like so: c:\users\JohnDoe\downloads\w10privacy\w10privacy.exe|W32.Backdoor.Gen|5880BC38 Reg Key Location: HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active-->
-			<TargetObject condition="contains">\WRData\Threats\Active</TargetObject><!--Detect Active Threats-->
-			<TargetObject condition="contains">\WRData\Threats\History</TargetObject><!--Detect Threat History & Auto-Removed Threats-->
-			<!--Detect Changes to Proxy Server Setting-->
-			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
-			<!--Detect Browser Hijackers-->
-			<!--<TargetObject condition="contains">\Software\Microsoft\Internet Explorer\DOMStorage\</TargetObject>-->
-			<!--<TargetObject condition="contains">\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\</TargetObject>-->
-			<!--<TargetObject condition="contains">\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage</TargetObject>-->
-			<!--Detect Unauthorized Firewall Changes-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject> <!--Check for apps added to Firewall Auth List-->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject> <!--Detect: UAC Tampering-->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject> <!--Detect: UAC Tampering-->
-			<!--Detect Malware & Unauthorized Changes to Outlook, Excel, Powerpoint, and Access Security to enable execution of scripts/Macros -->
-			<TargetObject condition="contains">\Security\Level</TargetObject>
-			<TargetObject condition="contains">\Security\Level1Remove</TargetObject>
-			<!--Detect if Microsoft Security Center is Disabled or Enabled-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
-			<TargetObject condition="end with">\HideSCAHealth</TargetObject> <!--Microsoft:Windows:Security Center: Malware timestimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
-			<!--Detect if Windows Defender is Disabled-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable</TargetObject>
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject> <!-- Detect disabling of machine password change -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject> <!-- Causes the domain controller to refuse password change requests only from workstations or member servers -->
-			<!-- Detect Root Certificate Store Hijacking and Unauthorized changes -->
-			<!-- Lots of noise from multiple locations, need a better monitor
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates</TargetObject>
-			<TargetObject condition="contains">\Software\Policies\Microsoft\SystemCertificates</TargetObject>
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates</TargetObject>
-			<TargetObject condition="contains">\SOFTWARE\Microsoft\EnterpriseCertificates</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SystemCertificates</TargetObject>
-			<TargetObject condition="contains">\SOFTWARE\Microsoft\SystemCertificates</TargetObject>
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\CertSvc</TargetObject>
-			-->
-			<!-- Other Stuff -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject> <!--Mitre T1198-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject><!--Mitre T1198-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
-			<TargetObject condition="contains">\Software\Classes\mscfile\shell\open\command</TargetObject> <!-- Fileless Bypass of UAC: http://resources.infosecinstitute.com/new-born-macro-malware-dropping-rootkits-using-fileless-infection-vector -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject><!--Identify Rogue Scheduled Task ID's -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject><!--Identify Rogue Scheduled Task ID's added to Logon -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot</TargetObject><!--Identify Rogue Scheduled Task ID's added to Boot -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject condition="contains">\comfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
-			<TargetObject condition="contains">\htafile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
-			<TargetObject condition="contains">\batfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
-			<TargetObject condition="contains">\piffile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
-			<TargetObject condition="contains">\exefile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
-			<TargetObject condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> <!-- Detect: UAC Bypass via sdclt: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ -->
-			<TargetObject condition="contains">\piffile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
-			<TargetObject condition="contains">\regfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
-			<TargetObject condition="contains">\mscfile\shell\open\command</TargetObject> <!-- Detect: Event Viewer UAC Bypass: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ -->
-			<TargetObject condition="contains">\InprocServer32</TargetObject> <!--Detect: COMObject Hijacking: https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
-			<TargetObject condition="end with">\FriendlyName</TargetObject> <!--Microsoft:Windows: New devices connected and remembered-->
-			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject> <!-- Detect Keyloggers & new Keyboards -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject> <!-- Detect: Dns Server dll injection -->
-			<!--Windows application compatibility shims-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged, useful for timeline matching with other events-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
-			<!-- NOTICE: Detect New USB Network Devices: Poison Tap - Creates lots of noise, disabled for now
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
-			-->
-		</RegistryEvent>
-
-		<RegistryEvent onmatch="exclude">
-		<!--COMMENT:	Remove low-information noise. Often these hide a process recreating an empty key and do not hide the values created subsequently.-->
-			<!--SECTION: Microsoft binaries-->
-			<Image condition="end with">Office\root\integration\integrator.exe</Image> <!--Microsoft:Office: C2R client-->
-			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image> <!--Microsoft:Windows: Changes association registry keys-->
-			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image> <!--Microsoft:Office: C2R client-->
-			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\lync.exe</Image> <!-- Lync Adding registry values to network adapter.. facepalm -->
-			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office15\lync.exe</Image> <!-- Lync Adding registry values to network adapter.. facepalm -->
-			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
-			<Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
-			<TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\</TargetObject> <!-- Edge Extensions Creating Reg entries on launch -->
-			<!--Misc-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\Optimize Start Menu Cache Files-</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\User_Feed_Synchronization-</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--SvcHost Noise-->
-			<TargetObject condition="end with">Toolbar\WebBrowser</TargetObject> <!--Microsoft:IE: Extraneous activity-->
-			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Height</TargetObject> <!--Microsoft:IE: Extraneous activity-->
-			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Layout</TargetObject> <!--Microsoft:IE: Extraneous activity-->
-			<TargetObject condition="end with">Toolbar\ShellBrowser\ITBar7Layout</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
-			<TargetObject condition="end with">Internet Explorer\Toolbar\Locked</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
-			<TargetObject condition="end with">Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93}</TargetObject> <!--Adobe PDF Browser Toolbar-->
-			<TargetObject condition="end with">Toolbar\WebBrowser\{724D43A0-0D85-11D4-9908-00400523E39A}</TargetObject> <!--RoboForms Browser toolbar-->
-			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Layout</TargetObject> <!--Misc IE Activity-->
-			<TargetObject condition="end with">ShellBrowser</TargetObject> <!--Microsoft:InternetExplorer: Noise-->
-			<TargetObject condition="end with">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard-->
-			<TargetObject condition="end with">\CurrentVersion\RunOnce</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard-->
-			<TargetObject condition="end with">\CurrentVersion\App Paths</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\App Paths" wildcard-->
-			<TargetObject condition="end with">\CurrentVersion\Image File Execution Options</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Image File Execution Options" wildcard-->
-			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Cached</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Cached" wildcard-->
-			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Approved</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Approved" wildcard-->
-			<TargetObject condition="end with">}\PreviousPolicyAreas</TargetObject> <!--Microsoft:Windows: Remove noise from \Winlogon\GPExtensions by svchost.exe-->
-			<TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
-			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
-			<TargetObject condition="end with">\Lsa\OfflineJoin\CurrentValue</TargetObject> <!--Microsoft:Windows: Sensitive value during domain join-->
-			<TargetObject condition="end with">\Components\TrustedInstaller\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
-			<TargetObject condition="end with">\Components\TrustedInstaller</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
-			<TargetObject condition="end with">\Components\Wlansvc</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
-			<TargetObject condition="end with">\Components\Wlansvc\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject> <!--Microsoft:Windows: Remove noise monitoring installations run as system-->
-			<TargetObject condition="end with">\Directory\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
-			<TargetObject condition="end with">\Directory\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
-			<TargetObject condition="end with">\Drive\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
-			<TargetObject condition="end with">\Drive\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
-			<TargetObject condition="contains">_Classes\AppX</TargetObject> <!--Microsoft:Windows: Remove noise monitoring "Shell\open\command"--> <!--Win8+-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--Microsoft:Windows: SvcHost Noise-->
-			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image> <!--Microsoft:Windows: Remove noise from Windows 10 Cortana | Credit @ion-storm--> <!--Win10-->
-			<!--Bootup Control noise-->
-			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
-			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
-			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
-			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
-			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
-			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
-			<!--Services autostart noise-->
-			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
-			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
-			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
-			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
-			<TargetObject condition="end with">\services\DeviceAssociationService\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
-			<TargetObject condition="end with">\services\BITS\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
-			<TargetObject condition="end with">\services\TrustedInstaller\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
-			<TargetObject condition="end with">\services\tunnel\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
-			<TargetObject condition="end with">\services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
-			<!--FileExts noise filtering-->
-			<TargetObject condition="contains">\OpenWithProgids</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
-			<TargetObject condition="end with">\OpenWithList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
-			<TargetObject condition="end with">\UserChoice</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
-			<TargetObject condition="end with">\UserChoice\ProgId</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
-			<TargetObject condition="end with">\UserChoice\Hash</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
-			<TargetObject condition="end with">\OpenWithList\MRUList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
-			<TargetObject condition="end with">} 0xFFFF</TargetObject> <!--Microsoft:Windows: Remove noise generated by explorer.exe on monitored ShellCached binary keys--> <!--Win8+-->
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdp</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jxr</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rw2</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rwl</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrw</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srw</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf</TargetObject>
-			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{955C0D7D-042E-4034-9D54-EBD52477A6DB}\</TargetObject> <!--Too much noise -->
-			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{BEACC58F-E643-4e97-B19E-95F6EE3500FA}\</TargetObject> <!--Too much noise -->
-			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{07598BD3-ABBE-4bee-959F-7B90253EADFF}\</TargetObject> <!--Too much noise -->
-			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{31240348-66EE-4F14-A42A-39F373A834C7}\</TargetObject> <!--Too much noise -->
-			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{8C8EC235-0786-4DAD-A957-1A6CD76C28F5}\</TargetObject> <!--Too much noise -->
-			<!--Group Policy noise-->
-			<TargetObject condition="end with">HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups</TargetObject> <!--Microsoft:Windows: Routinely set through Group Policy, not especially important to log-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="contains">\safer\codeidentifiers\0\HASHES\{</TargetObject> <!--Microsoft:Windows: Software Restriction Policies. Can be used to disable security tools, but very noisy to monitor if you use it--> <!--OPTIONAL FILTER-->
-			<!--Autoruns noise-->
-			<!--<Details condition="is">c:\program files (x86)\microsoft office\office16\lync.exe</Details> Microsoft:Office: SkypeForBusiness autorun--> 
-			<!--<Details condition="is">"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized</Details> Cisco: AnyConnect autorun-->
-			<!--<Details condition="contains">ScanToPCActivationApp.exe" -deviceID "</Details> HP: Printer-->
-			<!--SECTION: 3rd party-->
-			<TargetObject condition="end with">} 0xFFFF</TargetObject> <!--Microsoft:Windows: Remove noise from explorer.exe from monitoring ShellCached binary keys--> <!--Win8+ -->
-			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image><!--Microsoft:Windows Remove noise from Windows 10 Cortana--> <!--Win10 -->
-			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image>
-			<TargetObject condition="contains">HKLM\System\CurrentControlSet\Services\DeviceAssociationService\Start</TargetObject><!--Device Association Service Noise-->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}\</TargetObject><!-- HD Audio Noise-->
-			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe</Image> <!--VMWare: Horizon View Client Noise-->
-			<Image condition="is">C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe</Image> <!--PGP: Noise-->
-			<!--SECTION: Labtech-->
-			<TargetObject condition="end with">\LTSvcMon\Start</TargetObject>
-			<TargetObject condition="end with">\LTService\Start</TargetObject>
-			<!--SECTION: ShadowProtect-->
-			<TargetObject condition="contains">{F2C2787D-95AB-40D4-942D-298F5F757874}</TargetObject>
-			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image> <!--Constantly writes to HKLM-->
-			<!-- Search Protocol Host & Sysmon spam the SystemCertificates keystores, adding exclusions below -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\</TargetObject>
-			<TargetObject condition="contains">\Software\Policies\Microsoft\SystemCertificates\</TargetObject>
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\</TargetObject>
-			<TargetObject condition="contains">\SOFTWARE\Microsoft\EnterpriseCertificates\</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SystemCertificates\</TargetObject>
-			<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports</TargetObject> <!-- Spooler Noise -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnotice</TargetObject> <!-- Group Policy spam -->
-			<TargetObject condition="begin with">HKCR\VLC.</TargetObject> <!--VLC update noise-->
-			<TargetObject condition="begin with">HKCR\iTunes.</TargetObject> <!--Apple: iTunes update noise-->
-			<!--SECTION: Nitro Pro Spam-->
-			<TargetObject condition="contains">\Software\NITRO\PRO</TargetObject>
-			<!--SECTION: Webroot Spam-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\WRData\Status</TargetObject>
-		</RegistryEvent>
-
-	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
-		<!--EVENT 15: "File stream created"-->
-		<!--COMMENT:	Any files created with an NTFS Alternate Data Stream which match these rules will be hashed and logged.
-			[ https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/ ]
-			ADS's are used by browsers and email clients to mark files as originating from the Internet or other foreign sources.
-			[ https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/ ] -->
-		<!--NOTE: Other filesystem minifilters can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
-
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
-		<FileCreateStreamHash onmatch="exclude">
-			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
-		</FileCreateStreamHash>
-		<FileCreateStreamHash onmatch="include">
-			<TargetFilename condition="contains">Content.Outlook</TargetFilename> <!--Microsoft:Outlook: Attachments--> <!--PRIVACY WARNING-->
-			<TargetFilename condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
-			<TargetFilename condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
-			<TargetFilename condition="contains">Startup</TargetFilename> <!--ADS startup | Example: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
-			<TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting files-->
-			<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
-			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
-			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
-			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
-			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
-			<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
-			<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
-			<TargetFilename condition="end with">.dll</TargetFilename> <!--Executable-->
-			<TargetFilename condition="end with">.sys</TargetFilename> <!--Executable-->
-			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
-			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
-			<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
-			<TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
-			<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry files-->
-			<TargetFilename condition="end with">.docm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.xlsm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.xlam</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.potm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.sldm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
-			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
-			<TargetFilename condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
-			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
-			<TargetFilename condition="end with">.js</TargetFilename> <!--Java-->
-			<!--SECTION: Certificates -->
-			<TargetFilename condition="contains">.pem</TargetFilename>
-			<TargetFilename condition="contains">.crt</TargetFilename>
-			<TargetFilename condition="contains">.ca-bundle</TargetFilename>
-			<TargetFilename condition="contains">.cer</TargetFilename>
-			<TargetFilename condition="contains">.csr</TargetFilename>
-			<TargetFilename condition="contains">.der</TargetFilename>
-			<TargetFilename condition="contains">.p7b</TargetFilename>
-			<TargetFilename condition="contains">.p7r</TargetFilename>
-			<TargetFilename condition="contains">.p7s</TargetFilename>
-			<TargetFilename condition="contains">.pfx</TargetFilename>
-			<TargetFilename condition="contains">.sto</TargetFilename>
-			<TargetFilename condition="contains">.p12</TargetFilename>
-			<TargetFilename condition="contains">.crl</TargetFilename>
-			<TargetFilename condition="contains">.sst</TargetFilename>
-			<TargetFilename condition="contains">.key</TargetFilename>
-			<!--SECTION: CIA Vault7 Leak -->
-			<TargetFilename condition="contains">.mht</TargetFilename> <!-- Possible malformed file will escape IE sandbox -->
-			<TargetFilename condition="contains">.manifest</TargetFilename>
-			<TargetFilename condition="contains">.cpl</TargetFilename> <!-- Vault7 CIA Leak: Control Panel Persistence -->
-			<TargetFilename condition="contains">.scr</TargetFilename> <!-- Vault7 CIA Leak: Screensaver Persistence -->
-			<TargetFilename condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
-		</FileCreateStreamHash>
-
-	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
-		<!--EVENT 16: "Sysmon config state changed"-->
-		<!--COMMENT:	This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16-->
-		
-		<!--DATA: UtcTime, Configuration, ConfigurationFileHash-->
-		<!--Cannot be filtered.-->
-
-	<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent]-->
-		<!--EVENT 17: "Pipe Created"-->
-		<!--EVENT 18: "Pipe Connected"-->
-
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
-		<PipeEvent onmatch="exclude">
-		<!--COMMENT: Exclude known-good pipe users-->
-				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
-				<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
-			<!--SECTION: Microsoft-->
-			<PipeName condition="contains">lsass</PipeName>
-			<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
-			<PipeName condition="is">\spoolss</PipeName>
-			<!--SECTION: Microsoft IIS -->
-			<PipeName condition="begin with">\M.E.C.Core.WinRMDataCommunicator.NamedPipe.</PipeName>
-			<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image>
-			<Image condition="is">C:\Windows\syswow64\snmp.exe</Image>
-			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE</Image>
-			<!--SECTION: Microsoft Exchange Server -->
-			<Image condition="contains">Exchange Server</Image>
-			<!--SECTION: Microsoft DNS Server -->
-			<Image condition="is">C:\Windows\system32\dns.exe</Image>
-			<!--SECTION: Microsoft SQL Server -->
-			<PipeName condition="is">\sql\query</PipeName>
-			<Image condition="is">C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe</Image>
-			<!--SECTION: Microsoft Skype For Business Server -->
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exee</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\AV Conferencing\AVMCUSvc.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Health Agent\HealthAgent.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\LysSvc.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\File Transfer Agent\FileTransferAgent.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Web Conferencing\DataMCUSvc.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Application Host\OcsAppServerHost.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\ABServer.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Master Replicator Agent\MasterReplicatorAgent.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\IM Conferencing\IMMCUSvc.exe</Image>
-			<Image condition="is">C:\Program Files\Common Files\Skype for Business Server 2015\ClsAgent\ClsAgent.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\ReplicationApp.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\Application Sharing\ASMCUSvc.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Replica Replicator Agent\ReplicaReplicatorAgent.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exe</Image>
-			<!--SECTION: Microsoft DFS Replication -->
-			<Image condition="is">C:\Windows\system32\DFSRs.exee</Image>
-			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
-			<Image condition="is">C:\Windows\system32\SearchProtocolHost.exe</Image>
-			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</Image>
-			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe</Image>
-			<Image condition="is">C:\Windows\System32\LxRun.exe</Image> <!--Bash On Windows -->
-			<PipeName condition="contains">vmware-</PipeName>
-			<Image condition="is">\System</Image>
-			<PipeName condition="is">\InitShutdown</PipeName>
-			<Image condition="is">C:\Windows\System32\wininit.exe</Image>
-			<Image condition="is">C:\Windows\System32\SearchIndexer.exe</Image>
-			<Image condition="is">C:\Windows\System32\services.exe</Image>
-			<PipeName condition="is">\ntsvcs</PipeName>
-			<PipeName condition="is">\scerpc</PipeName>
-			<Image condition="is">C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe</Image>
-			<Image condition="is">C:\Windows\System32\smss.exe</Image>
-			<Image condition="is">C:\Windows\System32\spoolsv.exe</Image>
-			<PipeName condition="is">\epmapper</PipeName>
-			<PipeName condition="is">\atsvc</PipeName>
-			<PipeName condition="is">\browser</PipeName>
-			<PipeName condition="is">\srvsvc</PipeName>
-			<PipeName condition="is">\Winsock2CatelogChangeListener</PipeName>
-			<PipeName condition="contains">ProtectedPrefix\LocalService\FTHPIPE</PipeName>
-			<PipeName condition="is">\W32TIME_ALT</PipeName>
-			<PipeName condition="is">\eventlog</PipeName>
-			<PipeName condition="is">\wkssvc</PipeName>
-			<PipeName condition="contains">\TDLN-</PipeName>
-			<PipeName condition="is">\WiFiNetworkManagerTask</PipeName>
-			<PipeName condition="is">\MsFteWds</PipeName>
-			<!--SECTION: Webroot-->
-			<PipeName condition="is">\WRSVCPipe</PipeName>
-			<PipeName condition="is">\WRSynUM2</PipeName>
-			<PipeName condition="is">\wrUrl</PipeName><!--Webroot Webfiltering Pipe-->
-			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
-			<!--SECTION: Google-->
-			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
-			<Image condition="contains">AppData\Local\Google\Chrome\User Data\SwReporter\</Image>
-			<PipeName condition="contains">mojo.</PipeName>
-			<PipeName condition="contains">crashpad_</PipeName>
-			<PipeName condition="contains">chrome.</PipeName>
-			<PipeName condition="contains">GoogleCrashServices</PipeName>
-			<!--SECTION: Other-->
-			<Image condition="end with">slack.exe</Image>
-			<!--SECTION: ConnectWise-->
-			<PipeName condition="contains">booma\</PipeName>
-			<!--SECTION: EnPass-->
-			<PipeName condition="contains">qtsingleapp-enpass-</PipeName>
-			<Image condition="contains">qtsingleapp-enpass-</Image>
-			<!--SECTION: RoyalTS-->
-			<PipeName condition="contains">eo.ipc.</PipeName>
-			<!--SECTION: Windows Firewall Control-->
-			<Image condition="is">C:\Program Files\Windows Firewall Control\wfc.exe</Image>
-			<!--SECTION: Everything Search-->
-			<PipeName condition="contains">Everything Service</PipeName>
-			<PipeName condition="contains">anchor_gui_agent</PipeName>
-			<!--SECTION: Adobe-->
-			<Image condition="end with">Adobe\ARM\1.0\AdobeARM.exe</Image>
-			<!--SECTION: Lenovo-->
-			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\SUService.exe</Image>
-			<Image condition="is">C:\Program Files\Common Files\VMware\DeviceRedirectionCommon\ftnlsv.exe</Image>
-			<Image condition="is">C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe</Image>
-			<Image condition="is">C:\Program Files\Lenovo\HOTKEY\shtctky.exe</Image>
-			<Image condition="is">C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE</Image>
-			<Image condition="is">C:\Windows\System32\LPlatSvc.exe</Image>
-			<Image condition="is">C:\PROGRA~1\Lenovo\HOTKEY\TPOSD.EXE</Image>
-			<Image condition="is">C:\Program Files (x86)\Lenovo\iMController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe</Image>
-			<!--SECTION: Fortinet-->
-			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiSSLVPNdaemon.exe</Image>
-			<!--SECTION: Sophos VPN Client-->
-			<Image condition="is">c:\program files (x86)\sophos\sophos ssl vpn client\bin\openvpnserv.exe</Image>
-			<!--SECTION: Labtech-->
-			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
-			<Image condition="contains">ScreenConnect.WindowsClient.exe</Image>
-			<Image condition="contains">ScreenConnect.ClientService.exe</Image>
-			<!--SECTION: N-Able -->
-			<Image condition="end with">N-able Technologies\Windows Agent\bin\agent.exe</Image>
-			<Image condition="end with">N-able Technologies\AVDefender\EPIntegrationService.exe</Image>
-			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
-			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn.exe</Image>
-			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpnserv.exe</Image>
-			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
-			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe</Image>
-			<Image condition="is">C:\Program Files\Lenovo\HOTKEY\tphkload.exe</Image>
-			<Image condition="contains">C:\Program Files\Lenovo\</Image>
-			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\SerialPortRedirection\Client\vmwsprrdpwks.exe</Image>
-			<Image condition="contains">Graylog-collector-sidecar.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git-remote-https.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\bin\git.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
-			<PipeName condition="contains">Anonymous Pipe</PipeName> <!-- NOTICE: Comment this out if you dont use Labtech, labtech nests processes and causes excessive noise -->
-			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiESNAC.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiTray.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FCDBLog.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\VMware\ScannerRedirection\ftscanmgrhv.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Internet Explorer\vmware-vmrc.exe</Image>
-			<PipeName condition="contains">SQLAnywhereLRM</PipeName> <!-- Quickbooks -->
-			<PipeName condition="contains">pgsignal</PipeName> <!-- Postgres SQL -->
-			<Image condition="is">postgres.exe</Image>
-			<PipeName condition="contains">MICROSOFT##WID\tsql\query</PipeName> <!-- Microsoft SQL writer-->
-			<PipeName condition="contains">TSVCPIPE-</PipeName> <!-- Terminal Services Pipe-->
-			<PipeName condition="contains">BB4BB19A178C25D1</PipeName>
-			<PipeName condition="contains">SQLAnywhereLRM</PipeName>
-			<PipeName condition="contains">SQLLocal</PipeName>
-			<PipeName condition="contains">DropboxPipe_</PipeName>
-			<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel RMS License Manager\WinNT\mfcesd.exe</Image>
-			<Image condition="is">C:\Pfx Engagement\WM\PFXEngagement.exe</Image>
-			<Image condition="is">C:\Pfx Engagement\WM\Pfx.KnowledgeCoach.SharedServices.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Micro Focus\COBOL Server 2012\bin\mfds.exe</Image>
-			<Image condition="is">ScreenConnect.WindowsClient.exe</Image>
-			<Image condition="is">ScreenConnect.ClientService.exe</Image>
-			<Image condition="is">QBW32.EXE</Image>
-			<Image condition="end with">EXCEL.EXE</Image>
-			<Image condition="end with">ADCUpdate.exe</Image>
-			<Image condition="end with">Hydrous.Host.exe</Image>
-			<Image condition="end with">TNSLSNR.exe</Image>
-			<Image condition="contains">ShoreWare Server</Image>
-		</PipeEvent>
-
-	<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
-		<!--EVENT 19: "WmiEventFilter activity detected"-->
-		<!--EVENT 20: "WmiEventConsumer activity detected"-->
-		<!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->
-
-		<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
-		<WmiEvent onmatch="exclude">
-		</WmiEvent>
-
-	<!--SYSMON EVENT ID 255 : ERROR-->
-		<!--"This event is generated when an error occurred within Sysmon. They can happen if the system is under heavy load
-			and certain tasked could not be performed or a bug exists in the Sysmon service. You can report any bugs on the
-			Sysinternals forum or over Twitter (@markrussinovich)."-->
-		<!--Cannot be filtered.-->
-
-	</EventFiltering>
-</Sysmon>

From 0d14c6ad2c8bab5ed44c463520b729368082516e Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 9 Jul 2018 20:43:31 -0400
Subject: [PATCH 262/471] readme

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index ec05f5e0..8e398908 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,6 @@
 # Sysmon Threat Intelligence Configuration #
 
+** See the develop Branch for more bleeding edge updates: https://github.com/ion-storm/sysmon-config/tree/develop **
 This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing.
 
 The file provided should function as a great starting point for system monitoring in a self-contained package. This configuration and results should give you a good idea of what's possible for Sysmon.

From 63c473f0d86f44c43120ca07d44972c6569bef9a Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 9 Jul 2018 20:45:21 -0400
Subject: [PATCH 263/471] readme

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8e398908..5aea6230 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # Sysmon Threat Intelligence Configuration #
+See the develop Branch for more bleeding edge updates: https://github.com/ion-storm/sysmon-config/tree/develop
 
-** See the develop Branch for more bleeding edge updates: https://github.com/ion-storm/sysmon-config/tree/develop **
 This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing.
 
 The file provided should function as a great starting point for system monitoring in a self-contained package. This configuration and results should give you a good idea of what's possible for Sysmon.

From 906cf5a2b0aec052ac500410ef8fa2535c31d3a3 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 9 Jul 2018 23:17:17 -0400
Subject: [PATCH 264/471] add N-Central exclusion

---
 sysmonconfig-export.xml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ce54a827..966cd79a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -678,6 +678,11 @@
 			<ParentImage condition="is">C:\PostgreSQL9.1\bin\postgres.exe</ParentImage> <!-- eFolder Anchor Server -->
 			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Anchor Server -->
 			<Image condition="is">C:\ProgramData\sysmon\sysmon64.exe</Image> <!-- Exclude Sysmon Process events -->
+			<!--Ignore MSPaint.exe-->
+			<Hashes condition="contains">56BFB300BA379181CE09C3130775DFBBCAFF9DB764BDC39086C2FEC2547EE900</Hashes>
+			<!--N-Able/N-Central Exclusions-->
+			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image>
+			<Image condition="is">C:\Program Files\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image>
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->

From 7295667d716c3166ecf41e91a71035c32e633013 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 9 Jul 2018 23:22:16 -0400
Subject: [PATCH 265/471] add more exclusions

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 966cd79a..927bf03e 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -683,6 +683,7 @@
 			<!--N-Able/N-Central Exclusions-->
 			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image>
 			<Image condition="is">C:\Program Files\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image>
+			<Hashes condition="contains">3070E798134A11ADB01129F06A36CD924267E6DA95DAB2E3196105264D2BF818</Hashes><!--Winlogbeat-->
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->

From 30f451ce0550c265aab036c44f15657179e83bcb Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 10 Jul 2018 08:24:09 -0400
Subject: [PATCH 266/471] N-Able Exclusions

---
 sysmonconfig-export.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 927bf03e..f8b83116 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -683,6 +683,9 @@
 			<!--N-Able/N-Central Exclusions-->
 			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image>
 			<Image condition="is">C:\Program Files\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image>
+			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe</ParentImage>
+			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</ParentImage>
+			<ParentImage condition="is">C:\Program Files (x86)\MaaS360\Cloud Extender\EMSAgent.exe</ParentImage>
 			<Hashes condition="contains">3070E798134A11ADB01129F06A36CD924267E6DA95DAB2E3196105264D2BF818</Hashes><!--Winlogbeat-->
 		</ProcessCreate>
 

From e4404f0a8f26f3670d42f91206a2bdcc37345914 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 10 Jul 2018 08:31:06 -0400
Subject: [PATCH 267/471] sysmon exclusions

---
 sysmonconfig-export.xml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f8b83116..b1110dfe 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -687,6 +687,10 @@
 			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</ParentImage>
 			<ParentImage condition="is">C:\Program Files (x86)\MaaS360\Cloud Extender\EMSAgent.exe</ParentImage>
 			<Hashes condition="contains">3070E798134A11ADB01129F06A36CD924267E6DA95DAB2E3196105264D2BF818</Hashes><!--Winlogbeat-->
+			<!--Sysmon Auto-Update Exclusion-->
+			<ParentCommandLine condition="contains">\sysmon\Auto_Update.bat</ParentCommandLine>
+			<CommandLine condition="contains">ion-storm/sysmon-config</CommandLine>
+
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->

From b6b4ecc155cf5baaad0f6780e039f59e617f313c Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 10 Jul 2018 09:20:40 -0400
Subject: [PATCH 268/471] more exclusions

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index b1110dfe..f6c4c054 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -689,6 +689,7 @@
 			<Hashes condition="contains">3070E798134A11ADB01129F06A36CD924267E6DA95DAB2E3196105264D2BF818</Hashes><!--Winlogbeat-->
 			<!--Sysmon Auto-Update Exclusion-->
 			<ParentCommandLine condition="contains">\sysmon\Auto_Update.bat</ParentCommandLine>
+			<CommandLine condition="contains">\sysmon\Auto_Update.bat</CommandLine>
 			<CommandLine condition="contains">ion-storm/sysmon-config</CommandLine>
 
 		</ProcessCreate>

From e6173c07635f2748f6867696347b766980431a43 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 10 Jul 2018 09:26:12 -0400
Subject: [PATCH 269/471] exclusions

---
 sysmonconfig-export.xml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f6c4c054..98d6fc45 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -685,7 +685,11 @@
 			<Image condition="is">C:\Program Files\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image>
 			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe</ParentImage>
 			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</ParentImage>
-			<ParentImage condition="is">C:\Program Files (x86)\MaaS360\Cloud Extender\EMSAgent.exe</ParentImage>
+			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe</ParentImage>			
+			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe</Image>			
+			<ParentImage condition="is">C:\Program Files\N-able Technologies\AVDefender\installer\installer.exe	</ParentImage>
+			<ParentImage condition="is">C:\Program Files\N-able Technologies\AVDefender\epupdateservice.exe</ParentImage>
+			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\ShadowProtectDataReader.exe</ParentImage>
 			<Hashes condition="contains">3070E798134A11ADB01129F06A36CD924267E6DA95DAB2E3196105264D2BF818</Hashes><!--Winlogbeat-->
 			<!--Sysmon Auto-Update Exclusion-->
 			<ParentCommandLine condition="contains">\sysmon\Auto_Update.bat</ParentCommandLine>

From 4f5f3e1909820642db9481e69df741946850a441 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 10 Jul 2018 10:51:24 -0400
Subject: [PATCH 270/471] exclude logon scripts

---
 sysmonconfig-export.xml | 100 ++++++++++++++++++++--------------------
 1 file changed, 51 insertions(+), 49 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 98d6fc45..946cbce9 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -183,14 +183,14 @@
 			<CommandLine name="MitreRef=T1118,Technique=Defense Evasion/Execution" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
 	  		<!--                                                                                                                                            -->
 			<!--Mavinject -->
-	        <Image name="MitreRef=T1218,Technique=" condition="end with">Mavinject.exe</Image>
-			<Image name="MitreRef=T1191,Technique=" condition="end with">CMSTP.exe</Image>
+	        <Image name="MitreRef=T1218,Technique=Mavinject" condition="end with">Mavinject.exe</Image>
+			<Image name="MitreRef=T1191,Technique=Mavinject" condition="end with">CMSTP.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<!--MSBuild-->
-			<Image name="MitreRef=T1191,Technique=" condition="end with">MSBuild.exe</Image>
-	        <Image name="MitreRef=T1121,Technique=" condition="end with">regsvcs.exe</Image>
-			<Image name="MitreRef=T1121,Technique=" condition="end with">regasm.exe</Image>
-			<Image name="MitreRef=T1218,Technique=" condition="end with">SyncAppvPublishingServer.exe</Image>
+			<Image name="MitreRef=T1191,Technique=MSBuild Applocker Bypass" condition="end with">MSBuild.exe</Image>
+	        <Image name="MitreRef=T1121,Technique=MSBuild Applocker Bypass" condition="end with">regsvcs.exe</Image>
+			<Image name="MitreRef=T1121,Technique=MSBuild Applocker Bypass" condition="end with">regasm.exe</Image>
+			<Image name="MitreRef=T1218,Technique=MSBuild Applocker Bypass" condition="end with">SyncAppvPublishingServer.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<!--Control Panel-->
 			<Image name="MitreRef=T1218,Technique=Defense Evasion/Execution" condition="end with">control.exe</Image>
@@ -263,48 +263,48 @@
 	  		<!--                                                                                                                                            -->
 			<!--Hack Command Line Events-->
 			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="contains">COMSPEC</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Invoke-Expression" condition="contains">Invoke-Expression</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">iwr</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">Invoke-WebRequest</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">DownloadFile</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">DownloadString</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">Net.WebClient</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">System.Net.WebRequest</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Powershell Download" condition="contains">System.Net.SecurityProtocolType</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=invoke-shellcode" condition="contains">Shellcode</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control-Execution,Alert=Detect Base64 encoding" condition="contains">FromBase64String</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Detect Secure Strings" condition="contains">convertto-securestring</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=Execution,Alert=Detect some more obfuscation" condition="contains">VerbosePreference.ToString</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">Invoke-Expression</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">iwr</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">Invoke-WebRequest</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">DownloadFile</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">DownloadString</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">Net.WebClient</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.WebRequest</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.SecurityProtocolType</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=invoke-shellcode" condition="contains">Shellcode</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">FromBase64String</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect Secure Strings" condition="contains">convertto-securestring</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect some more obfuscation" condition="contains">VerbosePreference.ToString</CommandLine>
 	  		<!--                                                                                                                                            -->
 			<!--Ofuscated Command Line arguments-->
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">runtime.interopservices.marshal</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">VerbosePreference.ToString</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowstyle h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowstyl h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowsty h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windowst h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windows h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-window h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-windo h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-wind h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-wi h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-w h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-wi h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hi</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hid</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hidd</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hidde</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-win hidden</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-Nop</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-Noni</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-ec</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">-en</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation/Command And Control" condition="contains">C^om^S^pEc</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">runtime.interopservices.marshal</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">VerbosePreference.ToString</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowstyle h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowstyl h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowsty h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowst h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windows h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-window h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windo h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-wind h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-wi h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-w h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-wi h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hi</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hid</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hidd</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hidde</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hidden</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-Nop</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-Noni</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-ec</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-en</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">C^om^S^pEc</CommandLine>
 			<!--Suspicious Windows tools-->
-			<Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
+			<Image name="MitreRef=T1001,Technique=Signed Script Proxy Execution,Tactic=Defense Evasion/Execution" condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
 			<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
 			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
@@ -678,9 +678,9 @@
 			<ParentImage condition="is">C:\PostgreSQL9.1\bin\postgres.exe</ParentImage> <!-- eFolder Anchor Server -->
 			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Anchor Server -->
 			<Image condition="is">C:\ProgramData\sysmon\sysmon64.exe</Image> <!-- Exclude Sysmon Process events -->
-			<!--Ignore MSPaint.exe-->
+			<!--Exclude: MSPaint.exe-->
 			<Hashes condition="contains">56BFB300BA379181CE09C3130775DFBBCAFF9DB764BDC39086C2FEC2547EE900</Hashes>
-			<!--N-Able/N-Central Exclusions-->
+			<!--Exclude: N-Able/N-Central-->
 			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image>
 			<Image condition="is">C:\Program Files\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image>
 			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe</ParentImage>
@@ -691,11 +691,13 @@
 			<ParentImage condition="is">C:\Program Files\N-able Technologies\AVDefender\epupdateservice.exe</ParentImage>
 			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\ShadowProtectDataReader.exe</ParentImage>
 			<Hashes condition="contains">3070E798134A11ADB01129F06A36CD924267E6DA95DAB2E3196105264D2BF818</Hashes><!--Winlogbeat-->
-			<!--Sysmon Auto-Update Exclusion-->
+			<!--Exclude: Sysmon Auto-Update-->
 			<ParentCommandLine condition="contains">\sysmon\Auto_Update.bat</ParentCommandLine>
 			<CommandLine condition="contains">\sysmon\Auto_Update.bat</CommandLine>
 			<CommandLine condition="contains">ion-storm/sysmon-config</CommandLine>
-
+			 <!--Exclude: Netlogon scripts-->
+			<ParentCommandLine condition="contains">\netlogon\</ParentCommandLine>
+			<CommandLine condition="contains">\netlogon\</CommandLine>
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->

From 10e37469d1c340a628079f10f8a5d08f94e0dbdb Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 10 Jul 2018 11:54:40 -0400
Subject: [PATCH 271/471] Organize into Tactic's & Techniques

---
 sysmonconfig-export.xml | 267 +++++++++++++++++++---------------------
 1 file changed, 130 insertions(+), 137 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 946cbce9..2f6e0de9 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -72,16 +72,29 @@
 		<!--DATA: UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
 		<ProcessCreate onmatch="include">
 			<!--Mitre ATT&CK Rules-->
-			<!--Accessibility Features-->
-			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">sethc.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">utilman.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">osk.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">Magnify.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">DisplaySwitch.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">Narrator.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Persistence Privilege Escalation" condition="end with">AtBroker.exe</ParentImage>
-	  		<!--                                                                                                                                            -->
-			<!--Native Windows tools - Living off the land-->
+			<!--MITRE TACTIC: Defense Evasion-->
+			<Image name="MitreRef=T1070,Technique=Indicator Removal on Host-Defense Evasion" condition="end with">wevtutil.exe</Image> <!--Microsoft:Windows: read and modify the Windows Eventlog -->
+			<Image name="MitreRef=T1117,Technique=Regsvr32-Defense Evasion/Execution" condition="end with">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
+			<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion" condition="end with">bitsadmin.exe</Image>
+			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="end with">eventvwr.exe</ParentImage>
+			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="end with">fodhelper.exe</ParentImage>
+			<Image name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution" condition="end with">InstallUtil.exe</Image>
+			<CommandLine name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
+			<Image name="MitreRef=T1191,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">MSBuild.exe</Image>
+	        <Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">regsvcs.exe</Image>
+			<Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">regasm.exe</Image>
+			<Image name="MitreRef=T1218,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">SyncAppvPublishingServer.exe</Image>
+			<Image name="MitreRef=T1218,Technique=Defense Evasion/Execution" condition="end with">control.exe</Image>
+	        <CommandLine name="MitreRef=T1196,Technique=Defense Evasion/Execution" condition="contains">control.exe /name</CommandLine>
+			<CommandLine name="MitreRef=T1196,Technique=Defense Evasion/Execution" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
+			<Image name="MitreRef=T1170,Technique=Defense Evasion/Execution" condition="end with">mshta.exe</Image>
+			<Image name="MitreRef=T1070,Technique=Defense Evasion" condition="end with">wevutil.exe</Image>
+			<CommandLine name="MitreRef=T1070,Technique=Defense Evasion" condition="contains">wevutil cl</CommandLine>
+			<!--MITRE TACTIC: Discovery-->
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net user</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net localgroup</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net group</CommandLine>
+			<Image name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="image">dsquery.exe</Image><!-- Query domain-->
 			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,MitreURL=https://attack.mitre.org/wiki/Technique/T1049" condition="end with">whoami.exe</Image>
 			<Image name="MitreRef=T1049,Technique=Discovery" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
 			<Image name="MitreRef=T1057,Technique=Process Discovery" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
@@ -92,32 +105,98 @@
 			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery" condition="end with">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
 			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery" condition="end with">net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
 			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeration" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
 			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery" condition="end with">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
-			<Image name="MitreRef=T1134,Technique=Access Token Manipulation" condition="end with">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
 			<Image name="MitreRef=T1016,Technique=System Information Discovery" condition="end with">reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
 			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery" condition="end with">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
-			<Image name="MitreRef=T1070,Technique=Indicator Removal on Host-Defense Evasion" condition="end with">wevtutil.exe</Image> <!--Microsoft:Windows: read and modify the Windows Eventlog -->
-			<Image name="MitreRef=T1053,Technique=Scheduled Task-Execution/Persistence/Privilege Escalation" condition="end with">taskeng.exe</Image> <!--Microsoft:Windows: taskscheduler -->
-			<Image name="MitreRef=T1117,Technique=Regsvr32-Defense Evasion/Execution" condition="end with">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
-			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement" condition="end with">wmiprvse.exe</ParentImage>
-			<ParentImage name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="end with">psexesvc.exe</ParentImage>
-			<Description name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
-			<ParentImage name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="end with">psexec.exe</ParentImage>
-			<Description name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
-			<ParentImage name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="end with">pskill.exe</ParentImage>
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
+			<!--MITRE TACTIC: Execution-->
+			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="contains">COMSPEC</CommandLine>
+			<ParentCommandLine name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="contains">COMSPEC</ParentCommandLine>
 			<Image name="MitreRef=T1059,Technique=" condition="end with">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
 			<ParentImage name="MitreRef=T1059,Technique=" condition="end with">cmd.exe</ParentImage> <!--Microsoft:Windows: Command prompt-->
 			<Image name="MitreRef=T1086,Technique=Execution" condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
 			<Description name="MitreRef=T1086,Technique=Execution" condition="end with">powershell.exe</Description> <!--Microsoft:Windows: PowerShell interface-->
 			<ParentImage name="MitreRef=T1086,Technique=Execution" condition="end with">powershell.exe</ParentImage> <!--Microsoft:Windows: PowerShell interface-->
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">Invoke-Expression</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">iwr</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">Invoke-WebRequest</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">DownloadFile</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">DownloadString</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">Net.WebClient</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.WebRequest</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.SecurityProtocolType</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=invoke-shellcode" condition="contains">Shellcode</CommandLine>
 			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
 			<ParentImage name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
+			<ParentImage name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="end with">psexesvc.exe</ParentImage>
+			<Description name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
+			<ParentImage name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="end with">psexec.exe</ParentImage>
+			<Description name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
+			<ParentImage name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="end with">pskill.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">forfiles.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">forfiles.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">pcalua.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">pcalua.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">bash.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">bash.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">bash.exe</Image>
+			<Image name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">wsmprovhost.exe</Image>
+			<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">wsmprovhost.exe</ParentImage>
+			<Image name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">winrm.cmd</Image>
+			<!--MITRE TACTIC: Persistence-->
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation" condition="end with">sethc.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">utilman.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">osk.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">Magnify.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">DisplaySwitch.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">Narrator.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">AtBroker.exe</ParentImage>
+			<Image name="MitreRef=T1053,Technique=Scheduled Task-Execution/Persistence/Privilege Escalation" condition="end with">taskeng.exe</Image> <!--Microsoft:Windows: taskscheduler -->
+			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation" condition="end with">sdbinst.exe</Image>
+			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</Image>
+			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</ParentImage>
+			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">at.exe</Image>
+			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">at.exe</ParentImage>
+			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement" condition="contains">System.Management.Automation</CommandLine>
+			<!--MITRE TACTIC: Lateral Movement-->
+			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement" condition="end with">wmiprvse.exe</ParentImage>
+			<!--MITRE TECHNIQUE: Obfuscation-->
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">FromBase64String</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect Secure Strings" condition="contains">convertto-securestring</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect some more obfuscation" condition="contains">VerbosePreference.ToString</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">runtime.interopservices.marshal</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">VerbosePreference.ToString</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowstyle h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowstyl h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowsty h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowst h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windows h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-window h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windo h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-wind h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-wi h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-w h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-wi h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hi</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hid</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hidd</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hidde</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hidden</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-Nop</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-Noni</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-ec</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-en</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">C^om^S^pEc</CommandLine>
+			<!--Native Windows tools - Living off the land-->
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeration" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
+			<Image name="MitreRef=T1134,Technique=Access Token Manipulation" condition="end with">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
 			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
 			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
 			<Image name="MitreRef=T1158,Technique=Hacking/LOLBins-Living off the Land" condition="end with">attrib.exe</Image>
@@ -168,56 +247,12 @@
 			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="end with">cls.exe</Image>
 			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="end with">doskey.exe</Image>
 	  		<!--                                                                                                                                            -->
-			<!--appc shim-->
-			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation" condition="end with">sdbinst.exe</Image>
-	  		<!--                                                                                                                                            -->
-			<!--BitsAdmin-->
-			<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion" condition="end with">bitsadmin.exe</Image>
-	  		<!--                                                                                                                                            -->
-			<!--UAC Bypass-->
-			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass" condition="end with">eventvwr.exe</ParentImage>
-			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass" condition="end with">fodhelper.exe</ParentImage>
-	  		<!--                                                                                                                                            -->
-			<!--InstallUtil Abuse-->
-			<Image name="MitreRef=T1118,Technique=Defense Evasion/Execution" condition="end with">InstallUtil.exe</Image>
-			<CommandLine name="MitreRef=T1118,Technique=Defense Evasion/Execution" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
-	  		<!--                                                                                                                                            -->
 			<!--Mavinject -->
 	        <Image name="MitreRef=T1218,Technique=Mavinject" condition="end with">Mavinject.exe</Image>
 			<Image name="MitreRef=T1191,Technique=Mavinject" condition="end with">CMSTP.exe</Image>
 	  		<!--                                                                                                                                            -->
-			<!--MSBuild-->
-			<Image name="MitreRef=T1191,Technique=MSBuild Applocker Bypass" condition="end with">MSBuild.exe</Image>
-	        <Image name="MitreRef=T1121,Technique=MSBuild Applocker Bypass" condition="end with">regsvcs.exe</Image>
-			<Image name="MitreRef=T1121,Technique=MSBuild Applocker Bypass" condition="end with">regasm.exe</Image>
-			<Image name="MitreRef=T1218,Technique=MSBuild Applocker Bypass" condition="end with">SyncAppvPublishingServer.exe</Image>
-	  		<!--                                                                                                                                            -->
-			<!--Control Panel-->
-			<Image name="MitreRef=T1218,Technique=Defense Evasion/Execution" condition="end with">control.exe</Image>
-	        <CommandLine name="MitreRef=T1196,Technique=Defense Evasion/Execution" condition="contains">control.exe /name</CommandLine>
-			<CommandLine name="MitreRef=T1196,Technique=Defense Evasion/Execution" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
-	  		<!--                                                                                                                                            -->
-			<!--Custom Mitre-->
-			<Image name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">wsmprovhost.exe</Image>
-			<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">wsmprovhost.exe</ParentImage>
-			<Image name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">winrm.cmd</Image>
 			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil.exe -decode</CommandLine>
 			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil -decode</CommandLine>
-			<Image name="MitreRef=T1170,Technique=Defense Evasion/Execution" condition="end with">mshta.exe</Image>
-			<Image name="MitreRef=T1070,Technique=Defense Evasion" condition="end with">wevutil.exe</Image>
-			<CommandLine name="MitreRef=T1070,Technique=Defense Evasion" condition="contains">wevutil cl</CommandLine>
-			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</Image>
-			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</ParentImage>
-			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">at.exe</Image>
-			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">at.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">forfiles.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">forfiles.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">pcalua.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">pcalua.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">bash.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">bash.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">bash.exe</Image>
-			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement" condition="contains">System.Management.Automation</CommandLine>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Adobe Parent Processes-->
 			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Acrobat" condition="end with">acrobat.exe</ParentImage>
@@ -261,48 +296,6 @@
 			<CommandLine name="Alert=Commands run from \\tsclient share ie: samsam ransomware" condition="contains">\\tsclient</CommandLine>
 			<CommandLine name="Alert=DotDot Dirs" condition="contains">..</CommandLine>
 	  		<!--                                                                                                                                            -->
-			<!--Hack Command Line Events-->
-			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="contains">COMSPEC</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">Invoke-Expression</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">iwr</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">Invoke-WebRequest</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">DownloadFile</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">DownloadString</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">Net.WebClient</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.WebRequest</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.SecurityProtocolType</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=invoke-shellcode" condition="contains">Shellcode</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">FromBase64String</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect Secure Strings" condition="contains">convertto-securestring</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect some more obfuscation" condition="contains">VerbosePreference.ToString</CommandLine>
-	  		<!--                                                                                                                                            -->
-			<!--Ofuscated Command Line arguments-->
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">runtime.interopservices.marshal</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">VerbosePreference.ToString</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowstyle h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowstyl h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowsty h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowst h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windows h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-window h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windo h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-wind h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-wi h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-w h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-wi h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hi</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hid</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hidd</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hidde</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hidden</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-Nop</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-Noni</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-ec</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-en</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">C^om^S^pEc</CommandLine>
 			<!--Suspicious Windows tools-->
 			<Image name="MitreRef=T1001,Technique=Signed Script Proxy Execution,Tactic=Defense Evasion/Execution" condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
 			<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
@@ -333,7 +326,6 @@
 			<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
 			<Image condition="image">net.exe</Image><!-- net use/net view-->
 			<Image condition="image">nbtstat.exe</Image><!-- Netbios stat-->
-			<Image condition="image">dsquery.exe</Image><!-- Query domain-->
 			<Image condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
 			<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
 			<Image condition="image">sc.exe</Image><!-- Service Control Manager-->
@@ -831,34 +823,35 @@
 			<DestinationHostname condition="contains">onion.direct</DestinationHostname>
 			<DestinationHostname condition="contains">tor2web.org</DestinationHostname>
 			<DestinationHostname condition="contains">tor2web.fi</DestinationHostname>
+			<DestinationHostname condition="contains">tor2web.io</DestinationHostname>
 			<DestinationHostname condition="contains">tor2web.blutmagie.de</DestinationHostname>
 			<DestinationHostname condition="contains">tor-gateways.de</DestinationHostname>
 			<DestinationHostname condition="contains">hiddenservice.net</DestinationHostname>
 			<!--Public Port Scan Detection-->
-			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">shodan</DestinationHostname>
-			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">shadow</DestinationHostname>
-			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">researchscan</DestinationHostname>
-			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">census</DestinationHostname>
-			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">linode</DestinationHostname>
-			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">sl-reverse</DestinationHostname>
-			<DestinationHostname name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">scanhub</DestinationHostname>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">.edu</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">158.130.6.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">71.6.216.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">137.226.113.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">138.246.252.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">128.32.30.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">208.93.152.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">162.216.46.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">169.229.3.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">155.94.254.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">98.143.148.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">155.94.222.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">134.147.203.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">69.170.62.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">159.203.213.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">209.236.120.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Discovery/Reconnaissance" condition="contains">158.130.6</DestinationIp>
+			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">shodan</DestinationHostname>
+			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">shadow</DestinationHostname>
+			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">researchscan</DestinationHostname>
+			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">census</DestinationHostname>
+			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">linode</DestinationHostname>
+			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">sl-reverse</DestinationHostname>
+			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">scanhub</DestinationHostname>
+			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">.edu</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">158.130.6.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">71.6.216.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">137.226.113.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">138.246.252.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">128.32.30.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">208.93.152.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">162.216.46.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">169.229.3.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">155.94.254.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">98.143.148.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">155.94.222.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">134.147.203.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">69.170.62.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">159.203.213.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">209.236.120.</DestinationIp>
+			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">158.130.6</DestinationIp>
 			<!--Ports-->
 			<DestinationPort condition="is">80</DestinationPort> <!--RDP Port-->
 			<DestinationPort condition="is">443</DestinationPort> <!--RDP Port-->

From cfca001ce94ac23dc0f6bef56e4750f16261cf46 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 10 Jul 2018 12:53:37 -0400
Subject: [PATCH 272/471] add some mitre registry identifiers

---
 sysmonconfig-export.xml | 106 ++++++++++++++++++++--------------------
 1 file changed, 53 insertions(+), 53 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 2f6e0de9..8405482d 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -109,13 +109,13 @@
 			<Image name="MitreRef=T1016,Technique=System Information Discovery" condition="end with">reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
 			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery" condition="end with">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
 			<!--MITRE TACTIC: Execution-->
-			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="contains">COMSPEC</CommandLine>
-			<ParentCommandLine name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="contains">COMSPEC</ParentCommandLine>
-			<Image name="MitreRef=T1059,Technique=" condition="end with">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
-			<ParentImage name="MitreRef=T1059,Technique=" condition="end with">cmd.exe</ParentImage> <!--Microsoft:Windows: Command prompt-->
-			<Image name="MitreRef=T1086,Technique=Execution" condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
-			<Description name="MitreRef=T1086,Technique=Execution" condition="end with">powershell.exe</Description> <!--Microsoft:Windows: PowerShell interface-->
-			<ParentImage name="MitreRef=T1086,Technique=Execution" condition="end with">powershell.exe</ParentImage> <!--Microsoft:Windows: PowerShell interface-->
+			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="contains">COMSPEC</CommandLine>
+			<ParentCommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="contains">COMSPEC</ParentCommandLine>
+			<Image name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
+			<ParentImage name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">cmd.exe</ParentImage> <!--Microsoft:Windows: Command prompt-->
+			<Image name="MitreRef=T1086,Technique=Powershell" condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
+			<Description name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</Description> <!--Microsoft:Windows: PowerShell interface-->
+			<ParentImage name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</ParentImage> <!--Microsoft:Windows: PowerShell interface-->
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">Invoke-Expression</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">iwr</CommandLine>
@@ -128,11 +128,11 @@
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=invoke-shellcode" condition="contains">Shellcode</CommandLine>
 			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
 			<ParentImage name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
-			<ParentImage name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="end with">psexesvc.exe</ParentImage>
-			<Description name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
-			<ParentImage name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="end with">psexec.exe</ParentImage>
-			<Description name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
-			<ParentImage name="MitreRefS=S0029,Command execution - Execution/Lateral Movement" condition="end with">pskill.exe</ParentImage>
+			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="end with">psexesvc.exe</ParentImage>
+			<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
+			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="end with">psexec.exe</ParentImage>
+			<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
+			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="end with">pskill.exe</ParentImage>
 			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">forfiles.exe</Image>
 			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">forfiles.exe</ParentImage>
 			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">pcalua.exe</Image>
@@ -853,11 +853,11 @@
 			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">209.236.120.</DestinationIp>
 			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">158.130.6</DestinationIp>
 			<!--Ports-->
-			<DestinationPort condition="is">80</DestinationPort> <!--RDP Port-->
-			<DestinationPort condition="is">443</DestinationPort> <!--RDP Port-->
-			<DestinationPort condition="is">3389</DestinationPort> <!--RDP Port-->
+			<DestinationPort name="Service=HTTP Connection" condition="is">80</DestinationPort> <!--RDP Port-->
+			<DestinationPort name="Service=HTTPS Connection" condition="is">443</DestinationPort>
+			<DestinationPort name="Service=Remote Desktop Connection" condition="is">3389</DestinationPort> <!--RDP Port-->
 			<DestinationPort condition="is">3540</DestinationPort> <!--Remote Assistance Port-->
-			<DestinationPort condition="is">22</DestinationPort>   <!--SSH Port-->
+			<DestinationPort name="Service=SSH Connection" condition="is">22</DestinationPort>   <!--SSH Port-->
 			<DestinationPort condition="is">23</DestinationPort>   <!--Telnet Port-->
 			<DestinationPort condition="is">25</DestinationPort>   <!--SMTP Port-->
 			<DestinationPort condition="is">139</DestinationPort>  <!--SMB Port-->
@@ -1269,7 +1269,7 @@
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
 		<FileCreate onmatch="include">
 			<TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links and shortcut modification-->
-			<TargetFilename condition="contains">\Startup</TargetFilename> <!--Microsoft:Office: Changes to user's autoloaded files under AppData-->
+			<TargetFilename name="MitreRef=T1060,Technique=Autorun Folder,Tactic=Persistence" condition="contains">\Startup</TargetFilename> <!--Microsoft:Office: Changes to user's autoloaded files under AppData-->
 			<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments--> <!--PRIVACY WARNING-->
 			<TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE--> <!--PRIVACY WARNING-->
 			<TargetFilename condition="end with">.dll</TargetFilename> <!-- Lets detect DLL's being dropped in locations and to detect DLL Search Order Hijacking -->
@@ -1525,14 +1525,14 @@
 				<!--ADDITIONAL REFERENCE: [ http://www.ghacks.net/2016/06/04/windows-automatic-startup-locations/ ] -->
 				<!--ADDITIONAL REFERENCE: [ https://view.officeapps.live.com/op/view.aspx?src=https://arsenalrecon.com/downloads/resources/Registry_Keys_Related_to_Autorun.ods ] -->
 				<!--ADDITIONAL REFERENCE: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject condition="contains">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Run keys, incld RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
-			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts-->
-			<TargetObject condition="contains">\Windows\System\Scripts</TargetObject> <!--Microsoft:Windows: Logon, Loggoff, Shutdown-->
-			<TargetObject condition="contains">\Microsoft\System\Scripts</TargetObject> <!--Microsoft:Windows: Legacy Logon, Loggoff, Shutdown Scripts-->
-			<TargetObject condition="end with">\ServiceDll</TargetObject> <!--Microsoft:Windows: Points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ] -->
-			<TargetObject condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: Points to a service's EXE [ https://github.com/crypsisgroup/Splunkmon/blob/master/sysmon.cfg ] -->
-			<TargetObject condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual)-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Run keys, incld RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Windows\System\Scripts</TargetObject> <!--Microsoft:Windows: Logon, Loggoff, Shutdown-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Microsoft\System\Scripts</TargetObject> <!--Microsoft:Windows: Legacy Logon, Loggoff, Shutdown Scripts-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="end with">\ServiceDll</TargetObject> <!--Microsoft:Windows: Points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: Points to a service's EXE [ https://github.com/crypsisgroup/Splunkmon/blob/master/sysmon.cfg ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual)-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
 			<TargetObject condition="contains">Session Manager\KnownDlls</TargetObject>
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</TargetObject> <!-- Print Monitor DLL's loaded at startup can be malicious, lets monitor those -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers</TargetObject> <!-- Print Provider DLL's loaded at startup can be malicious, lets monitor those -->
@@ -1543,29 +1543,29 @@
 			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
 			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
 			<TargetObject condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject> <!--Detect ACPI Rootkits -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location -->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject><!--Microsoft:Windows: Legacy Autorun may exist in server 2003-2008-->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject> <!-- Windows Debugger Hijack Autorun -->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ] -->
-			<TargetObject condition="contains">UserInitMprLogonScript</TargetObject> <!--Microsoft:Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject><!--Microsoft:Windows: Legacy Autorun may exist in server 2003-2008-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject> <!-- Windows Debugger Hijack Autorun -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">UserInitMprLogonScript</TargetObject> <!--Microsoft:Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ] -->
 			<TargetObject condition="end with">\CurrentVersion\Font Drivers</TargetObject>
 			<TargetObject condition="contains">Active Setup\Installed Components</TargetObject>
 			<TargetObject condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
 			<TargetObject condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
 			<TargetObject condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
 			<TargetObject condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
-			<TargetObject condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
 			<TargetObject condition="contains">SafeBoot\AlternateShell</TargetObject>
 			<TargetObject condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
@@ -1661,17 +1661,17 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
 			<!--Common Malware Persistence locations-->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			<TargetObject condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
-			<TargetObject condition="contains">CurrentVersion\Windows\Load</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
-			<TargetObject condition="contains">CurrentVersion\Windows\Run</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
-			<TargetObject condition="contains">CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/ms838576(v=winembedded.5).aspx ] -->
-			<TargetObject condition="contains">CurrentVersion\Winlogon\System</TargetObject> <!--Microsoft:Windows [ https://www.exterminate-it.com/malpedia/regvals/zlob-dns-changer/118 ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">CurrentVersion\Windows\Load</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">CurrentVersion\Windows\Run</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/ms838576(v=winembedded.5).aspx ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">CurrentVersion\Winlogon\System</TargetObject> <!--Microsoft:Windows [ https://www.exterminate-it.com/malpedia/regvals/zlob-dns-changer/118 ] -->
 			<!--Group Policy Scripts-->
 			<TargetObject condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
 			<TargetObject condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>

From 54b708df5172306cafe5640c0a8d94b1ac78d2d8 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 10 Jul 2018 13:25:59 -0400
Subject: [PATCH 273/471] misc updates

---
 sysmonconfig-export.xml | 64 ++++++++++++++++++++---------------------
 1 file changed, 32 insertions(+), 32 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 8405482d..fefb0216 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -73,7 +73,6 @@
 		<ProcessCreate onmatch="include">
 			<!--Mitre ATT&CK Rules-->
 			<!--MITRE TACTIC: Defense Evasion-->
-			<Image name="MitreRef=T1070,Technique=Indicator Removal on Host-Defense Evasion" condition="end with">wevtutil.exe</Image> <!--Microsoft:Windows: read and modify the Windows Eventlog -->
 			<Image name="MitreRef=T1117,Technique=Regsvr32-Defense Evasion/Execution" condition="end with">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
 			<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion" condition="end with">bitsadmin.exe</Image>
 			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="end with">eventvwr.exe</ParentImage>
@@ -85,35 +84,35 @@
 			<Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">regasm.exe</Image>
 			<Image name="MitreRef=T1218,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">SyncAppvPublishingServer.exe</Image>
 			<Image name="MitreRef=T1218,Technique=Defense Evasion/Execution" condition="end with">control.exe</Image>
-	        <CommandLine name="MitreRef=T1196,Technique=Defense Evasion/Execution" condition="contains">control.exe /name</CommandLine>
-			<CommandLine name="MitreRef=T1196,Technique=Defense Evasion/Execution" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
-			<Image name="MitreRef=T1170,Technique=Defense Evasion/Execution" condition="end with">mshta.exe</Image>
-			<Image name="MitreRef=T1070,Technique=Defense Evasion" condition="end with">wevutil.exe</Image>
-			<CommandLine name="MitreRef=T1070,Technique=Defense Evasion" condition="contains">wevutil cl</CommandLine>
+	        <CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution" condition="contains">control.exe /name</CommandLine>
+			<CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
+			<Image name="MitreRef=T1170,Technique=MSHTA,Tactic=Defense Evasion/Execution" condition="end with">mshta.exe</Image>
+			<Image name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion" condition="end with">wevutil.exe</Image>
+			<CommandLine name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion" condition="contains">wevutil cl</CommandLine>
 			<!--MITRE TACTIC: Discovery-->
 			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net user</CommandLine>
 			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net localgroup</CommandLine>
 			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net group</CommandLine>
 			<Image name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="image">dsquery.exe</Image><!-- Query domain-->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,MitreURL=https://attack.mitre.org/wiki/Technique/T1049" condition="end with">whoami.exe</Image>
-			<Image name="MitreRef=T1049,Technique=Discovery" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
-			<Image name="MitreRef=T1057,Technique=Process Discovery" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
-			<Image name="MitreRef=T1016,Technique=System Information Discovery" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
-			<Image name="MitreRef=T1057,Technique=Process Discovery" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery" condition="end with">nslookup.exe</Image> <!--Microsoft:Windows: shows DNS configuration and enables quering -->
-			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery" condition="end with">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
-			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery" condition="end with">net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
-			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery" condition="end with">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
-			<Image name="MitreRef=T1016,Technique=System Information Discovery" condition="end with">reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
-			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery" condition="end with">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,MitreURL=https://attack.mitre.org/wiki/Technique/T1049" condition="end with">whoami.exe</Image>
+			<Image name="MitreRef=T1049,Technique=Discovery,Tactic=Discovery" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
+			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
+			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
+			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">nslookup.exe</Image> <!--Microsoft:Windows: shows DNS configuration and enables quering -->
+			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="end with">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
+			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="end with">net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
+			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery" condition="end with">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
+			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
+			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
 			<!--MITRE TACTIC: Execution-->
 			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="contains">COMSPEC</CommandLine>
 			<ParentCommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="contains">COMSPEC</ParentCommandLine>
 			<Image name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
 			<ParentImage name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">cmd.exe</ParentImage> <!--Microsoft:Windows: Command prompt-->
-			<Image name="MitreRef=T1086,Technique=Powershell" condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
+			<Image name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
 			<Description name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</Description> <!--Microsoft:Windows: PowerShell interface-->
 			<ParentImage name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</ParentImage> <!--Microsoft:Windows: PowerShell interface-->
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
@@ -133,16 +132,16 @@
 			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="end with">psexec.exe</ParentImage>
 			<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
 			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="end with">pskill.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">forfiles.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">forfiles.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">pcalua.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">pcalua.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">bash.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">bash.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution" condition="end with">bash.exe</Image>
-			<Image name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">wsmprovhost.exe</Image>
-			<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">wsmprovhost.exe</ParentImage>
-			<Image name="MitreRef=T1028,Technique=Windows Remote Management" condition="end with">winrm.cmd</Image>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">forfiles.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">forfiles.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">pcalua.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">pcalua.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">bash.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">bash.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">bash.exe</Image>
+			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="end with">wsmprovhost.exe</Image>
+			<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="end with">wsmprovhost.exe</ParentImage>
+			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="end with">winrm.cmd</Image>
 			<!--MITRE TACTIC: Persistence-->
 			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation" condition="end with">sethc.exe</ParentImage>
 			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">utilman.exe</ParentImage>
@@ -1269,7 +1268,8 @@
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
 		<FileCreate onmatch="include">
 			<TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links and shortcut modification-->
-			<TargetFilename name="MitreRef=T1060,Technique=Autorun Folder,Tactic=Persistence" condition="contains">\Startup</TargetFilename> <!--Microsoft:Office: Changes to user's autoloaded files under AppData-->
+			<TargetFilename condition="contains">\Startup</TargetFilename> <!--Microsoft:Office: Changes to user's autoloaded files under AppData-->
+			<TargetFilename name="MitreRef=T1060,Technique=Autorun Folder Entries,Tactic=Persistence" condition="contains">\Programs\Startup</TargetFilename> <!--Microsoft:Windows: Autorun Startup Folder-->
 			<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments--> <!--PRIVACY WARNING-->
 			<TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE--> <!--PRIVACY WARNING-->
 			<TargetFilename condition="end with">.dll</TargetFilename> <!-- Lets detect DLL's being dropped in locations and to detect DLL Search Order Hijacking -->
@@ -1526,7 +1526,7 @@
 				<!--ADDITIONAL REFERENCE: [ https://view.officeapps.live.com/op/view.aspx?src=https://arsenalrecon.com/downloads/resources/Registry_Keys_Related_to_Autorun.ods ] -->
 				<!--ADDITIONAL REFERENCE: [ http://www.silentrunners.org/launchpoints.html ] -->
 			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Run keys, incld RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts-->
+			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts-->
 			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Windows\System\Scripts</TargetObject> <!--Microsoft:Windows: Logon, Loggoff, Shutdown-->
 			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Microsoft\System\Scripts</TargetObject> <!--Microsoft:Windows: Legacy Logon, Loggoff, Shutdown Scripts-->
 			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="end with">\ServiceDll</TargetObject> <!--Microsoft:Windows: Points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ] -->

From 6736eddade799db6a8c7b2ab510c55c359c94cbe Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 10 Jul 2018 13:34:53 -0400
Subject: [PATCH 274/471] at.exe fix

---
 sysmonconfig-export.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index fefb0216..a043c86d 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -154,8 +154,8 @@
 			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation" condition="end with">sdbinst.exe</Image>
 			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</Image>
 			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</ParentImage>
-			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">at.exe</Image>
-			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">at.exe</ParentImage>
+			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">at.exe</Image>
+			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">at.exe</ParentImage>
 			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement" condition="contains">System.Management.Automation</CommandLine>
 			<!--MITRE TACTIC: Lateral Movement-->
 			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement" condition="end with">wmiprvse.exe</ParentImage>

From c15c830ae3010bcd18cd1214ec4076c230f61bd2 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 10 Jul 2018 13:37:30 -0400
Subject: [PATCH 275/471] fix cls

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index a043c86d..58fc19d9 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -243,7 +243,7 @@
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">assoc </CommandLine>
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="end with">cls.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="is">cls.exe</Image>
 			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="end with">doskey.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<!--Mavinject -->

From cdbe0988b100fb8c5936e8562bd2e5a29ba70ca2 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 10 Jul 2018 16:04:58 -0400
Subject: [PATCH 276/471] slight tweak for cmd.exe

---
 sysmonconfig-export.xml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 58fc19d9..ea506a7c 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -110,8 +110,8 @@
 			<!--MITRE TACTIC: Execution-->
 			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="contains">COMSPEC</CommandLine>
 			<ParentCommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="contains">COMSPEC</ParentCommandLine>
-			<Image name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
-			<ParentImage name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">cmd.exe</ParentImage> <!--Microsoft:Windows: Command prompt-->
+			<Image name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">\cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
+			<ParentImage name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">\cmd.exe</ParentImage> <!--Microsoft:Windows: Command prompt-->
 			<Image name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
 			<Description name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</Description> <!--Microsoft:Windows: PowerShell interface-->
 			<ParentImage name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</ParentImage> <!--Microsoft:Windows: PowerShell interface-->
@@ -310,7 +310,6 @@
 			<Image condition="contains">psservice</Image><!--Detect PsService-->
 			<Image condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
 			<Image name="Alert=MSBuild Applocker bypass" condition="image">msbuild.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
-			<Image condition="image">installutil.exe</Image>
 			<Image name="Alert=MSI Installer Launched" condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
 			<Image name="Alert=Remote Desktop" condition="image">mstsc.exe</Image><!-- Remote Desktop -->
 			<Image name="Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image><!-- Telnet -->

From b04ccf5bc18fd82fcb80042f29bf571e79d35fe7 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 10 Jul 2018 16:21:42 -0400
Subject: [PATCH 277/471] net.exe update

---
 sysmonconfig-export.xml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ea506a7c..32faee26 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -101,8 +101,8 @@
 			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
 			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
 			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">nslookup.exe</Image> <!--Microsoft:Windows: shows DNS configuration and enables quering -->
-			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="end with">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
-			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="end with">net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
+			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="is">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
+			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="is">net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
 			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
 			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery" condition="end with">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
 			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
@@ -157,6 +157,9 @@
 			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">at.exe</Image>
 			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">at.exe</ParentImage>
 			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement" condition="contains">System.Management.Automation</CommandLine>
+			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence" condition="contains">net user /add</CommandLine>
+			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence" condition="contains">net localgroup administrators /add</CommandLine>
+
 			<!--MITRE TACTIC: Lateral Movement-->
 			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement" condition="end with">wmiprvse.exe</ParentImage>
 			<!--MITRE TECHNIQUE: Obfuscation-->
@@ -382,6 +385,7 @@
 			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
 			<Image condition="is">C:\Windows\system32\vssvc.exe</Image><!-- Microsoft Windows: Volume Shadow Copy Service -->
 			<CommandLine condition="contains">net use</CommandLine> <!-- Silence domain login scripts -->
+			<CommandLine condition="contains">net use</CommandLine> <!-- Silence domain login scripts -->
 			<!--SECTION: Microsoft:Windows:Defender-->
 			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
 			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->

From 26c8234ff7c0f80c97503ec93ed0b283c3ef5de2 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 10 Jul 2018 16:25:02 -0400
Subject: [PATCH 278/471] end with --> is

---
 sysmonconfig-export.xml | 46 ++++++++++++++++++++---------------------
 1 file changed, 23 insertions(+), 23 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 32faee26..35aad391 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -73,40 +73,40 @@
 		<ProcessCreate onmatch="include">
 			<!--Mitre ATT&CK Rules-->
 			<!--MITRE TACTIC: Defense Evasion-->
-			<Image name="MitreRef=T1117,Technique=Regsvr32-Defense Evasion/Execution" condition="end with">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
-			<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion" condition="end with">bitsadmin.exe</Image>
-			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="end with">eventvwr.exe</ParentImage>
-			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="end with">fodhelper.exe</ParentImage>
-			<Image name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution" condition="end with">InstallUtil.exe</Image>
+			<Image name="MitreRef=T1117,Technique=Regsvr32-Defense Evasion/Execution" condition="is">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
+			<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion" condition="is">bitsadmin.exe</Image>
+			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="is">eventvwr.exe</ParentImage>
+			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="is">fodhelper.exe</ParentImage>
+			<Image name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution" condition="is">InstallUtil.exe</Image>
 			<CommandLine name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
-			<Image name="MitreRef=T1191,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">MSBuild.exe</Image>
-	        <Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">regsvcs.exe</Image>
-			<Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">regasm.exe</Image>
-			<Image name="MitreRef=T1218,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">SyncAppvPublishingServer.exe</Image>
-			<Image name="MitreRef=T1218,Technique=Defense Evasion/Execution" condition="end with">control.exe</Image>
+			<Image name="MitreRef=T1191,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="is">MSBuild.exe</Image>
+	        <Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="is">regsvcs.exe</Image>
+			<Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="is">regasm.exe</Image>
+			<Image name="MitreRef=T1218,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="is">SyncAppvPublishingServer.exe</Image>
+			<Image name="MitreRef=T1218,Technique=Defense Evasion/Execution" condition="is">control.exe</Image>
 	        <CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution" condition="contains">control.exe /name</CommandLine>
 			<CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
-			<Image name="MitreRef=T1170,Technique=MSHTA,Tactic=Defense Evasion/Execution" condition="end with">mshta.exe</Image>
-			<Image name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion" condition="end with">wevutil.exe</Image>
+			<Image name="MitreRef=T1170,Technique=MSHTA,Tactic=Defense Evasion/Execution" condition="is">mshta.exe</Image>
+			<Image name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion" condition="is">wevutil.exe</Image>
 			<CommandLine name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion" condition="contains">wevutil cl</CommandLine>
 			<!--MITRE TACTIC: Discovery-->
 			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net user</CommandLine>
 			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net localgroup</CommandLine>
 			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net group</CommandLine>
-			<Image name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="image">dsquery.exe</Image><!-- Query domain-->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,MitreURL=https://attack.mitre.org/wiki/Technique/T1049" condition="end with">whoami.exe</Image>
-			<Image name="MitreRef=T1049,Technique=Discovery,Tactic=Discovery" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
-			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
-			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
-			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="is">dsquery.exe</Image><!-- Query domain-->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,MitreURL=https://attack.mitre.org/wiki/Technique/T1049" condition="is">whoami.exe</Image>
+			<Image name="MitreRef=T1049,Technique=Discovery,Tactic=Discovery" condition="is">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
+			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="is">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
+			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="is">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="is">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
+			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="is">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
 			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">nslookup.exe</Image> <!--Microsoft:Windows: shows DNS configuration and enables quering -->
 			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="is">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
 			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="is">net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
-			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery" condition="end with">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
-			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
-			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="is">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
+			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery" condition="is">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
+			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="is">reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
+			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery,Tactic=Discovery" condition="is">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
 			<!--MITRE TACTIC: Execution-->
 			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="contains">COMSPEC</CommandLine>
 			<ParentCommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="contains">COMSPEC</ParentCommandLine>

From dd50ab52799dd52ab5899c66178266d0414b7191 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 10 Jul 2018 16:35:06 -0400
Subject: [PATCH 279/471] save some cpu cycles with more "is"

---
 sysmonconfig-export.xml | 239 ++++++++++++++++++++--------------------
 1 file changed, 120 insertions(+), 119 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 35aad391..cc6c2596 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -100,7 +100,7 @@
 			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="is">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
 			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="is">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
 			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="is">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">nslookup.exe</Image> <!--Microsoft:Windows: shows DNS configuration and enables quering -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="is">nslookup.exe</Image> <!--Microsoft:Windows: shows DNS configuration and enables quering -->
 			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="is">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
 			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="is">net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
 			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="is">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
@@ -110,11 +110,11 @@
 			<!--MITRE TACTIC: Execution-->
 			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="contains">COMSPEC</CommandLine>
 			<ParentCommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="contains">COMSPEC</ParentCommandLine>
-			<Image name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">\cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
-			<ParentImage name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">\cmd.exe</ParentImage> <!--Microsoft:Windows: Command prompt-->
-			<Image name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
+			<Image name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="is">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
+			<ParentImage name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="is">cmd.exe</ParentImage> <!--Microsoft:Windows: Command prompt-->
+			<Image name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="is">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
 			<Description name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</Description> <!--Microsoft:Windows: PowerShell interface-->
-			<ParentImage name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</ParentImage> <!--Microsoft:Windows: PowerShell interface-->
+			<ParentImage name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="is">powershell.exe</ParentImage> <!--Microsoft:Windows: PowerShell interface-->
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">Invoke-Expression</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">iwr</CommandLine>
@@ -125,35 +125,35 @@
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.WebRequest</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.SecurityProtocolType</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=invoke-shellcode" condition="contains">Shellcode</CommandLine>
-			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
-			<ParentImage name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
-			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="end with">psexesvc.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="is">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
+			<ParentImage name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="is">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
+			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="is">psexesvc.exe</ParentImage>
 			<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
-			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="end with">psexec.exe</ParentImage>
+			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="is">psexec.exe</ParentImage>
 			<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
-			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="end with">pskill.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">forfiles.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">forfiles.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">pcalua.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">pcalua.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">bash.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">bash.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">bash.exe</Image>
-			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="end with">wsmprovhost.exe</Image>
-			<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="end with">wsmprovhost.exe</ParentImage>
-			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="end with">winrm.cmd</Image>
+			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="is">pskill.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="is">forfiles.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="is">forfiles.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="is">pcalua.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="is">pcalua.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="is">bash.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="is">bash.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="is">bash.exe</Image>
+			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="is">wsmprovhost.exe</Image>
+			<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="is">wsmprovhost.exe</ParentImage>
+			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="is">winrm.cmd</Image>
 			<!--MITRE TACTIC: Persistence-->
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation" condition="end with">sethc.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">utilman.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">osk.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">Magnify.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">DisplaySwitch.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">Narrator.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">AtBroker.exe</ParentImage>
-			<Image name="MitreRef=T1053,Technique=Scheduled Task-Execution/Persistence/Privilege Escalation" condition="end with">taskeng.exe</Image> <!--Microsoft:Windows: taskscheduler -->
-			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation" condition="end with">sdbinst.exe</Image>
-			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</Image>
-			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation" condition="is">sethc.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="is">utilman.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="is">osk.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="is">Magnify.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="is">DisplaySwitch.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="is">Narrator.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="is">AtBroker.exe</ParentImage>
+			<Image name="MitreRef=T1053,Technique=Scheduled Task-Execution/Persistence/Privilege Escalation" condition="is">taskeng.exe</Image> <!--Microsoft:Windows: taskscheduler -->
+			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation" condition="is">sdbinst.exe</Image>
+			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">schtasks.exe</Image>
+			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">schtasks.exe</ParentImage>
 			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">at.exe</Image>
 			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">at.exe</ParentImage>
 			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement" condition="contains">System.Management.Automation</CommandLine>
@@ -161,7 +161,7 @@
 			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence" condition="contains">net localgroup administrators /add</CommandLine>
 
 			<!--MITRE TACTIC: Lateral Movement-->
-			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement" condition="end with">wmiprvse.exe</ParentImage>
+			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement" condition="is">wmiprvse.exe</ParentImage>
 			<!--MITRE TECHNIQUE: Obfuscation-->
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">FromBase64String</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect Secure Strings" condition="contains">convertto-securestring</CommandLine>
@@ -192,18 +192,18 @@
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">C^om^S^pEc</CommandLine>
 			<!--Native Windows tools - Living off the land-->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeration" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
-			<Image name="MitreRef=T1134,Technique=Access Token Manipulation" condition="end with">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
-			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
-			<Image name="MitreRef=T1158,Technique=Hacking/LOLBins-Living off the Land" condition="end with">attrib.exe</Image>
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">nltest.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=" condition="is">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeration" condition="is">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
+			<Image name="MitreRef=ToDo,Technique=" condition="is">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
+			<Image name="MitreRef=T1134,Technique=Access Token Manipulation" condition="is">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
+			<Image name="MitreRef=ToDo,Technique=" condition="is">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
+			<Image name="MitreRef=ToDo,Technique=" condition="is">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
+			<Image name="MitreRef=ToDo,Technique=" condition="is">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="is">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
+			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="is">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
+			<Image name="MitreRef=T1158,Technique=Hacking/LOLBins-Living off the Land" condition="is">attrib.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="is">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="is">nltest.exe</Image>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">nltest.exe</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ExtExport</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">bash -c</CommandLine>
@@ -247,41 +247,41 @@
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">assoc </CommandLine>
 			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="is">cls.exe</Image>
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="end with">doskey.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="is">doskey.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<!--Mavinject -->
-	        <Image name="MitreRef=T1218,Technique=Mavinject" condition="end with">Mavinject.exe</Image>
-			<Image name="MitreRef=T1191,Technique=Mavinject" condition="end with">CMSTP.exe</Image>
+	        <Image name="MitreRef=T1218,Technique=Mavinject" condition="is">Mavinject.exe</Image>
+			<Image name="MitreRef=T1191,Technique=Mavinject" condition="is">CMSTP.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil.exe -decode</CommandLine>
 			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil -decode</CommandLine>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Adobe Parent Processes-->
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Acrobat" condition="end with">acrobat.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Adobe Reader" condition="end with">acrord32.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Acrobat" condition="is">acrobat.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Adobe Reader" condition="is">acrord32.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Browser Parent Processes-->
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned Process from Chrome" condition="end with">chrome.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Firefox" condition="end with">firefox.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Internet Explorer" condition="end with">iexplore.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="end with">MicrosoftEdgeCP.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="end with">MicrosoftEdge.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Vivaldi Browser" condition="end with">vivaldi.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Waterfox Browser" condition="end with">waterfox.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned Process from Chrome" condition="is">chrome.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Firefox" condition="is">firefox.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Internet Explorer" condition="is">iexplore.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="is">MicrosoftEdgeCP.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="is">MicrosoftEdge.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Vivaldi Browser" condition="is">vivaldi.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Waterfox Browser" condition="is">waterfox.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Java Parent Processes-->
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">java.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">javaw.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">java.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">javaw.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Office Parent Processes & Abuse-->
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">word.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">excel.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">POWERPNT.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">outlook.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">visio.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">msaccess.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">lync.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">skype.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">word.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">excel.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">POWERPNT.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">outlook.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">visio.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">msaccess.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">lync.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">skype.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Output Redirection-->
 			<CommandLine name="Alert=Output Redirection" condition="contains">2></CommandLine>
@@ -345,12 +345,12 @@
 			<Image name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="end with">.com</Image>
 			<Image name="Info=Executables Launched In Temp" condition="contains">\temp\</Image>
 			<Image name="Info=Executables Launched In User Dirs" condition="begin with">C:\users</Image>
-			<ParentImage condition="end with">explorer.exe</ParentImage>
-			<Image condition="end with">control.exe</Image>
-			<Image condition="end with">acrord32.exe</Image>
-			<Image condition="end with">installutil.exe</Image>
-			<Image name="Info=Registry modification/queries" condition="end with">reg.exe</Image>
-			<Image name="Info=ipconfig discovery" condition="end with">ipconfig.exe</Image>
+			<ParentImage condition="is">explorer.exe</ParentImage>
+			<Image condition="is">control.exe</Image>
+			<Image condition="is">acrord32.exe</Image>
+			<Image condition="is">installutil.exe</Image>
+			<Image name="Info=Registry modification/queries" condition="is">reg.exe</Image>
+			<Image name="Info=ipconfig discovery" condition="is">ipconfig.exe</Image>
 			<Image name="Info=Executables Launched In Appdata" condition="contains">\appdata\</Image>
 			<Image condition="contains">\programdata\</Image>
 			<Image condition="contains">\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
@@ -366,7 +366,7 @@
 			<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes-->
 			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
 			<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine> <!--Microsoft:Windows: Search Indexer-->
-			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
+			<Image condition="is">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
 			<Image condition="is">C:\Windows\System32\MusNotification.exe</Image> <!--Microsoft:Windows: Update popups-->
 			<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image> <!--Microsoft:Windows: Update popups-->
 			<Image condition="is">C:\Windows\System32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly-->
@@ -388,7 +388,7 @@
 			<CommandLine condition="contains">net use</CommandLine> <!-- Silence domain login scripts -->
 			<!--SECTION: Microsoft:Windows:Defender-->
 			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
-			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
+			<Image condition="is">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
 			<Image condition="is">C:\Windows\System32\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
 			<Image condition="is">C:\Windows\SysWOW64\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
 			<Image condition="is">C:\Windows\System32\MpSigStub.exe</Image> <!--Microsoft:Windows: Microsoft Malware Protection Signature Update Stub-->
@@ -502,54 +502,54 @@
 			<!--SECTION: Adobe-->
 			<CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!--Adobe:AcrobatReader: Uninsteresting sandbox subprocess-->
 			<CommandLine condition="contains">AcroRd32.exe" --channel=</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
-			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
+			<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
+			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
+			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image>
 			<!--SECTION: Adobe:Acrobat DC-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
+			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
+			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
 			<!--SECTION: Adobe:Acrobat 2015-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
+			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
+			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
 			<!--SECTION: Adobe:Acrobat Reader DC-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
+			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
+			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
 			<!--SECTION: Adobe:Flash-->
-			<Image condition="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
+			<Image condition="is">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
 			<!--SECTION: Adobe:Updater-->
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
-			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</ParentImage> <!--Adobe:Updater: Properly hardened updater, not a risk-->
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
+			<Image condition="is">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
+			<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</ParentImage> <!--Adobe:Updater: Properly hardened updater, not a risk-->
+			<Image condition="is">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
 			<!--SECTION: Adobe:Supporting processes-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe</Image>
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image>
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> <!--Adobe:Creative Cloud-->
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image> <!--Adobe:License utility-->
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</Image> <!--Adobe:License utility-->
-			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</ParentImage> <!--Adobe:License utility-->
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> <!--Adobe:Creative Cloud-->
+			<Image condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image> <!--Adobe:License utility-->
+			<Image condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</Image> <!--Adobe:License utility-->
+			<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</ParentImage> <!--Adobe:License utility-->
+			<Image condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image>
 			<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</ParentImage>
 			<!--SECTION: Adobe:Creative Cloud-->
 			<!--SECTION: Cisco-->
-			<ParentImage condition="end with">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</ParentImage> <!--Cisco: Calls netsh to change settings on connect-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
-			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
-			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage>
-			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe</ParentImage>
+			<ParentImage condition="is">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</ParentImage> <!--Cisco: Calls netsh to change settings on connect-->
+			<Image condition="is">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
+			<ParentImage condition="is">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
+			<ParentImage condition="is">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage>
+			<ParentImage condition="is">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe</ParentImage>
 			<!--SECTION: Drivers-->
 			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
 			<Image condition="begin with">C:\Program Files\NVIDIA Corporation\</Image> <!--Nvidia:Driver: routine actions-->
-			<Image condition="end with">\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe</Image> <!--Nvidia:Driver: routine actions-->
+			<Image condition="is">\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe</Image> <!--Nvidia:Driver: routine actions-->
 			<ParentImage condition="is">C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamuseragent.exe</ParentImage> <!--Nvidia:Driver: routine actions-->
 			<Image condition="begin with">C:\Program Files\Realtek\</Image> <!--Realtek:Driver: routine actions-->
-			<ParentImage condition="end with">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage>
+			<ParentImage condition="is">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage>
 			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
 			<ParentImage condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</ParentImage><!--Synaptics Touchpad -->
-			<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
+			<ParentImage condition="is">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
 			<!--SECTION: Dropbox-->
-			<Image condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> <!--Dropbox:Updater: Lots of command-line arguments-->
-			<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
+			<Image condition="is">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> <!--Dropbox:Updater: Lots of command-line arguments-->
+			<ParentImage condition="is">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
 			<!--SECTION: Dell-->
 			<ParentImage condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
 			<Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image> <!--Dell:SupportAssist: routine actions-->
@@ -619,7 +619,7 @@
 			<ParentCommandLine condition="contains">sc queryex type= service</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe</ParentCommandLine> <!--ShadowProtect noise -->
 			<ParentCommandLine condition="contains">raw_agent_svc.exe</ParentCommandLine> <!--ShadowProtect noise -->
-			<ParentImage condition="end with">raw_agent_svc.exe</ParentImage> <!--ShadowProtect noise -->
+			<ParentImage condition="is">raw_agent_svc.exe</ParentImage> <!--ShadowProtect noise -->
 			<CommandLine condition="contains">IscsidscInterface.exe</CommandLine> <!--ShadowProtect noise -->
 			<ParentCommandLine condition="contains">IscsidscInterface.exe</ParentCommandLine> <!--ShadowProtect noise -->
 			<ParentCommandLine condition="contains">Add-PSSnapin Microsoft.SharePoint.PowerShell</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
@@ -648,11 +648,11 @@
 			<CommandLine condition="contains">interface tcp show global</CommandLine>
 			<Image condition="is">nslookup.exe</Image><!--Labtech NStest.bat lookups-->
 			<!--END: Labtech-->
-			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->
+			<Image condition="is">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->
 			<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
 			<ParentImage condition="begin with">C:\Program Files (x86)\SmartGit</ParentImage> <!--SmartGit-->
-			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser-->
-			<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--Connectwise-->
+			<Image condition="is">vivaldi.exe</Image> <!--Vivaldi Browser-->
+			<Image condition="end with">ConnectWise.exe</Image> <!--Connectwise-->
 			<!-- VMware vSphere spawns child processes to svtres.exe and csc.exe, currently unable to exclude those child processes, csc and cvtres.exe are used by some malware-->
 			<ParentCommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</ParentCommandLine> <!--VMware vSphere spawns subprocesses-->
 			<CommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</CommandLine><!--VMware vSphere spawns subprocesses-->
@@ -946,13 +946,13 @@
 			<DestinationIsIpv6 condition="is">true </DestinationIsIpv6> <!-- IPv6 Exclusion: Re-Enable if you use ipv6 -->
 			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
 			<Image condition="image">Spotify.exe</Image> <!--Spotify-->
-			<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image> <!--Dropbox-->
+			<Image condition="end with">Dropbox.exe</Image> <!--Dropbox-->
 			<Image condition="image">OneDriveStandaloneUpdater.exe</Image> <!--Microsoft:OneDrive-->
 			<Image condition="image">ConnectWise.exe</Image> <!--ConnectWise Noise-->
 			<Image condition="image">ScreenConnect.WindowsClient.exe</Image> <!--ScreenConnect Noise-->
-			<Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
-			<Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
-			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser Installed in User profile-->
+			<Image condition="is">Dashlane.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
+			<Image condition="is">DashlanePlugin.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
+			<Image condition="is">vivaldi.exe</Image> <!--Vivaldi Browser Installed in User profile-->
 			<DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
 			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
 			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->
@@ -1010,7 +1010,8 @@
 			<Image condition="begin with">C:\Users</Image> <!--Process terminations by user binaries-->
 			<Image condition="begin with">C:\ProgramData</Image> <!--Process terminations by user binaries-->
 			<Image condition="begin with">C:\Windows\Temp</Image> <!--Process terminations by user binaries-->
-			<Image condition="end with">Sysmon.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec-->
+			<Image condition="is">Sysmon.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec-->
+			<Image condition="is">Sysmon64.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec-->
 		</ProcessTerminate>
 
 	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
@@ -2117,7 +2118,7 @@
 			<PipeName condition="contains">chrome.</PipeName>
 			<PipeName condition="contains">GoogleCrashServices</PipeName>
 			<!--SECTION: Other-->
-			<Image condition="end with">slack.exe</Image>
+			<Image condition="is">slack.exe</Image>
 			<!--SECTION: ConnectWise-->
 			<PipeName condition="contains">booma\</PipeName>
 			<!--SECTION: EnPass-->
@@ -2193,10 +2194,10 @@
 			<Image condition="is">ScreenConnect.WindowsClient.exe</Image>
 			<Image condition="is">ScreenConnect.ClientService.exe</Image>
 			<Image condition="is">QBW32.EXE</Image>
-			<Image condition="end with">EXCEL.EXE</Image>
-			<Image condition="end with">ADCUpdate.exe</Image>
-			<Image condition="end with">Hydrous.Host.exe</Image>
-			<Image condition="end with">TNSLSNR.exe</Image>
+			<Image condition="is">EXCEL.EXE</Image>
+			<Image condition="is">ADCUpdate.exe</Image>
+			<Image condition="is">Hydrous.Host.exe</Image>
+			<Image condition="is">TNSLSNR.exe</Image>
 			<Image condition="contains">ShoreWare Server</Image>
 		</PipeEvent>
 

From b925dae30fbcfb67924ba05db6499a8f9c00b7df Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Wed, 11 Jul 2018 07:45:23 -0400
Subject: [PATCH 280/471] add command line exclusion

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index cc6c2596..ed9816d9 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -678,6 +678,7 @@
 			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image>
 			<Image condition="is">C:\Program Files\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image>
 			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe</ParentImage>
+			<ParentCommandLine condition="contains">N-able Technologies\Windows Software Probe\bin\wsp.exe</ParentCommandLine>
 			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</ParentImage>
 			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe</ParentImage>			
 			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe</Image>			

From c168824efe425a4607f0a028b24b253cbad814a2 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Wed, 11 Jul 2018 08:15:49 -0400
Subject: [PATCH 281/471] app exclusions

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ed9816d9..47ddb26d 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -693,6 +693,8 @@
 			 <!--Exclude: Netlogon scripts-->
 			<ParentCommandLine condition="contains">\netlogon\</ParentCommandLine>
 			<CommandLine condition="contains">\netlogon\</CommandLine>
+			<ParentImage condition="is">C:\PROGRA~2\SAAZOD\SAAZMSMACTL.EXE</ParentImage>
+
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->

From 7bdcd3253bebfdc201ad322399e78609450389c5 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Wed, 11 Jul 2018 10:08:36 -0400
Subject: [PATCH 282/471] exclude taskeng.exe, we already detect task creation,
 task execution can be noisy and there is an extra need for many exclusions
 enabling this.

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 47ddb26d..2039eaae 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -461,6 +461,7 @@
 			<ParentCommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</ParentCommandLine><!--Microsoft:Windows Network Services: Spawns Consent.exe-->
 			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted</ParentCommandLine><!--Microsoft:Windows Network Services-->
 			<Image condition="is">C:\Windows\System32\powercfg.exe</Image><!--Microsoft:Power Management-->
+			<ParentImage condition="is">C:\Windows\System32\taskeng.exe</ParentImage><!--Microsoft:Scheduled Task noise, we already detect creation-->
 			<!--SECTION: Microsoft dotNet-->
 			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
 			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->

From 61db4aa25d63e1c6d4ffe644c372d0aee7050002 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Wed, 11 Jul 2018 13:18:12 -0400
Subject: [PATCH 283/471] Add net.exe exclusions and command line additions,
 net use is too noisy.

---
 sysmonconfig-export.xml | 37 ++++++++++++++++++++++++++++++++++---
 1 file changed, 34 insertions(+), 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 2039eaae..f8723083 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -91,8 +91,29 @@
 			<CommandLine name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion" condition="contains">wevutil cl</CommandLine>
 			<!--MITRE TACTIC: Discovery-->
 			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net user</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net  user</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe user</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe  user</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1.exe user</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1.exe  user</CommandLine>
 			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net localgroup</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net  localgroup</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe localgroup</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe  localgroup</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1 localgroup</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1  localgroup</CommandLine>
 			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net  group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net  group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe  group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net  group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe  group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1.exe group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1.exe  group</CommandLine>
 			<Image name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="is">dsquery.exe</Image><!-- Query domain-->
 			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,MitreURL=https://attack.mitre.org/wiki/Technique/T1049" condition="is">whoami.exe</Image>
 			<Image name="MitreRef=T1049,Technique=Discovery,Tactic=Discovery" condition="is">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
@@ -154,6 +175,8 @@
 			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation" condition="is">sdbinst.exe</Image>
 			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">schtasks.exe</Image>
 			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">schtasks.exe</ParentImage>
+			<CommandLine name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="contains">schtasks /create</CommandLine>
+			<CommandLine name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="contains">schtasks.exe /create</CommandLine>
 			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">at.exe</Image>
 			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">at.exe</ParentImage>
 			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement" condition="contains">System.Management.Automation</CommandLine>
@@ -325,7 +348,6 @@
 			<Image name="Alert=Secure Shell FTP Execution" condition="image">psftp.exe</Image><!-- SFTP -->
 			<Image condition="image">tftp.exe</Image><!-- TFTP -->
 			<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
-			<Image condition="image">net.exe</Image><!-- net use/net view-->
 			<Image condition="image">nbtstat.exe</Image><!-- Netbios stat-->
 			<Image condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
 			<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
@@ -695,7 +717,14 @@
 			<ParentCommandLine condition="contains">\netlogon\</ParentCommandLine>
 			<CommandLine condition="contains">\netlogon\</CommandLine>
 			<ParentImage condition="is">C:\PROGRA~2\SAAZOD\SAAZMSMACTL.EXE</ParentImage>
-
+			 <!--Exclude: Too noisy in a domain environment with legacy logon scripts-->
+			<CommandLine condition="contains">net use</CommandLine>
+			<CommandLine condition="contains">net.exe use</CommandLine>
+			<CommandLine condition="contains">net1 use</CommandLine>
+			<CommandLine condition="contains">net1.exe use</CommandLine>
+			<CommandLine condition="contains">net time</CommandLine>
+			<CommandLine condition="contains">net.exe time</CommandLine>
+			<CommandLine condition="contains">net1 time</CommandLine>
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
@@ -729,8 +758,9 @@
 		<NetworkConnect onmatch="include">
 			<!--Suspicious sources for network-connecting binaries-->
 			<Image condition="begin with">C:\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
+			<Image condition="contains">\temp\</Image> <!--Network Connection in Temp Directories-->
+			<Image condition="contains">$RECYCLE.BIN</Image> <!--Network Connection in Temp Directories-->
 			<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
-			<Image condition="begin with">C:\Windows\Temp</Image> <!--Suspicious anything would communicate from the system-level temp directory-->
 			<Image condition="begin with">C:\Perflogs\</Image>
 			<Image condition="contains">config\systemprofile\</Image>
 			<Image condition="contains">\Windows\Fonts\</Image>
@@ -742,6 +772,7 @@
 			<Image condition="contains">MicrosoftEdgeCP.exe</Image>
 			<Image condition="contains">MicrosoftEdge.exe</Image>
 			<Image condition="contains">explorer.exe</Image>
+			<Image name="Alert=Non-Exe Connecting to network" condition="excludes">.exe</Image>
 			<!--Suspicious Windows tools-->
 			<Image condition="image">at.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
 			<Image condition="image">certutil.exe</Image> <!--Microsoft:Windows: Certificate tool can contact outbound | Credit @ion-storm and @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->

From 66adb24bffd4d32c82dc8bc59972dc4eb4712657 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Wed, 11 Jul 2018 13:27:19 -0400
Subject: [PATCH 284/471] let no longer flag linode

---
 sysmonconfig-export.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f8723083..3669f629 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -869,7 +869,6 @@
 			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">shadow</DestinationHostname>
 			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">researchscan</DestinationHostname>
 			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">census</DestinationHostname>
-			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">linode</DestinationHostname>
 			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">sl-reverse</DestinationHostname>
 			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">scanhub</DestinationHostname>
 			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">.edu</DestinationIp>

From 9fd2df60ca35fbf4305258de0cc470f8fb15bcb6 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Wed, 11 Jul 2018 13:54:56 -0400
Subject: [PATCH 285/471] add T1055

---
 sysmonconfig-export.xml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 3669f629..27268a10 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1187,6 +1187,10 @@
 		[ https://attack.mitre.org/wiki/Technique/T1055 ] -->
 
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
+		<CreateRemoteThread onmatch="include">
+			<StartFunction name="MitreRef=T1055,Technique=DLL Injection via LoadLibrary API Call,Tactic=Defense Evasion" condition="contains">LoadLibrary</StartFunction>
+			<SourceImage condition="contains">\</SourceImage>
+		</CreateRemoteThread>
 		<CreateRemoteThread onmatch="exclude">
 			<!--COMMENT: Exclude mostly-safe sources and log anything else.-->
 			<SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
@@ -1201,6 +1205,13 @@
 			<SourceImage condition="contains">FireSvc.exe</SourceImage>
 			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
 			<TargetImage condition="end with">controls\cef\ConnectWise.exe</TargetImage>
+			<SourceImage condition="is">C:\Program Files\N-able Technologies\AVDefender\epsecurityservice.exe</SourceImage>
+			<SourceImage condition="is">C:\Program Files\N-able Technologies\AVDefender\EPSecurityService.exe</SourceImage>
+			<SourceImage condition="is">C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\avp.exe</SourceImage>
+			<SourceImage condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Common7\IDE\Remote Debugger\x64\msvsmon.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\System32\rdpclip.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\sysmon64.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\sysmon.exe</SourceImage>
 		</CreateRemoteThread>
 
 	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->

From 0a6543144dfe77d876f8bda7188916f18a6ddd5a Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Wed, 11 Jul 2018 14:37:32 -0400
Subject: [PATCH 286/471] Autorun exclusions

---
 sysmonconfig-export.xml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 27268a10..5ae748e0 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -2001,6 +2001,26 @@
 			<TargetObject condition="contains">\Software\NITRO\PRO</TargetObject>
 			<!--SECTION: Webroot Spam-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\WRData\Status</TargetObject>
+			<!--MITRE Autorun Exclusions-->
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\RapportIaso</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\gzflt</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\trufos</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\wudfsvc</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\EFS</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\avc3</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\NableRemoteService</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\TabletInputService</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\AdobeARMservice</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\EPUpdateService</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\ScreenConnect </TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\EPSecurityService</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\EPIntegrationService</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\wrUrlFlt</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WRSVC</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\avckf</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\services\NableRemoteService</TargetObject>
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WRSVC</TargetObject>
+			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\BDElam</TargetObject>
 		</RegistryEvent>
 
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->

From 09173b2e8bbf0025fb66cb2c32b5106d650b3c6f Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Wed, 11 Jul 2018 14:43:28 -0400
Subject: [PATCH 287/471] excludes

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 5ae748e0..e5c59f85 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -171,7 +171,6 @@
 			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="is">DisplaySwitch.exe</ParentImage>
 			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="is">Narrator.exe</ParentImage>
 			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="is">AtBroker.exe</ParentImage>
-			<Image name="MitreRef=T1053,Technique=Scheduled Task-Execution/Persistence/Privilege Escalation" condition="is">taskeng.exe</Image> <!--Microsoft:Windows: taskscheduler -->
 			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation" condition="is">sdbinst.exe</Image>
 			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">schtasks.exe</Image>
 			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">schtasks.exe</ParentImage>
@@ -725,6 +724,7 @@
 			<CommandLine condition="contains">net time</CommandLine>
 			<CommandLine condition="contains">net.exe time</CommandLine>
 			<CommandLine condition="contains">net1 time</CommandLine>
+			<CommandLine condition="contains">C:\Windows\system32\cmd.exe /c UsrLogon.cmd</CommandLine>
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->

From e629916766c03adf0164b4a91c77f1ea9a986743 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Wed, 11 Jul 2018 15:38:14 -0400
Subject: [PATCH 288/471] revert is change

---
 sysmonconfig-export.xml | 268 +++++++++++++++++++++-------------------
 1 file changed, 142 insertions(+), 126 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e5c59f85..727c209f 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -73,21 +73,21 @@
 		<ProcessCreate onmatch="include">
 			<!--Mitre ATT&CK Rules-->
 			<!--MITRE TACTIC: Defense Evasion-->
-			<Image name="MitreRef=T1117,Technique=Regsvr32-Defense Evasion/Execution" condition="is">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
-			<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion" condition="is">bitsadmin.exe</Image>
-			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="is">eventvwr.exe</ParentImage>
-			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="is">fodhelper.exe</ParentImage>
-			<Image name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution" condition="is">InstallUtil.exe</Image>
+			<Image name="MitreRef=T1117,Technique=Regsvr32-Defense Evasion/Execution" condition="end with">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
+			<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion" condition="end with">bitsadmin.exe</Image>
+			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="end with">eventvwr.exe</ParentImage>
+			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="end with">fodhelper.exe</ParentImage>
+			<Image name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution" condition="end with">InstallUtil.exe</Image>
 			<CommandLine name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
-			<Image name="MitreRef=T1191,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="is">MSBuild.exe</Image>
-	        <Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="is">regsvcs.exe</Image>
-			<Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="is">regasm.exe</Image>
-			<Image name="MitreRef=T1218,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="is">SyncAppvPublishingServer.exe</Image>
-			<Image name="MitreRef=T1218,Technique=Defense Evasion/Execution" condition="is">control.exe</Image>
+			<Image name="MitreRef=T1191,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">MSBuild.exe</Image>
+	        <Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">regsvcs.exe</Image>
+			<Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">regasm.exe</Image>
+			<Image name="MitreRef=T1218,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">SyncAppvPublishingServer.exe</Image>
+			<Image name="MitreRef=T1218,Technique=Defense Evasion/Execution" condition="end with">control.exe</Image>
 	        <CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution" condition="contains">control.exe /name</CommandLine>
 			<CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
-			<Image name="MitreRef=T1170,Technique=MSHTA,Tactic=Defense Evasion/Execution" condition="is">mshta.exe</Image>
-			<Image name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion" condition="is">wevutil.exe</Image>
+			<Image name="MitreRef=T1170,Technique=MSHTA,Tactic=Defense Evasion/Execution" condition="end with">mshta.exe</Image>
+			<Image name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion" condition="end with">wevutil.exe</Image>
 			<CommandLine name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion" condition="contains">wevutil cl</CommandLine>
 			<!--MITRE TACTIC: Discovery-->
 			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net user</CommandLine>
@@ -121,21 +121,28 @@
 			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="is">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
 			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="is">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
 			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="is">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="is">nslookup.exe</Image> <!--Microsoft:Windows: shows DNS configuration and enables quering -->
+			<Image name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="image">dsquery.exe</Image><!-- Query domain-->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,MitreURL=https://attack.mitre.org/wiki/Technique/T1049" condition="end with">whoami.exe</Image>
+			<Image name="MitreRef=T1049,Technique=Discovery,Tactic=Discovery" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
+			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
+			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
+			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">nslookup.exe</Image> <!--Microsoft:Windows: shows DNS configuration and enables quering -->
 			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="is">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
 			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="is">net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="is">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
-			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery" condition="is">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
-			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="is">reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
-			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery,Tactic=Discovery" condition="is">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
+			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery" condition="end with">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
+			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
+			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
 			<!--MITRE TACTIC: Execution-->
 			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="contains">COMSPEC</CommandLine>
 			<ParentCommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="contains">COMSPEC</ParentCommandLine>
-			<Image name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="is">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
-			<ParentImage name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="is">cmd.exe</ParentImage> <!--Microsoft:Windows: Command prompt-->
-			<Image name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="is">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
+			<Image name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">\cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
+			<ParentImage name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">\cmd.exe</ParentImage> <!--Microsoft:Windows: Command prompt-->
+			<Image name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
 			<Description name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</Description> <!--Microsoft:Windows: PowerShell interface-->
-			<ParentImage name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="is">powershell.exe</ParentImage> <!--Microsoft:Windows: PowerShell interface-->
+			<ParentImage name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</ParentImage> <!--Microsoft:Windows: PowerShell interface-->
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">Invoke-Expression</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">iwr</CommandLine>
@@ -146,23 +153,23 @@
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.WebRequest</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.SecurityProtocolType</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=invoke-shellcode" condition="contains">Shellcode</CommandLine>
-			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="is">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
-			<ParentImage name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="is">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
-			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="is">psexesvc.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
+			<ParentImage name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
+			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="end with">psexesvc.exe</ParentImage>
 			<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
-			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="is">psexec.exe</ParentImage>
+			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="end with">psexec.exe</ParentImage>
 			<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
-			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="is">pskill.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="is">forfiles.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="is">forfiles.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="is">pcalua.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="is">pcalua.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="is">bash.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="is">bash.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="is">bash.exe</Image>
-			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="is">wsmprovhost.exe</Image>
-			<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="is">wsmprovhost.exe</ParentImage>
-			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="is">winrm.cmd</Image>
+			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="end with">pskill.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">forfiles.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">forfiles.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">pcalua.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">pcalua.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">bash.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">bash.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">bash.exe</Image>
+			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="end with">wsmprovhost.exe</Image>
+			<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="end with">wsmprovhost.exe</ParentImage>
+			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="end with">winrm.cmd</Image>
 			<!--MITRE TACTIC: Persistence-->
 			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation" condition="is">sethc.exe</ParentImage>
 			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="is">utilman.exe</ParentImage>
@@ -176,6 +183,17 @@
 			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">schtasks.exe</ParentImage>
 			<CommandLine name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="contains">schtasks /create</CommandLine>
 			<CommandLine name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="contains">schtasks.exe /create</CommandLine>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation" condition="end with">sethc.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">utilman.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">osk.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">Magnify.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">DisplaySwitch.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">Narrator.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">AtBroker.exe</ParentImage>
+			<Image name="MitreRef=T1053,Technique=Scheduled Task-Execution/Persistence/Privilege Escalation" condition="end with">taskeng.exe</Image> <!--Microsoft:Windows: taskscheduler -->
+			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation" condition="end with">sdbinst.exe</Image>
+			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</Image>
+			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</ParentImage>
 			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">at.exe</Image>
 			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">at.exe</ParentImage>
 			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement" condition="contains">System.Management.Automation</CommandLine>
@@ -183,7 +201,7 @@
 			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence" condition="contains">net localgroup administrators /add</CommandLine>
 
 			<!--MITRE TACTIC: Lateral Movement-->
-			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement" condition="is">wmiprvse.exe</ParentImage>
+			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement" condition="end with">wmiprvse.exe</ParentImage>
 			<!--MITRE TECHNIQUE: Obfuscation-->
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">FromBase64String</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect Secure Strings" condition="contains">convertto-securestring</CommandLine>
@@ -214,18 +232,18 @@
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">C^om^S^pEc</CommandLine>
 			<!--Native Windows tools - Living off the land-->
-			<Image name="MitreRef=ToDo,Technique=" condition="is">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeration" condition="is">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
-			<Image name="MitreRef=ToDo,Technique=" condition="is">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
-			<Image name="MitreRef=T1134,Technique=Access Token Manipulation" condition="is">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
-			<Image name="MitreRef=ToDo,Technique=" condition="is">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
-			<Image name="MitreRef=ToDo,Technique=" condition="is">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
-			<Image name="MitreRef=ToDo,Technique=" condition="is">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="is">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
-			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="is">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
-			<Image name="MitreRef=T1158,Technique=Hacking/LOLBins-Living off the Land" condition="is">attrib.exe</Image>
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="is">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="is">nltest.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeration" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
+			<Image name="MitreRef=T1134,Technique=Access Token Manipulation" condition="end with">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
+			<Image name="MitreRef=ToDo,Technique=" condition="end with">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
+			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
+			<Image name="MitreRef=T1158,Technique=Hacking/LOLBins-Living off the Land" condition="end with">attrib.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">nltest.exe</Image>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">nltest.exe</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ExtExport</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">bash -c</CommandLine>
@@ -269,48 +287,47 @@
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">assoc </CommandLine>
 			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="is">cls.exe</Image>
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="is">doskey.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="end with">doskey.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<!--Mavinject -->
-	        <Image name="MitreRef=T1218,Technique=Mavinject" condition="is">Mavinject.exe</Image>
-			<Image name="MitreRef=T1191,Technique=Mavinject" condition="is">CMSTP.exe</Image>
+	        <Image name="MitreRef=T1218,Technique=Mavinject" condition="end with">Mavinject.exe</Image>
+			<Image name="MitreRef=T1191,Technique=Mavinject" condition="end with">CMSTP.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil.exe -decode</CommandLine>
 			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil -decode</CommandLine>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Adobe Parent Processes-->
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Acrobat" condition="is">acrobat.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Adobe Reader" condition="is">acrord32.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Acrobat" condition="end with">acrobat.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Adobe Reader" condition="end with">acrord32.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Browser Parent Processes-->
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned Process from Chrome" condition="is">chrome.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Firefox" condition="is">firefox.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Internet Explorer" condition="is">iexplore.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="is">MicrosoftEdgeCP.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="is">MicrosoftEdge.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Vivaldi Browser" condition="is">vivaldi.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Waterfox Browser" condition="is">waterfox.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned Process from Chrome" condition="end with">chrome.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Firefox" condition="end with">firefox.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Internet Explorer" condition="end with">iexplore.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="end with">MicrosoftEdgeCP.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="end with">MicrosoftEdge.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Vivaldi Browser" condition="end with">vivaldi.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Waterfox Browser" condition="end with">waterfox.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Java Parent Processes-->
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">java.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">javaw.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">java.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">javaw.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Office Parent Processes & Abuse-->
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">word.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">excel.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">POWERPNT.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">outlook.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">visio.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">msaccess.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">lync.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="is">skype.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">word.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">excel.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">POWERPNT.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">outlook.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">visio.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">msaccess.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">lync.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">skype.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Output Redirection-->
 			<CommandLine name="Alert=Output Redirection" condition="contains">2></CommandLine>
 			<CommandLine name="Alert=Output Redirection" condition="contains">&lt;</CommandLine>
 			<CommandLine name="Alert=Output Redirection" condition="contains">></CommandLine>
 			<CommandLine name="Alert=Output Redirection" condition="contains">^</CommandLine>
-			
 	  		<!--                                                                                                                                            -->
 			<!--Detect Multiple Commands-->
 			<CommandLine name="Alert=Multiple Commands" condition="contains">&amp;</CommandLine>
@@ -366,12 +383,12 @@
 			<Image name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="end with">.com</Image>
 			<Image name="Info=Executables Launched In Temp" condition="contains">\temp\</Image>
 			<Image name="Info=Executables Launched In User Dirs" condition="begin with">C:\users</Image>
-			<ParentImage condition="is">explorer.exe</ParentImage>
-			<Image condition="is">control.exe</Image>
-			<Image condition="is">acrord32.exe</Image>
-			<Image condition="is">installutil.exe</Image>
-			<Image name="Info=Registry modification/queries" condition="is">reg.exe</Image>
-			<Image name="Info=ipconfig discovery" condition="is">ipconfig.exe</Image>
+			<ParentImage condition="end with">explorer.exe</ParentImage>
+			<Image condition="end with">control.exe</Image>
+			<Image condition="end with">acrord32.exe</Image>
+			<Image condition="end with">installutil.exe</Image>
+			<Image name="Info=Registry modification/queries" condition="end with">reg.exe</Image>
+			<Image name="Info=ipconfig discovery" condition="end with">ipconfig.exe</Image>
 			<Image name="Info=Executables Launched In Appdata" condition="contains">\appdata\</Image>
 			<Image condition="contains">\programdata\</Image>
 			<Image condition="contains">\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
@@ -387,7 +404,7 @@
 			<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes-->
 			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
 			<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine> <!--Microsoft:Windows: Search Indexer-->
-			<Image condition="is">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
+			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
 			<Image condition="is">C:\Windows\System32\MusNotification.exe</Image> <!--Microsoft:Windows: Update popups-->
 			<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image> <!--Microsoft:Windows: Update popups-->
 			<Image condition="is">C:\Windows\System32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly-->
@@ -409,7 +426,7 @@
 			<CommandLine condition="contains">net use</CommandLine> <!-- Silence domain login scripts -->
 			<!--SECTION: Microsoft:Windows:Defender-->
 			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
-			<Image condition="is">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
+			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
 			<Image condition="is">C:\Windows\System32\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
 			<Image condition="is">C:\Windows\SysWOW64\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
 			<Image condition="is">C:\Windows\System32\MpSigStub.exe</Image> <!--Microsoft:Windows: Microsoft Malware Protection Signature Update Stub-->
@@ -524,54 +541,54 @@
 			<!--SECTION: Adobe-->
 			<CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!--Adobe:AcrobatReader: Uninsteresting sandbox subprocess-->
 			<CommandLine condition="contains">AcroRd32.exe" --channel=</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
-			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
-			<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
-			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
-			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image>
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
+			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image>
 			<!--SECTION: Adobe:Acrobat DC-->
-			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
-			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
 			<!--SECTION: Adobe:Acrobat 2015-->
-			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
-			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
 			<!--SECTION: Adobe:Acrobat Reader DC-->
-			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
-			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
 			<!--SECTION: Adobe:Flash-->
-			<Image condition="is">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
+			<Image condition="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
 			<!--SECTION: Adobe:Updater-->
-			<Image condition="is">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
-			<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</ParentImage> <!--Adobe:Updater: Properly hardened updater, not a risk-->
-			<Image condition="is">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
+			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</ParentImage> <!--Adobe:Updater: Properly hardened updater, not a risk-->
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
 			<!--SECTION: Adobe:Supporting processes-->
-			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> <!--Adobe:Creative Cloud-->
-			<Image condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image> <!--Adobe:License utility-->
-			<Image condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</Image> <!--Adobe:License utility-->
-			<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</ParentImage> <!--Adobe:License utility-->
-			<Image condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image>
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe</Image>
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image>
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> <!--Adobe:Creative Cloud-->
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image> <!--Adobe:License utility-->
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</Image> <!--Adobe:License utility-->
+			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</ParentImage> <!--Adobe:License utility-->
+			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image>
 			<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</ParentImage>
 			<!--SECTION: Adobe:Creative Cloud-->
 			<!--SECTION: Cisco-->
-			<ParentImage condition="is">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</ParentImage> <!--Cisco: Calls netsh to change settings on connect-->
-			<Image condition="is">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
-			<ParentImage condition="is">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
-			<ParentImage condition="is">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage>
-			<ParentImage condition="is">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe</ParentImage>
+			<ParentImage condition="end with">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</ParentImage> <!--Cisco: Calls netsh to change settings on connect-->
+			<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
+			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
+			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage>
+			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe</ParentImage>
 			<!--SECTION: Drivers-->
 			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
 			<Image condition="begin with">C:\Program Files\NVIDIA Corporation\</Image> <!--Nvidia:Driver: routine actions-->
-			<Image condition="is">\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe</Image> <!--Nvidia:Driver: routine actions-->
+			<Image condition="end with">\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe</Image> <!--Nvidia:Driver: routine actions-->
 			<ParentImage condition="is">C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamuseragent.exe</ParentImage> <!--Nvidia:Driver: routine actions-->
 			<Image condition="begin with">C:\Program Files\Realtek\</Image> <!--Realtek:Driver: routine actions-->
-			<ParentImage condition="is">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage>
+			<ParentImage condition="end with">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage>
 			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
 			<ParentImage condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</ParentImage><!--Synaptics Touchpad -->
-			<ParentImage condition="is">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
+			<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
 			<!--SECTION: Dropbox-->
-			<Image condition="is">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> <!--Dropbox:Updater: Lots of command-line arguments-->
-			<ParentImage condition="is">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
+			<Image condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> <!--Dropbox:Updater: Lots of command-line arguments-->
+			<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
 			<!--SECTION: Dell-->
 			<ParentImage condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
 			<Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image> <!--Dell:SupportAssist: routine actions-->
@@ -641,7 +658,7 @@
 			<ParentCommandLine condition="contains">sc queryex type= service</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe</ParentCommandLine> <!--ShadowProtect noise -->
 			<ParentCommandLine condition="contains">raw_agent_svc.exe</ParentCommandLine> <!--ShadowProtect noise -->
-			<ParentImage condition="is">raw_agent_svc.exe</ParentImage> <!--ShadowProtect noise -->
+			<ParentImage condition="end with">raw_agent_svc.exe</ParentImage> <!--ShadowProtect noise -->
 			<CommandLine condition="contains">IscsidscInterface.exe</CommandLine> <!--ShadowProtect noise -->
 			<ParentCommandLine condition="contains">IscsidscInterface.exe</ParentCommandLine> <!--ShadowProtect noise -->
 			<ParentCommandLine condition="contains">Add-PSSnapin Microsoft.SharePoint.PowerShell</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
@@ -670,11 +687,11 @@
 			<CommandLine condition="contains">interface tcp show global</CommandLine>
 			<Image condition="is">nslookup.exe</Image><!--Labtech NStest.bat lookups-->
 			<!--END: Labtech-->
-			<Image condition="is">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->
+			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->
 			<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
 			<ParentImage condition="begin with">C:\Program Files (x86)\SmartGit</ParentImage> <!--SmartGit-->
-			<Image condition="is">vivaldi.exe</Image> <!--Vivaldi Browser-->
-			<Image condition="end with">ConnectWise.exe</Image> <!--Connectwise-->
+			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser-->
+			<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--Connectwise-->
 			<!-- VMware vSphere spawns child processes to svtres.exe and csc.exe, currently unable to exclude those child processes, csc and cvtres.exe are used by some malware-->
 			<ParentCommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</ParentCommandLine> <!--VMware vSphere spawns subprocesses-->
 			<CommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</CommandLine><!--VMware vSphere spawns subprocesses-->
@@ -980,13 +997,13 @@
 			<DestinationIsIpv6 condition="is">true </DestinationIsIpv6> <!-- IPv6 Exclusion: Re-Enable if you use ipv6 -->
 			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
 			<Image condition="image">Spotify.exe</Image> <!--Spotify-->
-			<Image condition="end with">Dropbox.exe</Image> <!--Dropbox-->
+			<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image> <!--Dropbox-->
 			<Image condition="image">OneDriveStandaloneUpdater.exe</Image> <!--Microsoft:OneDrive-->
 			<Image condition="image">ConnectWise.exe</Image> <!--ConnectWise Noise-->
 			<Image condition="image">ScreenConnect.WindowsClient.exe</Image> <!--ScreenConnect Noise-->
-			<Image condition="is">Dashlane.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
-			<Image condition="is">DashlanePlugin.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
-			<Image condition="is">vivaldi.exe</Image> <!--Vivaldi Browser Installed in User profile-->
+			<Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
+			<Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
+			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser Installed in User profile-->
 			<DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
 			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
 			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->
@@ -1044,8 +1061,7 @@
 			<Image condition="begin with">C:\Users</Image> <!--Process terminations by user binaries-->
 			<Image condition="begin with">C:\ProgramData</Image> <!--Process terminations by user binaries-->
 			<Image condition="begin with">C:\Windows\Temp</Image> <!--Process terminations by user binaries-->
-			<Image condition="is">Sysmon.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec-->
-			<Image condition="is">Sysmon64.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec-->
+			<Image condition="end with">Sysmon.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec-->
 		</ProcessTerminate>
 
 	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
@@ -2183,7 +2199,7 @@
 			<PipeName condition="contains">chrome.</PipeName>
 			<PipeName condition="contains">GoogleCrashServices</PipeName>
 			<!--SECTION: Other-->
-			<Image condition="is">slack.exe</Image>
+			<Image condition="end with">slack.exe</Image>
 			<!--SECTION: ConnectWise-->
 			<PipeName condition="contains">booma\</PipeName>
 			<!--SECTION: EnPass-->
@@ -2259,10 +2275,10 @@
 			<Image condition="is">ScreenConnect.WindowsClient.exe</Image>
 			<Image condition="is">ScreenConnect.ClientService.exe</Image>
 			<Image condition="is">QBW32.EXE</Image>
-			<Image condition="is">EXCEL.EXE</Image>
-			<Image condition="is">ADCUpdate.exe</Image>
-			<Image condition="is">Hydrous.Host.exe</Image>
-			<Image condition="is">TNSLSNR.exe</Image>
+			<Image condition="end with">EXCEL.EXE</Image>
+			<Image condition="end with">ADCUpdate.exe</Image>
+			<Image condition="end with">Hydrous.Host.exe</Image>
+			<Image condition="end with">TNSLSNR.exe</Image>
 			<Image condition="contains">ShoreWare Server</Image>
 		</PipeEvent>
 

From 78149ff09409adb9b4873605ba1cf3997dbfff14 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Wed, 11 Jul 2018 16:09:30 -0400
Subject: [PATCH 289/471] fix git f-up

---
 sysmonconfig-export.xml | 20 --------------------
 1 file changed, 20 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 727c209f..db593b58 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -121,14 +121,6 @@
 			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="is">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
 			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="is">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
 			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="is">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="image">dsquery.exe</Image><!-- Query domain-->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,MitreURL=https://attack.mitre.org/wiki/Technique/T1049" condition="end with">whoami.exe</Image>
-			<Image name="MitreRef=T1049,Technique=Discovery,Tactic=Discovery" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
-			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
-			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
-			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">nslookup.exe</Image> <!--Microsoft:Windows: shows DNS configuration and enables quering -->
 			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="is">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
 			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="is">net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
 			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
@@ -183,23 +175,11 @@
 			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">schtasks.exe</ParentImage>
 			<CommandLine name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="contains">schtasks /create</CommandLine>
 			<CommandLine name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="contains">schtasks.exe /create</CommandLine>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation" condition="end with">sethc.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">utilman.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">osk.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">Magnify.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">DisplaySwitch.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">Narrator.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">AtBroker.exe</ParentImage>
-			<Image name="MitreRef=T1053,Technique=Scheduled Task-Execution/Persistence/Privilege Escalation" condition="end with">taskeng.exe</Image> <!--Microsoft:Windows: taskscheduler -->
-			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation" condition="end with">sdbinst.exe</Image>
-			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</Image>
-			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</ParentImage>
 			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">at.exe</Image>
 			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">at.exe</ParentImage>
 			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement" condition="contains">System.Management.Automation</CommandLine>
 			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence" condition="contains">net user /add</CommandLine>
 			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence" condition="contains">net localgroup administrators /add</CommandLine>
-
 			<!--MITRE TACTIC: Lateral Movement-->
 			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement" condition="end with">wmiprvse.exe</ParentImage>
 			<!--MITRE TECHNIQUE: Obfuscation-->

From 4e14b219ea298c8e3b4860ef315d4f306ba8aac7 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Wed, 11 Jul 2018 16:13:30 -0400
Subject: [PATCH 290/471] bring back end with for now

---
 sysmonconfig-export.xml | 44 ++++++++++++++++++++---------------------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index db593b58..1290cbaa 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -114,15 +114,15 @@
 			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe  group</CommandLine>
 			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1.exe group</CommandLine>
 			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1.exe  group</CommandLine>
-			<Image name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="is">dsquery.exe</Image><!-- Query domain-->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,MitreURL=https://attack.mitre.org/wiki/Technique/T1049" condition="is">whoami.exe</Image>
-			<Image name="MitreRef=T1049,Technique=Discovery,Tactic=Discovery" condition="is">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
-			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="is">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
-			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="is">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="is">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
-			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="is">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="is">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
-			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="is">net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
+			<Image name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="end with">dsquery.exe</Image><!-- Query domain-->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,MitreURL=https://attack.mitre.org/wiki/Technique/T1049" condition="end with">whoami.exe</Image>
+			<Image name="MitreRef=T1049,Technique=Discovery,Tactic=Discovery" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
+			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
+			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
+			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="end with">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
+			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="end with">net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
 			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
 			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery" condition="end with">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
 			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
@@ -163,20 +163,20 @@
 			<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="end with">wsmprovhost.exe</ParentImage>
 			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="end with">winrm.cmd</Image>
 			<!--MITRE TACTIC: Persistence-->
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation" condition="is">sethc.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="is">utilman.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="is">osk.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="is">Magnify.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="is">DisplaySwitch.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="is">Narrator.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="is">AtBroker.exe</ParentImage>
-			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation" condition="is">sdbinst.exe</Image>
-			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">schtasks.exe</Image>
-			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">schtasks.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation" condition="end with">sethc.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">utilman.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">osk.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">Magnify.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">DisplaySwitch.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">Narrator.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">AtBroker.exe</ParentImage>
+			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation" condition="end with">sdbinst.exe</Image>
+			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</Image>
+			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</ParentImage>
 			<CommandLine name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="contains">schtasks /create</CommandLine>
 			<CommandLine name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="contains">schtasks.exe /create</CommandLine>
-			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">at.exe</Image>
-			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="is">at.exe</ParentImage>
+			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">at.exe</Image>
+			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">at.exe</ParentImage>
 			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement" condition="contains">System.Management.Automation</CommandLine>
 			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence" condition="contains">net user /add</CommandLine>
 			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence" condition="contains">net localgroup administrators /add</CommandLine>
@@ -266,7 +266,7 @@
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">assoc </CommandLine>
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="is">cls.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="end with">cls.exe</Image>
 			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="end with">doskey.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<!--Mavinject -->

From a064ab113dcf5e1c6740707edef7e21ae6ba1bbf Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 12 Jul 2018 08:35:31 -0400
Subject: [PATCH 291/471] remove graylog stuff

---
 Graylog_Content_Pack/Install_Sidecar.bat       | 18 ------------------
 .../Install_Sidecar_noprompt.bat               | 16 ----------------
 2 files changed, 34 deletions(-)
 delete mode 100644 Graylog_Content_Pack/Install_Sidecar.bat
 delete mode 100644 Graylog_Content_Pack/Install_Sidecar_noprompt.bat

diff --git a/Graylog_Content_Pack/Install_Sidecar.bat b/Graylog_Content_Pack/Install_Sidecar.bat
deleted file mode 100644
index 8f9a1795..00000000
--- a/Graylog_Content_Pack/Install_Sidecar.bat
+++ /dev/null
@@ -1,18 +0,0 @@
-@echo off
-cd %temp%
-set /p glg= "[+] What's the Graylog Server name or IP?  "
-echo [+] Server set to: %glg%
-echo [+] Downloading Graylog Sidecar to: %temp%\Sidecar.exe...
-@powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/Graylog2/collector-sidecar/releases/download/0.1.0-rc.1/collector_sidecar_installer_0.1.0-rc.1.exe','%temp%\Sidecar.exe')"
-start /wait Sidecar.exe /S -SERVERURL=https://%glg%:443/api -TAGS="windows"
-echo [+] Executing Script to edit content of sidecar configuration...
-@powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/ion-storm/39d1e70fde966c6e69e57bcb989c5c8d/raw/e3bf0a7b589a340cc557c14bc0f619372cae8752/sidecar.ps1')"
-cd "C:\Program Files\graylog\collector-sidecar\"
-echo [+] Installing Graylog Services...
-graylog-collector-sidecar.exe -service install
-graylog-collector-sidecar.exe -service start
-echo [+] Checking Services...
-@powershell get-service collector-sidecar
-echo [+] Graylog Sidecar Successfully Installed and Configured!
-timeout /t 10
-exit
\ No newline at end of file
diff --git a/Graylog_Content_Pack/Install_Sidecar_noprompt.bat b/Graylog_Content_Pack/Install_Sidecar_noprompt.bat
deleted file mode 100644
index c9ac62cc..00000000
--- a/Graylog_Content_Pack/Install_Sidecar_noprompt.bat
+++ /dev/null
@@ -1,16 +0,0 @@
-@echo off
-cd %temp%
-echo [+] Downloading Graylog Sidecar to: %temp%\Sidecar.exe...
-@powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/Graylog2/collector-sidecar/releases/download/0.1.0-rc.1/collector_sidecar_installer_0.1.0-rc.1.exe','%temp%\Sidecar.exe')"
-start /wait Sidecar.exe /S -SERVERURL=https://YOURSERVERIPHERE:443/api -TAGS="windows"
-echo [+] Executing Script to edit content of sidecar configuration...
-@powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/ion-storm/39d1e70fde966c6e69e57bcb989c5c8d/raw/e3bf0a7b589a340cc557c14bc0f619372cae8752/sidecar.ps1')"
-cd "C:\Program Files\graylog\collector-sidecar\"
-echo [+] Installing Graylog Services...
-graylog-collector-sidecar.exe -service install
-graylog-collector-sidecar.exe -service start
-echo [+] Checking Services...
-@powershell get-service collector-sidecar
-echo [+] Graylog Sidecar Successfully Installed and Configured!
-timeout /t 10
-exit
\ No newline at end of file

From 4751554802e1f6f3162f5444ee3a1857757b131a Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 12 Jul 2018 08:36:32 -0400
Subject: [PATCH 292/471] finish gl removal

---
 .gitignore | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index b18c28f1..44c9f960 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-sysmonconfig-export.xml.bak
\ No newline at end of file
+sysmonconfig-export.xml.bak
+/Graylog_Content_Pack/

From 4bdc1cecddd8bcc52eef82fe371b4f7cf391fd7a Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 12 Jul 2018 09:05:25 -0400
Subject: [PATCH 293/471] ADD: Ransomware File detection & Alerting

---
 sysmonconfig-export.xml | 517 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 478 insertions(+), 39 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 1290cbaa..c6ea5aab 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -262,11 +262,11 @@
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">del </CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">rd </CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">expand </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">find </CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">find.exe</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">assoc </CommandLine>
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="end with">cls.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="end with">\cls.exe</Image>
 			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="end with">doskey.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<!--Mavinject -->
@@ -1040,8 +1040,9 @@
 		<!--COMMENT:	Useful data in building infection timelines.-->
 			<Image condition="begin with">C:\Users</Image> <!--Process terminations by user binaries-->
 			<Image condition="begin with">C:\ProgramData</Image> <!--Process terminations by user binaries-->
-			<Image condition="begin with">C:\Windows\Temp</Image> <!--Process terminations by user binaries-->
+			<Image condition="contains">\Temp\</Image> <!--Process terminations in temp directories-->
 			<Image condition="end with">Sysmon.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec-->
+			<Image condition="end with">Sysmon64.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec-->
 		</ProcessTerminate>
 
 	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
@@ -1401,42 +1402,480 @@
 			<TargetFilename condition="end with">.cpl</TargetFilename>
 			<TargetFilename condition="end with">.inf</TargetFilename>
 			<!--SECTION: Ransomware-->
-			<TargetFilename condition="contains">help_decrypt</TargetFilename>
-			<TargetFilename condition="contains">help_restore</TargetFilename>
-			<TargetFilename condition="contains">ReadDecryptFilesHere</TargetFilename>
-			<TargetFilename condition="contains">howto_recover_file</TargetFilename>
-			<TargetFilename condition="contains">recover_file_</TargetFilename>
-			<TargetFilename condition="contains">Recovery_file_</TargetFilename>
-			<TargetFilename condition="contains">how_to_decrypt</TargetFilename>
-			<TargetFilename condition="contains">encryptor_raas_readme_liesmich</TargetFilename>
-			<TargetFilename condition="contains">_how_recover_</TargetFilename>
-			<TargetFilename condition="contains">HOWTO_RESTORE_FILES_</TargetFilename>
-			<TargetFilename condition="contains">help_my_files</TargetFilename>
-			<TargetFilename condition="contains">how_recover</TargetFilename>
-			<TargetFilename condition="contains">HELP_TO_SAVE_FILES</TargetFilename>
-			<TargetFilename condition="contains">DECRYPT_INSTRUCTIONS</TargetFilename>
-			<TargetFilename condition="contains">YOUR_FILES.url</TargetFilename>
-			<TargetFilename condition="contains">Coin.Locker.txt</TargetFilename>
-			<TargetFilename condition="contains">_secret_code.txt</TargetFilename>
-			<TargetFilename condition="contains">Decrypt_readme.txt</TargetFilename>
-			<TargetFilename condition="contains">INSTUCCIONES_DESCRIFRADO</TargetFilename>
-			<TargetFilename condition="contains">FILESAREGONE.txt</TargetFilename>
-			<TargetFilename condition="contains">IAMREADYTOPAY.TXT</TargetFilename>
-			<TargetFilename condition="contains">HELLOTHERE.TXT</TargetFilename>
-			<TargetFilename condition="contains">READTHISNOW!!!.txt</TargetFilename>
-			<TargetFilename condition="contains">SECRETIDHERE.KEY</TargetFilename>
-			<TargetFilename condition="contains">IHAVEYOURSECRET.KEY</TargetFilename>
-			<TargetFilename condition="contains">SECRET.KEY</TargetFilename>
-			<TargetFilename condition="contains">HELPDECRYPT_YOUR_FILES.HTML</TargetFilename>
-			<TargetFilename condition="contains">RECOVERY_FILES.TXT</TargetFilename>
-			<TargetFilename condition="contains">RECOVERY_FILE.</TargetFilename>
-			<TargetFilename condition="contains">HowtoRestore_Files</TargetFilename>
-			<TargetFilename condition="contains">restorefiles</TargetFilename>
-			<TargetFilename condition="contains">howrecover+</TargetFilename>
-			<TargetFilename condition="contains">recoveryfile</TargetFilename>
-			<TargetFilename condition="contains">help_recover_instructions</TargetFilename>
-			<TargetFilename condition="contains">_Locky_recover</TargetFilename>
-			<TargetFilename condition="contains">_ReCoVeRy_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_decrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_restore</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ReadDecryptFilesHere</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howto_recover_file</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recover_file_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Recovery_file_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_to_decrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">encryptor_raas_readme_liesmich</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RESTORE_FILES_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_my_files</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_recover</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_TO_SAVE_FILES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTIONS</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES.url</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Coin.Locker.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_secret_code.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Decrypt_readme.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTUCCIONES_DESCRIFRADO</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">FILESAREGONE.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IAMREADYTOPAY.TXT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELLOTHERE.TXT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READTHISNOW!!!.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRETIDHERE.KEY</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IHAVEYOURSECRET.KEY</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRET.KEY</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELPDECRYPT_YOUR_FILES.HTML</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILES.TXT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILE.</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HowtoRestore_Files</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howrecover+</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recoveryfile</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_ReCoVeRy_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_decrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_restore</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.CRAB</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">cerber</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_decrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">-decrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt-</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_decrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_restore_files</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_YOUR_FILES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ReadDecryptFilesHere</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howto_recover_file</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recover_file</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Recovery_File_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_DECRYPT_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DecryptAllFiles</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">encryptor_raas_readme_liesmich</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RESTORE_FILES_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_my_files</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_recover</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_TO_SAVE_FILES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTIONS</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTUCCIONES_DESCRIFRADO</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES.url</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Coin.Locker.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_secret_code.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Decrypt_readme.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">FILESAREGONE.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IAMREADYTOPAY.TXT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELLOTHERE.TXT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READTHISNOW!!!.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRETIDHERE.KEY</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IHAVEYOURSECRET.KEY</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRET.KEY</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELPDECRYPT_YOUR_FILES.HTML</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILES.TXT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILE.</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HowtoRestore_File</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howrecover+ recoveryfile_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recoverfile_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_ReCoVeRy_+</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.zzzzz </TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">aeroware</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howto_recover_file</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RESTORE_FILES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_my_files</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_recover</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_TO_SAVE_FILES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTIONS</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES.url</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Coin.Locker.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_secret_code.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Decrypt_readme.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">FILESAREGONE.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IAMREADYTOPAY.TXT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELLOTHERE.TXT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READTHISNOW!!!.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRETIDHERE.KEY</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IHAVEYOURSECRET.KEY</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRET.KEY</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELPDECRYPT_YOUR_FILES.HTML</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILES.TXT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howrecover+</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">contains(to_string($message.file_created), "howrecover+</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_ReCoVeRy_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!!READ_TO_UNLOCK!!!.TXT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">openforyou@india.com</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.warn_wallet</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">hacks.at.sigaint.org</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.MATRIX</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Crytp0l0cker</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypted_files.dat</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">padcrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Vape Launcher.exe</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ_ME_!.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.enjey</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Aescrypt.exe</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">PINGY@INDIA.COM</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WORMKILLER@INDIA.COM.XTBL</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">CEBER3</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IF_WANT_FILES_BACK_PLS_READ.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_HELP_HELP_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">zXz.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.zXz</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_ME_PLEASE.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!_RECOVERY_HELP_!.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">PLEASE-READIT-IF_YOU-WANT.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.filegofprencrp</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">COME_RIPRISTINARE_I_FILE.</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">fattura_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_steaveiwalker@india.com_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">COMO_ABRIR_ARQUIVOS.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">info@kraken.cc_worldcza@email.cz</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">COMO_RESTAURAR_ARCHIVOS</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">What happen to my files.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ASSISTANCE_IN_RECOVERY</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_DECRYPT_ASSISTANCE_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_HELP_HELP_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">BTC_DECRYPT_FILES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.TheTrumpLocker</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ-READ-READ</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.weencedufiles</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.powned</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">[KASISKI]</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTRUCCIONES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_USE_TO_FIX_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.happydayzz</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">001-READ-FOR-DECRYPT-FILES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INFORMATION</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Rans0m_N0te_Read_ME</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">wowwhereismyfiles</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decryptional</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">wowreadfordecryp</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HERMES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_DECRYPT_INFO_szesnl</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">000-IF-YOU-WANT-DEC-FILES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.evillock</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.letmetrydecfiles</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.yourransom</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.lambda_l0cked</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.gefickt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.sigaint.org</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.HakunaMatata</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.CRYPTOSHIELD</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.weareyourfriends</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">MERRY_I_LOVE_YOU_BRUCE.hta</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How decrypt files.hta</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">unCrypte</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decipher_ne</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.paytounlock</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">TRY-READ-ME-TO-DEC</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">protonmail.ch</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">LEER_INMEDIATAMENTE</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.killedXXX</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.doomed</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">000-No-PROBLEM-WE-DEC-FILES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.noproblemwedecfiles</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WE-MUST-DEC-FILES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">powerfulldecrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">opensourcemail.org</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">contains(to_string($message.file_created), "READ_ME_TO_DECRYPT_YOU_INFORMA</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">file0locked</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">CryptoRansomware</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.VBRANSOM</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_Recover_Files_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.oops</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.deria</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.RMCM1</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Locked-by-Mafia</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">-filesencrypted</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt_Globe</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.hnumkhotep</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.decrypt2017</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DecryptFile</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.L0CKED</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">1025-7152.exe</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">firstransomware.exe</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP-ME-ENCED-FILES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">helpmeencedfiles</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">EdgeLocker</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.XBTL</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.firecrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES_ARE_DEAD</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.airacropencrypted!</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">mail.ru</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WHERE-YOUR-FILES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Whereisyourfiles</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">india.com</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_README.hta</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_README.jpg</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_OPEN_FILES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.gangbang</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">GJENOPPRETTING_AV_FILER</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!! HOW TO DECRYPT FILES !!!</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.braincrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTRUCTION RESTORE FILE</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Survey Locker.exe</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Receipt.exe</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WindowsApplication1.exe</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HWID Lock.exe</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">VIP72.exe</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DALE_FILES.TXT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_RESTORE_YOUR_DATA</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RESTORE_CORUPTED_FILES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Cyber SpLiTTer Vbs.exe</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">000-PLEASE-READ-WE-HELP</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.VforVendetta</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">popcorn_time.exe</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.wallet</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">OSIRIS-</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DesktopOsiris</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">inbox.ru</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.no_more_ransom</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.lovewindows</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.osiris</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.R.i.P</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Important!.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!_HOW_TO_RESTORE_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_RESTORE_FILES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_README_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RECOVER_FILES_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_RESTORE_FILES_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ThxForYurTyme</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOW_TO_Decrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_RECOVER_INSTRUCTIONS</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">rtext.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPTION INSTRUCTIONS.</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt explanations.</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_WHAT_is.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOWDO_text.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">readme_liesmich_encryptor_raas</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Adatok_visszaallitasahoz_utasitasok</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_TO_RECURE_YOUR_FILES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files encrypted by our friends !!!.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README HOW TO DECRYPT YOUR FILES.HTML</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ_IT.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!Recovery_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ATTENTION.url</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README!!!</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">email-salazar_slytherin10</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">._AiraCropEncrypted!</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_RECOVER_FILES_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOWDO_text.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOWDO_text.bmp</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOWDO_text.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">zzzzzzzzzzzzzzzzzyyy</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">zycrypt.</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt your file</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_H_e_l_p_RECOVER_INSTRUCTIONS+</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW-TO-DECRYPT-FILES.HTML</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_DECRYPT.HTML</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">exit.hhr.obleep</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">UnblockFiles.vbs</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_DECRYPT_HYDRA_ID_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_Readme.TXT.ReadMe</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Decrypt All Files</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HowDecrypt.gif</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_YOURFILES.HTML</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW TO DECRYPT FILES.HTML</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">BUYUNLOCKCODE</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">BitCryptorFileList.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How_to_decrypt_your_files.jpg</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How_to_restore_files.hta</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Como descriptografar seus arquivos.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!Recovery_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Read_this_file.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ATTENTION!!!.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_DECRYPT.lnk</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how to decrypt aes files.lnk</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restore_files.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HowDecrypt.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">wie_zum_Wiederherstellen_von_Dateien.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">paycrypt.bmp</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">maxcrypt.bmp</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_decrypt.gif</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how to get data.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help-file-decrypt.enc</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">enigma_encr.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">enigma.hta</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">default432643264.jpg</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">default32643264.bmp</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decypt_your_files.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">de_crypt_readme.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">de_crypt_readme.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">de_crypt_readme.bmp</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">cryptinfo.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">crjoker.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover_instructions.bmp</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_H_e_l_p_RECOVER_INSTRUCTIONS</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_instructions.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_instructions.bmp</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_DECRYPT_INFO_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files encrypted by our friends !!! txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files are locked !.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files are locked !!.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files are locked !!!.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files are locked !!!!.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES_ARE_LOCKED.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES_ARE_ENCRYPTED.TXT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES_ARE_ENCRYPTED.HTML</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUGOTHACKED.TXT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">UNLOCK_FILES_INSTRUCTIONS.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">UNLOCK_FILES_INSTRUCTIONS.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SIFRE_COZME_TALIMATI.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SHTODELATVAM.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Read Me (How Decrypt) !!!!.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RESTORE_FILES_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ_THIS_TO_DECRYPT.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_HOW_TO_UNLOCK.TXT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_HOW_TO_UNLOCK.HTML</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_DECRYPT_UMBRE_ID_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_DECRYPT_HYRDA_ID_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ ME FOR DECRYPT.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ IF YOU WANT YOUR FILES BACK.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Payment_Instructions.jpg</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ONTSLEUTELINGS_INSTRUCTIES.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">OKSOWATHAPPENDTOYOURFILES.TXT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">MENSAGEM.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">KryptoLocker_README.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Instructionaga.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ISTRUZIONI_DECRITTAZIONE.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTRUCTIONS_DE_DECRYPTAGE.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTRUCCIONES_DESCIFRADO.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTALL_TOR.URL</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IMPORTANT.README</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IMPORTANT READ ME.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Howto_RESTORE_FILES.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How to decrypt your data.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How to decrypt LeChiffre files.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Help Decrypt.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Hacked_Read_me_to_decrypt_files.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_UNLOCK_FILES_README_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_RESTORE_FILES.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_DECRYPT.URL</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_DECRYPT.TXT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_DECRYPT.HTML</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RECOVER_FILES_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW TO DECRYPT FILES.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_YOUR_FILES.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_YOUR_FILES.PNG</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_TO_SAVE_FILES.bmp</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_RESTORE_FILES_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_DECRYPT.URL</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_DECRYPT.PNG</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_DECRYPT.HTML</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">GetYouFiles.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">File Decrypt Help.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">FILES_BACK.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ENTSCHLUSSELN_HINWEISE.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DecryptAllFiles</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DESIFROVANI_POKYNY.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_YOUR_FILES.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_YOUR_FILES.HTML</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_ReadMe1.TXT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTIONS.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTION.URL</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTION.HTML</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPTION_HOWTO.Notepad</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Comment débloquer mes fichiers.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">BUYUNLOCKCODE.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">AllFilesAreLocked</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">@ukr.net</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.fuckyourdata</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.encrypted.locked</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.Where_my_files.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.RSplited</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.KEYZ.KEYH0LES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.How_To_Get_Back.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.How_To_Decrypt.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.Contact_Here_To_Recover_Your_Files.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.31392E30362E32303136_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains"># DECRYPT MY FILES #.vbs</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains"># DECRYPT MY FILES #.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains"># DECRYPT MY FILES #.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!Where_are_my_files!.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!!README!!!</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!!-WARNING-!!!.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!!-WARNING-!!!.html</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.magic_software_syndicate</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">maestro@pizzacrypts.info</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howtodecryptaesfiles.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.SecureCrypted</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt-instruct</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">files_are_encrypted.</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decryptmyfiles</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_instructions.</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">-recover-</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">de_crypt_readme.</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!recover!</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recover}-</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_help_instruct</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_recover_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">+recover+</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">warning-!!</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt my file</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_file_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recovery+</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">readme_for_decrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">install_tor</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">readme_decrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howtodecrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howto_restore</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_to_recover</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_recover</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_to_decrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how to decrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_restore</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_your_file</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_decrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt_instruct</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">cryptolocker.</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recover_instruction</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.hydracrypt_ID</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.cryptotorlocker</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.one-we_can-help_you</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.OMG!</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.nochance</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.LOL!</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.CryptoTorLocker2015!</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.{CRYPTENDBLACKDC}</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">vault.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">vault.key</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recovery_key.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">vault.hta</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">message.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recovery_file.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">confirmation.key</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">enc_files.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">last_chance.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">want your files back.</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover_instructions.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recoverfile</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Howto_Restore_FILES.TXT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recoveryfile</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.SUPERCRYPT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.helpdecrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">only-we_can-help_you</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.fileiscryptedhard</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.blocatto</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.8lock8</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">==READ==THIS==PLEASE==</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">randomname</TargetFilename>
 			<!--SamSam Ransomware File drops -->
 			<TargetFilename condition="contains">www.exe</TargetFilename>
 			<TargetFilename condition="contains">ps.exe</TargetFilename>

From b64fe9a1acae398780ab3534e3c9f8542a2f2b66 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 12 Jul 2018 09:16:52 -0400
Subject: [PATCH 294/471] add samsam detection

---
 sysmonconfig-export.xml | 50 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index c6ea5aab..ae52c543 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1876,6 +1876,56 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.8lock8</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">==READ==THIS==PLEASE==</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">randomname</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">.weapologize</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">SORRY-FOR-FILES</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">PLEASE-READ-WE-HELP.</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">CHECK-IT-HELP-FILES</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">HAPPEN-ENCED-FILES</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">HELP-ME-ENCED-FILES</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">PLS-DEC-MY-FILES</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">WE-MUST-DEC-FILES</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">No-PROBLEM-WE-DEC-FILES</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">TRY-READ-ME-TO-DEC</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">IF-YOU-WANT-DEC-FILES</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">LET-ME-TRY-DEC-FILES</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">READ-FOR-DECRYPT-FILES</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">PLEASE-READIT-IF_YOU-WANT</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">READ-READ-READ</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">WANT_FILES_BACK</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">READ-FOR-DECCCC-FILESSS</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">PLEASE-README-AFFECTED-FILES</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">_DEC_FILES.</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.notfoundrans</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.VforVendetta</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.theworldisyours</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.helpmeencedfiles</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.wowwhereismyfiles</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.wowreadfordecryp</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.powerfulldecrypt</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.noproblemwedecfiles</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.weareyourfriends</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.otherinformation</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.letmetrydecfiles</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.encryptedyourfiles</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.weencedufiles</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.filegofprencrp</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.iaufkakfhsaraf</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.cifgksaffsfyghd</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.skjdthghh</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.ransom</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.breeding123</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.mention9823</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.suppose666</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.moments2900</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.country82000</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.supported2017</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.prosperous666</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.disposed2017</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.myrandsext2017</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.loveransisgood</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.areyoulovemyrans</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.stubbin</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.berkshire</TargetFilename>
 			<!--SamSam Ransomware File drops -->
 			<TargetFilename condition="contains">www.exe</TargetFilename>
 			<TargetFilename condition="contains">ps.exe</TargetFilename>

From f6dfbebe47da6159049a782ca6caa9b417ba7560 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 12 Jul 2018 10:07:11 -0400
Subject: [PATCH 295/471] Add Crypto Mining pool detection

---
 sysmonconfig-export.xml | 68 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ae52c543..64257ba5 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -356,6 +356,30 @@
 			<Image condition="image">www.exe</Image>
 			<Image condition="image">awk.exe</Image>
 			<Image condition="image">sed.exe</Image>
+			<!--SECTION: Crypto Currency Miners-->
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">stratum+tcp</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">coinhive</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">minergate</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">ccminer</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">cgminer</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">sgminer</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">rainbowminer</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">xmrMiner</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolpassword</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolurl</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolname</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">ahashpool</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolname</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">blazepool</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">blockmasters</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">blockmasterscoins</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">hashrefinery</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">miningpoolhubcoins</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">nicehash</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">yiimp</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">zergpool</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">zergpoolcoins</CommandLine>
+			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">zpool</CommandLine>
 			<!--Tor-->
 			<Image condition="image">tor.exe</Image><!-- Tor-->
 			<!--                                                                                                                                            -->
@@ -885,6 +909,50 @@
 			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">159.203.213.</DestinationIp>
 			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">209.236.120.</DestinationIp>
 			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">158.130.6</DestinationIp>
+			<!--Crypto Currency Mining pools-->
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">blazepool</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">blockmasters</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">blockmasterscoins</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">hashrefinery</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">miningpoolhubcoins</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">nicehash</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">yiimp</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">zergpool</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">zergpoolcoins</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">zpool</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">slushpool</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">minexmr</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">minergate</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">monero</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">prohash</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">dwarfpool</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">nanopool.org</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mixpools.org</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">viaxmr.com</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">hashvault.pro</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">moriaxmr.com</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">suprnova.cc</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mixpools.org</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">monero</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">usxmrpool</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">xmrpool</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">poolto.be</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mineXMR</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">prohash.net</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mine.bz</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mypool.online</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">bohemianpool</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mineXMR</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">iwanttoearn.money</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">pool.xmr</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">crypto-pool</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">miners.pro</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">minercircle.com</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">monero.lindon-pool.win</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">teracycle.net</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">ratchetmining.com</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">cryptmonero</DestinationHostname>
+			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mineXMR</DestinationHostname>
 			<!--Ports-->
 			<DestinationPort name="Service=HTTP Connection" condition="is">80</DestinationPort> <!--RDP Port-->
 			<DestinationPort name="Service=HTTPS Connection" condition="is">443</DestinationPort>

From 6a76cf78a34b49e6166d8c920e533f492bbcea5c Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 12 Jul 2018 12:53:25 -0400
Subject: [PATCH 296/471] add exclusions

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 64257ba5..04176bde 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -746,6 +746,8 @@
 			<CommandLine condition="contains">net.exe time</CommandLine>
 			<CommandLine condition="contains">net1 time</CommandLine>
 			<CommandLine condition="contains">C:\Windows\system32\cmd.exe /c UsrLogon.cmd</CommandLine>
+			<ParentImage condition="is">C:\Program Files (x86)\MaaS360\Cloud Extender\EMSAgent.exe</ParentImage>
+			<ParentImage condition="is">C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe</ParentImage>
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->

From 7ea5f6466ca86a029cd5d20b3c77a0a6a7e67c87 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 12 Jul 2018 14:31:43 -0400
Subject: [PATCH 297/471] add Hack command line events/Privilege Escalation

---
 sysmonconfig-export.xml | 234 +++++++++++++++++++++++++++++++---------
 1 file changed, 181 insertions(+), 53 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 04176bde..8a50f501 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -213,7 +213,7 @@
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">C^om^S^pEc</CommandLine>
 			<!--Native Windows tools - Living off the land-->
 			<Image name="MitreRef=ToDo,Technique=" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeration" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
+			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeratio,MitreURL=https://capec.mitre.org/data/definitions/293.html" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
 			<Image name="MitreRef=ToDo,Technique=" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
 			<Image name="MitreRef=T1134,Technique=Access Token Manipulation" condition="end with">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
 			<Image name="MitreRef=ToDo,Technique=" condition="end with">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
@@ -316,7 +316,135 @@
 			<CommandLine name="Alert=interactive command to slow output" condition="contains">more</CommandLine>
 			<CommandLine name="Alert=Commands run from \\tsclient share ie: samsam ransomware" condition="contains">\\tsclient</CommandLine>
 			<CommandLine name="Alert=DotDot Dirs" condition="contains">..</CommandLine>
-	  		<!--                                                                                                                                            -->
+	  		<!--Hacking Command Line Events-->
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">wmic shadowcopy delete</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">telnet</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">-dumpcr</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">putty</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">bash.exe</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">pssh</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">sdelete</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">shareenum</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">sekurlsa</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">reg SAVE</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DllInjection</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Shellcode</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-WmiCommand</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-GPPPassword</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Keystrokes</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-TimedScreenshot</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VaultCredential</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-CredentialInjection</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">mimikatz</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-NinjaCopy</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-TokenManipulation</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Out-Minidump</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">VolumeShadowCopyTools</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ReflectivePEInjection</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-UserHunter</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Find-GPOLocation</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ACLScanner</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DowngradeAccount</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ServiceUnquoted</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ServiceFilePermission</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ServicePermission</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ServiceAbuse</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Install-ServiceBinary</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-RegAutoLogon</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VulnAutoRun</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VulnSchTask</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-UnattendedInstallFile</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-WebConfig</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ApplicationHost</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-RegAlwaysInstallElevated</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Unconstrained</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-RegBackdoor</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-ScrnSaveBackdoor</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Gupt-Backdoor</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ADSBackdoor</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Enabled-DuplicateToken</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PsUaCme</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Remove-Update</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Check-VM</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-LSASecret</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-PassHashes</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Show-TargetScreen</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Port-Scan</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">netscan</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">psscan</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PoshRatHttp</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PowerShellTCP</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PowerShellWMI</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-Exfiltration</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-Persistence</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Do-Exfiltration</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Start-CaptureServer</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DllInjection</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ReflectivePEInjection</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ShellCode</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ChromeDump</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ClipboardContents</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-FoxDump</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-IndexedItem</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Keystrokes</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Screenshot</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Inveigh</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-NetRipper</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-NinjaCopy</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Out-Minidump</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-EgressCheck</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PSInject</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-RunAs</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">MailRaider</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">New-HoneyHash</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Set-MacAttribute</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VaultCredential</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DCSync</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PowerDump</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-TokenManipulation</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Exploit-Jboss</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ThunderStruck</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-VoiceTroll</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Set-Wallpaper</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-InveighRelay</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PsExec</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-SSHCommand</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-SecurityPackages</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Install-SSP</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-BackdoorLNK</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerBreach</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-GPPPassword</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-SiteListPassword</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-System</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">BypassUAC</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Tater</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerUp</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerView</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-RickAstley</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Find-Fruit</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">HTTP-Login</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Find-TrustedDocuments</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Paranoia</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-WinEnum</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ARPScan</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ReverseDNSLookup</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">smbscanner</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-FruityC2</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Stager</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">process call create</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">root\\default</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">FilterToConsumerBinding</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">root\\subscription</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Win32_TaskService</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Win32_TaskService</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">stratum+tcp</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">-donate-level=</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Wmiclass</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">WmiCl'+'as'+'s</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">ntdsutil</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">mimiauth</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Powersploit</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Mimikittenz</CommandLine>
 			<!--Suspicious Windows tools-->
 			<Image name="MitreRef=T1001,Technique=Signed Script Proxy Execution,Tactic=Defense Evasion/Execution" condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
 			<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
@@ -2591,59 +2719,59 @@
 			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
 		</FileCreateStreamHash>
 		<FileCreateStreamHash onmatch="include">
-			<TargetFilename condition="contains">Content.Outlook</TargetFilename> <!--Microsoft:Outlook: Attachments--> <!--PRIVACY WARNING-->
-			<TargetFilename condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
-			<TargetFilename condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
-			<TargetFilename condition="contains">Startup</TargetFilename> <!--ADS startup | Example: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
-			<TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting files-->
-			<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
-			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
-			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
-			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
-			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
-			<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
-			<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
-			<TargetFilename condition="end with">.dll</TargetFilename> <!--Executable-->
-			<TargetFilename condition="end with">.sys</TargetFilename> <!--Executable-->
-			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
-			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
-			<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
-			<TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
-			<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry files-->
-			<TargetFilename condition="end with">.docm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.xlsm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.xlam</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.potm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.sldm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
-			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
-			<TargetFilename condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
-			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
-			<TargetFilename condition="end with">.js</TargetFilename> <!--Java-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Content.Outlook</TargetFilename> <!--Microsoft:Outlook: Attachments--> <!--PRIVACY WARNING-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Startup</TargetFilename> <!--ADS startup | Example: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.vb</TargetFilename> <!--VisualBasicScripting files-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.bat</TargetFilename> <!--Batch scripting-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.exe</TargetFilename> <!--Executable-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.dll</TargetFilename> <!--Executable-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.sys</TargetFilename> <!--Executable-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.hta</TargetFilename> <!--Scripting-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.sys</TargetFilename> <!--System driver files-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.reg</TargetFilename> <!--Registry files-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.docm</TargetFilename> <!--Office Macros-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.xlsm</TargetFilename> <!--Office Macros-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.xlam</TargetFilename> <!--Office Macros-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.pptm</TargetFilename> <!--Office Macros-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.potm</TargetFilename> <!--Office Macros-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.pptm</TargetFilename> <!--Office Macros-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.sldm</TargetFilename> <!--Office Macros-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.js</TargetFilename> <!--Java-->
 			<!--SECTION: Certificates -->
-			<TargetFilename condition="contains">.pem</TargetFilename>
-			<TargetFilename condition="contains">.crt</TargetFilename>
-			<TargetFilename condition="contains">.ca-bundle</TargetFilename>
-			<TargetFilename condition="contains">.cer</TargetFilename>
-			<TargetFilename condition="contains">.csr</TargetFilename>
-			<TargetFilename condition="contains">.der</TargetFilename>
-			<TargetFilename condition="contains">.p7b</TargetFilename>
-			<TargetFilename condition="contains">.p7r</TargetFilename>
-			<TargetFilename condition="contains">.p7s</TargetFilename>
-			<TargetFilename condition="contains">.pfx</TargetFilename>
-			<TargetFilename condition="contains">.sto</TargetFilename>
-			<TargetFilename condition="contains">.p12</TargetFilename>
-			<TargetFilename condition="contains">.crl</TargetFilename>
-			<TargetFilename condition="contains">.sst</TargetFilename>
-			<TargetFilename condition="contains">.key</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.pem</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.crt</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.ca-bundle</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.cer</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.csr</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.der</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p7b</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p7r</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p7s</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.pfx</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.sto</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p12</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.crl</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.sst</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.key</TargetFilename>
 			<!--SECTION: CIA Vault7 Leak -->
-			<TargetFilename condition="contains">.mht</TargetFilename> <!-- Possible malformed file will escape IE sandbox -->
-			<TargetFilename condition="contains">.manifest</TargetFilename>
-			<TargetFilename condition="contains">.cpl</TargetFilename> <!-- Vault7 CIA Leak: Control Panel Persistence -->
-			<TargetFilename condition="contains">.scr</TargetFilename> <!-- Vault7 CIA Leak: Screensaver Persistence -->
-			<TargetFilename condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.mht</TargetFilename> <!-- Possible malformed file will escape IE sandbox -->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.manifest</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.cpl</TargetFilename> <!-- Vault7 CIA Leak: Control Panel Persistence -->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.scr</TargetFilename> <!-- Vault7 CIA Leak: Screensaver Persistence -->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
 		</FileCreateStreamHash>
 
 	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->

From 0f76fed602a0c7df7f3040af70f889f20709d254 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 12 Jul 2018 14:45:08 -0400
Subject: [PATCH 298/471] Update version

---
 sysmonconfig-export.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 8a50f501..3766e380 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -5,12 +5,12 @@
   Master project:	https://github.com/SwiftOnSecurity/sysmon-config
   Master license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
 
-  Fork version:	150
+  Fork version:	300
   Fork author:	ionstorm
   Fork project:	https://github.com/ion-storm/sysmon-config
   Fork license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
 
-  REQUIRED: Sysmon version 7.01 or higher (due to changes in registry syntax and bug-fixes)
+  REQUIRED: Sysmon version 8.00 or higher (due to changes in registry syntax and bug-fixes)
 	https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
 	Note that 6.03 and 7.01 have critical fixes for filtering, it's recommended you stay updated.
 

From 5837fd3b101d2cd663d21d03337e9c059da0f869 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 12 Jul 2018 15:21:26 -0400
Subject: [PATCH 299/471] too much noise, however will restore non-exe network
 connections with right exclusions

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 3766e380..2552e26c 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -923,7 +923,7 @@
 			<Image condition="contains">MicrosoftEdgeCP.exe</Image>
 			<Image condition="contains">MicrosoftEdge.exe</Image>
 			<Image condition="contains">explorer.exe</Image>
-			<Image name="Alert=Non-Exe Connecting to network" condition="excludes">.exe</Image>
+			<!--<Image name="Alert=Non-Exe Connecting to network" condition="excludes">.exe</Image>-->
 			<!--Suspicious Windows tools-->
 			<Image condition="image">at.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
 			<Image condition="image">certutil.exe</Image> <!--Microsoft:Windows: Certificate tool can contact outbound | Credit @ion-storm and @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->

From da1e5960176da2871caadb77c233d3c27dff2e35 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 12 Jul 2018 15:26:53 -0400
Subject: [PATCH 300/471] include unknown process detection

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 2552e26c..df529355 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -924,6 +924,7 @@
 			<Image condition="contains">MicrosoftEdge.exe</Image>
 			<Image condition="contains">explorer.exe</Image>
 			<!--<Image name="Alert=Non-Exe Connecting to network" condition="excludes">.exe</Image>-->
+			<Image name="Alert=Unknown Process Connecting to network" condition="contains">unknown process</Image>
 			<!--Suspicious Windows tools-->
 			<Image condition="image">at.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
 			<Image condition="image">certutil.exe</Image> <!--Microsoft:Windows: Certificate tool can contact outbound | Credit @ion-storm and @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->

From 18cd82d515d4537868dc66b1c35ada3d191185f8 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 12 Jul 2018 15:34:11 -0400
Subject: [PATCH 301/471] exclude dns lookups

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index df529355..f1f91b38 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1224,8 +1224,8 @@
 			<Image condition="image">g2ax_comm_expert.exe</Image> <!--GoToMeeting-->
 			<Image condition="image">g2mcomm.exe</Image> <!--GoToMeeting-->
 			<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image> <!--Microsoft: Teams-->
+			<DestinationPort condition="is">53</DestinationPort>   <!--DNS Lookups-->
 		</NetworkConnect>
-
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->
 
 		<!--DATA: UtcTime, State, Version, SchemaVersion-->

From 6080f878444b5d435458573574ff1c5ae43493de Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 12 Jul 2018 16:15:54 -0400
Subject: [PATCH 302/471] exclude inetcache from ads

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f1f91b38..e27e7d90 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -2718,6 +2718,7 @@
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
 		<FileCreateStreamHash onmatch="exclude">
 			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
+			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\</TargetFilename> <!--Exclude: IE Cache Spam-->
 		</FileCreateStreamHash>
 		<FileCreateStreamHash onmatch="include">
 			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Content.Outlook</TargetFilename> <!--Microsoft:Outlook: Attachments--> <!--PRIVACY WARNING-->

From 40907398b9d0e20db36b0c240e18806e34c31b4f Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 12 Jul 2018 16:17:33 -0400
Subject: [PATCH 303/471] more ie cache spam

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e27e7d90..e51a5e18 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -2719,6 +2719,7 @@
 		<FileCreateStreamHash onmatch="exclude">
 			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
 			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\</TargetFilename> <!--Exclude: IE Cache Spam-->
+			<TargetFilename condition="contains">\Microsoft\Windows\Temporary Internet Files\Content.IE5</TargetFilename> <!--Exclude: IE Cache Spam-->
 		</FileCreateStreamHash>
 		<FileCreateStreamHash onmatch="include">
 			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Content.Outlook</TargetFilename> <!--Microsoft:Outlook: Attachments--> <!--PRIVACY WARNING-->

From 53e7cc5054c5b88d6c75f1060fa718f5ca87420e Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 12 Jul 2018 16:19:37 -0400
Subject: [PATCH 304/471] exclude ff spam

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e51a5e18..e51ac1a9 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -2718,6 +2718,7 @@
 		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
 		<FileCreateStreamHash onmatch="exclude">
 			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
+			<TargetFilename condition="contains">\Mozilla\Firefox\Profiles\</TargetFilename>
 			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\</TargetFilename> <!--Exclude: IE Cache Spam-->
 			<TargetFilename condition="contains">\Microsoft\Windows\Temporary Internet Files\Content.IE5</TargetFilename> <!--Exclude: IE Cache Spam-->
 		</FileCreateStreamHash>

From 4f59a110eaf0dd2a9049eb80d0755a19c491df0a Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 12 Jul 2018 16:44:43 -0400
Subject: [PATCH 305/471] Add Space in between = and http to allow event viewer
 to create http link

---
 sysmonconfig-export.xml | 106 ++++++++++++++++++++--------------------
 1 file changed, 53 insertions(+), 53 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e51ac1a9..f7014f53 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -115,7 +115,7 @@
 			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1.exe group</CommandLine>
 			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1.exe  group</CommandLine>
 			<Image name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="end with">dsquery.exe</Image><!-- Query domain-->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,MitreURL=https://attack.mitre.org/wiki/Technique/T1049" condition="end with">whoami.exe</Image>
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,MitreURL= https://attack.mitre.org/wiki/Technique/T1049" condition="end with">whoami.exe</Image>
 			<Image name="MitreRef=T1049,Technique=Discovery,Tactic=Discovery" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
 			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
 			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
@@ -213,7 +213,7 @@
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">C^om^S^pEc</CommandLine>
 			<!--Native Windows tools - Living off the land-->
 			<Image name="MitreRef=ToDo,Technique=" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeratio,MitreURL=https://capec.mitre.org/data/definitions/293.html" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
+			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeratio,MitreURL= https://capec.mitre.org/data/definitions/293.html" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
 			<Image name="MitreRef=ToDo,Technique=" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
 			<Image name="MitreRef=T1134,Technique=Access Token Manipulation" condition="end with">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
 			<Image name="MitreRef=ToDo,Technique=" condition="end with">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
@@ -2723,59 +2723,59 @@
 			<TargetFilename condition="contains">\Microsoft\Windows\Temporary Internet Files\Content.IE5</TargetFilename> <!--Exclude: IE Cache Spam-->
 		</FileCreateStreamHash>
 		<FileCreateStreamHash onmatch="include">
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Content.Outlook</TargetFilename> <!--Microsoft:Outlook: Attachments--> <!--PRIVACY WARNING-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Startup</TargetFilename> <!--ADS startup | Example: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.vb</TargetFilename> <!--VisualBasicScripting files-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.bat</TargetFilename> <!--Batch scripting-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.exe</TargetFilename> <!--Executable-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.dll</TargetFilename> <!--Executable-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.sys</TargetFilename> <!--Executable-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.hta</TargetFilename> <!--Scripting-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.sys</TargetFilename> <!--System driver files-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.reg</TargetFilename> <!--Registry files-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.docm</TargetFilename> <!--Office Macros-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.xlsm</TargetFilename> <!--Office Macros-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.xlam</TargetFilename> <!--Office Macros-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.pptm</TargetFilename> <!--Office Macros-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.potm</TargetFilename> <!--Office Macros-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.pptm</TargetFilename> <!--Office Macros-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.sldm</TargetFilename> <!--Office Macros-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.js</TargetFilename> <!--Java-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Content.Outlook</TargetFilename> <!--Microsoft:Outlook: Attachments--> <!--PRIVACY WARNING-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Startup</TargetFilename> <!--ADS startup | Example: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.vb</TargetFilename> <!--VisualBasicScripting files-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.bat</TargetFilename> <!--Batch scripting-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.exe</TargetFilename> <!--Executable-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.dll</TargetFilename> <!--Executable-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.sys</TargetFilename> <!--Executable-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.hta</TargetFilename> <!--Scripting-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.sys</TargetFilename> <!--System driver files-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.reg</TargetFilename> <!--Registry files-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.docm</TargetFilename> <!--Office Macros-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.xlsm</TargetFilename> <!--Office Macros-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.xlam</TargetFilename> <!--Office Macros-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.pptm</TargetFilename> <!--Office Macros-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.potm</TargetFilename> <!--Office Macros-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.pptm</TargetFilename> <!--Office Macros-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.sldm</TargetFilename> <!--Office Macros-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.js</TargetFilename> <!--Java-->
 			<!--SECTION: Certificates -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.pem</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.crt</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.ca-bundle</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.cer</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.csr</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.der</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p7b</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p7r</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p7s</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.pfx</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.sto</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p12</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.crl</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.sst</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.key</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.pem</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.crt</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.ca-bundle</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.cer</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.csr</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.der</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p7b</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p7r</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p7s</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.pfx</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.sto</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p12</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.crl</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.sst</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.key</TargetFilename>
 			<!--SECTION: CIA Vault7 Leak -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.mht</TargetFilename> <!-- Possible malformed file will escape IE sandbox -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.manifest</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.cpl</TargetFilename> <!-- Vault7 CIA Leak: Control Panel Persistence -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.scr</TargetFilename> <!-- Vault7 CIA Leak: Screensaver Persistence -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL=https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.mht</TargetFilename> <!-- Possible malformed file will escape IE sandbox -->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.manifest</TargetFilename>
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.cpl</TargetFilename> <!-- Vault7 CIA Leak: Control Panel Persistence -->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.scr</TargetFilename> <!-- Vault7 CIA Leak: Screensaver Persistence -->
+			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
 		</FileCreateStreamHash>
 
 	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->

From eb1d876aee33dd5002a9bae095cd45d2944cb935 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 12 Jul 2018 22:17:59 -0400
Subject: [PATCH 306/471] more updates

---
 sysmonconfig-export.xml | 47 +++++++++++++++++++++++++++++++++++++++--
 1 file changed, 45 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f7014f53..99e6369a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -135,6 +135,8 @@
 			<Image name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
 			<Description name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</Description> <!--Microsoft:Windows: PowerShell interface-->
 			<ParentImage name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</ParentImage> <!--Microsoft:Windows: PowerShell interface-->
+			<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="begin with">powershell.exe -Version</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
+			<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution,Note=Powershell Downgrade attack" condition="begin with">powershell -Version</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">Invoke-Expression</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">iwr</CommandLine>
@@ -249,8 +251,12 @@
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ieexec.exe http</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ieexec http</CommandLine>
 			<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">diskshadow</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">rundll32.exe advpack.dll,LaunchINFSection</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">rundll32 advpack.dll,LaunchINFSection</ParentImage>
+			<!--LoLBin Applocker bypasses-->
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">advpack.dll,LaunchINFSection</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">mshtml,RunHTMLApplication</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">/s /n /u /i:http:</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">mshtml,RunHTMLApplication</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">bginfo.bgi /popup /nolicprompt</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">set </CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">setx </CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">pushd</CommandLine>
@@ -318,6 +324,8 @@
 			<CommandLine name="Alert=DotDot Dirs" condition="contains">..</CommandLine>
 	  		<!--Hacking Command Line Events-->
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">wmic shadowcopy delete</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">wbadmin delete catalog</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation,Note=BCDEdit disabling auto repair" condition="contains">/set {default} recoveryenabled no</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">telnet</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">-dumpcr</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">putty</CommandLine>
@@ -445,6 +453,37 @@
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">mimiauth</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Powersploit</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Mimikittenz</CommandLine>
+			<!--Malicious Keywords Credits: Sean Metcalf (source), Florian Roth (rule)-->
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">AdjustTokenPrivileges</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">IMAGE_NT_OPTIONAL_HDR64_MAGIC</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Management.Automation.RuntimeException</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Microsoft.Win32.UnsafeNativeMethods</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">ReadProcessMemory.Invoke</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Runtime.InteropServices</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">SE_PRIVILEGE_ENABLED</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">System.Security.Cryptography</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">System.Runtime.InteropServices</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">LSA_UNICODE_STRING</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">MiniDumpWriteDump</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">PAGE_EXECUTE_READ</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Net.Sockets.SocketFlags</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Reflection.Assembly</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">SECURITY_DELEGATION</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ADJUST_PRIVILEGES</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ALL_ACCESS</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ASSIGN_PRIMARY</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_DUPLICATE</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ELEVATION</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_IMPERSONATE</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_INFORMATION_CLASS</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_PRIVILEGES</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_QUERY</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Metasploit</CommandLine>
+			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Mimikatz</CommandLine>
+			<!--Malware IOC's-->
+			<CommandLine name="Alert=Potential Ransomware indicator" condition="contains">usn deletejournal</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">^h^t^t^p</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">h"t"t"p</CommandLine>
 			<!--Suspicious Windows tools-->
 			<Image name="MitreRef=T1001,Technique=Signed Script Proxy Execution,Tactic=Defense Evasion/Execution" condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
 			<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
@@ -2509,6 +2548,10 @@
 			<!-- NOTICE: Detect New USB Network Devices: Poison Tap - Creates lots of noise, disabled for now
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
 			-->
+			<TargetObject name="NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+
 		</RegistryEvent>
 
 		<RegistryEvent onmatch="exclude">

From cf080833df2e3c00c58a218e36e4eb8fb5af92d2 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 13 Jul 2018 08:15:27 -0400
Subject: [PATCH 307/471] end with at.exe needs end with \at.exe to not flag
 apps like acrobat

---
 sysmonconfig-export.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 99e6369a..b833c73d 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -177,8 +177,8 @@
 			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</ParentImage>
 			<CommandLine name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="contains">schtasks /create</CommandLine>
 			<CommandLine name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="contains">schtasks.exe /create</CommandLine>
-			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">at.exe</Image>
-			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">at.exe</ParentImage>
+			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">\at.exe</Image>
+			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">\at.exe</ParentImage>
 			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement" condition="contains">System.Management.Automation</CommandLine>
 			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence" condition="contains">net user /add</CommandLine>
 			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence" condition="contains">net localgroup administrators /add</CommandLine>

From 64593beadfd67e78a1ba9d14b86ee8cd79d3d56d Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 13 Jul 2018 08:29:55 -0400
Subject: [PATCH 308/471] Windows firewall modifications

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index b833c73d..b4ff34a7 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -568,6 +568,7 @@
 			<Image condition="contains">\Perflogs\</Image>
 			<Image condition="contains">\config\systemprofile\</Image>
 			<!--Include Everything last to allow rules to apply and to allow previous exclude ruleset to function-->
+			<CommandLine name="Note=Windows Firewall Modifications" condition="contains">netsh advfirewall firewall</CommandLine>
 			<Image condition="contains">\</Image>
 		</ProcessCreate>
 		<ProcessCreate onmatch="exclude">

From c08faac7dc2bcdcdb62a317442a389520aea7ff2 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 13 Jul 2018 08:39:58 -0400
Subject: [PATCH 309/471] ransomware detection false positive removal

---
 sysmonconfig-export.xml | 131 +++++++++++++++++++---------------------
 1 file changed, 63 insertions(+), 68 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index b4ff34a7..69f41099 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1676,10 +1676,9 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recoveryfile</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_ReCoVeRy_</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_decrypt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_restore</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.CRAB</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.CRAB</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">cerber</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_decrypt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">-decrypt</TargetFilename>
@@ -1752,12 +1751,11 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_ReCoVeRy_</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!!READ_TO_UNLOCK!!!.TXT</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">openforyou@india.com</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.warn_wallet</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">hacks.at.sigaint.org</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.MATRIX</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.MATRIX</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Crytp0l0cker</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypted_files.dat</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">padcrypt</TargetFilename>
@@ -1771,7 +1769,6 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IF_WANT_FILES_BACK_PLS_READ.html</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_HELP_HELP_</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">zXz.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.zXz</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_ME_PLEASE.txt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!_RECOVERY_HELP_!.txt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">PLEASE-READIT-IF_YOU-WANT.html</TargetFilename>
@@ -1787,14 +1784,14 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_DECRYPT_ASSISTANCE_</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_HELP_HELP_</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">BTC_DECRYPT_FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.TheTrumpLocker</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.TheTrumpLocker</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ-READ-READ</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.weencedufiles</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.powned</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.weencedufiles</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.powned</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">[KASISKI]</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTRUCCIONES</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_USE_TO_FIX_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.happydayzz</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.happydayzz</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">001-READ-FOR-DECRYPT-FILES</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INFORMATION</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Rans0m_N0te_Read_ME</TargetFilename>
@@ -1804,54 +1801,54 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HERMES</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_DECRYPT_INFO_szesnl</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">000-IF-YOU-WANT-DEC-FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.evillock</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.letmetrydecfiles</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.yourransom</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.lambda_l0cked</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.gefickt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.sigaint.org</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.HakunaMatata</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.CRYPTOSHIELD</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.weareyourfriends</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.evillock</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.letmetrydecfiles</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.yourransom</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.lambda_l0cked</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.gefickt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.sigaint.org</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.HakunaMatata</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.CRYPTOSHIELD</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.weareyourfriends</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">MERRY_I_LOVE_YOU_BRUCE.hta</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How decrypt files.hta</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">unCrypte</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decipher_ne</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.paytounlock</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.paytounlock</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">TRY-READ-ME-TO-DEC</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">protonmail.ch</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">LEER_INMEDIATAMENTE</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.killedXXX</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.doomed</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.killedXXX</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.doomed</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">000-No-PROBLEM-WE-DEC-FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.noproblemwedecfiles</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.noproblemwedecfiles</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WE-MUST-DEC-FILES</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">powerfulldecrypt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">opensourcemail.org</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">contains(to_string($message.file_created), "READ_ME_TO_DECRYPT_YOU_INFORMA</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">file0locked</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">CryptoRansomware</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.VBRANSOM</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.VBRANSOM</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_Recover_Files_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.oops</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.deria</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.RMCM1</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.oops</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.deria</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.RMCM1</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Locked-by-Mafia</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">-filesencrypted</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt_Globe</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.hnumkhotep</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.decrypt2017</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.hnumkhotep</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.decrypt2017</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DecryptFile</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.L0CKED</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.L0CKED</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">1025-7152.exe</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">firstransomware.exe</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP-ME-ENCED-FILES</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">helpmeencedfiles</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">EdgeLocker</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.XBTL</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.firecrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.XBTL</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.firecrypt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES_ARE_DEAD</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.airacropencrypted!</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.airacropencrypted!</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">mail.ru</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WHERE-YOUR-FILES</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Whereisyourfiles</TargetFilename>
@@ -1859,10 +1856,10 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_README.hta</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_README.jpg</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_OPEN_FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.gangbang</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.gangbang</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">GJENOPPRETTING_AV_FILER</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!! HOW TO DECRYPT FILES !!!</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.braincrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.braincrypt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTRUCTION RESTORE FILE</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Survey Locker.exe</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Receipt.exe</TargetFilename>
@@ -1874,16 +1871,15 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RESTORE_CORUPTED_FILES</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Cyber SpLiTTer Vbs.exe</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">000-PLEASE-READ-WE-HELP</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.VforVendetta</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.VforVendetta</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">popcorn_time.exe</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.wallet</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">OSIRIS-</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DesktopOsiris</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">inbox.ru</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.no_more_ransom</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.lovewindows</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.osiris</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.R.i.P</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.no_more_ransom</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.lovewindows</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.osiris</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.R.i.P</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Important!.txt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!_HOW_TO_RESTORE_</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_RESTORE_FILES</TargetFilename>
@@ -1893,7 +1889,6 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ThxForYurTyme</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOW_TO_Decrypt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_RECOVER_INSTRUCTIONS</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">rtext.txt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPTION INSTRUCTIONS.</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt explanations.</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_WHAT_is.html</TargetFilename>
@@ -1908,7 +1903,7 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ATTENTION.url</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README!!!</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">email-salazar_slytherin10</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">._AiraCropEncrypted!</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">._AiraCropEncrypted!</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_RECOVER_FILES_</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOWDO_text.html</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOWDO_text.bmp</TargetFilename>
@@ -2032,15 +2027,15 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">BUYUNLOCKCODE.txt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">AllFilesAreLocked</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">@ukr.net</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.fuckyourdata</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.encrypted.locked</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.Where_my_files.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.RSplited</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.KEYZ.KEYH0LES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.How_To_Get_Back.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.How_To_Decrypt.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.Contact_Here_To_Recover_Your_Files.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.31392E30362E32303136_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.fuckyourdata</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.encrypted.locked</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.Where_my_files.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.RSplited</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.KEYZ.KEYH0LES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.How_To_Get_Back.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.How_To_Decrypt.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.Contact_Here_To_Recover_Your_Files.txt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.31392E30362E32303136_</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains"># DECRYPT MY FILES #.vbs</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains"># DECRYPT MY FILES #.txt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains"># DECRYPT MY FILES #.html</TargetFilename>
@@ -2048,10 +2043,10 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!!README!!!</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!!-WARNING-!!!.txt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!!-WARNING-!!!.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.magic_software_syndicate</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.magic_software_syndicate</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">maestro@pizzacrypts.info</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howtodecryptaesfiles.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.SecureCrypted</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.SecureCrypted</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt-instruct</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">files_are_encrypted.</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decryptmyfiles</TargetFilename>
@@ -2083,14 +2078,14 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt_instruct</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">cryptolocker.</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recover_instruction</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.hydracrypt_ID</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.cryptotorlocker</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.one-we_can-help_you</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.OMG!</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.nochance</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.LOL!</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.CryptoTorLocker2015!</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.{CRYPTENDBLACKDC}</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.hydracrypt_ID</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.cryptotorlocker</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.one-we_can-help_you</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.OMG!</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.nochance</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.LOL!</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.CryptoTorLocker2015!</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.{CRYPTENDBLACKDC}</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">vault.txt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">vault.key</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recovery_key.txt</TargetFilename>
@@ -2107,15 +2102,15 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Howto_Restore_FILES.TXT</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recoveryfile</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.SUPERCRYPT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.helpdecrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">only-we_can-help_you</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.fileiscryptedhard</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.blocatto</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.8lock8</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.SUPERCRYPT</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.helpdecrypt</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">only-we_can-help_you</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.fileiscryptedhard</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.blocatto</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.8lock8</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">==READ==THIS==PLEASE==</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">randomname</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">.weapologize</TargetFilename>
+			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.weapologize</TargetFilename>
 			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">SORRY-FOR-FILES</TargetFilename>
 			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">PLEASE-READ-WE-HELP.</TargetFilename>
 			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">CHECK-IT-HELP-FILES</TargetFilename>

From 45571e590624d400664ae27e4cffa4eb27c996e1 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 13 Jul 2018 09:14:59 -0400
Subject: [PATCH 310/471] exclusions and tweaks.

---
 sysmonconfig-export.xml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 69f41099..6e863fae 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -121,8 +121,8 @@
 			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
 			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
 			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="end with">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
-			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="end with">net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
+			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="end with">\net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
+			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="end with">\net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
 			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
 			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery" condition="end with">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
 			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
@@ -2266,6 +2266,16 @@
 			<TargetFilename condition="end with">N-able Technologies\AVDefender\ThreatScanner\Antivirus-NewTemp\scanclient.dll</TargetFilename>
 			<TargetFilename condition="begin with">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\Repository\nagent</TargetFilename>
 			<TargetFilename condition="begin with">C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\</TargetFilename>
+			<Image condition="is">C:\Program Files (x86)\MaaS360\Cloud Extender\EMSAgent.exe</Image>
+			<Image condition="is">C:\Program Files\graylog\collector-sidecar\winlogbeat.exe</Image>
+			<Image condition="is">C:\Program Files\N-able Technologies\Endpoint Update Server\bin\EPUpdateServer.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\AVDefender\Installer.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\raw_agent_svc.exe</Image>
+			<Image condition="is">C:\Windows\system32\printfilterpipelinesvc.exe</Image>
+			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe</Image>
+			<Image condition="end with">\Runtime\1.0\NodeRunner.exe</Image><!--Exchange NodeRunner-->
+			
 		</FileCreate>
 
 	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->

From 3311184c35173655e7f3ab77df3712d6a6f973b0 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 13 Jul 2018 10:29:30 -0400
Subject: [PATCH 311/471] exclude domain login scripts

---
 sysmonconfig-export.xml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 6e863fae..8a486e6b 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -83,7 +83,7 @@
 	        <Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">regsvcs.exe</Image>
 			<Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">regasm.exe</Image>
 			<Image name="MitreRef=T1218,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">SyncAppvPublishingServer.exe</Image>
-			<Image name="MitreRef=T1218,Technique=Defense Evasion/Execution" condition="end with">control.exe</Image>
+			<Image name="MitreRef=T1218,Technique=Defense Evasion/Execution" condition="end with">\control.exe</Image>
 	        <CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution" condition="contains">control.exe /name</CommandLine>
 			<CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
 			<Image name="MitreRef=T1170,Technique=MSHTA,Tactic=Defense Evasion/Execution" condition="end with">mshta.exe</Image>
@@ -124,8 +124,8 @@
 			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="end with">\net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
 			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="end with">\net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
 			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
-			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery" condition="end with">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
-			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
+			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery" condition="end with">\route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
+			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">\reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
 			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
 			<!--MITRE TACTIC: Execution-->
 			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="contains">COMSPEC</CommandLine>
@@ -558,7 +558,7 @@
 			<Image condition="end with">control.exe</Image>
 			<Image condition="end with">acrord32.exe</Image>
 			<Image condition="end with">installutil.exe</Image>
-			<Image name="Info=Registry modification/queries" condition="end with">reg.exe</Image>
+			<Image name="Info=Registry modification/queries" condition="end with">\reg.exe</Image>
 			<Image name="Info=ipconfig discovery" condition="end with">ipconfig.exe</Image>
 			<Image name="Info=Executables Launched In Appdata" condition="contains">\appdata\</Image>
 			<Image condition="contains">\programdata\</Image>
@@ -594,8 +594,13 @@
 			<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but without attribution-->
 			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
 			<Image condition="is">C:\Windows\system32\vssvc.exe</Image><!-- Microsoft Windows: Volume Shadow Copy Service -->
+			<CommandLine condition="contains">net.exe use</CommandLine> <!-- Silence domain login scripts -->
 			<CommandLine condition="contains">net use</CommandLine> <!-- Silence domain login scripts -->
-			<CommandLine condition="contains">net use</CommandLine> <!-- Silence domain login scripts -->
+			<CommandLine condition="contains">net1 use</CommandLine> <!-- Silence domain login scripts -->
+			<CommandLine condition="contains">net.exe time</CommandLine> <!-- Silence domain login scripts -->
+			<CommandLine condition="contains">net time</CommandLine> <!-- Silence domain login scripts -->
+			<CommandLine condition="contains">net1 time</CommandLine> <!-- Silence domain login scripts -->
+			<CommandLine condition="contains">gpscript.exe</CommandLine> <!-- Silence domain login scripts -->
 			<!--SECTION: Microsoft:Windows:Defender-->
 			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
 			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->

From 535b3b4dab651087675cf6b8d7017f2e23717b37 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 13 Jul 2018 20:58:57 -0400
Subject: [PATCH 312/471] add unknown process detection & updates
 notes/comments

---
 sysmonconfig-export.xml | 146 ++++++++++++++++++++--------------------
 1 file changed, 74 insertions(+), 72 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 8a486e6b..a3d10562 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -73,6 +73,8 @@
 		<ProcessCreate onmatch="include">
 			<!--Mitre ATT&CK Rules-->
 			<!--MITRE TACTIC: Defense Evasion-->
+			<ParentImage name="Alert=Unknown Process Execution" condition="contains">unknown process</ParentImage>
+			<Image name="Alert=Unknown Process Execution" condition="contains">unknown process</Image>
 			<Image name="MitreRef=T1117,Technique=Regsvr32-Defense Evasion/Execution" condition="end with">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
 			<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion" condition="end with">bitsadmin.exe</Image>
 			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="end with">eventvwr.exe</ParentImage>
@@ -1130,82 +1132,82 @@
 			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">cryptmonero</DestinationHostname>
 			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mineXMR</DestinationHostname>
 			<!--Ports-->
-			<DestinationPort name="Service=HTTP Connection" condition="is">80</DestinationPort> <!--RDP Port-->
+			<DestinationPort name="Service=HTTP Connection" condition="is">80</DestinationPort>
 			<DestinationPort name="Service=HTTPS Connection" condition="is">443</DestinationPort>
-			<DestinationPort name="Service=Remote Desktop Connection" condition="is">3389</DestinationPort> <!--RDP Port-->
+			<DestinationPort name="Service=Remote Desktop Connection" condition="is">3389</DestinationPort>
 			<DestinationPort condition="is">3540</DestinationPort> <!--Remote Assistance Port-->
-			<DestinationPort name="Service=SSH Connection" condition="is">22</DestinationPort>   <!--SSH Port-->
-			<DestinationPort condition="is">23</DestinationPort>   <!--Telnet Port-->
-			<DestinationPort condition="is">25</DestinationPort>   <!--SMTP Port-->
-			<DestinationPort condition="is">139</DestinationPort>  <!--SMB Port-->
+			<DestinationPort name="Service=SSH Connection" condition="is">22</DestinationPort>
+			<DestinationPort name="Service=Telnet" condition="is">23</DestinationPort>
+			<DestinationPort name="Service=SMTP" condition="is">25</DestinationPort>
+			<DestinationPort name="Service=SMB" condition="is">139</DestinationPort>
 			<!--<DestinationPort condition="is">445</DestinationPort> SMB Port: Removed because of noise-->
-			<DestinationPort condition="is">5800</DestinationPort> <!--VNC Port-->
-			<DestinationPort condition="is">5900</DestinationPort> <!--VNC Port-->
-			<DestinationPort condition="is">1194</DestinationPort> <!--OpenVPN Port-->
-			<DestinationPort condition="is">1701</DestinationPort> <!--L2TP Port-->
-			<DestinationPort condition="is">1723</DestinationPort> <!--Tor Port-->
-			<DestinationPort condition="is">1293</DestinationPort> <!--IPSec Nat Traversal Port-->
-			<DestinationPort condition="is">4500</DestinationPort> <!--Tor Port-->
-			<DestinationPort condition="is">1080</DestinationPort> <!--Socks Port-->
-			<DestinationPort condition="is">8080</DestinationPort> <!--Socks Port-->
-			<DestinationPort condition="is">3128</DestinationPort> <!--Socks Port-->
-			<DestinationPort condition="is">9001</DestinationPort> <!--Tor Port-->
-			<DestinationPort condition="is">9030</DestinationPort> <!--Tor Port-->
-			<DestinationPort condition="is">4443</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">2448</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">8143</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">1777</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">1443</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">243</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">65535</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">13506</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">3360</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">200</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">198</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">49180</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">13507</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">3360</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">6625</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">4444</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">4438</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">1904</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">13505</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">13504</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">12102</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">9631</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">5445</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">2443</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">777</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">13394</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">13145</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">12103</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">5552</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">3939</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">3675</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">666</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">473</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">5649</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">4455</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">4433</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">1817</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">100</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">65520</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">1960</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">1515</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">743</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">700</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">14154</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">14103</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">14102</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">12322</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">10101</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">7210</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">4040</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
-			<DestinationPort condition="is">9943</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
+			<DestinationPort name="Service=VNC" condition="is">5800</DestinationPort>
+			<DestinationPort name="Service=VNC" condition="is">5900</DestinationPort>
+			<DestinationPort name="Service=OpenVPN" condition="is">1194</DestinationPort>
+			<DestinationPort name="Service=L2TP" condition="is">1701</DestinationPort>
+			<DestinationPort name="Service=TOR" condition="is">1723</DestinationPort>
+			<DestinationPort name="Service=IPSec" condition="is">1293</DestinationPort>
+			<DestinationPort name="Service=Tor" condition="is">4500</DestinationPort>
+			<DestinationPort name="Service=Socks Proxy Port" condition="is">1080</DestinationPort>
+			<DestinationPort name="Service=Socks Proxy Port" condition="is">8080</DestinationPort>
+			<DestinationPort name="Service=Socks Proxy Port" condition="is">3128</DestinationPort>
+			<DestinationPort name="Service=Tor" condition="is">9001</DestinationPort>
+			<DestinationPort name="Service=Tor" condition="is">9030</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">4443</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">2448</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">8143</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">1777</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">1443</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">243</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">65535</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">13506</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">3360</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">200</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">198</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">49180</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">13507</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">3360</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">6625</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">4444</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">4438</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">1904</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">13505</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">13504</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">12102</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">9631</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">5445</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">2443</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">777</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">13394</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">13145</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">12103</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">5552</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">3939</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">3675</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">666</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">473</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">5649</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">4455</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">4433</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">1817</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">100</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">65520</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">1960</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">1515</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">743</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">700</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">14154</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">14103</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">14102</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">12322</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">10101</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">7210</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">4040</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">9943</DestinationPort>
 			<!--Ports: Threats-->
-			<DestinationPort condition="is">7777</DestinationPort> <!-- https://www.hybrid-analysis.com/search?query=port:7777 -->
-			<DestinationPort condition="is">9943</DestinationPort> <!-- https://www.hybrid-analysis.com/search?query=port:9943 -->
-			<DestinationPort condition="is">666</DestinationPort> <!-- https://www.hybrid-analysis.com/search?query=port:666 -->
+			<DestinationPort name="Note=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:7777" condition="is">7777</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:9943" condition="is">9943</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:666" condition="is">666</DestinationPort>
 		</NetworkConnect>
 		<NetworkConnect onmatch="exclude">
 			<!--SECTION: Microsoft -->

From 0eb2d75fbe6b18c7b1827d5f5230290cd5077276 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 13 Jul 2018 21:38:17 -0400
Subject: [PATCH 313/471] Update comments, remove excess comments

---
 sysmonconfig-export.xml | 68 +++++++++--------------------------------
 1 file changed, 14 insertions(+), 54 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index a3d10562..6d2c7cff 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -10,45 +10,7 @@
   Fork project:	https://github.com/ion-storm/sysmon-config
   Fork license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
 
-  REQUIRED: Sysmon version 8.00 or higher (due to changes in registry syntax and bug-fixes)
-	https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
-	Note that 6.03 and 7.01 have critical fixes for filtering, it's recommended you stay updated.
-
-  NOTE: To collect Sysmon logs centrally for free, see https://aka.ms/WEF. Will need to run command to allow log access to the Network Service:
-	wevtutil.exe sl Microsoft-Windows-Sysmon/Operational /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)
-
-  NOTE: Do not let the size and complexity of this configuration discourage you from customizing this or building your own.
-	This configuration is based around known, high-signal event tracing, and thus appears complicated, but it's only very
-	detailed. Significant effort over years has been invested in front-loading as much filtering as possible onto the
-	client. This is to make analysis of intrusions possible by hand, and to try to surface anomalous activity as quickly
-	as possible to any technician armed only with Event Viewer. Its purpose is to democratize system monitoring for all organizations.
-
-  NOTE: Sysmon is NOT a whitelist solution or HIDS engine, it is a computer change and event logging tool with very basic exclude rules.
-	Do NOT ignore everything possible. Sysmon's purpose is providing context during a threat or problem investigation. Legitimate
-	processes are routinely used by threats - do not blindly exclude them. Additionally, be mindful of process-hollowing / imitation.
-
-  NOTE: Sysmon is not hardened against an attacker with admin rights. Additionally, this configuration offers an attacker, willing
-	to study it, many ways to evade some of the logging. If you are in a high-threat environment, you should consider a much broader
-	log-most approach. However, in the vast majority of cases, an attacker will bumble along through multiple behavioral traps which
-	this configuration monitors, especially in the first minutes.
-
-  TECHNICAL:
-  - Run sysmon.exe -? for a briefing on Sysmon configuration.
-  - Sysmon does not support nested/multi-conditional rules. There are only blanket INCLUDE and EXCLUDE. "Exclude" rules override "Include" rules.
-  - If you only specify exclude for a filtering subsection, everything in that subsection is logged by default.
-  - Some Sysmon monitoring abilities are not meant for general-purpose use due to their large performance impact, such as ProcessAccess.
-  - Duplicate or overlapping "Include" rules do not result in duplicate events being logged.
-  - All characters enclosed by XML tags are always interpreted literally. Sysmon does not support wildcards (*), alternate characters, or RegEx.
-  - In registry events, the value name is appended to the full key path with a "\" delimiter. Default key values are named "\(Default)"
-  - "Image" is a technical term for a compiled binary file like an EXE or DLL. Also, it can match just the filename, or entire path.
-  - "ProcessGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual process launches. Cleared on service restart.
-  - "LoginGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual user sessions. Cleared on service restart.
-  - Sysmon does not track which rule caused an event to be logged.
-
-  TECHNICAL: Filter conditions available for use are: is, is not, contains, excludes, begin with, end with, less than, more than, image
-  - The "image" filter is usable with any field. Same as "is" but can either match the entire string, or only the text after the last "\" in the string. Credit: @mattifestation
-
-  PERFORMANCE: By using "end with" you can save performance by starting a string match at the end of a line, which usually triggers earlier.
+  REQUIRED: Sysmon version 8.00 or higher, it's recommended you stay updated.
 -->
 
 <Sysmon schemaversion="4.10">
@@ -61,15 +23,13 @@
 	<!-- <PipeMonitoringConfig/> --> <!-- Would manually force-on PipeCreated / PipeConnected events, even without configuration below. Included only documentation. -->
 
 	<EventFiltering>
-
 	<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
 		<!--COMMENT:	All process launched will be included, except for what matches a rule below. It's best to be as specific as possible, to
 			avoid user-mode executables imitating other process names to avoid logging, or if malware drops files in an existing directory.
 			Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created.
 			Beware of Masquerading, where attackers imitate the names and paths of legitimate tools. Ideally, you'd use both file path and
 			code signatures to validate, but Sysmon does not support that. Look into Windows Device Guard for whitelisting support. -->
-
-		<!--DATA: UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
+		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
 		<ProcessCreate onmatch="include">
 			<!--Mitre ATT&CK Rules-->
 			<!--MITRE TACTIC: Defense Evasion-->
@@ -928,7 +888,7 @@
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
 		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1099 ] -->
 
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->
+		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->
 		<FileCreateTime onmatch="include">
 			<Image condition="begin with">C:\Users</Image> <!--Look for timestomping in user area-->
 			<Image condition="begin with">C:\ProgramData</Image> <!--Look for timestomping in user area-->
@@ -952,7 +912,7 @@
 		<!--TECHNICAL:	For the DestinationPortName, Sysmon uses the GetNameInfo API for the friendly name of ports you see in logs.-->
 		<!--TECHNICAL:	These exe do not initiate their connections, and thus including does not work in this section: BITSADMIN.exe-->
 
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName-->
+		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName-->
 		<NetworkConnect onmatch="include">
 			<!--Suspicious sources for network-connecting binaries-->
 			<Image condition="begin with">C:\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
@@ -1281,7 +1241,7 @@
 	<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
 		<!--COMMENT:	Useful data in building infection timelines.-->
 
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image-->
+		<!--DATA: Rulename, UtcTime, ProcessGuid, ProcessId, Image-->
 		<ProcessTerminate onmatch="include">
 		<!--COMMENT:	Useful data in building infection timelines.-->
 			<Image condition="begin with">C:\Users</Image> <!--Process terminations by user binaries-->
@@ -1297,7 +1257,7 @@
 			[ https://attack.mitre.org/wiki/Technique/T1014 ] -->
 		<!--TECHNICAL:	Sysmon will check the signing certificate revocation status of any driver you don't exclude.-->
 
-		<!--DATA: UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
+		<!--DATA: RuleName, UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
 		<DriverLoad onmatch="exclude">
 		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
 				about what you exclude from monitoring. Low event volume, little incentive to exclude.-->
@@ -1332,7 +1292,7 @@
 		<!--COMMENT:	Can cause high system load, disabled by default.-->
 		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1073 ] [ https://attack.mitre.org/wiki/Technique/T1038 ] [ https://attack.mitre.org/wiki/Technique/T1034 ] -->
 
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
+		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
 		<ImageLoad onmatch="include">
 			<Signed condition="is">false</Signed> <!-- Lets Only show Unsigned DLL's loaded-->
 			<SignatureStatus condition="is">Invalid</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
@@ -1429,7 +1389,7 @@
 		<!--COMMENT:	Monitor for processes injecting code into other processes. Often used by malware to cloak their actions. Also when Firefox loads Flash.
 		[ https://attack.mitre.org/wiki/Technique/T1055 ] -->
 
-		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
+		<!--DATA: RuleName, UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
 		<CreateRemoteThread onmatch="include">
 			<StartFunction name="MitreRef=T1055,Technique=DLL Injection via LoadLibrary API Call,Tactic=Defense Evasion" condition="contains">LoadLibrary</StartFunction>
 			<SourceImage condition="contains">\</SourceImage>
@@ -1465,7 +1425,7 @@
 			Encourage you to experiment with this feature yourself. [ https://attack.mitre.org/wiki/Technique/T1067 ] -->
 		<!--COMMENT:	You will likely want to set this to a full capture on domain controllers, where no process should be doing raw reads.-->
 
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, Device-->
+		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, Device-->
 		<RawAccessRead onmatch="include">
 		</RawAccessRead>
 
@@ -1473,7 +1433,7 @@
 		<!--EVENT 10: "Process accessed"-->
 		<!--COMMENT:	Can cause high system load, disabled by default.-->
 		<!--COMMENT:	Monitor for processes accessing other process' memory.-->
-		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
+		<!--DATA: RuleName, UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
 		<ProcessAccess onmatch="include">
 			<TargetImage condition="end with">:\Windows\System32\lsass.exe</TargetImage>
 			<TargetImage condition="end with">:\Windows\System32\winlogon.exe</TargetImage>
@@ -1557,7 +1517,7 @@
 		<!--NOTE:	Other filesystem "minifilters" can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
 		<!--NOTE:	You may not see files detected by antivirus. Other filesystem minifilters, like antivirus, can act before Sysmon receives the alert a file was written.-->
 
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
+		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
 		<FileCreate onmatch="include">
 			<TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links and shortcut modification-->
 			<TargetFilename condition="contains">\Startup</TargetFilename> <!--Microsoft:Office: Changes to user's autoloaded files under AppData-->
@@ -2771,7 +2731,7 @@
 			[ https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/ ] -->
 		<!--NOTE: Other filesystem minifilters can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
 
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
+		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
 		<FileCreateStreamHash onmatch="exclude">
 			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
 			<TargetFilename condition="contains">\Mozilla\Firefox\Profiles\</TargetFilename>
@@ -2838,14 +2798,14 @@
 		<!--EVENT 16: "Sysmon config state changed"-->
 		<!--COMMENT:	This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16-->
 		
-		<!--DATA: UtcTime, Configuration, ConfigurationFileHash-->
+		<!--DATA: RuleName, UtcTime, Configuration, ConfigurationFileHash-->
 		<!--Cannot be filtered.-->
 
 	<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent]-->
 		<!--EVENT 17: "Pipe Created"-->
 		<!--EVENT 18: "Pipe Connected"-->
 
-		<!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
+		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
 		<PipeEvent onmatch="exclude">
 		<!--COMMENT: Exclude known-good pipe users-->
 				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->

From df625331a3f775cd028f59c2999d3654928e1d2b Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 13 Jul 2018 21:58:01 -0400
Subject: [PATCH 314/471] Removed Custom Exclusions for Labtech & Solarwinds
 N-Central for master branch, you may want to exclude this commit if you use
 these products.

---
 sysmonconfig-export.xml | 71 -----------------------------------------
 1 file changed, 71 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 6d2c7cff..e9f40474 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -776,56 +776,13 @@
 			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
 			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe</Image>
 			<!--SECTION: Custom Apps-->
-			<!--SECTION: Labtech -->
-			<!--Since Labtech nests its processes, the following exclusions could be exploited, remove if you do not need-->
-			<!--TODO: Will define these more in the future-->
-			<ParentCommandLine condition="is">C:\Windows\LTSvc\LTSVC.exe -sLTService</ParentCommandLine> <!--Labtech Agent-->
-			<ParentImage condition="is">C:\Windows\LTSvc\LTSVC.exe</ParentImage> <!--Labtech Agent-->
-			<CurrentDirectory condition="is">C:\Windows\LTSvc\</CurrentDirectory><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">find /i "Listening"</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">netstat -an</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">tasklist</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">nslookup</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">nbtstat.exe</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">dsquery</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">sc query</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">find /i "Listening"</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">netstat -an</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">tasklist</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">interface tcp show global</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">wmic path win32_operatingsystem get</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">sc queryex type= service</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
 			<ParentCommandLine condition="contains">C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe</ParentCommandLine> <!--ShadowProtect noise -->
 			<ParentCommandLine condition="contains">raw_agent_svc.exe</ParentCommandLine> <!--ShadowProtect noise -->
 			<ParentImage condition="end with">raw_agent_svc.exe</ParentImage> <!--ShadowProtect noise -->
 			<CommandLine condition="contains">IscsidscInterface.exe</CommandLine> <!--ShadowProtect noise -->
 			<ParentCommandLine condition="contains">IscsidscInterface.exe</ParentCommandLine> <!--ShadowProtect noise -->
-			<ParentCommandLine condition="contains">Add-PSSnapin Microsoft.SharePoint.PowerShell</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">find /i "Listening"</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">netstat -an</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">tasklist</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">wmic path win32_operatingsystem get</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">sc queryex type= service</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">C:\Program Files\StorageCraft\ImageManager\ImageManager.exe</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">Add-PSSnapin Microsoft.SharePoint.PowerShell</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">Get-WmiObject -Query 'SELECT LicensingType FROM Win32_TerminalServiceSetting').LicensingType</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">Get-WmiObject -Namespace Root\CimV2\TerminalServices</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">tasklist</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">vssadmin list writers</ParentCommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">vssadmin  list writers</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">net view \\localhost | find " Print</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">net view \\localhost | find " Disk</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">C:\Windows\system32\net1 Share</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentImage condition="is">C:\Program Files (x86)\LabTech Client\LTClient.exe</ParentImage> <!--Labtech Client-->
 			<ParentCommandLine condition="contains">C:\Windows\LTSvc\LTSvcMon.exe -sLTService</ParentCommandLine>
-			<ParentImage condition="is">C:\Windows\LTSvc\LTSvcMon.exe</ParentImage>
-			<Image condition="is">C:\Windows\LTSvc\LTTray.exe</Image>
-			<ParentCommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall</ParentCommandLine>
 			<CommandLine condition="contains">interface tcp show global</CommandLine>
-			<Image condition="is">nslookup.exe</Image><!--Labtech NStest.bat lookups-->
-			<!--END: Labtech-->
 			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->
 			<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
 			<ParentImage condition="begin with">C:\Program Files (x86)\SmartGit</ParentImage> <!--SmartGit-->
@@ -852,18 +809,6 @@
 			<Image condition="is">C:\ProgramData\sysmon\sysmon64.exe</Image> <!-- Exclude Sysmon Process events -->
 			<!--Exclude: MSPaint.exe-->
 			<Hashes condition="contains">56BFB300BA379181CE09C3130775DFBBCAFF9DB764BDC39086C2FEC2547EE900</Hashes>
-			<!--Exclude: N-Able/N-Central-->
-			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image>
-			<Image condition="is">C:\Program Files\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image>
-			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe</ParentImage>
-			<ParentCommandLine condition="contains">N-able Technologies\Windows Software Probe\bin\wsp.exe</ParentCommandLine>
-			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</ParentImage>
-			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe</ParentImage>			
-			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe</Image>			
-			<ParentImage condition="is">C:\Program Files\N-able Technologies\AVDefender\installer\installer.exe	</ParentImage>
-			<ParentImage condition="is">C:\Program Files\N-able Technologies\AVDefender\epupdateservice.exe</ParentImage>
-			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\ShadowProtectDataReader.exe</ParentImage>
-			<Hashes condition="contains">3070E798134A11ADB01129F06A36CD924267E6DA95DAB2E3196105264D2BF818</Hashes><!--Winlogbeat-->
 			<!--Exclude: Sysmon Auto-Update-->
 			<ParentCommandLine condition="contains">\sysmon\Auto_Update.bat</ParentCommandLine>
 			<CommandLine condition="contains">\sysmon\Auto_Update.bat</CommandLine>
@@ -871,8 +816,6 @@
 			 <!--Exclude: Netlogon scripts-->
 			<ParentCommandLine condition="contains">\netlogon\</ParentCommandLine>
 			<CommandLine condition="contains">\netlogon\</CommandLine>
-			<ParentImage condition="is">C:\PROGRA~2\SAAZOD\SAAZMSMACTL.EXE</ParentImage>
-			 <!--Exclude: Too noisy in a domain environment with legacy logon scripts-->
 			<CommandLine condition="contains">net use</CommandLine>
 			<CommandLine condition="contains">net.exe use</CommandLine>
 			<CommandLine condition="contains">net1 use</CommandLine>
@@ -1223,8 +1166,6 @@
 			<DestinationHostname condition="begin with">efolder01</DestinationHostname> <!-- eFolder Noise -->
 			<DestinationPort condition="is">2080</DestinationPort><!--eFolder Noise -->
 			<Image condition="end with">g2mcomm.exe</Image> <!-- gotomeeting noise -->
-			<Image condition="is">C:\Program Files (x86)\LabTech Client\LTClient.exe</Image>
-			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
 			<Image condition="begin with">C:\Program Files (x86)\SmartGit\</Image>
 			<Image condition="end with">DSPro\Programs\pr001Celery98.exe</Image>
@@ -1408,8 +1349,6 @@
 			<SourceImage condition="contains">FireSvc.exe</SourceImage>
 			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
 			<TargetImage condition="end with">controls\cef\ConnectWise.exe</TargetImage>
-			<SourceImage condition="is">C:\Program Files\N-able Technologies\AVDefender\epsecurityservice.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files\N-able Technologies\AVDefender\EPSecurityService.exe</SourceImage>
 			<SourceImage condition="is">C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\avp.exe</SourceImage>
 			<SourceImage condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Common7\IDE\Remote Debugger\x64\msvsmon.exe</SourceImage>
 			<SourceImage condition="is">C:\Windows\System32\rdpclip.exe</SourceImage>
@@ -1471,8 +1410,6 @@
 			<SourceImage condition="is">C:\Windows\system32\msiexec.exe</SourceImage>
 			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
 			<SourceImage condition="is">C:\Windows\system32\spoolsv.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files\N-able Technologies\AVDefender\EPUpdateService.exe</SourceImage>
 			<SourceImage condition="contains">taskmgr</SourceImage>
 			<SourceImage condition="end with">wbem\wmiprvse.exe</SourceImage>
 			<SourceImage condition="end with">\EMET_Service.exe</SourceImage>
@@ -2679,9 +2616,6 @@
 			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}\</TargetObject><!-- HD Audio Noise-->
 			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe</Image> <!--VMWare: Horizon View Client Noise-->
 			<Image condition="is">C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe</Image> <!--PGP: Noise-->
-			<!--SECTION: Labtech-->
-			<TargetObject condition="end with">\LTSvcMon\Start</TargetObject>
-			<TargetObject condition="end with">\LTService\Start</TargetObject>
 			<!--SECTION: ShadowProtect-->
 			<TargetObject condition="contains">{F2C2787D-95AB-40D4-942D-298F5F757874}</TargetObject>
 			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image> <!--Constantly writes to HKLM-->
@@ -2915,13 +2849,8 @@
 			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiSSLVPNdaemon.exe</Image>
 			<!--SECTION: Sophos VPN Client-->
 			<Image condition="is">c:\program files (x86)\sophos\sophos ssl vpn client\bin\openvpnserv.exe</Image>
-			<!--SECTION: Labtech-->
-			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
 			<Image condition="contains">ScreenConnect.WindowsClient.exe</Image>
 			<Image condition="contains">ScreenConnect.ClientService.exe</Image>
-			<!--SECTION: N-Able -->
-			<Image condition="end with">N-able Technologies\Windows Agent\bin\agent.exe</Image>
-			<Image condition="end with">N-able Technologies\AVDefender\EPIntegrationService.exe</Image>
 			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
 			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn.exe</Image>
 			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpnserv.exe</Image>

From 335bf0945e6cb4c32e570e31193bbacc085c3a4f Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 15 Jul 2018 00:27:45 -0400
Subject: [PATCH 315/471] Update alerts

---
 sysmonconfig-export.xml | 68 ++++++++++++++++++++---------------------
 1 file changed, 34 insertions(+), 34 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e9f40474..0d65204f 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -142,39 +142,39 @@
 			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">\at.exe</Image>
 			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">\at.exe</ParentImage>
 			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement" condition="contains">System.Management.Automation</CommandLine>
-			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence" condition="contains">net user /add</CommandLine>
-			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence" condition="contains">net localgroup administrators /add</CommandLine>
+			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line" condition="contains">net user /add</CommandLine>
+			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Administrator added via Command Line" condition="contains">net localgroup administrators /add</CommandLine>
 			<!--MITRE TACTIC: Lateral Movement-->
-			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement" condition="end with">wmiprvse.exe</ParentImage>
+			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement,Alert=Hacking" condition="end with">wmiprvse.exe</ParentImage>
 			<!--MITRE TECHNIQUE: Obfuscation-->
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">FromBase64String</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">FromBase64String</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect Secure Strings" condition="contains">convertto-securestring</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect some more obfuscation" condition="contains">VerbosePreference.ToString</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">runtime.interopservices.marshal</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">VerbosePreference.ToString</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowstyle h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowstyl h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowsty h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowst h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windows h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-window h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windo h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-wind h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-wi h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-w h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-wi h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hi</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hid</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hidd</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hidde</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hidden</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-Nop</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-Noni</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">runtime.interopservices.marshal</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">VerbosePreference.ToString</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowstyle h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowstyl h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowsty h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowst h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windows h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-window h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windo h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-wind h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-wi h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-w h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-wi h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hi</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hid</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hidd</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hidde</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hidden</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-Nop</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-Noni</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-ec</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-en</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">C^om^S^pEc</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">C^om^S^pEc</CommandLine>
 			<!--Native Windows tools - Living off the land-->
 			<Image name="MitreRef=ToDo,Technique=" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
 			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeratio,MitreURL= https://capec.mitre.org/data/definitions/293.html" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
@@ -190,12 +190,12 @@
 			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">nltest.exe</Image>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">nltest.exe</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ExtExport</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">bash -c</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">bash.exe -c</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">bash -c</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">bash.exe -c</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey /list</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey.exe /list</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">certutil.exe -urlcache -split -f</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">certutil -urlcache -split -f</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">certutil.exe -urlcache -split -f</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">certutil -urlcache -split -f</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc -out:</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc.exe -out:</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc -target:library</CommandLine>
@@ -210,9 +210,9 @@
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">expand.exe \\</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">extrac32 \\</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">extrac32.exe \\</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ieexec.exe http</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ieexec http</CommandLine>
-			<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">diskshadow</ParentImage>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">ieexec.exe http</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">ieexec http</CommandLine>
+			<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">diskshadow</ParentImage>
 			<!--LoLBin Applocker bypasses-->
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">advpack.dll,LaunchINFSection</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">mshtml,RunHTMLApplication</CommandLine>

From 08099669c35328b2b6b035a00fcff805c2da38aa Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 15 Jul 2018 12:45:27 -0400
Subject: [PATCH 316/471] revert, ref:
 https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list

---
 sysmonconfig-export.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 0d65204f..50ec0128 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -562,7 +562,6 @@
 			<CommandLine condition="contains">net.exe time</CommandLine> <!-- Silence domain login scripts -->
 			<CommandLine condition="contains">net time</CommandLine> <!-- Silence domain login scripts -->
 			<CommandLine condition="contains">net1 time</CommandLine> <!-- Silence domain login scripts -->
-			<CommandLine condition="contains">gpscript.exe</CommandLine> <!-- Silence domain login scripts -->
 			<!--SECTION: Microsoft:Windows:Defender-->
 			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
 			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->

From bac76c18533db43875c31f6cd00e51831baf73c3 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 16 Jul 2018 11:35:26 -0400
Subject: [PATCH 317/471] ignore chrome noise

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 50ec0128..9f1c2aa9 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -825,6 +825,7 @@
 			<CommandLine condition="contains">C:\Windows\system32\cmd.exe /c UsrLogon.cmd</CommandLine>
 			<ParentImage condition="is">C:\Program Files (x86)\MaaS360\Cloud Extender\EMSAgent.exe</ParentImage>
 			<ParentImage condition="is">C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe</ParentImage>
+			<CommandLine condition="contains">chrome.nativeMessaging.out</CommandLine>
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->

From 1c3a63de8dbd7e0a627081c35d486b4ad44aab88 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 15 Jul 2018 00:27:45 -0400
Subject: [PATCH 318/471] Update alerts

---
 sysmonconfig-export.xml | 68 ++++++++++++++++++++---------------------
 1 file changed, 34 insertions(+), 34 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 6d2c7cff..f19e75f9 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -142,39 +142,39 @@
 			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">\at.exe</Image>
 			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">\at.exe</ParentImage>
 			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement" condition="contains">System.Management.Automation</CommandLine>
-			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence" condition="contains">net user /add</CommandLine>
-			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence" condition="contains">net localgroup administrators /add</CommandLine>
+			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line" condition="contains">net user /add</CommandLine>
+			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Administrator added via Command Line" condition="contains">net localgroup administrators /add</CommandLine>
 			<!--MITRE TACTIC: Lateral Movement-->
-			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement" condition="end with">wmiprvse.exe</ParentImage>
+			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement,Alert=Hacking" condition="end with">wmiprvse.exe</ParentImage>
 			<!--MITRE TECHNIQUE: Obfuscation-->
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">FromBase64String</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">FromBase64String</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect Secure Strings" condition="contains">convertto-securestring</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect some more obfuscation" condition="contains">VerbosePreference.ToString</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">runtime.interopservices.marshal</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">VerbosePreference.ToString</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowstyle h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowstyl h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowsty h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windowst h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windows h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-window h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-windo h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-wind h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-wi h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-w h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-wi h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hi</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hid</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hidd</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hidde</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-win hidden</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-Nop</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-Noni</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">runtime.interopservices.marshal</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">VerbosePreference.ToString</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowstyle h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowstyl h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowsty h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowst h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windows h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-window h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windo h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-wind h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-wi h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-w h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-wi h</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hi</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hid</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hidd</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hidde</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hidden</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-Nop</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-Noni</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-ec</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-en</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">C^om^S^pEc</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">C^om^S^pEc</CommandLine>
 			<!--Native Windows tools - Living off the land-->
 			<Image name="MitreRef=ToDo,Technique=" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
 			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeratio,MitreURL= https://capec.mitre.org/data/definitions/293.html" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
@@ -190,12 +190,12 @@
 			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">nltest.exe</Image>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">nltest.exe</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ExtExport</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">bash -c</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">bash.exe -c</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">bash -c</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">bash.exe -c</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey /list</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey.exe /list</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">certutil.exe -urlcache -split -f</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">certutil -urlcache -split -f</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">certutil.exe -urlcache -split -f</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">certutil -urlcache -split -f</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc -out:</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc.exe -out:</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc -target:library</CommandLine>
@@ -210,9 +210,9 @@
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">expand.exe \\</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">extrac32 \\</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">extrac32.exe \\</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ieexec.exe http</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ieexec http</CommandLine>
-			<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">diskshadow</ParentImage>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">ieexec.exe http</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">ieexec http</CommandLine>
+			<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">diskshadow</ParentImage>
 			<!--LoLBin Applocker bypasses-->
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">advpack.dll,LaunchINFSection</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">mshtml,RunHTMLApplication</CommandLine>

From fe5d06e82a26c99561ac629a98b49dfd44e53c21 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Sun, 15 Jul 2018 12:45:27 -0400
Subject: [PATCH 319/471] revert, ref:
 https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list

---
 sysmonconfig-export.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f19e75f9..bdeb421b 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -562,7 +562,6 @@
 			<CommandLine condition="contains">net.exe time</CommandLine> <!-- Silence domain login scripts -->
 			<CommandLine condition="contains">net time</CommandLine> <!-- Silence domain login scripts -->
 			<CommandLine condition="contains">net1 time</CommandLine> <!-- Silence domain login scripts -->
-			<CommandLine condition="contains">gpscript.exe</CommandLine> <!-- Silence domain login scripts -->
 			<!--SECTION: Microsoft:Windows:Defender-->
 			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
 			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->

From 1a9a4ba722902ef09c9d09826e792c5da4a45f38 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 16 Jul 2018 11:35:26 -0400
Subject: [PATCH 320/471] ignore chrome noise

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index bdeb421b..06ef07c7 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -882,6 +882,7 @@
 			<CommandLine condition="contains">C:\Windows\system32\cmd.exe /c UsrLogon.cmd</CommandLine>
 			<ParentImage condition="is">C:\Program Files (x86)\MaaS360\Cloud Extender\EMSAgent.exe</ParentImage>
 			<ParentImage condition="is">C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe</ParentImage>
+			<CommandLine condition="contains">chrome.nativeMessaging.out</CommandLine>
 		</ProcessCreate>
 
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->

From 093e84a4c873b586a334112cdbbaccabd2ff64ad Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 17 Jul 2018 12:38:46 -0400
Subject: [PATCH 321/471] Detect Remote Desktop Shadow connection

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 06ef07c7..14e52540 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -146,6 +146,8 @@
 			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Administrator added via Command Line" condition="contains">net localgroup administrators /add</CommandLine>
 			<!--MITRE TACTIC: Lateral Movement-->
 			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement,Alert=Hacking" condition="end with">wmiprvse.exe</ParentImage>
+			<CommandLine name="MitreRef=T0000,Technique=Remote Desktop Shadow,Alert=Hacking/Remote Admin" condition="contains">/shadow</CommandLine>
+			<CommandLine name="MitreRef=T0000,Technique=Remote Desktop Shadow,Alert=Hacking/Remote Admin" condition="contains">/noConsentPrompt</CommandLine>
 			<!--MITRE TECHNIQUE: Obfuscation-->
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">FromBase64String</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect Secure Strings" condition="contains">convertto-securestring</CommandLine>

From f1922b45c4487d350792b3afef21887cf561d9f8 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 17 Jul 2018 21:15:25 -0400
Subject: [PATCH 322/471] add MitreRef=T1050,Technique=New
 Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via
 Command Line

---
 sysmonconfig-export.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 14e52540..821bc525 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -144,6 +144,9 @@
 			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement" condition="contains">System.Management.Automation</CommandLine>
 			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line" condition="contains">net user /add</CommandLine>
 			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Administrator added via Command Line" condition="contains">net localgroup administrators /add</CommandLine>
+			<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via Command Line" condition="contains">sc create</CommandLine>
+			<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via Command Line" condition="contains">sc.exe create</CommandLine>
+			<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via Command Line" condition="contains">new-service</CommandLine>
 			<!--MITRE TACTIC: Lateral Movement-->
 			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement,Alert=Hacking" condition="end with">wmiprvse.exe</ParentImage>
 			<CommandLine name="MitreRef=T0000,Technique=Remote Desktop Shadow,Alert=Hacking/Remote Admin" condition="contains">/shadow</CommandLine>

From a677e63f6280a9b2736005895f003b8f5084b6ac Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 17 Jul 2018 21:46:59 -0400
Subject: [PATCH 323/471] add detection for Cobalt Strike's payload using
 netsh.exe helper DLLs

---
 sysmonconfig-export.xml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 821bc525..d0ad4f0c 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -176,6 +176,7 @@
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hidden</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-Nop</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-Noni</CommandLine>
+			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-encodedc</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-ec</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-en</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
@@ -1305,6 +1306,8 @@
 			<ImageLoaded condition="contains">C:\windows\system32\fxsst.dll</ImageLoaded> <!-- CIA Vault7 Leak: Fax DLL Injection -->
 			<ImageLoaded condition="contains">C:\Windows\System32\wbem\oci.dll</ImageLoaded> <!-- CIA Vault7 Leak: Distributed Transaction Coordinator DLL Injection -->
 			<ImageLoaded condition="contains">\Temp\</ImageLoaded>
+			<ImageLoaded name="MitreRef=T1128,Technique=Netsh Helper Beacon DLL,Tactic=Persistence,Alert=Cobalt Strike Netsh Helper Beacon" condition="contains">NetshHelperBeacon</ImageLoaded>
+			<Image name="MitreRef=T1128,Technique=Netsh Helper Beacon DLL,Tactic=Persistence" condition="contains">netsh.exe</Image>
 		</ImageLoad>
 		<ImageLoad onmatch="exclude">
 			<SignatureStatus condition="is">Valid</SignatureStatus>
@@ -2376,7 +2379,7 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
+			<TargetObject name="MitreRef=T1128,Technique=Netsh Helper Beacon DLL,Tactic=Persistence" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
 			<!--Networking-->

From 9c263c7ed11079e01eb4f92eb368c46b42fb9c2f Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 17 Jul 2018 21:59:23 -0400
Subject: [PATCH 324/471] add
 "MitreRef=T1099,Technique=Timestomp,Tactic=Defense
 Evasion,Alert=Timestomp/File creation time retroactively changed!"

---
 sysmonconfig-export.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index d0ad4f0c..af46d3b4 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -896,9 +896,9 @@
 
 		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->
 		<FileCreateTime onmatch="include">
-			<Image condition="begin with">C:\Users</Image> <!--Look for timestomping in user area-->
-			<Image condition="begin with">C:\ProgramData</Image> <!--Look for timestomping in user area-->
-			<Image condition="contains">\Temp\</Image> <!--Mitre T1099--><!--Look for timestomping in temp folders-->
+			<Image name="MitreRef=T1099,Technique=Timestomp,Tactic=Defense Evasion,Alert=Timestomp/File creation time retroactively changed!" condition="begin with">C:\Users</Image> <!--Look for timestomping in user area-->
+			<Image name="MitreRef=T1099,Technique=Timestomp,Tactic=Defense Evasion,Alert=Timestomp/File creation time retroactively changed!" condition="begin with">C:\ProgramData</Image> <!--Look for timestomping in user area-->
+			<Image name="MitreRef=T1099,Technique=Timestomp,Tactic=Defense Evasion,Alert=Timestomp/File creation time retroactively changed!" condition="contains">\Temp\</Image> <!--Mitre T1099--><!--Look for timestomping in temp folders-->
 		</FileCreateTime>
 
 		<FileCreateTime onmatch="exclude">

From b788031f6bac896c280bf444eda3594cce6e7ead Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 17 Jul 2018 22:12:04 -0400
Subject: [PATCH 325/471] Enable Alerting on more autoruns, and add
 MitreRef=T1209,Technique=Time Provider Keys,Tactic=Persistence

---
 sysmonconfig-export.xml | 33 +++++++++++++++++----------------
 1 file changed, 17 insertions(+), 16 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index af46d3b4..8a96dba8 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -2286,6 +2286,7 @@
 			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: Points to a service's EXE [ https://github.com/crypsisgroup/Splunkmon/blob/master/sysmon.cfg ] -->
 			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual)-->
 			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
+			<TargetObject name="MitreRef=T1209,Technique=Time Provider Keys,Tactic=Persistence,Alert=Detect Malicious Time Provider DLL" condition="begin with">HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\</TargetObject>
 			<TargetObject condition="contains">Session Manager\KnownDlls</TargetObject>
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</TargetObject> <!-- Print Monitor DLL's loaded at startup can be malicious, lets monitor those -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers</TargetObject> <!-- Print Provider DLL's loaded at startup can be malicious, lets monitor those -->
@@ -2296,22 +2297,22 @@
 			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
 			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
 			<TargetObject condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject> <!--Detect ACPI Rootkits -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject><!--Microsoft:Windows: Legacy Autorun may exist in server 2003-2008-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject> <!-- Windows Debugger Hijack Autorun -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">UserInitMprLogonScript</TargetObject> <!--Microsoft:Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject><!--Microsoft:Windows: Legacy Autorun may exist in server 2003-2008-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject> <!-- Windows Debugger Hijack Autorun -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="contains">UserInitMprLogonScript</TargetObject> <!--Microsoft:Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ] -->
 			<TargetObject condition="end with">\CurrentVersion\Font Drivers</TargetObject>
 			<TargetObject condition="contains">Active Setup\Installed Components</TargetObject>
 			<TargetObject condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>

From c40e20d0df167aa981f7cfaba1b8d21a1f9e8bee Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 13 Aug 2018 09:08:37 -0400
Subject: [PATCH 326/471] update installers

---
 Auto_Update.bat    | 2 +-
 Install Sysmon.bat | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Auto_Update.bat b/Auto_Update.bat
index 39d3b0cc..c7fe1299 100644
--- a/Auto_Update.bat
+++ b/Auto_Update.bat
@@ -1,5 +1,5 @@
 @echo on
 cd C:\ProgramData\sysmon\
-@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/develop/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
+@powershell (new-object System.Net.WebClient).DownloadFile('https://smartsync.omegapa.com/1/files/share/44/dev/omega-sysmon/sysmonconfig-export.xml/a0e2616fc58e1c','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
 sysmon64 -c sysmonconfig-export.xml
 exit
diff --git a/Install Sysmon.bat b/Install Sysmon.bat
index 5c0a7572..74e16906 100644
--- a/Install Sysmon.bat	
+++ b/Install Sysmon.bat	
@@ -17,7 +17,7 @@ pushd "C:\ProgramData\sysmon\"
 echo [+] Downloading Sysmon...
 @powershell (new-object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon64.exe','C:\ProgramData\sysmon\sysmon64.exe')"
 echo [+] Downloading Sysmon config...
-@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/develop/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
+@powershell (new-object System.Net.WebClient).DownloadFile('https://smartsync.omegapa.com/1/files/share/44/dev/omega-sysmon/sysmonconfig-export.xml/a0e2616fc58e1c','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
 @powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/develop/Auto_Update.bat','C:\ProgramData\sysmon\Auto_Update.bat')"
 sysmon64.exe -accepteula -i sysmonconfig-export.xml
 sc failure Sysmon64 actions= restart/10000/restart/10000// reset= 120

From 0b33e076e77b61b2f65c9572cd0f82336258ec89 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Mon, 13 Aug 2018 09:12:52 -0400
Subject: [PATCH 327/471] remove space

---
 sysmonconfig-export.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 8a96dba8..463a4c1a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -2982,7 +2982,6 @@
 		<!--EVENT 19: "WmiEventFilter activity detected"-->
 		<!--EVENT 20: "WmiEventConsumer activity detected"-->
 		<!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->
-
 		<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
 		<WmiEvent onmatch="exclude">
 		</WmiEvent>

From 75d53da3c9ece1171662c58f81fe6eafcc7f476e Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Wed, 15 Aug 2018 09:51:26 -0400
Subject: [PATCH 328/471] Push updates from @olafhartong for pipe events

---
 sysmonconfig-export.xml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 463a4c1a..1de16e03 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -2815,6 +2815,23 @@
 		<!--EVENT 18: "Pipe Connected"-->
 
 		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
+		<PipeEvent onmatch="include">
+	  	 	<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\isapi_http</PipeName><!-- Credits @Cyb3rops & @olafhartong-->
+			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\isapi_dg</PipeName><!-- Credits @Cyb3rops & @olafhartong-->
+			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\isapi_dg2</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\isapi_http</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\sdlrpc</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\ahexec</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\winsession</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\lsassw</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\46a676ab7f179e511e30dd2dc41bd388</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\9f81f59bc58452127884ce513865ed20</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\e710f28d59aa529d6792ca6ff0ca1b34</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\rpchlp_3</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\NamePipe_MoreWindows</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\pcheap_reuse</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName condition="contains">\</PipeName><!--Include Everything else to mark above rules-->
+		</PipeEvent>
 		<PipeEvent onmatch="exclude">
 		<!--COMMENT: Exclude known-good pipe users-->
 				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->

From d2f9872869faaf818acacb29cbfd7bbecc2f16d3 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 21 Aug 2018 01:41:02 -0400
Subject: [PATCH 329/471] Big update/alerting/cleanup etc

---
 sysmonconfig-export.xml | 716 ++++++++++++++++++++++++----------------
 1 file changed, 425 insertions(+), 291 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 1de16e03..cccf84fa 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -15,7 +15,7 @@
 
 <Sysmon schemaversion="4.10">
 	<!--SYSMON META CONFIG-->
-	<HashAlgorithms>md5,sha256</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
+	<HashAlgorithms>md5,imphash,sha256</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
 	<CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->
 
 	<!-- <ImageLoad/> --> <!-- Would manually force-on ImageLoad monitoring, even without configuration below. Included only documentation. -->
@@ -36,69 +36,71 @@
 			<ParentImage name="Alert=Unknown Process Execution" condition="contains">unknown process</ParentImage>
 			<Image name="Alert=Unknown Process Execution" condition="contains">unknown process</Image>
 			<Image name="MitreRef=T1117,Technique=Regsvr32-Defense Evasion/Execution" condition="end with">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
-			<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion" condition="end with">bitsadmin.exe</Image>
+			<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion,Alert=BitsAdmin File Transfers" condition="end with">bitsadmin.exe</Image>
 			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="end with">eventvwr.exe</ParentImage>
 			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="end with">fodhelper.exe</ParentImage>
-			<Image name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution" condition="end with">InstallUtil.exe</Image>
-			<CommandLine name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
-			<Image name="MitreRef=T1191,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">MSBuild.exe</Image>
-	        <Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">regsvcs.exe</Image>
-			<Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">regasm.exe</Image>
-			<Image name="MitreRef=T1218,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">SyncAppvPublishingServer.exe</Image>
-			<Image name="MitreRef=T1218,Technique=Defense Evasion/Execution" condition="end with">\control.exe</Image>
-	        <CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution" condition="contains">control.exe /name</CommandLine>
-			<CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
-			<Image name="MitreRef=T1170,Technique=MSHTA,Tactic=Defense Evasion/Execution" condition="end with">mshta.exe</Image>
+			<Image name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution,Alert=InstallUtil" condition="end with">InstallUtil.exe</Image>
+			<CommandLine name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution,Alert=InstallUtil" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
+			<Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">MSBuild.exe</Image>
+	        <Image name="MitreRef=T1121,Technique=Regsvcs/Regasm Bypass,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">regsvcs.exe</Image>
+			<Image name="MitreRef=T1121,Technique=Regsvcs/Regasm Bypass,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">regasm.exe</Image>
+			<Image name="MitreRef=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">SyncAppvPublishingServer.exe</Image>
+			<Image name="MitreRef=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion/Execution" condition="end with">\control.exe</Image>
+	        <CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution,Alert=Control Panel Execution" condition="contains">control.exe /name</CommandLine>
+			<CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution,Alert=Control Panel Execution" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
+			<Image name="MitreRef=T1170,Technique=MSHTA,Tactic=Defense Evasion/Execution,Alert=MSHTA Execution" condition="end with">mshta.exe</Image>
 			<Image name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion" condition="end with">wevutil.exe</Image>
-			<CommandLine name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion" condition="contains">wevutil cl</CommandLine>
+			<CommandLine name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion,Alert=Eventlog Removal Detected" condition="contains">wevutil cl</CommandLine>
 			<!--MITRE TACTIC: Discovery-->
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net user</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net  user</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe user</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe  user</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1.exe user</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1.exe  user</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net localgroup</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net  localgroup</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe localgroup</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe  localgroup</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1 localgroup</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1  localgroup</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net  group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net  group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe  group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net  group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe  group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1.exe group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1.exe  group</CommandLine>
-			<Image name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="end with">dsquery.exe</Image><!-- Query domain-->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,MitreURL= https://attack.mitre.org/wiki/Technique/T1049" condition="end with">whoami.exe</Image>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net user</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net  user</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe user</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe  user</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1 user</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1  user</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1.exe user</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1.exe  user</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net localgroup</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net  localgroup</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe localgroup</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe  localgroup</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1 localgroup</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1  localgroup</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net  group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net  group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe  group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net  group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe  group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1.exe group</CommandLine>
+			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="begin with">net1.exe  group</CommandLine>
+			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account Creation" condition="begin with">dsadd </CommandLine>
+			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account Creation" condition="begin with">dsmod </CommandLine>
+			<Image name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=DSQuery.EXE Discovery" condition="end with">dsquery.exe</Image><!-- Query domain-->
+			<Image name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsmod" condition="end with">dsmod.exe</Image><!-- Query domain-->
+			<Image name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsadd" condition="end with">dsadd.exe</Image><!-- Query domain-->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=Account Discovery,MitreURL= https://attack.mitre.org/wiki/Technique/T1049" condition="end with">whoami.exe</Image>
 			<Image name="MitreRef=T1049,Technique=Discovery,Tactic=Discovery" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
-			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
-			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
-			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="end with">\net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
-			<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="end with">\net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
-			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery" condition="end with">\route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
-			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">\reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows register -->
-			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
+			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery,Alert=Process Discovery" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
+			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery,Alert=System Information Discovery" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=System Network Connections Discovery" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
+			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery,Alert=Process Discovery" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=User enumeration/Discovery" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
+			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Alert=Network Configureation discovery with route.exe" condition="end with">\route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
+			<CommandLine name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery,Alert=System information discovery with reg.exe" condition="contains">reg query</CommandLine> <!--Microsoft:Windows: reads and modifies the Windows register -->
+			<CommandLine name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery,Alert=System information discovery with reg.exe" condition="contains">reg.exe query</CommandLine> <!--Microsoft:Windows: reads and modifies the Windows register -->
+			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=Network Connection Discovery with netsh" condition="end with">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
 			<!--MITRE TACTIC: Execution-->
-			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="contains">COMSPEC</CommandLine>
-			<ParentCommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="contains">COMSPEC</ParentCommandLine>
-			<Image name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">\cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
-			<ParentImage name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">\cmd.exe</ParentImage> <!--Microsoft:Windows: Command prompt-->
-			<Image name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
-			<Description name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</Description> <!--Microsoft:Windows: PowerShell interface-->
-			<ParentImage name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</ParentImage> <!--Microsoft:Windows: PowerShell interface-->
+			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution,Alert=Metasploit Detection" condition="contains">COMSPEC</CommandLine>
+			<ParentCommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution,Alert=Metasploit Detection" condition="contains">COMSPEC</ParentCommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="begin with">powershell.exe -Version</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
-			<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution,Note=Powershell Downgrade attack" condition="begin with">powershell -Version</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
+			<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="contains">powershell</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
+			<ParentCommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="contains">powershell</ParentCommandLine> <!--Microsoft:Windows: PowerShell interface-->
+			<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution,Alert=Powershell Downgrade attack" condition="begin with">powershell -Version</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">Invoke-Expression</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">iwr</CommandLine>
@@ -109,23 +111,20 @@
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.WebRequest</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.SecurityProtocolType</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=invoke-shellcode" condition="contains">Shellcode</CommandLine>
-			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
-			<ParentImage name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
-			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="end with">psexesvc.exe</ParentImage>
-			<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
-			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="end with">psexec.exe</ParentImage>
-			<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
-			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="end with">pskill.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">forfiles.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">forfiles.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Bash on Windows Execution" condition="end with">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
+			<ParentImage name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Bash on windows execution" condition="end with">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
+			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=Child Process of psexec" condition="end with">psexesvc.exe</ParentImage>
+			<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSexec Execution" condition="contains">Execute processes remotely</Description>
+			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSexec Execution" condition="end with">psexec.exe</ParentImage>
+			<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSexec Execution" condition="contains">Execute processes remotely</Description>
+			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSKill Execution" condition="end with">pskill.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="end with">forfiles.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect command execution child process" condition="end with">forfiles.exe</ParentImage>
 			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">pcalua.exe</Image>
 			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">pcalua.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">bash.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">bash.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">bash.exe</Image>
-			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="end with">wsmprovhost.exe</Image>
-			<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="end with">wsmprovhost.exe</ParentImage>
-			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="end with">winrm.cmd</Image>
+			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution,Alert=Windows Remote Management execution" condition="end with">wsmprovhost.exe</Image>
+			<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution,Alert=Windows Remote Management execution" condition="end with">wsmprovhost.exe</ParentImage>
+			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution,Alert=Windows Remote Management Execution" condition="end with">winrm.cmd</Image>
 			<!--MITRE TACTIC: Persistence-->
 			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation" condition="end with">sethc.exe</ParentImage>
 			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">utilman.exe</ParentImage>
@@ -134,27 +133,27 @@
 			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">DisplaySwitch.exe</ParentImage>
 			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">Narrator.exe</ParentImage>
 			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">AtBroker.exe</ParentImage>
-			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation" condition="end with">sdbinst.exe</Image>
-			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</Image>
-			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</ParentImage>
-			<CommandLine name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="contains">schtasks /create</CommandLine>
-			<CommandLine name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="contains">schtasks.exe /create</CommandLine>
-			<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">\at.exe</Image>
-			<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">\at.exe</ParentImage>
-			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement" condition="contains">System.Management.Automation</CommandLine>
-			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line" condition="contains">net user /add</CommandLine>
-			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Administrator added via Command Line" condition="contains">net localgroup administrators /add</CommandLine>
-			<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via Command Line" condition="contains">sc create</CommandLine>
-			<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via Command Line" condition="contains">sc.exe create</CommandLine>
-			<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via Command Line" condition="contains">new-service</CommandLine>
+			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation,Alert=Application Shimming" condition="end with">sdbinst.exe</Image>
+			<Image name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=Task Scheduler execution" condition="end with">schtasks.exe</Image>
+			<ParentImage name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=Child process from schtasks" condition="end with">schtasks.exe</ParentImage>
+			<CommandLine name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=schtasks task created" condition="contains">schtasks /create</CommandLine>
+			<CommandLine name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=schtasks task created" condition="contains">schtasks.exe /create</CommandLine>
+			<Image name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=at.exe Task scheduler execution" condition="end with">\at.exe</Image>
+			<ParentImage name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=at.exe Task scheduler execution" condition="end with">\at.exe</ParentImage>
+			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement,Alert=Powershell Injection persistence bypass" condition="contains">System.Management.Automation</CommandLine>
+			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=User added by Command line" condition="contains">net user /add</CommandLine>
+			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Administrator added via Command Line,Alert=Adminstrator added via command line" condition="contains">net localgroup administrators /add</CommandLine>
+			<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via Command Line,Alert=Service added via command line" condition="contains">sc create</CommandLine>
+			<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via Command Line,Alert=Service added via command line" condition="contains">sc.exe create</CommandLine>
+			<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via Command Line,Alert=Service added via command line" condition="contains">new-service</CommandLine>
 			<!--MITRE TACTIC: Lateral Movement-->
 			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement,Alert=Hacking" condition="end with">wmiprvse.exe</ParentImage>
-			<CommandLine name="MitreRef=T0000,Technique=Remote Desktop Shadow,Alert=Hacking/Remote Admin" condition="contains">/shadow</CommandLine>
-			<CommandLine name="MitreRef=T0000,Technique=Remote Desktop Shadow,Alert=Hacking/Remote Admin" condition="contains">/noConsentPrompt</CommandLine>
+			<CommandLine name="MitreRef=T0000,Technique=Remote Desktop Shadow,Alert=Hacking/Remote Admin,Alert=Remote Desktop Shadow Alert" condition="contains">/shadow</CommandLine>
+			<CommandLine name="MitreRef=T0000,Technique=Remote Desktop Shadow,Alert=Hacking/Remote Admin,Alert=Remote Desktop Shadow with no Consent alert" condition="contains">/noConsentPrompt</CommandLine>
 			<!--MITRE TECHNIQUE: Obfuscation-->
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">FromBase64String</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect Secure Strings" condition="contains">convertto-securestring</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect some more obfuscation" condition="contains">VerbosePreference.ToString</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect Secure Strings,Alert=Powershell Secure String creation" condition="contains">convertto-securestring</CommandLine>
+			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect some more obfuscation,Alert=Powershell Obfuscation with VerbosePreference" condition="contains">VerbosePreference.ToString</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">runtime.interopservices.marshal</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">VerbosePreference.ToString</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowstyle h</CommandLine>
@@ -182,27 +181,27 @@
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">C^om^S^pEc</CommandLine>
 			<!--Native Windows tools - Living off the land-->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeratio,MitreURL= https://capec.mitre.org/data/definitions/293.html" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
-			<Image name="MitreRef=T1134,Technique=Access Token Manipulation" condition="end with">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
-			<Image name="MitreRef=ToDo,Technique=" condition="end with">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
-			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
-			<Image name="MitreRef=T1158,Technique=Hacking/LOLBins-Living off the Land" condition="end with">attrib.exe</Image>
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">nltest.exe</Image>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">nltest.exe</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ExtExport</CommandLine>
+			<Image name="MitreRef=ToDo,Technique=,Alert=Process/Session/User Query with query.exe" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeration,Alert=Traceroute Enumeration,MitreURL= https://capec.mitre.org/data/definitions/293.html" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
+			<Image name="MitreRef=ToDo,Technique=,Alert=tree of directory structure disclosure" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
+			<Image name="MitreRef=T1134,Technique=Access Token Manipulation,Alert=Token Manipulation with runas.exe" condition="end with">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
+			<Image name="MitreRef=ToDo,Technique=,Alert=Command Line task kill" condition="end with">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
+			<Image name="MitreRef=ToDo,Technique=,Alert=Kerberos Ticket Disclosure with klist" condition="end with">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
+			<Image name="MitreRef=ToDo,Technique=,Alert=Kerberos Ticket Disclosure" condition="end with">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Possible driver load with odbcconf" condition="end with">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
+			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Program Compatibility bypass" condition="end with">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
+			<Image name="MitreRef=T1158,Technique=Hacking/LOLBins-Living off the Land,Alert=Attrib bypass" condition="end with">attrib.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Possible credential modification or disclosure with cmdkey" condition="end with">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,AlertNLTest=" condition="end with">nltest.exe</Image>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=NLTest" condition="contains">nltest.exe</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=" condition="contains">ExtExport</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">bash -c</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">bash.exe -c</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey /list</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey.exe /list</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=" condition="contains">cmdkey /list</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=" condition="contains">cmdkey.exe /list</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">certutil.exe -urlcache -split -f</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">certutil -urlcache -split -f</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc -out:</CommandLine>
+			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=csc compile output" condition="contains">csc -out:</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc.exe -out:</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc -target:library</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc.exe -target:library</CommandLine>
@@ -280,7 +279,7 @@
 			<!--Detect Output Redirection-->
 			<CommandLine name="Alert=Output Redirection" condition="contains">2></CommandLine>
 			<CommandLine name="Alert=Output Redirection" condition="contains">&lt;</CommandLine>
-			<CommandLine name="Alert=Output Redirection" condition="contains">></CommandLine>
+			<CommandLine name="Alert=Output Redirection" condition="contains">&gt;</CommandLine>
 			<CommandLine name="Alert=Output Redirection" condition="contains">^</CommandLine>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Multiple Commands-->
@@ -301,17 +300,17 @@
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">pssh</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">sdelete</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">shareenum</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">sekurlsa</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">reg SAVE</CommandLine>
+			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">sekurlsa</CommandLine>
+			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">reg SAVE</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DllInjection</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Shellcode</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-WmiCommand</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-GPPPassword</CommandLine>
+			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-GPPPassword</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Keystrokes</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-TimedScreenshot</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VaultCredential</CommandLine>
+			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VaultCredential</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-CredentialInjection</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">mimikatz</CommandLine>
+			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">mimikatz</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-NinjaCopy</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-TokenManipulation</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Out-Minidump</CommandLine>
@@ -353,7 +352,7 @@
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PowerShellWMI</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-Exfiltration</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-Persistence</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Do-Exfiltration</CommandLine>
+			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Do-Exfiltration</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Start-CaptureServer</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DllInjection</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ReflectivePEInjection</CommandLine>
@@ -389,25 +388,33 @@
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Install-SSP</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-BackdoorLNK</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerBreach</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-GPPPassword</CommandLine>
+			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-GPPPassword</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-SiteListPassword</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-System</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">BypassUAC</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Tater</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerUp</CommandLine>
+			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerUp</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerView</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-RickAstley</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Find-Fruit</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">HTTP-Login</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Find-TrustedDocuments</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Paranoia</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-WinEnum</CommandLine>
+			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-WinEnum</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ARPScan</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ReverseDNSLookup</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">smbscanner</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-FruityC2</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Stager</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">process call create</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">call set priority</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">call terminate</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events/WMIC product listing,Tactic=Privilege Escalation" condition="contains">product get name</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events/WMIC bios serial query,Tactic=Privilege Escalation" condition="contains">bios, get serialNumber</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events/WMIC query vmware,Tactic=Privilege Escalation" condition="contains">onboarddevice get</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events/WMIC User Modifications,Tactic=Privilege Escalation" condition="contains">useraccount where name</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events/WMIC Eventlog modifications,Tactic=Privilege Escalation" condition="contains">nteventlog where filename</CommandLine>
+			<CommandLine name="Alert=Hacking Command Line events/WMIC Eventlog modifications,Tactic=Privilege Escalation" condition="contains">cleareventlog</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">root\\default</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">FilterToConsumerBinding</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">root\\subscription</CommandLine>
@@ -418,9 +425,9 @@
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Wmiclass</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">WmiCl'+'as'+'s</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">ntdsutil</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">mimiauth</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Powersploit</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Mimikittenz</CommandLine>
+			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">mimiauth</CommandLine>
+			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Powersploit</CommandLine>
+			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Mimikittenz</CommandLine>
 			<!--Malicious Keywords Credits: Sean Metcalf (source), Florian Roth (rule)-->
 			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">AdjustTokenPrivileges</CommandLine>
 			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">IMAGE_NT_OPTIONAL_HDR64_MAGIC</CommandLine>
@@ -453,7 +460,7 @@
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">^h^t^t^p</CommandLine>
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">h"t"t"p</CommandLine>
 			<!--Suspicious Windows tools-->
-			<Image name="MitreRef=T1001,Technique=Signed Script Proxy Execution,Tactic=Defense Evasion/Execution" condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
+			<CommandLine name="MitreRef=T1216,Technique=Signed Script Proxy Execution,Tactic=Defense Evasion/Execution" condition="contains">script:http</CommandLine> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
 			<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
 			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
@@ -464,11 +471,11 @@
 			<Image name="Alert=Psexec Utilities" condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
 			<Image name="Alert=PsKill Command" condition="contains">pskill</Image><!--Detect pskill-->
 			<Image name="Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image><!--Detect PsShutdown-->
-			<Image condition="contains">psservice</Image><!--Detect PsService-->
-			<Image condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
+			<Image name="Alert=Sysinternals PSService" condition="contains">psservice</Image><!--Detect PsService-->
+			<Image name="Alert=Sysinternals PsPasswd" condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
 			<Image name="Alert=MSBuild Applocker bypass" condition="image">msbuild.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
-			<Image name="Alert=MSI Installer Launched" condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
-			<Image name="Alert=Remote Desktop" condition="image">mstsc.exe</Image><!-- Remote Desktop -->
+			<Image name="Note=MSI Installer Launched" condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
+			<Image name="Note=Remote Desktop" condition="image">mstsc.exe</Image><!-- Remote Desktop -->
 			<Image name="Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image><!-- Telnet -->
 			<Image condition="image">SyncAppvPublishingServer.exe</Image><!--Mitre T1218-->
 			<Image condition="image">Mavinject.exe</Image><!--Mitre T1218-->
@@ -477,20 +484,20 @@
 			<Image name="Alert=Secure Shell Execution" condition="image">kitty.exe</Image><!-- SSH -->
 			<Image name="Alert=Secure Shell Execution" condition="image">kitty_portable.exe</Image><!-- SSH -->
 			<Image name="Alert=Secure Shell FTP Execution" condition="image">psftp.exe</Image><!-- SFTP -->
-			<Image condition="image">tftp.exe</Image><!-- TFTP -->
-			<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
+			<Image name="Alert=TFTP Execution" condition="image">tftp.exe</Image><!-- TFTP -->
+			<Image name="Note=WMI Querying" condition="image">wmic.exe</Image><!-- wmic /node logging -->
 			<Image condition="image">nbtstat.exe</Image><!-- Netbios stat-->
-			<Image condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
+			<Image name="Alert=Driver Querying" condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
 			<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
 			<Image condition="image">sc.exe</Image><!-- Service Control Manager-->
 			<Image condition="image">auditpol.exe</Image><!-- Auditpol-->
 			<Image condition="image">qwinsta.exe</Image><!-- Query Remote Sessions-->
 			<Image condition="image">rwinsta.exe</Image><!-- Reset Remote Sessions-->
-			<Image condition="image">curl.exe</Image>
-			<Image condition="image">wget.exe</Image>
-			<Image condition="image">www.exe</Image>
-			<Image condition="image">awk.exe</Image>
-			<Image condition="image">sed.exe</Image>
+			<Image name="Alert=Linux tools installed on windows" condition="image">curl.exe</Image>
+			<Image name="Alert=Linux tools installed on windows" condition="image">wget.exe</Image>
+			<Image name="Alert=Linux tools installed on windows" condition="image">www.exe</Image>
+			<Image name="Alert=Linux tools installed on windows" condition="image">awk.exe</Image>
+			<Image name="Alert=Linux tools installed on windows" condition="image">sed.exe</Image>
 			<!--SECTION: Crypto Currency Miners-->
 			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">stratum+tcp</CommandLine>
 			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">coinhive</CommandLine>
@@ -538,6 +545,14 @@
 			<!--Include Everything last to allow rules to apply and to allow previous exclude ruleset to function-->
 			<CommandLine name="Note=Windows Firewall Modifications" condition="contains">netsh advfirewall firewall</CommandLine>
 			<Image condition="contains">\</Image>
+			<CommandLine name="Alert=Windows Defender Disabled" condition="contains">DisableRealtimeMonitoring </CommandLine>
+			<CommandLine name="Alert=Ramnit Banker Malware!" condition="contains">--disable-http2 --disable-quic</CommandLine>
+			<Hashes name="Alert=Ramnit Banker Malware!" condition="contains">291ff87948e45914424cec9510c297da</Hashes><!--Ramnit Banker Malware: https://www.virustotal.com/#/file/7f054300fa64e7bcdec7f5538876e6008d6164f21ff21c6375e36dfe04a63412/details-->
+			<Hashes name="Alert=Ramnit Banker Malware!" condition="contains">304772c80b157a916c7041f2f15939fb</Hashes><!--Ramnit Banker Malware: https://www.virustotal.com/#/file/7f054300fa64e7bcdec7f5538876e6008d6164f21ff21c6375e36dfe04a63412/details-->
+			<Hashes name="Alert=Docusign Spam/Phishing!" condition="contains">5E022694C0DBD1FBBC263D608E577949</Hashes><!--Docusign Spam:https://www.vkremez.com/2018/03/malware-spam-internals-docusign-spam.html -->
+			<Hashes name="Alert=Gootkit Banker Malware!" condition="contains">71345b139166482acaa568ac8816c7bc</Hashes><!--Malware Traffic Internals: BlackTDS Leads to Gootkit Banking Malware Distribution: https://www.vkremez.com/2018/03/3-29-2018-malware-traffic-internals.html-->
+			<Hashes name="Alert=Gootkit Banker Malware!" condition="contains">1b60021baedc3f9201bcdb40e9b87f62</Hashes><!--Malware Traffic Internals: BlackTDS Leads to Gootkit Banking Malware Distribution: https://www.vkremez.com/2018/03/3-29-2018-malware-traffic-internals.html-->
+			<Hashes name="Alert=Gootkit Banker Malware!" condition="contains">c7c8d584758854bbe0d8e64ef53ae1a8</Hashes><!--Malware Traffic Internals: BlackTDS Leads to Gootkit Banking Malware Distribution: https://www.vkremez.com/2018/03/3-29-2018-malware-traffic-internals.html-->
 		</ProcessCreate>
 		<ProcessCreate onmatch="exclude">
 			<!--SECTION: Microsoft Windows-->
@@ -685,6 +700,9 @@
 			<!--SECTION: Adobe-->
 			<CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!--Adobe:AcrobatReader: Uninsteresting sandbox subprocess-->
 			<CommandLine condition="contains">AcroRd32.exe" --channel=</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
+			<CommandLine condition="contains">"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /id</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
+			<CommandLine condition="contains">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /ac /id</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
+			<ParentCommandLine condition="contains">"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id</ParentCommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
 			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
 			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
 			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
@@ -922,35 +940,36 @@
 		<NetworkConnect onmatch="include">
 			<!--Suspicious sources for network-connecting binaries-->
 			<Image condition="begin with">C:\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
-			<Image condition="contains">\temp\</Image> <!--Network Connection in Temp Directories-->
-			<Image condition="contains">$RECYCLE.BIN</Image> <!--Network Connection in Temp Directories-->
+			<Image name="Alert=Temp file location network connection,suspicious_net_event=True" condition="contains">\temp\</Image> <!--Network Connection in Temp Directories-->
+			<Image name="Alert=Network connection in Recycle Bin,suspicious_net_event=True" condition="contains">$RECYCLE.BIN</Image> <!--Network Connection in Temp Directories-->
 			<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
 			<Image condition="begin with">C:\Perflogs\</Image>
 			<Image condition="contains">config\systemprofile\</Image>
 			<Image condition="contains">\Windows\Fonts\</Image>
 			<Image condition="contains">\Windows\IME\</Image>
-			<Image condition="contains">\Windows\addins\</Image>
+			<Image name="Alert=Network connection in addins,suspicious_net_event=True" condition="contains">\Windows\addins\</Image>
 			<Image condition="contains">chrome.exe</Image>
 			<Image condition="contains">iexplore.exe</Image>
 			<Image condition="contains">firefox.exe</Image>
 			<Image condition="contains">MicrosoftEdgeCP.exe</Image>
 			<Image condition="contains">MicrosoftEdge.exe</Image>
 			<Image condition="contains">explorer.exe</Image>
-			<!--<Image name="Alert=Non-Exe Connecting to network" condition="excludes">.exe</Image>-->
-			<Image name="Alert=Unknown Process Connecting to network" condition="contains">unknown process</Image>
+			<!--<Image name="Info=Non-Exe Connecting to network" condition="excludes">.exe</Image>-->
+			<Image name="Info=Unknown Process Connecting to network" condition="contains">unknown process</Image>
 			<!--Suspicious Windows tools-->
-			<Image condition="image">at.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
-			<Image condition="image">certutil.exe</Image> <!--Microsoft:Windows: Certificate tool can contact outbound | Credit @ion-storm and @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->
-			<Image condition="image">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
-			<Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
-			<Image condition="image">wscript.exe</Image><Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
+			<Image name="Alert=AT.EXE Task Scheduler Network Connection,suspicious_net_event=True" condition="image">at.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
+			<Image name="Alert=SCHTasks.exe Task Scheduler Network Connection,suspicious_net_event=True" condition="image">schtasks.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
+			<Image name="Alert=Certutil Connecting to network,suspicious_net_event=True" condition="image">certutil.exe</Image> <!--Microsoft:Windows: Certificate tool can contact outbound | Credit @ion-storm and @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->
+			<Image name="Alert=CMD Prompt network Connection,suspicious_net_event=True" condition="image">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
+			<Image name="Alert=Cscript network Connection,suspicious_net_event=True" condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
+			<Image name="Alert=WSCRIPT Network connection,suspicious_net_event=True" condition="image">wscript.exe</Image><Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
 			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
 			<Image condition="image">regsvcs.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ] -->
 			<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Windows Services hidden by Svchost.exe, BITS File Transfer program-->
-			<Image condition="image">mshta.exe</Image>
-			<Image condition="image">powershell.exe</Image> <!--Microsoft:WindowsPowerShell: | Credit @Cyb3rOps -->
+			<Image name="Alert=MSHTA Network Connection,suspicious_net_event=True" condition="image">mshta.exe</Image>
+			<Image name="Info=Powershell Network Connection,suspicious_net_event=True" condition="image">powershell.exe</Image> <!--Microsoft:WindowsPowerShell: | Credit @Cyb3rOps -->
 			<Image condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
 			<Image condition="contains">pskill</Image><!--Detect pskill-->
 			<Image condition="contains">psshutdown</Image><!--Detect PsShutdown-->
@@ -959,49 +978,74 @@
 			<Image condition="image">java.exe</Image>
 			<Image condition="image">msbuild.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
 			<Image condition="image">installutil.exe</Image>
-			<Image condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
-			<Image condition="image">reg.exe</Image><!-- Remote Registry -->
+			<Image name="Alert=MSIExec Network connection,suspicious_net_event=True" condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
+			<Image name="Alert=REG.EXE Network Connection,suspicious_net_event=True" condition="image">reg.exe</Image><!-- Remote Registry -->
 			<Image condition="image">mstsc.exe</Image><!-- Remote Desktop -->
-			<Image condition="image">telnet.exe</Image><!-- Telnet -->
+			<Image name="Alert=Telnet Connection,suspicious_net_event=True" condition="image">telnet.exe</Image><!-- Telnet -->
 			<Image condition="image">SyncAppvPublishingServer.exe</Image><!--Mitre T1218-->
 			<Image condition="image">Mavinject.exe</Image><!--Mitre T1218-->
-			<Image condition="image">ssh.exe</Image><!-- SSH -->
-			<Image condition="image">putty.exe</Image><!-- SSH -->
-			<Image condition="image">kitty.exe</Image><!-- SSH -->
-			<Image condition="image">kitty_portable.exe</Image><!-- SSH -->
-			<Image condition="image">psftp.exe</Image><!-- SFTP -->
-			<Image condition="image">tftp.exe</Image><!-- TFTP -->
+			<Image name="Alert=SSH Connection with ssh.exe,suspicious_net_event=True" condition="image">ssh.exe</Image><!-- SSH -->
+			<Image name="Alert=SSH Connection with Putty,suspicious_net_event=True" condition="image">putty.exe</Image><!-- SSH -->
+			<Image name="Alert=SSH Connection with Kitty,suspicious_net_event=True" condition="image">kitty.exe</Image><!-- SSH -->
+			<Image name="Alert=SSH Connection with Kitty,suspicious_net_event=True" condition="image">kitty_portable.exe</Image><!-- SSH -->
+			<Image name="Alert=PSFTP Connection" condition="image">psftp.exe</Image><!-- SFTP -->
+			<Image name="Alert=PSFTP Connection" condition="image">tftp.exe</Image><!-- TFTP -->
 			<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
 			<Image condition="image">net.exe</Image><!-- net use/net view-->
-			<Image condition="image">nbtstat.exe</Image><!-- Netbios stat-->
+			<Image name="Alert=NBTSTAT Query" condition="image">nbtstat.exe</Image><!-- Netbios stat-->
 			<Image condition="image">dsquery.exe</Image><!-- Query domain-->
 			<Image condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
 			<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
-			<Image condition="image">sc.exe</Image><!-- Service Control Manager-->
+			<Image name="Alert=SC.exe Network Connection,suspicious_net_event=True" condition="image">sc.exe</Image><!-- Service Control Manager-->
 			<Image condition="image">auditpol.exe</Image><!-- Auditpol-->
-			<Image condition="image">qwinsta.exe</Image><!-- Query Remote Sessions-->
+			<Image name="Alert=User enumeration,suspicious_net_event=True" condition="image">qwinsta.exe</Image><!-- Query Remote Sessions-->
 			<Image condition="image">rwinsta.exe</Image><!-- Reset Remote Sessions-->
 			<!--Tor-->
-			<Image condition="image">tor.exe</Image><!-- Tor-->
+			<Image name="Alert=Tor Connection" condition="image">tor.exe</Image>
+			<DestinationIp name="Alert=Tor Connection" condition="is">185.41.154.130</DestinationIp>
+			<DestinationIp name="Alert=Tor Connection" condition="is">37.252.190.176</DestinationIp>
+			<DestinationIp name="Alert=Tor Connection" condition="is">82.118.17.235</DestinationIp>
+			<DestinationIp name="Alert=Tor Connection" condition="is">83.163.164.15</DestinationIp>
+			<DestinationIp name="Alert=Tor Connection" condition="is">69.163.34.173</DestinationIp>
+			<DestinationIp name="Alert=Tor Connection" condition="is">159.89.151.231</DestinationIp>
+			<DestinationIp name="Alert=Tor Connection" condition="is">212.47.246.229</DestinationIp>
+			<DestinationIp name="Alert=Tor Connection" condition="is">84.40.112.70</DestinationIp>
+			<DestinationIp name="Alert=Tor Connection" condition="is">2.137.16.245</DestinationIp>
+			<DestinationIp name="Alert=Tor Connection" condition="is">199.249.223.62</DestinationIp>
+			<DestinationIp name="Alert=Tor Connection" condition="is">185.22.172.237</DestinationIp>
+			<DestinationIp name="Alert=Tor Connection" condition="is">88.99.216.194</DestinationIp>
+			<DestinationIp name="Alert=Tor Connection" condition="is">185.13.39.197</DestinationIp>
+			<DestinationIp name="Alert=Tor Connection" condition="is">162.247.72.201</DestinationIp>
+			<DestinationIp name="Alert=Tor Connection" condition="is">174.127.217.73</DestinationIp>
+			<!-- Tor-->
 			<!--Hack tools hosting-->
-			<DestinationHostname condition="contains">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
-			<DestinationHostname condition="contains">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
+			<DestinationHostname name="Alert=Connection to Github,suspicious_net_event=True" condition="contains">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
+			<DestinationHostname name="Alert=Connection to Github,suspicious_net_event=True" condition="contains">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
 			<!--Suspicious destinations-->
-			<DestinationHostname condition="contains">api.ipify.org</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="contains">whatismyipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="contains">edns.ip-api.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="contains">checkip.dyndns.org</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="contains">icanhazip.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="contains">ifconfig.me</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="contains">ifconfig.co</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="contains">ipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="contains">ipinfo.io</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname condition="contains">goo.gl</DestinationHostname>
-			<DestinationHostname condition="contains">git.io</DestinationHostname>
-			<DestinationHostname condition="contains">bit.ly</DestinationHostname>
-			<DestinationHostname condition="contains">t.co</DestinationHostname>
-			<DestinationHostname condition="contains">ow.ly</DestinationHostname>
-			<DestinationHostname condition="contains">ip-api.com</DestinationHostname> <!--Ransomware using ip-api for geolocation tracking-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">api.ipify.org</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">whatismyipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">edns.ip-api.com</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">checkip.dyndns.org</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">icanhazip.com</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ifconfig.me</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ifconfig.co</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ipinfo.io</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ident.me</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">api.ip.sb</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">www.myexternalip.com</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ip.anysrc.net</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">wtfismyip.com</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">myexternalip.com</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">api.ip.sb</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ipecho.net</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">checkip.amazonaws.com</DestinationHostname> <!--Malware uses to get external IP address-->
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">goo.gl</DestinationHostname>
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">git.io</DestinationHostname>
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">bit.ly</DestinationHostname>
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">t.co</DestinationHostname>
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ow.ly</DestinationHostname>
+			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ip-api.com</DestinationHostname> <!--Ransomware using ip-api for geolocation tracking-->
 			<!--Dynamic DNS Providers-->
 			<DestinationHostname condition="contains">dlinkddns.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
 			<DestinationHostname condition="contains">no-ip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
@@ -1109,71 +1153,71 @@
 			<!--<DestinationPort condition="is">445</DestinationPort> SMB Port: Removed because of noise-->
 			<DestinationPort name="Service=VNC" condition="is">5800</DestinationPort>
 			<DestinationPort name="Service=VNC" condition="is">5900</DestinationPort>
-			<DestinationPort name="Service=OpenVPN" condition="is">1194</DestinationPort>
-			<DestinationPort name="Service=L2TP" condition="is">1701</DestinationPort>
-			<DestinationPort name="Service=TOR" condition="is">1723</DestinationPort>
+			<DestinationPort name="Service=OpenVPN,suspicious_net_event=True" condition="is">1194</DestinationPort>
+			<DestinationPort name="Service=L2TP,suspicious_net_event=True" condition="is">1701</DestinationPort>
+			<DestinationPort name="Service=TOR,suspicious_net_event=True" condition="is">1723</DestinationPort>
 			<DestinationPort name="Service=IPSec" condition="is">1293</DestinationPort>
-			<DestinationPort name="Service=Tor" condition="is">4500</DestinationPort>
+			<DestinationPort name="Service=Tor,suspicious_net_event=True" condition="is">4500</DestinationPort>
 			<DestinationPort name="Service=Socks Proxy Port" condition="is">1080</DestinationPort>
 			<DestinationPort name="Service=Socks Proxy Port" condition="is">8080</DestinationPort>
 			<DestinationPort name="Service=Socks Proxy Port" condition="is">3128</DestinationPort>
-			<DestinationPort name="Service=Tor" condition="is">9001</DestinationPort>
-			<DestinationPort name="Service=Tor" condition="is">9030</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">4443</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">2448</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">8143</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">1777</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">1443</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">243</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">65535</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">13506</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">3360</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">200</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">198</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">49180</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">13507</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">3360</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">6625</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">4444</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">4438</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">1904</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">13505</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">13504</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">12102</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">9631</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">5445</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">2443</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">777</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">13394</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">13145</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">12103</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">5552</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">3939</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">3675</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">666</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">473</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">5649</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">4455</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">4433</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">1817</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">100</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">65520</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">1960</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">1515</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">743</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">700</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">14154</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">14103</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">14102</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">12322</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">10101</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">7210</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">4040</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">9943</DestinationPort>
+			<DestinationPort name="Service=Tor,suspicious_net_event=True" condition="is">9001</DestinationPort>
+			<DestinationPort name="Service=Tor,suspicious_net_event=True" condition="is">9030</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4443</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">2448</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">8143</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1777</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1443</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">243</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">65535</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13506</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">3360</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">200</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">198</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">49180</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13507</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">3360</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">6625</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4444</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4438</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1904</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13505</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13504</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">12102</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">9631</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">5445</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">2443</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">777</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13394</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13145</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">12103</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">5552</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">3939</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">3675</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">666</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">473</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">5649</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4455</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4433</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1817</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">100</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">65520</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1960</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1515</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">743</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">700</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">14154</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">14103</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">14102</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">12322</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">10101</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">7210</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4040</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">9943</DestinationPort>
 			<!--Ports: Threats-->
-			<DestinationPort name="Note=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:7777" condition="is">7777</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:9943" condition="is">9943</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:666" condition="is">666</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:7777,suspicious_net_event=True" condition="is">7777</DestinationPort>
+			<DestinationPort name="Info=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:9943,suspicious_net_event=True" condition="is">9943</DestinationPort>
+			<DestinationPort name="Note=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:666,suspicious_net_event=True" condition="is">666</DestinationPort>
 		</NetworkConnect>
 		<NetworkConnect onmatch="exclude">
 			<!--SECTION: Microsoft -->
@@ -1185,6 +1229,88 @@
 			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe</Image>
 			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe</Image>
 			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe</Image>
+			<!--Ignore Microsoft Connections-->
+			<!--Microsoft Net Connections-->
+			<!--Microsoft ASN IP Block-->
+			<DestinationHostname condition="end with">aps.windows.com</DestinationHostname>
+			<DestinationHostname condition="end with">arc.msn.com</DestinationHostname>
+			<DestinationHostname condition="end with">arc.msn.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">atson.telemetry.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">au.download.windowsupdate.com</DestinationHostname>
+			<DestinationHostname condition="end with">b.akamaiedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">bing.com</DestinationHostname>
+			<DestinationHostname condition="end with">cdn.onenote.net</DestinationHostname>
+			<DestinationHostname condition="end with">client-office365-tas.msedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">config.edge.skype.com</DestinationHostname>
+			<DestinationHostname condition="end with">csp.digicert.com</DestinationHostname>
+			<DestinationHostname condition="end with">ctldl.windowsupdate.com</DestinationHostname>
+			<DestinationHostname condition="end with">cy2.licensing.md.mp.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">cy2.settings.data.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">displaycatalog.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">download.windowsupdate.com</DestinationHostname>
+			<DestinationHostname condition="end with">e3.delivery.dsp.mp.microsoft.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">e-msedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">emdl.ws.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">ettings-win.data.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">fe2.update.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">fe3.delivery.dsp.mp.microsoft.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">fe3.delivery.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">g.akamaiedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">g.live.com</DestinationHostname>
+			<DestinationHostname condition="end with">g.msn.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">geo-prod.do.dsp.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">geo-prod.dodsp.mp.microsoft.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">ile-service.weather.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">ip5.afdorigin-prod-am02.afdogw.com</DestinationHostname>
+			<DestinationHostname condition="end with">ipv4.login.msa.akadns6.net</DestinationHostname>
+			<DestinationHostname condition="end with">licensing.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">m3p.wns.notify.windows.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">modern.watson.data.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">msn.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">ocation-inference-westus.cloudapp.net</DestinationHostname>
+			<DestinationHostname condition="end with">ocos-office365-s2s.msedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">ocsp.digicert.com</DestinationHostname>
+			<DestinationHostname condition="end with">odern.watson.data.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">oneclient.sfx.ms</DestinationHostname>
+			<DestinationHostname condition="end with">pv4.login.msa.akadns6.net</DestinationHostname>
+			<DestinationHostname condition="end with">query.prod.cms.rt.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">ris.api.iris.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">ris.api.iris.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">s-msedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">settings.data.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">sfe.trafficshaping.dsp.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">sls.update.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">storecatalogrevocation.storequality.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">storeedgefd.dsx.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">telecommand.telemetry.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">tile-service.weather.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">tlu.dl.delivery.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">tsfe.trafficshaping.dsp.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">vip5.afdorigin-prod-am02.afdogw.com</DestinationHostname>
+			<DestinationHostname condition="end with">vip5.afdorigin-prod-ch02.afdogw.com</DestinationHostname>
+			<DestinationHostname condition="end with">windowsupdate.com</DestinationHostname>
+			<DestinationHostname condition="end with">y2.displaycatalog.md.mp.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">y2.licensing.md.mp.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">y2.settings.data.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">msedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">windows.net</DestinationHostname>
+			<DestinationHostname condition="end with">msn.com</DestinationHostname>
+			<DestinationHostname condition="end with">virtualearth.net</DestinationHostname>
+			<DestinationHostname condition="end with">bingforbusiness.com</DestinationHostname>
+			<DestinationHostname condition="end with">outlook.com</DestinationHostname>
+			<DestinationHostname condition="end with">lync.com</DestinationHostname>
+			<DestinationHostname condition="end with">cloudapp.net</DestinationHostname>
+			<DestinationHostname condition="end with">microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">ec2-34-204-73-148.compute-1.amazonaws.com</DestinationHostname>
+			<DestinationHostname condition="end with">ec2-52-201-35-219.compute-1.amazonaws.com</DestinationHostname>
+			<DestinationHostname condition="end with">ec2-34-230-137-236.compute-1.amazonaws.com</DestinationHostname>
+			<DestinationHostname condition="end with">ec2-52-45-9-47.compute-1.amazonaws.com</DestinationHostname>
+			<DestinationHostname condition="end with">ec2-52-71-74-246.compute-1.amazonaws.com</DestinationHostname>
+			<DestinationHostname condition="end with">ec2-54-89-54-171.compute-1.amazonaws.com</DestinationHostname>
+			<DestinationHostname condition="end with">eset.com</DestinationHostname>
+			<DestinationHostname condition="end with">n-able.com</DestinationHostname>
+			<DestinationHostname condition="end with">www.agentexchange.com</DestinationHostname>
+			<DestinationHostname condition="end with">map2.hwcdn.net</DestinationHostname>
 			<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
 			<DestinationIsIpv6 condition="is">true </DestinationIsIpv6> <!-- IPv6 Exclusion: Re-Enable if you use ipv6 -->
 			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
@@ -1222,16 +1348,33 @@
 			<DestinationPort condition="is">5357</DestinationPort> <!--WSD API noise-->
 			<DestinationPort condition="is">3544</DestinationPort> <!--Teredo-->
 			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
+			<SourcePort condition="is">3702</SourcePort> <!--Windows: WS-Discovery noise-->
 			<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
-			<Image condition="is">C:\Program Files (x86)\SmartGit\jre\bin\java.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image>
+			<DestinationPort condition="is">53</DestinationPort>   <!--DNS Lookups-->
+			<SourcePort condition="is">53</SourcePort>  <!--DNS Lookups-->
+			<SourcePort condition="is">67</SourcePort>  <!--Bootp Lookups-->
+			<DestinationPort condition="is">67</DestinationPort>  <!--Bootp Lookups-->
+			<SourcePort condition="is">1812</SourcePort> <!--Radius-->
+			<DestinationPort condition="is">1812</DestinationPort> <!--Radius-->
+			<SourcePort condition="is">49154</SourcePort>  <!--DFRS/ADFS Replication spam-->
+			<DestinationPort condition="is">49154</DestinationPort>  <!--DFRS/ADFS Replication spam-->
+			<SourcePort condition="is">59241</SourcePort>  <!--DFRS/ADFS Replication spam-->
+			<DestinationPort condition="is">59241</DestinationPort>  <!--DFRS/ADFS Replication spam-->
+			<SourcePort condition="is">52176</SourcePort>  <!--DFRS/ADFS Replication spam-->
+			<DestinationPort condition="is">52176</DestinationPort>  <!--DFRS/ADFS Replication spam-->
+			<SourcePort condition="is">49209</SourcePort>  <!--DFRS/ADFS Replication spam-->
+			<DestinationPort condition="is">49209</DestinationPort>  <!--DFRS/ADFS Replication spam-->
+			<SourcePort condition="is">6007</SourcePort>  <!--Exchange WMI Spam-->
+			<DestinationPort condition="is">6007</DestinationPort>  <!--Exchange WMI Spam-->
+			<Image condition="end with">C:\Program Files (x86)\SmartGit\jre\bin\java.exe</Image>
+			<Image condition="end with">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image>
 			<Image condition="end with">penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
 			<DestinationHostname condition="begin with">efolder01</DestinationHostname> <!-- eFolder Noise -->
 			<DestinationPort condition="is">2080</DestinationPort><!--eFolder Noise -->
 			<Image condition="end with">g2mcomm.exe</Image> <!-- gotomeeting noise -->
-			<Image condition="is">C:\Program Files (x86)\LabTech Client\LTClient.exe</Image>
-			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
+			<Image condition="end with">C:\Program Files (x86)\LabTech Client\LTClient.exe</Image>
+			<Image condition="end with">C:\Windows\LTSvc\LTSVC.exe</Image>
+			<Image condition="end with">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
 			<Image condition="begin with">C:\Program Files (x86)\SmartGit\</Image>
 			<Image condition="end with">DSPro\Programs\pr001Celery98.exe</Image>
 			<Image condition="image">g2ax_comm_expert.exe</Image> <!--GoToMeeting-->
@@ -1308,6 +1451,7 @@
 			<ImageLoaded condition="contains">\Temp\</ImageLoaded>
 			<ImageLoaded name="MitreRef=T1128,Technique=Netsh Helper Beacon DLL,Tactic=Persistence,Alert=Cobalt Strike Netsh Helper Beacon" condition="contains">NetshHelperBeacon</ImageLoaded>
 			<Image name="MitreRef=T1128,Technique=Netsh Helper Beacon DLL,Tactic=Persistence" condition="contains">netsh.exe</Image>
+			<ImageLoaded name="Alert=Ramnit Banker Malware!" condition="contains">rmnsoft.dll</ImageLoaded>
 		</ImageLoad>
 		<ImageLoad onmatch="exclude">
 			<SignatureStatus condition="is">Valid</SignatureStatus>
@@ -1399,7 +1543,7 @@
 
 		<!--DATA: RuleName, UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
 		<CreateRemoteThread onmatch="include">
-			<StartFunction name="MitreRef=T1055,Technique=DLL Injection via LoadLibrary API Call,Tactic=Defense Evasion" condition="contains">LoadLibrary</StartFunction>
+			<StartFunction name="MitreRef=T1055,Technique=DLL Injection via LoadLibrary API Call,Tactic=Defense Evasion,Alert=DLL Injection via LoadLibrary API Call" condition="contains">LoadLibrary</StartFunction>
 			<SourceImage condition="contains">\</SourceImage>
 		</CreateRemoteThread>
 		<CreateRemoteThread onmatch="exclude">
@@ -1461,7 +1605,6 @@
 			PROCESS_VM_WRITE (0x0020)
 			PROCESS_VM_READ (0x0010)
 			PROCESS_VM_OPERATION (0x0008)
-          
 			0x1410 (potential memory read) is common activity. E.g. by taskmgr.exe. We only want to capture this against lsass.exe and winlogon.exe, but this logic is in the subscription.
 			-->
 			<GrantedAccess condition="is">0x40</GrantedAccess>
@@ -1472,7 +1615,6 @@
 			<GrantedAccess condition="is">0x3200</GrantedAccess>
 			<GrantedAccess condition="is">0x101400</GrantedAccess>
 			<GrantedAccess condition="is">0x101001</GrantedAccess>
-			
 			<!-- These binaries appear to access lsass legitimately -->
 			<SourceImage condition="is">C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
 			<SourceImage condition="begin with">C:\ProgramData\Microsoft\Windows Defender\platform\</SourceImage>
@@ -1654,11 +1796,7 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_decrypt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_restore</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.CRAB</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">cerber</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_decrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">-decrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt-</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt_</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.cerber</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_decrypt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_restore_files</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_YOUR_FILES</TargetFilename>
@@ -1773,7 +1911,7 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">wowwhereismyfiles</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decryptional</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">wowreadfordecryp</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HERMES</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.HERMES</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_DECRYPT_INFO_szesnl</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">000-IF-YOU-WANT-DEC-FILES</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.evillock</TargetFilename>
@@ -1800,7 +1938,7 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WE-MUST-DEC-FILES</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">powerfulldecrypt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">opensourcemail.org</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">contains(to_string($message.file_created), "READ_ME_TO_DECRYPT_YOU_INFORMA</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ_ME_TO_DECRYPT_YOU_INFORMA</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">file0locked</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">CryptoRansomware</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.VBRANSOM</TargetFilename>
@@ -1824,7 +1962,7 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.firecrypt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES_ARE_DEAD</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.airacropencrypted!</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">mail.ru</TargetFilename>
+			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">@mail.ru</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WHERE-YOUR-FILES</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Whereisyourfiles</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">india.com</TargetFilename>
@@ -1858,7 +1996,6 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Important!.txt</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!_HOW_TO_RESTORE_</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_RESTORE_FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_README_</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RECOVER_FILES_</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_RESTORE_FILES_</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ThxForYurTyme</TargetFilename>
@@ -2026,7 +2163,6 @@
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">files_are_encrypted.</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decryptmyfiles</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_instructions.</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">-recover-</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">de_crypt_readme.</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!recover!</TargetFilename>
 			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recover}-</TargetFilename>
@@ -2136,12 +2272,12 @@
 			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.stubbin</TargetFilename>
 			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.berkshire</TargetFilename>
 			<!--SamSam Ransomware File drops -->
-			<TargetFilename condition="contains">www.exe</TargetFilename>
-			<TargetFilename condition="contains">ps.exe</TargetFilename>
-			<TargetFilename condition="contains">nt.exe</TargetFilename>
-			<TargetFilename condition="contains">doliohdyjkajd.dll</TargetFilename>
-			<TargetFilename condition="contains">run2.exe</TargetFilename>
-			<TargetFilename condition="contains">ping2.exe</TargetFilename>
+			<TargetFilename name="Alert=SamSam file created!" condition="end with">\www.exe</TargetFilename>
+			<TargetFilename name="Alert=SamSam file created!" condition="end with">\ps.exe</TargetFilename>
+			<TargetFilename name="Alert=SamSam file created!" condition="end with">\nt.exe</TargetFilename>
+			<TargetFilename name="Alert=SamSam file created!" condition="end with">\doliohdyjkajd.dll</TargetFilename>
+			<TargetFilename name="Alert=SamSam file created!" condition="end with">\run2.exe</TargetFilename>
+			<TargetFilename name="Alert=SamSam file created!" condition="end with">\ping2.exe</TargetFilename>
 			<!--END: SamSam Ransomware File drops -->
 			<!--SECTION: Certificates -->
 			<TargetFilename condition="contains">.pem</TargetFilename>
@@ -2160,7 +2296,7 @@
 			<TargetFilename condition="contains">.sst</TargetFilename>
 			<TargetFilename condition="contains">.key</TargetFilename>
 			<!--SECTION: CIA Vault7 Leak -->
-			<TargetFilename condition="contains">.mht</TargetFilename> <!-- Vault7 CIA Leak: Possible malformed file will escape IE sandbox -->
+			<TargetFilename name="Info=CIA Vault7 file created: https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="contains">.mht</TargetFilename> <!-- Vault7 CIA Leak: Possible malformed file will escape IE sandbox -->
 			<TargetFilename condition="contains">.cpl</TargetFilename> <!-- Vault7 CIA Leak: Control Panel Persistence -->
 			<TargetFilename condition="contains">.scr</TargetFilename> <!-- Vault7 CIA Leak: Screensaver Persistence -->
 			<TargetFilename condition="contains">.manifest</TargetFilename>
@@ -2250,14 +2386,12 @@
 			<Image condition="is">C:\Windows\system32\printfilterpipelinesvc.exe</Image>
 			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe</Image>
 			<Image condition="end with">\Runtime\1.0\NodeRunner.exe</Image><!--Exchange NodeRunner-->
-			
 		</FileCreate>
 
 	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
 		<!--EVENT 12: "Registry object added or deleted"-->
 		<!--EVENT 13: "Registry value set-->
 		<!--EVENT 14: "Registry objected renamed"-->
-		
 		<!--NOTE:	"contains" conditions below are formatted to reduce CPU load, so they may appear written inconsistently, but this is on purpose from tuning.-->
 		<!--NOTE:	"contains" works by finding the first letter, then matching the second, etc, so the first letters should be as low-occurrence as possible.-->
 		<!--NOTE:	Windows writes hundreds or thousands of registry keys a minute, so just because you're not changing things, doesn't mean these rules aren't being run.-->
@@ -2278,7 +2412,7 @@
 				<!--ADDITIONAL REFERENCE: [ http://www.ghacks.net/2016/06/04/windows-automatic-startup-locations/ ] -->
 				<!--ADDITIONAL REFERENCE: [ https://view.officeapps.live.com/op/view.aspx?src=https://arsenalrecon.com/downloads/resources/Registry_Keys_Related_to_Autorun.ods ] -->
 				<!--ADDITIONAL REFERENCE: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Run keys, incld RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="contains">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Run keys, incld RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
 			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts-->
 			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Windows\System\Scripts</TargetObject> <!--Microsoft:Windows: Logon, Loggoff, Shutdown-->
 			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Microsoft\System\Scripts</TargetObject> <!--Microsoft:Windows: Legacy Logon, Loggoff, Shutdown Scripts-->
@@ -2286,7 +2420,6 @@
 			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: Points to a service's EXE [ https://github.com/crypsisgroup/Splunkmon/blob/master/sysmon.cfg ] -->
 			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual)-->
 			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
-			<TargetObject name="MitreRef=T1209,Technique=Time Provider Keys,Tactic=Persistence,Alert=Detect Malicious Time Provider DLL" condition="begin with">HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\</TargetObject>
 			<TargetObject condition="contains">Session Manager\KnownDlls</TargetObject>
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</TargetObject> <!-- Print Monitor DLL's loaded at startup can be malicious, lets monitor those -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers</TargetObject> <!-- Print Provider DLL's loaded at startup can be malicious, lets monitor those -->
@@ -2297,29 +2430,29 @@
 			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
 			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
 			<TargetObject condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject> <!--Detect ACPI Rootkits -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject><!--Microsoft:Windows: Legacy Autorun may exist in server 2003-2008-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject> <!-- Windows Debugger Hijack Autorun -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=Detect Autorun Key persistenence" condition="contains">UserInitMprLogonScript</TargetObject> <!--Microsoft:Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject><!--Microsoft:Windows: Legacy Autorun may exist in server 2003-2008-->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject> <!-- Windows Debugger Hijack Autorun -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ] -->
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="contains">UserInitMprLogonScript</TargetObject> <!--Microsoft:Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ] -->
 			<TargetObject condition="end with">\CurrentVersion\Font Drivers</TargetObject>
 			<TargetObject condition="contains">Active Setup\Installed Components</TargetObject>
 			<TargetObject condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
 			<TargetObject condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
 			<TargetObject condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
 			<TargetObject condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
+			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
 			<TargetObject condition="contains">SafeBoot\AlternateShell</TargetObject>
 			<TargetObject condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
@@ -2380,7 +2513,7 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
-			<TargetObject name="MitreRef=T1128,Technique=Netsh Helper Beacon DLL,Tactic=Persistence" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
 			<!--Networking-->
@@ -2533,9 +2666,7 @@
 			<TargetObject name="NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
 			<TargetObject name="NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
 			<TargetObject name="NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
-
 		</RegistryEvent>
-
 		<RegistryEvent onmatch="exclude">
 		<!--COMMENT:	Remove low-information noise. Often these hide a process recreating an empty key and do not hide the values created subsequently.-->
 			<!--SECTION: Microsoft binaries-->
@@ -2569,6 +2700,7 @@
 			<TargetObject condition="end with">\CurrentVersion\Image File Execution Options</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Image File Execution Options" wildcard-->
 			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Cached</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Cached" wildcard-->
 			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Approved</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Approved" wildcard-->
+			<TargetObject condition="end with">\PreviousPolicyAreas</TargetObject> <!--Microsoft:Windows: Remove noise from \Winlogon\GPExtensions by svchost.exe-->
 			<TargetObject condition="end with">}\PreviousPolicyAreas</TargetObject> <!--Microsoft:Windows: Remove noise from \Winlogon\GPExtensions by svchost.exe-->
 			<TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
 			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
@@ -2741,12 +2873,6 @@
 		<!--NOTE: Other filesystem minifilters can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
 
 		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
-		<FileCreateStreamHash onmatch="exclude">
-			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
-			<TargetFilename condition="contains">\Mozilla\Firefox\Profiles\</TargetFilename>
-			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\</TargetFilename> <!--Exclude: IE Cache Spam-->
-			<TargetFilename condition="contains">\Microsoft\Windows\Temporary Internet Files\Content.IE5</TargetFilename> <!--Exclude: IE Cache Spam-->
-		</FileCreateStreamHash>
 		<FileCreateStreamHash onmatch="include">
 			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Content.Outlook</TargetFilename> <!--Microsoft:Outlook: Attachments--> <!--PRIVACY WARNING-->
 			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
@@ -2801,6 +2927,16 @@
 			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.cpl</TargetFilename> <!-- Vault7 CIA Leak: Control Panel Persistence -->
 			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.scr</TargetFilename> <!-- Vault7 CIA Leak: Screensaver Persistence -->
 			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
+			<Hash name="Alert=Ramnit Banker Trojan!" condition="contains">291ff87948e45914424cec9510c297da</Hash><!--Ramnit Banker Malware: https://www.virustotal.com/#/file/7f054300fa64e7bcdec7f5538876e6008d6164f21ff21c6375e36dfe04a63412/details-->
+			<Hash name="Alert=Ramnit Banker Trojan!" condition="contains">304772c80b157a916c7041f2f15939fb</Hash><!--Ramnit Banker Malware: https://www.virustotal.com/#/file/7f054300fa64e7bcdec7f5538876e6008d6164f21ff21c6375e36dfe04a63412/details-->
+			<Hash name="Alert=Docusign Phish!" condition="contains">5E022694C0DBD1FBBC263D608E577949</Hash><!--Docusign Spam:https://www.vkremez.com/2018/03/malware-spam-internals-docusign-spam.html -->
+			<Hash name="Alert=Docusign Phish!" condition="contains">88ce6c0affcdbdc82abe53957dddfa12</Hash><!--Docusign Spam:https://www.vkremez.com/2018/03/malware-spam-internals-docusign-spam.html -->
+		</FileCreateStreamHash>
+		<FileCreateStreamHash onmatch="exclude">
+			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
+			<TargetFilename condition="contains">\Mozilla\Firefox\Profiles\</TargetFilename>
+			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\</TargetFilename> <!--Exclude: IE Cache Spam-->
+			<TargetFilename condition="contains">\Microsoft\Windows\Temporary Internet Files\Content.IE5</TargetFilename> <!--Exclude: IE Cache Spam-->
 		</FileCreateStreamHash>
 
 	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
@@ -2942,7 +3078,6 @@
 			<!--SECTION: Sophos VPN Client-->
 			<Image condition="is">c:\program files (x86)\sophos\sophos ssl vpn client\bin\openvpnserv.exe</Image>
 			<!--SECTION: Labtech-->
-			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
 			<Image condition="contains">ScreenConnect.WindowsClient.exe</Image>
 			<Image condition="contains">ScreenConnect.ClientService.exe</Image>
 			<!--SECTION: N-Able -->
@@ -2961,7 +3096,6 @@
 			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\bin\git.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
-			<PipeName condition="contains">Anonymous Pipe</PipeName> <!-- NOTICE: Comment this out if you dont use Labtech, labtech nests processes and causes excessive noise -->
 			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiESNAC.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image>
 			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiTray.exe</Image>

From ba0d6d04f4a143f238f1f2b31f5e9cb9ef3168a2 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Tue, 21 Aug 2018 11:22:33 -0400
Subject: [PATCH 330/471] remove incorrect url not reflecting github changes

---
 Auto_Update.bat    | 2 +-
 Install Sysmon.bat | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Auto_Update.bat b/Auto_Update.bat
index c7fe1299..39d3b0cc 100644
--- a/Auto_Update.bat
+++ b/Auto_Update.bat
@@ -1,5 +1,5 @@
 @echo on
 cd C:\ProgramData\sysmon\
-@powershell (new-object System.Net.WebClient).DownloadFile('https://smartsync.omegapa.com/1/files/share/44/dev/omega-sysmon/sysmonconfig-export.xml/a0e2616fc58e1c','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
+@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/develop/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
 sysmon64 -c sysmonconfig-export.xml
 exit
diff --git a/Install Sysmon.bat b/Install Sysmon.bat
index 74e16906..5c0a7572 100644
--- a/Install Sysmon.bat	
+++ b/Install Sysmon.bat	
@@ -17,7 +17,7 @@ pushd "C:\ProgramData\sysmon\"
 echo [+] Downloading Sysmon...
 @powershell (new-object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon64.exe','C:\ProgramData\sysmon\sysmon64.exe')"
 echo [+] Downloading Sysmon config...
-@powershell (new-object System.Net.WebClient).DownloadFile('https://smartsync.omegapa.com/1/files/share/44/dev/omega-sysmon/sysmonconfig-export.xml/a0e2616fc58e1c','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
+@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/develop/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
 @powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/develop/Auto_Update.bat','C:\ProgramData\sysmon\Auto_Update.bat')"
 sysmon64.exe -accepteula -i sysmonconfig-export.xml
 sc failure Sysmon64 actions= restart/10000/restart/10000// reset= 120

From 00fc760607969e9ba4654b6f1bd8472c41c22013 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 23 Aug 2018 23:19:14 -0400
Subject: [PATCH 331/471] updates

---
 sysmonconfig-export.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index cccf84fa..184174c7 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -91,8 +91,8 @@
 			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery,Alert=Process Discovery" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
 			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=User enumeration/Discovery" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
 			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Alert=Network Configureation discovery with route.exe" condition="end with">\route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
-			<CommandLine name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery,Alert=System information discovery with reg.exe" condition="contains">reg query</CommandLine> <!--Microsoft:Windows: reads and modifies the Windows register -->
-			<CommandLine name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery,Alert=System information discovery with reg.exe" condition="contains">reg.exe query</CommandLine> <!--Microsoft:Windows: reads and modifies the Windows register -->
+			<CommandLine name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery,Info=System information discovery with reg.exe" condition="contains">reg query</CommandLine> <!--Microsoft:Windows: reads and modifies the Windows register -->
+			<CommandLine name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery,Info=System information discovery with reg.exe" condition="contains">reg.exe query</CommandLine> <!--Microsoft:Windows: reads and modifies the Windows register -->
 			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=Network Connection Discovery with netsh" condition="end with">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
 			<!--MITRE TACTIC: Execution-->
 			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution,Alert=Metasploit Detection" condition="contains">COMSPEC</CommandLine>

From 5108626ea73c52b2fd2a886b78c070d4504c0ab7 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 30 Aug 2018 21:36:37 -0400
Subject: [PATCH 332/471] add some mitre references

---
 sysmonconfig-export.xml | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 184174c7..42b717ca 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -243,7 +243,8 @@
 			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="end with">doskey.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<!--Mavinject -->
-	        <Image name="MitreRef=T1218,Technique=Mavinject" condition="end with">Mavinject.exe</Image>
+	        <Image name="MitreRef=T1218,Technique=Mavinject,Alert=Process Injection" condition="end with">Mavinject.exe</Image>
+	        <CommandLine name="MitreRef=T1218,Technique=Mavinject,Alert=Process Injection" condition="contains">/INJECTRUNNING</CommandLine>
 			<Image name="MitreRef=T1191,Technique=Mavinject" condition="end with">CMSTP.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil.exe -decode</CommandLine>
@@ -892,7 +893,7 @@
 			<CommandLine condition="contains">\sysmon\Auto_Update.bat</CommandLine>
 			<CommandLine condition="contains">ion-storm/sysmon-config</CommandLine>
 			 <!--Exclude: Netlogon scripts-->
-			<ParentCommandLine condition="contains">\netlogon\</ParentCommandLine>
+			<ParentCommandLine name="MitreRef=T1037,Technique=Logon Scripts,Tactic=Lateral Movement Persistence" condition="contains">\netlogon\</ParentCommandLine>
 			<CommandLine condition="contains">\netlogon\</CommandLine>
 			<ParentImage condition="is">C:\PROGRA~2\SAAZOD\SAAZMSMACTL.EXE</ParentImage>
 			 <!--Exclude: Too noisy in a domain environment with legacy logon scripts-->
@@ -1142,14 +1143,14 @@
 			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">cryptmonero</DestinationHostname>
 			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mineXMR</DestinationHostname>
 			<!--Ports-->
-			<DestinationPort name="Service=HTTP Connection" condition="is">80</DestinationPort>
-			<DestinationPort name="Service=HTTPS Connection" condition="is">443</DestinationPort>
+			<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">80</DestinationPort>
+			<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">443</DestinationPort>
 			<DestinationPort name="Service=Remote Desktop Connection" condition="is">3389</DestinationPort>
 			<DestinationPort condition="is">3540</DestinationPort> <!--Remote Assistance Port-->
-			<DestinationPort name="Service=SSH Connection" condition="is">22</DestinationPort>
-			<DestinationPort name="Service=Telnet" condition="is">23</DestinationPort>
-			<DestinationPort name="Service=SMTP" condition="is">25</DestinationPort>
-			<DestinationPort name="Service=SMB" condition="is">139</DestinationPort>
+			<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">22</DestinationPort>
+			<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">23</DestinationPort>
+			<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">25</DestinationPort>
+			<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">139</DestinationPort>
 			<!--<DestinationPort condition="is">445</DestinationPort> SMB Port: Removed because of noise-->
 			<DestinationPort name="Service=VNC" condition="is">5800</DestinationPort>
 			<DestinationPort name="Service=VNC" condition="is">5900</DestinationPort>
@@ -2519,7 +2520,7 @@
 			<!--Networking-->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
-			<TargetObject condition="end with">EnableFirewall</TargetObject> <!--Microsoft:Windows: Monitor for firewall disablement [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089" condition="end with">EnableFirewall</TargetObject> <!--Microsoft:Windows: Monitor for firewall disablement [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
 			<!--DLLs that get injected into every process launch-->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
@@ -2616,7 +2617,7 @@
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable</TargetObject>
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject> <!-- Detect disabling of machine password change -->
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject> <!-- Detect disabling of machine password change -->
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject> <!-- Causes the domain controller to refuse password change requests only from workstations or member servers -->
 			<!-- Detect Root Certificate Store Hijacking and Unauthorized changes -->
 			<!-- Lots of noise from multiple locations, need a better monitor

From 984e2f587c435fdda5a7c6fc28981900ef281e21 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 31 Aug 2018 09:21:18 -0400
Subject: [PATCH 333/471] add additional locations for file creation

---
 sysmonconfig-export.xml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 42b717ca..a1057a6b 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1670,11 +1670,15 @@
 
 		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
 		<FileCreate onmatch="include">
+			<TargetFilename condition="begin with">C:\Windows\Prefetch</TargetFilename> <!--Microsoft:Windows: Prefetch Forensics that may possibly bypass sysmon-->
+			<TargetFilename condition="begin with">C:\Windows\System32\drivers</TargetFilename> <!--Microsoft:Windows: Monitor Driver Drops & hosts location-->
 			<TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links and shortcut modification-->
 			<TargetFilename condition="contains">\Startup</TargetFilename> <!--Microsoft:Office: Changes to user's autoloaded files under AppData-->
 			<TargetFilename name="MitreRef=T1060,Technique=Autorun Folder Entries,Tactic=Persistence" condition="contains">\Programs\Startup</TargetFilename> <!--Microsoft:Windows: Autorun Startup Folder-->
 			<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments--> <!--PRIVACY WARNING-->
 			<TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE--> <!--PRIVACY WARNING-->
+			<TargetFilename condition="contains">$RECYCLE.BIN</TargetFilename> <!--Files created in Recycle bin-->
+			<TargetFilename condition="contains">\Microsoft\Office\Recent</TargetFilename> <!--Recent Office History-->
 			<TargetFilename condition="end with">.dll</TargetFilename> <!-- Lets detect DLL's being dropped in locations and to detect DLL Search Order Hijacking -->
 			<TargetFilename condition="end with">.ocx</TargetFilename>
 			<TargetFilename condition="end with">.sys</TargetFilename> <!-- Lets detect Drivers's being dropped in locations -->
@@ -1738,6 +1742,10 @@
 			<TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
 			<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
 			<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks -->
+			<TargetFilename condition="begin with">C:\Windows\SysWow64\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks -->
+			<TargetFilename condition="begin with">C:\Windows\Minidump</TargetFilename> <!--Windows Minidumps -->
+			<TargetFilename condition="contains">Microsoft\Windows\WER\</TargetFilename> <!--Windows Minidumps -->
+			<TargetFilename condition="end with">MEMORY.dmp</TargetFilename> <!--Microsoft:ScheduledTasks -->
 			<TargetFilename condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename> <!--Microsoft:Windows: Application compatibility shims [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
 			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
 			<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename> <!--Microsoft: Files dropped here -->
@@ -2466,6 +2474,7 @@
 			<TargetObject condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
 			<TargetObject condition="contains">\shell\open\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
 			<TargetObject condition="contains">\shell\open\ddeexec\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
+			<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\</TargetObject><!--Lets Get SID History and other info for Forensics, this is created on logon-->
 			<!--Windows COM-->
 			<TargetObject condition="end with">\InprocServer32\(Default)</TargetObject> <!--Microsoft:Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
 			<!--Windows shell hijack-->

From 0cde79da36c28661903328bc40416d5ceb07aa4f Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 13 Dec 2018 19:17:46 -0500
Subject: [PATCH 334/471] merge in a few changes and cleanup

---
 sysmonconfig-export.xml | 57 +++++------------------------------------
 1 file changed, 7 insertions(+), 50 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index a1057a6b..cc152f31 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -800,56 +800,6 @@
 			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
 			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe</Image>
 			<!--SECTION: Custom Apps-->
-			<!--SECTION: Labtech -->
-			<!--Since Labtech nests its processes, the following exclusions could be exploited, remove if you do not need-->
-			<!--TODO: Will define these more in the future-->
-			<ParentCommandLine condition="is">C:\Windows\LTSvc\LTSVC.exe -sLTService</ParentCommandLine> <!--Labtech Agent-->
-			<ParentImage condition="is">C:\Windows\LTSvc\LTSVC.exe</ParentImage> <!--Labtech Agent-->
-			<CurrentDirectory condition="is">C:\Windows\LTSvc\</CurrentDirectory><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">find /i "Listening"</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">netstat -an</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">tasklist</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">nslookup</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">nbtstat.exe</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">dsquery</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">sc query</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">find /i "Listening"</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">netstat -an</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">tasklist</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">interface tcp show global</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">wmic path win32_operatingsystem get</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">sc queryex type= service</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe</ParentCommandLine> <!--ShadowProtect noise -->
-			<ParentCommandLine condition="contains">raw_agent_svc.exe</ParentCommandLine> <!--ShadowProtect noise -->
-			<ParentImage condition="end with">raw_agent_svc.exe</ParentImage> <!--ShadowProtect noise -->
-			<CommandLine condition="contains">IscsidscInterface.exe</CommandLine> <!--ShadowProtect noise -->
-			<ParentCommandLine condition="contains">IscsidscInterface.exe</ParentCommandLine> <!--ShadowProtect noise -->
-			<ParentCommandLine condition="contains">Add-PSSnapin Microsoft.SharePoint.PowerShell</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">find /i "Listening"</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">netstat -an</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">tasklist</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">wmic path win32_operatingsystem get</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">sc queryex type= service</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">C:\Program Files\StorageCraft\ImageManager\ImageManager.exe</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">Add-PSSnapin Microsoft.SharePoint.PowerShell</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">Get-WmiObject -Query 'SELECT LicensingType FROM Win32_TerminalServiceSetting').LicensingType</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">Get-WmiObject -Namespace Root\CimV2\TerminalServices</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">tasklist</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">vssadmin list writers</ParentCommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">vssadmin  list writers</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">net view \\localhost | find " Print</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">net view \\localhost | find " Disk</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<CommandLine condition="contains">C:\Windows\system32\net1 Share</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentCommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
-			<ParentImage condition="is">C:\Program Files (x86)\LabTech Client\LTClient.exe</ParentImage> <!--Labtech Client-->
-			<ParentCommandLine condition="contains">C:\Windows\LTSvc\LTSvcMon.exe -sLTService</ParentCommandLine>
-			<ParentImage condition="is">C:\Windows\LTSvc\LTSvcMon.exe</ParentImage>
-			<Image condition="is">C:\Windows\LTSvc\LTTray.exe</Image>
-			<ParentCommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall</ParentCommandLine>
-			<CommandLine condition="contains">interface tcp show global</CommandLine>
-			<Image condition="is">nslookup.exe</Image><!--Labtech NStest.bat lookups-->
-			<!--END: Labtech-->
 			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->
 			<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
 			<ParentImage condition="begin with">C:\Program Files (x86)\SmartGit</ParentImage> <!--SmartGit-->
@@ -1546,6 +1496,7 @@
 		<CreateRemoteThread onmatch="include">
 			<StartFunction name="MitreRef=T1055,Technique=DLL Injection via LoadLibrary API Call,Tactic=Defense Evasion,Alert=DLL Injection via LoadLibrary API Call" condition="contains">LoadLibrary</StartFunction>
 			<SourceImage condition="contains">\</SourceImage>
+			<StartAddress name="Alert=Cobalt Strike Detected!"  condition="end with">0B80</StartAddress>
 		</CreateRemoteThread>
 		<CreateRemoteThread onmatch="exclude">
 			<!--COMMENT: Exclude mostly-safe sources and log anything else.-->
@@ -2311,6 +2262,7 @@
 			<TargetFilename condition="contains">.manifest</TargetFilename>
 			<TargetFilename condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
 			<TargetFilename condition="contains">HammerDrillStatus.dll</TargetFilename> <!-- Vault7 CIA Leak: HammerDrill DLL -->
+			<TargetFilename condition="contains">PSReadLine\ConsoleHost_history.txt</TargetFilename> <!-- Powershell History -->
 			<!--SECTION: Mimikatz-->
 			<!--Default-disable <TargetFileName condition="end with">.kirbi</TargetFileName> --> <!-- [ https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos ] -->
 		</FileCreate>
@@ -2585,10 +2537,12 @@
 			<TargetObject condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
 			<TargetObject condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
 			<TargetObject condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject condition="end with">Nameserver</TargetObject><!--Networking: Detect changes-->
 			<TargetObject condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
 			<TargetObject condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
 			<TargetObject condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
 			<TargetObject condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
+			<TargetObject condition="end with">}\Category</TargetObject><!--Networking: Detect Network type change-->
 			<!--Detect User Activity-->
 			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
@@ -2687,8 +2641,11 @@
 			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office15\lync.exe</Image> <!-- Lync Adding registry values to network adapter.. facepalm -->
 			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
 			<Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
+			<Image condition="contains">\Microsoft\Exchange Server</Image>
 			<TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\</TargetObject> <!-- Edge Extensions Creating Reg entries on launch -->
 			<!--Misc-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\ExchangeServer\</TargetObject>
+			<TargetObject condition="begin with">HKLM\CLUSTER\ExchangeActiveManager</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\Optimize Start Menu Cache Files-</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\User_Feed_Synchronization-</TargetObject>
 			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator</TargetObject>

From 0e4d97bdcc27cfb36aee167e73dd9671f9134bfc Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 13 Dec 2018 19:38:02 -0500
Subject: [PATCH 335/471] readme update regarding Sysmon 8.02 breaking changes.
  This config needs 8.00

---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.md b/README.md
index 5aea6230..a0bd94bf 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,9 @@
 # Sysmon Threat Intelligence Configuration #
 See the develop Branch for more bleeding edge updates: https://github.com/ion-storm/sysmon-config/tree/develop
 
+This config is based off of the OR logic in sysmon 8.00, sysmon 8.02 breaks this functionality, Mark Cook and Mark Russinovich will be
+making some changes to allow my config to work in future sysmon releases.  For now stay on 8.00, 8.02 has breaking changes.
+
 This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing.
 
 The file provided should function as a great starting point for system monitoring in a self-contained package. This configuration and results should give you a good idea of what's possible for Sysmon.

From af223866d9b8a9c5ea45b5cdd6ce518320dbff3e Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 13 Dec 2018 21:40:07 -0500
Subject: [PATCH 336/471] optimizations, stay on 8.00

---
 sysmonconfig-export.xml | 227 ++++++++++++++++++++++++----------------
 1 file changed, 139 insertions(+), 88 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index cc152f31..fa962810 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -35,22 +35,65 @@
 			<!--MITRE TACTIC: Defense Evasion-->
 			<ParentImage name="Alert=Unknown Process Execution" condition="contains">unknown process</ParentImage>
 			<Image name="Alert=Unknown Process Execution" condition="contains">unknown process</Image>
-			<Image name="MitreRef=T1117,Technique=Regsvr32-Defense Evasion/Execution" condition="end with">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
-			<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion,Alert=BitsAdmin File Transfers" condition="end with">bitsadmin.exe</Image>
-			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="end with">eventvwr.exe</ParentImage>
-			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="end with">fodhelper.exe</ParentImage>
-			<Image name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution,Alert=InstallUtil" condition="end with">InstallUtil.exe</Image>
+			<Image name="MitreRef=T1117,Technique=Regsvr32-Defense Evasion/Execution" condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
+			<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion,Alert=BitsAdmin File Transfers" condition="image">bitsadmin.exe</Image>
+			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="image">eventvwr.exe</ParentImage>
+			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="image">fodhelper.exe</ParentImage>
+			<Image name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution,Alert=InstallUtil" condition="image">InstallUtil.exe</Image>
 			<CommandLine name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution,Alert=InstallUtil" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
-			<Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">MSBuild.exe</Image>
-	        <Image name="MitreRef=T1121,Technique=Regsvcs/Regasm Bypass,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">regsvcs.exe</Image>
-			<Image name="MitreRef=T1121,Technique=Regsvcs/Regasm Bypass,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">regasm.exe</Image>
-			<Image name="MitreRef=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">SyncAppvPublishingServer.exe</Image>
-			<Image name="MitreRef=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion/Execution" condition="end with">\control.exe</Image>
+			<Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="image">MSBuild.exe</Image>
+	        <Image name="MitreRef=T1121,Technique=Regsvcs/Regasm Bypass,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="image">regsvcs.exe</Image>
+			<Image name="MitreRef=T1121,Technique=Regsvcs/Regasm Bypass,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="image">regasm.exe</Image>
+			<Image name="MitreRef=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="image">SyncAppvPublishingServer.exe</Image>
+			<Image name="MitreRef=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion/Execution" condition="image">control.exe</Image>
 	        <CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution,Alert=Control Panel Execution" condition="contains">control.exe /name</CommandLine>
 			<CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution,Alert=Control Panel Execution" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
-			<Image name="MitreRef=T1170,Technique=MSHTA,Tactic=Defense Evasion/Execution,Alert=MSHTA Execution" condition="end with">mshta.exe</Image>
-			<Image name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion" condition="end with">wevutil.exe</Image>
+			<Image name="MitreRef=T1170,Technique=MSHTA,Tactic=Defense Evasion/Execution,Alert=MSHTA Execution" condition="image">mshta.exe</Image>
+			<ParentImage name="MitreRef=T1170,Technique=MSHTA,Tactic=Defense Evasion/Execution,Alert=MSHTA Execution" condition="image">mshta.exe</ParentImage>
+			<Image name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion" condition="image">wevutil.exe</Image>
 			<CommandLine name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion,Alert=Eventlog Removal Detected" condition="contains">wevutil cl</CommandLine>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution,Alert=Font Folder execution" condition="begin with">C:\Windows\Fonts\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Fonts\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="contains">\htdocs\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Media\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\Public\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\addins\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Debug\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\NetworkService\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\PerfLogs\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\Default\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Help\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Intel\Logs\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\repair\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\$Recycle.bin\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\security\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="contains">\wwwroot\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="contains">\htdocs\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Media\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\addins\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\ProgramData</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\NetworkService\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Debug\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Temp</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Temp</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\PerfLogs\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\Default\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Help\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Intel\Logs\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\repair\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\$Recycle.bin\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\Public\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\security\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Fonts\</Image>
+			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="contains">\wwwroot\</Image>
+			<Image condition="image" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089">MpCmdRun.exe</Image>
+			<Image condition="image" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089">PsKill.exe</Image>
+			<CommandLine condition="contains" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089">DisableIOAVProtection</CommandLine>
+			<CommandLine condition="contains" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089">RemoveDefinitions</CommandLine>
+			<CommandLine condition="contains" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089">Add-MpPreference</CommandLine>
 			<!--MITRE TACTIC: Discovery-->
 			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net user</CommandLine>
 			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net  user</CommandLine>
@@ -80,23 +123,31 @@
 			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="begin with">net1.exe  group</CommandLine>
 			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account Creation" condition="begin with">dsadd </CommandLine>
 			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account Creation" condition="begin with">dsmod </CommandLine>
-			<Image name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=DSQuery.EXE Discovery" condition="end with">dsquery.exe</Image><!-- Query domain-->
-			<Image name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsmod" condition="end with">dsmod.exe</Image><!-- Query domain-->
-			<Image name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsadd" condition="end with">dsadd.exe</Image><!-- Query domain-->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=Account Discovery,MitreURL= https://attack.mitre.org/wiki/Technique/T1049" condition="end with">whoami.exe</Image>
-			<Image name="MitreRef=T1049,Technique=Discovery,Tactic=Discovery" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
-			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery,Alert=Process Discovery" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
-			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery,Alert=System Information Discovery" condition="end with">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=System Network Connections Discovery" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
-			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery,Alert=Process Discovery" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=User enumeration/Discovery" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
-			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Alert=Network Configureation discovery with route.exe" condition="end with">\route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
+			<Image name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=DSQuery.EXE Discovery" condition="image">dsquery.exe</Image><!-- Query domain-->
+			<Image name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsmod" condition="image">dsmod.exe</Image><!-- Query domain-->
+			<Image name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsadd" condition="image">dsadd.exe</Image><!-- Query domain-->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=Account Discovery,MitreURL= https://attack.mitre.org/wiki/Technique/T1049" condition="image">whoami.exe</Image>
+			<Image name="MitreRef=T1049,Technique=Discovery,Tactic=Discovery" condition="image">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
+			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery,Alert=Process Discovery" condition="image">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
+			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery,Alert=System Information Discovery" condition="image">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=System Network Connections Discovery" condition="image">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
+			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery,Alert=Process Discovery" condition="image">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=User enumeration/Discovery" condition="image">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
+			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Alert=Network Configureation discovery with route.exe" condition="image">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
 			<CommandLine name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery,Info=System information discovery with reg.exe" condition="contains">reg query</CommandLine> <!--Microsoft:Windows: reads and modifies the Windows register -->
 			<CommandLine name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery,Info=System information discovery with reg.exe" condition="contains">reg.exe query</CommandLine> <!--Microsoft:Windows: reads and modifies the Windows register -->
-			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=Network Connection Discovery with netsh" condition="end with">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
+			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=Network Connection Discovery with netsh" condition="image">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
 			<!--MITRE TACTIC: Execution-->
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">wscript.exe</Image>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">pcalua.exe</Image>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">cscript.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">wscript.exe</ParentImage>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">pcalua.exe</ParentImage>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">cscript.exe</ParentImage>
 			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution,Alert=Metasploit Detection" condition="contains">COMSPEC</CommandLine>
 			<ParentCommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution,Alert=Metasploit Detection" condition="contains">COMSPEC</ParentCommandLine>
+			<ParentImage condition="image" name="MitreRef=T1086,Technique=Powershell,Tactic=Execution">powershell.exe</ParentImage>
+			<ParentImage condition="image" name="MitreRef=T1086,Technique=Powershell,Tactic=Execution">powershell_ise.exe</ParentImage>
 			<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="begin with">powershell.exe -Version</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
 			<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="contains">powershell</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
 			<ParentCommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="contains">powershell</ParentCommandLine> <!--Microsoft:Windows: PowerShell interface-->
@@ -111,35 +162,34 @@
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.WebRequest</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.SecurityProtocolType</CommandLine>
 			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=invoke-shellcode" condition="contains">Shellcode</CommandLine>
-			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Bash on Windows Execution" condition="end with">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
-			<ParentImage name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Bash on windows execution" condition="end with">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
-			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=Child Process of psexec" condition="end with">psexesvc.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Bash on Windows Execution" condition="image">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
+			<ParentImage name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Bash on windows execution" condition="image">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
+			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=Child Process of psexec" condition="image">psexesvc.exe</ParentImage>
 			<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSexec Execution" condition="contains">Execute processes remotely</Description>
-			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSexec Execution" condition="end with">psexec.exe</ParentImage>
+			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSexec Execution" condition="image">psexec.exe</ParentImage>
 			<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSexec Execution" condition="contains">Execute processes remotely</Description>
-			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSKill Execution" condition="end with">pskill.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="end with">forfiles.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect command execution child process" condition="end with">forfiles.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">pcalua.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">pcalua.exe</ParentImage>
-			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution,Alert=Windows Remote Management execution" condition="end with">wsmprovhost.exe</Image>
-			<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution,Alert=Windows Remote Management execution" condition="end with">wsmprovhost.exe</ParentImage>
+			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSKill Execution" condition="image">pskill.exe</ParentImage>
+			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">forfiles.exe</Image>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect command execution child process" condition="image">forfiles.exe</ParentImage>
+			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="image">pcalua.exe</ParentImage>
+			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution,Alert=Windows Remote Management execution" condition="image">wsmprovhost.exe</Image>
+			<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution,Alert=Windows Remote Management execution" condition="image">wsmprovhost.exe</ParentImage>
 			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution,Alert=Windows Remote Management Execution" condition="end with">winrm.cmd</Image>
 			<!--MITRE TACTIC: Persistence-->
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation" condition="end with">sethc.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">utilman.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">osk.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">Magnify.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">DisplaySwitch.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">Narrator.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">AtBroker.exe</ParentImage>
-			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation,Alert=Application Shimming" condition="end with">sdbinst.exe</Image>
-			<Image name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=Task Scheduler execution" condition="end with">schtasks.exe</Image>
-			<ParentImage name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=Child process from schtasks" condition="end with">schtasks.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation" condition="image">sethc.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">utilman.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">osk.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Magnify.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">DisplaySwitch.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Narrator.exe</ParentImage>
+			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">AtBroker.exe</ParentImage>
+			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation,Alert=Application Shimming" condition="image">sdbinst.exe</Image>
+			<Image name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=Task Scheduler execution" condition="image">schtasks.exe</Image>
+			<ParentImage name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=Child process from schtasks" condition="image">schtasks.exe</ParentImage>
 			<CommandLine name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=schtasks task created" condition="contains">schtasks /create</CommandLine>
 			<CommandLine name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=schtasks task created" condition="contains">schtasks.exe /create</CommandLine>
-			<Image name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=at.exe Task scheduler execution" condition="end with">\at.exe</Image>
-			<ParentImage name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=at.exe Task scheduler execution" condition="end with">\at.exe</ParentImage>
+			<Image name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=at.exe Task scheduler execution" condition="image">at.exe</Image>
+			<ParentImage name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=at.exe Task scheduler execution" condition="image">at.exe</ParentImage>
 			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement,Alert=Powershell Injection persistence bypass" condition="contains">System.Management.Automation</CommandLine>
 			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=User added by Command line" condition="contains">net user /add</CommandLine>
 			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Administrator added via Command Line,Alert=Adminstrator added via command line" condition="contains">net localgroup administrators /add</CommandLine>
@@ -147,7 +197,7 @@
 			<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via Command Line,Alert=Service added via command line" condition="contains">sc.exe create</CommandLine>
 			<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via Command Line,Alert=Service added via command line" condition="contains">new-service</CommandLine>
 			<!--MITRE TACTIC: Lateral Movement-->
-			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement,Alert=Hacking" condition="end with">wmiprvse.exe</ParentImage>
+			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement,Alert=Hacking" condition="image">wmiprvse.exe</ParentImage>
 			<CommandLine name="MitreRef=T0000,Technique=Remote Desktop Shadow,Alert=Hacking/Remote Admin,Alert=Remote Desktop Shadow Alert" condition="contains">/shadow</CommandLine>
 			<CommandLine name="MitreRef=T0000,Technique=Remote Desktop Shadow,Alert=Hacking/Remote Admin,Alert=Remote Desktop Shadow with no Consent alert" condition="contains">/noConsentPrompt</CommandLine>
 			<!--MITRE TECHNIQUE: Obfuscation-->
@@ -181,17 +231,17 @@
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
 			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">C^om^S^pEc</CommandLine>
 			<!--Native Windows tools - Living off the land-->
-			<Image name="MitreRef=ToDo,Technique=,Alert=Process/Session/User Query with query.exe" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeration,Alert=Traceroute Enumeration,MitreURL= https://capec.mitre.org/data/definitions/293.html" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
+			<Image name="MitreRef=ToDo,Technique=,Alert=Process/Session/User Query with query.exe" condition="image">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
+			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeration,Alert=Traceroute Enumeration,MitreURL= https://capec.mitre.org/data/definitions/293.html" condition="image">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
 			<Image name="MitreRef=ToDo,Technique=,Alert=tree of directory structure disclosure" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
-			<Image name="MitreRef=T1134,Technique=Access Token Manipulation,Alert=Token Manipulation with runas.exe" condition="end with">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
-			<Image name="MitreRef=ToDo,Technique=,Alert=Command Line task kill" condition="end with">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
-			<Image name="MitreRef=ToDo,Technique=,Alert=Kerberos Ticket Disclosure with klist" condition="end with">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
-			<Image name="MitreRef=ToDo,Technique=,Alert=Kerberos Ticket Disclosure" condition="end with">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Possible driver load with odbcconf" condition="end with">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
-			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Program Compatibility bypass" condition="end with">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
-			<Image name="MitreRef=T1158,Technique=Hacking/LOLBins-Living off the Land,Alert=Attrib bypass" condition="end with">attrib.exe</Image>
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Possible credential modification or disclosure with cmdkey" condition="end with">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
+			<Image name="MitreRef=T1134,Technique=Access Token Manipulation,Alert=Token Manipulation with runas.exe" condition="image">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
+			<Image name="MitreRef=ToDo,Technique=,Alert=Command Line task kill" condition="image">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
+			<Image name="MitreRef=ToDo,Technique=,Alert=Kerberos Ticket Disclosure with klist" condition="image">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
+			<Image name="MitreRef=ToDo,Technique=,Alert=Kerberos Ticket Disclosure" condition="image">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Possible driver load with odbcconf" condition="image">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
+			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Program Compatibility bypass" condition="image">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
+			<Image name="MitreRef=T1158,Technique=Hacking/LOLBins-Living off the Land,Alert=Attrib bypass" condition="image">attrib.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Possible credential modification or disclosure with cmdkey" condition="image">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
 			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,AlertNLTest=" condition="end with">nltest.exe</Image>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=NLTest" condition="contains">nltest.exe</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=" condition="contains">ExtExport</CommandLine>
@@ -239,43 +289,43 @@
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">assoc </CommandLine>
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="end with">\cls.exe</Image>
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="end with">doskey.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="end with">cls.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="image">doskey.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<!--Mavinject -->
-	        <Image name="MitreRef=T1218,Technique=Mavinject,Alert=Process Injection" condition="end with">Mavinject.exe</Image>
+	        <Image name="MitreRef=T1218,Technique=Mavinject,Alert=Process Injection" condition="image">Mavinject.exe</Image>
 	        <CommandLine name="MitreRef=T1218,Technique=Mavinject,Alert=Process Injection" condition="contains">/INJECTRUNNING</CommandLine>
-			<Image name="MitreRef=T1191,Technique=Mavinject" condition="end with">CMSTP.exe</Image>
+			<Image name="MitreRef=T1191,Technique=Mavinject" condition="image">CMSTP.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil.exe -decode</CommandLine>
 			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil -decode</CommandLine>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Adobe Parent Processes-->
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Acrobat" condition="end with">acrobat.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Adobe Reader" condition="end with">acrord32.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Acrobat" condition="image">acrobat.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Adobe Reader" condition="image">acrord32.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Browser Parent Processes-->
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned Process from Chrome" condition="end with">chrome.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Firefox" condition="end with">firefox.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Internet Explorer" condition="end with">iexplore.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="end with">MicrosoftEdgeCP.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="end with">MicrosoftEdge.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Vivaldi Browser" condition="end with">vivaldi.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Waterfox Browser" condition="end with">waterfox.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned Process from Chrome" condition="image">chrome.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Firefox" condition="image">firefox.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Internet Explorer" condition="image">iexplore.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="image">MicrosoftEdgeCP.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="image">MicrosoftEdge.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Vivaldi Browser" condition="image">vivaldi.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Waterfox Browser" condition="image">waterfox.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Java Parent Processes-->
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">java.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">javaw.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">java.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">javaw.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Spawned Office Parent Processes & Abuse-->
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">word.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">excel.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">POWERPNT.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">outlook.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">visio.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">msaccess.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">lync.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">skype.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">word.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">excel.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">POWERPNT.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">outlook.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">visio.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">msaccess.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">lync.exe</ParentImage>
+			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">skype.exe</ParentImage>
 	  		<!--                                                                                                                                            -->
 			<!--Detect Output Redirection-->
 			<CommandLine name="Alert=Output Redirection" condition="contains">2></CommandLine>
@@ -429,6 +479,8 @@
 			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">mimiauth</CommandLine>
 			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Powersploit</CommandLine>
 			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Mimikittenz</CommandLine>
+			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">-ma lsass.exe</CommandLine>
+			<Image name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">ProcDump.exe</Image>
 			<!--Malicious Keywords Credits: Sean Metcalf (source), Florian Roth (rule)-->
 			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">AdjustTokenPrivileges</CommandLine>
 			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">IMAGE_NT_OPTIONAL_HDR64_MAGIC</CommandLine>
@@ -462,7 +514,6 @@
 			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">h"t"t"p</CommandLine>
 			<!--Suspicious Windows tools-->
 			<CommandLine name="MitreRef=T1216,Technique=Signed Script Proxy Execution,Tactic=Defense Evasion/Execution" condition="contains">script:http</CommandLine> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
-			<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
 			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
@@ -530,12 +581,12 @@
 			<Image name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="end with">.com</Image>
 			<Image name="Info=Executables Launched In Temp" condition="contains">\temp\</Image>
 			<Image name="Info=Executables Launched In User Dirs" condition="begin with">C:\users</Image>
-			<ParentImage condition="end with">explorer.exe</ParentImage>
-			<Image condition="end with">control.exe</Image>
-			<Image condition="end with">acrord32.exe</Image>
-			<Image condition="end with">installutil.exe</Image>
-			<Image name="Info=Registry modification/queries" condition="end with">\reg.exe</Image>
-			<Image name="Info=ipconfig discovery" condition="end with">ipconfig.exe</Image>
+			<ParentImage condition="image">explorer.exe</ParentImage>
+			<Image condition="image">control.exe</Image>
+			<Image condition="image">acrord32.exe</Image>
+			<Image condition="image">installutil.exe</Image>
+			<Image name="Info=Registry modification/queries" condition="image">\reg.exe</Image>
+			<Image name="Info=ipconfig discovery" condition="image">ipconfig.exe</Image>
 			<Image name="Info=Executables Launched In Appdata" condition="contains">\appdata\</Image>
 			<Image condition="contains">\programdata\</Image>
 			<Image condition="contains">\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->

From 18b3b458c75fec66da60a9e24d3c6045783d83e8 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Thu, 13 Dec 2018 22:12:11 -0500
Subject: [PATCH 337/471] more optimizations

---
 sysmonconfig-export.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index fa962810..95460ef3 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -242,7 +242,7 @@
 			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Program Compatibility bypass" condition="image">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
 			<Image name="MitreRef=T1158,Technique=Hacking/LOLBins-Living off the Land,Alert=Attrib bypass" condition="image">attrib.exe</Image>
 			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Possible credential modification or disclosure with cmdkey" condition="image">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,AlertNLTest=" condition="end with">nltest.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,AlertNLTest=" condition="image">nltest.exe</Image>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=NLTest" condition="contains">nltest.exe</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=" condition="contains">ExtExport</CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">bash -c</CommandLine>
@@ -289,7 +289,7 @@
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
 			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">assoc </CommandLine>
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="end with">cls.exe</Image>
+			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="image">cls.exe</Image>
 			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="image">doskey.exe</Image>
 	  		<!--                                                                                                                                            -->
 			<!--Mavinject -->

From 08ddc0c3ab6cb06a62e4d950bcef96178eeb49f9 Mon Sep 17 00:00:00 2001
From: ionstorm <defconoii@gmail.com>
Date: Fri, 25 Jan 2019 11:31:43 -0500
Subject: [PATCH 338/471] Update README.md

---
 README.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index a0bd94bf..49da7d39 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,7 @@
 # Sysmon Threat Intelligence Configuration #
 See the develop Branch for more bleeding edge updates: https://github.com/ion-storm/sysmon-config/tree/develop
 
-This config is based off of the OR logic in sysmon 8.00, sysmon 8.02 breaks this functionality, Mark Cook and Mark Russinovich will be
-making some changes to allow my config to work in future sysmon releases.  For now stay on 8.00, 8.02 has breaking changes.
+This config is based off of the OR logic in sysmon 8.00 and 8.04, sysmon 8.02 breaks this functionality.  Also 8.00 introduced a memory leak that will consume all available memory on your system if you frequently reload the config file.  Upgrading to 8.04 is mandatory.
 
 This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing.
 
@@ -54,4 +53,4 @@ sc sdset Sysmon D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;B
 
 ### Graylog Configuration ###
 
-(https://github.com/ion-storm/Graylog_Sysmon)
\ No newline at end of file
+(https://github.com/ion-storm/Graylog_Sysmon)

From c7c362710dbd94b21f3b543011e3dd7903332e1a Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Thu, 1 Sep 2022 17:19:45 -0400
Subject: [PATCH 339/471] Merge in Sysmon ATT&CK Changes Update to Sysmon v14
 compatibility.

---
 sysmonconfig-export.xml | 8346 +++++++++++++++++++++++++--------------
 1 file changed, 5365 insertions(+), 2981 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 95460ef3..79fd3ea8 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1,1247 +1,2409 @@
 <!--
-  sysmon-config | A sysmon configuration focused on default high-quality event tracing and easy customization by the community
-  Master version:	50 | Date: 2017-03-02
-  Master author:	@SwiftOnSecurity, with contributors also credited in-line or on Git.
-  Master project:	https://github.com/SwiftOnSecurity/sysmon-config
-  Master license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
+	   ____                           ___ ________________    _______ __
+	  / __/_ _____ __ _  ___  ___    / _ /_  __/_  __/ __/___/ ___/ //_/
+	 _\ \/ // (_-</  ' \/ _ \/ _ \  / __ |/ /   / /  > _/_ _/ /__/ ,<   
+	/___/\_, /___/_/_/_/\___/_//_/ /_/ |_/_/   /_/  |_____/ \___/_/|_|  
+		/___/                                                           
+	author:	ionstorm
+	project:	https://github.com/ion-storm/sysmon-config
+	license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
+	Methodology: Detect the Most Techniques per Data source in MITRE ATT&CK.
+				 Provide Visibility into Forensic Artifact Events for UEBA.
+				 Detect Exploitation events with wide CVE Coverage.
+				 Risk Scoring of CVE, UEBA, Forensic, MITRE ATT&CK Events.
+				 
+				 Tags Added:
+				 Attack: Mitre ATT&CK Identifier
+				 Technique: Mitre ATT&CK Technique
+				 Tactic: Mitre ATT&CK Tactic
+				 Alert: Alert Text for SIEM/XDR
+				 Info: Informational Alert Text
+				 Level: The level field contains one of five string values. It describes the criticality of a triggered rule. 
+				 While low and medium level events have an informative character, events with high and critical level should 
+				 lead to immediate reviews by security analysts.
+				 
+				 Rapid Response Tags: (for EDR/XDR/SIEM Response & Automation)
+				 kp=y 	Kill process with child processes
+				 kpp=y 	Kill Parent Processes & all Child Processes
+				 kc=y    Kill network connections
+				 ki=y    Kill Injected Thread
+				 sd=y 	Shutdown System
+				 fw=y	Add Windows Firewall Rule to block inbound/outbound network connectivity from process
+				 yara=y  Yara Scan file
+				 ydel=y  Delete on Yara Detection
+				 rf=y    Restore Deleted File
+				 nr=y 	Null route ip
+				 iso=y Isolate Host
+				 SD=y Service Desk Ticket
+				 SOC=y SOC Ticket Creation
+				 
+				 Risk Score ratings: (Risk=??)
+				 Low Risk: 1-39
+				 Medium Risk: 40-69
+				 High Risk: 70-89
+				 Critical Risk: 90-100
+				 
+				 Levels: (from Sigma)
+				 (0) informational: Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered 
+				 by such rules because it is expected that a huge amount of events will match these rules.
+				 (1) low: Notable event but rarely an incident. Low rated events can be relevant in high numbers or combination with others. 
+				 Immediate reaction shouldn't be necessary, but a regular review is recommended.
+				 (2) medium: Relevant event that should be reviewed manually on a more frequent basis.
+				 (3) high: Relevant event that should trigger an internal alert and requires a prompt review.
+				 (4) critical: Highly relevant event that indicates an incident. Critical events should be reviewed immediately.
+				 
+				 False Positive Rates: (FP=?)
+				 (0) Zero False Positives rate
+				 (1) Some False Positives rate
+				 (2) Medium False Positive rate
+				 (3) High False Positive rate
+-->
+<Sysmon schemaversion="4.82">
+	<HashAlgorithms>md5,sha256,imphash</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
+	<CheckRevocation/>
+	<EventFiltering>
+	<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
+	<RuleGroup name="RG=ProcessCreate Include Group" groupRelation="or">
+		<ProcessCreate onmatch="include">
+			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
+			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
+			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,Level=3,Alert=Nessus Scan Detected,Risk=100" groupRelation="or">
+				<ParentCommandLine condition="contains any">TEMP\nessus_;nessus_task_list</ParentCommandLine>
+				<CommandLine condition="contains any">TEMP\nessus_;nessus_task_list</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
+				<CommandLine condition="contains any">rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe</CommandLine>
+				<OriginalFileName condition="is any">advanced_port_scanner.exe;rcpping.exe;nc.exe;nc64.exe;netcat.exe;ncat.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe</OriginalFileName>
+				<Product condition="contains any">Network Scanner;Advanced IP Scanner</Product>
+			</Rule>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=4,Alert=ADFind.exe Discovery,Risk=100" groupRelation="or">
+				<OriginalFileName condition="contains">adfind</OriginalFileName>
+				<Product condition="contains">adfind</Product>
+				<CommandLine condition="contains any">-gcb -sc;/gcb /sc;-f (objectcategory=;/f (objectcategory=;trustdmp</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
 
-  Fork version:	300
-  Fork author:	ionstorm
-  Fork project:	https://github.com/ion-storm/sysmon-config
-  Fork license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
+			<!--MITRE ATT&CK TACTIC: Resource Development-->
+			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
+			<CommandLine name="Attack=T1584.002,Technique=Compromise Infrastructure: DNS Server,Tactic=Resource Development,Level=4,Alert=DNSCMD DLL exec" condition="contains">/serverlevelplugindll</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
+			<Rule name="Attack=T1587.003,Technique=Develop Capabilities: Digital Certificates,Tactic=Resource Development,Alert=netsh adding SSL Certificate,Risk=40" groupRelation="and">
+				<CommandLine condition="contains all">add;sslcert;http</CommandLine> 
+			</Rule>
+			<CommandLine name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Level=3,Alert=netsh removing SSL Certificate,Risk=40" condition="contains">http del sslcert</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
 
-  REQUIRED: Sysmon version 8.00 or higher, it's recommended you stay updated.
--->
+			<!--MITRE ATT&CK TACTIC: Initial Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
+			
+			<!--MITRE ATT&CK TACTIC: Execution-->
+			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,Level=3,Alert=WMI Execution Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains all">process;call;create</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,Level=3,Alert=Suspicious WMIC Commands,Risk=30" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains any">call set priority;call terminate;product get name;bios, get serialNumber;BIOS GET SERIALNUMBER;onboarddevice get;useraccount where name;useraccount get;path win32_networkadapter where index=;process list;useraccount get /ALL;useraccount list;qfe get description,installedOn /format:csv;process get caption,executablepath,commandline;service get name,displayname,pathname,startmode;share list;win32_share</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,UEBA=Execution Command Line tools by user,Risk=45" groupRelation="and">
+				<Image condition="contains any">\cmd.exe;WindowsTerminal;powershell</Image>
+				<ParentImage condition="image">explorer.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,UEBA=Powershell as cmd.exe child process,Risk=39" groupRelation="and">
+				<ParentImage condition="image">cmd.exe</ParentImage>
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+				<CommandLine condition="excludes">Get-ItemProperty HKLM:\software\wow6432node\microsoft\windows\currentversion\uninstall\</CommandLine>
+				<CommandLine condition="excludes">mysql server</CommandLine>
+				<CommandLine condition="excludes">select-object displayversion,displayname</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,Level=3,Alert=Powershell ran from Scripting Utilities,Risk=50" groupRelation="and">
+				<ParentImage condition="contains any">cscript.exe;wscript.exe</ParentImage>
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,Level=3,Alert=Powershell ran from cscript or wscript,Risk=50" groupRelation="and">
+				<ParentImage condition="contains any">cscript.exe;wscript.exe</ParentImage>
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=4,Alert=Powershell Launched from mshta,Risk=100" groupRelation="and">
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+				<ParentImage condition="image">mshta.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Visual Basic,Tactic=Execution,UEBA=Suspicious WSCRIPT Command Line,Risk=50" groupRelation="and">
+				<Image condition="contains any">wscript.exe;cscript.exe</Image>
+				<CommandLine condition="excludes any">IEX;Net.WebClient;ospp.vbs;powershell;slmgr.vbs;spiceworks_upload</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=2,Alert=Suspicious wscript commands,Risk=60" groupRelation="and">
+				<Image condition="image">wscript.exe</Image>
+				<CommandLine condition="contains">.jse</CommandLine>
+				<CommandLine condition="contains">.js</CommandLine>
+				<CommandLine condition="contains">.vba</CommandLine>
+				<CommandLine condition="contains">.vbe</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=2,Alert=cscript execution,Risk=60" groupRelation="and">
+				<Image condition="image">cscript.exe</Image>
+				<CommandLine condition="contains">.js</CommandLine>
+				<CommandLine condition="contains">.jse</CommandLine>
+				<CommandLine condition="contains">.vba</CommandLine>
+				<CommandLine condition="contains">.vbe</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=4,Alert=Suspicious or Malicious mshta exec,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">mshta vbscript:CreateObject("Wscript.Shell");mshta vbscript:Execute("Execute;mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe;javascript:a=</CommandLine>
+				<CommandLine condition="contains any">.jpg;.png;.lnk;.xls;.doc;.zip;.sct;.hta</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059.003,Technique=Scripting,Tactic=Execution,Level=4,Alert=Possible WinNTI Malware,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">C:\Windows\Temp\hpqhvind.exe;C:\ProgramData\DRM\;Test.exe</ParentImage>
+				<Image condition="contains any">C:\ProgramData\DRM;wmplayer.exe;C:\ProgramData\DRM\CLR\CLR.EXE</Image>
+			</Rule>
+			<Rule name="T1204,Technique=User Execution,Tactic=Execution,UEBA=Registry Editor Opened by user,Risk=70" groupRelation="and">
+				<Image condition="image">regedit.exe</Image>
+				<ParentImage condition="image">explorer.exe</ParentImage>
+			</Rule>
+			<Rule name="T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Generic User Execution,Risk=1" groupRelation="and">
+				<ParentImage condition="image">explorer.exe</ParentImage>
+			</Rule>
+			<Rule name="UEBA=Unusual Child Process,Risk=30" groupRelation="and">
+				<Image condition="is any">svchost.exe;spoolsv.exe;taskhostw.exe;userinit.exe;smss.exe;csrss.exe;wininit.exe;winlogon.exe;lsass.exe;logonui.exe;services.exe</Image>
+				<Image condition="contains any">C:\windows\System32\;C:\windows\syswow64\</Image>
+				<ParentImage condition="excludes any">wininit.exe;winlogon.exe;services.exe;dwm.exe;System;smss.exe;svchost.exe</ParentImage>
+			</Rule>
+			<Rule name="UEBA=Unusual Print Spooler Child Process,Risk=30" groupRelation="and">
+				<ParentImage condition="contains any">\spoolsv.exe;\PrintIsolationHost.exe</ParentImage>
+				<Image condition="excludes any">C:\Windows\System32\spoolsv.exe;\GPLGS\gswin32c.exe;C:\Windows\System32\spool\drivers\;\bin\gswin64c.exe;C:\PROGRA~2\CUTEPD~1\;C:\Windows\EEFPrinter.exe</Image>
+				<CommandLine condition="excludes any">C:\Windows\system32\spool\DRIVERS</CommandLine>
+				<Company condition="excludes any">Brother Industries;Thomson Reuters</Company>
+			</Rule>
+			<ParentCommandLine name="Attack=T1059.001,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=4,Alert=Metasploit Detection,Risk=90" condition="contains">COMSPEC</ParentCommandLine>
+			<CommandLine name="Level=0,Desc=ScriptFile execution" condition="contains">ScriptFile</CommandLine>
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\7z</CommandLine><!-- exec from 7zip -->
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\Temp1_</CommandLine><!-- exec from explorer -->
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">\AppData\Local\Temp\Rar$</CommandLine><!-- exec from winrar -->
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
+			<Rule name="Attack=T1059.001,Technique=Scripting,Tactic=Execution,Level=3,Alert=Powershell Launched from users folder,Risk=60" groupRelation="and">
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+				<ParentImage condition="begin with">C:\users\</ParentImage>
+				<ParentImage condition="excludes">Microsoft VS Code\Code.exe</ParentImage>
+				<ParentImage condition="excludes">\Deployment tool extract\setupodt.exe</ParentImage>
+			</Rule>
+			<CommandLine name="Attack=T1059.001,Technique=PowerShell,Tactic=Execution,Level=4,Alert=invoke-shellcode,Risk=100" condition="contains">Shellcode</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
+			<Image name="Level=4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
+			<Image name="Level=0,Desc=Python Execution,Tactic=Privilege Escalation" condition="image">python.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
+			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,Level=3,Alert=JAVA DLL exec" condition="contains">-agentpath:</CommandLine>
+			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,Level=3,Alert=JAVA DLL exec" condition="contains">-agentlib:</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Browser Exploitation Detected,Risk=90" groupRelation="and">
+				<ParentImage condition="contains any">iexplore.exe;chrome.exe;firefox.exe;browser_broker.exe;vivaldi.exe;microsoftedge.exe;microsoftedgecp.exe;brave.exe;vivaldi.exe</ParentImage>
+				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
+				<ParentCommandLine condition="excludes any">apt-config</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Office Exploitation Detection,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe</ParentImage>
+				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
+				<CommandLine condition="excludes all">.cmd;-</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\system32\spool\DRIVERS\</CommandLine>
+				<CommandLine condition="excludes">PhotoViewer.dll</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Alert=Office Spawning exe within: User Home Dirs,Risk=80" groupRelation="and">
+				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe</ParentImage>
+				<Image condition="begin with">C:\Users\</Image>
+				<Image condition="end with">.exe</Image>
+				<Product condition="excludes">Zoom Video</Product>
+				<Product condition="excludes">Firefox</Product>
+				<Product condition="excludes">Microsoft Edge</Product>
+				<Product condition="excludes">Microsoft Teams</Product>
+				<Image condition="excludes">GrammarlyAddInSetupe</Image>
+				<Image condition="excludes">Teams.exe</Image>
+				<Image condition="excludes">Zoom.exe</Image>
+				<Image condition="excludes">browser_broker.exe</Image>
+				<Image condition="excludes">chrome.exe</Image>
+				<Image condition="excludes">edge.exe</Image>
+				<Image condition="excludes">firefox.exe</Image>
+				<Image condition="excludes">iexplore.exe</Image>
+				<Image condition="excludes">vivaldi.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Info=Office Spawning exe within: ProgramData,Risk=70" groupRelation="and">
+				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe</ParentImage>
+				<Image condition="begin with">C:\ProgramData\</Image>
+				<Product condition="excludes">Firefox</Product>
+				<Product condition="excludes">Microsoft Edge</Product>
+				<Product condition="excludes">Microsoft Teams</Product>
+				<Product condition="excludes">Zoom Video</Product>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Adobe Exploitation Detection,Risk=80" groupRelation="and">
+				<ParentImage condition="contains any">acrobat.exe;acrord32.exe</ParentImage>
+				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Web Server Exploitation Detected,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">apache;w3wp.exe;php-cgi.exe;nginx.exe;httpd.exe;tomcat;php.exe</ParentImage>
+				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Web Server Spawned cmd shell,Risk=100" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>				
+				<CommandLine condition="excludes any">ping 127.0.0.1</CommandLine>				
+				<CurrentDirectory condition="is">c:\windows\system32\inetsrv\</CurrentDirectory>				
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=SQL Server Exploitation Detected,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">sqlservr</ParentImage>
+				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office MSHTML Exploit,Risk=100,CVE=CVE-2021-40444" groupRelation="and">
+				<ParentImage condition="contains any">winword.exe;powerpnt.exe;excel.exe</ParentImage>
+				<Image condition="is">control.exe</Image>
+				<CommandLine condition="excludes any">input.dll</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Follina msdt Exploit,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<Image condition="is">msdt.exe</Image>
+				<OriginalFileName condition="is">msdt.exe</OriginalFileName>
+				<CommandLine condition="contains all">BrowseForFile=;PCWDiagnostic</CommandLine>
+				<CommandLine condition="contains any">/af;-af</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=msdt via answer file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<Image condition="is">msdt.exe</Image>
+				<ParentImage condition="is not">pcwrun.exe</ParentImage>
+				<CommandLine condition="contains">PCWDiagnostic</CommandLine>
+				<CommandLine condition="contains any">/af;-af</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=msdt via diagcab file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<Image condition="is">msdt.exe</Image>
+				<CommandLine condition="contains any">/cab;-cab</CommandLine>
+				<CommandLine condition="contains">.diagcab</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=MSDT Executed with Suspicious Parent,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<ParentImage condition="contains any">powershell.exe;pwsh.exe;cmd.exe;mshta.exe;cscript.exe;wscript.exe;wsl.exe;rundll32.exe;regsvr32.exe</ParentImage>
+				<Image condition="is">msdt.exe</Image>
+			</Rule>
+			<ParentImage condition="image" name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Exploit - Equation Editor starts application,CVE=CVE-2017-11882">EQNEDT32.EXE</ParentImage> <!-- https://app.any.run/tasks/dfea0112-6fbe-4091-9161-1e8f25f611b0/-->
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=EPS Processing 0day,Risk=100,CVE=CVE-2017-0261" groupRelation="and">
+				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</ParentImage>
+				<Image condition="is">FLTLDR.EXE</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
+			<CommandLine name="Attack=T1559.002,Technique=Dynamic Data Exchange,Tactic=Execution" condition="contains any">/dde;-dde</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Native API-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=2,Alert=Scheduled Task Created,Risk=100" groupRelation="and">
+				<Image condition="image">schtasks.exe</Image>
+				<CommandLine condition="contains any">/create;-create;/change;-change</CommandLine>
+				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
+			</Rule>
+			<OriginalFileName name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=2,Alert=Scheduled Task Created,Risk=1" condition="is">taskeng.exe</OriginalFileName>
+			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=0,Desc=Schtasks task Run,Risk=60" groupRelation="and">
+				<Image condition="image">schtasks.exe</Image>
+				<CommandLine condition="contains any">/Run;-run</CommandLine>
+				<CommandLine condition="excludes">Sentinel\AutoRepair</CommandLine>
+				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
+			</Rule>
+			<ParentImage name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Level=2,Alert=Child process from schtasks" condition="image">schtasks.exe</ParentImage>
+			<Image name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</Image>
+			<ParentImage name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</ParentImage>
+			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=0,Desc=Scheduled Task Started,Risk=0" groupRelation="and">
+				<ParentImage condition="image">C:\Windows\System32\svchost.exe</ParentImage>
+				<ParentCommandLine condition="contains all">netsvcs;-p;-s;Schedule</ParentCommandLine>
+				<CommandLine condition="excludes all">netsvcs;-p;-s;Schedule</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: System Services-->
+			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution,Level=0,Desc=Service Stop detected,Risk=0" groupRelation="and">
+				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
+				<CommandLine condition="contains">stop</CommandLine>
+				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution,Level=0,Desc=NET.EXE Service Start detected,Risk=30" groupRelation="and">
+				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
+				<CommandLine condition="contains">start</CommandLine>
+				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=3,Alert=Impacket Detection 1,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">wmiprvse.exe;mmc.exe;explorer.exe;services.exe</ParentImage>
+				<CommandLine condition="contains all">&#38;1;cmd.exe;\\127.0.0.1\;/Q /c</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=3,Alert=Impacket Detection 2,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">wmiprvse.exe;mmc.exe;explorer.exe;services.exe</ParentImage>
+				<CommandLine condition="contains all">&#38;1;cmd.exe;\\127.0.0.1\;-Q -c</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PowerSploit/Empire Persistence,Risk=100" groupRelation="and">
+				<CommandLine condition="contains all">schtasks;Create;ONLOGON;TN;Updater;TR;powershell</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence/Privilege Escalation,Level=2,Alert=Service added via SC,Risk=100" groupRelation="and">
+				<Image condition="image">sc.exe</Image>
+				<CommandLine condition="contains">create</CommandLine>
+				<CurrentDirectory condition="excludes any">\NIC_Emulex_Firmware\;C:\Windows\Temp\ExchangeSetup\</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Privilege Escalation,Level=3,Alert=Shell as System Service,Risk=100" groupRelation="and">
+				<Image condition="contains any">cmd.exe;powershell.exe</Image>
+				<ParentImage condition="image">services.exe</ParentImage>
+			</Rule>
+			<CommandLine name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence,Level=2,Alert=Service added via Powershell,Risk=50" condition="contains">new-service</CommandLine>
+			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSEXESVC Child Process,Risk=100" condition="image">psexesvc.exe</ParentImage>
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec Execution,Risk=100" groupRelation="or">
+				<Description condition="contains">Execute processes remotely</Description>
+				<Image condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
+				<Description condition="contains">PsExec Service</Description> 
+				<Description condition="contains">PsExec Launched</Description> 
+			</Rule>
+			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec Child Process,Risk=100" condition="image">psexec.exe</ParentImage>
+			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=2,Alert=PSKill Execution,Risk=100" condition="image">pskill.exe</ParentImage>
+			<Image name="Attack=T1035,Technique=Service Execution,Tactic=Execution,Level=2,Alert=PsKill Command" condition="contains">pskill</Image><!--Detect pskill-->
 
-<Sysmon schemaversion="4.10">
-	<!--SYSMON META CONFIG-->
-	<HashAlgorithms>md5,imphash,sha256</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
-	<CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->
+			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=AstraRoth Command Line detection" groupRelation="and">
+				<CommandLine condition="contains">&amp;&amp; type</CommandLine>
+				<CommandLine condition="contains">&gt;</CommandLine>
+				<CommandLine condition="contains">cmd.exe" /c cd</CommandLine>
+			</Rule>
+			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=3,Alert=Suspicious or Malicious Command Line events" groupRelation="and">
+				<CommandLine condition="contains any">ntdsutil;/set {default} recoveryenabled no;telnet ;-dumpcr;putty;bash.exe;pssh;shareenum;sekurlsa;reg save;reg  save;psscan;shellexec;vbscript:createobject;/output:clipboard;root\\default;root\\subscription;Wmiclass;WmiCl'+'as'+'s</CommandLine>
+			</Rule>
+			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Powershell Suspicious or Malicious events" groupRelation="or">
+				<CommandLine condition="contains any">ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy</CommandLine>
+				<ParentCommandLine condition="contains any">ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy</ParentCommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Ramnit Banker Malware,Risk=100" condition="contains">--disable-http2 --disable-quic</CommandLine>
+			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=DNSpionage Link click,Risk=100" condition="contains">/Client/Login?id=</CommandLine>
+			<ParentCommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=4,Alert=Emotet Child Process Detected" condition="contains">JABzA</ParentCommandLine>
+			<!--Suspicious/Malicious Hash Detection-->
+			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Malicious Hash Detected" groupRelation="or">
+				<Hashes condition="contains any">2f40abbb4f78e77745f0e657a19903fc953cc664;478dc5a5f934c62a9246f7d1fc275868f568bc07;37b4496e650b3994312c838435013560b3ca8571;37b4496e650b3994312c838435013560b3ca8571;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;807d86da63f0db1fc746d1f0b05bc357;849a2b0dc80aeca3d175c139efe5221c;86A4CAC227078B9C95C560C8F0370BF0;98908ce6f80ecc48628c8d2bf5b2a50c;a4b42c2c95d1f2ff12171a01c86cd64f;4abe604916c04fe3dd8b9cb3d501d3f;eac3e3ece94bc84e922ec077efb15edd;128CECC59C91C0D0574BC1075FE7CB40;88777aacd5f16599547926a4c9202862;0f49621b06f2cdaac8850c6e9581a594;17a36ac3e31f3a18936552aff2c80249;322cb39bc049aa69136925137906d855;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;3d129263f6a48647f103a04446fb0c2f;37cd353621b0f4fc6981b50071c94f01;1b60021baedc3f9201bcdb40e9b87f62;71345b139166482acaa568ac8816c7bc;5E022694C0DBD1FBBC263D608E577949;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc5733c013378fa418d13773f5bfe6f1;c579341f86f7e962719c7113943bb6e4;d326e629a90e78825645963b35e53a6a;5E022694C0DBD1FBBC263D608E577949;53841a0c6a3ff92976db08bfdf95e083;dc7e564809d6c2a2f3457c3c9b91f22b;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b;FE2CA1BE3BDA2A757036A89E54CC02DB;FE2CA1BE3BDA2A757036A89E54CC02DB</Hashes>
+			</Rule>
+			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=4,Alert=TajMahal APT Tool Detection,Risk=100" condition="contains any">22d142f11cf2a30ea4953e1fffb0fa7e;2317d65da4639f4246de200650a70753;27612cb03c89158225ca201721ea1aad;412956675fbc3f8c51f438c1abc100eb;daf2da52475fd8981b19ec3c321a983c;490a140093b5870a47edc29f33542fd2;51a7068640af42c3a7c1b94f1c11ab9d;533340c54bd25256873b3dca34d7f74e;684eca6b62d69ce899a3ec3bb04d0a5b;69a19abf5ba56ee07cdd3425b07cf8bf;6cfd131fef548fcd60fbcdb59317df8e;72dc98449b45a7f1ccdef27d51e31e91;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;80c37e062aa4c94697f287352acf2e9d;815f1f8a7bc1e6f94cb5c416e381a110;a43d3b31575846fa4c3992b4143a06da;08e82dc7bae524884b7dc2134942aadb;7bcd736a2394fc49f3e27b3987cce640;57314359df11ffdf476f809671ec0275;b72737b464e50aa3664321e8e001ff32;ce8ce92fb6565181572dce00d69c24f8;5985087678414143d33ffc6e8863b887;84730a6e426fbd3cf6b821c59674c8a0;d5377dc1821c935302c065ad8432c0d2;d8f1356bebda9e77f480a6a60eab36bb;92f8e3f0f1f7cc49fad797a62a169acd;9003cfaac523e94d5479dc6a10575e60;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;c1e7850da5604e081b9647b58248d7e8;99828721ac1a0e32e4582c3f615d6e57;f559c87b4a14a4be1bd84df6553aaf56;b9c208ea8115232bfd9ec2c62f32d6b8;061089d8cb0ca58e660ce2e433a689b3;0e9afd3a870906ebf34a0b66d8b07435;9c115e9a81d25f9d88e7aaa4313d9a8f;520ee02668a1c7b7c262708e12b1ba6b;7bfba2c69bed6b160261bdbf2b826401;77a745b07d9c453650dd7f683b02b3ed;3a771efb7ba2cd0df247ab570e1408b2;0969b2b399a8d4cd2d751824d0d842b4;fc53f2cd780cd3a01a4299b8445f8511;4e39620afca6f60bb30e031ddc5a4330;bfe3f6a79cad5b9c642bb56f8037c43b;3dfebce4703f30eed713d795b90538b5;9793afcea43110610757bd3b800de517;36db24006e2b492cafb75f2663f241b2;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;649ef1dd4a5411d3afcf108d57ff87af;320b2f1d9551b5d1df4fb19bd9ab253a;3d75c72144d873b3c1c4977fbafe9184;b9cf4301b7b186a75e82a04e87b30fe4;b4e67706103c3b8ee148394ebee3f268;7bfbd72441e1f2ed48fbc0f33be00f24;cdb303f61a47720c7a8c5086e6b2a743;2a6f7ec77ab6bd4297e7b15ae06e2e61;8403a28e0bffa9cc085e7b662d0d5412;3ffd2915d285ad748202469d4a04e1f5;04078ef95a70a04e95bda06cc7bec3fa;235d427f94630575a4ea4bff180ecf5d;8035a8a143765551ca7db4bc5efb5dfd;cacaa3bf3b2801956318251db5e90f3c;1aadf739782afcae6d1c3e4d1f315cbd;c3e255888211d74cc6e3fb66b69bbffb;d9e9f22988d43d73d79db6ee178d70a4;16ab79fb2fd92db0b1f38bedb2f02ed8;8da15a97eaf69ff7ee184fc446f19cf1;ffc7305cb24c1955f9625e525d58aeee;c0e72eb4c9f897410c795c1b360090ef;9ad6fa6fdedb2df8055b3d30bd6f64f1;44619a88a6cff63523163c6a4cf375dd;a571660c9cf1696a2f4689b2007a12c7;81229c1e272218eeda14892fa8425883;0ac48cfa2ff8351365e99c1d26e082ad;afcdf79be1557326c854b6e20cb900a7</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
+			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" condition="contains">a53a02b997935fd8eedcb5f7abab9b9f</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
+			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" condition="contains">e96a73c7bf33a464c510ede582318bf2</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
+			<Image name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=Emotet Execution Detected,Risk=100" condition="contains">serialfunc.exe</Image>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection" groupRelation="and">
+				<CommandLine condition="contains any">e PAA;en PAA;enc PAA;enco PAA;encode PAA;encoded PAA;encodedco PAA;encodedcom PAA;encodedcomm PAA;encodedcomma PAA;encodedcomman PAA;encodedcommand PAA;e IAA;en IAA;enc IAA;enco IAA;encode IAA;encoded IAA;encodedco IAA;encodedcom IAA;encodedcomm IAA;encodedcomma IAA;encodedcomman IAA;encodedcommand IAA;e JAB;en JAB;enc JAB;enco JAB;encode JAB;encoded JAB;encodedco JAB;encodedcom JAB;encodedcomm JAB;encodedcomma JAB;encodedcomman JAB;encodedcommand JAB;e cwBFAFQA;en cwBFAFQA;enc cwBFAFQA;enco cwBFAFQA;encode cwBFAFQA;encoded cwBFAFQA;encodedco cwBFAFQA;encodedcom cwBFAFQA;encodedcomm cwBFAFQA;encodedcomma cwBFAFQA;encodedcomman cwBFAFQA;encodedcommand cwBFAFQA;e SQBFAF;en SQBFAF;enc SQBFAF;enco SQBFAF;encode SQBFAF;encoded SQBFAF;encodedco SQBFAF;encodedcom SQBFAF;encodedcomm SQBFAF;encodedcomma SQBFAF;encodedcomman SQBFAF;encodedcommand SQBFAF;e UwBFAFQA;en UwBFAFQA;enc UwBFAFQA;enco UwBFAFQA;encode UwBFAFQA;encoded UwBFAFQA;encodedco UwBFAFQA;encodedcom UwBFAFQA;encodedcomm UwBFAFQA;encodedcomma UwBFAFQA;encodedcomman UwBFAFQA;encodedcommand UwBFAFQA;e IABpAE4AdgBPAEsAZQAt;en IABpAE4AdgBPAEsAZQAt;enc IABpAE4AdgBPAEsAZQAt;enco IABpAE4AdgBPAEsAZQAt;encode IABpAE4AdgBPAEsAZQAt;encoded IABpAE4AdgBPAEsAZQAt;encodedco IABpAE4AdgBPAEsAZQAt;encodedcom IABpAE4AdgBPAEsAZQAt;encodedcomm IABpAE4AdgBPAEsAZQAt;encodedcomma IABpAE4AdgBPAEsAZQAt;encodedcomman IABpAE4AdgBPAEsAZQAt;encodedcommand IABpAE4AdgBPAEsAZQAt;e SQBmACgAJAB;en SQBmACgAJAB;enc SQBmACgAJAB;enco SQBmACgAJAB;encode SQBmACgAJAB;encoded SQBmACgAJAB;encodedco SQBmACgAJAB;encodedcom SQBmACgAJAB;encodedcomm SQBmACgAJAB;encodedcomma SQBmACgAJAB;encodedcomman SQBmACgAJAB;encodedcommand SQBmACgAJAB;e J;en J;enc J;enco J;encode J;encoded J;encodedco J;encodedcom J;encodedcomm J;encodedcomma J;encodedcomman J;encodedcommand J;e SUVY;en SUVY;enc SUVY;enco SUVY;encode SUVY;encoded SUVY;encodedco SUVY;encodedcom SUVY;encodedcomm SUVY;encodedcomma SUVY;encodedcomman SUVY;encodedcommand SUVY;e aWV4;en aWV4;enc aWV4;enco aWV4;encode aWV4;encoded aWV4;encodedco aWV4;encodedcom aWV4;encodedcomm aWV4;encodedcomma aWV4;encodedcomman aWV4;encodedcommand aWV4;e dmFy;en dmFy;enc dmFy;enco dmFy;encode dmFy;encoded dmFy;encodedco dmFy;encodedcom dmFy;encodedcomm dmFy;encodedcomma dmFy;encodedcomman dmFy;encodedcommand dmFy;e dgBhA;en dgBhA;enc dgBhA;enco dgBhA;encode dgBhA;encoded dgBhA;encodedco dgBhA;encodedcom dgBhA;encodedcomm dgBhA;encodedcomma dgBhA;encodedcomman dgBhA;encodedcommand dgBhA;e R2V0;en R2V0;enc R2V0;enco R2V0;encode R2V0;encoded R2V0;encodedco R2V0;encodedcom R2V0;encodedcomm R2V0;encodedcomma R2V0;encodedcomman R2V0;encodedcommand R2V0;e IAAgAH;en IAAgAH;enc IAAgAH;enco IAAgAH;encode IAAgAH;encoded IAAgAH;encodedco IAAgAH;encodedcom IAAgAH;encodedcomm IAAgAH;encodedcomma IAAgAH;encodedcomman IAAgAH;encodedcommand IAAgAH;e TVq;en TVq;enc TVq;enco TVq;encode TVq;encoded TVq;encodedco TVq;encodedcom TVq;encodedcomm TVq;encodedcomma TVq;encodedcomman TVq;encodedcommand TVq;e aQBIA;en aQBIA;enc aQBIA;enco aQBIA;encode aQBIA;encoded aQBIA;encodedco aQBIA;encodedcom aQBIA;encodedcomm aQBIA;encodedcomma aQBIA;encodedcomman aQBIA;encodedcommand aQBIA;e UEs;en UEs;enc UEs;enco UEs;encode UEs;encoded UEs;encodedco UEs;encodedcom UEs;encodedcomm UEs;encodedcomma UEs;encodedcomman UEs;encodedcommand UEs;e H4s;en H4s;enc H4s;enco H4s;encode H4s;encoded H4s;encodedco H4s;encodedcom H4s;encodedcomm H4s;encodedcomma H4s;encodedcomman H4s;encodedcommand H4s;e dXNpbm;en dXNpbm;enc dXNpbm;enco dXNpbm;encode dXNpbm;encoded dXNpbm;encodedco dXNpbm;encodedcom dXNpbm;encodedcomm dXNpbm;encodedcomma dXNpbm;encodedcomman dXNpbm;encodedcommand dXNpbm;e cwBhA;en cwBhA;enc cwBhA;enco cwBhA;encode cwBhA;encoded cwBhA;encodedco cwBhA;encodedcom cwBhA;encodedcomm cwBhA;encodedcomma cwBhA;encodedcomman cwBhA;encodedcommand cwBhA;JABzA</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection 2" groupRelation="and">
+				<CommandLine condition="contains all">FromBase64String</CommandLine>
+				<CommandLine condition="contains any">JAB;SUVY;aWV4;dmFy;dgBhA;R2V0;SQBFAF;TVq;aQBIA;UEs;H4s;dXNpbm;cwBhA</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection 3" groupRelation="and">
+				<CommandLine condition="contains any">/v Word experienced;/v Excel experienced;-v Word experienced;-v Excel experienced</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection 4" groupRelation="and">
+				<CommandLine condition="contains any">JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ;QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA;kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA;IgAoACcAKgAnACkAOwAkA;IAKAAnACoAJwApADsAJA;iACgAJwAqACcAKQA7ACQA</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Obfuscated Emotet Command Line detection" groupRelation="and">
+				<CommandLine condition="contains any">e^;^en^;^nc</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Suspicious Obfuscation Character" groupRelation="and">
+				<CommandLine condition="contains">^</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Suspicious Directory Traversal" groupRelation="and">
+				<CommandLine condition="contains any">..\;\..</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Formbook detections" groupRelation="and">
+				<CommandLine condition="contains any">\cmd.exe /c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe /c del "C:\Users\*\Desktop\*.exe;\cmd.exe -c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe -c del "C:\Users\*\Desktop\*.exe</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=QBot Process Creation,Risk=100" condition="contains any">ping.exe -n 6 127.0.0.1 &#38;ping.exe /n 6 127.0.0.1 &#38; type</CommandLine>
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=Powershell RAW ping,Risk=100" condition="contains">System.Net.Networkinformation.ping</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
+			<Image name="Attack=T1158,Technique=Windows Management Instrumentation,Tactic=Execution,Level=0,Desc=Mofcomp execution or persistence,Risk=50" condition="image">mofcomp.exe</Image>
 
-	<!-- <ImageLoad/> --> <!-- Would manually force-on ImageLoad monitoring, even without configuration below. Included only documentation. -->
-	<!-- <ProcessAccessConfig/> --> <!-- Would manually force-on ProcessAccess monitoring, even without configuration below. Included only documentation. -->
-	<!-- <PipeMonitoringConfig/> --> <!-- Would manually force-on PipeCreated / PipeConnected events, even without configuration below. Included only documentation. -->
+			<!--MITRE ATT&CK TACTIC: Persistence-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
+			<Rule name="Attack=T1098,Technique=Account Manipulation,Tactic=Credential Access/Persistence,Level=3,Alert=Account Manipulation,Risk=80" groupRelation="and">
+				<Image condition="contains any">net.exe;net1.exe;net2.exe</Image>
+				<CommandLine condition="contains any">user;group;localgroup</CommandLine>
+				<CommandLine condition="contains any">remove;delete;active;del</CommandLine>
+				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
+			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
+			<Rule name="Attack=T1098,Technique=Create Account,Tactic=Persistence,Level=3,Alert=Account Created,Risk=80" groupRelation="and">
+				<Image condition="contains any">net.exe;net1.exe;net2.exe</Image>
+				<CommandLine condition="contains">user</CommandLine>
+				<CommandLine condition="contains any">add</CommandLine>
+				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
+			</Rule>
+			<Image name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsmod,Risk=100" condition="image">dsmod.exe</Image>
+			<Image name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Level=3,Alert=Account Creation via command line,Alert=Account creation with dsadd,Risk=100" condition="image">dsadd.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
 
-	<EventFiltering>
-	<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
-		<!--COMMENT:	All process launched will be included, except for what matches a rule below. It's best to be as specific as possible, to
-			avoid user-mode executables imitating other process names to avoid logging, or if malware drops files in an existing directory.
-			Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created.
-			Beware of Masquerading, where attackers imitate the names and paths of legitimate tools. Ideally, you'd use both file path and
-			code signatures to validate, but Sysmon does not support that. Look into Windows Device Guard for whitelisting support. -->
-		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
-		<ProcessCreate onmatch="include">
-			<!--Mitre ATT&CK Rules-->
-			<!--MITRE TACTIC: Defense Evasion-->
-			<ParentImage name="Alert=Unknown Process Execution" condition="contains">unknown process</ParentImage>
-			<Image name="Alert=Unknown Process Execution" condition="contains">unknown process</Image>
-			<Image name="MitreRef=T1117,Technique=Regsvr32-Defense Evasion/Execution" condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
-			<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion,Alert=BitsAdmin File Transfers" condition="image">bitsadmin.exe</Image>
-			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="image">eventvwr.exe</ParentImage>
-			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="image">fodhelper.exe</ParentImage>
-			<Image name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution,Alert=InstallUtil" condition="image">InstallUtil.exe</Image>
-			<CommandLine name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution,Alert=InstallUtil" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
-			<Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="image">MSBuild.exe</Image>
-	        <Image name="MitreRef=T1121,Technique=Regsvcs/Regasm Bypass,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="image">regsvcs.exe</Image>
-			<Image name="MitreRef=T1121,Technique=Regsvcs/Regasm Bypass,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="image">regasm.exe</Image>
-			<Image name="MitreRef=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="image">SyncAppvPublishingServer.exe</Image>
-			<Image name="MitreRef=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion/Execution" condition="image">control.exe</Image>
-	        <CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution,Alert=Control Panel Execution" condition="contains">control.exe /name</CommandLine>
-			<CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution,Alert=Control Panel Execution" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
-			<Image name="MitreRef=T1170,Technique=MSHTA,Tactic=Defense Evasion/Execution,Alert=MSHTA Execution" condition="image">mshta.exe</Image>
-			<ParentImage name="MitreRef=T1170,Technique=MSHTA,Tactic=Defense Evasion/Execution,Alert=MSHTA Execution" condition="image">mshta.exe</ParentImage>
-			<Image name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion" condition="image">wevutil.exe</Image>
-			<CommandLine name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion,Alert=Eventlog Removal Detected" condition="contains">wevutil cl</CommandLine>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution,Alert=Font Folder execution" condition="begin with">C:\Windows\Fonts\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Fonts\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="contains">\htdocs\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Media\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\Public\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\addins\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Debug\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\NetworkService\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\PerfLogs\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\Default\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Help\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Intel\Logs\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\repair\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\$Recycle.bin\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\security\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="contains">\wwwroot\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="contains">\htdocs\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Media\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\addins\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\ProgramData</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\NetworkService\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Debug\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Temp</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Temp</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\PerfLogs\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\Default\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Help\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Intel\Logs\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\repair\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\$Recycle.bin\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\Public\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\security\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Fonts\</Image>
-			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="contains">\wwwroot\</Image>
-			<Image condition="image" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089">MpCmdRun.exe</Image>
-			<Image condition="image" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089">PsKill.exe</Image>
-			<CommandLine condition="contains" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089">DisableIOAVProtection</CommandLine>
-			<CommandLine condition="contains" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089">RemoveDefinitions</CommandLine>
-			<CommandLine condition="contains" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089">Add-MpPreference</CommandLine>
-			<!--MITRE TACTIC: Discovery-->
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net user</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net  user</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe user</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe  user</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1 user</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1  user</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1.exe user</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1.exe  user</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net localgroup</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net  localgroup</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe localgroup</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe  localgroup</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1 localgroup</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1  localgroup</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net  group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net  group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe  group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net  group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe  group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1.exe group</CommandLine>
-			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="begin with">net1.exe  group</CommandLine>
-			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account Creation" condition="begin with">dsadd </CommandLine>
-			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account Creation" condition="begin with">dsmod </CommandLine>
-			<Image name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=DSQuery.EXE Discovery" condition="image">dsquery.exe</Image><!-- Query domain-->
-			<Image name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsmod" condition="image">dsmod.exe</Image><!-- Query domain-->
-			<Image name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsadd" condition="image">dsadd.exe</Image><!-- Query domain-->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=Account Discovery,MitreURL= https://attack.mitre.org/wiki/Technique/T1049" condition="image">whoami.exe</Image>
-			<Image name="MitreRef=T1049,Technique=Discovery,Tactic=Discovery" condition="image">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
-			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery,Alert=Process Discovery" condition="image">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
-			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery,Alert=System Information Discovery" condition="image">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=System Network Connections Discovery" condition="image">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
-			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery,Alert=Process Discovery" condition="image">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=User enumeration/Discovery" condition="image">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
-			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Alert=Network Configureation discovery with route.exe" condition="image">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
-			<CommandLine name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery,Info=System information discovery with reg.exe" condition="contains">reg query</CommandLine> <!--Microsoft:Windows: reads and modifies the Windows register -->
-			<CommandLine name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery,Info=System information discovery with reg.exe" condition="contains">reg.exe query</CommandLine> <!--Microsoft:Windows: reads and modifies the Windows register -->
-			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=Network Connection Discovery with netsh" condition="image">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
-			<!--MITRE TACTIC: Execution-->
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">wscript.exe</Image>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">pcalua.exe</Image>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">cscript.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">wscript.exe</ParentImage>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">pcalua.exe</ParentImage>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">cscript.exe</ParentImage>
-			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution,Alert=Metasploit Detection" condition="contains">COMSPEC</CommandLine>
-			<ParentCommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution,Alert=Metasploit Detection" condition="contains">COMSPEC</ParentCommandLine>
-			<ParentImage condition="image" name="MitreRef=T1086,Technique=Powershell,Tactic=Execution">powershell.exe</ParentImage>
-			<ParentImage condition="image" name="MitreRef=T1086,Technique=Powershell,Tactic=Execution">powershell_ise.exe</ParentImage>
-			<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="begin with">powershell.exe -Version</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
-			<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="contains">powershell</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
-			<ParentCommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="contains">powershell</ParentCommandLine> <!--Microsoft:Windows: PowerShell interface-->
-			<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution,Alert=Powershell Downgrade attack" condition="begin with">powershell -Version</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">Invoke-Expression</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">iwr</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">Invoke-WebRequest</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">DownloadFile</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">DownloadString</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">Net.WebClient</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.WebRequest</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.SecurityProtocolType</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=invoke-shellcode" condition="contains">Shellcode</CommandLine>
-			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Bash on Windows Execution" condition="image">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
-			<ParentImage name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Bash on windows execution" condition="image">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
-			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=Child Process of psexec" condition="image">psexesvc.exe</ParentImage>
-			<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSexec Execution" condition="contains">Execute processes remotely</Description>
-			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSexec Execution" condition="image">psexec.exe</ParentImage>
-			<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSexec Execution" condition="contains">Execute processes remotely</Description>
-			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSKill Execution" condition="image">pskill.exe</ParentImage>
-			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">forfiles.exe</Image>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect command execution child process" condition="image">forfiles.exe</ParentImage>
-			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="image">pcalua.exe</ParentImage>
-			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution,Alert=Windows Remote Management execution" condition="image">wsmprovhost.exe</Image>
-			<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution,Alert=Windows Remote Management execution" condition="image">wsmprovhost.exe</ParentImage>
-			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution,Alert=Windows Remote Management Execution" condition="end with">winrm.cmd</Image>
-			<!--MITRE TACTIC: Persistence-->
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation" condition="image">sethc.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">utilman.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">osk.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Magnify.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">DisplaySwitch.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Narrator.exe</ParentImage>
-			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">AtBroker.exe</ParentImage>
-			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation,Alert=Application Shimming" condition="image">sdbinst.exe</Image>
-			<Image name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=Task Scheduler execution" condition="image">schtasks.exe</Image>
-			<ParentImage name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=Child process from schtasks" condition="image">schtasks.exe</ParentImage>
-			<CommandLine name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=schtasks task created" condition="contains">schtasks /create</CommandLine>
-			<CommandLine name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=schtasks task created" condition="contains">schtasks.exe /create</CommandLine>
-			<Image name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=at.exe Task scheduler execution" condition="image">at.exe</Image>
-			<ParentImage name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=at.exe Task scheduler execution" condition="image">at.exe</ParentImage>
-			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement,Alert=Powershell Injection persistence bypass" condition="contains">System.Management.Automation</CommandLine>
-			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=User added by Command line" condition="contains">net user /add</CommandLine>
-			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Administrator added via Command Line,Alert=Adminstrator added via command line" condition="contains">net localgroup administrators /add</CommandLine>
-			<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via Command Line,Alert=Service added via command line" condition="contains">sc create</CommandLine>
-			<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via Command Line,Alert=Service added via command line" condition="contains">sc.exe create</CommandLine>
-			<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via Command Line,Alert=Service added via command line" condition="contains">new-service</CommandLine>
-			<!--MITRE TACTIC: Lateral Movement-->
-			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement,Alert=Hacking" condition="image">wmiprvse.exe</ParentImage>
-			<CommandLine name="MitreRef=T0000,Technique=Remote Desktop Shadow,Alert=Hacking/Remote Admin,Alert=Remote Desktop Shadow Alert" condition="contains">/shadow</CommandLine>
-			<CommandLine name="MitreRef=T0000,Technique=Remote Desktop Shadow,Alert=Hacking/Remote Admin,Alert=Remote Desktop Shadow with no Consent alert" condition="contains">/noConsentPrompt</CommandLine>
-			<!--MITRE TECHNIQUE: Obfuscation-->
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">FromBase64String</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect Secure Strings,Alert=Powershell Secure String creation" condition="contains">convertto-securestring</CommandLine>
-			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect some more obfuscation,Alert=Powershell Obfuscation with VerbosePreference" condition="contains">VerbosePreference.ToString</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">runtime.interopservices.marshal</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">VerbosePreference.ToString</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowstyle h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowstyl h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowsty h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowst h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windows h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-window h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windo h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-wind h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-wi h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-w h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-wi h</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hi</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hid</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hidd</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hidde</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hidden</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-Nop</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-Noni</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-encodedc</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-ec</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-en</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
-			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">C^om^S^pEc</CommandLine>
-			<!--Native Windows tools - Living off the land-->
-			<Image name="MitreRef=ToDo,Technique=,Alert=Process/Session/User Query with query.exe" condition="image">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
-			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeration,Alert=Traceroute Enumeration,MitreURL= https://capec.mitre.org/data/definitions/293.html" condition="image">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
-			<Image name="MitreRef=ToDo,Technique=,Alert=tree of directory structure disclosure" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
-			<Image name="MitreRef=T1134,Technique=Access Token Manipulation,Alert=Token Manipulation with runas.exe" condition="image">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
-			<Image name="MitreRef=ToDo,Technique=,Alert=Command Line task kill" condition="image">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
-			<Image name="MitreRef=ToDo,Technique=,Alert=Kerberos Ticket Disclosure with klist" condition="image">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
-			<Image name="MitreRef=ToDo,Technique=,Alert=Kerberos Ticket Disclosure" condition="image">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Possible driver load with odbcconf" condition="image">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
-			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Program Compatibility bypass" condition="image">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
-			<Image name="MitreRef=T1158,Technique=Hacking/LOLBins-Living off the Land,Alert=Attrib bypass" condition="image">attrib.exe</Image>
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Possible credential modification or disclosure with cmdkey" condition="image">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,AlertNLTest=" condition="image">nltest.exe</Image>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=NLTest" condition="contains">nltest.exe</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=" condition="contains">ExtExport</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">bash -c</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">bash.exe -c</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=" condition="contains">cmdkey /list</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=" condition="contains">cmdkey.exe /list</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">certutil.exe -urlcache -split -f</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">certutil -urlcache -split -f</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=csc compile output" condition="contains">csc -out:</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc.exe -out:</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc -target:library</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc.exe -target:library</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey /list</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmd.exe /k</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmstp.exe /ni /s</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmstp /ni /s</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">esentutl.exe /y \\</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">esentutl /y \\</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">expand \\</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">expand.exe \\</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">extrac32 \\</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">extrac32.exe \\</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">ieexec.exe http</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">ieexec http</CommandLine>
-			<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">diskshadow</ParentImage>
-			<!--LoLBin Applocker bypasses-->
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">advpack.dll,LaunchINFSection</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">mshtml,RunHTMLApplication</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">/s /n /u /i:http:</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">mshtml,RunHTMLApplication</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">bginfo.bgi /popup /nolicprompt</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">set </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">setx </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">pushd</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">popd</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">subst</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">ren </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">move </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">md </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">del </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">rd </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">expand </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">find.exe</CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
-			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">assoc </CommandLine>
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="image">cls.exe</Image>
-			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="image">doskey.exe</Image>
-	  		<!--                                                                                                                                            -->
-			<!--Mavinject -->
-	        <Image name="MitreRef=T1218,Technique=Mavinject,Alert=Process Injection" condition="image">Mavinject.exe</Image>
-	        <CommandLine name="MitreRef=T1218,Technique=Mavinject,Alert=Process Injection" condition="contains">/INJECTRUNNING</CommandLine>
-			<Image name="MitreRef=T1191,Technique=Mavinject" condition="image">CMSTP.exe</Image>
-	  		<!--                                                                                                                                            -->
-			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil.exe -decode</CommandLine>
-			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil -decode</CommandLine>
-	  		<!--                                                                                                                                            -->
-			<!--Detect Spawned Adobe Parent Processes-->
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Acrobat" condition="image">acrobat.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Adobe Reader" condition="image">acrord32.exe</ParentImage>
-	  		<!--                                                                                                                                            -->
-			<!--Detect Spawned Browser Parent Processes-->
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned Process from Chrome" condition="image">chrome.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Firefox" condition="image">firefox.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Internet Explorer" condition="image">iexplore.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="image">MicrosoftEdgeCP.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="image">MicrosoftEdge.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Vivaldi Browser" condition="image">vivaldi.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Waterfox Browser" condition="image">waterfox.exe</ParentImage>
-	  		<!--                                                                                                                                            -->
-			<!--Detect Spawned Java Parent Processes-->
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">java.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">javaw.exe</ParentImage>
-	  		<!--                                                                                                                                            -->
-			<!--Detect Spawned Office Parent Processes & Abuse-->
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">word.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">excel.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">POWERPNT.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">outlook.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">visio.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">msaccess.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">lync.exe</ParentImage>
-			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">skype.exe</ParentImage>
-	  		<!--                                                                                                                                            -->
+			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike GetSystem escalation Detected" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>
+				<CommandLine condition="contains all">echo;\pipe\;></CommandLine>
+			</Rule>
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike PSexec dll copy detected" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>
+				<CommandLine condition="contains all">/c;copy;dll;\\;admin$</CommandLine>
+			</Rule>
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike Exec DLL Detected" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">,;StartW</CommandLine>
+			</Rule>
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike Susp activity 1" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">,;update;appdata;temp;/i:</CommandLine>
+			</Rule>
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike Susp activity 2" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">,;update;appdata;temp;-i:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,Level=3,Alert=CMSTPLUA UAC Bypass Child Processes" groupRelation="and">
+				<ParentImage condition="image">dllhost.exe</ParentImage>
+				<ParentCommandLine condition="contains any">{3E5FC7F9-9A51-4367-9063-A120244FBEC7};{3E000D72-A845-4CD9-BD83-80C07C3B881F};{D2E7041B-2927-42fb-8E9F-7CE93B6DC937};{02B49784-1CA2-436C-BC08-72FA3956507D};{BEF590BE-11A6-442A-A85B-656C1081E04C}</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,Level=3,Alert=CMSTPLUA UAC Bypass" groupRelation="and">
+				<Image condition="image">dllhost.exe</Image>
+				<CommandLine condition="contains any">{3E5FC7F9-9A51-4367-9063-A120244FBEC7};{3E000D72-A845-4CD9-BD83-80C07C3B881F};{D2E7041B-2927-42fb-8E9F-7CE93B6DC937};{02B49784-1CA2-436C-BC08-72FA3956507D};{BEF590BE-11A6-442A-A85B-656C1081E04C}</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<Rule name="Attack=T1548,Technique=Abuse Elevation Control Mechanism,Tactic=Privilege Escalation,Level=3,Alert=Abused Debug priviledge by Arbitrary Parent Process,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">winlogon.exe;services.exe;lsass.exe;csrss.exe;wininit.exe;spoolsv.exe;searchindexer.exe</ParentImage>
+				<Image condition="contains any">powershell.exe;pwsh.exe;cmd.exe</Image>
+				<User condition="contains any">AUTHORI;AUTORI</User>
+				<CommandLine condition="excludes any">route ; ADD </CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism: Bypass User Account Control-->
+			<Rule name="Attack=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation,Risk=20" groupRelation="and">
+				<ParentImage condition="image">eventvwr.exe</ParentImage>
+				<Image condition="is not">c:\windows\system32\mmc.exe</Image>
+			</Rule>
+			<ParentImage name="Attack=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="image">fodhelper.exe</ParentImage>
+			<Image name="Attack=T1118,Technique=InstallUtil,Tactic=Execution,Level=0,Desc=InstallUtil" condition="image">InstallUtil.exe</Image>
+			<CommandLine name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass" condition="contains">Invoke-PsUaCme</CommandLine>
+			<CommandLine name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass" condition="contains">BypassUAC</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Powerup Command Line events" condition="contains">PowerUp</CommandLine>
+			<OriginalFileName name="Technique=T1548.002,Technique=Bypass User Account Control" condition="is">computerdefaults.exe</OriginalFileName>
+			<OriginalFileName name="Technique=T1548.002,Technique=Bypass User Account Control" condition="is">dism.exe</OriginalFileName>
+			<ParentImage name="Technique=T1548.002,Technique=Bypass User Account Control" condition="is">fodhelper.exe</ParentImage>
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<Rule name="Attack=T1088,Technique=Access Token Manipulation,Tactic=Privilege Escalation,Risk=90,Level=3,Alert=Priv Escalation to System" groupRelation="and">
+				<ParentUser condition="contains any">NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</ParentUser>
+				<User condition="contains any">NT AUTHORITY\SYSTEM;СИСТЕМА;NT-AUTORITÄT\SYSTEM;AUTORITE NT\SYSTEM</User>
+			</Rule>
+			<ParentCommandLine name="Level=0,Desc=Possible Token manipulation" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine> <!-- can be useful for tokens manip detection -->
+			<Image name="Attack=T1134,Technique=Access Token Manipulation,Tactic=NA,Level=2,Alert=Token Manipulation with runas.exe,Risk=70" condition="image">runas.exe</Image> 
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Execution,Level=4,Alert=Utilman Lock Screen Bypass,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">Cmd.Exe</OriginalFileName>
+				<ParentImage condition="image">winlogon.exe</ParentImage>
+				<Image condition="image">utilman.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Execution,Level=4,Alert=sethc.exe Lock Screen Bypass,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">Cmd.Exe</OriginalFileName>
+				<ParentImage condition="image">winlogon.exe</ParentImage>
+				<Image condition="image">sethc.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,Level=4,Alert=Utilman Priv Escalation" groupRelation="and">
+				<ParentImage condition="image">utilman.exe</ParentImage>
+				<Image condition="excludes any">C:\Windows\System32\ATBroker.exe;Magnify.exe;C:\Windows\System32\osk.exe</Image>
+			</Rule>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation,Level=0,Desc=SETHC Priv Escalation" condition="image">sethc.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">osk.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Magnify.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">DisplaySwitch.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Narrator.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">AtBroker.exe</ParentImage>
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Application Shimming-->
+			<Image name="Attack=T1138,Technique=Application Shimming,Tactic=Persistence/Privilege Escalation,Level=3,Alert=Application Shimming" condition="image">sdbinst.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=3,Alert=Exploiting SetupComplete.cmd,CVE=CVE-2019-1378,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd;cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd</CommandLine>
+				<Image condition="excludes">C:\Windows\Setup</Image>
+				<Image condition="excludes">C:\Windows\SysWOW64</Image>
+				<Image condition="excludes">C:\Windows\System32</Image>
+				<Image condition="excludes">C:\Windows\WinSxS</Image>
+			</Rule>
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=3,Alert=IE Exploitation CVE-2019-1388,Risk=70" groupRelation="and">
+				<ParentImage condition="image">consent.exe</ParentImage>
+				<CommandLine condition="contains">http</CommandLine>
+				<Image condition="image">iexplore.exe</Image>
+				<User condition="contains">SYSTEM</User>
+			</Rule>
+			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=Dwm Exploitation" groupRelation="and">
+				<ParentImage condition="image">dwm.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=4,Alert=7zip Priv Escalation Detection,CVE=CVE-2022-29072" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>
+				<ParentImage condition="image">7zFM.exe</ParentImage>
+				<CommandLine condition="excludes any">;/c;-c</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=4,Alert=Possible InstallerFileTakeOver LPE,CVE=CVE-2021-41379" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>
+				<ParentImage condition="image">elevation_service.exe</ParentImage>
+				<IntegrityLevel condition="contains">System</IntegrityLevel>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
+			<Image condition="contains">unknown process</Image>
+			<Image name="Level=0,Desc=WSL Execution" condition="contains">\LocalState\rootfs\</Image>
+			<ParentImage name="Level=0,Desc=WSL Execution" condition="contains">\LocalState\rootfs\</ParentImage>			
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
+			<Rule name="Attack=T1164.001,Technique=Hidden Files and Directories,Tactic=Defense Evasion,Level=3,Alert=Hidden/SuperHidden File or Folder created" groupRelation="and">
+				<CommandLine condition="contains any">+s;+h</CommandLine>
+				<Image condition="image">attrib.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1164.001,Technique=Hidden Files and Directories,Tactic=Defense Evasion,Level=3,Alert=Powershell Hidden File or Folder created" groupRelation="and">
+				<CommandLine condition="contains all">Hidden;Attributes</CommandLine>
+				<Image condition="image">powershell.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
+			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=3,Alert=Stealth Sysmon Change Detected,Risk=100" groupRelation="and">
+				<Product condition="is">Sysinternals Sysmon</Product>
+				<CommandLine condition="contains any">/u;/c;-u;-c</CommandLine>
+				<CurrentDirectory condition="excludes">C:\ProgramdData\sysmon\</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1562.001,Technique=Disabling Security Tools,Tactic=Defense Evasion,Level=4,Alert=Windows Defender tampering,Risk=50" groupRelation="and">
+				<Image condition="image">MpCmdRun.exe</Image>
+				<CommandLine condition="contains any">Add-MpPreference;RemoveDefinitions;DisableIOAVProtection</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
+			<Image condition="image" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=T1089,Level=4,Alert=PSTools PSKill,Risk=8">PsKill.exe</Image>
+			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=T1089,Risk=100,Level=4,Alert=Disabling of Windows Defender Features" groupRelation="and">
+				<CommandLine condition="contains any">Set-MpPreference;Add-MpPreference;Remove-MpPreference;MpCmdRun.exe</CommandLine>
+				<CommandLine condition="contains any">RemoveDefinitions;RemoveDynamicSignature;DisableIOAVProtection;DisableRealTimeMonitoring;DisableBehaviorMonitoring;DisableBlockAtFirstSeen;DisableIOAVProtection;DisablePrivacyMode;DisableScriptScanning;DisableRealtimeMonitoring;DisableScanningNetworkFiles;DisableScanningMappedNetworkDrivesForFullScan;DisableRestorePoint;DisableRemovableDriveScanning;SignatureDisableUpdateOnStartupWithoutEngine;DisableIntrusionPreventionSystem;DisableScanOnRealtimeEnable;DisableArchiveScanning;DisableIntrusionPreventionSystem;DisableScriptScanning;DisableOnAccessProtection;ExclusionExtension;ExclusionPath;ExclusionProcess;ThreatDefaultAction;TamperProtection</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,Level=2,Alert=netsh ipv6 modification,Risk=40" condition="contains">interface ipv6 set</CommandLine>
+			<CommandLine name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,Level=2,Alert=netsh ipv4 modification,Risk=40" condition="contains">interface ipv4 set</CommandLine>
+			<Image name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,Level=0,Desc=Command Line task kill 2,Risk=30" condition="image">taskkill.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=3,Alert=netsh Firewall Rule Deletion,Risk=40" condition="contains">firewall delete</CommandLine> 
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=2,Alert=netsh Firewall Rule Creation,Risk=40" condition="contains">firewall add</CommandLine> 
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=4,Alert=netsh firewall disablement,Risk=40" condition="contains">firewall set opmode disable</CommandLine>
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=4,Alert=Possible Arp Spoofing attacks" condition="contains">Core Networking - Router Solicitation</CommandLine>
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=0,Desc=Windows Firewall Modifications,Risk=40" condition="contains">netsh advfirewall firewall</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
+			<Rule name="Attack=T1070.001,Technique=Clear Windows Event Logs,Tactic=Defense Evasion,Level=4,Alert=Eventlog Removal on Host,Risk=100" groupRelation="and">
+				<Image condition="image">wevtutil.exe</Image>
+				<CommandLine condition="contains"> cl </CommandLine>
+				<CommandLine condition="excludes">wevtutil im</CommandLine>
+				<CommandLine condition="excludes">wevtutil.exe im</CommandLine>
+				<CurrentDirectory condition="excludes">ClickToRun</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1562.006,Technique=Indicator Blocking,Tactic=Defense Evasion,Risk=50" groupRelation="and">
+				<OriginalFileName condition="is">fltMC.exe</OriginalFileName>
+				<CommandLine condition="contains any">detach;unload</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion,Level=4,Alert=IIS Log disablement,Risk=80" groupRelation="and">
+				<OriginalFileName condition="is">appcmd.exe</OriginalFileName>
+				<CommandLine condition="contains all">DontLog;True</CommandLine>
+				<Image condition="excludes">iisetup.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
+			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux exec,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains any">bash.exe;wsl.exe;ubuntu.exe;kali.exe</OriginalFileName>
+				<CommandLine condition="contains any">-e;/e;-u root;--exec bash;dev/tcp</CommandLine>
+			</Rule>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</ParentImage>
+
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Level=0,Desc=Bash on Windows Execution,Risk=30" condition="image">bash.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Level=0,Desc=Bash on windows execution,Risk=30" condition="image">bash.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Indirect Command Execution with forfiles" condition="image">forfiles.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Indirect command execution forfiles child process" condition="image">forfiles.exe</ParentImage>
+			<Image name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">.com</Image>
+			<CommandLine name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=2,Alert=Scriptrunner exec" condition="contains">-appvscript</CommandLine>
+
+			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=3,Alert=suspicious execution path,Risk=30" groupRelation="and">
+				<Image condition="contains any">C:\Users\NetworkService\;C:\Users\NetworkService\;HarddiskVolumeShadowCopy;C:\Users\Default\;C:\Users\Public;C:\Users\Guest\;\administrateur\;C:\Windows\Media\;C:\Windows\addins\;tsclient\;\htdocs\;\config\systemprofile\;C:\PerfLogs\;c:\windows\ServiceProfiles\;C:\Intel\Logs\;C:\Windows\repair\;C:\Windows\Help\;$Recycle;C:\Windows\Debug\;C:\Windows\Security\;C:\Windows\Fonts\;\wwwroot\;\Contacts;C:\Windows\vss\</Image>
+			</Rule>		
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
+			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg add hkcu\software\classes\</CommandLine>
+			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg.exe add hkcu\software\classes\</CommandLine> 
+			<ParentCommandLine name="Level=0,Desc=Remote Registry Activity,Risk=39" condition="begin with">C:\WINDOWS\system32\svchost.exe -k localService -s RemoteRegistry</ParentCommandLine>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Alternate Data Streams with Regedit" groupRelation="and">
+				<OriginalFileName condition="is">regedit.exe</OriginalFileName>
+				<CommandLine condition="contains">:</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
+			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Suspicious Code Page Switch,Risk=50" groupRelation="and">
+				<Image condition="image">chcp.exe</Image>
+				<CommandLine condition="contains">936</CommandLine>
+				<CommandLine condition="contains">1256</CommandLine>
+				<CommandLine condition="contains">864</CommandLine>
+				<CommandLine condition="contains">1258</CommandLine>
+				<CommandLine condition="contains">855</CommandLine>
+				<CommandLine condition="contains">866</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Encoded Command Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<CommandLine condition="contains any">-e ;-en;-enc;-enco;-encod;-encode;-encoded;-encodedc;-encodedco;-encodedcom;-encodedcomm;-encodedcomma;-encodedcomman;-encodedcommand;/e ;/en;/enc;/enco;/encod;/encode;/encoded;/encodedc;/encodedco;/encodedcom;/encodedcomm;/encodedcomma;/encodedcomman;/encodedcommand</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Hidden Command,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<CommandLine condition="contains any">-w h;-wi h;-win h;-wind h;-windo h;-window h;-windows h;-windowst h;-windowsty h;-windowstyl h;-windowstyle h;/w h;/wi h;/win h;/wind h;/windo h;/window h;/windows h;/windowst h;/windowsty h;/windowstyl h;/windowstyle h</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Powershell non-interactive Command" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<CommandLine condition="contains any">-noni;/noni</CommandLine>
+				<CommandLine condition="excludes">Import-Module FileServerResourceManager</CommandLine>
+				<CurrentDirectory condition="excludes">C:\Program Files\LogicMonitor</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1027,Tactic=Defense Evasion,Technique=Obfuscated Files or Information,Level=4,Alert=Powershell Obfuscation Command,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<CommandLine condition="contains any">hextobin;iex;io.filestream;system.text;base64;system.io;io.file;IMAGE_SUBSYSTEM_WINDOWS_GUI;IMAGE_NT_OPTIONAL_HDR32;IMAGE_NT_OPTIONAL_HDR64;DllCharacteristicsType;GetDelegateForFunctionPointer;WriteProcessMemory;ReadProcessMemory;ImpersonateSelf;AdjustTokenPrivileges;NtCreateThreadEx;CreateRemoteThread;io.seek;iwr;-bxor;invoke-expression;remove.to.string;shellcode;System.Net.WebClient;System.Net.WebRequest;System.Net.SecurityProtocolType;unicode;-useb;msxml2.serverxmlhttp;wscript.shell;-comobject;frombase64;io.compression;system.convert;io.streamreader;io.memorystream;compression.gzipstream;text.encoding;executioncontext;text.enc;convertto-securestring;runtime.interop;verbosepreference;[[string]]::join</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Encoded Offsets,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<CommandLine condition="contains any">SUVYI;aWV4I;SQBFAFgA;aQBlA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Obfuscated Suspicious or Malicious Commands,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">C^om^S^pEc;^c^o^m^S^p^E^c^;Wscript.Shell;-ComObject;MsXml2.ServerXmlHttp;Remove.ToString;System.Convert;-UseB;[Byte[];^h^t^t^p;h"t"t"p</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information with IwAjACMAd,Tactic=Defense Evasion,Level=4,Alert=Common Base 64 encoded cmds" condition="contains any">IwAjACMAd;IyM=;SUVYI;aWV4I;SQBFAFgA;aQBlAHgA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Alert=Obfuscated Hidden Powershell,Risk=70" condition="contains any">WindowStyle Hidden function;WindowStyle Hidden;windowstyle h;windowstyl h;windowsty h;windowst h;windows h;window h;windo h;wind h;win h;wi h;-w h;/w h;win hi;win hid;win hidd;win hidde;win hidden</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Command Line Obfuscation,Risk=75" condition="contains">^</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=0,Desc=Type CON Command Line Redirection" condition="contains">TYPE CON ></CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=0,Desc=Copy CON Command Line Redirection" condition="contains">copy CON ></CommandLine>
+			<CommandLine name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Common Obfuscated Commands,Risk=100" condition="contains any">FromBase64String;action=create keyvalue=;VerbosePreference.ToString;SecureString;CSharpCodeProvider;runtime.interopservices.marshal;system.globalization.numberstyles;system.reflection.assembly;hextobin;VerbosePreference.ToString;system.text.encoding;io.filestream;io.filestream;io.seekorigin;text.encoding;unicode.getstring;FromBase64;[Convert]::;System.IO.File]::ReadAllText;|iex</CommandLine>
+			<Rule name="Attack=T1105,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=CertUtil Decode,Risk=80" groupRelation="and">
+				<OriginalFileName condition="contains">certutil</OriginalFileName>
+				<CommandLine condition="contains any">decode;encode</CommandLine>
+			</Rule>
+			<!--FIX MITRE Mapping-->
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Ping in Hexadecimal,Risk=60" groupRelation="and">
+				<Image name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Ping in Hexadecimal" condition="image">ping.exe</Image>
+				<CommandLine condition="contains">0x</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information: Compile After Delivery-->
+			<Rule name="Level=4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
+				<Image condition="image">csc.exe</Image>
+				<CommandLine condition="contains any">\AppData\;\Windows\Temp\</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,Level=3,Alert=Suspicious Parent of Csc.exe,Risk=80" groupRelation="and">
+				<Image condition="image">csc.exe</Image>
+				<ParentImage condition="image">wscript.exe</ParentImage>
+				<ParentImage condition="image">cscript.exe</ParentImage>
+				<ParentImage condition="image">mshta.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,Level=3,Alert=MOFComp compilation of .Mof File,Risk=80" groupRelation="and">
+				<Image condition="image">mofcomp.exe</Image>
+				<CommandLine condition="contains">.mof</CommandLine>
+				<CurrentDirectory condition="excludes">C:\WINDOWS\Installer\MSI</CurrentDirectory>
+				<ParentImage condition="excludes">MsMpEng.exe</ParentImage>
+				<ParentImage condition="excludes">aspnet_regiis.exe</ParentImage>
+				<ParentImage condition="excludes">msiexec.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,Level=3,Alert=CSC Compilation,Risk=80" groupRelation="and">
+				<ParentImage condition="is">csc.exe</ParentImage>
+				<CommandLine condition="contains any">out:;target:library</CommandLine>
+			</Rule>
+			<Image name="Level=0,Desc=Workflow Compiler https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb" condition="contains">Microsoft.Workflow.Compiler.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<CommandLine name="Attack=T1055,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement,Level=4,Alert=Powershell Injection persistence bypass,Risk=50" condition="contains">System.Management.Automation</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
+			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
+			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
+			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
+			<Rule name="Level=0,Desc=InstallUtil 1" groupRelation="and">
+				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
+				<CommandLine condition="contains all">/logfile=;/LogToConsole=false;/U</CommandLine>
+			</Rule>
+			<Rule name="Level=0,Desc=InstallUtil 2" groupRelation="and">
+				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
+				<CommandLine condition="contains all">-logfile=;-LogToConsole=false;-U</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.013,Technique=Mavinject,Tactic=Execution,Level=3,Alert=Mavinject Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains any">Mavinject.exe;mavinject64.exe</OriginalFileName>
+				<CommandLine condition="contains">INJECTRUNNING</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 1,Risk=100" groupRelation="and">
+				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
+				<CommandLine condition="contains all">/ni;/s</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 2,Risk=100" groupRelation="and">
+				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
+				<CommandLine condition="contains all">/ns;/s</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 3,Risk=100" groupRelation="and">
+				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
+				<CommandLine condition="contains all">-ni;-s</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 4,Risk=100" groupRelation="and">
+				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
+				<CommandLine condition="contains all">-ns;-s</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.002,Technique=Control Panel,Tactic=Execution,Level=3,Alert=Control_Rundll Detected,Risk=50" groupRelation="or">
+				<CommandLine condition="contains all">control;name</CommandLine>
+				<CommandLine condition="contains all">rundll32.exe;shell32.dll;Control_RunDLL</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.008,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=3,Alert=Odbcconf Signed Binary Proxy Execution,Risk=50" groupRelation="and">
+				<Image condition="image">odbcconf.exe</Image>
+				<CommandLine condition="contains any">/S /A {REGSVR;-S -A {REGSVR</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,Level=3,Alert=Script:http Detected,Risk=75" condition="contains">script:http</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,Level=3,Alert=Register-cimprovider exec,Risk=100" condition="contains">Register-cimprovider</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">Scriptrunner.exe -appvscript</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">bginfo</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">cbd</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=runscripthelper LOLBAS,Risk=40" condition="contains">runscripthelper.exe surfacecheck</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=xwizard LOLBAS,Risk=40" condition="contains">xwizard RunWizard</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=PresentationHost exec,Risk=100" condition="contains">PresentationHost</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=VBoxDrvInst.exe exec,Risk=100" condition="contains">driver executeinf</CommandLine>
+			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains any">control.exe /name;control.exe -name</CommandLine>
+			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains">Control_RunDLL</CommandLine>
+			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="image">SyncAppvPublishingServer.exe</Image>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">Scriptrunner.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">ATBroker.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">Appvlp.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">InfDefaultInstall.EXE</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">PresentationHost.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">RegisterCimProvider2.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">RegisterCimProvider.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">ScriptRunner.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">csi.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">extexport.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">msconfig.EXE</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">rasdlui.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">tttracer.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">verclsid.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">wab.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=Register-cimprovider.exe,Risk=100" condition="contains">Register-cimprovider.exe</OriginalFileName>
+			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">csi.exe</ParentCommandLine>
+			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">devtoolslauncher.exe LaunchForDeploy</ParentCommandLine>
+			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">bginfo</ParentCommandLine>
+			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">devtoolslauncher.exe</ParentImage>
+			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">wab.exe</ParentImage>
+			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">wsreset.exe</ParentImage>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: CMSTP-->
+			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion" condition="contains any">cmstp.exe /ni /s;cmstp.exe -ni -s</CommandLine>
+			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=0,Desc=cmstp" condition="contains any">cmstp /ni /s;cmstp -ni -s</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Mavinject-->
+			<Image name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,Level=3,Alert=Mavinject Process Injection" condition="image">Mavinject.exe</Image>
+			<CommandLine name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,Level=3,Alert=Mavinject Process Injection" condition="contains">INJECTRUNNING</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
+			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,Level=3,Alert=Potential rundll32.exe DllRegisterServer execution,Risk=70" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains">DllRegisterServer</CommandLine>
+				<CommandLine condition="excludes any">xapauthenticodesip.dll</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,Level=3,Alert=Suspicious Regsvr32 loading in Appdata temp" groupRelation="and">
+				<Image condition="image">regsvr32.exe</Image> 
+				<CommandLine condition="contains all">C:\Users;Appdata;Temp</CommandLine> 
+			</Rule>
+			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Defense Evasion/Execution,Level=4,Alert=Suspicious Regsvr32 loading in Public User folder" groupRelation="and">
+				<Image condition="image">regsvr32.exe</Image> 
+				<CommandLine condition="contains all">C:\Users;Public</CommandLine> 
+			</Rule>
+			<Description name="Attack=T1117,Technique=Regsvr32,Tactic=Execution" condition="contains">Microsoft(C) Register Server</Description>
+			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=SyncAppvPublishingServer Applocker Bypass" condition="image">SyncAppvPublishingServer.exe</Image>
+			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=control panel execution" condition="image">control.exe</Image>
+			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=rasautou execution" condition="image">rasautou.exe</Image>
+			<CommandLine name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,Level=4,Alert=Control Panel Execution" condition="contains any">control.exe /name;control.exe -name</CommandLine>
+			<CommandLine name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,Level=4,Alert=Control Panel Execution" condition="contains">Control_RunDLL</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
+			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=Msiexec.exe DllRegisterServer execution,Risk=70" groupRelation="and">
+				<Image condition="image">msiexec.exe</Image>
+				<CommandLine condition="contains any">/y;-y</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\DartSock.dll</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\ImageViewer2.OCX</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\SysTray.ocx</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\tdbg6.ocx</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\tdbg7.ocx</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\tdbg7.ocx</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\todg7.ocx</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\todgub7.dll</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\xarraydb.ocx</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion,Level=4,Alert=MSIExec Signed Binary Proxy Execution,Risk=70" groupRelation="and">
+				<Image condition="image">msiexec.exe</Image>
+				<CommandLine condition="contains any">/i;-i</CommandLine>
+				<CommandLine condition="contains any">http</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Rundll32-->
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Rundll32 Suspicious call by Ordinal,Risk=80" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains all">,;#</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\resources\themes\Aero\AeroLite.msstyles</CommandLine>
+				<CommandLine condition="excludes">uxtheme.dll</CommandLine>
+				<CommandLine condition="excludes">ImageView_Fullscreen</CommandLine>
+				<CommandLine condition="excludes">EDGEHTML.dll</CommandLine>
+				<CommandLine condition="excludes">PhotoViewer.dll</CommandLine>
+				<CurrentDirectory condition="excludes">\AppData\Local\WebEx\WebEx\</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious OpenAs_RunDLL,Risk=30" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains all">shell32.dll;OpenAs_RunDLL</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Executing Powershell,Risk=70" groupRelation="and">
+				<ParentImage condition="image">RUNDLL32.EXE</ParentImage>
+				<OriginalFileName condition="contains">powershell</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious OpenURL Commands" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains all">url.dll;OpenURL</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious FileProtocolHandler Commands" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains all">url.dll;FileProtocolHandler</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious RouteTheCall Commands" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains all">zipfldr.dll;RouteTheCall</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious Control_RunDLL Commands" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains all">Shell32.dll;Control_RunDLL</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious javascript Commands" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains">javascript:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious RegisterXLL Commands" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains">RegisterXLL</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Suspicious Rundll32 loading in Public User folder" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image> 
+				<CommandLine condition="contains all">C:\Users;Public</CommandLine>
+				<ParentCommandLine condition="excludes any">rdpinit.exe</ParentCommandLine> 
+				<ParentImage condition="excludes any">rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe</ParentImage> 
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Suspicious Rundll32 loading in Appdata Temp" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">C:\Users;Appdata;Temp</CommandLine>
+				<CommandLine condition="excludes any">ImageView_</CommandLine>
+				<ParentCommandLine condition="excludes any">rdpinit.exe</ParentCommandLine>
+				<ParentImage condition="excludes any">rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe</ParentImage>
+			</Rule>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">advpack.dll;LaunchINFSection</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">ieadvpack.dll;LaunchINFSection</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">syssetup.dll;SetupInfObjectInstallAction</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">setupapi.dll;InstallHinfSection</CommandLine>
+			<CommandLine condition="contains">InstallHinfSection</CommandLine>
+			<Image name="Level=0,Desc=infDefaultInstall" condition="image">infDefaultInstall.exe</Image>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=APT28 CHOPSTICK Detection,Risk=70" condition="contains">rundll32.exe "C:\Windows\twain_64.dll"</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Shdocvw exec via rundll32,Risk=70" condition="contains all">shdocvw.dll;OpenURL</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Testing advpack exec,Risk=70" condition="contains all">advpack.dll;RegisterOCX</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass,Risk=100" condition="contains all">Zipfldr.dll;RouteTheCall</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass,Risk=100" condition="contains all">url.dll;FileProtocolHandler</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass technique FileProtocolHandler,Risk=100" condition="contains all">url.dll;FileProtocolHandler</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" condition="contains all">OpenURLA;file:</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" condition="contains all">OpenURL;file:</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MSHTA-->
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Defense Evasion,Level=4,Alert=Suspicious child processes of mshta,Risk=100" groupRelation="and">
+				<ParentImage condition="image">mshta.exe</ParentImage>
+				<Image condition="contains any">cmd.exe;powershell.exe;wscript.exe;cscript.exe;sh.exe;bash.exe;reg.exe;regsvr32.exe;bitsadmin</Image>
+			</Rule>
+			<Rule name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution,Risk=100" groupRelation="and">
+				<Image condition="image">mshta.exe</Image>
+			</Rule>
+			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution" condition="contains">RunHTMLApplication</CommandLine>
+			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution" condition="contains">mshtml</CommandLine>
+			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution" condition="contains">vbscript:CreateObject</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Odbcconf-->
+			<Image name="Attack=T1218.008,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=3,Alert=Possible driver load with odbcconf,Risk=40" condition="image">odbcconf.exe</Image>
+
+			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
+			<CommandLine name="Attack=T1216,Technique=System Script Proxy Execution,Tactic=Defense Evasion,Level=4,Alert=manage-bde.wsf exec,Risk=100" condition="contains">manage-bde.wsf</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=Powershell Calling MSBuild" groupRelation="and">
+				<ParentImage condition="contains any">powershell.exe;powershell_ise.exe</ParentImage>
+				<Image condition="image">msbuild.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild Calling RegAsm" groupRelation="and">
+				<ParentImage condition="image">msbuild.exe</ParentImage>
+				<Image condition="contains">regasm</Image>
+			</Rule>
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild Calling useinit" groupRelation="and">
+				<ParentImage condition="image">msbuild.exe</ParentImage>
+				<Image condition="image">userinit.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild Building from xml - Silent Trinity" groupRelation="and">
+				<ParentImage condition="image">msbuild.exe</ParentImage>
+				<ParentCommandLine condition="contains">.xml</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=RegAsm Parent process" groupRelation="and">
+				<ParentImage condition="image">regasm.exe</ParentImage>
+				<Image condition="excludes">\conhost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild building from lnk file" groupRelation="and">
+				<Image condition="image">msbuild.exe</Image>
+				<CommandLine condition="contains">.lnk</CommandLine>
+			</Rule>
+			<CommandLine name="Level=0,Desc=.csproj execution" condition="contains">.csproj</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
+			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
+			<Image name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,Level=4,Alert=XSL Script Processing" condition="image">msxsl.exe</Image>
+			<ParentImage name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,Level=4,Alert=XSL Script Processing" condition="image">msxsl.exe</ParentImage>
+			<!--MITRE ATT&CK TACTIC: Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
+			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
+			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Hawkeye Keylogger Detected" condition="contains">/stext</CommandLine>
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">keylog</CommandLine>
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">keyscan_</CommandLine>
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">Get-Keystrokes</CommandLine>
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">/scomma</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<Rule name="Attack=T1040,Technique=Network Sniffing,Tactic=Credential Access/Discovery,Level=4,Alert=Network Sniffing tool Detected,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">sniff</CommandLine>
+				<CommandLine condition="excludes">C:\Program Files\Adobe\</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1040,Technique=Network Sniffing,Tactic=Credential Access/Discovery,Level=4,Alert=PCAP Sniffing tool Detected,Risk=100" groupRelation="or">
+				<OriginalFileName condition="is any">tcpdump.exe;tcpdump.c;tshark.exe;tshark.c;windump.exe;windump.c;wireshark.c;wireshark.exe</OriginalFileName>
+				<CommandLine condition="contains any">windump;tshark;tcpdump;windump;wireshark</CommandLine>
+				<CommandLine condition="contains all">netsh;trace;start;capture=yes</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">mimikatz;mimidrv;mimilove;mimilib;sekurlsa;lsadump;dumpcreds;privilege::;token::;logonpasswords;mimikittenz;mimiauth;::;kerberos::;misc::skeleton;privilege::debug;dpapi::cred;vault::cred;lsadump;misc::;Krbtgt;TOKEN::;invoke-mimi</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=3,Alert=Possible credential modification or disclosure with cmdkey,Risk=30" groupRelation="and">
+				<OriginalFileName condition="contains">cmdkey</OriginalFileName>
+			</Rule>
+			<OriginalFileName name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=3,Alert=Credential Dumping Command rpcping,Risk=100" condition="is">rpcping.exe</OriginalFileName>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command nltest,Risk=100" condition="contains">nltest.exe</CommandLine>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Suspicious Cred Dumping Commands,Risk=60" groupRelation="and">
+				<CommandLine condition="contains any">-ma lsass.exe;Do-Exfiltration;Powersploit;GPPPassword;gpprefdecrypt;gsecdump;hashdump;laZagne;ntds.dit;ppldump;pwdump;pwdumpx;secretsdump;/listcreds:;-listcreds:</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultCloseVault</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultEnumerateItem</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultFree</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultGetItem</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultOpenVault</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">Vaultcmd</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">vaultcli.dll</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from firefox" condition="contains">select * from moz_login</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping" condition="contains">Invoke-WinEnum</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Dumping Cached Credentials,Risk=100" condition="contains">System.Net.CredentialCache</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=VSS Shadow file Created" condition="contains">create shadow</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Dumping,Level=4,Alert=Credential Theft: netsh wlan password export in cleartext,Risk=100" condition="contains all">wlan;export;profile;key=clear</CommandLine>
+			<CommandLine name="Attack=T1003.006,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command DCsync,Risk=100" condition="contains">dcsync</CommandLine>
+			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry" condition="contains any">HKCU /f password;HKCU -f password</CommandLine>
+			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry" condition="contains any">HKLM /f password;HKLM -f password</CommandLine>
+			<Image name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command nltest,Risk=60" condition="image">nltest.exe</Image>
+			<Image name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command" condition="contains">ProcDump.exe</Image>
+			<OriginalFileName name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command" condition="contains">ProcDump</OriginalFileName>
+			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">asktgt;asktgs</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">createnetonly /program:;createnetonly -program:</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">dump /service:krbtgt;dump -service:krbtgt</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">harvest /interval:;harvest -interval:</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">renew /ticket:;renew -ticket:</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">asreproast</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">impersonateuser:</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">kerberoast</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">ptt /ticket:</CommandLine>
+			<Image name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Kerberos Ticket Disclosure with klist,Risk=70" condition="image">klist.exe</Image>
+			<Image name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=0,Desc=Kerberos Ticket Disclosure,Risk=30" condition="image">hh.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
+			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
+			<Rule name="Attack=T1552,Technique=Unsecured Credentials,Tactic=Credential Access,Level=3,Alert=Possible disclosure with IIS appcmd,Risk=100" groupRelation="and">
+				<OriginalFileName condition="is">appcmd.exe</OriginalFileName>
+				<CommandLine condition="contains all">list;text;password</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TACTIC: Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
+			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=2,Alert=User enumeration/Discovery,Risk=30" condition="image">quser.exe</Image>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=2,Alert=User or Group Discovery,Risk=50" groupRelation="and">
+				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
+				<CommandLine condition="contains any">group;localgroup; user</CommandLine>
+				<CommandLine condition="excludes">/domain</CommandLine>
+				<CommandLine condition="excludes">SUService</CommandLine>
+				<CommandLine condition="excludes">\users</CommandLine>
+				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=2,Alert=Domain User or Group Discovery,Risk=50" groupRelation="and">
+				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
+				<CommandLine condition="contains any">group;localgroup; user</CommandLine>
+				<CommandLine condition="contains any">/domain</CommandLine>
+				<CommandLine condition="excludes">SUService</CommandLine>
+				<CommandLine condition="excludes">\users</CommandLine>
+				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=4,Alert=Sharphound Discovery,Risk=100" groupRelation="or">
+				<CommandLine condition="contains any">sharphound;bloodhound;azurehound;CollectionMethod;encryptzip;randomizefilenames;dumpcomputerstatus</CommandLine>
+				<Company condition="contains any">sharphound;bloodhound</Company>
+				<Description condition="contains any">sharphound;bloodhound</Description>
+				<Image condition="contains any">sharphound;bloodhound</Image>
+				<OriginalFileName condition="contains any">sharphound;bloodhound</OriginalFileName>
+				<ParentImage condition="contains any">sharphound;bloodhound</ParentImage>
+				<Product condition="contains any">sharphound;bloodhound</Product>
+			</Rule>
+			<CommandLine name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=DSclient Discovery,Risk=70" condition="contains any">dscl . list /Groups;dscl . list -Groups</CommandLine>
+			<CommandLine name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=DSclient Discovery,Risk=70" condition="contains any">dscl . list /Users;dscl . list -Users</CommandLine>
+			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=DSQuery.EXE Discovery,Risk=70" condition="image">dsquery.exe</Image>
+			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=Query.EXE Discovery,Risk=30" condition="image">query.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
+			<Image name="Attack=T1083,Technique=File and Directory Discovery,Tactic=Discovery,Level=0,Desc=directory structure disclosure,Risk=30" condition="end with">tree.com</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
+			<Image name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,Level=0,Desc=Process Discovery,Risk=0" condition="image">tasklist.exe</Image>
+			<Image name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,Level=3,Alert=Process Discovery,Risk=0" condition="image">qprocess.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
+			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg query</CommandLine>
+			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg.exe query</CommandLine>
+			<Image name="Level=0,Desc=Driver Querying" condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
+
+			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
+			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,Level=2,Alert=Traceroute Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">tracert.exe</Image>
+			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,Level=2,Alert=Pathping Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">pathping.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Discovery: Security Software Discovery-->
+			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" groupRelation="or">
+				<OriginalFileName name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" condition="is">fltMC.exe</OriginalFileName>
+				<CommandLine name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" condition="contains">misc::mflt</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,Level=3,Alert=AV Product detection via WMI,Risk=30" condition="contains">AntiVirusProduct</CommandLine>
+			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,Level=3,Alert=Security Settings via WMI,Risk=30" condition="contains">root\SecurityCenter2</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
+			<Image name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,Level=2,Alert=System Information Discovery,Risk=30" condition="image">sysinfo.exe</Image>
+			<CommandLine name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,Level=2,Alert=System Information Discovery,Risk=30" condition="image">systeminfo</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
+			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=Network Connection Discovery with netsh,Risk=60" groupRelation="and">
+				<Image condition="image">netsh.exe</Image>
+				<CommandLine condition="contains any">get;list;show</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=Network Connection Changes with netsh,Risk=60" groupRelation="and">
+				<Image condition="image">netsh.exe</Image>
+				<CommandLine condition="excludes any">get;list;show</CommandLine>
+			</Rule>
+			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=ipconfig discovery,Risk=20" condition="image">ipconfig.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
+			<Image name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=0,Desc=System Network Connections Discovery,Risk=0" condition="image">netstat.exe</Image>
+			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp -a</CommandLine> 
+			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp.exe -a</CommandLine> 
+			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp  -a</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=Account Discovery,Risk=50" groupRelation="and">
+				<Image condition="contains any">whoami.exe;whoami1.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Level=0,Desc=Network Connection modifications with netsh,Risk=40" groupRelation="and">
+				<Image condition="image">netsh.exe</Image>
+				<CommandLine condition="contains any">add;del;set</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=NBTStat DNS Lookup,Risk=30" groupRelation="and">
+				<CommandLine condition="contains">nbtstat</CommandLine> 
+				<CommandLine condition="excludes">nessus</CommandLine> 
+			</Rule>
+			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=route.exe discovery,Risk=60" groupRelation="and">
+				<Image condition="image">route.exe</Image>
+				<CommandLine condition="contains">print</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=Route Modification,Risk=40" groupRelation="and">
+				<Image condition="image">route.exe</Image>
+				<CommandLine condition="contains any">ADD;DEL;CHANGE;-f</CommandLine>
+			</Rule>
+			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=User enumeration with qwinsta" condition="image">qwinsta.exe</Image>
+			<Image name="Level=0,Desc=rwinsta" condition="image">rwinsta.exe</Image>
+			
+			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+
+			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
+			<Rule name="Level=0,Desc=Possible Lateral Movmt via Office Application,Risk=80" groupRelation="and">
+				<ParentImage condition="contains">Microsoft Office\root\Office</ParentImage>
+				<Image condition="excludes">Microsoft Office\root\Office</Image>
+				<ParentCommandLine condition="contains all">automation;Embedding</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.002,Tactic=Lateral Movement,Technique=SMB/Windows Admin Shares,Level=3,Alert=Command Ran over Admin Share" groupRelation="and">
+				<CommandLine condition="contains">admin$</CommandLine>
+				<CommandLine condition="excludes any">davclnt.dll</CommandLine>
+				<ParentCommandLine condition="excludes any">WebClientGroup</ParentCommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
+			<Rule name="Attack=T1210,Technique=Exploitation of Remote Services,Tactic=Lateral Movement,CVE=CVE-2020-1350,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
+				<ParentCommandLine condition="contains all">svchost.exe;termsvcs</ParentCommandLine>
+				<Image condition="excludes any">rdpclip.exe;csrss.exe;wininit.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1210,Technique=Exploitation of Remote Services,Tactic=Lateral Movement,CVE=CVE-2020-1350,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
+				<ParentImage condition="image">dns.exe</ParentImage>
+				<Image condition="excludes any">werfault.exe;conhost.exe;dnscmd.exe;dns.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1210,Tactic=Lateral Movement,Technique=Exploitation of Remote Services,CVE=CVE-2019-0708,Level=4,Alert=Terminal Service Process Spawn,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">UMWorkerProcess.exe;UMService.exe</ParentImage>
+				<CommandLine condition="excludes any">perfenabled</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1210,Tactic=Lateral Movement,Technique=Exploitation of Remote Services,CVE=CVE-2021-26857,Level=4,Alert=HAFNIUM APT Exchange UMS Process,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">UMWorkerProcess.exe;UMService.exe</ParentImage>
+				<CommandLine condition="excludes any">perfenabled</CommandLine>
+				<Image condition="excludes any">wemgr.exe;werfault.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1210,Technique=Exploitation of Remote Services,Tactic=Execution,Level=4,Alert=wwwroot Web Server Exploitation Detected,Risk=100" groupRelation="and">
+				<Image condition="contains any">\wwwroot\</Image>
+			</Rule>
+			<Rule name="Attack=T1210,Technique=Exploitation of Remote Services,Tactic=Execution,Level=4,Alert=Atlassian Confluence Remote Exploit,Risk=100,CVE=CVE-2021-26084" groupRelation="and">
+				<ParentImage condition="end with">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
+				<CommandLine condition="contains any">cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1210,Technique=Exploitation of Remote Services,Tactic=Execution,Level=4,Alert=Generic Java Webapp Remote Exploit,Risk=100" groupRelation="and">
+				<ParentImage condition="end with">\jre\bin\java.exe</ParentImage>
+				<CommandLine condition="contains any">cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin</CommandLine>
+				<!--Allow Confluence Rule to fire-->
+				<ParentImage condition="excludes">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking: RDP Hijacking-->
+			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Level=4,Alert=Remote Desktop Shadow Alert,Risk=100" condition="contains any">/shadow;-shadow</CommandLine>
+			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Level=4,Alert=Remote Desktop Shadow with no Consent alert" condition="contains">noConsentPrompt</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
+			<Rule name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,Level=4,Alert=RDP Hijack Detected" groupRelation="and">
+				<ParentImage name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,Level=4,Alert=RDP Hijack Detected,Risk=100" condition="image">tscon.exe</ParentImage>
+				<CommandLine condition="contains">dest:rdp-tcp:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=4,Alert=Powershell Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=4,Alert=Emotet Executed via WMI,Risk=100" groupRelation="and">
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+				<Image condition="contains">\Users\</Image>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Network Detective System Scan Detected,Risk=100" groupRelation="and">
+				<Image condition="contains">NetworkDetective</Image>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Remote Tenable Malware Scan Detected,Risk=100" groupRelation="and">
+				<Image condition="image">sc.exe</Image>
+				<CommandLine condition="contains">tenable</CommandLine>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=CMD.exe Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+				<CommandLine condition="excludes any">do_vbsUpload;Spiceworks</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=regsvr32.exe Executed via WMI,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">regsvr32.exe</OriginalFileName>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=CMD Executed via WMI,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">cmd.exe</OriginalFileName>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=4,Alert=Powershell Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=RSAT Tool Launch,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">dsa.msc</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=HyperV Remote Management Tool Launch,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">virtmgmt.msc</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Potential Malicious Remote WMI Execution Detected,Risk=100" groupRelation="and">
+				<ParentImage condition="image">wmiprvse.exe</ParentImage>
+				<Image condition="excludes">CompMgmtLauncher.exe</Image>
+				<Image condition="excludes">DismHost.exe</Image>
+				<Image condition="excludes">Microsoft.NET\Framework</Image>
+				<Image condition="excludes">NetEvtFwdr.exe</Image>
+				<Image condition="excludes">ServerManager.exe</Image>
+				<Image condition="excludes">WerFault.exe</Image>
+				<Image condition="excludes">chcp.com</Image>
+				<Image condition="excludes">g2mupdate.exe</Image>
+				<Image condition="excludes">slack.exe</Image>
+			</Rule>
+			<Image name="Attack=T1028,Technique=Windows Remote Management,Tactic=Execution,Level=3,Alert=Windows Remote Management Execution" condition="end with">winrm.cmd</Image>
+			<Image name="Attack=T1028,Technique=Windows Remote Management,Tactic=Execution,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrs.exe</Image>
+			<Image name="Attack=T1028,Technique=Windows Remote Management,Tactic=Execution,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrshost.exe</Image>
+			<Image name="Attack=T1028,Technique=Windows Remote Management,Tactic=Execution,Level=2,Alert=Waitfor.exe Execution bypass" condition="image">waitfor.exe</Image>
+			<Image name="Attack=T1028,Technique=Windows Remote Management,Tactic=Execution,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</Image>
+			<ParentImage name="Attack=T1028,Technique=Windows Remote Management,Tactic=Execution,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="end with">winrshost.exe</ParentImage>
+			<ParentImage name="Attack=T1028,Technique=Windows Remote Management,Tactic=Execution,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</ParentImage>
+			<Rule name="Attack=T1021.006,Technique=Remote WMIC/Execution,Tactic=Lateral Movement,Level=4,Alert=Potential Malicious Document Execution,Risk=90" groupRelation="and">
+				<ParentImage condition="image">wmiprvse.exe</ParentImage>
+				<Image condition="image">mshta.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Secure Shell Execution,Risk=80" groupRelation="and">
+				<Image condition="contains any">ssh.exe;putty.exe;kitty.exe;kitty_portable.exe</Image><!-- SSH -->
+			</Rule>
+			<Product name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Putty utility detected,Risk=60">PuTTY suite</Product>
+			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Secure Shell FTP Execution,Risk=80" groupRelation="and">
+				<Image condition="contains any">sftp;psftp</Image><!-- SSH -->
+			</Rule>
+			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Possible SMBExec via Metasploit,Risk=100" groupRelation="and">
+				<CommandLine condition="is">rundll32.exe</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Trickbot,Risk=100" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">..\;,</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Trickbot 2,Risk=100" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">,StartW</CommandLine>
+			</Rule>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Sysinternals PSService" condition="contains">psservice</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Sysinternals PsPasswd" condition="contains">PsPasswd</Image>
+			<Image name="Level=0,Desc=Remote Desktop" condition="image">mstsc.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image>
+			<Image name="Level=3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
+			<CommandLine name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=IIS powershellcustomhost exec" condition="contains">powershellcustomhost</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Remote Services: Distributed Component Object Model-->
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement" groupRelation="and">
+				<ParentCommandLine condition="contains">-Embedding</ParentCommandLine>
+				<ParentImage condition="is">c:\windows\system32\mmc.exe</ParentImage>
+			</Rule>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=4,Alert=CrackmapExec - Malicious Command Line events,Tactic=Privilege Escalation" condition="contains all">--execm;atexec</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Background Intelligent Transfer Control Class 1.0" condition="contains">{4991d34b-80a1-4291-83b6-3328366b9097}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Excel.Application" condition="contains">{00020812-0000-0000-C000-000000000046}</CommandLine> 	  
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: HTML Application" condition="contains">{40AEEAB6-8FDA-41e3-9A5F-8350D4CFCA91}</CommandLine> <!-- -->
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: MMC20.APPLICATION" condition="contains">{7e0423cd-1119-0928-900c-e6d4a52a0715}</CommandLine> <!-- -->
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Outlook.Application" condition="contains">{0006F04A-0000-0000-C000-000000000046}</CommandLine> <!-- -->
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Powerpoint.Application" condition="contains">{048EB43E-2059-422F-95E0-557DA96038AF}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Shell.Application" condition="contains">{13709620-C279-11CE-A49E-444553540000}</CommandLine> <!-- -->
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: ShellBrowserWindow" condition="contains">{c08afd90-f2a1-11d1-8455-00a0c91f3880}</CommandLine> <!-- -->
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: ShellWindows" condition="contains">9BA05972-F6A8-11CF-A442-00A0C90A8F39</CommandLine> <!-- -->
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Visio.Application" condition="contains">{00021A20-0000-0000-C000-000000000046}</CommandLine> <!-- -->
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: WScript.Shell" condition="contains">{72C24DD5-D70A-438B-8A42-98424B88AFB8}</CommandLine> <!-- -->
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Word.Application" condition="contains">{00020906-0000-0000-C000-000000000046}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Execution - Suspicious Cmdline - JScript Engine CLSID">{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Execution - Unusual Scripting Engine in use - chakra.dll">{1b7cd997-e5ff-4932-a7a6-2a9e636da385}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Execution - Unusual Scripting Engine in use - jscript9.dll">{16d51579-a30b-4c8b-a276-0ff4dc41e755}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" condition="contains any">rundll32.exe -sta;rundll32.exe /sta;rundll32 -sta;rundll32 /sta</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" condition="contains all">shell32.dll;SHCreateLocalServerRunDll</CommandLine>
+			<ParentCommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM Launch" condition="contains any">-k DcomLaunch;/k DcomLaunch</ParentCommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+
+			<!--MITRE ATT&CK TACTIC: Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
+			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,Level=4,Alert=Dark Halo Protected zip file creation,Risk=100" groupRelation="and">
+				<Image condition="image">7z.exe</Image>
+				<CommandLine condition="contains any">a -mx9 -r0 -p;a -v500m -mx9 -r0 -p</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
+			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">WindowsAudioDevice-Powershell-Cmdlet</CommandLine>
+			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">SoundRecorder.exe</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
+			<Image name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,Level=3,Alert=Data injected into clipboard,Risk=30" condition="is">clip.exe</Image>
+			<CommandLine name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,Level=3,Alert=Data pulled from clipboard,Risk=40" condition="contains">get-clipboard</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
+			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
+			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Possible Email Collection/Exfiltration,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">New-MailboxExportRequest</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">screencapture</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.drawing.Imaging</CommandLine>			
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.drawing.bitmap</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.windows.forms.screen</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
+			<!--MITRE ATT&CK TACTIC: Command and Control-->
+			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=base64 encoded URL https or http offset,Risk=80" groupRelation="and">
+				<CommandLine condition="contains any">odHRwczovL;aHR0cDovL;h0dHA6Ly;odHRwOi8v;aHR0cHM6Ly;h0dHBzOi8v</CommandLine>
+				<Image condition="excludes any">ie_to_edge_stub.exe;chrome.exe;firefox.exe;iexplore.exe;brave.exe;vivaldi.exe;msedge.exe;webex;teams.exe;goto opener.exe;lynx.exe;\Webex\webexAppLauncherLatest.exe;\WebEx\webexAppLauncher.exe;\WebEx\Applications\webexAppLauncher.exe;WebEx\webex.exe</Image>
+				<CommandLine condition="excludes any">wbx:;/SITE_TOKEN=;msteams:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=Double Base64 encoded executable,Risk=90" groupRelation="and">
+				<CommandLine condition="contains any">VFZvQUFBQ;RWb0FBQU;UVm9BQUFB;VFZxQUFBR;RWcUFBQU;UVnFBQUFF;VFZwUUFBS;RWcFFBQU;UVnBRQUFJ;VFZxUUFBT;RWcVFBQU;UVnFRQUFN;VFZwVEFRR;RWcFRBUU;UVnBUQVFF</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=base64 encoded powershell" groupRelation="and">
+				<Image condition="image">powershell.exe</Image>
+				<CommandLine condition="contains any">AAAAYInlM;OiCAAAAYInlM;OiJAAAAYInlM;RwBlAHQAL;WwBOAGUAdAAuAFM;W05ldC5TZXJ2aWNl</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=Cyrillic Letter obfuscation,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">Г;И;К;П;д;и;к;л;л;н;н;о;ф;ե;թ;յ;ն;ն;ն;ն;տ;ւ;ք</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
+			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
+			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
+			<Rule name="Attack=T1105,Technique=Remote File Copy,Tactic=Command and Control,Level=4,Alert=Certutil file transfer,Risk=100" groupRelation="and">
+				<Image condition="image">certutil.exe</Image>
+				<CommandLine condition="contains all">urlcache;split;f</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=Command Line file transfer,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">DownloadFile;DownloadString;Net.WebClient;System.Net.WebRequest;System.Net.SecurityProtocolType;Invoke-Expression;Invoke-WebRequest</CommandLine>
+				<Image condition="contains any">powershell.exe;cmd.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=BitsAdmin File Transfers,Risk=70" groupRelation="and">
+				<OriginalFileName condition="is">bitsadmin.exe</OriginalFileName>
+				<CommandLine condition="contains any">CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME</CommandLine>
+				<CommandLine condition="excludes all">util;setieproxy;localsystem;AUTODETECT</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=BitsAdmin File Transfers 2,Risk=70" groupRelation="and">
+				<Description condition="contains">BITS administration utility</Description><!-- to detect renamed ones -->
+				<CommandLine condition="contains any">CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Tactic=Command And Control,Technique=Ingress Tool Transfer,Level=4,Alert=Linux Ingress transfer tools on Windows,Risk=30" groupRelation="and">
+				<Image condition="contains any">\curl.exe;\wget.exe;\www.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1105,Tactic=Command And Control,Technique=Ingress Tool Transfer,Level=4,Alert=Linux Ingress transfer tools on Windows,Risk=30" groupRelation="and">
+				<Image condition="contains any">\curl.exe;\wget.exe;\www.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Certutil file download 1,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">certutil</OriginalFileName>
+				<CommandLine condition="contains all">split;f</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Certutil file download 2,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">certutil</OriginalFileName>
+				<CommandLine condition="contains any">verifyctl;URL</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=BitsAdmin File Transfers,Risk=70" condition="image">start-bitstransfer</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand.exe \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" condition="contains">ieexec http</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" condition="contains">ieexec.exe http</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Ingress Tool Transfer with Powercat,Risk=100" condition="contains">powercat</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" condition="contains any">esentutl /y \\;esentutl -y \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" condition="contains any">esentutl.exe /y \\;esentutl.exe -y \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" condition="contains">extrac32 \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" condition="contains">extrac32.exe \\</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
+			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
+			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
+			<CommandLine name="Attack=T1090,Technique=Connection Proxy,Level=4,Alert=NetSH PortProxy,Risk=70" condition="contains">portproxy</CommandLine>
+			<Image name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Defense Evasion,Level=4,Alert=Tor Detected,Risk=100" condition="image">tor.exe</Image><!-- Tor-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
+			<Image name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Unattended Session" condition="image">TeamViewer_Desktop.exe</Image>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=4,Alert=PSExec Command,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains any">psexec</OriginalFileName>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
+
+			<!--MITRE ATT&CK TACTIC: Exfiltration-->
+			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Exfiltration,Level=0,Desc=SCP Data exfiltration detected,Risk=100" groupRelation="and">
+				<Image condition="contains any">winscp.exe;winscp.com;scp.exe;pscp</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
+			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,Level=0,Desc=Data exfiltration Tool detected 3,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">bitch.exe;bitch.bat;bitch_lasagna.exe;Admin Cracker.exe;BulletsPassView.exe;ChromePass.exe;Dialupass.exe;LSASecretsView.exe;OpenedFilesView.exe;OperaPassView.exe;PasswordFox.exe;ProduKey.exe;RouterPassView.exe;USBDeview.exe;USBStealer.exe;VNCPassView.exe;WebBrowserPassView.exe;WirelessKeyView.exe;WirelessKeyView.exe;empv.exe;netpass.exe;pspv.exe;usbdll.exe;rdpv.exe;WirelessKeyView.exe;lasagna.exe;all -vvv >>;rsync -r</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,Level=0,Desc=CredsLeaker exfiltration tool detected,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">CredsLeaker;Windows.Security.Credentials.UI.CredentialPicker;function Leaker;function Await</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,Level=0,Desc=merlin CnC exfiltration detected 4,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">.exe -url https://;dll,Run https://;Invoke-Merlin;-m SimpleHTTPServer;/m SimpleHTTPServer</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=DNS Exfil detected,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">-q=txt;/q=txt</CommandLine>
+				<Image condition="image">nslookup.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1567.002,Technique=Exfiltration to Cloud Storage,Tactic=Exfiltration,Level=4,Alert=Rclone detected,Risk=100" groupRelation="or">
+				<OriginalFileName condition="contains any">rclone</OriginalFileName>
+				<Description condition="contains any">Rsync for cloud storage</Description>
+				<Product condition="contains any">rclone</Product>
+				<Company condition="contains any">rclone</Company>
+				<Image condition="contains any">\rclone</Image>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=S3browser detected,Risk=100" groupRelation="or">
+				<OriginalFileName condition="contains any">s3browser</OriginalFileName>
+				<Description condition="contains any">s3browser</Description>
+				<Product condition="contains any">s3browser</Product>
+				<Image condition="contains any">s3browser</Image>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=FTP exfiltration detected,Risk=100" groupRelation="or">
+				<CommandLine condition="contains any">add-ftp;.UploadFile(</CommandLine>
+				<Image condition="contains any">ftp.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1048,Tactic=Exfiltration,Technique=Exfiltration to Cloud Storage,Level=0,Desc=Webdav Share Mounted" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">davclnt.dll;DavSetCookie</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
+
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
+
+			<!--MITRE ATT&CK TACTIC: Impact-->
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Possible Ransomware Command Detected,Risk=100" groupRelation="and">
+				<Image condition="image">bcdedit.exe</Image>
+				<CommandLine condition="contains">safeboot</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Possible Ransomware Command Detected,Risk=100" groupRelation="and">
+				<Image condition="image">bootcfg.exe</Image>
+				<CommandLine condition="contains">safeboot</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Possible Ransomware Virtual Machine,Risk=60" groupRelation="and">
+				<CommandLine condition="contains any">-startvm;vrun.exe -vm</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with vssadmin Detected,Risk=100" groupRelation="and">
+				<Image condition="image">vssadmin.exe</Image>
+				<CommandLine condition="contains any">delete;resize</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wmic shadowcopy delete Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains all">shadowcopy;delete</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wbadmin.exe</OriginalFileName>
+				<CommandLine condition="contains all">SYSTEMSTATEBACKUP;delete</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wmic shadowstorage Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains">wmic shadowstorage SET MaxSpace=</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Destructive WMIC Commands Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains any">cleareventlog;call disable;nteventlog where filename</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Alert=Data Destruction with diskpart" groupRelation="and">
+				<OriginalFileName condition="contains">diskpart.exe</OriginalFileName>
+				<CommandLine condition="contains any">format;clean;delete;remove</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Alert=Data Destruction with manage-bde.exe" groupRelation="and">
+				<OriginalFileName condition="contains">manage-bde.exe</OriginalFileName>
+				<CommandLine condition="contains any">changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Alert=Data Destruction with manage-bde.wsf" groupRelation="and">
+				<CommandLine condition="contains">manage-bde.wsf</CommandLine>
+				<CommandLine condition="contains any">changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Data Destruction with format" condition="begin with">format </CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Data Destruction with format" condition="begin with">format </CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" condition="contains">bootstatuspolicy ignoreallfailures</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" condition="contains">recoveryenabled No</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with get-wmiobject Detected,Risk=100" condition="contains">Win32_Shadowcopy</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with sdelete Detected,Risk=100" condition="contains">sdelete</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">delete catalog</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">wbadmin delete catalog</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Desc=Data Destruction with erase Detected,Risk=100" condition="contains">erase</CommandLine>
+			<CommandLine name="Level=0,Desc=vShadow Commands! https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/" condition="contains">-nw -exec=</CommandLine><!-- vshadow -->
+			<CommandLine name="Level=0,Desc=vShadow Commands! https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/" condition="contains">-p -nw</CommandLine><!-- vshadow -->
+			<Image name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with shred Detected,Risk=100" condition="contains">shred</Image>
+			<ParentImage name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Diskshadow Execution,Risk=70" condition="contains">diskshadow</ParentImage>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=File Deletion,Risk=100" groupRelation="or">
+				<CommandLine condition="contains all"> del ; /f </CommandLine>
+				<CommandLine condition="contains all"> del ; -f </CommandLine>
+				<CommandLine condition="contains all"> rmdir ; /s ; /q </CommandLine>
+				<CommandLine condition="contains all"> rmdir ; -s ; -q </CommandLine>
+				<CommandLine condition="contains all"> rd ; /s ; /q </CommandLine>
+				<CommandLine condition="contains all"> rd ; -s ; -q </CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
+			<CommandLine name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=3,Alert=Potential Ransomware indicator" condition="contains">usn deletejournal</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
+			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
+			<Rule name="Attack=T1107,Technique=File Deletion,Tactic=Defense Evasion,Level=3,Alert=FSUtil USN Journal Deletion,Risk=60" groupRelation="and">
+				<Image condition="image">fsutil.exe</Image>
+				<CommandLine condition="contains">deletejournal</CommandLine>
+				<CommandLine condition="contains">usn</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
+			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
+			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
+			<!--Malicious Keywords Credits: Sean Metcalf (source), Florian Roth (rule)-->
+			<CommandLine name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,Level=4,Alert=Malicious Keywords from Exploitation Frameworks" condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
+			<!--Crypto Currency Miner Detections-->
+			<Rule name="Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
+				<CommandLine condition="contains any">ahashpool;blazepool;blockmasters;blockmasterscoins;ccminer;cgminer;coinhive;hashrefinery;minergate;miningpoolhubcoins;nicehash;poolname;poolpassword;poolurl;rainbowminer;sgminer;stratum+tcp;xmrMiner;xmrig;yiimp;zergpool;zergpoolcoins;zpool</CommandLine>
+				<Description condition="contains any">CPU miner;GPU miner;Lime Miner;XMRig CPU miner; miner</Description>
+			</Rule>
+			<!--Malware Hashes-->
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst hashes,Risk=100" groupRelation="and">
+				<Hashes condition="contains any">b91ce2fa41029f6955bff20079468448;02af7cec58b9a5da1c542b5a32151ba1;2c4a910a1299cdae2a4e55988a2f102e;846e27a652a5e1bfbd0ddd38a16dc865;4f2eb62fa529c0283b28d05ddd311fae;56ceb6d0011d87b6e4d7023d7ef85676</Hashes>
+			</Rule>
+			<Hashes condition="end with" name="Level=0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
+			<Hashes condition="end with" name="Level=0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
+			<Hashes condition="end with" name="Level=0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
+			<Hashes name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=4,Alert=Generic APT Hash Detection,Risk=100" condition="contains any">4a069c1abe5aca148d5a8fdabc26751e;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;a4b42c2c95d1f2ff12171a01c86cd64f;98908ce6f80ecc48628c8d2bf5b2a50c;849a2b0dc80aeca3d175c139efe5221c;807d86da63f0db1fc746d1f0b05bc357;322cb39bc049aa69136925137906d855;86A4CAC227078B9C95C560C8F0370BF0;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;eac3e3ece94bc84e922ec077efb15edd;b4abe604916c04fe3dd8b9cb3d501d3f;88777aacd5f16599547926a4c9202862;128CECC59C91C0D0574BC1075FE7CB40;17a36ac3e31f3a18936552aff2c80249;0f49621b06f2cdaac8850c6e9581a594;3d129263f6a48647f103a04446fb0c2f;71345b139166482acaa568ac8816c7bc;1b60021baedc3f9201bcdb40e9b87f62;5E022694C0DBD1FBBC263D608E577949;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;37cd353621b0f4fc6981b50071c94f01;daf2da52475fd8981b19ec3c321a983c;afcdf79be1557326c854b6e20cb900a7;2f40abbb4f78e77745f0e657a19903fc953cc664;37b4496e650b3994312c838435013560b3ca8571;478dc5a5f934c62a9246f7d1fc275868f568bc07;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;0ac48cfa2ff8351365e99c1d26e082ad;0e9afd3a870906ebf34a0b66d8b07435;1aadf739782afcae6d1c3e4d1f315cbd;2a6f7ec77ab6bd4297e7b15ae06e2e61;3a771efb7ba2cd0df247ab570e1408b2;3d75c72144d873b3c1c4977fbafe9184;3dfebce4703f30eed713d795b90538b5;3ffd2915d285ad748202469d4a04e1f5;4e39620afca6f60bb30e031ddc5a4330;6cfd131fef548fcd60fbcdb59317df8e;7bcd736a2394fc49f3e27b3987cce640;7bfba2c69bed6b160261bdbf2b826401;7bfbd72441e1f2ed48fbc0f33be00f24;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;08e82dc7bae524884b7dc2134942aadb;8da15a97eaf69ff7ee184fc446f19cf1;9ad6fa6fdedb2df8055b3d30bd6f64f1;9c115e9a81d25f9d88e7aaa4313d9a8f;16ab79fb2fd92db0b1f38bedb2f02ed8;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;22d142f11cf2a30ea4953e1fffb0fa7e;36db24006e2b492cafb75f2663f241b2;51a7068640af42c3a7c1b94f1c11ab9d;69a19abf5ba56ee07cdd3425b07cf8bf;72dc98449b45a7f1ccdef27d51e31e91;77a745b07d9c453650dd7f683b02b3ed;80c37e062aa4c94697f287352acf2e9d;92f8e3f0f1f7cc49fad797a62a169acd;235d427f94630575a4ea4bff180ecf5d;320b2f1d9551b5d1df4fb19bd9ab253a;490a140093b5870a47edc29f33542fd2;520ee02668a1c7b7c262708e12b1ba6b;649ef1dd4a5411d3afcf108d57ff87af;684eca6b62d69ce899a3ec3bb04d0a5b;815f1f8a7bc1e6f94cb5c416e381a110;0969b2b399a8d4cd2d751824d0d842b4;2317d65da4639f4246de200650a70753;04078ef95a70a04e95bda06cc7bec3fa;8035a8a143765551ca7db4bc5efb5dfd;8403a28e0bffa9cc085e7b662d0d5412;9003cfaac523e94d5479dc6a10575e60;9793afcea43110610757bd3b800de517;27612cb03c89158225ca201721ea1aad;44619a88a6cff63523163c6a4cf375dd;061089d8cb0ca58e660ce2e433a689b3;81229c1e272218eeda14892fa8425883;84730a6e426fbd3cf6b821c59674c8a0;533340c54bd25256873b3dca34d7f74e;57314359df11ffdf476f809671ec0275;99828721ac1a0e32e4582c3f615d6e57;412956675fbc3f8c51f438c1abc100eb;5985087678414143d33ffc6e8863b887;a43d3b31575846fa4c3992b4143a06da;a571660c9cf1696a2f4689b2007a12c7;b4e67706103c3b8ee148394ebee3f268;b9c208ea8115232bfd9ec2c62f32d6b8;b9cf4301b7b186a75e82a04e87b30fe4;b72737b464e50aa3664321e8e001ff32;bfe3f6a79cad5b9c642bb56f8037c43b;c0e72eb4c9f897410c795c1b360090ef;c1e7850da5604e081b9647b58248d7e8;c3e255888211d74cc6e3fb66b69bbffb;cacaa3bf3b2801956318251db5e90f3c;cdb303f61a47720c7a8c5086e6b2a743;ce8ce92fb6565181572dce00d69c24f8;d8f1356bebda9e77f480a6a60eab36bb;d9e9f22988d43d73d79db6ee178d70a4;d5377dc1821c935302c065ad8432c0d2;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;f559c87b4a14a4be1bd84df6553aaf56;fc53f2cd780cd3a01a4299b8445f8511;ffc7305cb24c1955f9625e525d58aeee</Hashes>
+			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=4,Alert=Windows Credential Editor Detection,Risk=70" condition="contains any">e96a73c7bf33a464c510ede582318bf2;a53a02b997935fd8eedcb5f7abab9b9f</Hashes>
+			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Ransomware Hash Detection,Risk=100" condition="contains any">d326e629a90e78825645963b35e53a6a;c579341f86f7e962719c7113943bb6e4;dc5733c013378fa418d13773f5bfe6f1;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc7e564809d6c2a2f3457c3c9b91f22b;FE2CA1BE3BDA2A757036A89E54CC02DB;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b</Hashes>
+			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Ursniff Bank Malware,Risk=100" condition="contains">53841a0c6a3ff92976db08bfdf95e083</Hashes>
+			<!--UEBA Activities-->
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Zoom: passwordless meeting Start,Risk=30" groupRelation="and">
+				<CommandLine condition="contains">zoommtg</CommandLine>
+				<CommandLine condition="excludes">pwd=</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Zoom: Video and Audio Session Start" groupRelation="and">
+				<CommandLine condition="contains">zoommtg</CommandLine>
+				<CommandLine condition="contains">zc=0</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Zoom: Screen Share,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">zoommtg</CommandLine>
+				<CommandLine condition="contains">zc=1</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Microsoft Teams URL clicked" groupRelation="and">
+				<CommandLine condition="contains">msteams:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Webex URL clicked" groupRelation="and">
+				<CommandLine condition="contains">wbx:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Executed files within Downloads,Risk=30" groupRelation="and">
+				<Image condition="contains">C:\Users\</Image>
+				<Image condition="contains">\Downloads\</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Executed files within Outlook Attachments,Risk=30" groupRelation="and">
+				<Image condition="contains">C:\Users\</Image>
+				<Image condition="contains">Content.Outlook</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Executed files on Desktop,Risk=10" groupRelation="and">
+				<Image condition="contains">C:\Users\</Image>
+				<Image condition="contains">\Desktop\</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Linux tools installed on windows,Risk=30" groupRelation="and">
+				<Image condition="contains any">\awk.exe;\sed.exe</Image>
+			</Rule>
+			<CommandLine condition="contains">listena</CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=LOLBins" condition="contains any">-s -n -u -i:http:</CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=LOLBins" condition="contains any">/s /n /u /i:http:</CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">assoc </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">del </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">expand </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">md </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">move </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">rd </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">ren </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">set </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">setx </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="contains any">bginfo.bgi /popup /nolicprompt;bginfo.bgi -popup -nolicprompt</CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="image">find.exe</CommandLine>
+			<CommandLine name="Attack=T1595,Technique=Hacking,Tactic=Execution,Level=3,Alert=FireEye/Fin6 Hacking tools" condition="contains">grabff</CommandLine>
+			<CommandLine name="Attack=T1595,Technique=Hacking,Tactic=Execution,Level=3,Alert=FireEye/Fin6 Hacking tools" condition="contains">routerscan</CommandLine>
+			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=3,Alert=Hacking with python,Risk=70" condition="contains">pythonEngine.Execute</CommandLine>
+			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=4,Alert=Hacking with session hijacking,Risk=100" condition="contains">sesshijack</CommandLine>
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=File Protocol Handler Execution" condition="contains">file://</CommandLine>
+			<Description name="Level=0,Desc=HTML APP Host" condition="end with">HTML Application host</Description>
+			<Description name="Level=0,Desc=Manager Profile Installer" condition="end with">Manager Profile Installer</Description>
+			<Description name="Level=0,Desc=Microsoft Application Virtualization Injector" condition="contains">Microsoft Application Virtualization Injector</Description>
+			<Description name="Level=0,Desc=App Compat Database installer" condition="contains">Application Compatibility Database Installer</Description>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">popd.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">pushd.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">subst.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=detect aliases" condition="image">doskey.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=detect cls in batch scripts" condition="image">cls.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=UNC\Device Launches - Image begins with \,Risk=10" condition="begin with">\</Image> 
+			<Image name="Level=0,Desc=Auditpol System Audit Policy Change - Should be set via group policy instead" condition="image">auditpol.exe</Image><!-- Auditpol-->
+			<ParentCommandLine name="Level=0,Desc=IIS Child Processes" condition="begin with">C:\Windows\system32\svchost.exe -k iissvcs</ParentCommandLine>
+			<ParentImage name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=UNC\Device Launches - Parent Image begins with \,Risk=10" condition="begin with">\</ParentImage> 
+			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Acrobat" condition="image">acrobat.exe</ParentImage>
+			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Adobe Reader" condition="image">acrord32.exe</ParentImage>
+			<ParentImage name="Level=0,Desc=Process Spawned from JAVA" condition="image">java.exe</ParentImage>
+			<ParentImage name="Level=0,Desc=Process Spawned from JAVA" condition="image">javaw.exe</ParentImage>
 			<!--Detect Output Redirection-->
-			<CommandLine name="Alert=Output Redirection" condition="contains">2></CommandLine>
-			<CommandLine name="Alert=Output Redirection" condition="contains">&lt;</CommandLine>
-			<CommandLine name="Alert=Output Redirection" condition="contains">&gt;</CommandLine>
-			<CommandLine name="Alert=Output Redirection" condition="contains">^</CommandLine>
-	  		<!--                                                                                                                                            -->
+			<CommandLine name="Level=0,Desc=Output Redirection" condition="contains">2></CommandLine>
+			<CommandLine name="Level=0,Desc=Output Redirection" condition="contains">&gt;</CommandLine>
+			<CommandLine name="Level=0,Desc=Output Redirection" condition="contains">&lt;</CommandLine>
 			<!--Detect Multiple Commands-->
-			<CommandLine name="Alert=Multiple Commands" condition="contains">&amp;</CommandLine>
-			<CommandLine name="Alert=Multiple Commands" condition="contains">;</CommandLine>
-			<CommandLine name="Alert=Command Pipe" condition="contains">|</CommandLine>
-			<CommandLine name="Alert=interactive command to slow output" condition="contains">more</CommandLine>
-			<CommandLine name="Alert=Commands run from \\tsclient share ie: samsam ransomware" condition="contains">\\tsclient</CommandLine>
-			<CommandLine name="Alert=DotDot Dirs" condition="contains">..</CommandLine>
-	  		<!--Hacking Command Line Events-->
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">wmic shadowcopy delete</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">wbadmin delete catalog</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation,Note=BCDEdit disabling auto repair" condition="contains">/set {default} recoveryenabled no</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">telnet</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">-dumpcr</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">putty</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">bash.exe</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">pssh</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">sdelete</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">shareenum</CommandLine>
-			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">sekurlsa</CommandLine>
-			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">reg SAVE</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DllInjection</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Shellcode</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-WmiCommand</CommandLine>
-			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-GPPPassword</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Keystrokes</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-TimedScreenshot</CommandLine>
-			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VaultCredential</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-CredentialInjection</CommandLine>
-			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">mimikatz</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-NinjaCopy</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-TokenManipulation</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Out-Minidump</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">VolumeShadowCopyTools</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ReflectivePEInjection</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-UserHunter</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Find-GPOLocation</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ACLScanner</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DowngradeAccount</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ServiceUnquoted</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ServiceFilePermission</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ServicePermission</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ServiceAbuse</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Install-ServiceBinary</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-RegAutoLogon</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VulnAutoRun</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VulnSchTask</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-UnattendedInstallFile</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-WebConfig</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ApplicationHost</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-RegAlwaysInstallElevated</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Unconstrained</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-RegBackdoor</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-ScrnSaveBackdoor</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Gupt-Backdoor</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ADSBackdoor</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Enabled-DuplicateToken</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PsUaCme</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Remove-Update</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Check-VM</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-LSASecret</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-PassHashes</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Show-TargetScreen</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Port-Scan</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">netscan</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">psscan</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PoshRatHttp</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PowerShellTCP</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PowerShellWMI</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-Exfiltration</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-Persistence</CommandLine>
-			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Do-Exfiltration</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Start-CaptureServer</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DllInjection</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ReflectivePEInjection</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ShellCode</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ChromeDump</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ClipboardContents</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-FoxDump</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-IndexedItem</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Keystrokes</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Screenshot</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Inveigh</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-NetRipper</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-NinjaCopy</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Out-Minidump</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-EgressCheck</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PSInject</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-RunAs</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">MailRaider</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">New-HoneyHash</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Set-MacAttribute</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VaultCredential</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DCSync</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PowerDump</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-TokenManipulation</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Exploit-Jboss</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ThunderStruck</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-VoiceTroll</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Set-Wallpaper</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-InveighRelay</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PsExec</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-SSHCommand</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-SecurityPackages</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Install-SSP</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-BackdoorLNK</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerBreach</CommandLine>
-			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-GPPPassword</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-SiteListPassword</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-System</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">BypassUAC</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Tater</CommandLine>
-			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerUp</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerView</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-RickAstley</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Find-Fruit</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">HTTP-Login</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Find-TrustedDocuments</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Paranoia</CommandLine>
-			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-WinEnum</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ARPScan</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ReverseDNSLookup</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">smbscanner</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-FruityC2</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Stager</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">process call create</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">call set priority</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">call terminate</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events/WMIC product listing,Tactic=Privilege Escalation" condition="contains">product get name</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events/WMIC bios serial query,Tactic=Privilege Escalation" condition="contains">bios, get serialNumber</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events/WMIC query vmware,Tactic=Privilege Escalation" condition="contains">onboarddevice get</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events/WMIC User Modifications,Tactic=Privilege Escalation" condition="contains">useraccount where name</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events/WMIC Eventlog modifications,Tactic=Privilege Escalation" condition="contains">nteventlog where filename</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events/WMIC Eventlog modifications,Tactic=Privilege Escalation" condition="contains">cleareventlog</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">root\\default</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">FilterToConsumerBinding</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">root\\subscription</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Win32_TaskService</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Win32_TaskService</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">stratum+tcp</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">-donate-level=</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Wmiclass</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">WmiCl'+'as'+'s</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">ntdsutil</CommandLine>
-			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">mimiauth</CommandLine>
-			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Powersploit</CommandLine>
-			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Mimikittenz</CommandLine>
-			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">-ma lsass.exe</CommandLine>
-			<Image name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">ProcDump.exe</Image>
-			<!--Malicious Keywords Credits: Sean Metcalf (source), Florian Roth (rule)-->
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">AdjustTokenPrivileges</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">IMAGE_NT_OPTIONAL_HDR64_MAGIC</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Management.Automation.RuntimeException</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Microsoft.Win32.UnsafeNativeMethods</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">ReadProcessMemory.Invoke</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Runtime.InteropServices</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">SE_PRIVILEGE_ENABLED</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">System.Security.Cryptography</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">System.Runtime.InteropServices</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">LSA_UNICODE_STRING</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">MiniDumpWriteDump</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">PAGE_EXECUTE_READ</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Net.Sockets.SocketFlags</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Reflection.Assembly</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">SECURITY_DELEGATION</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ADJUST_PRIVILEGES</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ALL_ACCESS</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ASSIGN_PRIMARY</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_DUPLICATE</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ELEVATION</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_IMPERSONATE</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_INFORMATION_CLASS</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_PRIVILEGES</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_QUERY</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Metasploit</CommandLine>
-			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Mimikatz</CommandLine>
-			<!--Malware IOC's-->
-			<CommandLine name="Alert=Potential Ransomware indicator" condition="contains">usn deletejournal</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">^h^t^t^p</CommandLine>
-			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">h"t"t"p</CommandLine>
-			<!--Suspicious Windows tools-->
-			<CommandLine name="MitreRef=T1216,Technique=Signed Script Proxy Execution,Tactic=Defense Evasion/Execution" condition="contains">script:http</CommandLine> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
-			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
-			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
-			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
-			<Image condition="image">regsvcs.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ] -->
-			<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Windows Services hidden by Svchost.exe, BITS File Transfer program-->
-			<Image condition="image">mshta.exe</Image>
-			<Image name="Alert=Psexec Utilities" condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
-			<Image name="Alert=PsKill Command" condition="contains">pskill</Image><!--Detect pskill-->
-			<Image name="Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image><!--Detect PsShutdown-->
-			<Image name="Alert=Sysinternals PSService" condition="contains">psservice</Image><!--Detect PsService-->
-			<Image name="Alert=Sysinternals PsPasswd" condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
-			<Image name="Alert=MSBuild Applocker bypass" condition="image">msbuild.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
-			<Image name="Note=MSI Installer Launched" condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
-			<Image name="Note=Remote Desktop" condition="image">mstsc.exe</Image><!-- Remote Desktop -->
-			<Image name="Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image><!-- Telnet -->
-			<Image condition="image">SyncAppvPublishingServer.exe</Image><!--Mitre T1218-->
-			<Image condition="image">Mavinject.exe</Image><!--Mitre T1218-->
-			<Image name="Alert=Secure Shell Execution" condition="image">ssh.exe</Image><!-- SSH -->
-			<Image name="Alert=Secure Shell Execution" condition="image">putty.exe</Image><!-- SSH -->
-			<Image name="Alert=Secure Shell Execution" condition="image">kitty.exe</Image><!-- SSH -->
-			<Image name="Alert=Secure Shell Execution" condition="image">kitty_portable.exe</Image><!-- SSH -->
-			<Image name="Alert=Secure Shell FTP Execution" condition="image">psftp.exe</Image><!-- SFTP -->
-			<Image name="Alert=TFTP Execution" condition="image">tftp.exe</Image><!-- TFTP -->
-			<Image name="Note=WMI Querying" condition="image">wmic.exe</Image><!-- wmic /node logging -->
-			<Image condition="image">nbtstat.exe</Image><!-- Netbios stat-->
-			<Image name="Alert=Driver Querying" condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
-			<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
-			<Image condition="image">sc.exe</Image><!-- Service Control Manager-->
-			<Image condition="image">auditpol.exe</Image><!-- Auditpol-->
-			<Image condition="image">qwinsta.exe</Image><!-- Query Remote Sessions-->
-			<Image condition="image">rwinsta.exe</Image><!-- Reset Remote Sessions-->
-			<Image name="Alert=Linux tools installed on windows" condition="image">curl.exe</Image>
-			<Image name="Alert=Linux tools installed on windows" condition="image">wget.exe</Image>
-			<Image name="Alert=Linux tools installed on windows" condition="image">www.exe</Image>
-			<Image name="Alert=Linux tools installed on windows" condition="image">awk.exe</Image>
-			<Image name="Alert=Linux tools installed on windows" condition="image">sed.exe</Image>
-			<!--SECTION: Crypto Currency Miners-->
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">stratum+tcp</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">coinhive</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">minergate</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">ccminer</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">cgminer</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">sgminer</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">rainbowminer</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">xmrMiner</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolpassword</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolurl</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolname</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">ahashpool</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolname</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">blazepool</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">blockmasters</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">blockmasterscoins</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">hashrefinery</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">miningpoolhubcoins</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">nicehash</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">yiimp</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">zergpool</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">zergpoolcoins</CommandLine>
-			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">zpool</CommandLine>
-			<!--Tor-->
-			<Image condition="image">tor.exe</Image><!-- Tor-->
-			<!--                                                                                                                                            -->
-			<!--Suspicious Command Line Locations-->
-			<Image name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="end with">.com</Image>
-			<Image name="Info=Executables Launched In Temp" condition="contains">\temp\</Image>
-			<Image name="Info=Executables Launched In User Dirs" condition="begin with">C:\users</Image>
-			<ParentImage condition="image">explorer.exe</ParentImage>
-			<Image condition="image">control.exe</Image>
-			<Image condition="image">acrord32.exe</Image>
-			<Image condition="image">installutil.exe</Image>
-			<Image name="Info=Registry modification/queries" condition="image">\reg.exe</Image>
-			<Image name="Info=ipconfig discovery" condition="image">ipconfig.exe</Image>
-			<Image name="Info=Executables Launched In Appdata" condition="contains">\appdata\</Image>
-			<Image condition="contains">\programdata\</Image>
-			<Image condition="contains">\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
-			<Image condition="contains">\ProgramData</Image>
-			<Image condition="contains">\Windows\</Image>
-			<Image condition="contains">\Perflogs\</Image>
-			<Image condition="contains">\config\systemprofile\</Image>
-			<!--Include Everything last to allow rules to apply and to allow previous exclude ruleset to function-->
-			<CommandLine name="Note=Windows Firewall Modifications" condition="contains">netsh advfirewall firewall</CommandLine>
-			<Image condition="contains">\</Image>
-			<CommandLine name="Alert=Windows Defender Disabled" condition="contains">DisableRealtimeMonitoring </CommandLine>
-			<CommandLine name="Alert=Ramnit Banker Malware!" condition="contains">--disable-http2 --disable-quic</CommandLine>
-			<Hashes name="Alert=Ramnit Banker Malware!" condition="contains">291ff87948e45914424cec9510c297da</Hashes><!--Ramnit Banker Malware: https://www.virustotal.com/#/file/7f054300fa64e7bcdec7f5538876e6008d6164f21ff21c6375e36dfe04a63412/details-->
-			<Hashes name="Alert=Ramnit Banker Malware!" condition="contains">304772c80b157a916c7041f2f15939fb</Hashes><!--Ramnit Banker Malware: https://www.virustotal.com/#/file/7f054300fa64e7bcdec7f5538876e6008d6164f21ff21c6375e36dfe04a63412/details-->
-			<Hashes name="Alert=Docusign Spam/Phishing!" condition="contains">5E022694C0DBD1FBBC263D608E577949</Hashes><!--Docusign Spam:https://www.vkremez.com/2018/03/malware-spam-internals-docusign-spam.html -->
-			<Hashes name="Alert=Gootkit Banker Malware!" condition="contains">71345b139166482acaa568ac8816c7bc</Hashes><!--Malware Traffic Internals: BlackTDS Leads to Gootkit Banking Malware Distribution: https://www.vkremez.com/2018/03/3-29-2018-malware-traffic-internals.html-->
-			<Hashes name="Alert=Gootkit Banker Malware!" condition="contains">1b60021baedc3f9201bcdb40e9b87f62</Hashes><!--Malware Traffic Internals: BlackTDS Leads to Gootkit Banking Malware Distribution: https://www.vkremez.com/2018/03/3-29-2018-malware-traffic-internals.html-->
-			<Hashes name="Alert=Gootkit Banker Malware!" condition="contains">c7c8d584758854bbe0d8e64ef53ae1a8</Hashes><!--Malware Traffic Internals: BlackTDS Leads to Gootkit Banking Malware Distribution: https://www.vkremez.com/2018/03/3-29-2018-malware-traffic-internals.html-->
+			<Rule  name="Level=0,Desc=SVCHost Processes" groupRelation="and">
+				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
+			</Rule>
+			<Image name="Attack=T1222,Technique=File Permissions Modification,Level=0,Desc=Permission Modifications with icacls or cacls" condition="contains">cacls</Image>
+			<Image name="Attack=T1222,Technique=File Permissions Modification,Level=0,Desc=Ownership Permission Modifications with takeown" condition="contains">takeown</Image>
+			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
+			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: Pipe">\pipe\</CommandLine>
+			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
+			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
+			<CommandLine name="Level=3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
+			<CommandLine name="Level=3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
+			<CommandLine name="Level=3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
+			<CommandLine name="Level=0,Desc=Execution from \\tsclient share" condition="contains">\\tsclient</CommandLine>
+			<CommandLine name="Level=0,Desc=Processor ARCH command Line" condition="contains">%PROCESSOR_ARCHITECTURE%</CommandLine>
+			<CommandLine name="Level=0,Desc=SysNative detected" condition="contains">sysnative</CommandLine>
+			<Description name="Level=0,Desc=AutoIT Application Detected" condition="contains">AutoIt</Description>
+			<Description name="Level=0,Desc=Windows Filter loader" condition="contains">Microsoft Filter Loader</Description> 
+			<Image name="Level=3,Alert=interactive command to slow output" condition="is">more.com</Image>
+			<Image name="Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</Image>
+			<Image name="Level=0,Desc=Acrobat Reader Launches" condition="image">acrord32.exe</Image>
+			<Image name="Level=0,Desc=Gpupdate Launched" condition="image">gpupdate.exe</Image>
+			<ParentImage name="Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
+			<!-- Log other command line events, this sometimes conflicts with rules, add to exclusions as necessary-->
+			<Rule name="Information=Uncategorized Events" groupRelation="and">
+				<ParentCommandLine condition="contains any">/;\;-;unknown</ParentCommandLine>
+				<ParentImage condition="excludes any">explorer.exe;rundll32.exe</ParentImage>
+				<ParentCommandLine condition="excludes">Appinfo</ParentCommandLine>
+				<ParentCommandLine condition="excludes">DcomLaunch</ParentCommandLine>
+				<ParentCommandLine condition="excludes">JABzA</ParentCommandLine>
+				<ParentCommandLine condition="excludes">RemoteRegistry</ParentCommandLine>
+				<ParentCommandLine condition="excludes">comspec</ParentCommandLine>
+				<ParentCommandLine condition="excludes">iissvcs</ParentCommandLine>
+				<ParentCommandLine condition="excludes">mshta</ParentCommandLine>
+				<ParentCommandLine condition="excludes">nessus</ParentCommandLine>
+				<Image condition="excludes any">rundll32.exe</Image>
+			</Rule>
 		</ProcessCreate>
+	</RuleGroup>
+	<RuleGroup name="RG=Process Create Exclude Group" groupRelation="or">
 		<ProcessCreate onmatch="exclude">
-			<!--SECTION: Microsoft Windows-->
-			<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes-->
-			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
-			<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine> <!--Microsoft:Windows: Search Indexer-->
-			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
-			<Image condition="is">C:\Windows\System32\MusNotification.exe</Image> <!--Microsoft:Windows: Update popups-->
-			<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image> <!--Microsoft:Windows: Update popups-->
-			<Image condition="is">C:\Windows\System32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly-->
-			<Image condition="is">C:\Windows\System32\conhost.exe</Image> <!--Microsoft:Windows: Command line interface host process-->
-			<Image condition="is">C:\Windows\System32\powercfg.exe</Image> <!--Microsoft:Power configuration management-->
-			<Image condition="is">C:\Windows\System32\wbem\WmiApSrv.exe</Image> <!--Microsoft:Windows: WMI performance adpater host process-->
-			<Image condition="is">C:\Windows\servicing\TrustedInstaller.exe</Image> <!--Microsoft:Windows: TrustedInstaller-->
-			<Image condition="is">C:\Windows\system32\sppsvc.exe</Image> <!--Microsoft:Windows: Software Protection Service-->
-			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
-			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
-			<ParentCommandLine condition="begin with">C:\Windows\system32\svchost.exe -k DcomLaunch</ParentCommandLine> <!--Microsoft:Windows-->
-			<ParentCommandLine condition="contains">\SystemRoot\System32\smss.exe 00000100 0000007c</ParentCommandLine> <!--Microsoft:Windows 10 Noise-->
-			<CommandLine condition="contains">\SystemRoot\System32\smss.exe 00000100 0000007c</CommandLine> <!--Microsoft:Windows 10 Noise-->
-			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font Cache Service-->
-			<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but without attribution-->
-			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
-			<Image condition="is">C:\Windows\system32\vssvc.exe</Image><!-- Microsoft Windows: Volume Shadow Copy Service -->
-			<CommandLine condition="contains">net.exe use</CommandLine> <!-- Silence domain login scripts -->
-			<CommandLine condition="contains">net use</CommandLine> <!-- Silence domain login scripts -->
-			<CommandLine condition="contains">net1 use</CommandLine> <!-- Silence domain login scripts -->
-			<CommandLine condition="contains">net.exe time</CommandLine> <!-- Silence domain login scripts -->
-			<CommandLine condition="contains">net time</CommandLine> <!-- Silence domain login scripts -->
-			<CommandLine condition="contains">net1 time</CommandLine> <!-- Silence domain login scripts -->
-			<!--SECTION: Microsoft:Windows:Defender-->
-			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
-			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
-			<Image condition="is">C:\Windows\System32\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
-			<Image condition="is">C:\Windows\SysWOW64\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
-			<Image condition="is">C:\Windows\System32\MpSigStub.exe</Image> <!--Microsoft:Windows: Microsoft Malware Protection Signature Update Stub-->
-			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
-			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Engine</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
-			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Base</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
-			<Image condition="is">C:\Windows\System32\MusNotification.exe</Image><!--Microsoft:Windows: Update Popups-->
-			<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image><!--Microsoft:Windows: Update Popups-->
-			<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine><!--Microsoft:Windows: Search Indexer-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wsappx</CommandLine><!--Microsoft:Windows 10-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k appmodel</CommandLine><!--Microsoft:Windows 10-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k UnistackSvcGroup</CommandLine><!--Microsoft:Windows 10-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k defragsvc</CommandLine><!--Microsoft:Windows Defrag-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k RPCSS</CommandLine><!--Microsoft:Windows Services-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k utcsvc</CommandLine><!--Microsoft:Windows Services-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wbioSvcGroup</CommandLine><!--Microsoft:Windows Services-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k DcomLaunch</CommandLine><!--Microsoft:Windows Services-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k swprv</CommandLine><!--Microsoft:Software Shadow Copy Provider-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k imgsvc</CommandLine><!--Microsoft:The Windows Image Acquisition Service-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k NetworkServiceNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNoNetwork</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -p -s NcaSvc</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC</CommandLine> <!--Microsoft:Windows:Network: BitLocker Drive Encryption-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s BITS</CommandLine> <!--Microsoft:Windows:Network: Background Intelligent File Transfer (BITS) -->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc</CommandLine> <!--Microsoft:Windows: Network services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s SENS</CommandLine> <!--Microsoft:Windows: Network services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv</CommandLine> <!--Microsoft:Windows: Network services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s Themes</CommandLine> <!--Microsoft:Windows: Network services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt</CommandLine> <!--Microsoft:Windows: Windows Management Instrumentation (WMI) -->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s gpsvc</CommandLine> <!--Microsoft:Windows:Network: Group Policy -->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs</CommandLine> <!--Microsoft:Windows: Network services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s Dnscache</CommandLine> <!--Microsoft:Windows:Network: DNS caching, other uses -->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation</CommandLine> <!--Microsoft:Windows:Network: "Workstation" service, used for SMB file-sharing connections and RDP-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s NlaSvc</CommandLine> <!--Microsoft:Windows:Network: Network Location Awareness-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s TermService</CommandLine> <!--Microsoft:Windows:Network: Terminal Services (RDP)-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService</CommandLine> <!--Microsoft:Windows: Network services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k rPCSS</CommandLine> <!--Microsoft:Windows Services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k secsvcs</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k swprv</CommandLine> <!--Microsoft:Software Shadow Copy Provider-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k unistackSvcGroup</CommandLine> <!--Microsoft:Windows 10-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k utcsvc</CommandLine> <!--Microsoft:Windows Services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wbioSvcGroup</CommandLine> <!--Microsoft:Windows Services-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k werSvcGroup</CommandLine> <!--Microsoft:Windows: ErrorReporting-->
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC</CommandLine>
-			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wsappx</CommandLine> <!--Microsoft:Windows 10-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation</CommandLine><!--Microsoft:Windows Network Services-->
-			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k NetworkService</CommandLine><!--Microsoft:Windows Network Services-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</CommandLine><!--Microsoft:Windows Network Services-->
-			<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k GPSvcGroup</CommandLine><!--Microsoft:Windows Network Services-->
-			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k tapisrv</CommandLine><!--Microsoft:Windows Network Services-->
-			<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k wsappx</ParentCommandLine> <!-- Windows 10 AppX Deployment Noise -->
-			<ParentCommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</ParentCommandLine><!--Microsoft:Windows Network Services: Spawns Consent.exe-->
-			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted</ParentCommandLine><!--Microsoft:Windows Network Services-->
-			<Image condition="is">C:\Windows\System32\powercfg.exe</Image><!--Microsoft:Power Management-->
-			<ParentImage condition="is">C:\Windows\System32\taskeng.exe</ParentImage><!--Microsoft:Scheduled Task noise, we already detect creation-->
-			<!--SECTION: Microsoft dotNet-->
-			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
-			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
-			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font cache service-->
-			<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
-			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
-			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
-			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
-			<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine> <!--Microsoft:DotNet-->
-			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
-			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
-			<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
-			<!--SECTION: Microsoft Office-->
-			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process-->
-			<ParentImage condition="end with">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process-->
-			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> <!--Microsoft:Office: Background process-->
-			<Image condition="is">C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
-			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
-			<Image condition="is">C:\Program Files\Microsoft Office\Office15\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
-			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
-			<Image condition="is">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
-			<Image condition="is">C:\Windows\splwow64.exe</Image> <!--Microsoft:Office: Print Driver Host spam -->
-			<!--SECTION: Microsoft:Windows: Media player-->
-			<Image condition="is">C:\Program Files\Windows Media Player\wmpnscfg.exe</Image> <!--Microsoft:Windows: Windows Media Player Network Sharing Service Configuration Application-->
-			<!--SECTION: Microsoft Exchange-->
-			<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe</ParentImage>
-			<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</ParentImage>
-			<CommandLine condition="contains">C:\Program Files\Microsoft\Exchange Server\V14\Scripts\CheckDatabaseRedundancy.ps1</CommandLine>
-			<!--SECTION: Microsoft Misc-->
-			<Image condition="is">C:\Windows\System32\ddpcli.exe</Image> <!--Scheduled dedupe jobs on server 2012-->
-			<!--SECTION: Google-->
-			<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
-			<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
-			<Image condition="begin with">C:\Program Files (x86)\Google\Update\</Image> <!--Google:Chrome: Updater-->
-			<ParentImage condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage> <!--Google:Chrome: Updater-->
-			<!--SECTION: Firefox-->
-			<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
-			<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
-			<!--SECTION: Adobe-->
-			<CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!--Adobe:AcrobatReader: Uninsteresting sandbox subprocess-->
-			<CommandLine condition="contains">AcroRd32.exe" --channel=</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
-			<CommandLine condition="contains">"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /id</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
-			<CommandLine condition="contains">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /ac /id</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
-			<ParentCommandLine condition="contains">"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id</ParentCommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
-			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image>
-			<!--SECTION: Adobe:Acrobat DC-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
-			<!--SECTION: Adobe:Acrobat 2015-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
-			<!--SECTION: Adobe:Acrobat Reader DC-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
-			<!--SECTION: Adobe:Flash-->
-			<Image condition="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
-			<!--SECTION: Adobe:Updater-->
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
-			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</ParentImage> <!--Adobe:Updater: Properly hardened updater, not a risk-->
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
-			<!--SECTION: Adobe:Supporting processes-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe</Image>
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image>
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> <!--Adobe:Creative Cloud-->
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image> <!--Adobe:License utility-->
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</Image> <!--Adobe:License utility-->
-			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</ParentImage> <!--Adobe:License utility-->
-			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image>
-			<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</ParentImage>
-			<!--SECTION: Adobe:Creative Cloud-->
-			<!--SECTION: Cisco-->
-			<ParentImage condition="end with">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</ParentImage> <!--Cisco: Calls netsh to change settings on connect-->
-			<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
-			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
-			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage>
-			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe</ParentImage>
-			<!--SECTION: Drivers-->
-			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
-			<Image condition="begin with">C:\Program Files\NVIDIA Corporation\</Image> <!--Nvidia:Driver: routine actions-->
-			<Image condition="end with">\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe</Image> <!--Nvidia:Driver: routine actions-->
-			<ParentImage condition="is">C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamuseragent.exe</ParentImage> <!--Nvidia:Driver: routine actions-->
-			<Image condition="begin with">C:\Program Files\Realtek\</Image> <!--Realtek:Driver: routine actions-->
-			<ParentImage condition="end with">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage>
-			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
-			<ParentImage condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</ParentImage><!--Synaptics Touchpad -->
-			<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
-			<!--SECTION: Dropbox-->
-			<Image condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> <!--Dropbox:Updater: Lots of command-line arguments-->
-			<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
-			<!--SECTION: Dell-->
-			<ParentImage condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
-			<Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image> <!--Dell:SupportAssist: routine actions-->
-			<Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image> <!--Dell:SupportAssist: routine actions-->
-			<ParentCommandLine condition="end with">"-outc=C:\ProgramData\Dell\CommandUpdate\inventory.xml" "-logc=C:\ProgramData\Dell\CommandUpdate\scanerrs.xml" "-lang=en" "-enc=UTF-16" </ParentCommandLine>			
-			<!-- <ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> --> <!--Dell:CommandUpdate: Detection process-->
-			<!--SECTION: Lenovo-->
-			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\ConfigService.exe</Image> <!--Lenovo: System Update-->
-			<ParentImage condition="is">C:\PROGRA~3\Lenovo\SYSTEM~1\SESSIO~1\REPOSI~1\fwdphb06\fwdphb06_version.exe</ParentImage><!--Lenovo: System Update-->
-			<Image condition="is">C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe</Image><!--Lenovo: Thinkpad Utilities-->
-			<Image condition="is">C:\Windows\system32\LPlatSvc.exe</Image> <!--Lenovo: Platform Services-->
-			<ParentImage condition="is">C:\Program Files\Lenovo\HOTKEY\tphkload.exe</ParentImage><!--Lenovo: Hotkey Tools-->
-			<ParentImage condition="is">C:\Program Files\Lenovo\HOTKEY\micmute.exe</ParentImage><!--Lenovo: Hotkey Tools-->
-			<Image condition="is">C:\Program Files\Lenovo\InstantOn\InstantOnSrv.exe</Image> <!--Lenovo: Instant-On-->
-			<Image condition="is">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelService.exe</Image> <!--Lenovo: Mouse Suite-->
-			<Image condition="is">C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</Image> <!--Lenovo: Modern Apps Plugin Host-->
-			<ParentCommandLine condition="contains">C:\Program Files\Lenovo\iMController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</ParentCommandLine> <!--Lenovo: Modern Apps Plugin Host-->
-			<ParentCommandLine condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsukernel.exe</ParentCommandLine> <!--Lenovo: System Update-->
-			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\UACSdk.exe</ParentImage> <!--Lenovo: System Update-->
-			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\SUService.exe</ParentImage> <!--Lenovo: System Update-->
-			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard &amp; Mouse\Pelico.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
-			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard &amp; Mouse\LeDaemon.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
-			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
-			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelElvDm.exe</ParentImage>
-			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsuShim.exe</ParentImage>
-			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsu.exe</ParentImage>
-			<Image condition="contains">C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe</Image>
-			<!--SECTION: MSI: Micro-Star International Computers-->
-			<ParentImage condition="is">C:\Program Files (x86)\SCM\SCM.exe</ParentImage><!--MSI: Hotkey & Power Management-->
-			<Image condition="is">C:\Program Files (x86)\SCM\SCM_Notice.exe</Image><!--MSI: Hotkey & Power Management-->
-			<Image condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</Image><!-- MSI: Helpdesk Updater-->
-			<ParentImage condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</ParentImage><!-- MSI: Helpdesk Updater-->
-			<Image condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</Image><!-- MSI: Dragon Center Updater-->
-			<ParentImage condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</ParentImage><!-- MSI: Dragon Center Updater-->
-			<!--SECTION: Intel-->
-			<Image condition="is">C:\Program Files\Intel\Telemetry 2.0\lrio.exe</Image> <!--Intel: Telemetry-->
-			<Image condition="is">C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe</Image> <!--Intel: Driver Update-->
-			<Image condition="is">C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxCUIService.exe</Image><!--Intel: Graphics Driver-->
-			<Image condition="is">C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxEM.exe</Image><!--Intel: Graphics Driver-->
-			<!--SECTION: Antivirus-->
-			<CommandLine condition="begin with">"C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc</CommandLine> <!--Webroot-->
-			<CommandLine condition="contains">C:\Program Files (x86)\Webroot\WRSA.exe" -ul</CommandLine> <!--Webroot-->
-			<ParentCommandLine condition="is">"C:\Program Files (x86)\Webroot\WRSA.exe" -service</ParentCommandLine> <!--Webroot-->
-			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image><!--Webroot-->
-			<!--SECTION: Synaptics Touchpad-->
-			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
-			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe</Image>
-			<!--SECTION: Custom Apps-->
-			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->
-			<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
-			<ParentImage condition="begin with">C:\Program Files (x86)\SmartGit</ParentImage> <!--SmartGit-->
-			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser-->
-			<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--Connectwise-->
-			<!-- VMware vSphere spawns child processes to svtres.exe and csc.exe, currently unable to exclude those child processes, csc and cvtres.exe are used by some malware-->
-			<ParentCommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</ParentCommandLine> <!--VMware vSphere spawns subprocesses-->
-			<CommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</CommandLine><!--VMware vSphere spawns subprocesses-->
-			<ParentImage condition="is">C:\Program Files (x86)\SyncedTool\bin\agent_service.exe</ParentImage><!--eFolder Synced Tool-->
-			<Image condition="is">C:\Program Files (x86)\Notepad++\notepad++.exe</Image><!-- Notepad++ -->
-			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
-			<ParentImage condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</ParentImage> <!--Enpass Password Manager-->
-			<Image condition="contains">C:\Program Files (x86)\Enpass\Enpass.exe</Image> <!--Enpass Password Manager-->
-			<ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
-			<ParentImage condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\scheduler.exe</ParentImage> <!--FortiClient Noise -->
-			<ParentImage condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\FCHelper64.exe</ParentImage> <!--FortiClient Noise -->
-			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image> <!-- Forticlient Updater -->
-			<Image condition="contains">C:\Program Files (x86)\SyncedTool\bin\agent_gui.exe</Image>
-			<Image condition="is">C:\Anchor Server\penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
-			<ParentImage condition="is">C:\Anchor Server\redis\redis-server.exe</ParentImage> <!-- eFolder Anchor Server -->
-			<Image condition="is">C:\Anchor Server\redis\redis-server.exe</Image> <!-- eFolder Anchor Server -->
-			<ParentImage condition="is">C:\PostgreSQL9.1\bin\postgres.exe</ParentImage> <!-- eFolder Anchor Server -->
-			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Anchor Server -->
-			<Image condition="is">C:\ProgramData\sysmon\sysmon64.exe</Image> <!-- Exclude Sysmon Process events -->
-			<!--Exclude: MSPaint.exe-->
-			<Hashes condition="contains">56BFB300BA379181CE09C3130775DFBBCAFF9DB764BDC39086C2FEC2547EE900</Hashes>
-			<!--Exclude: N-Able/N-Central-->
-			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image>
-			<Image condition="is">C:\Program Files\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image>
-			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe</ParentImage>
-			<ParentCommandLine condition="contains">N-able Technologies\Windows Software Probe\bin\wsp.exe</ParentCommandLine>
-			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</ParentImage>
-			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe</ParentImage>			
-			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe</Image>			
-			<ParentImage condition="is">C:\Program Files\N-able Technologies\AVDefender\installer\installer.exe	</ParentImage>
-			<ParentImage condition="is">C:\Program Files\N-able Technologies\AVDefender\epupdateservice.exe</ParentImage>
-			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\ShadowProtectDataReader.exe</ParentImage>
-			<Hashes condition="contains">3070E798134A11ADB01129F06A36CD924267E6DA95DAB2E3196105264D2BF818</Hashes><!--Winlogbeat-->
-			<!--Exclude: Sysmon Auto-Update-->
-			<ParentCommandLine condition="contains">\sysmon\Auto_Update.bat</ParentCommandLine>
-			<CommandLine condition="contains">\sysmon\Auto_Update.bat</CommandLine>
-			<CommandLine condition="contains">ion-storm/sysmon-config</CommandLine>
-			 <!--Exclude: Netlogon scripts-->
-			<ParentCommandLine name="MitreRef=T1037,Technique=Logon Scripts,Tactic=Lateral Movement Persistence" condition="contains">\netlogon\</ParentCommandLine>
-			<CommandLine condition="contains">\netlogon\</CommandLine>
-			<ParentImage condition="is">C:\PROGRA~2\SAAZOD\SAAZMSMACTL.EXE</ParentImage>
-			 <!--Exclude: Too noisy in a domain environment with legacy logon scripts-->
-			<CommandLine condition="contains">net use</CommandLine>
-			<CommandLine condition="contains">net.exe use</CommandLine>
-			<CommandLine condition="contains">net1 use</CommandLine>
-			<CommandLine condition="contains">net1.exe use</CommandLine>
-			<CommandLine condition="contains">net time</CommandLine>
-			<CommandLine condition="contains">net.exe time</CommandLine>
-			<CommandLine condition="contains">net1 time</CommandLine>
-			<CommandLine condition="contains">C:\Windows\system32\cmd.exe /c UsrLogon.cmd</CommandLine>
-			<ParentImage condition="is">C:\Program Files (x86)\MaaS360\Cloud Extender\EMSAgent.exe</ParentImage>
-			<ParentImage condition="is">C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe</ParentImage>
-			<CommandLine condition="contains">chrome.nativeMessaging.out</CommandLine>
+			<Rule name="exclude werfault from wmi" groupRelation="and">
+				<Image condition="image">C:\Windows\System32\WerFault.exe</Image>
+				<ParentImage condition="image">C:\Windows\System32\wbem\WmiPrvSE.exe</ParentImage>
+			</Rule>
 		</ProcessCreate>
-
+	</RuleGroup>
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
-		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1099 ] -->
-
-		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->
+	<RuleGroup name="RG=FileCreateTime Include Group" groupRelation="or">
 		<FileCreateTime onmatch="include">
-			<Image name="MitreRef=T1099,Technique=Timestomp,Tactic=Defense Evasion,Alert=Timestomp/File creation time retroactively changed!" condition="begin with">C:\Users</Image> <!--Look for timestomping in user area-->
-			<Image name="MitreRef=T1099,Technique=Timestomp,Tactic=Defense Evasion,Alert=Timestomp/File creation time retroactively changed!" condition="begin with">C:\ProgramData</Image> <!--Look for timestomping in user area-->
-			<Image name="MitreRef=T1099,Technique=Timestomp,Tactic=Defense Evasion,Alert=Timestomp/File creation time retroactively changed!" condition="contains">\Temp\</Image> <!--Mitre T1099--><!--Look for timestomping in temp folders-->
+			<Image name="Attack=T1070.006,Technique=Timestomp" condition="begin with">C:\Users</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp" condition="begin with">C:\ProgramData</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp" condition="contains">\Temp\</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp" condition="contains">\tmp\</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp" condition="contains">\drivers\</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp" condition="contains">\Download</Image>
 		</FileCreateTime>
-
+	</RuleGroup>
+	<RuleGroup name="RG=FileCreateTime Exclude Group" groupRelation="or">
 		<FileCreateTime onmatch="exclude">
 			<Image condition="image">C:\Windows\system32\backgroundTaskHost.exe</Image>
-			<Image condition="is">TrustedInstaller.exe</Image> <!--Ignore setups-->
-			<Image condition="image">OneDrive.exe</Image> <!--OneDrive constantly changes file times-->
-			<Image condition="image">vivaldi.exe</Image> <!--Vivaldi constantly changes file times-->
-			<Image condition="image">chrome.exe</Image> <!--Chrome constantly changes file times-->
-			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image> <!--Chrome constantly changes file times-->
-			<Image condition="contains">setup</Image> <!--Ignore setups-->
+			<Image condition="image">TrustedInstaller.exe</Image>
+			<Image condition="image">OneDrive.exe</Image>
+			<Image condition="image">vivaldi.exe</Image>
+			<Image condition="image">chrome.exe</Image>
+			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image>
+			<Image condition="contains">setup</Image>
+			<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image>
+			<Image condition="end with">\AppData\Local\Microsoft\Edge SxS\Application\msedge.exe</Image>
 		</FileCreateTime>
-
+	</RuleGroup>
 	<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
-		<!--COMMENT:	By default this configuration takes a very conservative approach to network logging, limited to only extremely high-signal events.-->
-		<!--COMMENT:	[ https://attack.mitre.org/wiki/Command_and_Control ] [ https://attack.mitre.org/wiki/Exfiltration ] [ https://attack.mitre.org/wiki/Lateral_Movement ] -->
-		<!--TECHNICAL:	For the DestinationHostname, Sysmon uses the GetNameInfo API, which will often not have any information, and may just be a CDN. This is NOT reliable for filtering.-->
-		<!--TECHNICAL:	For the DestinationPortName, Sysmon uses the GetNameInfo API for the friendly name of ports you see in logs.-->
-		<!--TECHNICAL:	These exe do not initiate their connections, and thus including does not work in this section: BITSADMIN.exe-->
-
-		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName-->
+	<RuleGroup name="RG=NetworkConnect Include Group" groupRelation="or">
 		<NetworkConnect onmatch="include">
-			<!--Suspicious sources for network-connecting binaries-->
-			<Image condition="begin with">C:\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
-			<Image name="Alert=Temp file location network connection,suspicious_net_event=True" condition="contains">\temp\</Image> <!--Network Connection in Temp Directories-->
-			<Image name="Alert=Network connection in Recycle Bin,suspicious_net_event=True" condition="contains">$RECYCLE.BIN</Image> <!--Network Connection in Temp Directories-->
-			<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
-			<Image condition="begin with">C:\Perflogs\</Image>
-			<Image condition="contains">config\systemprofile\</Image>
-			<Image condition="contains">\Windows\Fonts\</Image>
-			<Image condition="contains">\Windows\IME\</Image>
-			<Image name="Alert=Network connection in addins,suspicious_net_event=True" condition="contains">\Windows\addins\</Image>
-			<Image condition="contains">chrome.exe</Image>
-			<Image condition="contains">iexplore.exe</Image>
-			<Image condition="contains">firefox.exe</Image>
-			<Image condition="contains">MicrosoftEdgeCP.exe</Image>
-			<Image condition="contains">MicrosoftEdge.exe</Image>
-			<Image condition="contains">explorer.exe</Image>
-			<!--<Image name="Info=Non-Exe Connecting to network" condition="excludes">.exe</Image>-->
-			<Image name="Info=Unknown Process Connecting to network" condition="contains">unknown process</Image>
-			<!--Suspicious Windows tools-->
-			<Image name="Alert=AT.EXE Task Scheduler Network Connection,suspicious_net_event=True" condition="image">at.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
-			<Image name="Alert=SCHTasks.exe Task Scheduler Network Connection,suspicious_net_event=True" condition="image">schtasks.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
-			<Image name="Alert=Certutil Connecting to network,suspicious_net_event=True" condition="image">certutil.exe</Image> <!--Microsoft:Windows: Certificate tool can contact outbound | Credit @ion-storm and @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->
-			<Image name="Alert=CMD Prompt network Connection,suspicious_net_event=True" condition="image">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
-			<Image name="Alert=Cscript network Connection,suspicious_net_event=True" condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
-			<Image name="Alert=WSCRIPT Network connection,suspicious_net_event=True" condition="image">wscript.exe</Image><Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
-			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
-			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
-			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
-			<Image condition="image">regsvcs.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ] -->
-			<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Windows Services hidden by Svchost.exe, BITS File Transfer program-->
-			<Image name="Alert=MSHTA Network Connection,suspicious_net_event=True" condition="image">mshta.exe</Image>
-			<Image name="Info=Powershell Network Connection,suspicious_net_event=True" condition="image">powershell.exe</Image> <!--Microsoft:WindowsPowerShell: | Credit @Cyb3rOps -->
-			<Image condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
-			<Image condition="contains">pskill</Image><!--Detect pskill-->
-			<Image condition="contains">psshutdown</Image><!--Detect PsShutdown-->
-			<Image condition="contains">psservice</Image><!--Detect PsService-->
-			<Image condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
-			<Image condition="image">java.exe</Image>
-			<Image condition="image">msbuild.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
-			<Image condition="image">installutil.exe</Image>
-			<Image name="Alert=MSIExec Network connection,suspicious_net_event=True" condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
-			<Image name="Alert=REG.EXE Network Connection,suspicious_net_event=True" condition="image">reg.exe</Image><!-- Remote Registry -->
-			<Image condition="image">mstsc.exe</Image><!-- Remote Desktop -->
-			<Image name="Alert=Telnet Connection,suspicious_net_event=True" condition="image">telnet.exe</Image><!-- Telnet -->
-			<Image condition="image">SyncAppvPublishingServer.exe</Image><!--Mitre T1218-->
-			<Image condition="image">Mavinject.exe</Image><!--Mitre T1218-->
-			<Image name="Alert=SSH Connection with ssh.exe,suspicious_net_event=True" condition="image">ssh.exe</Image><!-- SSH -->
-			<Image name="Alert=SSH Connection with Putty,suspicious_net_event=True" condition="image">putty.exe</Image><!-- SSH -->
-			<Image name="Alert=SSH Connection with Kitty,suspicious_net_event=True" condition="image">kitty.exe</Image><!-- SSH -->
-			<Image name="Alert=SSH Connection with Kitty,suspicious_net_event=True" condition="image">kitty_portable.exe</Image><!-- SSH -->
-			<Image name="Alert=PSFTP Connection" condition="image">psftp.exe</Image><!-- SFTP -->
-			<Image name="Alert=PSFTP Connection" condition="image">tftp.exe</Image><!-- TFTP -->
-			<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
-			<Image condition="image">net.exe</Image><!-- net use/net view-->
-			<Image name="Alert=NBTSTAT Query" condition="image">nbtstat.exe</Image><!-- Netbios stat-->
-			<Image condition="image">dsquery.exe</Image><!-- Query domain-->
-			<Image condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
-			<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
-			<Image name="Alert=SC.exe Network Connection,suspicious_net_event=True" condition="image">sc.exe</Image><!-- Service Control Manager-->
-			<Image condition="image">auditpol.exe</Image><!-- Auditpol-->
-			<Image name="Alert=User enumeration,suspicious_net_event=True" condition="image">qwinsta.exe</Image><!-- Query Remote Sessions-->
-			<Image condition="image">rwinsta.exe</Image><!-- Reset Remote Sessions-->
-			<!--Tor-->
-			<Image name="Alert=Tor Connection" condition="image">tor.exe</Image>
-			<DestinationIp name="Alert=Tor Connection" condition="is">185.41.154.130</DestinationIp>
-			<DestinationIp name="Alert=Tor Connection" condition="is">37.252.190.176</DestinationIp>
-			<DestinationIp name="Alert=Tor Connection" condition="is">82.118.17.235</DestinationIp>
-			<DestinationIp name="Alert=Tor Connection" condition="is">83.163.164.15</DestinationIp>
-			<DestinationIp name="Alert=Tor Connection" condition="is">69.163.34.173</DestinationIp>
-			<DestinationIp name="Alert=Tor Connection" condition="is">159.89.151.231</DestinationIp>
-			<DestinationIp name="Alert=Tor Connection" condition="is">212.47.246.229</DestinationIp>
-			<DestinationIp name="Alert=Tor Connection" condition="is">84.40.112.70</DestinationIp>
-			<DestinationIp name="Alert=Tor Connection" condition="is">2.137.16.245</DestinationIp>
-			<DestinationIp name="Alert=Tor Connection" condition="is">199.249.223.62</DestinationIp>
-			<DestinationIp name="Alert=Tor Connection" condition="is">185.22.172.237</DestinationIp>
-			<DestinationIp name="Alert=Tor Connection" condition="is">88.99.216.194</DestinationIp>
-			<DestinationIp name="Alert=Tor Connection" condition="is">185.13.39.197</DestinationIp>
-			<DestinationIp name="Alert=Tor Connection" condition="is">162.247.72.201</DestinationIp>
-			<DestinationIp name="Alert=Tor Connection" condition="is">174.127.217.73</DestinationIp>
-			<!-- Tor-->
-			<!--Hack tools hosting-->
-			<DestinationHostname name="Alert=Connection to Github,suspicious_net_event=True" condition="contains">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
-			<DestinationHostname name="Alert=Connection to Github,suspicious_net_event=True" condition="contains">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
-			<!--Suspicious destinations-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">api.ipify.org</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">whatismyipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">edns.ip-api.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">checkip.dyndns.org</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">icanhazip.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ifconfig.me</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ifconfig.co</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ipinfo.io</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ident.me</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">api.ip.sb</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">www.myexternalip.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ip.anysrc.net</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">wtfismyip.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">myexternalip.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">api.ip.sb</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ipecho.net</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">checkip.amazonaws.com</DestinationHostname> <!--Malware uses to get external IP address-->
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">goo.gl</DestinationHostname>
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">git.io</DestinationHostname>
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">bit.ly</DestinationHostname>
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">t.co</DestinationHostname>
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ow.ly</DestinationHostname>
-			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ip-api.com</DestinationHostname> <!--Ransomware using ip-api for geolocation tracking-->
-			<!--Dynamic DNS Providers-->
-			<DestinationHostname condition="contains">dlinkddns.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">no-ip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">no-ip.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">no-ip.biz</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">no-ip.info</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">noip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">afraid.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">duckdns.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">changeip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">ddns.net</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">hopto.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">zapto.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">servehttp.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<DestinationHostname condition="contains">sytes.net</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
-			<!--Tor2Web Providers-->
-			<DestinationHostname condition="contains">onion.to</DestinationHostname>
-			<DestinationHostname condition="contains">onion.cab</DestinationHostname>
-			<DestinationHostname condition="contains">onion.sh</DestinationHostname>
-			<DestinationHostname condition="contains">onion.nu</DestinationHostname>
-			<DestinationHostname condition="contains">onion.direct</DestinationHostname>
-			<DestinationHostname condition="contains">tor2web.org</DestinationHostname>
-			<DestinationHostname condition="contains">tor2web.fi</DestinationHostname>
-			<DestinationHostname condition="contains">tor2web.io</DestinationHostname>
-			<DestinationHostname condition="contains">tor2web.blutmagie.de</DestinationHostname>
-			<DestinationHostname condition="contains">tor-gateways.de</DestinationHostname>
-			<DestinationHostname condition="contains">hiddenservice.net</DestinationHostname>
-			<!--Public Port Scan Detection-->
-			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">shodan</DestinationHostname>
-			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">shadow</DestinationHostname>
-			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">researchscan</DestinationHostname>
-			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">census</DestinationHostname>
-			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">sl-reverse</DestinationHostname>
-			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">scanhub</DestinationHostname>
-			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">.edu</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">158.130.6.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">71.6.216.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">137.226.113.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">138.246.252.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">128.32.30.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">208.93.152.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">162.216.46.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">169.229.3.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">155.94.254.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">98.143.148.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">155.94.222.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">134.147.203.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">69.170.62.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">159.203.213.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">209.236.120.</DestinationIp>
-			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">158.130.6</DestinationIp>
-			<!--Crypto Currency Mining pools-->
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">blazepool</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">blockmasters</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">blockmasterscoins</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">hashrefinery</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">miningpoolhubcoins</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">nicehash</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">yiimp</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">zergpool</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">zergpoolcoins</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">zpool</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">slushpool</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">minexmr</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">minergate</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">monero</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">prohash</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">dwarfpool</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">nanopool.org</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mixpools.org</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">viaxmr.com</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">hashvault.pro</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">moriaxmr.com</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">suprnova.cc</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mixpools.org</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">monero</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">usxmrpool</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">xmrpool</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">poolto.be</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mineXMR</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">prohash.net</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mine.bz</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mypool.online</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">bohemianpool</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mineXMR</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">iwanttoearn.money</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">pool.xmr</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">crypto-pool</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">miners.pro</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">minercircle.com</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">monero.lindon-pool.win</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">teracycle.net</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">ratchetmining.com</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">cryptmonero</DestinationHostname>
-			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mineXMR</DestinationHostname>
-			<!--Ports-->
-			<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">80</DestinationPort>
-			<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">443</DestinationPort>
-			<DestinationPort name="Service=Remote Desktop Connection" condition="is">3389</DestinationPort>
-			<DestinationPort condition="is">3540</DestinationPort> <!--Remote Assistance Port-->
-			<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">22</DestinationPort>
-			<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">23</DestinationPort>
-			<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">25</DestinationPort>
-			<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">139</DestinationPort>
-			<!--<DestinationPort condition="is">445</DestinationPort> SMB Port: Removed because of noise-->
-			<DestinationPort name="Service=VNC" condition="is">5800</DestinationPort>
-			<DestinationPort name="Service=VNC" condition="is">5900</DestinationPort>
-			<DestinationPort name="Service=OpenVPN,suspicious_net_event=True" condition="is">1194</DestinationPort>
-			<DestinationPort name="Service=L2TP,suspicious_net_event=True" condition="is">1701</DestinationPort>
-			<DestinationPort name="Service=TOR,suspicious_net_event=True" condition="is">1723</DestinationPort>
-			<DestinationPort name="Service=IPSec" condition="is">1293</DestinationPort>
-			<DestinationPort name="Service=Tor,suspicious_net_event=True" condition="is">4500</DestinationPort>
-			<DestinationPort name="Service=Socks Proxy Port" condition="is">1080</DestinationPort>
-			<DestinationPort name="Service=Socks Proxy Port" condition="is">8080</DestinationPort>
-			<DestinationPort name="Service=Socks Proxy Port" condition="is">3128</DestinationPort>
-			<DestinationPort name="Service=Tor,suspicious_net_event=True" condition="is">9001</DestinationPort>
-			<DestinationPort name="Service=Tor,suspicious_net_event=True" condition="is">9030</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4443</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">2448</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">8143</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1777</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1443</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">243</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">65535</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13506</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">3360</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">200</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">198</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">49180</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13507</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">3360</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">6625</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4444</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4438</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1904</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13505</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13504</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">12102</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">9631</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">5445</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">2443</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">777</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13394</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13145</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">12103</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">5552</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">3939</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">3675</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">666</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">473</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">5649</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4455</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4433</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1817</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">100</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">65520</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1960</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1515</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">743</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">700</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">14154</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">14103</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">14102</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">12322</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">10101</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">7210</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4040</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">9943</DestinationPort>
-			<!--Ports: Threats-->
-			<DestinationPort name="Info=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:7777,suspicious_net_event=True" condition="is">7777</DestinationPort>
-			<DestinationPort name="Info=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:9943,suspicious_net_event=True" condition="is">9943</DestinationPort>
-			<DestinationPort name="Note=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:666,suspicious_net_event=True" condition="is">666</DestinationPort>
+			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
+			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Census Network Connection,Risk=40" condition="contains">census</DestinationHostname>
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=ResearchScan Network Connection,Risk=70" condition="contains">researchscan</DestinationHostname>
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Scanhub Network Connection,Risk=70" condition="contains">scanhub</DestinationHostname>
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Shadow Network Connection,Risk=50" condition="contains">shadow</DestinationHostname>
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Shodan Network Connection,Risk=50" condition="contains">shodan</DestinationHostname>
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
+
+			<!--MITRE ATT&CK TACTIC: Resource Development-->
+			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
+
+			<!--MITRE ATT&CK TACTIC: Initial Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
+			
+			<!--MITRE ATT&CK TACTIC: Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
+			<Rule name="Attack=T1059,Technique=Visual Basic,Tactic=Execution,Level=4,Alert=WSCRIPT Network connection,Risk=80" groupRelation="and">
+				<Image condition="image">wscript.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
+			<!--MITRE ATT&CK TECHNIQUE: Native API-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<Image name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,Level=4,Alert=AT.EXE Task Scheduler Network Connection,Risk=30" condition="image">at.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,Level=4,Alert=SCHTasks.exe Task Scheduler Network Connection,Risk=30" condition="image">schtasks.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: System Services-->
+			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
+
+			<!--MITRE ATT&CK TACTIC: Persistence-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
+			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
+
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
+			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Temp file location network connection,Risk=30" groupRelation="and">
+				<Image condition="contains">\temp\</Image> <!--Network Connection in Temp Directories-->
+				<DestinationIp condition="excludes any">127.0.0.1</DestinationIp>		
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from wwwroot folder: Possible webshell,Risk=100" groupRelation="and">
+				<Image condition="contains">\wwwroot\</Image>
+			</Rule>
+			<Image name="Level=4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from Windows\repair Folder,Risk=70" condition="begin with">C:\Windows\repair\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from htdocs folder,Risk=70" condition="contains">\htdocs\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from systemprofile Folder,Risk=30" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from Intel logs,Risk=100" condition="begin with">C:\Intel\Logs\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from Windows\Addins Folder,Risk=70" condition="begin with">C:\Windows\addins\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from Windows\security Folder,Risk=100" condition="begin with">C:\Windows\security\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from windows help folder,Risk=70" condition="begin with">C:\Windows\Help\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection in Recycle Bin,Level=4,Alert=Suspicious network connection from Recycle bin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection in Windows Debug folder,Risk=100" condition="begin with">C:\Windows\Debug\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection in Windows Font folder,Risk=100" condition="begin with">C:\Windows\Fonts\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Perflogs unusual network connection,Risk=70" condition="begin with">C:\PerfLogs\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Unusual network connection from Recycle bin,Risk=100" condition="contains">:\$Recycle.bin\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network Connection from Default User folder,Risk=30" condition="contains">:\Users\Default\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network Connection from NetworkService User folder,Risk=30" condition="begin with">C:\Users\NetworkService\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network connection from Public User folder,Risk=30" condition="begin with">C:\Users\Public\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network connection within Media Folder,Risk=30" condition="begin with">C:\Windows\Media\</Image>
+			<Image name="Level=0,Desc=Input Method Network Connection" condition="contains">\Windows\IME\</Image>
+			<Image name="Level=0,Desc=Programdata Network Connection" condition="begin with">C:\ProgramData</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
+			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
+			<Rule name="Attack=T1027.004,Tactic=Defense Evasion,Technique=Compile After Delivery,Level=4,Alert=CSC Network Conections" groupRelation="and">
+				<Image condition="image">CSC.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
+			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
+			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
+			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
+			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=0,Desc=infDefaultInstall Network Connection" condition="image">infDefaultInstall.exe</Image>
+			<Image name="Attack=T1218,Technique=Control Panel,Tactic=Defense Evasion,Level=0,Desc=Control Panel network connection" condition="image">SyncAppvPublishingServer.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Installutil-->
+			<Image name="Attack=T1218.004,Technique=InstallUtil,Tactic=Defense Evasion,Level=4,Alert=InstallUtil network connection" condition="image">InstallUtil.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Msiexec-->
+			<Image name="Attack=T1218.007,Technique=MSIExec,Tactic=Defense Evasion,Level=4,Alert=MSIExec Network connection,Risk=70" condition="image">msiexec.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvcs/regasm-->
+			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=4,Alert=RegAsm shellcode C2 connection" groupRelation="and">
+				<Image condition="contains any">regasm.exe;regsvcs.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Mavinject-->
+			<Image name="Attack=T1218.013,Technique=Signed Binary Proxy Execution: Mavinject,Tactic=Execution,Level=4,Alert=Mavinject detected,Risk=80" condition="image">Mavinject.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
+			<Rule name="Attack=T1127,Tactic=Defense Evasion,Technique=Signed Binary Proxy Execution,Level=4,Alert=MSBuild Network Conections" groupRelation="and">
+				<Image condition="image">msbuild.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
+			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
+
+			<!--MITRE ATT&CK TACTIC: Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
+			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
+			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
+			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
+
+			<!--MITRE ATT&CK TACTIC: Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
+			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
+			<Image name="Attack=T1482,Technique=Domain Trust Discovery,Tactic=Discovery,Level=0,Desc=DSQuery network connection" condition="image">dsquery.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
+			<Image name="Attack=T1518,Technique=Software Discovery,Tactic=Discovery,Level=0,Desc=DriverQuery Network Connection" condition="image">driverquery.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
+			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=4,Alert=NBTSTAT Query,Risk=30" condition="contains">nbtstat</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
+			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net.exe</Image>
+			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net1.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
+			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=QWinsta User enumeration,Risk=30" condition="image">qwinsta.exe</Image>
+			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=3,Alert=RWinsta Forced User Logoff,Risk=30" condition="image">rwinsta.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+
+			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
+			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Suspicious RDP Connection 3389,Risk=70" groupRelation="and">
+				<Initiated>true</Initiated>
+				<DestinationPort condition="is">3389</DestinationPort>
+				<Image condition="excludes">AutomationManager.ScriptRunner64.exe</Image>
+				<Image condition="excludes">C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe</Image>
+				<Image condition="excludes">C:\Program Files\VMware\VMware Remote Console\vmrc.exe</Image>
+				<Image condition="excludes">C:\Program Files\WindowsApps\Microsoft.RemoteDesktop_</Image>
+				<Image condition="excludes">CtxLicUsageRecorder.exe</Image>
+				<Image condition="excludes">FSAssessment.exe</Image>
+				<Image condition="excludes">FSDiscovery.exe</Image>
+				<Image condition="excludes">MobaRTE.exe</Image>
+				<Image condition="excludes">RDCMan.exe</Image>
+				<Image condition="excludes">RSSensor.exe</Image>
+				<Image condition="excludes">RTS2App.exe</Image>
+				<Image condition="excludes">RTSApp.exe</Image>
+				<Image condition="excludes">RemoteDesktopManager64.exe</Image>
+				<Image condition="excludes">RemoteDesktopManager.exe</Image>
+				<Image condition="excludes">RemoteDesktopManagerFree.exe</Image>
+				<Image condition="excludes">Terminals.exe</Image>
+				<Image condition="excludes">chrome.exe</Image>
+				<Image condition="excludes">mRemote.exe</Image>
+				<Image condition="excludes">mRemoteNG.exe</Image>
+				<Image condition="excludes">mstsc.exe</Image>
+				<Image condition="excludes">spiceworks-finder.exe</Image>
+				<Image condition="excludes">svchost.exe</Image>
+				<Image condition="excludes">thor64.exe</Image>
+				<Image condition="excludes">thor.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Suspicious RDP Connection 3391,Risk=70" groupRelation="and">
+				<Initiated>true</Initiated>
+				<DestinationPort condition="is">3391</DestinationPort>
+				<Image condition="excludes">AutomationManager.ScriptRunner64.exe</Image>
+				<Image condition="excludes">C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe</Image>
+				<Image condition="excludes">C:\Program Files\VMware\VMware Remote Console\vmrc.exe</Image>
+				<Image condition="excludes">C:\Program Files\WindowsApps\Microsoft.RemoteDesktop_</Image>
+				<Image condition="excludes">CtxLicUsageRecorder.exe</Image>
+				<Image condition="excludes">FSAssessment.exe</Image>
+				<Image condition="excludes">FSDiscovery.exe</Image>
+				<Image condition="excludes">MobaRTE.exe</Image>
+				<Image condition="excludes">RDCMan.exe</Image>
+				<Image condition="excludes">RSSensor.exe</Image>
+				<Image condition="excludes">RTS2App.exe</Image>
+				<Image condition="excludes">RTSApp.exe</Image>
+				<Image condition="excludes">RemoteDesktopManager64.exe</Image>
+				<Image condition="excludes">RemoteDesktopManager.exe</Image>
+				<Image condition="excludes">RemoteDesktopManagerFree.exe</Image>
+				<Image condition="excludes">Terminals.exe</Image>
+				<Image condition="excludes">chrome.exe</Image>
+				<Image condition="excludes">mRemote.exe</Image>
+				<Image condition="excludes">mRemoteNG.exe</Image>
+				<Image condition="excludes">mstsc.exe</Image>
+				<Image condition="excludes">spiceworks-finder.exe</Image>
+				<Image condition="excludes">svchost.exe</Image>
+				<Image condition="excludes">thor64.exe</Image>
+				<Image condition="excludes">thor.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=SSH Connection with Putty,Risk=80" groupRelation="and">
+				<Image condition="contains any">putty.exe;kitty.exe;kitty_portable.exe</Image><!-- SSH -->
+			</Rule>
+			<Rule name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Windows Remote Management connection,Risk=0" groupRelation="and">
+				<Image condition="image">wsmprovhost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=PSFTP Connection,Risk=70" groupRelation="and">
+				<Image condition="image">psftp.exe</Image><!-- SFTP -->
+			</Rule>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote Registry via command line,Risk=30" condition="image">reg.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote Registry via command line,Risk=80" condition="contains">psshutdown</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote password change with PSPasswd,Risk=80" condition="contains">PsPasswd</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote querying of services,Risk=80" condition="contains">psservice</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=SSH Connection with ssh.exe,Risk=30" condition="image">ssh.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Sysinternals PSEXE Tools,Risk=100" condition="contains">psexe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=TSFTP Connection,Risk=70" condition="image">tftp.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Telnet Connection,Risk=30" condition="image">telnet.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=MSTSC Remote Desktop Connection" condition="image">mstsc.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Remote WMIC commands,Risk=30" condition="image">wmic.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=SC.exe Network Connection" condition="image">sc.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Sysinternals PSKILL Tools,Risk=80" condition="contains">pskill</Image>
+			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=0,Desc=DSQuery network connection" condition="image">dsquery.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=3,Alert=Automated SSH Connection with Putty PLink,Risk=30" condition="image">plink.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=VNC" condition="image">vnc.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=VNC Viewer" condition="image">vncviewer.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=VNC Service" condition="image">vncservice.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement" condition="image">omniinet.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement" condition="image">hpsmhd.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+
+			<!--MITRE ATT&CK TACTIC: Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
+			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
+			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
+
+			<!--MITRE ATT&CK TACTIC: Command and Control-->
+			<Rule name="Level=0,Desc=Cobalt Strike Team Server port,Risk=70" groupRelation="and">
+				<DestinationPort condition="is">50050</DestinationPort>
+				<Initiated>true</Initiated>
+			</Rule>
+			<Rule name="Level=0,Desc=Outbound SMTP Email Sending,Risk=10" groupRelation="and">
+				<DestinationPort condition="is">25</DestinationPort>
+				<Image condition="excludes any">\Bin\EdgeTransport.exe;Bin\MSExchangeFrontendTransport.exe</Image>
+				<Initiated>true</Initiated>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
+			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
+			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
+			<Rule name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Powershell Network Connection,Risk=30" groupRelation="and">
+				<Image condition="image">powershell.exe</Image>
+				<DestinationIp condition="excludes any">0:0:0:0:0:0:0:;127.0.0.1</DestinationIp>
+			</Rule>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=3,Alert=MSHTA Network Connection,Risk=100" condition="image">mshta.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=CMD Prompt network Connection,Risk=20" condition="image">cmd.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Certutil Connecting to network,Risk=20" condition="image">certutil.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Bitsadmin Connecting to network,Risk=20" condition="image">certutil.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Notepad Network Connection" condition="image">notepad.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=RegSVCS Network Connection,Risk=30" condition="image">regsvcs.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=RegSVR32 Network Connection,Risk=30" condition="image">regsvr32.exe</Image> 
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=RunDLL32 Network Connection,Risk=30" condition="image">rundll32.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
+			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
+			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
+			<!--MITRE ATT&CK TECHNIQUE: Proxy: Multi-hop Proxy-->
+			<Image name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=3,Alert=Tor Connection" condition="image">tor.exe</Image>
+			<DestinationHostname name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=3,Alert=Tor2Web,Risk=100" condition="contains any">hiddenservice.net;onion.city;onion.direct;onion.direct;onion.link;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org;onion.to</DestinationHostname>
+			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
+
+			<!--MITRE ATT&CK TACTIC: Exfiltration-->
+			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
+			<!-- DNS Over HTTPS-->
+			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=DNS Over HTTPS" condition="contains any">dns.google;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;doh.opendns.com;.quad9.net;dns.cleanbrowsing.org;dns-family.adguard.com;dns.adguard.com;.233py.com;dnscrypt;dnscrypt-cert.oszx.co;dns.oszx.co;doh.dns.sb;doh.defaultroutes.de;doh.tiarap.org;doh.tiar.app;doh.captnemo.in;.aaflalo.me;doh.appliedprivacy.net;doh.dnswarden.com;commons.host;dns.twnic.tw;ibuki.cgnat.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;.seby.io;rdns.faelix.net;doh.li;.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk;adblock.mydns.network;ibksturm.synology.me;jcdns.fun</DestinationHostname>
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
+			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=privatlab.com Cloud Exfiltration" condition="contains all">privatlab.com</DestinationHostname>
+			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=3,Alert=Mega.co.nz Cloud Exfiltration" condition="contains any">mega.nz;mega.co.nz</DestinationHostname>
+			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=3,Alert=PCloud Cloud storage Exfiltration" condition="contains any">.pcloud.com</DestinationHostname>
+			<!--MITRE ATT&CK TACTIC: Impact-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
+			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
+			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
+			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
+			<DestinationHostname name="Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
+			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
+			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
+			<!--UEBA Rules-->
+			<Rule name="Level=0,Desc=Inbound Windows SVCHost Network Connection" groupRelation="and">
+				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
+				<DestinationPort condition="is not">3389</DestinationPort>
+				<DestinationPort condition="is not">22</DestinationPort>
+				<DestinationPort condition="is not">21</DestinationPort>
+				<DestinationPort condition="is not">5985</DestinationPort>
+				<Initiated>false</Initiated>
+			</Rule>
+			<Rule name="Level=0,Desc=Outbound Windows SVCHost Network Connection" groupRelation="and">
+				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
+				<Initiated>true</Initiated>
+				<SourcePort condition="is not">135</SourcePort>
+				<SourcePort condition="is not">445</SourcePort>
+				<DestinationPort condition="is not">5985</DestinationPort>
+			</Rule>
+			<Rule name="Level=0,Desc=Outbound Non-System port 445 SMB connections" groupRelation="and">
+				<Image condition="is not">System</Image>
+				<Image condition="excludes">svchost.exe</Image>
+				<DestinationPort condition="is">445</DestinationPort>
+			</Rule>
+			<Rule name="Level=0,Desc=Outbound Non-System port 389 LDAP connections" groupRelation="and">
+				<Image condition="is not">System</Image>
+				<Image condition="excludes any">svchost.exe;lsass.exe</Image>
+				<DestinationPort condition="is">389</DestinationPort>
+			</Rule>
+			<Rule name="Level=0,Desc=Inbound LDAP Connections" groupRelation="and">
+				<Image condition="image">C:\Windows\System32\lsass.exe</Image>
+				<DestinationPort condition="is">389</DestinationPort>
+				<DestinationIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</DestinationIp>
+				<SourceHostname condition="excludes any">EXCH</SourceHostname>
+				<SourceIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</SourceIp>
+				<Initiated>false</Initiated>
+			</Rule>
+			<Rule name="Level=4,Alert=Notepad connecting to the internet" groupRelation="and">
+				<Image condition="image">notepad.exe</Image>
+				<DestinationIp condition="excludes">127.0.0.1</DestinationIp>
+			</Rule>
+			<Rule name="Level=0,Desc=Browsers accessing non-standard ports" groupRelation="and">
+				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
+				<DestinationPort condition="is not">80</DestinationPort>
+				<DestinationPort condition="is not">443</DestinationPort>
+				<Initiated>true</Initiated>
+			</Rule>
+			<DestinationHostname name="Level=0,Desc=Connection to Github,Risk=30" condition="contains">github</DestinationHostname> 
+			<DestinationHostname name="Level=0,Desc=Connection to Github,Risk=30" condition="contains">githubusercontent.com</DestinationHostname>
+			<Rule name="Level=0,Desc=Web Browser HTTP Connections" groupRelation="and">
+				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
+				<DestinationPort condition="is">80</DestinationPort>
+				<Initiated>true</Initiated>
+			</Rule>
+			<Rule name="Level=0,Desc=Web Browser HTTPS Connections" groupRelation="and">
+				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
+				<DestinationPort condition="is">443</DestinationPort>
+				<Initiated>true</Initiated>
+			</Rule>
+			<Rule name="Level=0,Desc=Apache Webserver" groupRelation="and">
+				<Image condition="image">apache.exe</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=JAVA Network Connections" groupRelation="and">
+				<Image condition="image">java.exe</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Microsoft IIS Webserver" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=PHP Webserver" groupRelation="and">
+				<Image condition="contains any">\php-cgi.exe;\php.exe</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Setup Network connectivity" groupRelation="and">
+				<Image condition="contains">setup</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Tomcat Webserver connectivity" groupRelation="and">
+				<Image condition="contains">tomcat</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Uninstaller Network connectivity" groupRelation="and">
+				<Image condition="contains">unins</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Unknown Process Connecting to network" groupRelation="and">
+				<Image condition="contains">unknown process</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Windows Explorer Network Connection" groupRelation="and">
+				<Image condition="contains">explorer.exe</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Windows SMTP Server" groupRelation="and">
+				<Image condition="image">inetinfo.exe</Image>
+			</Rule>
+			<!--3rd Party tools-->
+			<Image name="Level=0,Desc=Netcat network connection Detected" condition="contains any">netcat.exe;nc.exe;nc64.exe;ncat.exe</Image>
+			<Image name="Level=0,Desc=Procdump Detected" condition="contains any">procdump</Image>
+			<Image name="Level=0,Desc=PSExec Network Connection" condition="contains any">psexe</Image>
+			<Image name="Level=0,Desc=VNC Network Connection" condition="contains any">vnc;vncs;vncv</Image>
+			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
+				<Image condition="contains any">rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe;advanced_port_scanner.exe;rcpping.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe</Image>
+			</Rule>
+			<!--Destination Ports to Monitor-->
+			<DestinationPort name="Level=0,Desc=Port: 0" condition="is">0</DestinationPort>
+			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5985</DestinationPort>
+			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5986</DestinationPort>
+			<DestinationPort name="Level=0,Desc=IPSec" condition="is">1293</DestinationPort>
+			<DestinationPort name="Level=0,Desc=L2TP" condition="is">1701</DestinationPort>
+			<DestinationPort name="Level=0,Desc=OpenVPN,Risk=39" condition="is">1194</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Remote Assistance Connection,Risk=20" condition="is">3540</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Remote Desktop Connection,Risk=20" condition="is">3389</DestinationPort>
+			<DestinationPort name="Level=0,Desc=SSH Port,Risk=30" condition="is">22</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Socks Proxy Port 1080" condition="is">1080</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Socks Proxy Port 3128" condition="is">3128</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Socks Proxy Port 8080" condition="is">8080</DestinationPort>
+			<DestinationPort name="Level=0,Desc=TOR Port" condition="is">1723</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Telnet Port,Risk=30" condition="is">23</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Tor Port" condition="is">4500</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Tor Port,Risk=50" condition="is">9001</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Tor Port,Risk=50" condition="is">9030</DestinationPort>
+			<DestinationPort name="Level=0,Desc=VNC Port" condition="is">5900</DestinationPort>
+			<DestinationPort name="Level=0,Desc=VNC,Risk=50" condition="is">5800</DestinationPort>
+			<!--Source Ports to Monitor-->
+			<SourcePort name="Level=0,Desc=Port: 0" condition="is">0</SourcePort>
+			<Rule name="Level=0,Desc=Non-Browsers Accessing HTTPS" groupRelation="and">
+				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
+				<DestinationPort condition="is">443</DestinationPort>
+				<Initiated>true</Initiated>
+			</Rule>
+			<Rule name="Level=0,Desc=Non-Browsers Accessing HTTP" groupRelation="and">
+				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
+				<DestinationPort condition="is">80</DestinationPort>
+				<Initiated>true</Initiated>
+			</Rule>
+			<SourcePort name="Level=0,Desc=HTTP" condition="is">80</SourcePort>
+			<SourcePort name="Level=0,Desc=HTTPS" condition="is">443</SourcePort>
+			<SourcePort name="Level=0,Desc=LDAPS" condition="is">636</SourcePort>
+			<SourcePort name="Level=0,Desc=VNC" condition="is">5900</SourcePort>
+			<SourcePort name="Level=0,Desc=HTTPS" condition="is">443</SourcePort>
+			<!--Suspicious network connections-->
+			<DestinationHostname name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=4,Alert=Dynamic DNS Connection" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</DestinationHostname>
 		</NetworkConnect>
+	</RuleGroup>
+	<RuleGroup name="RG=NetworkConnect Exclude Group" groupRelation="or">
 		<NetworkConnect onmatch="exclude">
+			<Protocol condition="contains">udp</Protocol>
+			<!--Exclude Inter-process coms over localhost, may be dangerous at expense for noise reduction -->
+			<Rule name="exclude interprocess communications with localhost" groupRelation="and">
+				<Image condition="contains any">System;svchost.exe;oracle.exe;apache.exe;java.exe;php-cgi.exe;w3wp.exe;httpd;ServerManager.exe;unknown process;sql;wscript;cscript;schtasks;at.exe;reg.exe;C:\Windows\System32\find.exe</Image>
+				<SourceIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</SourceIp>
+				<DestinationIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</DestinationIp>
+			</Rule>
+			<!--SECTION: Custom -->
+			<Rule name="exclude dest ldap port 88" groupRelation="and">
+				<Image condition="image">C:\Windows\System32\lsass.exe</Image>
+				<DestinationPort condition="is">88</DestinationPort>
+			</Rule>
+			<!--Disable Monitoring of Protocols-->
+			<DestinationPortName condition="is">epmap</DestinationPortName>
+			<DestinationPortName condition="is">llmnr</DestinationPortName>
+			<DestinationPortName condition="is">microsoft-ds</DestinationPortName>
+			<DestinationPortName condition="is">netbios-dgm</DestinationPortName>
+			<DestinationPortName condition="is">ntp</DestinationPortName>
+			<DestinationPortName condition="is">ssdp</DestinationPortName>
+			<SourcePortName condition="is">epmap</SourcePortName>
+			<SourcePortName condition="is">llmnr</SourcePortName>
+			<SourcePortName condition="is">microsoft-ds</SourcePortName>
+			<SourcePortName condition="is">netbios-dgm</SourcePortName>
+			<SourcePortName condition="is">ntp</SourcePortName>
+			<SourcePortName condition="is">ssdp</SourcePortName>
+			<!--Disable Monitoring on Ports-->
+			<DestinationPort condition="is">53</DestinationPort>   <!--DNS Lookups-->
+			<DestinationPort condition="is">67</DestinationPort>  <!--Bootp Lookups-->
+			<DestinationPort condition="is">68</DestinationPort>  <!--Bootp Lookups-->
+			<DestinationPort condition="is">1434</DestinationPort>  <!--SQL spam.-->
+			<DestinationPort condition="is">1812</DestinationPort> <!--Radius-->
+			<DestinationPort condition="is">3544</DestinationPort> <!--Teredo-->
+			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
+			<DestinationPort condition="is">5228</DestinationPort> <!--Google Chrome Safe Search checks-->
+			<DestinationPort condition="is">5353</DestinationPort> <!--Bonjour/Avahi Discovery-->
+			<DestinationPort condition="is">5357</DestinationPort> <!--WSD API noise-->
+			<DestinationPort condition="is">5989</DestinationPort>  <!--Vcenter Secure server for CIM.-->
+			<DestinationPort condition="is">6007</DestinationPort>  <!--Exchange WMI Spam-->
+			<DestinationPort condition="is">49154</DestinationPort>  <!--DFRS/ADFS Replication spam-->
+			<DestinationPort condition="is">49209</DestinationPort>  <!--DFRS/ADFS Replication spam-->
+			<DestinationPort condition="is">52176</DestinationPort>  <!--DFRS/ADFS Replication spam-->
+			<DestinationPort condition="is">59241</DestinationPort>  <!--DFRS/ADFS Replication spam-->
+			<SourcePort condition="is">53</SourcePort>  <!--DNS Lookups-->
+			<SourcePort condition="is">67</SourcePort>  <!--Bootp Lookups-->
+			<SourcePort condition="is">68</SourcePort>  <!--Bootp Lookups-->
+			<SourcePort condition="is">1812</SourcePort> <!--Radius-->
+			<SourcePort condition="is">3702</SourcePort> <!--Windows: WS-Discovery noise-->
+			<SourcePort condition="is">6007</SourcePort>  <!--Exchange WMI Spam-->
+			<SourcePort condition="is">49154</SourcePort>  <!--DFRS/ADFS Replication spam-->
+			<SourcePort condition="is">49209</SourcePort>  <!--DFRS/ADFS Replication spam-->
+			<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
+			<SourcePort condition="is">52176</SourcePort>  <!--DFRS/ADFS Replication spam-->
+			<SourcePort condition="is">59241</SourcePort>  <!--DFRS/ADFS Replication spam-->
 			<!--SECTION: Microsoft -->
-			<Image condition="is">C:\Windows\System32\dns.exe</Image> <!-- Exclude Microsoft DNS Server DNS requests -->
-			<Image condition="is">C:\Windows\System32\find.exe</Image><!-- Oddly find.exe connects to localhost and creates spam -->
-			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</Image> <!-- Exclude Microsoft Exchange connecting to locahost -->
-			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe</Image> <!--Exchange Transport-->
-			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe</Image> <!--Exchange Edge Transport-->
-			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe</Image>
-			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe</Image>
-			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe</Image>
-			<!--Ignore Microsoft Connections-->
-			<!--Microsoft Net Connections-->
-			<!--Microsoft ASN IP Block-->
+			<DestinationHostname condition="end with">.bing.com</DestinationHostname>
+			<DestinationHostname condition="end with">.cloudapp.net</DestinationHostname>
+			<DestinationHostname condition="end with">.lync.com</DestinationHostname>
+			<DestinationHostname condition="end with">.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">.outlook.com</DestinationHostname>
+			<DestinationHostname condition="end with">.search.msn.com</DestinationHostname>
+			<DestinationHostname condition="end with">.wns.windows.com</DestinationHostname>
 			<DestinationHostname condition="end with">aps.windows.com</DestinationHostname>
-			<DestinationHostname condition="end with">arc.msn.com</DestinationHostname>
 			<DestinationHostname condition="end with">arc.msn.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">arc.msn.com</DestinationHostname>
 			<DestinationHostname condition="end with">atson.telemetry.microsoft.com</DestinationHostname>
 			<DestinationHostname condition="end with">au.download.windowsupdate.com</DestinationHostname>
 			<DestinationHostname condition="end with">b.akamaiedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">bing.com</DestinationHostname>
-			<DestinationHostname condition="end with">cdn.onenote.net</DestinationHostname>
+			<DestinationHostname condition="end with">bingforbusiness.com</DestinationHostname>
 			<DestinationHostname condition="end with">client-office365-tas.msedge.net</DestinationHostname>
 			<DestinationHostname condition="end with">config.edge.skype.com</DestinationHostname>
 			<DestinationHostname condition="end with">csp.digicert.com</DestinationHostname>
@@ -1250,8 +2412,8 @@
 			<DestinationHostname condition="end with">cy2.settings.data.microsoft.com.akadns.net</DestinationHostname>
 			<DestinationHostname condition="end with">displaycatalog.mp.microsoft.com</DestinationHostname>
 			<DestinationHostname condition="end with">download.windowsupdate.com</DestinationHostname>
-			<DestinationHostname condition="end with">e3.delivery.dsp.mp.microsoft.com.nsatc.net</DestinationHostname>
 			<DestinationHostname condition="end with">e-msedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">e3.delivery.dsp.mp.microsoft.com.nsatc.net</DestinationHostname>
 			<DestinationHostname condition="end with">emdl.ws.microsoft.com</DestinationHostname>
 			<DestinationHostname condition="end with">ettings-win.data.microsoft.com</DestinationHostname>
 			<DestinationHostname condition="end with">fe2.update.microsoft.com</DestinationHostname>
@@ -1267,8 +2429,13 @@
 			<DestinationHostname condition="end with">ipv4.login.msa.akadns6.net</DestinationHostname>
 			<DestinationHostname condition="end with">licensing.mp.microsoft.com</DestinationHostname>
 			<DestinationHostname condition="end with">m3p.wns.notify.windows.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">microsoft.com</DestinationHostname>
 			<DestinationHostname condition="end with">modern.watson.data.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">msedge.net</DestinationHostname>
 			<DestinationHostname condition="end with">msn.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">msn.com</DestinationHostname>
 			<DestinationHostname condition="end with">ocation-inference-westus.cloudapp.net</DestinationHostname>
 			<DestinationHostname condition="end with">ocos-office365-s2s.msedge.net</DestinationHostname>
 			<DestinationHostname condition="end with">ocsp.digicert.com</DestinationHostname>
@@ -1276,8 +2443,8 @@
 			<DestinationHostname condition="end with">oneclient.sfx.ms</DestinationHostname>
 			<DestinationHostname condition="end with">pv4.login.msa.akadns6.net</DestinationHostname>
 			<DestinationHostname condition="end with">query.prod.cms.rt.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">ris.api.iris.microsoft.com</DestinationHostname>
 			<DestinationHostname condition="end with">ris.api.iris.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">ris.api.iris.microsoft.com</DestinationHostname>
 			<DestinationHostname condition="end with">s-msedge.net</DestinationHostname>
 			<DestinationHostname condition="end with">settings.data.microsoft.com</DestinationHostname>
 			<DestinationHostname condition="end with">sfe.trafficshaping.dsp.mp.microsoft.com</DestinationHostname>
@@ -1290,100 +2457,20 @@
 			<DestinationHostname condition="end with">tsfe.trafficshaping.dsp.mp.microsoft.com</DestinationHostname>
 			<DestinationHostname condition="end with">vip5.afdorigin-prod-am02.afdogw.com</DestinationHostname>
 			<DestinationHostname condition="end with">vip5.afdorigin-prod-ch02.afdogw.com</DestinationHostname>
+			<DestinationHostname condition="end with">virtualearth.net</DestinationHostname>
+			<DestinationHostname condition="end with">windows.net</DestinationHostname>
 			<DestinationHostname condition="end with">windowsupdate.com</DestinationHostname>
 			<DestinationHostname condition="end with">y2.displaycatalog.md.mp.microsoft.com.akadns.net</DestinationHostname>
 			<DestinationHostname condition="end with">y2.licensing.md.mp.microsoft.com.akadns.net</DestinationHostname>
 			<DestinationHostname condition="end with">y2.settings.data.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">msedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">windows.net</DestinationHostname>
-			<DestinationHostname condition="end with">msn.com</DestinationHostname>
-			<DestinationHostname condition="end with">virtualearth.net</DestinationHostname>
-			<DestinationHostname condition="end with">bingforbusiness.com</DestinationHostname>
-			<DestinationHostname condition="end with">outlook.com</DestinationHostname>
-			<DestinationHostname condition="end with">lync.com</DestinationHostname>
-			<DestinationHostname condition="end with">cloudapp.net</DestinationHostname>
-			<DestinationHostname condition="end with">microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">ec2-34-204-73-148.compute-1.amazonaws.com</DestinationHostname>
-			<DestinationHostname condition="end with">ec2-52-201-35-219.compute-1.amazonaws.com</DestinationHostname>
-			<DestinationHostname condition="end with">ec2-34-230-137-236.compute-1.amazonaws.com</DestinationHostname>
-			<DestinationHostname condition="end with">ec2-52-45-9-47.compute-1.amazonaws.com</DestinationHostname>
-			<DestinationHostname condition="end with">ec2-52-71-74-246.compute-1.amazonaws.com</DestinationHostname>
-			<DestinationHostname condition="end with">ec2-54-89-54-171.compute-1.amazonaws.com</DestinationHostname>
-			<DestinationHostname condition="end with">eset.com</DestinationHostname>
-			<DestinationHostname condition="end with">n-able.com</DestinationHostname>
-			<DestinationHostname condition="end with">www.agentexchange.com</DestinationHostname>
-			<DestinationHostname condition="end with">map2.hwcdn.net</DestinationHostname>
-			<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
-			<DestinationIsIpv6 condition="is">true </DestinationIsIpv6> <!-- IPv6 Exclusion: Re-Enable if you use ipv6 -->
-			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
-			<Image condition="image">Spotify.exe</Image> <!--Spotify-->
-			<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image> <!--Dropbox-->
-			<Image condition="image">OneDriveStandaloneUpdater.exe</Image> <!--Microsoft:OneDrive-->
-			<Image condition="image">ConnectWise.exe</Image> <!--ConnectWise Noise-->
-			<Image condition="image">ScreenConnect.WindowsClient.exe</Image> <!--ScreenConnect Noise-->
-			<Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
-			<Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
-			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser Installed in User profile-->
-			<DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
-			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
-			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->
-			<DestinationHostname condition="end with">.search.msn.com</DestinationHostname> <!--Bing & Cortana Searches-->
-			<DestinationHostname condition="end with">.wns.windows.com</DestinationHostname> <!-- Windows communication -->
-			<DestinationHostname condition="end with">akamaitechnologies.com</DestinationHostname> <!-- CDN for Microsoft, Apple, Valve, & More -->
-			<SourcePortName condition="is">llmnr</SourcePortName> <!--Silence Link-Local Multicast Name Resolution-->
-			<SourcePortName condition="is">ldap</SourcePortName> <!--Silence LDAP-->
-			<DestinationPortName condition="is">ldap</DestinationPortName> <!--Silence LDAP-->
-			<DestinationPortName condition="is">epmap</DestinationPortName> <!--Silence LDAP-->
-			<SourcePortName condition="is">epmap</SourcePortName> <!--Silence LDAP-->
-			<SourcePort condition="is">135</SourcePort>  <!--epmap Port-->
-			<DestinationPort condition="is">135</DestinationPort>  <!--epmap Port-->
-			<SourcePortName condition="is">ntp</SourcePortName> <!--Silence NTP-->
-			<DestinationPortName condition="is">ntp</DestinationPortName> <!--Silence NTP-->
-			<DestinationPortName condition="is">llmnr</DestinationPortName> <!--Silence Link-Local Multicast Name Resolution-->
-			<DestinationPortName condition="is">ssdp</DestinationPortName> <!--Simple Service Discovery Protocol (SSDP-->
-			<SourcePortName condition="is">ssdp</SourcePortName> <!--Simple Service Discovery Protocol (SSDP-->
-			<DestinationPort condition="is">5353</DestinationPort> <!--Bonjour/Avahi Discovery-->
-			<DestinationPortName condition="is">netbios-ns</DestinationPortName> <!--Netbios DNS Resolution-->
-			<DestinationPortName condition="is">netbios-dgm</DestinationPortName> <!--Netbios Datagram Services-->
-			<DestinationHostname condition="end with">1e100.net</DestinationHostname> <!--Google Chrome Safe Search checks-->
-			<DestinationPort condition="is">5228</DestinationPort> <!--Google Chrome Safe Search checks-->
-			<DestinationPort condition="is">5357</DestinationPort> <!--WSD API noise-->
-			<DestinationPort condition="is">3544</DestinationPort> <!--Teredo-->
-			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
-			<SourcePort condition="is">3702</SourcePort> <!--Windows: WS-Discovery noise-->
-			<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
-			<DestinationPort condition="is">53</DestinationPort>   <!--DNS Lookups-->
-			<SourcePort condition="is">53</SourcePort>  <!--DNS Lookups-->
-			<SourcePort condition="is">67</SourcePort>  <!--Bootp Lookups-->
-			<DestinationPort condition="is">67</DestinationPort>  <!--Bootp Lookups-->
-			<SourcePort condition="is">1812</SourcePort> <!--Radius-->
-			<DestinationPort condition="is">1812</DestinationPort> <!--Radius-->
-			<SourcePort condition="is">49154</SourcePort>  <!--DFRS/ADFS Replication spam-->
-			<DestinationPort condition="is">49154</DestinationPort>  <!--DFRS/ADFS Replication spam-->
-			<SourcePort condition="is">59241</SourcePort>  <!--DFRS/ADFS Replication spam-->
-			<DestinationPort condition="is">59241</DestinationPort>  <!--DFRS/ADFS Replication spam-->
-			<SourcePort condition="is">52176</SourcePort>  <!--DFRS/ADFS Replication spam-->
-			<DestinationPort condition="is">52176</DestinationPort>  <!--DFRS/ADFS Replication spam-->
-			<SourcePort condition="is">49209</SourcePort>  <!--DFRS/ADFS Replication spam-->
-			<DestinationPort condition="is">49209</DestinationPort>  <!--DFRS/ADFS Replication spam-->
-			<SourcePort condition="is">6007</SourcePort>  <!--Exchange WMI Spam-->
-			<DestinationPort condition="is">6007</DestinationPort>  <!--Exchange WMI Spam-->
-			<Image condition="end with">C:\Program Files (x86)\SmartGit\jre\bin\java.exe</Image>
-			<Image condition="end with">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image>
-			<Image condition="end with">penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
-			<DestinationHostname condition="begin with">efolder01</DestinationHostname> <!-- eFolder Noise -->
-			<DestinationPort condition="is">2080</DestinationPort><!--eFolder Noise -->
-			<Image condition="end with">g2mcomm.exe</Image> <!-- gotomeeting noise -->
-			<Image condition="end with">C:\Program Files (x86)\LabTech Client\LTClient.exe</Image>
-			<Image condition="end with">C:\Windows\LTSvc\LTSVC.exe</Image>
-			<Image condition="end with">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
-			<Image condition="begin with">C:\Program Files (x86)\SmartGit\</Image>
-			<Image condition="end with">DSPro\Programs\pr001Celery98.exe</Image>
-			<Image condition="image">g2ax_comm_expert.exe</Image> <!--GoToMeeting-->
-			<Image condition="image">g2mcomm.exe</Image> <!--GoToMeeting-->
-			<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image> <!--Microsoft: Teams-->
-			<DestinationPort condition="is">53</DestinationPort>   <!--DNS Lookups-->
+			<Image condition="image">EdgeTransport.exe</Image>
+			<Image condition="image">MSExchangeDelivery.exe</Image>
+			<Image condition="image">MSExchangeFrontendTransport.exe</Image>
+			<Image condition="image">MSExchangeHMWorker.exe</Image>
+			<Image condition="image">MSExchangeSubmission.exe</Image>
+			<Image name="Level=0,Desc=UNC Path Network Connections" condition="begin with">\</Image>
 		</NetworkConnect>
+	</RuleGroup>
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->
 
 		<!--DATA: UtcTime, State, Version, SchemaVersion-->
@@ -1391,1602 +2478,2559 @@
 
 	<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
 		<!--COMMENT:	Useful data in building infection timelines.-->
-
-		<!--DATA: Rulename, UtcTime, ProcessGuid, ProcessId, Image-->
+		<RuleGroup name="RG=ProcessTerminate Include Group" groupRelation="or">
 		<ProcessTerminate onmatch="include">
-		<!--COMMENT:	Useful data in building infection timelines.-->
-			<Image condition="begin with">C:\Users</Image> <!--Process terminations by user binaries-->
-			<Image condition="begin with">C:\ProgramData</Image> <!--Process terminations by user binaries-->
-			<Image condition="contains">\Temp\</Image> <!--Process terminations in temp directories-->
-			<Image condition="end with">Sysmon.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec-->
-			<Image condition="end with">Sysmon64.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec-->
+			<Rule name="Level=0,Desc=Process Termination Events in Windows Directory" groupRelation="and">
+				<Image condition="begin with">C:\Windows\</Image>
+				<Image condition="excludes">\System32\;Syswow64;sysmon.exe;sysmon64.exe;C:\Windows\System32\conhost.exe</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Process Termination Events in System32" groupRelation="and">
+				<Image condition="begin with">C:\Windows\system32\</Image>
+				<Image condition="excludes">config\systemprofile\</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Process Termination of Sysmon" groupRelation="and">
+				<Image condition="contains any">C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Process Termination Events in Root folders" groupRelation="and">
+				<Image condition="contains any">A:\;B:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;L:\;M:\;N:\;O:\;P:\;Q:\;R:\;S:\;T:\;U:\;V:\;W:\;X:\;Y:\;Z:\;AA:\;BB:\;CC:\;DD:\;EE:\;FF:\;GG:\;HH:\;II:\;JJ:\;KK:\;LL:\;MM:\;NN:\;OO:\;PP:\;QQ:\;RR:\;SS:\;TT:\;UU:\;VV:\;WW:\;XX:\;YY;ZZ:\</Image>
+				<Image condition="excludes">:\PROGRA~</Image>
+				<Image condition="excludes">:\Program Files</Image>
+				<Image condition="excludes">:\Program Files</Image>
+				<Image condition="excludes">:\Program Files</Image>
+				<Image condition="excludes">:\ProgramData\</Image>
+				<Image condition="excludes">:\Users\</Image>
+				<Image condition="excludes">:\Windows\</Image>
+				<Image condition="excludes">:\inetpub\</Image>
+				<Image condition="excludes">:\$SysReset</Image>
+				<Image condition="excludes">:\$WinREAgent</Image>
+				<Image condition="excludes">:\inetpub\</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Process Termination Events of UNC File Paths" groupRelation="and">
+				<Image condition="begin with">\</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Process Termination Events in Users Directory" groupRelation="and">
+				<Image condition="begin with">C:\Users\</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Process Termination Events in ProgramData Directory" groupRelation="and">
+				<Image condition="begin with">C:\ProgramData\</Image>
+				<Image condition="excludes any">C:\ProgramData\sysmon\sysmon64.exe;C:\ProgramData\sysmon\sysmon.exe</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Process Termination Events in Program Files Directories" groupRelation="and">
+				<Image condition="contains any">C:\Program Files;C:\PROGRA~</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Process Termination Events in inetpub Directories" groupRelation="and">
+				<Image condition="begin with">C:\inetpub\</Image>
+			</Rule>
+		<!-- Useful data in building infection timelines.-->
+			<Image name="Attack=T1036,Tactic=Masquerading,Technique=Defense Evasion,Level=4,Alert=Process Termination in Recyclebin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
+			<Image name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=0,Desc=Process Terminate: Killing of Log Shippers" condition="contains any">packetbeat.exe;metricbeat.exe;filebeat.exe;winlogbeat.exe;o365beat.exe;graylog-sidecar.exe;graylog-collector-sidecar.exe;splunkd.exe;splunk.exe;syslogng.exe;syslog-ng.exe;nxlog-processor.exe;snarecore.exe;fluentd;td-agent</Image>
+			<Image name="Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
+			<Image name="Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\sysWOW64\config\systemprofile\</Image>
+			<Image condition="contains">\Temp\</Image>
+			<Image name="Level=0,Desc=User Process Terminations" condition="contains">C:\Users\</Image>
 		</ProcessTerminate>
-
+	</RuleGroup>
+	<RuleGroup name="RG=ProcessTerminate Exclude Group" groupRelation="or">
+			<ProcessTerminate onmatch="exclude">
+			<Image condition="end with">Microsoft\Teams\current\Teams.exe</Image>
+			<Image condition="end with">\git.exe</Image>
+			<Image condition="end with">Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Image>
+			<Image condition="begin with">C:\ProgramData\Lenovo\ImController\</Image>
+		</ProcessTerminate>
+	</RuleGroup>
 	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
-		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
-			about what you exclude from monitoring. Low event volume, little incentive to exclude.
-			[ https://attack.mitre.org/wiki/Technique/T1014 ] -->
-		<!--TECHNICAL:	Sysmon will check the signing certificate revocation status of any driver you don't exclude.-->
-
-		<!--DATA: RuleName, UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
+	<RuleGroup name="RG=DriverLoad Include Group" groupRelation="or">
+		<DriverLoad onmatch="include">
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst driver hashes,Risk=100" groupRelation="and">
+				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Vulnerable Dell Drivers Detected,Risk=100" groupRelation="and">
+				<Hashes condition="contains any">0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5;c948ae14761095e4d76b55d9de86412258be7afd;c996d7971c49252c582171d9380360f2;ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1;10b30bdee43b3a2ec4aa63375577ade650269d25;d2fd132ab7bbc6bbb87a84f026fa0244</Hashes><!-- exclude non executable files -->
+			</Rule>
+			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=DumpExt.dll driver loaded,Risk=100" condition="contains">DumpExt.dll</ImageLoaded>
+			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=Mimikatz driver loaded,Risk=100" condition="contains">mimidrv</ImageLoaded>
+			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=PWDump6 driver loaded,Risk=100" condition="contains">lsremora</ImageLoaded>
+			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=wceaux.dll driver loaded,Risk=100" condition="contains">wceaux.dll</ImageLoaded>
+			<ImageLoaded name="Attack=T1040,Tactic=Discovery,Technique=Network Sniffing,Level=4,Alert=NPCap packet capture driver loaded,Risk=100" condition="contains">npcap</ImageLoaded>
+			<ImageLoaded name="Level=0,Desc=Driver Loaded in Temp" condition="contains">\Temp</ImageLoaded>
+			<ImageLoaded name="Level=0,Desc=Driver Loaded in Users Directories" condition="contains">:\Users</ImageLoaded>
+			<Signature name="Attack=T1019,Technique=System Firmware,Tactic=Persistence,Level=4,Alert=UEFI Rootkit detection,Risk=100" condition="contains">ChongKim Chan</Signature>
+			<SignatureStatus condition="contains">?</SignatureStatus>
+			<SignatureStatus condition="contains">Revoked</SignatureStatus>
+			<SignatureStatus condition="contains">Unavailable</SignatureStatus>
+			<SignatureStatus condition="contains">Valid</SignatureStatus>
+			<Signed name="Level=0,Desc=Unsigned Driver loaded into Kernel" condition="contains">false</Signed>
+		</DriverLoad>
+	</RuleGroup>
+	<RuleGroup name="RG=DriverLoad Exclude Group" groupRelation="or">
 		<DriverLoad onmatch="exclude">
 		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
 				about what you exclude from monitoring. Low event volume, little incentive to exclude.-->
-			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft drivers-->
-			<Signature condition="is">Microsoft Windows</Signature> <!--Exclude signed Microsoft drivers-->
-			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft drivers-->
-			<Signature condition="begin with">Intel</Signature> <!--Exclude signed Intel drivers-->
-			<Signature condition="contains">Lenovo</Signature> <!--Exclude signed Lenovo drivers-->
-			<Signature condition="contains">Synaptic</Signature> <!--Exclude signed Synaptic drivers-->
-			<Signature condition="contains">Nvidia</Signature> <!--Exclude signed Nvidia drivers-->
-			<Signature condition="contains">Broadcom</Signature> <!--Exclude signed Broadcom drivers-->
-			<Signature condition="contains">AMD</Signature> <!--Exclude signed AMD drivers-->
-			<Signature condition="contains">VMware</Signature> <!--Exclude signed VMware drivers-->
-			<Signature condition="contains">Realtek</Signature> <!--Exclude signed Realtek drivers-->
-			<Signature condition="contains">Micro-Star</Signature> <!--Exclude signed MSI drivers-->
-			<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech drivers-->
-			<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia drivers-->
-			<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed MSI drivers-->
-			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed Fortinet drivers-->
-			<Signature condition="contains">Webroot</Signature> <!--Exclude signed Webroot drivers-->
-			<Signature condition="is">NoVirusThanks Company Srl</Signature> <!--Exclude signed drivers-->
-			<Signature condition="contains">Invincea</Signature> <!--Exclude signed drivers-->
-			<Signature condition="contains">ShoreTel</Signature> <!--Exclude signed drivers-->
-			<Signature condition="contains">Synology</Signature> <!--Exclude signed drivers-->
-			<Signature condition="contains">Citrix</Signature> <!--Exclude signed drivers-->
-			<Signature condition="contains">SonicWall</Signature> <!--Exclude signed drivers-->
-			<Signature condition="contains">Sophos</Signature> <!--Exclude signed drivers-->
-			<Signature condition="contains">OpenVPN</Signature> <!--Exclude signed drivers-->
 		</DriverLoad>
-
+	</RuleGroup>
 	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
 		<!--COMMENT:	Can cause high system load, disabled by default.-->
-		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1073 ] [ https://attack.mitre.org/wiki/Technique/T1038 ] [ https://attack.mitre.org/wiki/Technique/T1034 ] -->
-
 		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
+	<RuleGroup name="RG=Image Load Includes" groupRelation="or">
 		<ImageLoad onmatch="include">
-			<Signed condition="is">false</Signed> <!-- Lets Only show Unsigned DLL's loaded-->
-			<SignatureStatus condition="is">Invalid</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
-			<SignatureStatus condition="is">Unavailable</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
-			<ImageLoaded condition="contains">C:\windows\system32\fxsst.dll</ImageLoaded> <!-- CIA Vault7 Leak: Fax DLL Injection -->
-			<ImageLoaded condition="contains">C:\Windows\System32\wbem\oci.dll</ImageLoaded> <!-- CIA Vault7 Leak: Distributed Transaction Coordinator DLL Injection -->
-			<ImageLoaded condition="contains">\Temp\</ImageLoaded>
-			<ImageLoaded name="MitreRef=T1128,Technique=Netsh Helper Beacon DLL,Tactic=Persistence,Alert=Cobalt Strike Netsh Helper Beacon" condition="contains">NetshHelperBeacon</ImageLoaded>
-			<Image name="MitreRef=T1128,Technique=Netsh Helper Beacon DLL,Tactic=Persistence" condition="contains">netsh.exe</Image>
-			<ImageLoaded name="Alert=Ramnit Banker Malware!" condition="contains">rmnsoft.dll</ImageLoaded>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=MSDT Loading diagnostic library: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<Image condition="is">msdt.exe</Image>
+				<ImageLoaded condition="contains">sdiageng.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=VBE7 Macro Image Loads with wshom,Risk=70" groupRelation="and">
+				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
+				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wshom.ocx</ImageLoaded>
+				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=Suspicious Process Loading ntkrnlmp.exe,Risk=50" groupRelation="and">
+				<ImageLoaded condition="image">ntkrnlmp.exe</ImageLoaded>
+			</Rule>
+			<Rule name="T1203,Technique=Exploitation for Client Execution,Tactic=Execution,CVE=CVE-2021-1675,Level=0,Desc=Printer Expoit,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains any">\spool\drivers\x64\3\;\spool\drivers\W32X86\3\;\spool\drivers\IA64\3\</ImageLoaded>
+				<Image condition="contains any">spoolsv.exe;printisolationhost.exe</Image>
+				<SignatureStatus condition="excludes">Valid</SignatureStatus>
+				<Company condition="excludes any">Brother Industries;Canon;Sharp;Microsoft Corporation;DYMO;Euro Plus d.o.o;HP Inc;Hewlett-Packard</Company>
+			</Rule>
+			<Rule name="Level=0,Desc=Equation editor loading itself,Risk=50" groupRelation="and">
+				<Image condition="image">EQNEDT32.EXE</Image>
+				<ImageLoaded condition="contains">EQNEDT32.EXE</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=0,Desc=Windows Active Directory Service Interfaces API in User Directories,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll</ImageLoaded>
+				<Image condition="contains any">C:\Users;\Temp\;ProgramData</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=VBE6 Macro Image Loads with wshom,Risk=40" groupRelation="and">
+				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
+				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wshom.ocx</ImageLoaded>
+				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll;fastprox.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=VBE7 Macro Image Loads with wmi,Risk=30" groupRelation="and">
+				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
+				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=VBE6 Macro Image Loads with wmi,Risk=50" groupRelation="and">
+				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
+				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=Office taskschd.dll Load" groupRelation="and">
+				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
+				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=WScript taskschd.dll Load" groupRelation="and">
+				<Image condition="contains any">wscript.exe;cscript.exe</Image>
+				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=WMI taskschd.dll Load" groupRelation="and">
+				<Image condition="image">wmiprvse.exe</Image>
+				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=Powershell Loading MSI.dll" groupRelation="and">
+				<Image condition="image">powershell.exe</Image>
+				<ImageLoaded condition="is">msi.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=Powershell Loading AMSI.dll" groupRelation="and">
+				<Image condition="contains">powershell</Image>
+				<ImageLoaded condition="is">amsi.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=Powershell Not Loading AMSI.dll" groupRelation="and">
+				<Image condition="excludes">powershell</Image>
+				<ImageLoaded condition="is">amsi.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=Office clr.dll Load" groupRelation="and">
+				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
+				<ImageLoaded condition="is">clr.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=Suspicious clr windows management dll Load" groupRelation="and">
+				<ImageLoaded condition="contains all">clr.dll;System.Management.ni.dll;Microsoft.Build.Utilities</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=Wscript Internet Access library Loads" groupRelation="and">
+				<Image condition="contains any">wscript.exe;cscript.exe</Image>
+				<ImageLoaded condition="contains all">msxml;wshom.ocx</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=Wscript Internet Access library Loads 2" groupRelation="and">
+				<Image condition="contains any">wscript.exe;cscript.exe</Image>
+				<ImageLoaded condition="contains all">winhttp.dll;mswsock.dll;IPHLPAPI.DLL</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=Interesting Installutil DLL Loads" groupRelation="and">
+				<Image condition="contains any">installutil.exe</Image>
+				<ImageLoaded condition="contains all">CustomMarshalers.dll;CustomMarshalers.ni.dll;System.Management.ni.dll;WMINet_Utils.dll;mswsock.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=Automation NI DLL Loaded" groupRelation="and">
+				<ImageLoaded condition="end with">System.Management.Automation.ni.dll</ImageLoaded>
+				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=Automation DLL Loaded" groupRelation="and">
+				<ImageLoaded condition="end with">System.Management.Automation.dll</ImageLoaded>
+				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
+				<ImageLoaded condition="excludes any">Lenovo.Vantage.AddinHost;\Microsoft.Sara.exe;C:\Program Files\CONEXANT</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=Credential Manager DLL Loaded" groupRelation="and">
+				<ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded>
+				<Image condition="excludes any">\svchost.exe;\GameBar.exe;C:\Program Files\WindowsApps;\Microsoft\Teams\current\Teams.exe</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=UNC Path Image Loaded" groupRelation="and">
+				<ImageLoaded condition="begin with">\\</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=WLL Office Application Startup" groupRelation="and">
+				<ImageLoaded condition="contains">\Microsoft\Word\Startup\</ImageLoaded>
+				<ImageLoaded condition="end with">.wll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=XLL Office Application Startup" groupRelation="and">
+				<ImageLoaded condition="contains">\Microsoft\Excel\Startup\</ImageLoaded>
+				<ImageLoaded condition="end with">.xll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=Office Application Startup Generic" groupRelation="and">
+				<ImageLoaded condition="contains">\Microsoft\Addins\</ImageLoaded>
+				<ImageLoaded condition="contains any">.xla</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Defense Evasion,Level=4,Alert=Ransomware detected tor library,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains">tor-lib.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Cred Dumping,Risk=90" groupRelation="and">
+				<ImageLoaded condition="is any">C:\Windows\System32\WinSCard.dll;C:\Windows\System32\cryptdll.dll;C:\Windows\System32\hid.dll;C:\Windows\System32\samlib.dll;C:\Windows\System32\vaultcli.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Mimikatz Cred Dumping,Risk=100" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<ImageLoaded condition="contains all">vaultcli.dll;wlanapi.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">combase.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">cryptdll.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">imm32.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">logoncli.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">netapi32.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">ntasn1.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">ntdsapi.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">samlib.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">shcore.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">srvcli.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=Potential C3 Framework,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains all">odbc32.dll;winhttp.dll;netapi32.dll;SHLWAPI.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=Explorer Loading Powershell in memory,Risk=100" groupRelation="and">
+				<Image condition="image">C:\Windows\Explorer.EXE</Image>
+				<ImageLoaded condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=Programdata Image Loading exe Image from Programdata" groupRelation="and">
+				<Image condition="begin with">C:\ProgramData\</Image>
+				<ImageLoaded condition="begin with">C:\ProgramData\</ImageLoaded>
+				<ImageLoaded condition="end with">.exe</ImageLoaded>
+				<Company condition="excludes">Adobe</Company>
+				<Image condition="excludes">C:\ProgramData\Lenovo\</Image>
+				<ImageLoaded condition="excludes">C:\ProgramData\Microsoft\Windows Defender\</ImageLoaded>
+				<ImageLoaded condition="excludes">C:\ProgramData\sysmon\sysmon64.exe</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
+				<ImageLoaded condition="contains any">C:\Users\Default\;C:\Users\Public\</ImageLoaded>
+				<ImageLoaded condition="end with">.exe</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst image hashes,Risk=100" groupRelation="and">
+				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
+			</Rule>
+			<Rule name="Level=0,Desc=SVCHost loading Unsigned DLL" groupRelation="and">
+				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
+				<Signed condition="is">false</Signed>
+			</Rule>
+			<Rule name="Level=0,Desc=Revoked Signature Libraries Loaded" groupRelation="and">
+				<SignatureStatus condition="is">Revoked</SignatureStatus>
+			</Rule>
+			<Rule name="Level=0,Desc=Expired Signature Libraries Loaded" groupRelation="and">
+				<SignatureStatus condition="is">Expired</SignatureStatus>
+			</Rule>
+			<Rule name="Level=4,Alert=HTA Exec with IE JS Engine AMSI Bypass" groupRelation="and">
+				<ImageLoaded condition="end with">jscript9.dll</ImageLoaded>
+				<Image condition="image">mshta.exe</Image>
+			</Rule>
+			<ImageLoaded condition="end with">scrobj.dll</ImageLoaded>
+			<ImageLoaded condition="end with">crypt0.dll</ImageLoaded>
+			<ImageLoaded name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Wireless Credential Dumping" condition="is">C:\Windows\System32\wlanapi.dll</ImageLoaded>
+			<ImageLoaded name="Level=0,Desc=Global Assembly Cache Load" condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
 		</ImageLoad>
+	</RuleGroup>
+	<RuleGroup name="RG=Image Load Excludes" groupRelation="or">
 		<ImageLoad onmatch="exclude">
-			<SignatureStatus condition="is">Valid</SignatureStatus>
-			<ImageLoaded condition="end with">System32\samlib.dll</ImageLoaded> <!-- Spam -->
-			<ImageLoaded condition="end with">System32\cryptdll.dlll</ImageLoaded> <!-- Spam -->
-			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft libraries-->
-			<Signature condition="is">Microsoft Windows</Signature> <!--Exclude signed Microsoft libraries-->
-			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft libraries-->
-			<Signature condition="begin with">Intel</Signature> <!--Exclude signed Intel libraries-->
-			<Signature condition="contains">Lenovo</Signature> <!--Exclude signed Lenovo libraries-->
-			<Signature condition="contains">Synaptic</Signature> <!--Exclude signed Synaptic libraries-->
-			<Signature condition="contains">Nvidia</Signature> <!--Exclude signed Nvidia libraries-->
-			<Signature condition="contains">Broadcom</Signature> <!--Exclude signed Broadcom libraries-->
-			<Signature condition="contains">AMD</Signature> <!--Exclude signed AMD libraries-->
-			<Signature condition="contains">VMware</Signature> <!--Exclude signed VMware libraries-->
-			<Signature condition="contains">Realtek</Signature> <!--Exclude signed Realtek libraries-->
-			<Signature condition="contains">Micro-Star</Signature> <!--Exclude signed MSI libraries-->
-			<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech libraries-->
-			<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia libraries-->
-			<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed MSI libraries-->
-			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed MSI libraries-->
-			<Company condition="contains">Microsoft</Company>
-			<Product condition="contains">Microsoft</Product>
-			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
-			<Signature condition="contains">Webroot</Signature> <!--Exclude signed MSI libraries-->
-			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
-			<Image condition="is">C:\Windows\System32\mmc.exe</Image>
-			<Image condition="is">C:\Windows\System32\SearchFilterHost.exe</Image>
-			<Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image>
-			<Image condition="is">C:\Windows\sysmon64.exe</Image>
-			<Image condition="is">C:\Windows\System32\inetsrv\w3wp.exe</Image>
-			<ImageLoaded condition="is">C:\Windows\sysmon64.exe</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\conhost.exe</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\winspool.drv</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\wshqos.</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\clusapi.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\wow64win.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\pcwum.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\kernel32.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\user32.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\dns.exe</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\zvprtmon5.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\System32\termsrv.dll</ImageLoaded>
-			<ImageLoaded condition="begin with">C:\Windows\System32\spool\</ImageLoaded>
-			<ImageLoaded condition="end with">samlib.dll</ImageLoaded>
-			<ImageLoaded condition="contains">C:\Program Files (x86)\SmartGit</ImageLoaded> <!--SmartGit-->
-			<ImageLoaded condition="contains">syntevo\SmartGit</ImageLoaded> <!--SmartGit-->
-			<ImageLoaded condition="contains">Labtech Client</ImageLoaded>
-			<ImageLoaded condition="contains">CrystalDecisions</ImageLoaded>
-			<ImageLoaded condition="contains">ShoreWare</ImageLoaded>
-			<ImageLoaded condition="is">C:\Program Files\Microsoft SQL Server\100\Shared\dbghelp.dll</ImageLoaded>
-			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <!-- Windows Store apps unsigned -->
-			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
-			<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: Not good for security but good on cutting down the noise, we do log dropped dll's -->
-			<ImageLoaded condition="contains">C:\Windows\assembly\NativeImages</ImageLoaded> <!-- Event Viewer -->
-			<ImageLoaded condition="contains">C:\Program Files\WindowsApps</ImageLoaded> <!-- Windows Store Apps: Apparently most dll's here are unsigned and causes noise -->
-			<!-- Custom App Exclusions -->
-			<ImageLoaded condition="is">C:\Program Files (x86)\AutoSizer\AutoSizer.dll</ImageLoaded> <!-- I use autosizer to re-arrange my windows -->
-			<ImageLoaded condition="contains">C:\Program Files (x86)\Notepad++</ImageLoaded> <!--Notepad++ Plugins Are unsigned-->
-			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image> <!-- eFolder SyncedTool -->
-			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Server loading unsigned dll's -->
-			<Image condition="is">C:\Windows\System32\VSSVC.</Image>
-			<Image condition="is">C:\Windows\System32\conhost.exe</Image>
-			<Image condition="is">C:\Windows\System32\svchost.exe</Image>
-			<Image condition="is">C:\Windows\System32\NETSTAT.EXE</Image>
-			<Image condition="is">C:\Windows\System32\inetsrv\w3wp.exe</Image>
-			<Image condition="is">C:\Windows\System32\tasklist.exe</Image>
-			<Image condition="is">C:\Windows\System32\nslookup.exe</Image>
-			<Image condition="is">C:\Windows\System32\find.exe</Image>
-			<Image condition="is">C:\cs\tools\php\php-cgi.exe</Image>
-			<Image condition="is">C:\Windows\System32\nbtstat.exe</Image>
-			<Image condition="is">C:\Windows\System32\dsquery.exe</Image>
-			<Image condition="is">C:\Windows\System32\netsh.exe</Image>
-			<Image condition="is">C:\Windows\System32\taskeng.exe</Image>
-			<Image condition="is">C:\ProgramData\sysmon\sysmon64.exe</Image>
-			<Image condition="contains">SQL Server</Image>
-			<ImageLoaded condition="contains">SQL Server</ImageLoaded>
-			<Image condition="contains">Exchange Server</Image>
-			<ImageLoaded condition="contains">Exchange Server</ImageLoaded>
+			<Rule name="Level=0,Desc=XLL Office Application Startup removal" groupRelation="and">
+				<Image condition="contains">\Microsoft Office\</Image>
+				<ImageLoaded condition="end with">\mscorlib.ni.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=XLL Office Application Startup removal" groupRelation="and">
+				<Image condition="contains">\Microsoft Office\</Image>
+				<ImageLoaded condition="end with">\sppc.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Level=0,Desc=SVCHost Signed DLL" groupRelation="and">
+				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
+				<Signed condition="is">true</Signed>
+			</Rule>
+			<!--Universal Exclusions: Be Careful-->
+			<Company condition="contains">Fortinet</Company>
+			<Company condition="contains">Lenovo</Company>
+			<Company condition="contains">Sophos</Company>
+			<Image condition="end with">mscorsvw.exe</Image>
+			<Image condition="image">C:\Program Files (x86)\Microsoft Office\root\Office15\officebackgroundtaskhandler.exe</Image>
+			<Image condition="image">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
+			<Image condition="image">C:\Program Files\Microsoft Office\root\Office15\officebackgroundtaskhandler.exe</Image>
+			<Image condition="image">C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
+			<Image condition="image">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
+			<Image condition="image">C:\Windows\System32\InstallAgentUserBroker.exe</Image>
+			<Image condition="image">C:\Windows\System32\RuntimeBroker.exe</Image>
+			<Image condition="image">C:\Windows\System32\SearchIndexer.exe</Image>
+			<Image condition="image">C:\Windows\System32\SettingSyncHost.exe</Image>
+			<Image condition="image">C:\Windows\System32\backgroundTaskHost.exe</Image>
+			<Image condition="image">C:\Windows\System32\sppsvc.exe</Image>
+			<Image condition="image">C:\Windows\System32\taskhost.exe</Image>
+			<Image condition="image">C:\Windows\System32\taskhostw.exe</Image>
+			<Image condition="image">C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe</Image>
+			<Image condition="image">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
+			<Image condition="image">HxTsr.exe</Image>
+			<Image condition="image">SearchUI.exe</Image>
+			<ImageLoaded condition="contains">C:\Program Files (x86)\Common Files\BIExcelFunctions1.1\32bit\Sage.</ImageLoaded>
+			<ImageLoaded condition="contains">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Pfx.</ImageLoaded>
+			<ImageLoaded condition="is">C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Adist64.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Program Files (x86)\Microsoft Office\Office15\Library\Analysis\ANALYS32.XLL</ImageLoaded>
+			<ImageLoaded condition="is">C:\Program Files (x86)\Microsoft Office\Office16\Library\Analysis\ANALYS32.XLL</ImageLoaded>
+			<ImageLoaded condition="is">C:\Program Files\Microsoft Office\Office15\Library\Analysis\ANALYS32.XLL</ImageLoaded>
+			<ImageLoaded condition="is">C:\Program Files\Microsoft Office\Office16\Library\Analysis\ANALYS32.XLL</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\SysWOW64\sppc.dll</ImageLoaded>
+			<ImageLoaded condition="is">Microsoft.Office.Interop.VisOcx.dll</ImageLoaded>
+			<ImageLoaded condition="is">Microsoft.Office.Interop.Word.dll</ImageLoaded>
+			<ImageLoaded condition="is">Microsoft.Vbe.Interop.dll</ImageLoaded>
+			<ImageLoaded condition="is">OFFICE.DLL</ImageLoaded>
 		</ImageLoad>
-
+	</RuleGroup>
 	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
-		<!--COMMENT:	Monitor for processes injecting code into other processes. Often used by malware to cloak their actions. Also when Firefox loads Flash.
-		[ https://attack.mitre.org/wiki/Technique/T1055 ] -->
-
-		<!--DATA: RuleName, UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
+	<RuleGroup name="RG=CreateRemoteThread Include Group" groupRelation="or">
 		<CreateRemoteThread onmatch="include">
-			<StartFunction name="MitreRef=T1055,Technique=DLL Injection via LoadLibrary API Call,Tactic=Defense Evasion,Alert=DLL Injection via LoadLibrary API Call" condition="contains">LoadLibrary</StartFunction>
-			<SourceImage condition="contains">\</SourceImage>
-			<StartAddress name="Alert=Cobalt Strike Detected!"  condition="end with">0B80</StartAddress>
+			<!--Custom Rules-->
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from lsass,Risk=100" groupRelation="and">
+				<StartAddress condition="is">0x001A0000</StartAddress>
+				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privledge Escalation,Level=4,Alert=CreateRemoteThread with msiexec,Risk=100" groupRelation="and">
+				<SourceImage condition="contains any">msiexec.exe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=Remote Thread Injection Targetting Web Browser,Risk=70" groupRelation="and">
+				<TargetImage condition="contains any">chrome.exe;firefox.exe;edge.exe;browser_broker.exe;iexplore.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=0,Desc=LSASS Credential dumping,Risk=70" groupRelation="and">
+				<StartAddress condition="is">0x001A0000</StartAddress>
+				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=0,Desc=Rundll32 LSASS Credential dumping,Risk=70" groupRelation="and">
+				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
+				<SourceImage condition="image">c:\windows\system32\rundll32.exe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,Level=4,Alert=Remote Thread Process debugging detected,Risk=30" groupRelation="and">
+				<StartFunction condition="contains">DbgUiRemoteBreakin</StartFunction>
+				<TargetImage condition="excludes">nacl64.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,Level=0,Desc=Remote Query Debug info,Risk=30" groupRelation="and">
+				<StartFunction condition="contains">QueryProcessDebugInformationRemote</StartFunction>
+				<TargetImage condition="excludes">nacl64.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,Tactic=Defense Evasion,Level=0,Desc=Query Debug info 2,Risk=30" groupRelation="and">
+				<StartFunction condition="contains">isdebuggerpresent</StartFunction>
+				<TargetImage condition="excludes">nacl64.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1546.012,Technique=Process Debugging Detected,Tactic=Defense Evasion,Level=3,Alert=Process Debug of active Process,Risk=30" groupRelation="and">
+				<StartFunction condition="contains">DebugActiveProcess</StartFunction>
+				<TargetImage condition="excludes">nacl64.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1055.001,Technique=Process Injection: Dynamic-link Library Injection,Tactic=Defense Evasion,Level=3,Alert=LoadLibrary DLL Injection,Risk=70" groupRelation="and">
+				<StartFunction condition="contains">LoadLibrary</StartFunction>
+				<SourceImage condition="excludes">C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe</SourceImage>
+				<SourceImage condition="excludes">C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe</SourceImage>
+				<SourceImage condition="excludes">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</SourceImage>
+				<SourceImage condition="excludes">C:\Windows\System32\DriverStore\FileRepository\</SourceImage>
+				<SourceImage condition="excludes">C:\Windows\System32\igfxEM.exe</SourceImage>
+				<SourceImage condition="excludes">C:\Windows\System32\igfxHK.exe</SourceImage>
+				<SourceImage condition="excludes">Enterprise\Common7\IDE\devenv.exe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=CreateFileMapping,Risk=70" groupRelation="and">
+				<StartFunction condition="contains any">CreateFileMapping;MapViewOfFile</StartFunction>
+			</Rule>			
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=LdrLoadDll DLL Injection,Risk=70" groupRelation="and">
+				<StartFunction condition="contains any">LdrLoadDll</StartFunction>
+			</Rule>
+			<Rule name="Attack=T1106,Technique=Native API,Tactic=Execution,Level=0,Desc=Crypt API Usage" groupRelation="and">
+				<StartFunction condition="contains any">CryptAcquireContextA;CryptDecodeObjectEx;CryptImportPublicKeyInfo;CryptEncrypt;CryptGenKey;CryptDecrypt;CryptStringToBinary;CryptBinaryToString;CryptImportKey</StartFunction>
+			</Rule>
+			<Rule name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,Level=0,Desc=Clipboard Usage Detected" groupRelation="and">
+				<SourceImage condition="image">c:\windows\system32\csrss.exe</SourceImage>
+				<StartFunction condition="contains">CrtlRoutine</StartFunction>
+			</Rule>
+			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Detected 1,Risk=100" condition="end with">0B80</StartAddress>
+			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Detected 2,Risk=100" condition="end with">0C7C</StartAddress>
+			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Detected 3,Risk=100" condition="end with">0C88</StartAddress>
+			<TargetImage name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=Remote Desktop injection,Risk=30" condition="image">c:\windows\system32\mstsc.exe</TargetImage>
 		</CreateRemoteThread>
+	</RuleGroup>
+	<RuleGroup name="RG=CreateRemoteThread Exclude Group" groupRelation="or">
 		<CreateRemoteThread onmatch="exclude">
 			<!--COMMENT: Exclude mostly-safe sources and log anything else.-->
-			<SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\SysWOW64\wbem\WmiPrvSE.exe</SourceImage>			
-			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\system32\csrss.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\system32\services.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\system32\winlogon.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\system32\audiodg.exe</SourceImage>
-			<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage>
-			<SourceImage condition="contains">FireSvc.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
-			<TargetImage condition="end with">controls\cef\ConnectWise.exe</TargetImage>
-			<SourceImage condition="is">C:\Program Files\N-able Technologies\AVDefender\epsecurityservice.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files\N-able Technologies\AVDefender\EPSecurityService.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\avp.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Common7\IDE\Remote Debugger\x64\msvsmon.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\System32\rdpclip.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\sysmon64.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\sysmon.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\SysWOW64\wbem\WmiPrvSE.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\system32\audiodg.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\system32\services.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\system32\svchost.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\system32\wininit.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\system32\winlogon.exe</SourceImage>
 		</CreateRemoteThread>
-
+	</RuleGroup>
 	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
-		<!--EVENT 9: "RawAccessRead detected"-->
-		<!--COMMENT:	Can cause high system load, disabled by default.-->
-		<!--COMMENT:	Monitor for raw sector-level access to the disk, often used to bypass access control lists or access locked files.
-			Disabled by default since including even one entry here activates this component. Reward/performance/rule maintenance decision.
-			Encourage you to experiment with this feature yourself. [ https://attack.mitre.org/wiki/Technique/T1067 ] -->
-		<!--COMMENT:	You will likely want to set this to a full capture on domain controllers, where no process should be doing raw reads.-->
-
-		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, Device-->
+	<RuleGroup name="RG=RawAccessRead Include Group" groupRelation="or">
 		<RawAccessRead onmatch="include">
 		</RawAccessRead>
-
+	</RuleGroup>
 	<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
-		<!--EVENT 10: "Process accessed"-->
-		<!--COMMENT:	Can cause high system load, disabled by default.-->
-		<!--COMMENT:	Monitor for processes accessing other process' memory.-->
-		<!--DATA: RuleName, UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
+	<RuleGroup name="RG=ProcessAccess Include Group" groupRelation="or">
 		<ProcessAccess onmatch="include">
-			<TargetImage condition="end with">:\Windows\System32\lsass.exe</TargetImage>
-			<TargetImage condition="end with">:\Windows\System32\winlogon.exe</TargetImage>
-			<SourceImage condition="contains">powershell.exe</SourceImage>
-			<TargetImage condition="contains">verclsid.exe</TargetImage>
-			<CallTrace condition="contains">VBE7.dll</CallTrace>
-			<CallTrace condition="contains">CorperfmontExt.dll</CallTrace>
-		<!--COMMENT:	Monitor for processes accessing other process' memory. This can be valuable, but can cause massive event glut.
-				Disabled by default since including even one entry here activates this component. Reward/performance decision.
-				Encourage you to experiment with this feature yourself.
-				Uses 4mbs+ IO -->
+			<!--Custom Rules-->
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Level=0,Desc=CSShellExecute_ExecuteAssoc,Risk=30" groupRelation="and">
+				<CallTrace condition="contains">C:\Windows\System32\SHELL32.dll+9b5bd</CallTrace>
+				<TargetImage condition="excludes">\LocalBridge.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Level=0,Desc=WSHellExec,Risk=50" groupRelation="and">
+				<CallTrace condition="contains any">C:\Windows\System32\wshom.ocx+c8a0;C:\Windows\System32\wshom.ocx+c39d</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Level=0,Desc=CWbemProviderGlueExecMethodAsync,Risk=50" groupRelation="and">
+				<CallTrace condition="contains">C:\Windows\SYSTEM32\framedynos.dll+2cb3e</CallTrace>
+				<TargetImage condition="excludes any">C:\Windows\system32\SgrmBroker.exe;C:\Windows\system32\SecurityHealthService.exe;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Windows\system32\services.exe;C:\Windows\system32\wininit.exe;C:\Windows\system32\sppsvc.exe;C:\Windows\System32\smss.exe;C:\Windows\system32\csrss.exe;C:\Windows\System32\svchost.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Level=0,Desc=ProviderExecMethod 1,Risk=60" groupRelation="and">
+				<CallTrace condition="contains">C:\Windows\SYSTEM32\framedynos.dll+2b496</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Level=0,Desc=MiniDumpWriteDump,Risk=50" groupRelation="and">
+				<CallTrace condition="contains">C:\Windows\SYSTEM32\dbgcore.DLL+6cfb</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Level=0,Desc=PssCaptureSnapShot,Risk=50" groupRelation="and">
+				<CallTrace condition="contains">C:\Windows\System32\KernelBase.dll+de67e</CallTrace>
+			</Rule>
+			<Rule name="Level=0,Desc=Dotnet Debugging detected,Risk=30" groupRelation="and">
+				<CallTrace condition="contains">ntdll.dll+a0044</CallTrace>
+			</Rule>
+			<Rule name="Level=0,Desc=DInvoke detected,Risk=100" groupRelation="and">
+				<CallTrace condition="contains any">clr.dll+6c23;clr.dll+6b38</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 1,Risk=30" groupRelation="and">
+				<CallTrace condition="contains all">C:\Windows\\SYSTEM32\ntdll.dll+;|C:\Windows\System32\KERNELBASE.dll+;|UNKNOWN(</CallTrace>
+				<CallTrace condition="end with">)</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 2,Risk=30" groupRelation="and">
+				<CallTrace condition="contains all">"UNKNOWN(;)|UNKNOWN(</CallTrace>
+				<CallTrace condition="end with">)</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 3,Risk=30" groupRelation="and">
+				<CallTrace condition="contains all">"UNKNOWN</CallTrace>
+				<GrantedAccess condition="contains any">0x1F0FFF;0x1F1FFF;0x143A;0x1410;0x1010;0x1F2FFF;0x1F3FFF;0x1FFFFF</GrantedAccess>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Level=0,Desc=Office Macro Injection Detected,Risk=100" groupRelation="and">
+				<SourceImage condition="contains all">C:\Program Files;\Microsoft Office\Root\Office</SourceImage>
+				<CallTrace condition="contains">\Microsoft Shared\VBA</CallTrace>
+				<TargetImage condition="excludes">C:\Program Files (x86)\Intuit\</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Credential Access,Risk=70" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<GrantedAccess>0x1FFFFF</GrantedAccess>
+				<CallTrace condition="contains">UNKNOWN</CallTrace>
+				<CallTrace condition="excludes">WmiPerfClass.dll</CallTrace>
+				<SourceImage condition="excludes any">C:\Windows\sysWOW64\wbem\wmiprvse.exe;C:\Windows\system32\wbem\wmiprvse.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe;WmiPerfClass.dll;C:\Program Files (x86)\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files (x86)\Common Files\Adobe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Mimikatz through Windows Remote Management,Risk=100" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<SourceImage condition="image">C:\Windows\system32\wsmprovhost.exe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS process access by LaZagne,Risk=100" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<GrantedAccess>0x1FFFFF</GrantedAccess>
+				<CallTrace condition="contains all">python27.dll;_ctypes.pyd;KERNELBASE.dll;ntdll.dll</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS process access by Mimikatz,Risk=100" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<CallTrace condition="begin with">C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\system32\KERNELBASE.dll+8185</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Cobalt Strike Monitor,Risk=70" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
+				<CallTrace condition="end with">)</CallTrace>
+				<CallTrace condition="contains all">|C:\WINDOWS\System32\KERNELBASE.dll+;|UNKNOWN(</CallTrace>
+				<CallTrace condition="excludes any">wow64.dll;)|C;Exchange.Diagnostics;Microsoft.Exchange</CallTrace>
+				<SourceImage condition="excludes any">C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe;c:\windows\system32\inetsrv\w3wp.exe;MSExchangeHMHost.exe;C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Rubeus Mimikatz Like Detection,Risk=70" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\winlogon.exe</TargetImage>
+				<GrantedAccess>0x1F3FFF</GrantedAccess>
+				<CallTrace condition="contains any">C:\Windows\Microsoft.NET;UNKNOWN</CallTrace>
+			</Rule>
+			<Rule name="Level=0,Desc=Suspicious Process Accessing Sysmon,Risk=50" groupRelation="and">
+				<SourceImage condition="end with">.exe</SourceImage>
+				<TargetImage condition="contains any">C:\Windows\sysmon64.exe;C:\Windows\sysmon64.exe</TargetImage>
+				<GrantedAccess>0x1C00</GrantedAccess>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access,Risk=20" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<GrantedAccess>0x1F1FFF</GrantedAccess>
+				<CallTrace condition="contains">UNKNOWN</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access 2,Risk=20" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<GrantedAccess>0x1010</GrantedAccess>
+				<CallTrace condition="contains">UNKNOWN</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access 3,Risk=20" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<GrantedAccess>0x143A</GrantedAccess>
+				<CallTrace condition="contains">UNKNOWN</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=LSASS Memory Dump,Risk=100" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<GrantedAccess>0x1fffff</GrantedAccess>
+				<CallTrace condition="contains any">dbghelp.dll;dbgcore.dll</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Process access with dbghelp,Risk=30" groupRelation="and">
+				<CallTrace condition="contains any">dbghelp.dll;dbgcore.dll</CallTrace>
+				<TargetImage condition="excludes">C:\Windows\system32\lsass.exe</TargetImage>
+				<SourceImage condition="excludes">C:\wfx32\</SourceImage>
+			</Rule>
+			<Rule name="Level=0,Desc=Powershell accessing another process memory" groupRelation="and">
+				<SourceImage condition="image">powershell.exe</SourceImage>
+				<TargetImage condition="excludes any">C:\Programdata\sysmon\sysmon64.exe;C:\Programdata\sysmon\sysmon.exe;C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe;\dismhost.exe</TargetImage>
+			</Rule>
+			<Rule name="Level=0,Desc=Potential Keylogger detected,Risk=100" groupRelation="and">
+				<CallTrace condition="contains">getasynckeystate</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=CMSTP UAC Bypass" groupRelation="and">
+				<CallTrace condition="contains">cmlua.dll</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1086,Technique=PowerShell,Tactic=Execution,Level=3,Alert=Powershell without Powershell,Risk=30" groupRelation="and">
+				<CallTrace condition="contains">System.Management.Automation</CallTrace>
+				<CallTrace condition="excludes">C:\ProgramData\Microsoft\Windows Defender\platform\</CallTrace>
+				<CallTrace condition="excludes">ctiuser.dll</CallTrace>
+				<SourceImage condition="is not">C:\Program Files\Citrix\ConfigSync\ConfigSyncRun.exe</SourceImage>
+				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V14\bin\ExSetupUI.exe</SourceImage>
+				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetupUI.exe</SourceImage>
+				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V16\bin\ExSetupUI.exe</SourceImage>
+				<SourceImage condition="is not">C:\Windows\SysWOW64\sdiagnhost.exe</SourceImage>
+				<SourceImage condition="is not">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</SourceImage>
+				<SourceImage condition="is not">C:\Windows\Temp\ExchangeSetup\ExSetupUI.exe</SourceImage>
+				<SourceImage condition="is not">C:\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe</SourceImage>
+				<TargetImage condition="is not">C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe</TargetImage>
+				<TargetImage condition="is not">C:\Windows\system32\HOSTNAME.EXE</TargetImage>
+				<TargetImage condition="is not">C:\Windows\system32\ROUTE.exe</TargetImage>
+				<TargetImage condition="is not">C:\Windows\system32\query.exe</TargetImage>
+				<TargetImage condition="is not">MsMpEng.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=3,Alert=Kaodic credential access detected,Risk=100" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<CallTrace condition="contains">comsvcs.dll</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=Office Macro Execution VBE7,Risk=80" groupRelation="and">
+				<CallTrace condition="contains any">VBE7.dll;VBEUI.DLL;VBE7INTL.DLL</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=Office Macro Execution VBE6,Risk=80" groupRelation="and">
+				<CallTrace condition="contains any">VBE6.dll;VBEUI.DLL;VBE6INTL.DLL</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=verclsid Office Execution,Risk=80" groupRelation="and">
+				<SourceImage condition="contains">Office</SourceImage>
+				<TargetImage condition="contains">verclsid.exe</TargetImage>
+				<CallTrace condition="contains any">VBE7.dll;VBEUI.DLL;VBE7INTL.DLL</CallTrace>
+				<CallTrace condition="contains any">|UNKNOWN(</CallTrace>
+				<GrantedAccess condition="contains">0x1FFFFF</GrantedAccess>
+			</Rule>
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Level=0,Desc=CreateProcessW,Risk=70" groupRelation="and">
+				<SourceImage condition="contains">C:\Program Files\Microsoft Office\Root\Office</SourceImage>
+				<CallTrace condition="contains">C:\Windows\System32\KERNELBASE.dll+76516</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Level=0,Desc=CSShellExecute_DoExecute,Risk=30" groupRelation="and">
+				<CallTrace condition="contains" >C:\Windows\System32\SHELL32.dll+ae3b9</CallTrace>
+				<TargetImage condition="excludes">C:\WINDOWS\system32\sihost.exe</TargetImage>
+				<TargetImage condition="excludes">C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub</TargetImage>
+			</Rule>
+			<CallTrace name="Level=4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
+			<Rule name="Level=4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
+				<CallTrace condition="contains">|UNKNOWN(</CallTrace>
+				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
+				<CallTrace condition="contains">|C:\WINDOWS\System32\KERNELBASE.dll+</CallTrace>
+				<CallTrace condition="end with">)</CallTrace>
+				<GrantedAccess condition="contains any">0x1028;0x1fffff</GrantedAccess>
+			</Rule>
+			<Rule name="Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
+				<SourceImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</SourceImage>
+				<CallTrace condition="contains">:\Windows\Microsoft.NET\Framework64\v2.</CallTrace>
+				<CallTrace condition="contains">UNKNOWN</CallTrace>
+			</Rule>
+			<Rule name="Level=4,Alert=Potential Metasploit Process Migration" groupRelation="and">
+				<CallTrace condition="contains">UNKNOWN</CallTrace>
+				<GrantedAccess condition="contains">0x147a</GrantedAccess>
+			</Rule>
+			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE: possible memory injection -->
+			<GrantedAccess name="Attack=T1093,Technique=Process Hollowing,Tactic=Defense Evasion,Level=4,Alert=Process Hollowing Detected,Risk=100">0x0800</GrantedAccess>
+			<!-- PROCESS_SUSPEND_RESUME -->
+			<GrantedAccess name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator">0x0810</GrantedAccess>
+			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
+			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=Possible Memory Dump,Risk=70">0x0820</GrantedAccess>
+			<!-- PROCESS_SUSPEND_RESUME -->
+			<GrantedAccess name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=70">0x810</GrantedAccess>
+			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
+			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Risk=70">0x820</GrantedAccess>
+			<SourceImage name="Level=0,Desc=CScript accessing another process memory,Risk=30" condition="end with">cscript.exe</SourceImage>
+			<SourceImage name="Level=0,Desc=WScript accessing another process memory,Risk=30" condition="end with">wscript.exe</SourceImage>
+			<SourceImage condition="end with">jjs.exe</SourceImage>
+			<CallTrace name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">dump</CallTrace>
+			<CallTrace name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">mimikatz</CallTrace>
+			<CallTrace name="Level=0,Desc=ProcessAccess with CorperfmontExt.dll,Risk=70" condition="contains">CorperfmontExt.dll</CallTrace>
 		</ProcessAccess>
+	</RuleGroup>
+	<RuleGroup name="RG=ProcessAccess Exclude Group" groupRelation="or">
 		<ProcessAccess onmatch="exclude">
-			<!-- Filter out common access masks
-			A reference is available here for the mask: https://msdn.microsoft.com/en-us/library/windows/desktop/ms684880%28v=vs.85%29.aspx
-			Ideally an access mask with any of the following is useful:
-			PROCESS_VM_WRITE (0x0020)
-			PROCESS_VM_READ (0x0010)
-			PROCESS_VM_OPERATION (0x0008)
-			0x1410 (potential memory read) is common activity. E.g. by taskmgr.exe. We only want to capture this against lsass.exe and winlogon.exe, but this logic is in the subscription.
-			-->
-			<GrantedAccess condition="is">0x40</GrantedAccess>
-			<GrantedAccess condition="is">0x101000</GrantedAccess>
-			<GrantedAccess condition="is">0x1000</GrantedAccess>
-			<GrantedAccess condition="is">0x1400</GrantedAccess>
-			<GrantedAccess condition="is">0x100000</GrantedAccess>
-			<GrantedAccess condition="is">0x3200</GrantedAccess>
-			<GrantedAccess condition="is">0x101400</GrantedAccess>
-			<GrantedAccess condition="is">0x101001</GrantedAccess>
+			<Rule name="wmi accessing lsass" groupRelation="and">
+				<SourceImage condition="image">wmiprvse.exe</SourceImage>
+				<TargetImage condition="image">lsass.exe</TargetImage>
+			</Rule>
+			<Rule name="lsass accessing winlogon" groupRelation="and">
+				<SourceImage condition="image">lsass.exe</SourceImage>
+				<TargetImage condition="image">winlogon.exe</TargetImage>
+			</Rule>
 			<!-- These binaries appear to access lsass legitimately -->
-			<SourceImage condition="is">C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
-			<SourceImage condition="begin with">C:\ProgramData\Microsoft\Windows Defender\platform\</SourceImage>
-			<SourceImage condition="is">C:\Windows\system32\msiexec.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
-			<SourceImage condition="is">C:\Windows\system32\spoolsv.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files\N-able Technologies\AVDefender\EPUpdateService.exe</SourceImage>
-			<SourceImage condition="contains">taskmgr</SourceImage>
-			<SourceImage condition="end with">wbem\wmiprvse.exe</SourceImage>
-			<SourceImage condition="end with">\EMET_Service.exe</SourceImage>
-			<SourceImage condition="end with">\EMET_GUI.exe</SourceImage>
-			<SourceImage condition="end with">\procexp64.exe</SourceImage>
-			<SourceImage condition="contains">processhacker</SourceImage>
-			<SourceImage condition="end with">\Bin\FMS.exe</SourceImage> <!-- Exchange Process -->
-			<SourceImage condition="contains">\Exchange Server\</SourceImage>
-			<SourceImage condition="contains">SQL</SourceImage>
-			<SourceImage condition="end with">:\Windows\System32\smss.exe</SourceImage>
-			<SourceImage condition="end with">:\Windows\system32\csrss.exe</SourceImage>
-			<SourceImage condition="end with">:\Windows\system32\wininit.exe</SourceImage>
-			<SourceImage condition="end with">\Google\Update\GoogleUpdate.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files\Webroot\WRSA.exe</SourceImage>
-			<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
-			<TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
-			<TargetImage condition="is">C:\Windows\Sysmon.exe</TargetImage>
-			<TargetImage condition="is">C:\Windows\Sysmon64.exe</TargetImage>
-			<!-- ScreenConnect Querying lsass/winlogon SPAM -->
-			<SourceImage condition="contains">ScreenConnect</SourceImage>
+			<Rule name="legitimate lsass access" groupRelation="and">
+				<TargetImage condition="contains">lsass.exe</TargetImage>
+				<SourceImage condition="excludes any">C:\Windows\system32\w32tm.exe;C:\Windows\System32\ping.exe;C:\Windows\System32\net.exe;C:\Windows\System32\net1.exe;C:\Windows\SYSTEM32\HOSTNAME.EXE;C:\Programdata\sysmon\sysmon.exe;C:\Programdata\sysmon\sysmon64.exe;C:\Program Files\Windows Defender\MsMpEng.exe;C:\Program Files (x86)\BeAnywhere Support Express\;C:\Program Files (x86)\CheckPoint\;C:\Program Files (x86)\Common Files\Intuit\QuickBooks\;C:\Program Files (x86)\Fortinet\;C:\Program Files (x86)\Trend Micro\;C:\Program Files\Adobe\Adobe Creative Cloud Experience\;C:\Program Files\CheckPoint\;C:\Program Files\Fortinet\;C:\Program Files\Realtek;C:\Program Files\Trend Micro\;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Program Files (x86)\Lenovo\;snmpd.exe;taskmgr;:\Windows\System32\smss.exe;:\Windows\system32\wininit.exe;\Bin\FMS.exe; <!-- Exchange Process -->\EMET_GUI.exe;\EMET_Service.exe;\Google\Update\GoogleUpdate.exe;\RAAGTAPP.EXE;\controls\cef\ConnectWise.exe;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe;C:\Program Files\Hewlett-Packard\AMS\service\hpqams.exe;C:\Program Files\Intel\SUR\WILLAMETTE\ESRV\esrv_svc.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files\Windows Defender\MsMpEng.exe;C:\WINDOWS\system32\WerFault.exe;C:\WINDOWS\system32\taskkill.exe;C:\Windows\SysWOW64\WerFault.exe;C:\Windows\System32\snmp.exe;C:\Windows\system32\msiexec.exe;C:\Windows\system32\spoolsv.exe;C:\Windows\system32\svchost.exe</SourceImage>
+			</Rule>
 			<!-- These binaries get or access processes running .NET -->
 			<SourceImage condition="end with">:\Windows\system32\sppsvc.exe</SourceImage>
 			<SourceImage condition="end with">:\Windows\system32\sdiagnhost.exe</SourceImage>
 			<!-- In testing a common false-positive is memory space that DLLS would be expected to mapped to. -->
 			<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
-			<SourceImage condition="contains">ShadowProtect</SourceImage>
-			<SourceImage condition="is">C:\Hlthpnt\bin\IM.exe</SourceImage>
-			<SourceImage condition="end with">Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe</SourceImage>
-			<SourceImage condition="end with">Common Files\Adobe\AdobeGCClient\AGSService.exe</SourceImage>
-			<SourceImage condition="begin with">C:\ProgramData\WebEx\webex\</SourceImage>
-			<SourceImage condition="end with">Dropbox\Update\DropboxUpdate.exe</SourceImage>
-			<SourceImage condition="end with">LTSvc\LTSVC.exe</SourceImage>
-			<SourceImage condition="end with">\Trusteer\Rapport\bin\RapportMgmtService.exe</SourceImage>
-			<SourceImage condition="end with">Adobe\AdobeGCClient\AGMService.exe</SourceImage>
-			<SourceImage condition="end with">NT-ware Shared\MomAdmSvc\MomAdmSvc.exe</SourceImage>
-			<SourceImage condition="end with">\Autodesk\Autodesk Desktop App\AdAppMgrSvc.exe</SourceImage>
+			<Rule name="Level=0,Desc=Direct System Call Events" groupRelation="and">
+				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\ntdll.dll</CallTrace>  
+				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\win32u.dll</CallTrace>
+				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\wow64win.dll</CallTrace>
+			</Rule>
 		</ProcessAccess>
-
+	</RuleGroup>
 	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
-		<!--EVENT 11: "File created"-->
-		<!--NOTE:	Other filesystem "minifilters" can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
-		<!--NOTE:	You may not see files detected by antivirus. Other filesystem minifilters, like antivirus, can act before Sysmon receives the alert a file was written.-->
-
 		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
+	<RuleGroup name="RG=FileCreate Include Group" groupRelation="or">
 		<FileCreate onmatch="include">
-			<TargetFilename condition="begin with">C:\Windows\Prefetch</TargetFilename> <!--Microsoft:Windows: Prefetch Forensics that may possibly bypass sysmon-->
-			<TargetFilename condition="begin with">C:\Windows\System32\drivers</TargetFilename> <!--Microsoft:Windows: Monitor Driver Drops & hosts location-->
-			<TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links and shortcut modification-->
-			<TargetFilename condition="contains">\Startup</TargetFilename> <!--Microsoft:Office: Changes to user's autoloaded files under AppData-->
-			<TargetFilename name="MitreRef=T1060,Technique=Autorun Folder Entries,Tactic=Persistence" condition="contains">\Programs\Startup</TargetFilename> <!--Microsoft:Windows: Autorun Startup Folder-->
-			<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments--> <!--PRIVACY WARNING-->
-			<TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE--> <!--PRIVACY WARNING-->
-			<TargetFilename condition="contains">$RECYCLE.BIN</TargetFilename> <!--Files created in Recycle bin-->
-			<TargetFilename condition="contains">\Microsoft\Office\Recent</TargetFilename> <!--Recent Office History-->
-			<TargetFilename condition="end with">.dll</TargetFilename> <!-- Lets detect DLL's being dropped in locations and to detect DLL Search Order Hijacking -->
-			<TargetFilename condition="end with">.ocx</TargetFilename>
-			<TargetFilename condition="end with">.sys</TargetFilename> <!-- Lets detect Drivers's being dropped in locations -->
-			<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
-			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
-			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
-			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
-			<TargetFilename condition="end with">.com</TargetFilename> <!--Batch scripting: Batch scripts can also use the .com extension -->
-			<TargetFilename condition="end with">.btm</TargetFilename> <!--Batch scripting: Batch scripts can also use the .btm extension -->
-			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
-			<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
-			<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
-			<TargetFilename condition="end with">.msc</TargetFilename> <!--Executable-->
-			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
-			<TargetFilename condition="end with">.ws</TargetFilename> <!--Scripting-->
-			<TargetFilename condition="end with">.wsf</TargetFilename> <!--Scripting-->
-			<TargetFilename condition="end with">.wsh</TargetFilename> <!--Scripting-->
-			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
-			<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
-			<TargetFilename condition="end with">.ps1xml</TargetFilename> <!--PowerShell's other file extensions: -->
-			<TargetFilename condition="end with">.psc1</TargetFilename> <!--PowerShell's other file extensions: -->
-			<TargetFilename condition="end with">.psd1</TargetFilename> <!--PowerShell's other file extensions: -->
-			<TargetFilename condition="end with">.psm1</TargetFilename> <!--PowerShell's other file extensions: -->
-			<TargetFilename condition="end with">.pssc</TargetFilename> <!--PowerShell's other file extensions: -->
-			<TargetFilename condition="end with">.cdxml</TargetFilename> <!--PowerShell's other file extensions: -->
-			<TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
-			<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry files-->
-			<TargetFilename condition="end with">.docm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.xlsm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.xlam</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.potm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.sldm</TargetFilename> <!--Office Macros-->
-			<TargetFilename condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
-			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
-			<TargetFilename condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
-			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
-			<TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting-->
-			<TargetFilename condition="end with">.vbsript</TargetFilename> <!--VisualBasicScripting-->
-			<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting-->
-			<TargetFilename condition="end with">.js</TargetFilename> <!--Java Scripting-->
-			<TargetFilename condition="end with">.jse</TargetFilename> <!--Java Scripting-->
-			<TargetFilename condition="end with">proj</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
-			<TargetFilename condition="end with">.sln</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
-			<TargetFilename condition="end with">.xls</TargetFilename> <!--Legacy Office files are often used for attacks-->
-			<TargetFilename condition="end with">.ppt</TargetFilename> <!--Legacy Office files are often used for attacks-->
-			<TargetFilename condition="end with">.rft</TargetFilename> <!--RTF files often 0day malware vectors when opened by Office-->
-			<TargetFilename condition="end with">.SettingContent-ms</TargetFilename> <!--More info: https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39-->
-			<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
-			<TargetFilename condition="contains">\Desktop</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
-			<TargetFilename condition="contains">\Documents</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
-			<TargetFilename condition="begin with">C:\Windows\System32\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
-			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
-			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
-			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
-			<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks-->
-			<TargetFilename condition="begin with">C:\Windows\System32\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
-			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
-			<TargetFilename condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
-			<TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
-			<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
-			<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks -->
-			<TargetFilename condition="begin with">C:\Windows\SysWow64\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks -->
-			<TargetFilename condition="begin with">C:\Windows\Minidump</TargetFilename> <!--Windows Minidumps -->
-			<TargetFilename condition="contains">Microsoft\Windows\WER\</TargetFilename> <!--Windows Minidumps -->
-			<TargetFilename condition="end with">MEMORY.dmp</TargetFilename> <!--Microsoft:ScheduledTasks -->
-			<TargetFilename condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename> <!--Microsoft:Windows: Application compatibility shims [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
-			<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename> <!--Microsoft: Files dropped here -->
-			<!--SECTION: Other suspicious file types to monitor-->
-			<TargetFilename condition="end with">.ICL</TargetFilename>
-			<TargetFilename condition="end with">.FON</TargetFilename>
-			<TargetFilename condition="end with">.FOT</TargetFilename>
-			<TargetFilename condition="end with">.ico</TargetFilename>
-			<TargetFilename condition="end with">.lnk</TargetFilename>
-			<TargetFilename condition="end with">.eml</TargetFilename>
-			<TargetFilename condition="end with">.msg</TargetFilename>
-			<TargetFilename condition="end with">.SCT</TargetFilename>
-			<TargetFilename condition="end with">.SCR</TargetFilename>
-			<TargetFilename condition="end with">.SHB</TargetFilename>
-			<TargetFilename condition="end with">.SHS</TargetFilename>
-			<TargetFilename condition="end with">.PAF</TargetFilename>
-			<TargetFilename condition="end with">.JSE</TargetFilename>
-			<TargetFilename condition="end with">.gadget</TargetFilename>
-			<TargetFilename condition="end with">.cpl</TargetFilename>
-			<TargetFilename condition="end with">.inf</TargetFilename>
-			<!--SECTION: Ransomware-->
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_decrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_restore</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ReadDecryptFilesHere</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howto_recover_file</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recover_file_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Recovery_file_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_to_decrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">encryptor_raas_readme_liesmich</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RESTORE_FILES_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_my_files</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_recover</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_TO_SAVE_FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTIONS</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES.url</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Coin.Locker.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_secret_code.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Decrypt_readme.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTUCCIONES_DESCRIFRADO</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">FILESAREGONE.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IAMREADYTOPAY.TXT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELLOTHERE.TXT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READTHISNOW!!!.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRETIDHERE.KEY</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IHAVEYOURSECRET.KEY</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRET.KEY</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELPDECRYPT_YOUR_FILES.HTML</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILES.TXT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILE.</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HowtoRestore_Files</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howrecover+</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recoveryfile</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_decrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_restore</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.CRAB</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.cerber</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_decrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_restore_files</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_YOUR_FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ReadDecryptFilesHere</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howto_recover_file</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recover_file</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Recovery_File_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_DECRYPT_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DecryptAllFiles</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">encryptor_raas_readme_liesmich</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RESTORE_FILES_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_my_files</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_recover</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_TO_SAVE_FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTIONS</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTUCCIONES_DESCRIFRADO</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES.url</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Coin.Locker.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_secret_code.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Decrypt_readme.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">FILESAREGONE.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IAMREADYTOPAY.TXT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELLOTHERE.TXT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READTHISNOW!!!.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRETIDHERE.KEY</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IHAVEYOURSECRET.KEY</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRET.KEY</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELPDECRYPT_YOUR_FILES.HTML</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILES.TXT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILE.</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HowtoRestore_File</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howrecover+ recoveryfile_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recoverfile_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_ReCoVeRy_+</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.zzzzz </TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">aeroware</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howto_recover_file</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RESTORE_FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_my_files</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_recover</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_TO_SAVE_FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTIONS</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES.url</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Coin.Locker.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_secret_code.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Decrypt_readme.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">FILESAREGONE.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IAMREADYTOPAY.TXT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELLOTHERE.TXT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READTHISNOW!!!.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRETIDHERE.KEY</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IHAVEYOURSECRET.KEY</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRET.KEY</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELPDECRYPT_YOUR_FILES.HTML</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILES.TXT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howrecover+</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">contains(to_string($message.file_created), "howrecover+</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!!READ_TO_UNLOCK!!!.TXT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">openforyou@india.com</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.warn_wallet</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">hacks.at.sigaint.org</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.MATRIX</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Crytp0l0cker</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypted_files.dat</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">padcrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Vape Launcher.exe</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ_ME_!.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.enjey</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Aescrypt.exe</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">PINGY@INDIA.COM</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WORMKILLER@INDIA.COM.XTBL</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">CEBER3</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IF_WANT_FILES_BACK_PLS_READ.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_HELP_HELP_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">zXz.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_ME_PLEASE.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!_RECOVERY_HELP_!.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">PLEASE-READIT-IF_YOU-WANT.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.filegofprencrp</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">COME_RIPRISTINARE_I_FILE.</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">fattura_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_steaveiwalker@india.com_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">COMO_ABRIR_ARQUIVOS.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">info@kraken.cc_worldcza@email.cz</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">COMO_RESTAURAR_ARCHIVOS</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">What happen to my files.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ASSISTANCE_IN_RECOVERY</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_DECRYPT_ASSISTANCE_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_HELP_HELP_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">BTC_DECRYPT_FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.TheTrumpLocker</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ-READ-READ</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.weencedufiles</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.powned</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">[KASISKI]</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTRUCCIONES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_USE_TO_FIX_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.happydayzz</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">001-READ-FOR-DECRYPT-FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INFORMATION</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Rans0m_N0te_Read_ME</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">wowwhereismyfiles</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decryptional</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">wowreadfordecryp</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.HERMES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_DECRYPT_INFO_szesnl</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">000-IF-YOU-WANT-DEC-FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.evillock</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.letmetrydecfiles</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.yourransom</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.lambda_l0cked</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.gefickt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.sigaint.org</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.HakunaMatata</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.CRYPTOSHIELD</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.weareyourfriends</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">MERRY_I_LOVE_YOU_BRUCE.hta</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How decrypt files.hta</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">unCrypte</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decipher_ne</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.paytounlock</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">TRY-READ-ME-TO-DEC</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">protonmail.ch</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">LEER_INMEDIATAMENTE</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.killedXXX</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.doomed</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">000-No-PROBLEM-WE-DEC-FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.noproblemwedecfiles</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WE-MUST-DEC-FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">powerfulldecrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">opensourcemail.org</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ_ME_TO_DECRYPT_YOU_INFORMA</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">file0locked</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">CryptoRansomware</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.VBRANSOM</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_Recover_Files_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.oops</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.deria</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.RMCM1</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Locked-by-Mafia</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">-filesencrypted</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt_Globe</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.hnumkhotep</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.decrypt2017</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DecryptFile</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.L0CKED</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">1025-7152.exe</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">firstransomware.exe</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP-ME-ENCED-FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">helpmeencedfiles</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">EdgeLocker</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.XBTL</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.firecrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES_ARE_DEAD</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.airacropencrypted!</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">@mail.ru</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WHERE-YOUR-FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Whereisyourfiles</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">india.com</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_README.hta</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_README.jpg</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_OPEN_FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.gangbang</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">GJENOPPRETTING_AV_FILER</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!! HOW TO DECRYPT FILES !!!</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.braincrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTRUCTION RESTORE FILE</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Survey Locker.exe</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Receipt.exe</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WindowsApplication1.exe</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HWID Lock.exe</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">VIP72.exe</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DALE_FILES.TXT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_RESTORE_YOUR_DATA</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RESTORE_CORUPTED_FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Cyber SpLiTTer Vbs.exe</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">000-PLEASE-READ-WE-HELP</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.VforVendetta</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">popcorn_time.exe</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">OSIRIS-</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DesktopOsiris</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">inbox.ru</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.no_more_ransom</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.lovewindows</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.osiris</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.R.i.P</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Important!.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!_HOW_TO_RESTORE_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_RESTORE_FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RECOVER_FILES_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_RESTORE_FILES_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ThxForYurTyme</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOW_TO_Decrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_RECOVER_INSTRUCTIONS</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPTION INSTRUCTIONS.</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt explanations.</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_WHAT_is.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOWDO_text.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">readme_liesmich_encryptor_raas</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Adatok_visszaallitasahoz_utasitasok</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_TO_RECURE_YOUR_FILES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files encrypted by our friends !!!.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README HOW TO DECRYPT YOUR FILES.HTML</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ_IT.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!Recovery_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ATTENTION.url</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README!!!</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">email-salazar_slytherin10</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">._AiraCropEncrypted!</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_RECOVER_FILES_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOWDO_text.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOWDO_text.bmp</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOWDO_text.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">zzzzzzzzzzzzzzzzzyyy</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">zycrypt.</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt your file</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_H_e_l_p_RECOVER_INSTRUCTIONS+</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW-TO-DECRYPT-FILES.HTML</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_DECRYPT.HTML</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">exit.hhr.obleep</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">UnblockFiles.vbs</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_DECRYPT_HYDRA_ID_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_Readme.TXT.ReadMe</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Decrypt All Files</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HowDecrypt.gif</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_YOURFILES.HTML</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW TO DECRYPT FILES.HTML</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">BUYUNLOCKCODE</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">BitCryptorFileList.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How_to_decrypt_your_files.jpg</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How_to_restore_files.hta</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Como descriptografar seus arquivos.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!Recovery_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Read_this_file.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ATTENTION!!!.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_DECRYPT.lnk</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how to decrypt aes files.lnk</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restore_files.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HowDecrypt.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">wie_zum_Wiederherstellen_von_Dateien.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">paycrypt.bmp</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">maxcrypt.bmp</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_decrypt.gif</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how to get data.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help-file-decrypt.enc</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">enigma_encr.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">enigma.hta</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">default432643264.jpg</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">default32643264.bmp</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decypt_your_files.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">de_crypt_readme.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">de_crypt_readme.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">de_crypt_readme.bmp</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">cryptinfo.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">crjoker.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover_instructions.bmp</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_H_e_l_p_RECOVER_INSTRUCTIONS</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_instructions.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_instructions.bmp</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_DECRYPT_INFO_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files encrypted by our friends !!! txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files are locked !.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files are locked !!.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files are locked !!!.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files are locked !!!!.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES_ARE_LOCKED.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES_ARE_ENCRYPTED.TXT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES_ARE_ENCRYPTED.HTML</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUGOTHACKED.TXT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">UNLOCK_FILES_INSTRUCTIONS.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">UNLOCK_FILES_INSTRUCTIONS.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SIFRE_COZME_TALIMATI.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SHTODELATVAM.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Read Me (How Decrypt) !!!!.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RESTORE_FILES_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ_THIS_TO_DECRYPT.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_HOW_TO_UNLOCK.TXT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_HOW_TO_UNLOCK.HTML</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_DECRYPT_UMBRE_ID_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_DECRYPT_HYRDA_ID_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ ME FOR DECRYPT.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ IF YOU WANT YOUR FILES BACK.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Payment_Instructions.jpg</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ONTSLEUTELINGS_INSTRUCTIES.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">OKSOWATHAPPENDTOYOURFILES.TXT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">MENSAGEM.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">KryptoLocker_README.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Instructionaga.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ISTRUZIONI_DECRITTAZIONE.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTRUCTIONS_DE_DECRYPTAGE.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTRUCCIONES_DESCIFRADO.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTALL_TOR.URL</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IMPORTANT.README</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IMPORTANT READ ME.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Howto_RESTORE_FILES.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How to decrypt your data.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How to decrypt LeChiffre files.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Help Decrypt.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Hacked_Read_me_to_decrypt_files.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_UNLOCK_FILES_README_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_RESTORE_FILES.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_DECRYPT.URL</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_DECRYPT.TXT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_DECRYPT.HTML</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RECOVER_FILES_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW TO DECRYPT FILES.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_YOUR_FILES.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_YOUR_FILES.PNG</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_TO_SAVE_FILES.bmp</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_RESTORE_FILES_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_DECRYPT.URL</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_DECRYPT.PNG</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_DECRYPT.HTML</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">GetYouFiles.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">File Decrypt Help.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">FILES_BACK.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ENTSCHLUSSELN_HINWEISE.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DecryptAllFiles</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DESIFROVANI_POKYNY.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_YOUR_FILES.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_YOUR_FILES.HTML</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_ReadMe1.TXT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTIONS.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTION.URL</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTION.HTML</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPTION_HOWTO.Notepad</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Comment débloquer mes fichiers.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">BUYUNLOCKCODE.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">AllFilesAreLocked</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">@ukr.net</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.fuckyourdata</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.encrypted.locked</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.Where_my_files.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.RSplited</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.KEYZ.KEYH0LES</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.How_To_Get_Back.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.How_To_Decrypt.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.Contact_Here_To_Recover_Your_Files.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.31392E30362E32303136_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains"># DECRYPT MY FILES #.vbs</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains"># DECRYPT MY FILES #.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains"># DECRYPT MY FILES #.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!Where_are_my_files!.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!!README!!!</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!!-WARNING-!!!.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!!-WARNING-!!!.html</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.magic_software_syndicate</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">maestro@pizzacrypts.info</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howtodecryptaesfiles.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.SecureCrypted</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt-instruct</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">files_are_encrypted.</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decryptmyfiles</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_instructions.</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">de_crypt_readme.</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!recover!</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recover}-</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_help_instruct</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_recover_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">+recover+</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">warning-!!</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt my file</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_file_</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recovery+</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">readme_for_decrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">install_tor</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">readme_decrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howtodecrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howto_restore</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_to_recover</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_recover</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_to_decrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how to decrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_restore</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_your_file</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_decrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt_instruct</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">cryptolocker.</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recover_instruction</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.hydracrypt_ID</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.cryptotorlocker</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.one-we_can-help_you</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.OMG!</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.nochance</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.LOL!</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.CryptoTorLocker2015!</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.{CRYPTENDBLACKDC}</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">vault.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">vault.key</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recovery_key.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">vault.hta</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">message.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recovery_file.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">confirmation.key</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">enc_files.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">last_chance.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">want your files back.</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover_instructions.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recoverfile</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Howto_Restore_FILES.TXT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recoveryfile</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover.txt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.SUPERCRYPT</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.helpdecrypt</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">only-we_can-help_you</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.fileiscryptedhard</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.blocatto</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.8lock8</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">==READ==THIS==PLEASE==</TargetFilename>
-			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">randomname</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.weapologize</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">SORRY-FOR-FILES</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">PLEASE-READ-WE-HELP.</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">CHECK-IT-HELP-FILES</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">HAPPEN-ENCED-FILES</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">HELP-ME-ENCED-FILES</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">PLS-DEC-MY-FILES</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">WE-MUST-DEC-FILES</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">No-PROBLEM-WE-DEC-FILES</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">TRY-READ-ME-TO-DEC</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">IF-YOU-WANT-DEC-FILES</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">LET-ME-TRY-DEC-FILES</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">READ-FOR-DECRYPT-FILES</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">PLEASE-READIT-IF_YOU-WANT</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">READ-READ-READ</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">WANT_FILES_BACK</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">READ-FOR-DECCCC-FILESSS</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">PLEASE-README-AFFECTED-FILES</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">_DEC_FILES.</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.notfoundrans</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.VforVendetta</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.theworldisyours</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.helpmeencedfiles</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.wowwhereismyfiles</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.wowreadfordecryp</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.powerfulldecrypt</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.noproblemwedecfiles</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.weareyourfriends</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.otherinformation</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.letmetrydecfiles</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.encryptedyourfiles</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.weencedufiles</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.filegofprencrp</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.iaufkakfhsaraf</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.cifgksaffsfyghd</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.skjdthghh</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.ransom</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.breeding123</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.mention9823</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.suppose666</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.moments2900</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.country82000</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.supported2017</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.prosperous666</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.disposed2017</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.myrandsext2017</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.loveransisgood</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.areyoulovemyrans</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.stubbin</TargetFilename>
-			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.berkshire</TargetFilename>
-			<!--SamSam Ransomware File drops -->
-			<TargetFilename name="Alert=SamSam file created!" condition="end with">\www.exe</TargetFilename>
-			<TargetFilename name="Alert=SamSam file created!" condition="end with">\ps.exe</TargetFilename>
-			<TargetFilename name="Alert=SamSam file created!" condition="end with">\nt.exe</TargetFilename>
-			<TargetFilename name="Alert=SamSam file created!" condition="end with">\doliohdyjkajd.dll</TargetFilename>
-			<TargetFilename name="Alert=SamSam file created!" condition="end with">\run2.exe</TargetFilename>
-			<TargetFilename name="Alert=SamSam file created!" condition="end with">\ping2.exe</TargetFilename>
-			<!--END: SamSam Ransomware File drops -->
+			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
+			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
+			<TargetFilename name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,Level=4,Alert=Nessus Temp Files Created,Risk=100" condition="contains">\TEMP\nessus_</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
+
+			<!--MITRE ATT&CK TACTIC: Resource Development-->
+			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
+
+			<!--MITRE ATT&CK TACTIC: Initial Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds sunburst suspicious file writes,Risk=100" groupRelation="and">
+				<Image condition="contains any">solarwinds.businesslayerhost</Image>
+				<TargetFilename condition="contains any">.exe;.dll;.ps1;.mz;.jpg;.png</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds sunburst malware dll,Risk=100" groupRelation="and">
+				<TargetFilename condition="is">C:\WINDOWS\SysWOW64\netsetupsvc.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Dark Halo Software location,Risk=100" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\SoftwareDistribution</TargetFilename>
+				<TargetFilename condition="end with">.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=0,Desc=MSBuild Source Files created" groupRelation="or">
+				<TargetFilename condition="end with">proj</TargetFilename>
+				<TargetFilename condition="end with">.targets</TargetFilename>
+				<TargetFilename condition="end with">.build</TargetFilename>
+				<TargetFilename condition="end with">.props</TargetFilename>
+				<TargetFilename condition="end with">.tasks</TargetFilename>
+				<TargetFilename condition="end with">.sln</TargetFilename>
+				<TargetFilename condition="end with">.cs</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
+			
+			<!--MITRE ATT&CK TACTIC: Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=Batch File scripting: Batch scripts" condition="end with">.bat</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=Batch scripting: Legacy btm Extension" condition="end with">.btm</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=Batch scripting: Legacy cmd Extension" condition="end with">.cmd</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=Batch scripting: Legacy com Extension" condition="end with">.com</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=CMDLine File Created" condition="end with">.cmdline</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=Batch File Created" condition="end with">.bas</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=BIN file created" condition="end with">.bin</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=WS Scripting" condition="end with">.ws</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=WSC Scripting" condition="end with">.wsc</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=WSF Scripting" condition="end with">.wsf</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=WSH Scripting" condition="end with">.wsh</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=PIF Scripting" condition="end with">.pif</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: MSHTA-->
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=MSHTA Scripting" condition="end with">.hta</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
+			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=IronPython,Risk=90" condition="contains">IronPython</TargetFilename>
+			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=Python" condition="end with">.py</TargetFilename>
+			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=Python" condition="end with">.pyc</TargetFilename>
+			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=Python" condition="end with">.pyd</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=2,Alert=Powershell file types,Risk=100" groupRelation="or">
+				<TargetFilename condition="end with">.cdxml</TargetFilename>
+				<TargetFilename condition="end with">.ps1</TargetFilename>
+				<TargetFilename condition="end with">.ps1xml</TargetFilename>
+				<TargetFilename condition="end with">.psc1</TargetFilename>
+				<TargetFilename condition="end with">.psd1</TargetFilename>
+				<TargetFilename condition="end with">.psm1</TargetFilename>
+				<TargetFilename condition="end with">.pssc</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=2,Alert=Powershell file creations,Risk=10" groupRelation="and">
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+			</Rule>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Powershell directory modifications" condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Powershell directory modifications" condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Persistence: PowerShell default profile" condition="begin with">c:\Windows\System32\WindowsPowerShell\v1.0\profile</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Persistence: PowerShell default profile" condition="begin with">c:\Windows\Syswow64\WindowsPowerShell\v1.0\profile</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\powershell.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Powershell Console History" condition="end with">PSReadLine\ConsoleHost_history.txt</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=vbs script created" condition="end with">.vbs</TargetFilename>
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Level=0,Desc=Java JRE Timestamp usage for DFIR" condition="contains">.oracle_jre_usage\</TargetFilename>
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Level=0,Desc=JavaScript" condition="end with">.js</TargetFilename>
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Level=0,Desc=JavaScript" condition="end with">.jse</TargetFilename>
+			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Level=0,Desc=VisualBasicScripting" condition="end with">.vb</TargetFilename>
+			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Level=0,Desc=VisualBasicScripting" condition="end with">.vbe</TargetFilename>
+			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Level=0,Desc=VisualBasicScripting" condition="end with">.vbsript</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=CVE-2019-1315,Risk=70" groupRelation="and">
+				<TargetFilename condition="end with">Report.wer.tmp</TargetFilename>
+				<TargetFilename condition="excludes">\WER\</TargetFilename>
+				<Image condition="image">C:\Windows\system32\wermgr.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=Office App Creating Exe File,Risk=70" groupRelation="and">
+				<Image condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe</Image>
+				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="begin with">C:\Users</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=Office App Creating DLL File,Risk=70" groupRelation="and">
+				<Image condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe</Image>
+				<TargetFilename condition="end with">.dll</TargetFilename>
+				<TargetFilename condition="begin with">C:\Users</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
+			<!--MITRE ATT&CK TECHNIQUE: Native API-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: System Services-->
+			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: User Execution: Malicious File-->
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Generic Ransomware Detection" groupRelation="and">
+				<TargetFilename condition="contains any">!!!-WARNING-!!!.html;!!!-WARNING-!!!.txt;!!! HOW TO DECRYPT FILES !!!;!!!README!!!;!!!READ_TO_UNLOCK!!!.TXT;!!!_READ_ME_;!Recovery_;!Where_are_my_files!.html;!_HOW_TO_RESTORE_;!_RECOVERY_HELP_!.txt;!recover!;# DECRYPT MY FILES #.html;# DECRYPT MY FILES #.txt;# DECRYPT MY FILES #.vbs;# SATAN CRYPTOR #;+recover+;.8lock8;.31392E30362E32303136_;.ABCDEF;.CIop;.CR1;.CRAB;.CRYPTOSHIELD;.Cl0p;.Contact_Here_To_Recover_Your_Files.txt;.CryptoTorLocker2015!;.HERMES;.HakunaMatata;.How_To_Decrypt.txt;.How_To_Get_Back.txt;.KEYZ.KEYH0LES;.L0CKED;.LOL!;.MATRIX;.OMG!;.R.i.P;.RMCM1;.RSplited;.SUPERCRYPT;.SecureCrypted;.TheTrumpLocker;.VBRANSOM;.VforVendetta;.Where_my_files.txt;.XBTL;._AiraCropEncrypted!;.airacropencrypted!;.areyoulovemyrans;.berkshire;.bitpy;.bitx;.blocatto;.bomber;.braincrypt;.breakingbad;.breeding123;.cerber;.cifgksaffsfyghd;.country82000;.crypt;.crypted;.crypton;.cryptotorlocker;.decrypt2017;.deria;.dglnl;.disposed2017;.doomed;.encrypted.locked;.encrypted;.encryptedyourfiles;.enjey;.evillock;.filegofprencrp;.fileiscryptedhard;.firecrypt;.fuckyourdata;.gangbang;.gefickt;.googl;.happydayzz;.hceem;.helpdecrypt;.helpmeencedfiles;.hnumkhotep;.hydracrypt_ID;.iaufkakfhsaraf;.info.txt;.jimm;.kharma;.killedXXX;.lambda_l0cked;.letmetrydecfiles;.locked;.locker16;.loveransisgood;.lovewindows;.magic_software_syndicate;.mention9823;.moments2900;.myrandsext2017;.newlock;.no_more_ransom;.nochance;.noproblemwedecfiles;.notfoundrans;.ohwqg;.one-we_can-help_you;.oops;.osiris;.otherinformation;.paytounlock;.powerfulldecrypt;.powned;.pr0lock;.prolock;.prosperous666;.pwnd;.ransom;.readme2unlock;.righ;.roger;.ryk;.satan;.savethequeen;.sigaint.org;.skjdthghh;.skynet;.snatch;.stubbin;.supported2017;.suppose666;.theworldisyours;.txd0t;.warn_wallet;.weapologize;.weareyourfriends;.weencedufiles;.wowreadfordecryp;.wowwhereismyfiles;.wvtr0;.yourransom;.zzzzz ;.{CRYPTENDBLACKDC};-DECRYPT.txt;000-IF-YOU-WANT-DEC-FILES;000-No-PROBLEM-WE-DEC-FILES;000-PLEASE-READ-WE-HELP;001-READ-FOR-DECRYPT-FILES;1025-7152.exe;:\windows\update_collector.exe;==READ==THIS==PLEASE==;@cock.li;@countermail.com;@firemail.cc;@india.com;@mail.ru;@ukr.net;ASSISTANCE_IN_RECOVERY;ATTENTION!!!.txt;ATTENTION.url;Aescrypt.exe;AllFilesAreLocked;BTC_DECRYPT_FILES;BUYUNLOCKCODE.txt;BUYUNLOCKCODE;BitCryptorFileList.txt;C:\ProgramData\dtb.dat;C:\Programdata\WinMgr;C:\Programdata\clean.bat;C:\Programdata\run.bat;C:\Windows\svchost.exe;CEBER3;CHECK-IT-HELP-FILES;COME_RIPRISTINARE_I_FILE.;COMO_ABRIR_ARQUIVOS.txt;COMO_RESTAURAR_ARCHIVOS;Coin.Locker.txt;Comment débloquer mes fichiers.txt;Como descriptografar seus arquivos.txt;Corona-virus-Map;Corona.bat;Corona.sfx;CryptoRansomware;Crytp0l0cker;Cyber SpLiTTer Vbs.exe;Cyborg_DECRYPT;DALE_FILES.TXT;DECRYPT-FILES;DECRYPTION INSTRUCTIONS.;DECRYPTION_HOWTO.Notepad;DECRYPT_INFORMATION;DECRYPT_INSTRUCTION.HTML;DECRYPT_INSTRUCTION.URL;DECRYPT_INSTRUCTIONS.html;DECRYPT_INSTRUCTIONS;DECRYPT_ReadMe1.TXT;DECRYPT_Readme.TXT.ReadMe;DECRYPT_YOUR_FILES;DESIFROVANI_POKYNY.html;Decrypt All Files;DecryptAllFiles;DecryptFile;Decrypt_readme.txt;DesktopOsiris;ENTSCHLUSSELN_HINWEISE.html;EdgeLocker;FILESAREGONE.txt;FILES_BACK.txt;File Decrypt Help.html;GJENOPPRETTING_AV_FILER;GetYouFiles.txt;HAPPEN-ENCED-FILES;HELLOTHERE.TXT;HELP-ME-ENCED-FILES;HELPDECRYPT_YOUR_FILES.HTML;HELP_DECRYPT.HTML;HELP_DECRYPT.PNG;HELP_DECRYPT.URL;HELP_DECRYPT.lnk;HELP_ME_PLEASE.txt;HELP_RESTORE_FILES_;HELP_TO_SAVE_FILES.bmp;HELP_TO_SAVE_FILES;HELP_YOURFILES.HTML;HELP_YOUR_FILES.PNG;HELP_YOUR_FILES.html;HELP_YOUR_FILES;HOW-TO-DECRYPT-FILES.HTML;HOW-TO-RESTORE-FILES;HOW TO BACK YOUR FILES;HOW TO DECRYPT FILES.HTML;HOW TO DECRYPT FILES.txt;HOW TO RECOVER;HOWTO_RECOVER_FILES_;HOWTO_RESTORE_FILES;HOWTO_RESTORE_FILES_;HOW_DECRYPT.HTML;HOW_DECRYPT.TXT;HOW_DECRYPT.URL;HOW_OPEN_FILES;HOW_TO_DECRYPT.HTML;HOW_TO_DECRYPT_;HOW_TO_PAY_THE_RANSOM;HOW_TO_RESTORE_FILES.html;HOW_TO_RESTORE_FILES;HOW_TO_RESTORE_YOUR_DATA;HOW_TO_UNLOCK_FILES_README_;HWID Lock.exe;Hacked_Read_me_to_decrypt_files.html;Help Decrypt.html;How decrypt files.hta;How to decrypt LeChiffre files.html;How to decrypt your data.txt;HowDecrypt.gif;HowDecrypt.txt;How_to_decrypt_your_files.jpg;How_to_restore_files.hta;HowtoRestore_File;HowtoRestore_Files;Howto_RESTORE_FILES.html;Howto_Restore_FILES.TXT;IAMREADYTOPAY.TXT;IF-YOU-WANT-DEC-FILES;IF_WANT_FILES_BACK_PLS_READ.html;IHAVEYOURSECRET.KEY;IMPORTANT READ ME.txt;IMPORTANT.README;INSTALL_TOR.URL;INSTRUCCIONES;INSTRUCCIONES_DESCIFRADO.html;INSTRUCTION RESTORE FILE;INSTRUCTIONS_DE_DECRYPTAGE.html;INSTUCCIONES_DESCRIFRADO;ISTRUZIONI_DECRITTAZIONE.html;Important!.txt;Instructionaga.txt;KryptoLocker_README.txt;LEER_INMEDIATAMENTE;LET-ME-TRY-DEC-FILES;Locked-by-Mafia;MENSAGEM.txt;MERRY_I_LOVE_YOU_BRUCE.hta;No-PROBLEM-WE-DEC-FILES;OKSOWATHAPPENDTOYOURFILES.TXT;ONTSLEUTELINGS_INSTRUCTIES.html;OSIRIS-;PAYLOADBIN;PINGY@INDIA.COM;PLEASE-READ-WE-HELP.;PLEASE-READIT-IF_YOU-WANT.html;PLEASE-READIT-IF_YOU-WANT;PLEASE-README-AFFECTED-FILES;PLS-DEC-MY-FILES;PURELOCKER;Payment_Instructions.jpg;Please Read Me!!!;READ-FOR-DECCCC-FILESSS;READ-FOR-DECRYPT-FILES;READ-READ-READ;READ IF YOU WANT YOUR FILES BACK.html;READ ME FOR DECRYPT.txt;README HOW TO DECRYPT YOUR FILES.HTML;README!!!;README_DECRYPT_HYDRA_ID_;README_DECRYPT_HYRDA_ID_;README_DECRYPT_UMBRE_ID_;README_DONT_DELETE;README_HOW_TO_UNLOCK.HTML;README_HOW_TO_UNLOCK.TXT;README_RECOVER_FILES_;README_TO_RECURE_YOUR_FILES;READTHISNOW!!!.txt;READ_IT.txt;READ_ME_!.txt;READ_ME_TO_DECRYPT_YOU_INFORMA;READ_THIS_TO_DECRYPT.html;RECOVER-FILES;RECOVERY_FILE.;RECOVERY_FILES.TXT;RECOVER_MY_FILE;RESTORE_CORUPTED_FILES;RESTORE_FILES_;RETURN FILES.txt;RETURN YOUR FILES;RETURNFILES_.txt;RETURN_FILES.txt;RETURN_FILES_.txt;Rans0m_N0te_Read_ME;Read Me (How Decrypt) !!!!.txt;ReadDecryptFilesHere;Read_this_file.txt;Receipt.exe;RecoveryManual.html;Recovery_File_;Recovery_file_;Rooster865qq;SECRET.KEY;SECRETIDHERE.KEY;SHTODELATVAM.txt;SIFRE_COZME_TALIMATI.html;SORRY-FOR-FILES;Survey Locker.exe;TRY-READ-ME-TO-DEC;Temp\satan\satan;ThxForYurTyme;UNLOCK_FILES_INSTRUCTIONS.html;UNLOCK_FILES_INSTRUCTIONS.txt;UnblockFiles.vbs;VIP72.exe;Vape Launcher.exe;WANT_FILES_BACK;WE-MUST-DEC-FILES;WHERE-YOUR-FILES;WORMKILLER@INDIA.COM.XTBL;What happen to my files.txt;Whereisyourfiles;WindowsApplication1.exe;YOUGOTHACKED.TXT;YOUR_FILES.txt;YOUR_FILES.url;YOUR_FILES_ARE_DEAD;YOUR_FILES_ARE_ENCRYPTED.HTML;YOUR_FILES_ARE_ENCRYPTED.TXT;YOUR_FILES_ARE_LOCKED.txt;Your files are locked !!!!.txt;Your files are locked !!!.txt;Your files are locked !!.txt;Your files are locked !.txt;Your files encrypted by our friends !!! txt;Your files encrypted by our friends !!!.txt;[KASISKI];_Adatok_visszaallitasahoz_utasitasok;_DECRYPT_ASSISTANCE_;_DECRYPT_INFO_;_DECRYPT_INFO_szesnl;_DEC_FILES.;_FILES_WERE_ENCRYPTED_@.TXT;_HELP_HELP_HELP_;_HELP_Recover_Files_;_HELP_instructions.bmp;_HELP_instructions.txt;_HOWDO_text.bmp;_HOWDO_text.html;_HOW_TO_Decrypt;_H_e_l_p_RECOVER_INSTRUCTIONS+;_H_e_l_p_RECOVER_INSTRUCTIONS;_Locky_recover;_Locky_recover_instructions.bmp;_Locky_recover_instructions.txt;_README.hta;_README.jpg;_READ_ME!;_RECOVER_INSTRUCTIONS;_ReCoVeRy_+;_USE_TO_FIX_;_WHAT_is.html;_help_instruct;_how_recover.txt;_how_recover;_how_recover_;_recover_;_secret_code.txt;_steaveiwalker@india.com_;aeroware;confirmation.key;contains(to_string($message.file_created), "howrecover+;crjoker.html;cryptinfo.txt;cryptolocker.;cryptopp;de_crypt_readme.;de_crypt_readme.bmp;de_crypt_readme.html;de_crypt_readme.txt;decipher_ne;decrypt-instruct;decrypt explanations.;decrypt my file;decrypt your file;decrypt_Globe;decrypt_instruct;decrypted_files.dat;decryptional;decryptmyfiles;decypt_your_files.html;default32643264.bmp;default432643264.jpg;email-salazar_slytherin10;enc_files.txt;encryptor_raas_readme_liesmich;enigma.hta;enigma_encr.txt;exit.hhr.obleep;fattura_;file0locked;files_are_encrypted.;-filesencrypted;firemail.cc;firstransomware.exe;gmx.de;hacks.at.sigaint.org;help-file-decrypt.enc;help_decrypt;help_file_;help_instructions.;help_my_files;help_recover;help_recover_instructions;help_restore;help_restore_files;help_your_file;helpmeencedfiles;how to decrypt aes files.lnk;how to decrypt;how to get data.txt;how_decrypt.gif;how_recover;how_to_decrypt;how_to_recover;howrecover+ recoveryfile_;howrecover+;howto_recover_file;howto_restore;howtodecrypt;howtodecryptaesfiles.txt;inbox.ru;info@kraken.cc_worldcza@email.cz;install_tor;iran.ir;last_chance.txt;maestro@pizzacrypts.info;maxcrypt.bmp;only-we_can-help_you;openforyou@india.com;opensourcemail.org;padcrypt;paycrypt.bmp;popcorn_time.exe;powerfulldecrypt;protonmail.ch;qbmail.biz;randomname;readme_decrypt;readme_for_decrypt;readme_liesmich_encryptor_raas;recover_file;recover_file_;recover_instruction;recoverfile;recoverfile_;recovery+;recovery_file.txt;recovery_key.txt;recoveryfile;recover}-;restore_files.txt;restorefiles;restorefiles_;ryukreadme.html;tuta.io;tutanota.com;tutanota.de;unCrypte;vault.hta;vault.key;vault.txt;want your files back.;warning-!!;wie_zum_Wiederherstellen_von_Dateien.txt;wowreadfordecryp;wowwhereismyfiles;zXz.html;zycrypt.;zzzzzzzzzzzzzzzzzyyy</TargetFilename>
+			</Rule>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="contains">crackmapexec</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._AES.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._DES.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Hash._SHA256.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Random.OSRNG.winrandom.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Util.strxor.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\crackmapexec.exe.manifest</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\greenlet.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=KeeFarce.exe default injected DLL name,Risk=100" condition="end with">BootStrapDLL.dll</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=MegaCortex Ransomware,Risk=100" condition="begin with">C:\windows\temp\wininit.exe</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Mimikatz Files" condition="contains any">lazycat;powerkatz;mimikatz;mimidrv;mimilove;mimilib;mimikittenz;mimiauth;invoke-mimi</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=RDP Wrapper,Risk=100" condition="end with">rdpwrap.dll</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=winspool.drv dropped" condition="end with">winspool.drv</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
+			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
+			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
+			<Image name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="begin with">C:\WINDOWS\system32\wbem\scrcons.exe</Image>
+			<!--MITRE ATT&CK TACTIC: Persistence-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<TargetFilename name="Attack=T1547.001,Technique=Registry Run Keys / Startup Folder,Tactic=Persistence,Level=3,Alert=Autorun Folder Entries" condition="contains">\Programs\Startup\</TargetFilename>
+			<TargetFilename name="Attack=T1547.001,Technique=Registry Run Keys / Startup Folder,Tactic=Persistence,Level=3,Alert=Autorun Folder Entries" condition="contains">\Startup\</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
+			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Office Application Startup modification" condition="contains">\Word\STARTUP\</TargetFilename>
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Office Application Startup modification" condition="contains">\Microsoft\Templates\</TargetFilename>
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Office Application Startup modification" condition="contains">\Excel\XLSTART\</TargetFilename>
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence" condition="end with">.dotm</TargetFilename>
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence" condition="end with">.XLSB</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<TargetFilename name="Level=0,Desc=Scheduled Task Modified" condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
+			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=3,Alert=HAFNIUM APT: IIS Creating ASPX files outside of wwwwroot,Risk=80" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.aspx</TargetFilename>
+				<TargetFilename condition="excludes">\wwwroot\aspnet_client\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=HAFNIUM APT: IIS Creating PHP files,Risk=80" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.php</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=HAFNIUM APT: IIS Creating AAA files,Risk=80" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.aaa</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=3,Alert=HAFNIUM Web Shells Dropped,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains any">\wwwroot\aspnet_client\</TargetFilename>
+				<TargetFilename condition="contains any">.aspx;.php</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=Files dropped in wwwroot directory,Risk=40" groupRelation="and">
+				<TargetFilename condition="contains any">\wwwroot\</TargetFilename>
+				<TargetFilename condition="excludes any">\wwwroot\aspnet_client\;jpg</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=ASP Files dropped outside wwwroot directory" groupRelation="and">
+				<TargetFilename condition="end with">.asp</TargetFilename>
+				<TargetFilename condition="excludes any">\wwwroot\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=ASPX Files dropped outside wwwroot directory" groupRelation="and">
+				<TargetFilename condition="end with">.aspx</TargetFilename>
+				<TargetFilename condition="excludes any">\wwwroot\</TargetFilename>
+			</Rule>
+			<TargetFilename name="Level=0,Desc=Files dropped in Exchange ECP directory,Risk=80" condition="contains">\ecp\auth\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Files dropped in Exchange OAB directory,Risk=80" condition="contains">\oab\auth\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">ClientAccess\Owa\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">\owa\auth\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Files dropped in Exchange RPC directory,Risk=80" condition="contains">httpproxy\rpc\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Files dropped in Exchange ecp directory,Risk=80" condition="contains">ClientAccess\ecp\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Files dropped in wwwroot htdocs directory" condition="contains">\htdocs\</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=Printer Exploitation Detected,Risk=20" groupRelation="and">
+				<TargetFilename condition="end with">.SPL</TargetFilename>
+				<Image condition="excludes any">spoolsv.exe;printfilterpipelinesvc.exe;printisolationhost.exe;splwow64.exe;msiexec.exe;poqexec.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=Printer Spooler Created exe file,Risk=40" groupRelation="and">
+				<Image condition="image">spoolsv.exe</Image>
+				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="excludes">C\:\Windows\System32\spool\;C\:\Windows\Temp\;C\:\Users\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=InstallerFileTakeOver,Risk=80,CVE=CVE-2021-41379" groupRelation="and">
+				<Image condition="image">msiexec.exe</Image>
+				<TargetFilename condition="contains">\Microsoft\Edge\Application</TargetFilename>
+				<TargetFilename condition="end with">elevation_service.exe</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
+			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
+			<TargetFilename name="Level=0,Desc=WSL Locations" condition="contains">\LocalState\rootfs\</TargetFilename>
+
+			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="or">
+				<TargetFilename condition="begin with">C:\PerfLogs\</TargetFilename> 
+				<TargetFilename condition="begin with">C:\Temp\</TargetFilename> 
+				<TargetFilename condition="begin with">C:\Users\Default\</TargetFilename> 
+				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename> 
+				<TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename> 
+				<TargetFilename condition="contains">\AppData\Temp\</TargetFilename>
+			</Rule>
+			<TargetFilename condition="contains" name="Level=0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
+			<Image condition="contains" name="Level=0,Desc=Files Created from">$Recycle.Bin</Image>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Files Created within System Profile" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
+				<TargetFilename condition="contains">\config\systemprofile\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Files Created from System Profile executable" groupRelation="and">
+				<Image condition="begin with">C:\Windows\</Image>
+				<Image condition="contains">\config\systemprofile\</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
+			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
+			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
+			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
+			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Compiled HTML File-->
+			<TargetFilename name="Attack=T1223,Technique=Compiled HTML File,Tactic=Defense Evasion/Execution" condition="end with">.chm</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
+			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
+			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution" condition="end with">proj</TargetFilename>
+			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution" condition="end with">.sln</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
+			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
+
+			<!--MITRE ATT&CK TACTIC: Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
+			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
+			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
+			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
+
+			<!--MITRE ATT&CK TACTIC: Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
+			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+
+			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
+			<Rule name="Attack=T1203,Technique=Exploitation of Remote Services,Tactic=Lateral Movement,Level=4,Alert=Exchange Exploitation UM Service File Creation,Risk=80,CVE=CVE-2021-26858" groupRelation="and">
+				<Image condition="contains any">UMWorkerProcess.exe;UMService.exe</Image>
+				<TargetFilename condition="contains any">.</TargetFilename>
+				<TargetFilename condition="excludes any">.log;.cfg;.txt;cleanup;.HealthCheck;\wp.active;.db</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+
+			<!--MITRE ATT&CK TACTIC: Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.7z</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.7zip</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.arj</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.s7z</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=.A Archive" condition="end with">.a</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ACE Archive" condition="end with">.ace</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=AR Archive" condition="end with">.ar</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ARC Archive" condition="end with">.arc</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=BIN" condition="end with">.bin</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=CAB Archive" condition="end with">.cab</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=Game PAK Archive" condition="end with">.pak</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=Gzip Archive" condition="end with">.gz</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=IMG Archive" condition="end with">.img</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ISO Archive" condition="end with">.iso</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=LZM Archive" condition="end with">.lzm</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=LZMA Archive" condition="end with">.lzma</TargetFilename>
+			<TargetFilename name="Level=0,Desc=RAR Archive Extraction" condition="contains">Temp\Rar$</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=RAR Archive" condition="end with">.rar</TargetFilename>
+			<TargetFilename name="Level=0,Desc=RAR SFX Archive Extraction" condition="contains">RarSFX</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=SFX Archive" condition="end with">.sfx</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=SZ Archive" condition="end with">.sz</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=TAR Archive" condition="end with">.tar</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=TAR.GZ Archive" condition="end with">.tar.gz</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=XZ Archive" condition="end with">.xz</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ZIP Archive" condition="end with">.zip</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
+			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .OST Created,Risk=30" condition="end with">.ost</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.eml</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.msg</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.pst</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
+
+			<!--MITRE ATT&CK TACTIC: Command and Control-->
+			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=Cyrillic Letter obfuscation,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains any">Г;И;К;П;д;и;к;л;л;н;н;о;ф;ե;թ;յ;ն;ն;ն;ն;տ;ւ;ք</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
+			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
+			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created by Teamviewer" condition="is">Teamviewer.exe</Image>
+			<Image name="Level=0,Desc=File Created by rundll32" condition="is">rundll32.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created with Remote Desktop Client" condition="is">mstsc.exe</Image>
+			<Image name="Level=0,Desc=File Created with command shell,Risk=30" condition="is">cmd.exe</Image>
+			<Image name="Level=0,Desc=File Dropped with IronPython.exe,Risk=50" condition="is">ipy.exe</Image>
+			<Image name="Level=0,Desc=File Dropped with WScript.exe,Risk=30" condition="is">WScript.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with cscript.exe,Risk=30" condition="is">cscript.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with mshta.exe,Risk=100" condition="is">mshta.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with python.exe,Risk=30" condition="is">python.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with wmic.exe,Risk=30" condition="is">wmic.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
+			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
+			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
+			<!--MITRE ATT&CK TECHNIQUE: Proxy: Multi-hop Proxy-->
+			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Hidden Service,Risk=100" condition="contains">HiddenService</TargetFilename>
+			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Files,Risk=100" condition="end with">torrc</TargetFilename> 
+			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Files,Risk=100" condition="contains">\tor.exe</TargetFilename> 
+			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Files,Risk=100" condition="contains">tor-gencert</TargetFilename> 
+			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
+
+			<!--MITRE ATT&CK TACTIC: Exfiltration-->
+
+			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Possible rclone Exfiltration,Risk=30" condition="contains">rclone</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Possible s3browser Exfiltration,Risk=30" condition="contains">s3browser</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Browser Credential exfiltration,Risk=30" condition="contains">grabff.exe</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Browser Credential exfiltration,Risk=30" condition="contains">grabff.exe</TargetFilename>
+			<!--MITRE ATT&CK TACTIC: Impact-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Snatch Ransomware Detected,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains all">RESTORE_;_FILES.txt</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Snatch2 Ransomware Detected,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains all">DECRYPT_;_FILES.txt</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Nanocore Detected,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains any">\run.dat;\task.dat;\storage.dat</TargetFilename>
+				<TargetFilename condition="contains">AppData</TargetFilename>
+				<TargetFilename condition="excludes any">Symantec</TargetFilename>
+				<TargetFilename condition="excludes any">BlueJeans</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=RagnarLocker Virtualbox files: susceptible to FP,Risk=40" groupRelation="and">
+				<TargetFilename condition="contains any">VBoxRT.dll;VboxC.dll</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
+			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
+			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
+			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
+			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
+			<!--UEBA Detections-->
+			<Rule name="Level=0,Desc=Suspicious files within Content.IE5,Risk=40" groupRelation="and">
+				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
+				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.dll</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc=Unusual OLE ActiveX execution from Microsoft Office,Risk=20" groupRelation="and">
+				<TargetFilename condition="contains any">MSForms.exd</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc=New Executable File Detected in System32" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename> 
+				<TargetFilename condition="begin with">C:\windows\system32\</TargetFilename> 
+			</Rule>
+			<Rule name="Level=0,Desc=New Executable File Detected in Windows Directory" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename> 
+				<TargetFilename condition="begin with">C:\windows\</TargetFilename> 
+				<TargetFilename condition="excludes">\system32\</TargetFilename> 
+			</Rule>
+			<Rule name="Level=0,Desc=New Executable File Detected Outside Windows Directory" groupRelation="and">
+				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
+				<TargetFilename condition="excludes">C:\windows\</TargetFilename> 
+				<TargetFilename condition="excludes">C:\Users\</TargetFilename> 
+			</Rule>
+			<Rule name="Level=0,Desc=New Executable File Detected Inside User Directory" groupRelation="and">
+				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
+				<TargetFilename condition="begin with">C:\Users\</TargetFilename> 
+			</Rule>
+			<Rule name="Level=0,Desc=WLL Office Application Startup" groupRelation="and">
+				<TargetFilename condition="contains">\Microsoft\Word\Startup\</TargetFilename>
+				<TargetFilename condition="end with">.wll</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc= Windows Defender Application Control changes" groupRelation="and">
+				<TargetFilename condition="begin with">C:\windows\system32\CodeIntegrity\</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc=XLL Office Application Startup" groupRelation="and">
+				<TargetFilename condition="contains">\Microsoft\Excel\Startup\</TargetFilename>
+				<TargetFilename condition="end with">.xll</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc=Outlook Macro Execution,Risk=50" groupRelation="and">
+				<TargetFilename condition="end with">\Microsoft\Outlook\VbaProject.OTM</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc=Office Application Startup Generic" groupRelation="and">
+				<TargetFilename condition="contains">\Microsoft\Addins\</TargetFilename>
+				<TargetFilename condition="contains any">.xla</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc=Office VSTO Addin detected,Risk=20" groupRelation="and">
+				<TargetFilename condition="end with">.vsto</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc=New bat file dropped to C:\Windows\,Risk=70" groupRelation="and">
+				<TargetFilename condition="end with">.bat</TargetFilename>
+				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
+				<Image condition="excludes any">C:\ProgramData\Lenovo\SystemUpdate\sessionSE\</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=New dll file dropped to C:\Windows\" groupRelation="and">
+				<TargetFilename condition="end with">.dll</TargetFilename>
+				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc=New Driver sys file dropped to C:\Windows\" groupRelation="and">
+				<TargetFilename condition="end with">.sys</TargetFilename>
+				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc=New Exe file dropped to C:\Windows\" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
+				<TargetFilename condition="excludes any">C:\Windows\System32\;C:\windows\syswow64\</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc=New Exe file dropped to C:\Windows\System32" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc=New Exe file dropped to C:\Windows\System32" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="begin with">C:\Windows\SysWow64\</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc=New theme: Credential harvesting" groupRelation="and">
+				<TargetFilename condition="end with">.theme</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc=Interesting files: Microsoft Office Isolated Conversion Environment" groupRelation="and">
+				<TargetFilename condition="contains">\Packages\oice_</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc=Virtualbox VM Escape" groupRelation="and">
+				<Image condition="image">VirtualboxVM.exe</Image>
+			</Rule>
+			<Image name="Level=0,Desc=Files edited with Notepad Plus Plus" condition="is">notepad++.exe</Image>
+			<TargetFilename name="Attack=T1023,Technique=Shortcut Modification,Tactic=Persistence,Level=4,Alert=Potential LNK Malware File Downloaded">.lnk:Zone.Identifier</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\cscript.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\mshta.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\msiexec.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\regsvr32.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\rundll32.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\svchost.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wmic.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wscript.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\regsvr32.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Winrm Host Process" condition="end with">\UsageLogs\wsmprovhost.exe.log</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Link">.lnk</TargetFilename>
+			<TargetFilename name="Level=0,Desc=URL">.url</TargetFilename>
+			<!--Drivers dropped-->
+			<TargetFilename name="Level=0,Desc=Driver" condition="end with">.sys</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Driver INF" condition="end with">.inf</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\System32\Drivers</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Driver File Dropped" condition="contains">\Drivers\</TargetFilename>
+			<TargetFilename condition="end with">.drv</TargetFilename> 
+			<!--Microsoft Office File Monitoring-->
+			<TargetFilename name="Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlam</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlsm</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xla</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xll</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xls</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xlsb</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xlsx</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xlt</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xltm</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xlw</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Office Template created" condition="contains">\Microsoft\Templates\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Outlook EML" condition="end with">.eml</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Outlook MSG" condition="end with">.msg</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Powerpoint Macro" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.potm</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Powerpoint OpenXML Filetype" condition="end with">.sldm</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Recent Office Files" condition="contains">\Microsoft\Office\Recent</TargetFilename>
+			<TargetFilename name="Forensic=Recent Office History" condition="contains">oleObject</TargetFilename>
+			<TargetFilename name="Level=0,Desc=User Downloaded Files" condition="contains">\Downloads\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=User Outlook Attachments" condition="contains">\Content.Outlook\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Word Macro,Risk=30" condition="end with">.docb</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Word Macro,Risk=30" condition="end with">.wbk</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Word Perfect" condition="end with">.ped</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Word Template" condition="end with">.dot</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Word Template" condition="end with">.dotx</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Word" condition="end with">.doc</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Word" condition="end with">.docm</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Word" condition="end with">.docx</TargetFilename>
+			<Rule name="Level=0,Desc=Legacy Office files" groupRelation="or">
+				<TargetFilename condition="end with">.accdb</TargetFilename>
+				<TargetFilename condition="end with">.accde</TargetFilename>
+				<TargetFilename condition="end with">.accdr</TargetFilename>
+				<TargetFilename condition="end with">.accdt</TargetFilename>
+				<TargetFilename condition="end with">.mdb</TargetFilename>
+				<TargetFilename condition="end with">.mde</TargetFilename>
+				<TargetFilename condition="end with">.msc</TargetFilename>
+				<TargetFilename condition="end with">.mst</TargetFilename>
+				<TargetFilename condition="end with">.potx</TargetFilename>
+				<TargetFilename condition="end with">.ppam</TargetFilename>
+				<TargetFilename condition="end with">.ppsm</TargetFilename>
+				<TargetFilename condition="end with">.ppsx</TargetFilename>
+				<TargetFilename condition="end with">.ppt</TargetFilename>
+				<TargetFilename condition="end with">.pptm</TargetFilename>
+				<TargetFilename condition="end with">.pptx</TargetFilename>
+				<TargetFilename condition="end with">.pub</TargetFilename>
+				<TargetFilename condition="end with">.sldm</TargetFilename>
+				<TargetFilename condition="end with">.sldx</TargetFilename>
+				<TargetFilename condition="end with">.xls</TargetFilename>
+				<TargetFilename condition="end with">.xps</TargetFilename>
+			</Rule>
 			<!--SECTION: Certificates -->
-			<TargetFilename condition="contains">.pem</TargetFilename>
-			<TargetFilename condition="contains">.crt</TargetFilename>
-			<TargetFilename condition="contains">.ca-bundle</TargetFilename>
-			<TargetFilename condition="contains">.cer</TargetFilename>
-			<TargetFilename condition="contains">.csr</TargetFilename>
-			<TargetFilename condition="contains">.der</TargetFilename>
-			<TargetFilename condition="contains">.p7b</TargetFilename>
-			<TargetFilename condition="contains">.p7r</TargetFilename>
-			<TargetFilename condition="contains">.p7s</TargetFilename>
-			<TargetFilename condition="contains">.pfx</TargetFilename>
-			<TargetFilename condition="contains">.sto</TargetFilename>
-			<TargetFilename condition="contains">.p12</TargetFilename>
-			<TargetFilename condition="contains">.crl</TargetFilename>
-			<TargetFilename condition="contains">.sst</TargetFilename>
-			<TargetFilename condition="contains">.key</TargetFilename>
-			<!--SECTION: CIA Vault7 Leak -->
-			<TargetFilename name="Info=CIA Vault7 file created: https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="contains">.mht</TargetFilename> <!-- Vault7 CIA Leak: Possible malformed file will escape IE sandbox -->
-			<TargetFilename condition="contains">.cpl</TargetFilename> <!-- Vault7 CIA Leak: Control Panel Persistence -->
-			<TargetFilename condition="contains">.scr</TargetFilename> <!-- Vault7 CIA Leak: Screensaver Persistence -->
-			<TargetFilename condition="contains">.manifest</TargetFilename>
-			<TargetFilename condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
-			<TargetFilename condition="contains">HammerDrillStatus.dll</TargetFilename> <!-- Vault7 CIA Leak: HammerDrill DLL -->
-			<TargetFilename condition="contains">PSReadLine\ConsoleHost_history.txt</TargetFilename> <!-- Powershell History -->
-			<!--SECTION: Mimikatz-->
-			<!--Default-disable <TargetFileName condition="end with">.kirbi</TargetFileName> --> <!-- [ https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos ] -->
-		</FileCreate>
-		<FileCreate onmatch="exclude">
-			<TargetFilename condition="begin with">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates\</TargetFilename> <!--Microsoft:Windows: taskhostw re-creates certificate store constantly-->
-			<TargetFilename condition="end with">\Downloads</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
-			<TargetFilename condition="end with">\Start Menu</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
-			<TargetFilename condition="end with">\Start Menu\Programs</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
-			<TargetFilename condition="end with">\Start Menu\Programs\Startup</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
-			<!--SECTION: Microsoft-->
-			<Image condition="contains">C:\Windows\System32\svchost.exe</Image> <!-- Microsoft:Windows: Svchost creating thousands of files, creating new profiles on TS's -->
-			<Image condition="contains">C:\Windows\System32\smss.exe</Image> <!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
-			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\IE</TargetFilename> <!-- Microsoft:Windows: Creates thousands of files including new profiles -->
-			<Image condition="is">\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates</Image>
-			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost -->
-			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe -->
-			<TargetFilename condition="begin with">C:\Windows\System32\DriverStore\Temp\</TargetFilename> <!-- Microsoft:Windows: Temp files by DrvInst.exe-->
-			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe-->
-			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost-->
-			<TargetFilename condition="end with">.SQM</TargetFilename> <!-- Ignore Exchange files created -->
-			<TargetFilename condition="end with">.SPL</TargetFilename> <!-- Ignore Spooled Print Jobs -->
-			<TargetFilename condition="end with">.SHD</TargetFilename> <!-- Ignore Spooled Print Jobs -->
-			<Image condition="is">C:\Program Files (x86)\EMET 5.5\EMET_Service.exe</Image> <!--Microsoft:EMET: Writes to C:\Windows\AppPatch\-->
-			<Image condition="is">C:\Windows\system32\mobsync.exe</Image> <!--Microsoft:Windows: Network file syncing-->
-			<TargetFilename condition="begin with">C:\Windows\Installer\</TargetFilename> <!--Microsoft:Windows:Installer: Ignore MSI installer files caching-->
-			<!--SECTION: Microsoft:Office-->
-			<TargetFilename condition="is">C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask</TargetFilename>
-			<!--SECTION: Microsoft:Windows:Updates-->
-			<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\</TargetFilename> <!-- Microsoft:Windows: Feature updates containing lots of .exe and .sys-->
-			<TargetFilename condition="end with">.etl</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->
-			<TargetFilename condition="end with">.log</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->
-			<Image condition="begin with">C:\WINDOWS\winsxs\amd64_microsoft-windows</Image> <!-- Microsoft:Windows: Windows update-->
-			<Image condition="begin with">Firefox Setup </Image> <!-- Firefox:Installer -->
-			<TargetFilename condition="is">C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive</TargetFilename> <!--Powershell spam!-->
-			<TargetFilename condition="is">C:\Windows\System32\config\netlogon.ftl</TargetFilename> <!-- Microsoft:Windows: Domain login cache-->
-			<Image condition="is">\\?\C:\Windows\system32\wbem\WMIADAP.EXE</Image><!-- Microsoft:Windows: WMI Performance updates-->
-			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image><!-- Microsoft:Office Click2Run-->
-			<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image><!-- Microsoft:Windows: Windows 10 app, creates tons of cache files-->
-			<Image condition="is">C:\Program Files\Microsoft SQL Server\110\LocalDB\Binn\sqlservr.exe</Image><!-- Microsoft:SQL Server: Creating tons of files-->
-			<Image condition="is">C:\Windows\System32\smss.exe</Image><!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
-			<Image condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</Image><!-- MSI: Helpdesk Updater-->
-			<Image condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</Image><!-- MSI: Dragon Center Updater-->
-			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image><!-- VMware:vSphere: Creates .cmdline apps in appdata\*\Temp-->
-			<!--SECTION: Dell-->
-			<Image condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</Image>
-			<!--SECTION: Intel-->
-			<Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image> <!--Intel: Drops bat and other files in \Windows in normal operation-->
-			<!--SECTION: Chrome Noise-->
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlUws.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlMalBin.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlMalware.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlSoceng.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\ChromeExtMalware.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\ChromeUrlClientIncident.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\IpMalware.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlSubresourceFilter.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlCsdWhitelist.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlCsdDownloadWhitelist.store_new</TargetFilename>
-			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\CertCsdDownloadWhitelist.store_new</TargetFilename>
-			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
-			<!--SECTION: Adobe-->
-			<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Acrobat Update Task</TargetFilename>
-			<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Flash Player Updater</TargetFilename>
-			<!--SECTION: Connectwise-->
-			<Image condition="is">C:\Program Files (x86)\ConnectWise\PSA.net\ConnectWise.exe</Image>
-			<!--SECTION: Datto-->
-			<Image condition="is">C:\Program Files\Datto\Datto Windows Agent\DattoBackupAgent.exe</Image>
-			<!--SECTION: Toshiba Print Drivers-->
-			<TargetFilename condition="begin with">C:\Windows\System32\config\systemprofile\TOSHIBA\</TargetFilename>
-			<TargetFilename condition="contains">TOSHIBA\eSTUDIOX\UNIDRV</TargetFilename>
-			<TargetFilename condition="end with">N-able Technologies\AVDefender\ThreatScanner\Antivirus-NewTemp\bdcore.dll</TargetFilename>
-			<TargetFilename condition="end with">N-able Technologies\AVDefender\ThreatScanner\Antivirus-NewTemp\scanclient.dll</TargetFilename>
-			<TargetFilename condition="begin with">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\Repository\nagent</TargetFilename>
-			<TargetFilename condition="begin with">C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\</TargetFilename>
-			<Image condition="is">C:\Program Files (x86)\MaaS360\Cloud Extender\EMSAgent.exe</Image>
-			<Image condition="is">C:\Program Files\graylog\collector-sidecar\winlogbeat.exe</Image>
-			<Image condition="is">C:\Program Files\N-able Technologies\Endpoint Update Server\bin\EPUpdateServer.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\AVDefender\Installer.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\raw_agent_svc.exe</Image>
-			<Image condition="is">C:\Windows\system32\printfilterpipelinesvc.exe</Image>
-			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe</Image>
-			<Image condition="end with">\Runtime\1.0\NodeRunner.exe</Image><!--Exchange NodeRunner-->
+			<Rule name="Level=0,Desc=Certificate" groupRelation="or">
+				<TargetFilename condition="end with">.pem</TargetFilename>
+				<TargetFilename condition="end with">.crt</TargetFilename>
+				<TargetFilename condition="end with">.ca-bundle</TargetFilename>
+				<TargetFilename condition="end with">.cer</TargetFilename>
+				<TargetFilename condition="end with">.csr</TargetFilename>
+				<TargetFilename condition="end with">.der</TargetFilename>
+				<TargetFilename condition="end with">.p7b</TargetFilename>
+				<TargetFilename condition="end with">.p7r</TargetFilename>
+				<TargetFilename condition="end with">.p7s</TargetFilename>
+				<TargetFilename condition="end with">.pfx</TargetFilename>
+				<TargetFilename condition="end with">.sto</TargetFilename>
+				<TargetFilename condition="end with">.p12</TargetFilename>
+				<TargetFilename condition="end with">.crl</TargetFilename>
+				<TargetFilename condition="end with">.sst</TargetFilename>
+				<TargetFilename condition="end with">.key</TargetFilename>
+			</Rule>
+			<!-- side loading -->
+			<Rule name="Level=0,Desc=Sideload Detection" groupRelation="or">
+				<TargetFilename condition="end with">.hlp</TargetFilename>
+				<TargetFilename condition="end with">ACLUI.DLL.UI</TargetFilename>
+				<TargetFilename condition="end with">ACLUI.DLL</TargetFilename>
+				<TargetFilename condition="end with">AFLogVw.exe</TargetFilename>
+				<TargetFilename condition="end with">AShld.exe</TargetFilename>
+				<TargetFilename condition="end with">AShldRes.DLL.asr</TargetFilename>
+				<TargetFilename condition="end with">AShldRes.DLL</TargetFilename>
+				<TargetFilename condition="end with">AhnI2.dll</TargetFilename>
+				<TargetFilename condition="end with">CamMute.exe</TargetFilename>
+				<TargetFilename condition="end with">CommFunc.dll</TargetFilename>
+				<TargetFilename condition="end with">CommFunc.jax</TargetFilename>
+				<TargetFilename condition="end with">DESqmWrapper.dll</TargetFilename>
+				<TargetFilename condition="end with">DESqmWrapper.wrapper</TargetFilename>
+				<TargetFilename condition="end with">FSPMAPI.dll.fsp</TargetFilename>
+				<TargetFilename condition="end with">FSPMAPI.dll</TargetFilename>
+				<TargetFilename condition="end with">Gadget.exe</TargetFilename>
+				<TargetFilename condition="end with">LoLTWLauncher.exe</TargetFilename>
+				<TargetFilename condition="end with">Mc.exe</TargetFilename>
+				<TargetFilename condition="end with">McUtil.dll.ping</TargetFilename>
+				<TargetFilename condition="end with">McUtil.dll.url</TargetFilename>
+				<TargetFilename condition="end with">McUtil.dll</TargetFilename>
+				<TargetFilename condition="end with">MpSvc.dll</TargetFilename>
+				<TargetFilename condition="end with">MsMpEng.exe</TargetFilename>
+				<TargetFilename condition="end with">NtUserEx.dat</TargetFilename>
+				<TargetFilename condition="end with">NtUserEx.dat</TargetFilename>
+				<TargetFilename condition="end with">NtUserEx.dll</TargetFilename>
+				<TargetFilename condition="end with">NtUserEx.dll</TargetFilename>
+				<TargetFilename condition="end with">NvSmart.exe</TargetFilename>
+				<TargetFilename condition="end with">NvSmartMax.dll</TargetFilename>
+				<TargetFilename condition="end with">NvSmartMax.dll</TargetFilename>
+				<TargetFilename condition="end with">NvSmartMaxapp.dll</TargetFilename>
+				<TargetFilename condition="end with">OInfo11.ISO</TargetFilename>
+				<TargetFilename condition="end with">OInfo11.ocx</TargetFilename>
+				<TargetFilename condition="end with">OInfoP11.exe</TargetFilename>
+				<TargetFilename condition="end with">OleView.exe</TargetFilename>
+				<TargetFilename condition="end with">OleView.exe</TargetFilename>
+				<TargetFilename condition="end with">POETWLauncher.exe</TargetFilename>
+				<TargetFilename condition="end with">RasTls.dll.config</TargetFilename>
+				<TargetFilename condition="end with">RasTls.dll.msc</TargetFilename>
+				<TargetFilename condition="end with">RasTls.dll</TargetFilename>
+				<TargetFilename condition="end with">RasTls.exe</TargetFilename>
+				<TargetFilename condition="end with">RunHelp.exe</TargetFilename>
+				<TargetFilename condition="end with">Sidebar.dll.doc</TargetFilename>
+				<TargetFilename condition="end with">Sidebar.dll</TargetFilename>
+				<TargetFilename condition="end with">Ushata.dll</TargetFilename>
+				<TargetFilename condition="end with">Ushata.exe</TargetFilename>
+				<TargetFilename condition="end with">Ushata.fox</TargetFilename>
+				<TargetFilename condition="end with">VeetlePlayer.exe</TargetFilename>
+				<TargetFilename condition="end with">boot.ldr</TargetFilename>
+				<TargetFilename condition="end with">chrome_frame_helper.dll.rom</TargetFilename>
+				<TargetFilename condition="end with">chrome_frame_helper.dll</TargetFilename>
+				<TargetFilename condition="end with">chrome_frame_helper.exe</TargetFilename>
+				<TargetFilename condition="end with">dvcemumanager.exe</TargetFilename>
+				<TargetFilename condition="end with">fsguidll.exe</TargetFilename>
+				<TargetFilename condition="end with">fslapi.dll.gui</TargetFilename>
+				<TargetFilename condition="end with">fslapi.dll</TargetFilename>
+				<TargetFilename condition="end with">fsstm.exe</TargetFilename>
+				<TargetFilename condition="end with">hccutils.dll.res</TargetFilename>
+				<TargetFilename condition="end with">hccutils.dll</TargetFilename>
+				<TargetFilename condition="end with">hha.dll.bak</TargetFilename>
+				<TargetFilename condition="end with">hha.dll</TargetFilename>
+				<TargetFilename condition="end with">hhc.exe</TargetFilename>
+				<TargetFilename condition="end with">hkcmd.exe</TargetFilename>
+				<TargetFilename condition="end with">iviewers.dll</TargetFilename>
+				<TargetFilename condition="end with">jli.dll</TargetFilename>
+				<TargetFilename condition="end with">libvlc.dll</TargetFilename>
+				<TargetFilename condition="end with">mPclient.dll</TargetFilename>
+				<TargetFilename condition="end with">mcf.ep</TargetFilename>
+				<TargetFilename condition="end with">mcf.exe</TargetFilename>
+				<TargetFilename condition="end with">mcupdui.exe</TargetFilename>
+				<TargetFilename condition="end with">mcut.exe</TargetFilename>
+				<TargetFilename condition="end with">mcutil.dll.bbc</TargetFilename>
+				<TargetFilename condition="end with">mcvsmap.exe</TargetFilename>
+				<TargetFilename condition="end with">msi.dll.dat</TargetFilename>
+				<TargetFilename condition="end with">msi.dll</TargetFilename>
+				<TargetFilename condition="end with">msseces.asm</TargetFilename>
+				<TargetFilename condition="end with">msseces.exe</TargetFilename>
+				<TargetFilename condition="end with">mtcReport.ktc</TargetFilename>
+				<TargetFilename condition="end with">rc.dll</TargetFilename>
+				<TargetFilename condition="end with">rc.exe</TargetFilename>
+				<TargetFilename condition="end with">rc.hlp</TargetFilename>
+				<TargetFilename condition="end with">sep_NE.exe</TargetFilename>
+				<TargetFilename condition="end with">sep_NE.slf</TargetFilename>
+				<TargetFilename condition="end with">tplcdclr.exe</TargetFilename>
+				<TargetFilename condition="end with">winmm.dll</TargetFilename>
+				<TargetFilename condition="end with">wts.chm</TargetFilename>
+				<TargetFilename condition="end with">credwiz.exe</TargetFilename>
+			</Rule>
+			<TargetFilename name="Level=0,Desc=Op cell phone: https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" condition="end with">ssMUIDLL.dll</TargetFilename>
+			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">aepic.dll</TargetFilename>
+			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">ftllib.dll</TargetFilename>
+			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">userenv.dll</TargetFilename>
+			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP Bitmap Cache" condition="contains">\Terminal Server Client\Cache\</TargetFilename>
+			<TargetFilename name="Attack=T1204,Technique=User Execution,Tactic=Execution,Forensic=Windows Prefetch Exec History" condition="begin with">C:\Windows\Prefetch</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Suspicious TSClient share file creation,Risk=30" condition="begin with">\\tsclient</TargetFilename>
+			<TargetFilename name="Level=0,Desc=WebDav Cache Files Created" condition="begin with">C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\</TargetFilename>
+			<TargetFilename name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=4,Alert=SharpDump bin,Risk=100" condition="end with">\Temp\debug.bin</TargetFilename>
+			<TargetFilename name="Level=0,Desc=7zip Archive Extraction" condition="contains">Temp\7z</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Appcompat Shims" condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename>
+			<TargetFilename name="Level=0,Desc=CHM Filetype" condition="end with">.chm</TargetFilename>
+			<TargetFilename name="Level=0,Desc=CIA Vault7: Control Panel Files https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="end with">.cpl</TargetFilename>
+			<TargetFilename name="Level=0,Desc=CIA Vault7: https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="contains">.mht</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Chrome Extensions" condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Chrome extension" condition="end with">.crx</TargetFilename>
+			<TargetFilename name="Level=0,Desc=ClickOnce extension" condition="end with">.appref-ms</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Desktop Gadget File" condition="end with">.gadget</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Encrypted JScript File type" condition="end with">.JSE</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Executable file" condition="end with">.exe</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Explorer Command" condition="end with">.scf</TargetFilename>
+			<TargetFilename name="Level=0,Desc=File Dropped to Exchange OWA: Webshell,Risk=70" condition="contains">Exchange Server\ClientAccess\Owa\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=File Dropped to shadow copy" condition="begin with">\Device\HarddiskVolumeShadowCopy</TargetFilename>
+			<TargetFilename name="Level=0,Desc=File created/accessed from Zip File" condition="contains">.zip\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Font File Type" condition="end with">.FON</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Font File Type" condition="end with">.FOT</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename>
+			<TargetFilename name="Level=0,Desc=IQY file used to pull down dropper" condition="end with">.iqy</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Icon" condition="end with">.ico</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Internet settings" condition="end with">.isp</TargetFilename>
+			<TargetFilename name="Level=0,Desc=MMC Snapin" condition="end with">.msc</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Manifest File Crated" condition="end with">.manifest</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Memory dump" condition="end with">MEMORY.dmp</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Microsoft Installer" condition="end with">.msi</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.cs</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.customDestinations-ms</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Minidump Crash dump created" condition="begin with">C:\Windows\Minidump</TargetFilename>
+			<TargetFilename name="Level=0,Desc=PAF" condition="end with">.PAF</TargetFilename>
+			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP Bitmap Cache" condition="end with">.bmc</TargetFilename>
+			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP" condition="end with">.rdp</TargetFilename>
+			<TargetFilename name="Level=0,Desc=RTF files often 0day malware vectors when opened by Office,Risk=20" condition="end with">.rtf</TargetFilename> 
+			<TargetFilename name="Level=0,Desc=Registry file" condition="end with">.reg</TargetFilename>
+			<TargetFilename name="Level=0,Desc=SHS Office File for copy pastes" condition="end with">.SHS</TargetFilename>
+			<TargetFilename name="Level=0,Desc=SLK file used for command execution" condition="end with">.slk</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Screensaver" condition="end with">.SCR</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Set" condition="end with">.set</TargetFilename>
+			<TargetFilename name="Level=0,Desc=SettingContent-ms" condition="end with">.SettingContent-ms</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Spooled Print Job" condition="end with">.SHD</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Spooled Print Job" condition="end with">.SPL</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Screensaver file created" condition="end with">.scr</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Vault7 file" condition="end with">HammerDrillStatus.dll</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Windows Error Dumps" condition="contains">Microsoft\Windows\WER\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Windows Icon" condition="end with">.ICL</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Windows Registry Database" condition="end with">.sdb</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Windows Script File Component File" condition="end with">.SCT</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Windows Shell Scrap Object Handler File" condition="end with">.SHB</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Zip File Extraction from explorer" condition="contains">Temp\Temp1_</TargetFilename>
+			<!--Uncategorized-->
+			<TargetFilename condition="contains all">\Microsoft\;CLR_v;\UsageLogs\</TargetFilename>
+			<TargetFilename condition="end with">.ade</TargetFilename>
+			<TargetFilename condition="end with">.adp</TargetFilename>
+			<TargetFilename condition="end with">.application</TargetFilename>
+			<TargetFilename condition="end with">.appref-ms</TargetFilename>
+			<TargetFilename condition="end with">.asc</TargetFilename>
+			<TargetFilename condition="end with">.bmf</TargetFilename>
+			<TargetFilename condition="end with">.cer</TargetFilename>
+			<TargetFilename condition="end with">.dmp</TargetFilename>
+			<TargetFilename condition="end with">.gpg</TargetFilename>
+			<TargetFilename condition="end with">.htm</TargetFilename>
+			<TargetFilename condition="end with">.html</TargetFilename>
+			<TargetFilename condition="end with">.json</TargetFilename>
+			<TargetFilename condition="end with">.jsp</TargetFilename>
+			<TargetFilename condition="end with">.key</TargetFilename>
+			<TargetFilename condition="end with">.mof</TargetFilename>
+			<TargetFilename condition="end with">.ocx</TargetFilename>
+			<TargetFilename condition="end with">.p7b</TargetFilename>
+			<TargetFilename condition="end with">.p12</TargetFilename>
+			<TargetFilename condition="end with">.pem</TargetFilename>
+			<TargetFilename condition="end with">.pfx</TargetFilename>
+			<TargetFilename condition="end with">.pgp</TargetFilename>
+			<TargetFilename condition="end with">.php</TargetFilename>
+			<TargetFilename condition="end with">.ppk</TargetFilename>
+			<TargetFilename condition="end with">.war</TargetFilename>
+			<TargetFilename condition="end with">.xml</TargetFilename>
 		</FileCreate>
-
+	</RuleGroup>
 	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
-		<!--EVENT 12: "Registry object added or deleted"-->
-		<!--EVENT 13: "Registry value set-->
-		<!--EVENT 14: "Registry objected renamed"-->
-		<!--NOTE:	"contains" conditions below are formatted to reduce CPU load, so they may appear written inconsistently, but this is on purpose from tuning.-->
-		<!--NOTE:	"contains" works by finding the first letter, then matching the second, etc, so the first letters should be as low-occurrence as possible.-->
-		<!--NOTE:	Windows writes hundreds or thousands of registry keys a minute, so just because you're not changing things, doesn't mean these rules aren't being run.-->
-		<!--NOTE:	You do not have to spend a lot of time worrying about performance, CPUs are fast, but it's something to consider. Every rule and condition type has a small cost.-->
-		<!--NOTE:	[ https://attack.mitre.org/wiki/Technique/T1112 ] -->
+	<RuleGroup name="RG=RegistryEvent Include Group" groupRelation="or">
+		<RegistryEvent onmatch="include">
+			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
+			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
 
-		<!--TECHNICAL:	You cannot filter on the "Details" attribute, due to performance issues when very large keys are written, and variety of data formats-->
-		<!--TECHNICAL:	Possible prefixes are HKLM, HKCR, and HKU-->
-		<!--CRITICAL:	Schema version 3.30 and higher change HKLM\="\REGISTRY\MACHINE\" and HKU\="\REGISTRY\USER\" and HKCR\="\REGISTRY\MACHINE\SOFTWARE\Classes\" and CurrentControlSet="ControlSet001"-->
-		<!--CRITICAL:	Due to a bug, Sysmon versions BEFORE 7.01 may not properly log with the new prefix style for registry keys that was originally introduced in schema version 3.30-->
-		<!--NOTE:	Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation-->
+			<!--MITRE ATT&CK TACTIC: Resource Development-->
+			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
 
-		<!-- ! CRITICAL NOTE !:	It may appear this section is MISSING important entries, but SOME RULES MONITOR MANY KEYS, so look VERY CAREFULLY to see if something is already covered.-->
+			<!--MITRE ATT&CK TACTIC: Initial Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<Rule name="Forensic=RDP Connection History Tracking" groupRelation="and">
+				<TargetObject condition="contains">\Software\Microsoft\Terminal Server Client</TargetObject>
+				<TargetObject condition="excludes">DefaultPrinter</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
+			<TargetObject name="Level=0,Desc=Mounted Device Detection" condition="contains">MountedDevices</TargetObject>
+			<TargetObject name="Level=0,Desc=Mountpoints2 Mounted Device Detection" condition="contains">Mountpoints2</TargetObject>
+			<TargetObject name="Level=0,Desc=Active Setup Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Keyloggers and new Keyboards" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect USB Input Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect New Mice" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect New Composite Device" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect New Bluetooth Device" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974}</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect New Disk Drive" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect New WPD Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect New Biometric Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
+			<Rule name="Level=0,Desc=Interactive Logon Detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\</TargetObject>
+				<TargetObject condition="end with">LoggedOnUser</TargetObject>
+			</Rule>
+			<TargetObject name="Level=0,Desc=Last Logged on User modification" condition="contains">LastLoggedOnUser</TargetObject>
+			<TargetObject name="Level=0,Desc=Last Logged on Provider modification" condition="contains">LastLoggedOnProvider</TargetObject>
+			<!--MITRE ATT&CK TACTIC: Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
+			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Suspicious Set Value of MSDT in Registry: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<TargetObject condition="begin with">HKCR\ms-msdt\</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Scripted Diagnostics Turn Off Check Enabled: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
+			<!--MITRE ATT&CK TECHNIQUE: Native API-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: System Services-->
+			<Rule name="Attack=T1543.003,Tactic=Persistence,Technique=Create Windows Service,Level=3,Alert=New SVCHost service,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost</TargetObject>
+				<TargetObject condition="excludes">\print\AuthenticationLevel</TargetObject>
+				<TargetObject condition="excludes">\AzureAttestService\CoInitializeSecurityParam</TargetObject>
+				<Image condition="excludes">C:\$WINDOWS.~BT\</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=VBA Project Object Model Macro Settings,Risk=30" groupRelation="and">
+				<TargetObject condition="end with">\AccessVBOM</TargetObject>
+				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=VBA Project VBA Warnings Macro Setting Change,Risk=40" groupRelation="and">
+				<TargetObject condition="end with">Security\VBAWarnings</TargetObject>
+				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=VBA Project VBA Warnings Macro Setting Change,Risk=40" groupRelation="and">
+				<TargetObject condition="end with">Security\VBAWarnings</TargetObject>
+				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Potential Office Macro Execution Detected" groupRelation="and">
+				<Image condition="contains any">EXCEL.exe;WINWORD.exe</Image>
+				<TargetObject condition="contains any">{8BD21D32-EC42-11CE-9E0D-00AA006002F3};{5B9D8FC8-4A71-101B-97A6-00000B65C08B}</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: User Execution: Malicious File-->
+			<Rule name="Attack=T0000,Level=4,Alert=NJRAT Detection,Risk=100" groupRelation="and">
+				<TargetObject condition="is">HKCU\di</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=Lokibot Detection" groupRelation="and">
+				<TargetObject condition="contains">HKCU\�</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=AMSI Tamper Detection" groupRelation="or">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\AMSI\Providers\</TargetObject>
+				<TargetObject condition="begin with">hklm\software\microsoft\windows script\settings\amsienable</TargetObject>
+				<TargetObject condition="begin with">hkcu\software\microsoft\windows script\settings\amsienable</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
 
-		<!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details (can't filter on), NewName (can't filter on)-->
-		<RegistryEvent onmatch="include">
-			<!--Autorun or Startups-->
-				<!--ADDITIONAL REFERENCE: [ http://www.ghacks.net/2016/06/04/windows-automatic-startup-locations/ ] -->
-				<!--ADDITIONAL REFERENCE: [ https://view.officeapps.live.com/op/view.aspx?src=https://arsenalrecon.com/downloads/resources/Registry_Keys_Related_to_Autorun.ods ] -->
-				<!--ADDITIONAL REFERENCE: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="contains">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Run keys, incld RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
-			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Windows\System\Scripts</TargetObject> <!--Microsoft:Windows: Logon, Loggoff, Shutdown-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Microsoft\System\Scripts</TargetObject> <!--Microsoft:Windows: Legacy Logon, Loggoff, Shutdown Scripts-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="end with">\ServiceDll</TargetObject> <!--Microsoft:Windows: Points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: Points to a service's EXE [ https://github.com/crypsisgroup/Splunkmon/blob/master/sysmon.cfg ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual)-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
-			<TargetObject condition="contains">Session Manager\KnownDlls</TargetObject>
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</TargetObject> <!-- Print Monitor DLL's loaded at startup can be malicious, lets monitor those -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers</TargetObject> <!-- Print Provider DLL's loaded at startup can be malicious, lets monitor those -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>  <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
-			<TargetObject condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject> <!--Detect ACPI Rootkits -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject><!--Microsoft:Windows: Legacy Autorun may exist in server 2003-2008-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject> <!-- Windows Debugger Hijack Autorun -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="contains">UserInitMprLogonScript</TargetObject> <!--Microsoft:Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ] -->
-			<TargetObject condition="end with">\CurrentVersion\Font Drivers</TargetObject>
-			<TargetObject condition="contains">Active Setup\Installed Components</TargetObject>
-			<TargetObject condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
-			<TargetObject condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
-			<TargetObject condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
-			<TargetObject condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
-			<TargetObject condition="contains">SafeBoot\AlternateShell</TargetObject>
-			<TargetObject condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
-			<TargetObject condition="contains">Policies\System\Shell</TargetObject>
-			<TargetObject condition="contains">Desktop\Scrnsave.exe</TargetObject>
-			<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit</TargetObject> <!--Persistence using GlobalFlags in Image File Execution Options: [ https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ ] -->
+			<!--MITRE ATT&CK TACTIC: Persistence-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
+			<Rule name="Level=0,Desc=Forced password reset detected" groupRelation="and">
+				<TargetObject condition="contains">ForcePasswordReset</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=Machine Password Change Detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=User Last Password Changed" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
+				<TargetObject condition="end with">Last Password Change</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=Account Expiration" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
+				<TargetObject condition="end with">Account Expiration</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=Last Failed Logon" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
+				<TargetObject condition="end with">Last Failed Logon</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=User Account Added to Local Admin" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=User Account Added to Remote Desktop User Group" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\0000022B\</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<TargetObject name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Alert=Process Injection: injecting a 64-bit DLL into a 32-bit process" condition="contains">SOFTWARE\Microsoft\Wow64\x86\</TargetObject> <!-- http://www.hexacorn.com/blog/2019/07/11/beyond-good-ol-run-key-part-108-2/ -->
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Reg Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
+				<Image condition="excludes">Add_exclusions_here</Image>
+			</Rule>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Microsoft\System\Scripts</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Windows\System\Scripts</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Command Line parameters" condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Reg Keys,Risk=70" groupRelation="and">
+				<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: Boot" condition="end with">\Start</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Desc=AutoRun Reg Keys,Risk=70" groupRelation="and">
+				<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: System" condition="end with">\Start</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Reg Keys,Risk=70" groupRelation="and">
+				<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: Automatic" condition="end with">\Start</TargetObject>
+				<Details condition="contains">DWORD (0x00000002)</Details>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=AutoRun Reg Keys,Risk=70" groupRelation="and">
+				<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: Manual" condition="end with">\Start</TargetObject>
+				<Details condition="contains">DWORD (0x00000003)</Details>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Reg Keys,Risk=70" groupRelation="and">
+				<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: Disabled" condition="end with">\Start</TargetObject>
+				<Details condition="contains">DWORD (0x00000004)</Details>
+			</Rule>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Services and autoruns imagepath" condition="end with">\ImagePath</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Windows Service DLL changes" condition="end with">\ServiceDll</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Manifest pointing to service's DLL" condition="end with">\ServiceManifest</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys" condition="begin with">hkcu\software\microsoft\windows nt\currentversion\windows\run\</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\common startup</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\startup</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys" condition="begin with">hklm\software\microsoft\command processor\autorun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys" condition="contains all">hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys" condition="contains">Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Print Processors-->
+			<TargetObject name="Attack=T1013,Technique=Port Monitors,Tactic=Persistence/Privilege Escalation" condition="contains">\Print\Monitors</TargetObject>
+			<!--<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">\Printers\Connections</TargetObject>
+			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">\Print\Environments\</TargetObject>
+			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">\Servers\Printers\</TargetObject>
+			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">\Print\V4 Connections</TargetObject>
+			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">CurrentVersion\PrinterPorts</TargetObject>
+			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">SWD\PRINTENUM</TargetObject>-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
+			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
+			<Rule name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Level=0,Desc=New user created,Risk=40" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
+				<TargetObject condition="excludes">$</TargetObject>
+				<EventType condition="is">CreateKey</EventType>
+			</Rule>
+			<Rule name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Level=0,Desc=Hidden New user created,Risk=40" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
+				<TargetObject condition="contains">$</TargetObject>
+				<EventType condition="is">CreateKey</EventType>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<Rule name="Level=3,Alert=Sysmon Manifest change detected,Risk=30" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}</TargetObject>
+				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
+				<Image condition="excludes">C:\Programdata\sysmon\sysmon64.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Accessibility Features-->
+			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,Level=3,Alert=Utilman Priv Escalation,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,Level=3,Alert=sethc.exe Priv Escalation,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<TargetObject name="Level=0,Desc=KnownDLLs" condition="contains">Session Manager\KnownDlls</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Outlook Addins" groupRelation="and">
+				<TargetObject condition="contains">Outlook\Addins</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Word Addins" groupRelation="and">
+				<TargetObject condition="contains">Word\Addins</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Excel Addins" groupRelation="and">
+				<TargetObject condition="contains">Excel\Addins</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Powerpoint Addins" groupRelation="and">
+				<TargetObject condition="contains">Powerpoint\Addins</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft VSTO Inclusions" groupRelation="and">
+				<TargetObject condition="contains">Software\Microsoft\VSTO\Security\Inclusion\</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft VSTO Solution Metadata" groupRelation="and">
+				<TargetObject condition="contains">Software\Microsoft\VSTO\SolutionMetadata\</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,Level=0,Desc=CMSTPLUA UAC Bypass" groupRelation="and">
+				<TargetObject condition="contains any">cmmgr32.exe</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="contains">UserInitMprLogonScript</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=BootVerificationProgram Autorun" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Security Support Provider-->
+			<TargetObject name="Level=0,Desc=Monitor LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject>
+			<TargetObject name="Level=0,Desc=Monitor LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject>
+			<TargetObject name="Level=0,Desc=Monitor LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject>
+			<TargetObject name="Level=0,Desc=Monitor OS Config LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject>
+			<TargetObject name="Level=0,Desc=Monitor OS Config LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>
+			<TargetObject name="Level=0,Desc=Monitor OS Config LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Image File Execution Options Injection-->
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,Level=0,Desc=IFEO,Risk=30" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject>
+				<TargetObject condition="contains any">Debugger;ReportingMode;GlobalFlag;MonitorProcess</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Desc=Wow64 IFEO,Risk=30" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
+				<TargetObject condition="contains any">Debugger;ReportingMode;GlobalFlag;MonitorProcess</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,Level=3,Alert=New Scheduled Task Created,Risk=80" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
+				<TargetObject condition="end with">SD</TargetObject>
+				<TargetObject condition="excludes any">Microsoft\Windows\UpdateOrchestrator</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=Scheduled Task Creation ID Key" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
+				<TargetObject condition="end with">ID</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=Scheduled Task Creation Author Key" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
+				<TargetObject condition="end with">Author</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=Scheduled Task Creation Path Key" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
+				<TargetObject condition="end with">Path</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=Scheduled Task Creation Date Key" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
+				<TargetObject condition="end with">Date</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=Scheduled Task Added to Logon" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=Scheduled Task Added to Boot Time" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism: Bypass User Account Control-->
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,Level=4,Alert=UAC Disablement Detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,Level=4,Alert=ConsentPromptBehaviorAdmin Disablement Detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,Level=4,Alert=PromptOnSecureDesktop Disablement Detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<TargetObject name="Level=0,Desc=Detect UAC Tampering" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
+			<TargetObject name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe</TargetObject>
+			<TargetObject name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">exefile\shell\runas\command\isolatedCommand</TargetObject>			
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
+			<TargetObject name="Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
+			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=4,Alert=Stealth Sysmon Change Detected,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters</TargetObject>
+				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
+				<Image condition="excludes">C:\Programdata\sysmon\sysmon64.exe</Image>
+				<!--Customize: Add your configuration dir above-->
+			</Rule>
+			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Modification to System Exploit Protection,Risk=30" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel</TargetObject>
+				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
+			</Rule>
+			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Modification to Per-Process Exploit Protection,Risk=30" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
+				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
+				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmcompute.exe\0\MitigationOptions</TargetObject>
+				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmwp.exe\0\MitigationOptions</TargetObject>
+				<Image condition="excludes">msiexec.exe</Image>
+				<Image condition="excludes">TiWorker.exe</Image>
+			</Rule>
+			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Modification to WOW64 Per-Process Exploit Protection Mitigation Options,Risk=30" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
+				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
+				<Image condition="excludes">C:\Program Files\Microsoft Office 15\root\integration\integrator.exe</Image>
+				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acro</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
+			<Rule name="Level=0,Desc=Task Manager Disablement Detection" groupRelation="and">
+				<TargetObject condition="end with">DisableTaskMgr</TargetObject>
+				<Image condition="excludes">C:\WINDOWS\system32\svchost.exe</Image>
+				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
+			</Rule>
+			<!--Detect Malware & Unauthorized Changes to Outlook, Excel, Powerpoint, and Access Security to enable execution of scripts/Macros -->
+			<TargetObject name="Level=0,Desc=Detected Unauthorized changes to Office Security" condition="contains">\Security\Level</TargetObject>
+			<TargetObject name="Level=0,Desc=Detected Unauthorized changes to Office Security" condition="contains">\Security\Level1Remove</TargetObject>
+			<!--Detect if Microsoft Security Center is Disabled or Enabled-->
+			<TargetObject name="Level=0,Desc=Microsoft:Windows:Security Center: Malware timestimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/" condition="end with">\HideSCAHealth</TargetObject>
+			<TargetObject name="Level=0,Desc=Security Center AV Disabled Notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
+			<TargetObject name="Level=0,Desc=Security Center Disable UAC Notify Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
+			<TargetObject name="Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
+			<TargetObject name="Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
+			<TargetObject name="Level=0,Desc=Security Center Disablement of Update notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
+			<TargetObject name="Level=0,Desc=Security Center Firewall Override Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
+			<TargetObject name="Level=0,Desc=Security Center Tampering: All Alerts Disabled" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
+			<!--Detect if Windows Defender is Disabled-->
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore</TargetObject>
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Detected disablement of machine password,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject>
+			<TargetObject name="Level=0,Desc=Monitor Secure Channel Protection changes,Risk=30" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection</TargetObject>
+			<TargetObject name="Level=0,Desc=Refuse PW Change for workstations" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Defender AntiSpyware Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Defender Behavior Monitoring Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Defender Real Time Protection Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Defender Spynet Reporting Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable Windows Event Logging-->
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Windows Event Log Source,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
+				<TargetObject condition="end with">\Enabled</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Level=0,Desc=Enabling of Windows Event Log Source" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
+				<TargetObject condition="end with">\Enabled</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<Rule name="Level=0,Desc=Detect Event log system integrity and ACL Modifications" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
+				<TargetObject condition="excludes">\Enabled</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging</TargetObject>
+				<TargetObject condition="end with">\EnableScriptBlockLogging</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging</TargetObject>
+				<TargetObject condition="end with">\EnableScriptBlockLogging</TargetObject>
+				<EventType condition="is any">DeleteKey;DeleteValue</EventType>
+			</Rule>
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of cmdline Event Logging,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">hklm\software\microsoft\windows\currentversion\policies\system\audit</TargetObject>
+				<TargetObject condition="end with">\ProcessCreationIncludeCmdLine_Enabled</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of cmdline Event Logging,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">hklm\software\microsoft\windows\currentversion\policies\system\audit</TargetObject>
+				<TargetObject condition="end with">\ProcessCreationIncludeCmdLine_Enabled</TargetObject>
+				<EventType condition="is any">DeleteKey;DeleteValue</EventType>
+			</Rule>
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Eventlog Security Descriptor Modification,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\Eventlog</TargetObject>
+				<TargetObject condition="end with">\CustomSD</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=0,Desc=Eventlog Size Modification,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\Eventlog</TargetObject>
+				<TargetObject condition="end with">\MaxSize</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
+			<Rule name="Level=0,Desc=Globally Opened Firewall port exceptions" groupRelation="and">
+				<TargetObject condition="contains">globallyopenports</TargetObject>
+			</Rule>
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Monitor Firewall Enablement or Disablement" condition="end with">EnableFirewall</TargetObject>
+			<TargetObject name="Level=0,Desc=App added to Firewall Auth list" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
+
+			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
+			<Rule name="Forensic=Regedit history Detection,Risk=30" groupRelation="and">
+				<TargetObject condition="end with">\LastKey</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=Symbolic Registry Link Created" groupRelation="and">
+				<TargetObject condition="contains">SymbolicLinkValue</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=Suspicious Location Registry Change Detected" groupRelation="and">
+				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer</TargetObject>
+				<Image condition="contains any">\AppData\;\ProgramData\;\Temp\;C:\users</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Right to Left hidden Registry key,Risk=40" groupRelation="and">
+				<TargetObject condition="contains">&#x202e;</TargetObject>
+			</Rule>
+			<TargetObject name="Level=0,Desc=Monitor Remote Registry Setting Keys" condition="begin with">HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg</TargetObject>
+
+			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
+			<Rule name="Level=0,Desc=Detect System Certificate Modifications" groupRelation="and">
+				<TargetObject condition="contains any">\Software\Policies\Microsoft\SystemCertificates\;\SOFTWARE\Microsoft\EnterpriseCertificates\;HKLM\SOFTWARE\Microsoft\SystemCertificates\;HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
+				<Image condition="excludes">C:\WINDOWS\Sysmon64.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\Sysmon.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\system32\certsrv.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\system32\svchost.exe</Image>
+				<Image condition="excludes">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
+				<Image condition="excludes">C:\Windows\system32\SearchProtocolHost.exe</Image>
+				<Image condition="excludes">C:\Windows\system32\taskhost.exe</Image>
+				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
+			</Rule>
+			<TargetObject name="Level=0,Desc=Remote Desktop fDenyTSConnections modification" condition="contains">fDenyTSConnections</TargetObject>
+			<TargetObject name="Level=0,Desc=Remote Desktop Settings keys" condition="contains">Terminal Server\WinStations\RDP-Tcp</TargetObject>
+			<TargetObject name="Level=0,Desc=Remote Desktop port modification" condition="end with">RDP-tcp\PortNumber</TargetObject>
+			<TargetObject name="Level=0,Desc=Enablement of Multiple RDP Sessions" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
+			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
+			<Rule name="Level=0,Desc=Unicode Replacement Character in Registry key,Risk=20" groupRelation="and">
+				<TargetObject condition="contains">&#xfffd;</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=Cryillic Character in Registry key,Risk=100" groupRelation="and">
+				<TargetObject condition="contains any">Й;ќ;Л;я;К</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
+			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
+			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
+			<TargetObject name="Attack=T1109,Technique=Component Firmware,Tactic=Defense Escalation/Persistence,Level=0,Desc=Detect ACPI Rootkits" condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject> <!--Detect ACPI Rootkits -->
+			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
+			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
+			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
+
+			<!--MITRE ATT&CK TACTIC: Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
+			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
+			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
+			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
+			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials: Credentials in Registry-->
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Account Name</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Display Name</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Email</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP User</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP User</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\MAPI Provider</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 User</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP User</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP Password</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP Password</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 Password</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP Password</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Desc=Credentials in Registry,Level=0,Desc=Credentials in Registry: Domain" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Desc=Credentials in Registry,Level=0,Desc=Credentials in Registry: Username" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 1,Risk=70" condition="contains">SecurityPasswordAES</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 2,Risk=70" condition="contains">OptionsPasswordAES</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 3,Risk=70" condition="contains">SecurityPasswordExported</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 4,Risk=70" condition="contains">PermanentPassword</TargetObject>
+			<!--MITRE ATT&CK TACTIC: Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
+			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+
+			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
+
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+
+			<!--MITRE ATT&CK TACTIC: Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
+			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
+			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
+
+			<!--MITRE ATT&CK TACTIC: Command and Control-->
+			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
+			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
+			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
+			<Rule name="Level=0,Desc=Git For Windows Detection: Revil: Sodinokibi,Risk=50" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\GitForWindows</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
+			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
+			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
+
+			<!--MITRE ATT&CK TACTIC: Exfiltration-->
+
+			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
+			<!--MITRE ATT&CK TACTIC: Impact-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
+			<Rule name="Level=0,Desc=User Account Deleted" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
+				<EventType condition="is">DeleteKey</EventType>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
+			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
+			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
+			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
+			<Rule name="Attack=T1485,Technique=Inhibit System Recovery,Tactic=Impact,Level=0,Desc=VSS Disablement Detection,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">\Services\VSS\Diag\(Default)</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
+			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
+			<!-- UEBA/Uncategorized Detections-->
+			<Rule name="Level=0,Desc=Lanmanserver Parameters Registry Change Detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=Lanmanworkstation Parameters Registry Change Detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters</TargetObject>
+			</Rule>
+			<Rule name="Forensic=Regedit history Detection,Risk=30" groupRelation="and">
+				<TargetObject condition="end with">\LastKey</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=TS Farm Disable RDP Detection" groupRelation="and">
+				<TargetObject condition="end with">\WinStationsDisabled</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=TS Farm Drain Mode Modification Detection" groupRelation="and">
+				<TargetObject condition="end with">\TSServerDrainMode</TargetObject>
+			</Rule>
+			<Rule name="Forensic=IE history Detection" groupRelation="and">
+				<TargetObject condition="end with">\TypedURLs</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=IPv6 Changes detected: Disabled Components" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\disabledcomponents</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=IPv6 Changes detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Linkage\Bind</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=Network Card Changes detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=Service Listening Ports with URL ACL INFO" groupRelation="and">
+				<TargetObject condition="contains">services\http\parameters\urlaclinf</TargetObject>
+			</Rule>
+			<Rule name="Forensic=Adobe Recent File List History" groupRelation="and">
+				<TargetObject condition="contains">cRecentFiles\c1\</TargetObject>
+				<TargetObject condition="end with">tDIText</TargetObject>
+			</Rule>
+			<Rule name="Forensic=Office History MRU" groupRelation="and">
+				<TargetObject condition="end with">\File MRU\Item 1</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Desc=Sysmon Config Hash Modification Monitoring" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHash</TargetObject>
+			</Rule>
+			<!--Common Malware Persistence locations-->
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Windows\Load</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Windows\Run</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Winlogon\Shell</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Winlogon\System</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			<TargetObject name="Attack=T1562.006,Technique=Impair Defenses: Indicator Blocking,Tactic=Defense Evasion,Level=0,Desc=ETW Tampering,Risk=70" condition="end with">SOFTWARE\Microsoft\.NETFramework\ETWEnabled</TargetObject>
+			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=2,Alert=AutoRun Keys,Risk=70" condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
+			<TargetObject name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Desc=Silent Process Exit execution" condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit</TargetObject>
+			<TargetObject name="Level=0,Desc=Alternate Shell AvailableShells Hijack" condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
+			<TargetObject name="Level=0,Desc=Alternative Shell Policy" condition="contains">Policies\System\Shell</TargetObject>
+			<TargetObject name="Level=0,Desc=AutoStart on Connect" condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
+			<TargetObject name="Level=0,Desc=AutoStart on Disconnect" condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
+			<TargetObject name="Level=0,Desc=Chrome Extensions" condition="contains">PreferenceMACs\Default\extensions.settings</TargetObject>
+			<TargetObject name="Level=0,Desc=CurrentVersion URL Key" condition="contains">CurrentVersion\URL</TargetObject>
+			<TargetObject name="Level=0,Desc=Font Drivers" condition="end with">\CurrentVersion\Font Drivers</TargetObject>
+			<TargetObject name="Level=0,Desc=Group Policy Shutdown scripts" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Level=0,Desc=Icon Service Lib" condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
+			<TargetObject name="Level=0,Desc=Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
+			<TargetObject name="Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="contains">NullSessionShares</TargetObject>
+			<TargetObject name="Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="end with">NullSessionPipes</TargetObject>
+			<TargetObject name="Level=0,Desc=Password Expiry Info" condition="contains">PasswordExpiryNotification</TargetObject>
+			<TargetObject name="Level=0,Desc=Safeboot Alternative Shell hijack" condition="contains">SafeBoot\AlternateShell</TargetObject>
+			<TargetObject name="Level=0,Desc=Screen Save on Desktop" condition="contains">Desktop\Scrnsave.exe</TargetObject>
+			<TargetObject name="Level=0,Desc=Software Installed or DisplayVersion modified" condition="end with">\DisplayVersion</TargetObject>
+			<TargetObject name="Level=0,Desc=Software Installed or Modify String modified" condition="end with">\ModifyPath</TargetObject>
+			<TargetObject name="Level=0,Desc=Software Installed or Uninstall String modified" condition="contains">\Microsoft\Windows\CurrentVersion\Uninstall\</TargetObject>
+			<TargetObject name="Level=0,Desc=Software Installed or Uninstall String modified" condition="end with">\UninstallString</TargetObject>
+			<TargetObject name="Level=0,Desc=Terminal Services Initial Program Key" condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<TargetObject name="Level=0,Desc=Winlogon Taskman Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
 			<!--CLSID launch commands and file association changes-->
-			<TargetObject condition="contains">\Explorer\FileExts\</TargetObject> <!--Microsoft:Windows: Changes to file extension mapping-->
-			<TargetObject condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
-			<TargetObject condition="contains">\shell\open\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
-			<TargetObject condition="contains">\shell\open\ddeexec\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
-			<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\</TargetObject><!--Lets Get SID History and other info for Forensics, this is created on logon-->
+			<TargetObject name="Level=0,Desc=File Extension Mapping" condition="contains">\Explorer\FileExts\</TargetObject>
+			<TargetObject name="Level=0,Desc=Command Shell install Key" condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
+			<TargetObject name="Level=0,Desc=Command Shell Open Key" condition="contains">\shell\open\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
+			<TargetObject name="Level=0,Desc=DDEexec Shell Open Key" condition="contains">\shell\open\ddeexec\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
+			<TargetObject name="Forensic=User SID History for Forensics" condition="end with">\ProfileImagePath</TargetObject><!--Lets Get SID History and other info for Forensics, this is created on logon-->
 			<!--Windows COM-->
-			<TargetObject condition="end with">\InprocServer32\(Default)</TargetObject> <!--Microsoft:Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
+			<TargetObject name="Level=0,Desc=InProcServer32 Default Key" condition="end with">\InprocServer32\(Default)</TargetObject> <!--Microsoft:Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
 			<!--Windows shell hijack-->
-			<TargetObject condition="contains">\PropertySheetHandlers</TargetObject>
-			<TargetObject condition="contains">\CopyHookHandlers</TargetObject>
-			<TargetObject condition="contains">\ColumnHandlers</TargetObject>
-			<TargetObject condition="contains">\ExtShellFolderViews</TargetObject>
-			<TargetObject condition="contains">\ShellServiceObjects</TargetObject>
-			<TargetObject condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
-			<TargetObject condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
-			<TargetObject condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
-			<TargetObject condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
-			<TargetObject condition="contains">\SharedTaskScheduler</TargetObject>
-			<TargetObject condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
-			<TargetObject condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
-			<TargetObject condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject condition="contains">\Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject condition="contains">\Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
+			<TargetObject name="Level=0,Desc=AllFileSystemObjects Classes" condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject name="Level=0,Desc=Asterisk Classes" condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject name="Level=0,Desc=CFT LangBarAddin" condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
+			<TargetObject name="Level=0,Desc=ContextMenuHandlers" condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
+			<TargetObject name="Level=0,Desc=CurrentVersion Shell Keys" condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
+			<TargetObject name="Level=0,Desc=Detect ShellExecuteHooks" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
+			<TargetObject name="Level=0,Desc=Directory Classes" condition="contains">\Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject name="Level=0,Desc=Drive Classes" condition="contains">\Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject name="Level=0,Desc=Explorer Shell Execute Hooks" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
+			<TargetObject name="Level=0,Desc=Folder Classes" condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject name="Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
+			<TargetObject name="Level=0,Desc=Hidden File Extensions Explorer Setting modification" condition="end with">\HideFileExt</TargetObject>
+			<TargetObject name="Level=0,Desc=Internet Explorer Desktop Components" condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
+			<TargetObject name="Level=0,Desc=Protocol Filter Classes" condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
+			<TargetObject name="Level=0,Desc=Protocol Handler Classes" condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
+			<TargetObject name="Level=0,Desc=SharedTaskScheduler" condition="contains">\SharedTaskScheduler</TargetObject>
+			<TargetObject name="Level=0,Desc=Super Hidden File Explorer Setting modification" condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
+			<TargetObject name="Level=0,Desc=Windows Shell Hijack: ColumnHandlers" condition="contains">\ColumnHandlers</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Shell Hijack: CopyHookHandlers" condition="contains">\CopyHookHandlers</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Shell Hijack: ExtShellFolderView" condition="contains">\ExtShellFolderViews</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Shell Hijack: PropertySheetHandlers" condition="contains">\PropertySheetHandlers</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Shell Hijack: ShellServiceObjectDelayLoad" condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Shell Hijack: ShellServiceObjects" condition="contains">\ShellServiceObjects</TargetObject>
 			<!--AppPaths hijacking-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject name="Level=0,Desc=Detect AppPaths Hijacking" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject name="Level=0,Desc=Detect AppPaths Hijacking" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject name="Level=0,Desc=Detect AppPaths Hijacking" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
 			<!--Terminal service boobytraps-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Terminal Services BoobyTraps" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
 			<!--Group Policy interity-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
+			<TargetObject name="Level=0,Desc=Group Policy interity Detection" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
 			<!--Winsock and Winsock2-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
-			<TargetObject condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
-			<TargetObject condition="begin with">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride - Threats sometimes change proxy server -->
-			<TargetObject condition="end with">\DisableSecuritySettingsCheck</TargetObject>
-			<TargetObject condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
-			<TargetObject condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
-			<TargetObject condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect IE Popup Blocker Changes" condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
+			<TargetObject name="Level=0,Desc=Detect IE Protected Mode Changes" condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
+			<TargetObject name="Level=0,Desc=Detect IE Scripting Mode in Internet Zone Changes" condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
+			<TargetObject name="Level=0,Desc=Detect IE Security Setting Check Warning Changes" condition="end with">\DisableSecuritySettingsCheck</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Winsock Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
+			<TargetObject name="Level=0,Desc=Detect Winsock Proxy Server Changes" condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
+			<TargetObject name="Level=0,Desc=Detected IE Legacy setting modifications" condition="end with">SavedLegacySettings</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Level=0,Desc=Detected IE Proxy setting modifications" condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Level=0,Desc=Detected Modifications of Console Tracing" condition="end with">EnableConsoleTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Level=0,Desc=Detected Modifications of File Tracing" condition="end with">EnableFileTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
 			<!--Credential providers-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
+			<TargetObject name="Attack=T1177,Tactic=Execution/Persistence,Technique=LSASS Driver,Level=3,Alert=Detection of Modification of LSASS Protection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Authentication PLAP Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Authentication Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
+			<TargetObject name="Level=0,Desc=Detect Credential provider Filter Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect LSA Credential Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect NETSH Helper DLL Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
+			<TargetObject name="Level=0,Desc=Detect Security Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
 			<!--Networking-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089" condition="end with">EnableFirewall</TargetObject> <!--Microsoft:Windows: Monitor for firewall disablement [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
+			<TargetObject name="Level=0,Desc=Monitor Network Interface Priority ordering" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
+			<TargetObject name="Forensic=Monitor Network History" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
 			<!--DLLs that get injected into every process launch-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
+			<TargetObject name="Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
+			<TargetObject name="Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
 			<!--Office-->
 			<!--Microsoft Office-->
-			<TargetObject condition="contains">Office Test\</TargetObject> <!-- [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
-			<TargetObject condition="contains">\Outlook\Addins\</TargetObject> <!--Microsoft:Office: Outlook add-ins-->
-			<TargetObject condition="contains">\Excel\Addins\</TargetObject> <!--Microsoft:Office: Excel add-ins-->
-			<TargetObject condition="contains">\Word\Addins\</TargetObject> <!--Microsoft:Office: Word add-ins-->
-			<TargetObject condition="contains">\Access\Addins\</TargetObject> <!--Microsoft:Office: Word add-ins-->
-			<TargetObject condition="contains">\Powerpoint\Addins\</TargetObject> <!--Microsoft:Office: Powerpoint add-ins-->
+			<TargetObject name="Level=0,Desc=Office Test Autorun Location Monitoring,Risk=40" condition="contains">Office Test\</TargetObject> <!-- [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
+			<!--Removed addins on 11/13/2018 due to high count-->
 			<!--IE-->
-			<TargetObject condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
-			<TargetObject condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
+			<TargetObject name="Level=0,Desc=Detect Changes to Internet Explorer Toolbars" condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
+			<TargetObject name="Level=0,Desc=Detect Changes to Internet Explorer Extensions" condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
 			<!--Magic registry keys-->
-			<TargetObject condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
-			<TargetObject condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
+			<TargetObject name="Level=0,Desc=Detect Browser Helper Object Modifications" condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
+			<TargetObject name="Level=0,Desc=Detect Changes to Thumbnail cache autostart" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
 			<!--Infection artifacts-->
-			<TargetObject condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
-			<TargetObject condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and component installations-->
+			<TargetObject name="Level=0,Desc=ClickOnce URL Update Artifact" condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
+			<TargetObject name="Level=0,Desc=Installer Source Artifact" condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and component installations-->
 			<!--Windows internals integrity monitoring-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject> <!--Microsoft:Windows: Malware likes changing IFEO-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject> <!--Microsoft:Windows: Event log system integrity and ACLs-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
-			<!--Common Malware Persistence locations-->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">CurrentVersion\Windows\Load</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">CurrentVersion\Windows\Run</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/ms838576(v=winembedded.5).aspx ] -->
-			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">CurrentVersion\Winlogon\System</TargetObject> <!--Microsoft:Windows [ https://www.exterminate-it.com/malpedia/regvals/zlob-dns-changer/118 ] -->
+			<TargetObject name="Level=0,Desc=Detect Legacy Drivers Loaded" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
+			<TargetObject name="Level=0,Desc=Detect System Policy Changes" condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
+			<TargetObject name="Level=0,Desc=Detect Windows Defender Policy Changes" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
+			<TargetObject name="Level=0,Desc=Detect Windows Defender Tamper Protection Modifications" condition="begin with">TamperProtection</TargetObject> <!--Microsoft:Defender: Detect changes to Defender TamperProtection -->
+			<TargetObject name="Level=0,Desc=Detect malware changes to UAC prompt level" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
 			<!--Group Policy Scripts-->
-			<TargetObject condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
-			<TargetObject condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
-			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
-			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
 			<!--Detect Network History-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
-			<TargetObject condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
-			<TargetObject condition="end with">DefaultGateway</TargetObject><!--Networking: Detect changes-->
-			<TargetObject condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
-			<TargetObject condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
-			<TargetObject condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject condition="end with">Nameserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
-			<TargetObject condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
-			<TargetObject condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
-			<TargetObject condition="end with">}\Category</TargetObject><!--Networking: Detect Network type change-->
+			<TargetObject name="Level=0,Desc=Detect AD Domain Change" condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
+			<TargetObject name="Level=0,Desc=Detect DHCP Default Gateway" condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Level=0,Desc=Detect DHCP IP Address" condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Level=0,Desc=Detect DHCP Name Server Changes" condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Level=0,Desc=Detect DHCP Server Change" condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Level=0,Desc=Detect DHCP Subnet mask Change" condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Level=0,Desc=Detect DNS Server Changes" condition="end with">Nameserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Level=0,Desc=Detect Default Gateway" condition="end with">\DefaultGateway</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Level=0,Desc=Detect Network Persistent Route Change" condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
+			<TargetObject name="Level=0,Desc=Detect Network Type Change" condition="end with">}\Category</TargetObject><!--Networking: Detect Network type change-->
+			<TargetObject name="Level=0,Desc=Detect Network profile Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Subnet Mask Change" condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Level=0,Desc=User added Macro document to Trusted Records,Risk=30" condition="contains">\Trusted Documents\TrustRecords</TargetObject>
+			<TargetObject name="Level=0,Desc=User added Macro document to Trusted Records 2,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Common</TargetObject>
+			<TargetObject name="Level=0,Desc=User added Macro trusted certificate,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Trusted</TargetObject>
+			<TargetObject name="Level=0,Desc=Office Security Settings: Monitor changes of security prompts" condition="contains">\Security\DontTrustInstalledFiles</TargetObject>
+			<TargetObject name="Level=0,Desc=Office Security Settings: Security Level 1 Low 2 Medium 3 High 0 disabled" condition="contains">\Security\Level</TargetObject>
+			<TargetObject name="Level=0,Desc=Office Trusted Location Changes" condition="contains">\Security\Trusted Locations</TargetObject>
+			<TargetObject name="Level=0,Desc=Office Keys: Monitor Disabling of Internet files in Protected View" condition="end with">Security\ProtectedView\DisableInternetFilesInPV</TargetObject>
+			<TargetObject name="Level=0,Desc=Office Keys: Monitor Disabling of attackments in Protected View" condition="end with">Security\ProtectedView\DisableAttachmentsInPV</TargetObject>
+			<TargetObject name="Level=0,Desc=Office Keys: Monitor Disabling of Unsafe Locations in Protected View" condition="end with">Security\ProtectedView\DisableUnsafeLocationsInPV</TargetObject>
+			<TargetObject name="Forensic=WinRAR History" condition="contains">Software\WinRAR\ArcHistory</TargetObject>
+			<TargetObject name="Forensic=Winzip History" condition="contains">WinZip\mru\</TargetObject>
+			<TargetObject name="Forensic=Misc Recent File List History" condition="contains">Recent File List</TargetObject>
+			<TargetObject name="Level=0,Desc=Word Security Changes" condition="contains">\Word\Security</TargetObject>
+			<TargetObject name="Level=0,Desc=Outlook Security Changes" condition="contains">\Outlook\Security</TargetObject>
+			<TargetObject name="Level=0,Desc=Excel Security Changes" condition="contains">\Excel\Security</TargetObject>
+			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Inbox</TargetObject>
+			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\Today\UserDefinedUrl</TargetObject>
+			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Calendar Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Calendar</TargetObject>
+			<TargetObject name="Forensic=Office History" condition="contains">\Place MRU</TargetObject>
+			<TargetObject name="Level=0,Desc=AmCache InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject>
+			<TargetObject name="Level=0,Desc=AmCache InvDB-DriverVer" condition="end with">\DriverVerVersion</TargetObject>
+			<TargetObject name="Level=0,Desc=AmCache InvDB-DriverVer" condition="end with">\DriverVersion</TargetObject>
+			<TargetObject name="Level=0,Desc=AmCache InvDB-Path" condition="end with">\LowerCaseLongPath</TargetObject>
+			<TargetObject name="Level=0,Desc=AmCache InvDB-Pub" condition="end with">\Publisher</TargetObject>
+			<TargetObject name="Level=0,Desc=AmCache InvDB-Store" condition="contains">Compatibility Assistant\Store\</TargetObject>
+			<TargetObject name="Level=0,Desc=AmCache InvDB-Ver" condition="end with">\BinProductVersion</TargetObject>
+			<TargetObject name="Level=0,Desc=User Mount Points" condition="end with">\Explorer\MountPoints2</TargetObject>
 			<!--Detect User Activity-->
-			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
-			<!--RDP History Tracking-->
-			<TargetObject condition="contains">\Software\Microsoft\Terminal Server Client</TargetObject>
-			<!--Detect Threats from Webroot Antivirus-->
-			<!--Active threats show like so: c:\users\JohnDoe\downloads\w10privacy\w10privacy.exe|W32.Backdoor.Gen|5880BC38 Reg Key Location: HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active-->
-			<TargetObject condition="contains">\WRData\Threats\Active</TargetObject><!--Detect Active Threats-->
-			<TargetObject condition="contains">\WRData\Threats\History</TargetObject><!--Detect Threat History & Auto-Removed Threats-->
-			<!--Detect Changes to Proxy Server Setting-->
-			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
-			<!--Detect Browser Hijackers-->
-			<!--<TargetObject condition="contains">\Software\Microsoft\Internet Explorer\DOMStorage\</TargetObject>-->
-			<!--<TargetObject condition="contains">\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\</TargetObject>-->
-			<!--<TargetObject condition="contains">\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage</TargetObject>-->
-			<!--Detect Unauthorized Firewall Changes-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject> <!--Check for apps added to Firewall Auth List-->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject> <!--Detect: UAC Tampering-->
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject> <!--Detect: UAC Tampering-->
-			<!--Detect Malware & Unauthorized Changes to Outlook, Excel, Powerpoint, and Access Security to enable execution of scripts/Macros -->
-			<TargetObject condition="contains">\Security\Level</TargetObject>
-			<TargetObject condition="contains">\Security\Level1Remove</TargetObject>
-			<!--Detect if Microsoft Security Center is Disabled or Enabled-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
-			<TargetObject condition="end with">\HideSCAHealth</TargetObject> <!--Microsoft:Windows:Security Center: Malware timestimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
-			<!--Detect if Windows Defender is Disabled-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable</TargetObject>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject> <!-- Detect disabling of machine password change -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject> <!-- Causes the domain controller to refuse password change requests only from workstations or member servers -->
-			<!-- Detect Root Certificate Store Hijacking and Unauthorized changes -->
-			<!-- Lots of noise from multiple locations, need a better monitor
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates</TargetObject>
-			<TargetObject condition="contains">\Software\Policies\Microsoft\SystemCertificates</TargetObject>
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates</TargetObject>
-			<TargetObject condition="contains">\SOFTWARE\Microsoft\EnterpriseCertificates</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SystemCertificates</TargetObject>
-			<TargetObject condition="contains">\SOFTWARE\Microsoft\SystemCertificates</TargetObject>
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\CertSvc</TargetObject>
-			-->
-			<!-- Other Stuff -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject> <!--Mitre T1198-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject><!--Mitre T1198-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
-			<TargetObject condition="contains">\Software\Classes\mscfile\shell\open\command</TargetObject> <!-- Fileless Bypass of UAC: http://resources.infosecinstitute.com/new-born-macro-malware-dropping-rootkits-using-fileless-infection-vector -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject><!--Identify Rogue Scheduled Task ID's -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject><!--Identify Rogue Scheduled Task ID's added to Logon -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot</TargetObject><!--Identify Rogue Scheduled Task ID's added to Boot -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject condition="contains">\comfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
-			<TargetObject condition="contains">\htafile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
-			<TargetObject condition="contains">\batfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
-			<TargetObject condition="contains">\piffile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
-			<TargetObject condition="contains">\exefile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
-			<TargetObject condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> <!-- Detect: UAC Bypass via sdclt: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ -->
-			<TargetObject condition="contains">\piffile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
-			<TargetObject condition="contains">\regfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
-			<TargetObject condition="contains">\mscfile\shell\open\command</TargetObject> <!-- Detect: Event Viewer UAC Bypass: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ -->
-			<TargetObject condition="contains">\InprocServer32</TargetObject> <!--Detect: COMObject Hijacking: https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
-			<TargetObject condition="end with">\FriendlyName</TargetObject> <!--Microsoft:Windows: New devices connected and remembered-->
-			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged-->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject> <!-- Detect Keyloggers & new Keyboards -->
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject> <!-- Detect: Dns Server dll injection -->
+			<TargetObject name="Level=0,Desc=Detect Bluetooth Audio Capture" condition="contains">\ConsentStore\bluetooth</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Contacts Accesses" condition="contains">\ConsentStore\contacts</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Input Capture Accesses/Keyloggers" condition="contains">\ConsentStore\hunmanInterfaceDevice</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Location Accesses" condition="contains">\ConsentStore\location</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Microphone Accesses" condition="contains">\ConsentStore\microphone</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect USB Accesses" condition="contains">\ConsentStore\usb\</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Webcam Accesses" condition="contains">\ConsentStore\webcam</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect humanInterfaceDevice Accesses" condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
+			<TargetObject name="Level=0,Desc=Explorer Last Visited MRU" condition="contains">LastVisitedMRU</TargetObject>
+			<TargetObject name="Level=0,Desc=Regedit Applets" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
+			<TargetObject name="Forensic=Run MRU" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
+			<TargetObject name="Level=0,Desc=USBStor USB Device History" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
+			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=4,Alert=Safeboot Service Added" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
+			<TargetObject name="Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
+			<TargetObject name="Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
+			<TargetObject name="Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject> <!--Mitre T1198-->
+			<TargetObject name="Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject><!--Mitre T1198-->
+			<TargetObject name="Level=0,Desc=Detect: COMObject Hijacking" condition="contains">\InprocServer32</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect: Dns Server dll injection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect: Open Command Hijacks" condition="contains">\batfile\shell\open\command</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect: Open Command Hijacks" condition="contains">\comfile\shell\open\command</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect: Open Command Hijacks" condition="contains">\exefile\shell\open\command</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect: Open Command Hijacks" condition="contains">\htafile\shell\open\command</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect: Open Command Hijacks" condition="contains">\piffile\shell\open\command</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect: Open Command Hijacks" condition="contains">\piffile\shell\open\command</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect: UAC Bypass" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> 
+			<TargetObject name="Level=0,Desc=Detect: UAC Bypass" condition="contains">\mscfile\shell\open\command</TargetObject>
+			<TargetObject name="Level=0,Desc=New Device Connected" condition="end with">\FriendlyName</TargetObject>
+			<TargetObject name="Level=0,Desc=Providers notified by Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
+			<TargetObject name="Level=0,Desc=Proxy Autoconfig URL" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
+			<TargetObject name="Level=0,Desc=Shell Service Object Delay Load" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Installer Engaged" condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
 			<!--Windows application compatibility shims-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged, useful for timeline matching with other events-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
-			<!-- NOTICE: Detect New USB Network Devices: Poison Tap - Creates lots of noise, disabled for now
+			<TargetObject name="Level=0,Desc=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetObject name="Level=0,Desc=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetObject name="Level=0,Desc=Process Tracing Modifications,,Risk=30" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
+			<!-- NOTICE: Detect New USB Network Devices: Poison Tap: Creates lots of noise, disabled for now
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
 			-->
-			<TargetObject name="NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
-			<TargetObject name="NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
-			<TargetObject name="NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="Attack=T1090,Technique=Connection Proxy,Level=0,Desc=NetSH PortProxy Detected" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4</TargetObject>
+			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion/Privilege Escalation,Alert=Possible Ursniff Malware Detected,FP=1" condition="contains">\Software\AppDataLow\Software\Microsoft\</TargetObject>
+			<TargetObject name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=4,Alert=Office Persistence Location,Risk=70" condition="end with">Software\Microsoft\Office test\Special\Perf</TargetObject>
+			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\CurrentControlSet\Services\NTDS\LsaDbExtPt</TargetObject>
+			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\Services\NTDS\DirectoryServiceExtPt</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=GoToMyPC File Transfer History,Risk=70" condition="contains">GoToMyPc\FileTransfer\history</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=GoToMyPC Guest Invite,Risk=70" condition="contains">GoToMyPc\GuestInvite</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=LogMeIn File Transfer Recipient" condition="contains">Filesharing</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=LogMeIn Guest Recipient" condition="contains">DesktopSharing</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=Teamviewer LogIncomingConnections Registry Key modification" condition="contains">LogIncomingConnections</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=Teamviewer LogOutgoingConnection Registry Key modification" condition="contains">LogOutgoingConnections</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=Teamviewer Password Registry Key date" condition="contains">PermanentPasswordDate</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=4,Alert=Teamviewer adminrights Key modification,Risk=70" condition="contains">Security_Adminrights</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=3,Alert=VNC Incoming Connection History,Risk=70" condition="contains">vncviewer\MRU</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Autostart Key modification" condition="contains">Autostart_GUI</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Meeting Username Registry Key modification" condition="end with">Meeting_UserName</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Persistence Login Name" condition="end with">BuddyLoginName</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Persistence Token ID modification" condition="end with">BuddyLoginTokenID</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer persistence Key modification" condition="contains">Always_Online</TargetObject>
+			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Potential Ransomware Indicator: EnableLinkedConnections Registry key,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\CurrentVersion\Policies\System\EnableLinkedConnections</TargetObject>
+			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Potential Ransomware Indicator: REvil Sodinokibi Sodin Ransomware,Risk=100" condition="contains">Software\recfg</TargetObject>
+			<TargetObject name="Attack=T0000,Technique=Environment Value Modification,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=Environment Value Modification" condition="end with">\Environment</TargetObject>
+			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Preload\</TargetObject>
+			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Substitutes\</TargetObject>
+			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002</TargetObject>
+			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy</TargetObject>
+			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\</TargetObject>
+			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\</TargetObject> 
+			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman</TargetObject>
+			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\</TargetObject>
+			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="end with">\Client\Enabled</TargetObject>
+			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="end with">\Server\Enabled</TargetObject>
+			<TargetObject name="Forensic=Kitty Sessions,Risk=30" condition="contains">Kitty\Sessions</TargetObject>
+			<TargetObject name="Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="Forensic=Putty Sessions,Risk=30" condition="contains">PuTTY\Sessions</TargetObject>
+			<TargetObject name="Level=0,Desc=RDP History,Risk=10" condition="contains">Terminal Server Client\Servers</TargetObject>
+			<TargetObject name="Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
+			<TargetObject name="Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
 		</RegistryEvent>
-		<RegistryEvent onmatch="exclude">
-		<!--COMMENT:	Remove low-information noise. Often these hide a process recreating an empty key and do not hide the values created subsequently.-->
-			<!--SECTION: Microsoft binaries-->
-			<Image condition="end with">Office\root\integration\integrator.exe</Image> <!--Microsoft:Office: C2R client-->
-			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image> <!--Microsoft:Windows: Changes association registry keys-->
-			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image> <!--Microsoft:Office: C2R client-->
-			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\lync.exe</Image> <!-- Lync Adding registry values to network adapter.. facepalm -->
-			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office15\lync.exe</Image> <!-- Lync Adding registry values to network adapter.. facepalm -->
-			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
-			<Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
-			<Image condition="contains">\Microsoft\Exchange Server</Image>
-			<TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\</TargetObject> <!-- Edge Extensions Creating Reg entries on launch -->
-			<!--Misc-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\ExchangeServer\</TargetObject>
-			<TargetObject condition="begin with">HKLM\CLUSTER\ExchangeActiveManager</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\Optimize Start Menu Cache Files-</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\User_Feed_Synchronization-</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--SvcHost Noise-->
-			<TargetObject condition="end with">Toolbar\WebBrowser</TargetObject> <!--Microsoft:IE: Extraneous activity-->
-			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Height</TargetObject> <!--Microsoft:IE: Extraneous activity-->
-			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Layout</TargetObject> <!--Microsoft:IE: Extraneous activity-->
-			<TargetObject condition="end with">Toolbar\ShellBrowser\ITBar7Layout</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
-			<TargetObject condition="end with">Internet Explorer\Toolbar\Locked</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
-			<TargetObject condition="end with">Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93}</TargetObject> <!--Adobe PDF Browser Toolbar-->
-			<TargetObject condition="end with">Toolbar\WebBrowser\{724D43A0-0D85-11D4-9908-00400523E39A}</TargetObject> <!--RoboForms Browser toolbar-->
-			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Layout</TargetObject> <!--Misc IE Activity-->
-			<TargetObject condition="end with">ShellBrowser</TargetObject> <!--Microsoft:InternetExplorer: Noise-->
-			<TargetObject condition="end with">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard-->
-			<TargetObject condition="end with">\CurrentVersion\RunOnce</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard-->
-			<TargetObject condition="end with">\CurrentVersion\App Paths</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\App Paths" wildcard-->
-			<TargetObject condition="end with">\CurrentVersion\Image File Execution Options</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Image File Execution Options" wildcard-->
-			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Cached</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Cached" wildcard-->
-			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Approved</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Approved" wildcard-->
-			<TargetObject condition="end with">\PreviousPolicyAreas</TargetObject> <!--Microsoft:Windows: Remove noise from \Winlogon\GPExtensions by svchost.exe-->
-			<TargetObject condition="end with">}\PreviousPolicyAreas</TargetObject> <!--Microsoft:Windows: Remove noise from \Winlogon\GPExtensions by svchost.exe-->
-			<TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
-			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
-			<TargetObject condition="end with">\Lsa\OfflineJoin\CurrentValue</TargetObject> <!--Microsoft:Windows: Sensitive value during domain join-->
-			<TargetObject condition="end with">\Components\TrustedInstaller\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
-			<TargetObject condition="end with">\Components\TrustedInstaller</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
-			<TargetObject condition="end with">\Components\Wlansvc</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
-			<TargetObject condition="end with">\Components\Wlansvc\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject> <!--Microsoft:Windows: Remove noise monitoring installations run as system-->
-			<TargetObject condition="end with">\Directory\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
-			<TargetObject condition="end with">\Directory\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
-			<TargetObject condition="end with">\Drive\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
-			<TargetObject condition="end with">\Drive\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
-			<TargetObject condition="contains">_Classes\AppX</TargetObject> <!--Microsoft:Windows: Remove noise monitoring "Shell\open\command"--> <!--Win8+-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--Microsoft:Windows: SvcHost Noise-->
-			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image> <!--Microsoft:Windows: Remove noise from Windows 10 Cortana | Credit @ion-storm--> <!--Win10-->
-			<!--Bootup Control noise-->
-			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
-			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
-			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
-			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
-			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
-			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
-			<!--Services autostart noise-->
-			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
-			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
-			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
-			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
-			<TargetObject condition="end with">\services\DeviceAssociationService\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
-			<TargetObject condition="end with">\services\BITS\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
-			<TargetObject condition="end with">\services\TrustedInstaller\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
-			<TargetObject condition="end with">\services\tunnel\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
-			<TargetObject condition="end with">\services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
-			<!--FileExts noise filtering-->
-			<TargetObject condition="contains">\OpenWithProgids</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
-			<TargetObject condition="end with">\OpenWithList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
-			<TargetObject condition="end with">\UserChoice</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
-			<TargetObject condition="end with">\UserChoice\ProgId</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
-			<TargetObject condition="end with">\UserChoice\Hash</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
-			<TargetObject condition="end with">\OpenWithList\MRUList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
-			<TargetObject condition="end with">} 0xFFFF</TargetObject> <!--Microsoft:Windows: Remove noise generated by explorer.exe on monitored ShellCached binary keys--> <!--Win8+-->
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdp</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jxr</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rw2</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rwl</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrw</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srw</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac</TargetObject>
-			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf</TargetObject>
-			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{955C0D7D-042E-4034-9D54-EBD52477A6DB}\</TargetObject> <!--Too much noise -->
-			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{BEACC58F-E643-4e97-B19E-95F6EE3500FA}\</TargetObject> <!--Too much noise -->
-			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{07598BD3-ABBE-4bee-959F-7B90253EADFF}\</TargetObject> <!--Too much noise -->
-			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{31240348-66EE-4F14-A42A-39F373A834C7}\</TargetObject> <!--Too much noise -->
-			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{8C8EC235-0786-4DAD-A957-1A6CD76C28F5}\</TargetObject> <!--Too much noise -->
-			<!--Group Policy noise-->
-			<TargetObject condition="end with">HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups</TargetObject> <!--Microsoft:Windows: Routinely set through Group Policy, not especially important to log-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
-			<TargetObject condition="contains">\safer\codeidentifiers\0\HASHES\{</TargetObject> <!--Microsoft:Windows: Software Restriction Policies. Can be used to disable security tools, but very noisy to monitor if you use it--> <!--OPTIONAL FILTER-->
-			<!--Autoruns noise-->
-			<!--<Details condition="is">c:\program files (x86)\microsoft office\office16\lync.exe</Details> Microsoft:Office: SkypeForBusiness autorun--> 
-			<!--<Details condition="is">"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized</Details> Cisco: AnyConnect autorun-->
-			<!--<Details condition="contains">ScanToPCActivationApp.exe" -deviceID "</Details> HP: Printer-->
-			<!--SECTION: 3rd party-->
-			<TargetObject condition="end with">} 0xFFFF</TargetObject> <!--Microsoft:Windows: Remove noise from explorer.exe from monitoring ShellCached binary keys--> <!--Win8+ -->
-			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image><!--Microsoft:Windows Remove noise from Windows 10 Cortana--> <!--Win10 -->
-			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image>
-			<TargetObject condition="contains">HKLM\System\CurrentControlSet\Services\DeviceAssociationService\Start</TargetObject><!--Device Association Service Noise-->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}\</TargetObject><!-- HD Audio Noise-->
-			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe</Image> <!--VMWare: Horizon View Client Noise-->
-			<Image condition="is">C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe</Image> <!--PGP: Noise-->
-			<!--SECTION: Labtech-->
-			<TargetObject condition="end with">\LTSvcMon\Start</TargetObject>
-			<TargetObject condition="end with">\LTService\Start</TargetObject>
-			<!--SECTION: ShadowProtect-->
-			<TargetObject condition="contains">{F2C2787D-95AB-40D4-942D-298F5F757874}</TargetObject>
-			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image> <!--Constantly writes to HKLM-->
-			<!-- Search Protocol Host & Sysmon spam the SystemCertificates keystores, adding exclusions below -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\</TargetObject>
-			<TargetObject condition="contains">\Software\Policies\Microsoft\SystemCertificates\</TargetObject>
-			<TargetObject condition="begin with">HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\</TargetObject>
-			<TargetObject condition="contains">\SOFTWARE\Microsoft\EnterpriseCertificates\</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SystemCertificates\</TargetObject>
-			<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports</TargetObject> <!-- Spooler Noise -->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnotice</TargetObject> <!-- Group Policy spam -->
-			<TargetObject condition="begin with">HKCR\VLC.</TargetObject> <!--VLC update noise-->
-			<TargetObject condition="begin with">HKCR\iTunes.</TargetObject> <!--Apple: iTunes update noise-->
-			<!--SECTION: Nitro Pro Spam-->
-			<TargetObject condition="contains">\Software\NITRO\PRO</TargetObject>
-			<!--SECTION: Webroot Spam-->
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\WRData\Status</TargetObject>
-			<!--MITRE Autorun Exclusions-->
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\RapportIaso</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\gzflt</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\trufos</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\wudfsvc</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\EFS</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\avc3</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\NableRemoteService</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\TabletInputService</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\AdobeARMservice</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\EPUpdateService</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\ScreenConnect </TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\EPSecurityService</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\EPIntegrationService</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\wrUrlFlt</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WRSVC</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\avckf</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\services\NableRemoteService</TargetObject>
-			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WRSVC</TargetObject>
-			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\BDElam</TargetObject>
-		</RegistryEvent>
-
+	</RuleGroup>
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
-		<!--EVENT 15: "File stream created"-->
-		<!--COMMENT:	Any files created with an NTFS Alternate Data Stream which match these rules will be hashed and logged.
-			[ https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/ ]
-			ADS's are used by browsers and email clients to mark files as originating from the Internet or other foreign sources.
-			[ https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/ ] -->
-		<!--NOTE: Other filesystem minifilters can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
-
-		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
+	<!--EVENT 15: "File stream created"-->
+	<RuleGroup name="RG=ADS Include Group" groupRelation="or">
 		<FileCreateStreamHash onmatch="include">
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Content.Outlook</TargetFilename> <!--Microsoft:Outlook: Attachments--> <!--PRIVACY WARNING-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Startup</TargetFilename> <!--ADS startup | Example: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.vb</TargetFilename> <!--VisualBasicScripting files-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.bat</TargetFilename> <!--Batch scripting-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.exe</TargetFilename> <!--Executable-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.dll</TargetFilename> <!--Executable-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.sys</TargetFilename> <!--Executable-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.hta</TargetFilename> <!--Scripting-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.sys</TargetFilename> <!--System driver files-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.reg</TargetFilename> <!--Registry files-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.docm</TargetFilename> <!--Office Macros-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.xlsm</TargetFilename> <!--Office Macros-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.xlam</TargetFilename> <!--Office Macros-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.pptm</TargetFilename> <!--Office Macros-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.potm</TargetFilename> <!--Office Macros-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.pptm</TargetFilename> <!--Office Macros-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.sldm</TargetFilename> <!--Office Macros-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.js</TargetFilename> <!--Java-->
-			<!--SECTION: Certificates -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.pem</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.crt</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.ca-bundle</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.cer</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.csr</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.der</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p7b</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p7r</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p7s</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.pfx</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.sto</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p12</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.crl</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.sst</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.key</TargetFilename>
-			<!--SECTION: CIA Vault7 Leak -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.mht</TargetFilename> <!-- Possible malformed file will escape IE sandbox -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.manifest</TargetFilename>
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.cpl</TargetFilename> <!-- Vault7 CIA Leak: Control Panel Persistence -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.scr</TargetFilename> <!-- Vault7 CIA Leak: Screensaver Persistence -->
-			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
-			<Hash name="Alert=Ramnit Banker Trojan!" condition="contains">291ff87948e45914424cec9510c297da</Hash><!--Ramnit Banker Malware: https://www.virustotal.com/#/file/7f054300fa64e7bcdec7f5538876e6008d6164f21ff21c6375e36dfe04a63412/details-->
-			<Hash name="Alert=Ramnit Banker Trojan!" condition="contains">304772c80b157a916c7041f2f15939fb</Hash><!--Ramnit Banker Malware: https://www.virustotal.com/#/file/7f054300fa64e7bcdec7f5538876e6008d6164f21ff21c6375e36dfe04a63412/details-->
-			<Hash name="Alert=Docusign Phish!" condition="contains">5E022694C0DBD1FBBC263D608E577949</Hash><!--Docusign Spam:https://www.vkremez.com/2018/03/malware-spam-internals-docusign-spam.html -->
-			<Hash name="Alert=Docusign Phish!" condition="contains">88ce6c0affcdbdc82abe53957dddfa12</Hash><!--Docusign Spam:https://www.vkremez.com/2018/03/malware-spam-internals-docusign-spam.html -->
+			<Rule name="Level=0,Desc=Interesting Files temp locations,Risk=10" groupRelation="and">
+				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
+				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.vbs;.hta</TargetFilename>
+			</Rule>
+			<Rule name="Level=4,Alert=HTML_Smuggling,Risk=50" groupRelation="and">
+				<TargetFilename condition="end with">:Zone.Identifier</TargetFilename>
+				<Contents condition="contains any">blob:;about:internet</Contents>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=FireEye sunburst file hashes,Risk=100" groupRelation="and">
+				<Hash condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hash><!-- exclude non executable files -->
+			</Rule>
+			<Rule name="Attack=T1096,Technique=Alternate Data Streams,Tactic=Defense Evasion,Level=0,Desc=Alternate Data Streams,Risk=10" groupRelation="and">
+				<TargetFilename condition="contains any">Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf</TargetFilename>
+			</Rule>
 		</FileCreateStreamHash>
+	</RuleGroup>
+	<RuleGroup name="RG=ADS Exclude Group" groupRelation="or">
 		<FileCreateStreamHash onmatch="exclude">
-			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
+			<Hash condition="contains">IMPHASH=00000000000000000000000000000000</Hash>
+			<TargetFilename condition="contains">AppData\Local\Microsoft\Windows\AppCache\</TargetFilename>
+			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\</TargetFilename>
+			<TargetFilename condition="contains">\Microsoft\Windows\Temporary Internet Files\Content.IE5</TargetFilename> 
 			<TargetFilename condition="contains">\Mozilla\Firefox\Profiles\</TargetFilename>
-			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\</TargetFilename> <!--Exclude: IE Cache Spam-->
-			<TargetFilename condition="contains">\Microsoft\Windows\Temporary Internet Files\Content.IE5</TargetFilename> <!--Exclude: IE Cache Spam-->
+			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename>
+			<TargetFilename condition="end with">Microsoft\Windows\Start Menu\Programs\Startup</TargetFilename>
 		</FileCreateStreamHash>
-
+	</RuleGroup>
 	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
-		<!--EVENT 16: "Sysmon config state changed"-->
-		<!--COMMENT:	This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16-->
-		
-		<!--DATA: RuleName, UtcTime, Configuration, ConfigurationFileHash-->
-		<!--Cannot be filtered.-->
+	<!--EVENT 16: "Sysmon config state changed"-->
+	<!--COMMENT:	This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16-->
+	<!--DATA: RuleName, UtcTime, Configuration, ConfigurationFileHash-->
+	<!--Cannot be filtered.-->
 
 	<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent]-->
-		<!--EVENT 17: "Pipe Created"-->
-		<!--EVENT 18: "Pipe Connected"-->
-
-		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
+	<!--EVENT 17: "Pipe Created"-->
+	<!--EVENT 18: "Pipe Connected"-->
+	<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
+	<RuleGroup name="RG=PipeEvent Include Group" groupRelation="or">
 		<PipeEvent onmatch="include">
-	  	 	<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\isapi_http</PipeName><!-- Credits @Cyb3rops & @olafhartong-->
-			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\isapi_dg</PipeName><!-- Credits @Cyb3rops & @olafhartong-->
-			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\isapi_dg2</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\isapi_http</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\sdlrpc</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\ahexec</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\winsession</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\lsassw</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\46a676ab7f179e511e30dd2dc41bd388</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\9f81f59bc58452127884ce513865ed20</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\e710f28d59aa529d6792ca6ff0ca1b34</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\rpchlp_3</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\NamePipe_MoreWindows</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\pcheap_reuse</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName condition="contains">\</PipeName><!--Include Everything else to mark above rules-->
+			<Rule name="Attack=T1071,Technique=Application Layer Protocol,Tactic=Command and Control,Level=4,Alert=Cobalt Strike named pipe detected,Risk=100" groupRelation="and">
+				<PipeName condition="contains any">msagent_;\MSSE-;postex;\status_</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=NA,Level=4,Alert=Turla Advanced Persistent Threat Named Pipe Detection,Risk=100" groupRelation="and">
+				<PipeName condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
+			</Rule>
+			<Rule name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,Level=4,Alert=lateral movement: psexec named pipe detected" groupRelation="or">
+				<PipeName condition="contains">\PSEXESVC</PipeName>
+				<PipeName condition="end with">-stdin</PipeName>
+				<PipeName condition="end with">-stdout</PipeName>
+			</Rule>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=9f81f59bc58452127884ce513865ed20 Named Pipe Detection,Risk=100" condition="contains">\9f81f59bc58452127884ce513865ed20</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=46a676ab7f179e511e30dd2dc41bd388 Named Pipe Detection,Risk=100" condition="contains">\46a676ab7f179e511e30dd2dc41bd388</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Kekeo Named Pipe Detection,Risk=100" condition="contains">tssmp_endpoint</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=NamePipe_MoreWindows Named Pipe Detection,Risk=100,Risk=100" condition="contains">\NamePipe_MoreWindows</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=WCEServicePipe detected,Risk=100" condition="contains">\WCEServicePipe</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=ahexec Named Pipe Detection,Risk=100" condition="contains">\ahexec</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=cachedump detected,Risk=100" condition="contains">\cachedumppipe</PipeName><!-- Credits @9f81f59bc58452127884ce513865ed20Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=csexec Named Pipe Detection,Risk=100" condition="contains">\csexec</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=e710f28d59aa529d6792ca6ff0ca1b34 Named Pipe Detection,Risk=100" condition="contains">\e710f28d59aa529d6792ca6ff0ca1b34</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_dg2 Named Pipe Detection,Risk=100" condition="contains">\isapi_dg</PipeName><!-- Credits @Cyb3rops & @olafhartong-->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100" condition="contains">\isapi_http</PipeName><!-- Credits @Cyb3rops & @olafhartong-->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100" condition="contains">\isapi_http</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=lsadump detected,Risk=100" condition="contains">\lsadump</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=lsassw Named Pipe Detectio,Risk=10" condition="contains">\lsassw</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=paexec Named Pipe Detection,Risk=100" condition="contains">\paexec</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=pcheap_reuse Named Pipe Detection" condition="contains">\pcheap_reuse</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Covanant C2 Named Pipe Detection" condition="contains">\gruntsvc</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=remcom Named Pipe Detection,Risk=100" condition="contains">\remcom</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=rpchlp_3 Named Pipe Detection,Risk=100" condition="contains">\rpchlp_3</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=sdlrpc Named Pipe Detection,Risk=100" condition="contains">\sdlrpc</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=winsession Named Pipe Detection,Risk=100" condition="contains">\winsession</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,Alert=lateral movement -meterpreter named pipe detected,Risk=100" condition="contains">msf-pipe</PipeName>
+			<PipeName name="Level=0,Desc=LM or EXEC over atsvc named pipe" condition="contains">\atsvc</PipeName> <!-- useful for lm or exec over atsvc namedpipe -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 1" condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\svcctl;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\DserNamedPipe;\mypipe-;\windows.update.manager;\ntsvcs_;scerpc_;\demoagent;\PGMessagePipe;\MsFTeWds;\f4c3;\fullduplex_;\msrpc_;\f53f;\rpc_;\spoolss_;\win_svc;\SearchTextHarvester</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=EFSPotato Named Pipe Detection" condition="contains any">\pipe\</PipeName>
+			<!-- Noisy
+			<PipeName name="Level=0,Desc=SMB Session Enumeration" condition="contains">\srvsvc</PipeName>
+			-->
+			<PipeName name="Level=0,Desc=Remote Registry access and enumeration" condition="contains">\winreg</PipeName> <!-- useful for lateral movement and users enumeration, psloggedon use this technique -->
+			<PipeName name="Level=0,Desc=Anonymous Named Pipe Detected" condition="contains">Anonymous Pipe</PipeName><!--Include Everything else to mark above rules-->
+			<PipeName name="Level=0,Desc=Uncategorized Events" condition="contains">\</PipeName><!--Include Everything else to mark above rules-->
 		</PipeEvent>
+	</RuleGroup>
+	<RuleGroup name="RG=PipeEvent Exclude Group" groupRelation="or">
 		<PipeEvent onmatch="exclude">
+		<EventType name="Exclude ConnectPipe for noise reduction" condition="is">ConnectPipe</EventType>
 		<!--COMMENT: Exclude known-good pipe users-->
 				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
 				<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
@@ -2994,172 +5038,512 @@
 			<PipeName condition="contains">lsass</PipeName>
 			<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
 			<PipeName condition="is">\spoolss</PipeName>
-			<!--SECTION: Microsoft IIS -->
-			<PipeName condition="begin with">\M.E.C.Core.WinRMDataCommunicator.NamedPipe.</PipeName>
-			<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image>
-			<Image condition="is">C:\Windows\syswow64\snmp.exe</Image>
-			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE</Image>
+			<Image condition="image">C:\Windows\system32\wbem\wmiprvse.exe</Image> <!-- Rediculous amount of spam, likely spikes cpu if logged -->
+			<Image condition="image">C:\Windows\System32\LxRun.exe</Image> <!--WSL-->
+			<Image condition="image">C:\Windows\System32\SearchIndexer.exe</Image>
+			<Image condition="image">C:\Windows\System32\services.exe</Image>
+			<Image condition="image">C:\Windows\System32\smss.exe</Image>
+			<Image condition="image">C:\Windows\System32\spoolsv.exe</Image>
+			<Image condition="image">C:\Windows\System32\wininit.exe</Image>
+			<Image condition="image">C:\Windows\system32\DFSRs.exe</Image>
+			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
+			<Rule name="ngen excludes" groupRelation="and">
+				<Image condition="begin with">C:\Windows\Microsoft.NET\Framework</Image>
+				<Image condition="end with">\ngen.exe</Image>
+			</Rule>
+			<Rule name="ShellExperienceHost excludes" groupRelation="and">
+				<Image condition="begin with">C:\Windows\SystemApps\ShellExperienceHost_</Image>
+				<Image condition="end with">\ShellExperienceHost.exe</Image>
+			</Rule>
+			<Image condition="image">C:\Windows\system32\SearchProtocolHost.exe</Image>
+			<Image condition="image">\System</Image>
+			<PipeName condition="contains">ProtectedPrefix\LocalService\FTHPIPE</PipeName>
 			<!--SECTION: Microsoft Exchange Server -->
 			<Image condition="contains">Exchange Server</Image>
+			<!--SECTION: Microsoft IIS -->
+			<Image condition="image">C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE</Image>
+			<Image condition="image">C:\Windows\syswow64\snmp.exe</Image>
+			<Image condition="image">c:\windows\system32\inetsrv\w3wp.exe</Image>
+			<PipeName condition="begin with">\M.E.C.Core.WinRMDataCommunicator.NamedPipe.</PipeName>
 			<!--SECTION: Microsoft DNS Server -->
-			<Image condition="is">C:\Windows\system32\dns.exe</Image>
+			<Image condition="image">C:\Windows\system32\dns.exe</Image>
 			<!--SECTION: Microsoft SQL Server -->
 			<PipeName condition="is">\sql\query</PipeName>
-			<Image condition="is">C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe</Image>
-			<!--SECTION: Microsoft Skype For Business Server -->
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exee</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\AV Conferencing\AVMCUSvc.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Health Agent\HealthAgent.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\LysSvc.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\File Transfer Agent\FileTransferAgent.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Web Conferencing\DataMCUSvc.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Application Host\OcsAppServerHost.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\ABServer.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Master Replicator Agent\MasterReplicatorAgent.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\IM Conferencing\IMMCUSvc.exe</Image>
-			<Image condition="is">C:\Program Files\Common Files\Skype for Business Server 2015\ClsAgent\ClsAgent.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\ReplicationApp.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\Application Sharing\ASMCUSvc.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Replica Replicator Agent\ReplicaReplicatorAgent.exe</Image>
-			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exe</Image>
-			<!--SECTION: Microsoft DFS Replication -->
-			<Image condition="is">C:\Windows\system32\DFSRs.exee</Image>
-			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
-			<Image condition="is">C:\Windows\system32\SearchProtocolHost.exe</Image>
-			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</Image>
-			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe</Image>
-			<Image condition="is">C:\Windows\System32\LxRun.exe</Image> <!--Bash On Windows -->
+			<Image condition="image">C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe</Image>
+			<PipeName condition="contains">\TDLN-</PipeName>
 			<PipeName condition="contains">vmware-</PipeName>
-			<Image condition="is">\System</Image>
 			<PipeName condition="is">\InitShutdown</PipeName>
-			<Image condition="is">C:\Windows\System32\wininit.exe</Image>
-			<Image condition="is">C:\Windows\System32\SearchIndexer.exe</Image>
-			<Image condition="is">C:\Windows\System32\services.exe</Image>
-			<PipeName condition="is">\ntsvcs</PipeName>
-			<PipeName condition="is">\scerpc</PipeName>
-			<Image condition="is">C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe</Image>
-			<Image condition="is">C:\Windows\System32\smss.exe</Image>
-			<Image condition="is">C:\Windows\System32\spoolsv.exe</Image>
-			<PipeName condition="is">\epmapper</PipeName>
-			<PipeName condition="is">\atsvc</PipeName>
-			<PipeName condition="is">\browser</PipeName>
-			<PipeName condition="is">\srvsvc</PipeName>
-			<PipeName condition="is">\Winsock2CatelogChangeListener</PipeName>
-			<PipeName condition="contains">ProtectedPrefix\LocalService\FTHPIPE</PipeName>
+			<PipeName condition="is">\MsFteWds</PipeName>
 			<PipeName condition="is">\W32TIME_ALT</PipeName>
+			<PipeName condition="is">\WiFiNetworkManagerTask</PipeName>
+			<PipeName condition="is">\Winsock2CatelogChangeListener</PipeName>
+			<PipeName condition="is">\browser</PipeName>
+			<PipeName condition="is">\epmapper</PipeName>
 			<PipeName condition="is">\eventlog</PipeName>
+			<PipeName condition="is">\ntsvcs</PipeName>
+			<PipeName condition="is">\scerpc</PipeName>
 			<PipeName condition="is">\wkssvc</PipeName>
-			<PipeName condition="contains">\TDLN-</PipeName>
-			<PipeName condition="is">\WiFiNetworkManagerTask</PipeName>
-			<PipeName condition="is">\MsFteWds</PipeName>
-			<!--SECTION: Webroot-->
-			<PipeName condition="is">\WRSVCPipe</PipeName>
-			<PipeName condition="is">\WRSynUM2</PipeName>
-			<PipeName condition="is">\wrUrl</PipeName><!--Webroot Webfiltering Pipe-->
-			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
-			<!--SECTION: Google-->
-			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
-			<Image condition="contains">AppData\Local\Google\Chrome\User Data\SwReporter\</Image>
-			<PipeName condition="contains">mojo.</PipeName>
-			<PipeName condition="contains">crashpad_</PipeName>
-			<PipeName condition="contains">chrome.</PipeName>
-			<PipeName condition="contains">GoogleCrashServices</PipeName>
-			<!--SECTION: Other-->
-			<Image condition="end with">slack.exe</Image>
-			<!--SECTION: ConnectWise-->
-			<PipeName condition="contains">booma\</PipeName>
-			<!--SECTION: EnPass-->
-			<PipeName condition="contains">qtsingleapp-enpass-</PipeName>
-			<Image condition="contains">qtsingleapp-enpass-</Image>
-			<!--SECTION: RoyalTS-->
-			<PipeName condition="contains">eo.ipc.</PipeName>
-			<!--SECTION: Windows Firewall Control-->
-			<Image condition="is">C:\Program Files\Windows Firewall Control\wfc.exe</Image>
-			<!--SECTION: Everything Search-->
-			<PipeName condition="contains">Everything Service</PipeName>
-			<PipeName condition="contains">anchor_gui_agent</PipeName>
-			<!--SECTION: Adobe-->
-			<Image condition="end with">Adobe\ARM\1.0\AdobeARM.exe</Image>
-			<!--SECTION: Lenovo-->
-			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\SUService.exe</Image>
-			<Image condition="is">C:\Program Files\Common Files\VMware\DeviceRedirectionCommon\ftnlsv.exe</Image>
-			<Image condition="is">C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe</Image>
-			<Image condition="is">C:\Program Files\Lenovo\HOTKEY\shtctky.exe</Image>
-			<Image condition="is">C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE</Image>
-			<Image condition="is">C:\Windows\System32\LPlatSvc.exe</Image>
-			<Image condition="is">C:\PROGRA~1\Lenovo\HOTKEY\TPOSD.EXE</Image>
-			<Image condition="is">C:\Program Files (x86)\Lenovo\iMController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe</Image>
-			<!--SECTION: Fortinet-->
-			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiSSLVPNdaemon.exe</Image>
-			<!--SECTION: Sophos VPN Client-->
-			<Image condition="is">c:\program files (x86)\sophos\sophos ssl vpn client\bin\openvpnserv.exe</Image>
-			<!--SECTION: Labtech-->
-			<Image condition="contains">ScreenConnect.WindowsClient.exe</Image>
-			<Image condition="contains">ScreenConnect.ClientService.exe</Image>
-			<!--SECTION: N-Able -->
-			<Image condition="end with">N-able Technologies\Windows Agent\bin\agent.exe</Image>
-			<Image condition="end with">N-able Technologies\AVDefender\EPIntegrationService.exe</Image>
-			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
-			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn.exe</Image>
-			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpnserv.exe</Image>
-			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
-			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe</Image>
-			<Image condition="is">C:\Program Files\Lenovo\HOTKEY\tphkload.exe</Image>
-			<Image condition="contains">C:\Program Files\Lenovo\</Image>
-			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\SerialPortRedirection\Client\vmwsprrdpwks.exe</Image>
-			<Image condition="contains">Graylog-collector-sidecar.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git-remote-https.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\bin\git.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiESNAC.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiTray.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FCDBLog.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\VMware\ScannerRedirection\ftscanmgrhv.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Internet Explorer\vmware-vmrc.exe</Image>
-			<PipeName condition="contains">SQLAnywhereLRM</PipeName> <!-- Quickbooks -->
-			<PipeName condition="contains">pgsignal</PipeName> <!-- Postgres SQL -->
-			<Image condition="is">postgres.exe</Image>
-			<PipeName condition="contains">MICROSOFT##WID\tsql\query</PipeName> <!-- Microsoft SQL writer-->
-			<PipeName condition="contains">TSVCPIPE-</PipeName> <!-- Terminal Services Pipe-->
-			<PipeName condition="contains">BB4BB19A178C25D1</PipeName>
-			<PipeName condition="contains">SQLAnywhereLRM</PipeName>
-			<PipeName condition="contains">SQLLocal</PipeName>
-			<PipeName condition="contains">DropboxPipe_</PipeName>
-			<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel RMS License Manager\WinNT\mfcesd.exe</Image>
-			<Image condition="is">C:\Pfx Engagement\WM\PFXEngagement.exe</Image>
-			<Image condition="is">C:\Pfx Engagement\WM\Pfx.KnowledgeCoach.SharedServices.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Micro Focus\COBOL Server 2012\bin\mfds.exe</Image>
-			<Image condition="is">ScreenConnect.WindowsClient.exe</Image>
-			<Image condition="is">ScreenConnect.ClientService.exe</Image>
-			<Image condition="is">QBW32.EXE</Image>
-			<Image condition="end with">EXCEL.EXE</Image>
-			<Image condition="end with">ADCUpdate.exe</Image>
-			<Image condition="end with">Hydrous.Host.exe</Image>
-			<Image condition="end with">TNSLSNR.exe</Image>
-			<Image condition="contains">ShoreWare Server</Image>
+			<PipeName condition="is">\ntapvsrq</PipeName>
+			<PipeName condition="contains">Anonymous Pipe</PipeName>
 		</PipeEvent>
-
+	</RuleGroup>
 	<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
-		<!--EVENT 19: "WmiEventFilter activity detected"-->
-		<!--EVENT 20: "WmiEventConsumer activity detected"-->
-		<!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->
-		<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
-		<WmiEvent onmatch="exclude">
+	<!--EVENT 19: "WmiEventFilter activity detected"-->
+	<!--EVENT 20: "WmiEventConsumer activity detected"-->
+	<!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->
+	<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
+	<RuleGroup name="RG=WmiEvent Include Group" groupRelation="or">
+		<WmiEvent onmatch="include">
+			<Operation name="Attack=T1047,Technique=Windows Management Instrumentation" condition="is">Created</Operation>
 		</WmiEvent>
-
-	<!--SYSMON EVENT ID 255 : ERROR-->
-		<!--"This event is generated when an error occurred within Sysmon. They can happen if the system is under heavy load
-			and certain tasked could not be performed or a bug exists in the Sysmon service. You can report any bugs on the
-			Sysinternals forum or over Twitter (@markrussinovich)."-->
-		<!--Cannot be filtered.-->
-
+	</RuleGroup>
+	<!-- SYSMON EVENT ID 22 : DNS Queries-->
+	<RuleGroup name="RG=DNS Query Includes" groupRelation="or">
+		<DnsQuery onmatch="include">
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=Powershell TXT Record exfiltration" groupRelation="and">
+				<QueryResults condition="contains any">type: 16;type:  16</QueryResults>
+				<Image condition="image">powershell.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Powershell,Tactic=Execution,Level=4,Alert=Powershell Connection to github" groupRelation="and">
+				<QueryName condition="contains">github</QueryName>
+				<Image condition="image">powershell.exe</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Suspicious DNS Requests" groupRelation="and">
+				<Image condition="contains any">powershell;cscript.exe;wscript.exe;mshta.exe;bitsadmin.exe;\cmd.exe</Image>
+				<QueryName condition="contains">.</QueryName>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=Dropbox Cloud Exfiltration" groupRelation="and">
+				<QueryName condition="end with">dropboxapi.com</QueryName>
+				<Image condition="excludes any">\Dropbox\Client\Dropbox.exe;\Dropbox\bin\Dropbox.exe;\Oracle\Java\</Image>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=OneDrive Cloud Exfiltration" groupRelation="and">
+				<QueryName condition="contains">1drv</QueryName>
+				<Image condition="excludes any">\AppData\Local\Microsoft\OneDrive\OneDrive.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;\Internet Explorer\iexplore.exe;C:\Windows\System32\AppHostRegistrationVerifier.exe;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe;C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe;C:\Program Files\Mozilla Firefox\firefox.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=Box.com Cloud Exfiltration" groupRelation="and">
+				<QueryName condition="contains all">.box.com;upload</QueryName>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=Mega.co.nz Cloud Exfiltration" groupRelation="and">
+				<QueryName condition="contains any">mega.nz;mega.co.nz</QueryName>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=Privatlab Cloud Exfiltration" groupRelation="and">
+				<QueryName condition="contains any">privatlab.com</QueryName>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst domains,Risk=100" groupRelation="or">
+				<QueryName condition="contains any">thedoccloud.com;deftsecurity.com;websitetheme.com;highdatabase.com;incomeupdate.com;zupertech.com;panhardware.com;databasegalore.com;avsvmcloud.com;freescanonline.com</QueryName>
+			</Rule>
+			<Rule name="Level=0,Desc=Social Networking" groupRelation="or">
+				<QueryName condition="contains any">tiktok;parler.com;gab.com;mewe.com;4chan;8chan;facebook;fbcdn;twitter;instagram;snapchat</QueryName>
+			</Rule>
+			<Rule name="Level=0,Desc=Internet Relay Chat,Risk=70" groupRelation="or">
+				<QueryName condition="contains any">efnet;undernet;freenode;ircnet;.rizon;quakenet;oftc.net;dalnet</QueryName>
+			</Rule>
+			<Rule name="Level=0,Desc=Internet Chat,Risk=20" groupRelation="and">
+				<QueryName condition="contains any">.slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com</QueryName>
+			</Rule>
+			<!--Crypto Currency Mining pools-->
+			<Rule name="Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=10"  groupRelation="or">
+				<QueryName condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.nimpool.io;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool;analytics.blue;estream.to</QueryName>
+			</Rule>
+			<QueryName name="Level=0,Desc=Microsoft Graph API Lookup" condition="is">graph.microsoft.com</QueryName>
+			<QueryName name="Level=0,Desc=Dropbox Download Detected" condition="is">dl.dropboxusercontent.com</QueryName>
+			<QueryName name="Level=0,Desc=OneDrive API Lookup" condition="is">api.onedrive.com</QueryName>
+			<QueryName name="Level=0,Desc=Zoom Hostname Lookup" condition="contains">zoom.us</QueryName>
+			<QueryName name="Level=0,Desc=Teamviewer Hostname Lookup" condition="contains">teamviewer</QueryName>
+			<QueryName name="Level=0,Desc=Screenconnect Hostname Lookup" condition="contains">Screenconnect</QueryName>
+			<!--Public Port Scan Detection-->
+			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery" condition="contains">census</QueryName>
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=ResearchScan DNS Query" condition="contains">researchscan</QueryName>
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=ScanHub DNS Query" condition="contains">scanhub</QueryName>
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=Shadow DNS Query,Risk=20" condition="contains">shadow</QueryName>
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=Shodan.IO DNS Query,Risk=20" condition="contains">shodan</QueryName>
+			<!--Domain TLD's to log-->
+			<QueryName name="Level=0,Desc=Download TLD DNS Query" condition="end with">.download</QueryName>
+			<QueryName name="Level=0,Desc=North Korea TLD DNS Query" condition="end with">.kp</QueryName>
+			<QueryName name="Level=0,Desc=Soviet Union TLD DNS Query" condition="end with">.su</QueryName>
+			<QueryName name="Level=0,Desc=Sudan TLD DNS Query" condition="end with">.ss</QueryName>
+			<QueryName name="Level=0,Desc=Suspicious TLD .xn DNS Query" condition="end with">.xn</QueryName>
+			<QueryName name="Level=0,Desc=Syria TLD DNS Query" condition="end with">.sy</QueryName>
+			<QueryName name="Level=0,Desc=Venezuela TLD DNS Query" condition="end with">.ve</QueryName>
+			<QueryName name="Level=0,Desc=XXX TLD DNS Query" condition="end with">.xxx</QueryName>
+			<QueryName name="Level=0,Desc=China TLD DNS Query" condition="end with">.cn</QueryName>
+			<QueryName name="Level=0,Desc=Click TLD DNS Query" condition="end with">.click</QueryName>
+			<QueryName name="Level=0,Desc=Club TLD DNS Query" condition="end with">.club</QueryName>
+			<QueryName name="Level=0,Desc=IRAN TLD DNS Query" condition="end with">.ir</QueryName>
+			<QueryName name="Level=0,Desc=Russian TLD DNS Query" condition="end with">.ru</QueryName>
+			<QueryName name="Level=0,Desc=Suspicious TLD .Host DNS Query" condition="end with">.host</QueryName>
+			<QueryName name="Level=0,Desc=Suspicious TLD .ICU DNS Query" condition="end with">.icu</QueryName>
+			<QueryName name="Level=0,Desc=Suspicious TLD .PW DNS Query" condition="end with">.pw</QueryName>
+			<QueryName name="Level=0,Desc=Suspicious TLD .WEBSITE DNS Query" condition="end with">.website</QueryName>
+			<QueryName name="Level=0,Desc=Suspicious TLD .ninja DNS Query" condition="end with">.ninja</QueryName>
+			<QueryName name="Level=0,Desc=Suspicious TLD .rocks DNS Query" condition="end with">.rocks</QueryName>
+			<QueryName name="Level=0,Desc=Top TLD DNS Query" condition="end with">.top</QueryName>
+			<QueryName name="Level=0,Desc=Ukraine TLD DNS Query" condition="end with">.ua</QueryName>
+			<QueryName name="Level=0,Desc=XYZ TLD DNS Query" condition="end with">.xyz</QueryName>
+			<!--Malware Domains-->
+			<Rule name="Level=0,Desc=Suspicious Domain,Risk=20" groupRelation="and">
+				<QueryName condition="contains any">kuternull.com;rimrun.com;0ffice36o;asushotfix;infestexe;rahasn.webhop.org;rahasn.akamake.net;rahasn.homewealth.biz;winodwsupdates;israirairlines</QueryName>
+			</Rule>
+			<QueryName name="Level=0,Desc=DNS Query to Github,Risk=20" condition="contains any">githubusercontent.com;github.com</QueryName> 
+			<!--Common Suspicious destinations-->
+			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=0,Desc=Malware IP Check,Risk=30" condition="contains any">api.ipify.org;whatismyipaddress.com;edns.ip-api.com;checkip.dyndns.org;icanhazip.com;ifconfig.me;ifconfig.co;ipaddress.com;ipecho.net;ident.me;api.ip.sb;www.myexternalip.com;ip.anysrc.net;wtfismyip.com;myexternalip.com;ipecho.net;checkip.amazonaws.com;goo.gl;git.io;bit.ly;ow.ly;ip-api.com</QueryName> <!--Malware uses to get external IP address-->
+			<!-- Malicious/Suspicious hosting domains-->
+			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=4,Alert=Common Malware Hosting Domain: Tiny-share.com,Risk=30" condition="contains any">tiny-share.com;paste.ee;pastebin.com</QueryName>
+			<!--Dynamic DNS Lookups-->
+			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=3,Alert=Dynamic DNS Query" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</QueryName>
+			<QueryName name="Attack=T1188,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=4,Alert=Tor2Web,Risk=100" condition="contains any">darknet.to;hiddenservice.net;onion.cab;onion.city;onion.direct;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org</QueryName>
+			<QueryName name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=DNS Over HTTPS Detected" condition="contains any">adblock.mydns.network;ibksturm.synology.me;jcdns.fun;ibuki.cgnat.net;dns.twnic.tw;commons.host;doh.dnswarden.com;dns-nyc.aaflalo.me;dns.aaflalo.me;doh.appliedprivacy.net;doh.captnemo.in;doh.tiar.app;doh.tiarap.org;doh.defaultroutes.de;doh.dns.sb;dns.oszx.co;2.dnscrypt-cert.oszx.co;dnscrypt;edns.233py.com;hk-dns.233py.com;hk2dns.233py.com;hkdns.233py.com;hkdns.233py.com;ndns.233py.com;sdns.233py.com;wdns.233py.com;pastebin.com;dns.adguard.com;dns-family.adguard.com;security-filter-dns.cleanbrowsing.org;family-filter-dns.cleanbrowsing.org;adult-filter-dns.cleanbrowsing.org;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;dns.google;doh.opendns.com;dns.quad9.net;dns9.quad9.net;dns10.quad9.net;dns11.quad9.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;doh-ch.blahdns.com;doh-de.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;doh-2.seby.io;doh.seby.io;rdns.faelix.net;doh.li;doh.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk</QueryName>
+			<QueryName name="Level=0,Desc=DC Global Catalog Lookup" condition="begin with">gc._msdcs.</QueryName>
+			<QueryName name="Level=0,Desc=DC Lookup" condition="begin with">_ldap._tcp.dc._</QueryName>
+			<QueryName name="Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._tcp.dc._msdcs.</QueryName>
+			<QueryName name="Level=0,Desc=Primary DC Lookup" condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
+			<QueryName name="Level=0,Desc=Web Proxy Auto-Discovery Protocol Lookup" condition="is">wpad</QueryName>
+			<!--
+			<QueryResults name="Level=0,Desc=AAAA Lookup" condition="begin with">type:  28</QueryResults>
+			<QueryResults name="Level=0,Desc=CNAME Lookup" condition="begin with">type:  5</QueryResults>
+			<QueryResults name="Level=0,Desc=MX Lookup" condition="begin with">type:  15</QueryResults>
+			<QueryResults name="Level=0,Desc=Name Server" condition="begin with">type:  2</QueryResults>
+			<QueryResults name="Level=0,Desc=PTR Lookup" condition="begin with">type:  12</QueryResults>
+			<QueryResults name="Level=0,Desc=SOA Lookup" condition="begin with">type:  6</QueryResults>
+			<QueryResults name="Level=0,Desc=SPF Lookup" condition="begin with">type:  99</QueryResults>
+			<QueryResults name="Level=0,Desc=SRV Lookup" condition="begin with">type:  33</QueryResults>
+			-->
+			<Image name="Information=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
+		</DnsQuery>
+	</RuleGroup>
+	<RuleGroup name="RG=DNS Query Excludes" groupRelation="or">
+		<DnsQuery onmatch="exclude">
+			<!-- Image Exclusions -->
+			<Image condition="begin with">C:\Program Files (x86)\Admin Arsenal\</Image>
+			<Image condition="begin with">C:\Program Files (x86)\CheckPoint\</Image>
+			<Image condition="begin with">C:\Program Files (x86)\Fortinet\</Image>
+			<Image condition="begin with">C:\Program Files (x86)\OpenDNS\OpenDNS Connector</Image>
+			<Image condition="begin with">C:\Program Files (x86)\Razer\Razer Services\</Image>
+			<Image condition="begin with">C:\Program Files (x86)\Trend Micro\</Image>
+			<Image condition="begin with">C:\Program Files (x86)\VMware</Image>
+			<Image condition="begin with">C:\Program Files (x86)\Veeam\</Image>
+			<Image condition="begin with">C:\Program Files\CheckPoint\</Image>
+			<Image condition="begin with">C:\Program Files\Trend Micro\</Image>
+			<Image condition="end with">Slack.exe</Image>
+			<Image condition="end with">\controls\cef\ConnectWise.exe</Image>
+			<Image condition="end with">git-remote-https.exe</Image>
+			<Image condition="image">C:\Program Files (x86)\Enpass\Enpass.exe</Image>
+			<Image condition="image">C:\Program Files (x86)\Fiserv\Vision\VisionGUI.NET.exe</Image>
+			<Image condition="image">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image>
+			<Image condition="image">C:\Program Files (x86)\Lenovo\System Update\Tvsukernel.exe</Image>
+			<Image condition="image">C:\Program Files\VMware\vCenter Server\jre\bin\java.exe</Image>
+			<Image condition="image">C:\Program Files\VMware\vCenter Server\python\python.exe</Image>
+			<Image condition="image">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
+			<Image condition="image">C:\Windows\System32\dsregcmd.exe</Image>
+			<Image condition="image">C:\Windows\sysmon64.exe</Image>
+			<Image condition="image">C:\Windows\sysmon.exe</Image>
+			<QueryName condition="begin with">brave-sync.s3.dualstack.</QueryName>
+			<QueryName condition="end with">.salesforceliveagent.com</QueryName>
+			<QueryName condition="is">ads-serve.brave.com</QueryName>
+			<!--Network noise-->
+			<QueryName condition="end with">.msftncsi.com</QueryName> <!--Microsoft proxy detection | Microsoft default exclusion-->
+			<QueryName condition="is">..localmachine</QueryName>
+			<!--Microsoft-->
+			<QueryName condition="end with">-pushp.svc.ms</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
+			<QueryName condition="end with">.b-msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
+			<QueryName condition="end with">.bing.com</QueryName> <!-- Microsoft | Microsoft default exclusion -->
+			<QueryName condition="end with">.hotmail.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.live.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.live.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.microsoft.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.microsoftonline.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.microsoftstore.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.ms-acdc.office.com</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
+			<QueryName condition="end with">.msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
+			<QueryName condition="end with">.msn.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.msocdn.com</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.s-microsoft.com</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.skype.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.skype.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.windows.com</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.windows.net.nsatc.net</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.windowsupdate.com</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.xboxlive.com</QueryName> <!--Microsoft-->
+			<QueryName condition="is">login.windows.net</QueryName> <!--Microsoft-->
+			<!--Microsoft:Office365/AzureAD-->
+			<QueryName condition="end with">.activedirectory.windowsazure.com</QueryName> <!--Microsoft: AzureAD-->
+			<QueryName condition="end with">.msauth.net</QueryName>
+			<QueryName condition="end with">.msftauth.net</QueryName>
+			<QueryName condition="end with">.opinsights.azure.com</QueryName> <!--Microsoft: AzureAD/InTune client event monitoring-->
+			<QueryName condition="is">management.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
+			<QueryName condition="is">outlook.office365.com</QueryName> <!--Microsoft: Protected by HSTS-->
+			<QueryName condition="is">portal.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
+			<!--3rd-party applications-->
+			<QueryName condition="end with">.mozaws.net</QueryName> <!--Mozilla-->
+			<QueryName condition="end with">.mozilla.com</QueryName> <!--Mozilla-->
+			<QueryName condition="end with">.mozilla.net</QueryName> <!--Mozilla-->
+			<QueryName condition="end with">.mozilla.org</QueryName> <!--Mozilla-->
+			<QueryName condition="end with">.spotify.com</QueryName> <!--Spotify-->
+			<QueryName condition="end with">.spotify.map.fastly.net</QueryName> <!--Spotify-->
+			<QueryName condition="end with">googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients1.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients2.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients3.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients4.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients5.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients6.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">cloudsearch.googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">id.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">safebrowsing.googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">www.googleapis.com</QueryName> <!--Google-->
+			<!--Goodlist CDN-->
+			<QueryName condition="end with">.akadns.net</QueryName> <!--AkamaiCDN, extensively used by Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.netflix.com</QueryName>
+			<QueryName condition="end with">.typekit.net</QueryName> <!--Adobe fonts-->
+			<QueryName condition="end with">aspnetcdn.com</QueryName> <!--Microsoft [ https://docs.microsoft.com/en-us/aspnet/ajax/cdn/overview ]-->
+			<QueryName condition="is">ajax.googleapis.com</QueryName>
+			<QueryName condition="is">cdnjs.cloudflare.com</QueryName>
+			<QueryName condition="is">cdnjs.cloudflare.com</QueryName> <!--Cloudflare: Hosts popular javascript libraries-->
+			<QueryName condition="is">fonts.googleapis.com</QueryName> <!--Google fonts-->
+			<!--Personal-->
+			<QueryName condition="end with">.steamcontent.com</QueryName> <!--If you seriously host malware C2 in game binaries in Steam, I give up-->
+			<!--Web resources-->
+			<QueryName condition="end with">.disqus.com</QueryName> <!--Microsoft default exclusion-->
+			<QueryName condition="end with">.fontawesome.com</QueryName>
+			<QueryName condition="is">disqus.com</QueryName> <!--Microsoft default exclusion-->
+			<!--Ads-->
+			<QueryName condition="end with">.1rx.io</QueryName> <!--Ads-->
+			<QueryName condition="end with">.2mdn.net</QueryName> <!--Ads: Google | Microsoft default exclusion-->
+			<QueryName condition="end with">.adadvisor.net</QueryName> <!--Ads: Neustar [ https://better.fyi/trackers/adadvisor.net/ ] -->
+			<QueryName condition="end with">.adap.tv</QueryName> <!--Ads:AOL | Microsoft default exclusion [ https://www.crunchbase.com/organization/adap-tv ] -->
+			<QueryName condition="end with">.addthis.com</QueryName> <!--Ads:Oracle | Microsoft default exclusion [ https://en.wikipedia.org/wiki/AddThis ] -->
+			<QueryName condition="end with">.adform.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adnxs.com</QueryName> <!--Ads: AppNexus | Microsoft default exclusion-->
+			<QueryName condition="end with">.adroll.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adrta.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adsafeprotected.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adsrvr.org</QueryName> <!--Ads-->
+			<QueryName condition="end with">.advertising.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.analytics.yahoo.com</QueryName> <!--Ads:Yahoo-->
+			<QueryName condition="end with">.aol.com</QueryName> <!--Ads | Microsoft default exclusion -->
+			<QueryName condition="end with">.betrad.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.bidswitch.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.casalemedia.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.chartbeat.net</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/chartbeat.com/ ]-->
+			<QueryName condition="end with">.cnn.com</QueryName> <!-- Microsoft default exclusion-->
+			<QueryName condition="end with">.convertro.com</QueryName> <!--Ads:Verizon-->
+			<QueryName condition="end with">.criteo.com</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
+			<QueryName condition="end with">.criteo.net</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
+			<QueryName condition="end with">.crwdcntrl.net</QueryName> <!--Ads: Lotame [ https://better.fyi/trackers/crwdcntrl.net/ ] -->
+			<QueryName condition="end with">.demdex.net</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.domdex.com</QueryName> 
+			<QueryName condition="end with">.dotomi.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.doubleclick.net</QueryName> <!--Ads:Conversant | Microsoft default exclusion [ https://www.crunchbase.com/organization/dotomi ] -->
+			<QueryName condition="end with">.doubleverify.com</QueryName> <!--Ads: Google-->
+			<QueryName condition="end with">.emxdgt.com</QueryName> <!--Ads: EMX-->
+			<QueryName condition="end with">.exelator.com</QueryName> <!--Ads:Nielson Marketing Cloud-->
+			<QueryName condition="end with">.google-analytics.com</QueryName> <!--Ads:Google | Microsoft default exclusion-->
+			<QueryName condition="end with">.googleadservices.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.googlesyndication.com</QueryName> <!--Ads:Google, sometimes called during malicious ads, but not directly responsible | Microsoft default exclusion [ https://www.hackread.com/wp-content/uploads/2018/06/Bitdefender-Whitepaper-Zacinlo.pdf ]-->
+			<QueryName condition="end with">.googletagmanager.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.googlevideo.com</QueryName> <!--Google | Microsoft default exclusion-->
+			<QueryName condition="end with">.gstatic.com</QueryName> <!--Google | Microsoft default exclusion-->
+			<QueryName condition="end with">.gvt1.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.gvt2.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.ib-ibi.com</QueryName> <!--Ads: Offerpath [ https://better.fyi/trackers/ib-ibi.com/ ] -->
+			<QueryName condition="end with">.jivox.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.mathtag.com</QueryName> <!--Microsoft default exclusion-->
+			<QueryName condition="end with">.moatads.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.moatpixel.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.mookie1.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.myvisualiq.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.netmng.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.openx.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.optimizely.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.outbrain.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.pardot.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.phx.gbl</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.pinterest.com</QueryName> <!--Pinerest-->
+			<QueryName condition="end with">.pubmatic.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.quantcount.com</QueryName>
+			<QueryName condition="end with">.quantserve.com</QueryName>
+			<QueryName condition="end with">.revsci.net</QueryName> <!--Ads:Omniture | Microsoft default exclusion-->
+			<QueryName condition="end with">.rfihub.net</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.rlcdn.com</QueryName> <!--Ads: Rapleaf [ https://better.fyi/trackers/rlcdn.com/ ] -->
+			<QueryName condition="end with">.rubiconproject.com</QueryName> <!--Ads: Rubicon Project | Microsoft default exclusion [ https://better.fyi/trackers/rubiconproject.com/ ] -->
+			<QueryName condition="end with">.scdn.co</QueryName> <!--Spotify-->
+			<QueryName condition="end with">.scorecardresearch.com</QueryName> <!--Ads: Comscore | Microsoft default exclusion-->
+			<QueryName condition="end with">.serving-sys.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.sharethrough.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.simpli.fi</QueryName>
+			<QueryName condition="end with">.sitescout.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.smartadserver.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.snapads.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.spotxchange.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.taboola.com</QueryName> <!--Ads:Taboola-->
+			<QueryName condition="end with">.taboola.map.fastly.net</QueryName> <!--Ads:Taboola-->
+			<QueryName condition="end with">.tapad.com</QueryName>
+			<QueryName condition="end with">.tidaltv.com</QueryName> <!--Ads: Videology [ https://better.fyi/trackers/tidaltv.com/ ] -->
+			<QueryName condition="end with">.trafficmanager.net</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.tremorhub.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.tribalfusion.com</QueryName> <!--Ads: Exponential [ https://better.fyi/trackers/tribalfusion.com/ ] -->
+			<QueryName condition="end with">.turn.com</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/turn.com/ ] -->
+			<QueryName condition="end with">.twimg.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.tynt.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.w55c.net</QueryName> <!--Ads:dataxu-->
+			<QueryName condition="end with">.ytimg.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.zorosrv.com</QueryName> <!--Ads:Taboola-->
+			<QueryName condition="end with">ads.yahoo.com</QueryName> <!--Ads: Yahoo-->
+			<QueryName condition="is">1rx.io</QueryName>
+			<QueryName condition="is">adservice.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">ampcid.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clientservices.googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">d29x207vrinatv.cloudfront.net</QueryName> <!--Amazon-developed applications-->
+			<QueryName condition="is">googleadapis.l.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">imasdk.googleapis.com</QueryName> <!--Google [ https://developers.google.com/interactive-media-ads/docs/sdks/html5/ ] -->
+			<QueryName condition="is">l.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">ml314.com</QueryName> <!--Ads-->
+			<QueryName condition="is">mtalk.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">update.googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">www.googletagservices.com</QueryName>
+			<!--SocialNet-->
+			<QueryName condition="end with">.pscp.tv</QueryName> <!--Twitter:Periscope-->
+			<!--OSCP/CRL Common-->
+			<QueryName condition="contains">adsniper.ru</QueryName>
+			<QueryName condition="contains">cdnvideo.ru</QueryName>
+			<QueryName condition="contains">chat.minergate.com</QueryName>
+			<QueryName condition="contains">cwsa.minergate.com</QueryName>
+			<QueryName condition="contains">forum.minergate.com</QueryName>
+			<QueryName condition="contains">leadlab.click</QueryName>
+			<QueryName condition="contains">mc.yandex.ru</QueryName>
+			<QueryName condition="contains">pool.ntp.org</QueryName>
+			<QueryName condition="contains">vmg.host</QueryName>
+			<QueryName condition="contains">yandex.ru</QueryName>
+			<QueryName condition="end with">.adobe.com</QueryName>
+			<QueryName condition="end with">.autodesk.com</QueryName>
+			<QueryName condition="end with">.avast.com</QueryName>
+			<QueryName condition="end with">.avcdn.net</QueryName>
+			<QueryName condition="end with">.cdn.bitdefender.net</QueryName>
+			<QueryName condition="end with">.digicert.com</QueryName>
+			<QueryName condition="end with">.eset.com</QueryName>
+			<QueryName condition="end with">.globalsign.com</QueryName>
+			<QueryName condition="end with">.globalsign.net</QueryName>
+			<QueryName condition="end with">.intuit.com</QueryName>
+			<QueryName condition="end with">.java.com</QueryName>
+			<QueryName condition="end with">.macromedia.com</QueryName>
+			<QueryName condition="end with">.oracle.com</QueryName>
+			<QueryName condition="end with">.quickbooks.com</QueryName>
+			<QueryName condition="end with">.usertrust.com</QueryName>
+			<QueryName condition="end with">amazontrust.com</QueryName>
+			<QueryName condition="end with">ocsp.identrust.com</QueryName>
+			<QueryName condition="end with">pki.goog</QueryName>
+			<QueryName condition="is">ads.playground.xyz</QueryName>
+			<QueryName condition="is">citrixupdates.cloud.com</QueryName>
+			<QueryName condition="is">forticlient.fortinet.net</QueryName>
+			<QueryName condition="is">mft10.onbaseonline.com</QueryName>
+			<QueryName condition="is">msocsp.com</QueryName> <!--Microsoft:OCSP-->
+			<QueryName condition="is">ocsp.comodoca.com</QueryName>
+			<QueryName condition="is">ocsp.cybertrust.ne.jp</QueryName>
+			<QueryName condition="is">ocsp.entrust.net</QueryName>
+			<QueryName condition="is">ocsp.entrust.net</QueryName>
+			<QueryName condition="is">ocsp.godaddy.com</QueryName>
+			<QueryName condition="is">ocsp.int-x3.letsencrypt.org</QueryName>
+			<QueryName condition="is">ocsp.intel.com</QueryName>
+			<QueryName condition="is">ocsp.msocsp.com</QueryName> <!--Microsoft:OCSP-->
+			<QueryName condition="is">ocsp.quovadisglobal.com</QueryName>
+			<QueryName condition="is">ocsp.quovadisoffshore.com</QueryName>
+			<QueryName condition="is">ocsp.sectigo.com</QueryName>
+			<QueryName condition="is">ocsp.starfieldtech.com</QueryName>
+			<QueryName condition="is">ocsp.thawte.com</QueryName>
+			<QueryName condition="is">ocsp.trustwave.com</QueryName>
+			<QueryName condition="is">ocsp.verisign.com</QueryName>
+			<QueryName condition="is">pki-goog.l.google.com</QueryName>
+			<QueryName condition="is">pki.intel.com</QueryName>
+			<QueryName condition="is">scrootca1.ocsp.secomtrust.net</QueryName>
+			<QueryName condition="is">scrootca2.ocsp.secomtrust.net</QueryName>
+			<QueryName condition="is">stats.anchor.host</QueryName>
+			<QueryName condition="is">status.rapidssl.com</QueryName>
+			<QueryName condition="is">status.thawte.com</QueryName>
+			<QueryName condition="is">ts-ocsp.ws.symantec.com</QueryName>
+			<QueryName condition="is">upgrade.bitdefender.com</QueryName>
+		</DnsQuery>
+	</RuleGroup>
+	<!-- SYSMON EVENT ID 23 : File Delete and overwrite events which saves a copy to the archivedir: Includes -->
+	<!-- Default set to disabled due to disk space implications, enable with care!-->
+	<RuleGroup groupRelation="or">
+	  <FileDelete onmatch="include" />
+	</RuleGroup>
+	<!-- SYSMON EVENT ID 24 : Clipboard change events, only captures text, not files: Includes -->
+	<!-- Default set to disabled due to privacy implications and potential data you leave for attackers, enable with care!-->
+	<RuleGroup groupRelation="or">
+	  <ClipboardChange onmatch="include" />
+	</RuleGroup>
+	<!--SYSMON EVENT ID 25 : Process tampering events-->
+	<RuleGroup name="RG=Process Tampering Includes" groupRelation="or">
+		<ProcessTampering onmatch="include">
+			<Rule name="Level=0,Desc=Process Tampering Detected" groupRelation="and">
+				<Image condition="contains any">.;>;unknown;anonymous</Image>
+				<Image condition="excludes">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
+				<Image condition="excludes">C:\Program Files (x86)\Symantec\</Image>
+				<Image condition="excludes">C:\Program Files\Google\Chrome\Application\chrome.exe</Image>
+				<Image condition="excludes">C:\Program Files\Symantec\</Image>
+			</Rule>
+		</ProcessTampering>
+	</RuleGroup>
+	<RuleGroup name="RG=Process Tampering Excludes" groupRelation="or">
+		<ProcessTampering onmatch="exclude">
+			<Rule name="Level=0,Desc=exclude common noise" groupRelation="and">
+				<Image condition="contains any">\BHO\ie_to_edge_stub.exe;\Microsoft\Teams\;\Vivaldi\Application\;Google\Chrome\;Google\Update;BraveSoftware\Brave-Browser\;Edge\Application\;EdgeUpdate\Install\;Program Files\SmartGit\</Image>
+			</Rule>
+		</ProcessTampering>
+	</RuleGroup>
+	<!-- SYSMON EVENT ID 26 : File Delete and overwrite events, does NOT save the file: Includes -->
+	<RuleGroup groupRelation="or">
+		<FileDeleteDetected onmatch="include">
+		</FileDeleteDetected>
+	</RuleGroup>
+	<RuleGroup groupRelation="or">
+		<FileDeleteDetected onmatch="exclude">
+			<Image condition="contains all">\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
+			<User condition="contains any">NETWORK SERVICE; LOCAL SERVICE</User>
+		</FileDeleteDetected>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 27 : FILE BLOCK [FileBlockExecutable]-->
+	<RuleGroup name="RG=ImageBlock Include Group" groupRelation="or">
+		<FileBlockExecutable onmatch="include">
+			<Rule name="Level=0,Desc=Block Office from Creating Executables" groupRelation="and">
+				<Image condition="contains any">OUTLOOK.exe;WINWORD.exe;EXCEL.EXE;powerpnt.exe;msaccess.exe;mspub.exe;eqnedt32.exe;visio.exe;wordpad.exe;wordview.exe;msohtmed.exe;lync.exe;teams.exe</Image>
+				<TargetFilename condition="excludes any">:\Program Files\Microsoft Office\;:\Program Files (x86)\Microsoft Office\</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc=Block Web Servers from creating binary files" groupRelation="and">
+				<Image condition="contains any">w3wp.exe;tomcat;apache;nginx;httpd</Image>
+				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc=Block Powershell from downloading EXE" groupRelation="and">
+				<Image condition="contains any">powershell.exel;powershell_ise.exe</Image>
+				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc=Block double extensions" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="contains any">.pdf;.doc;.xls;.doc;.ppt;.txt;.rtf;.htm;.iso;.zip;.rar;.7z</TargetFilename>
+			</Rule>
+			<Rule name="Level=0,Desc=Block PSexec and PSEXESVC from Dropping binaries" groupRelation="or">
+				<Image condition="contains any">psexesvc</Image>
+				<Image condition="contains any">psexec</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Block wmiprvse.exe from Dropping binaries" groupRelation="or">
+				<Image condition="is">wmiprvse.exe</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Block executables from writing to Users\Public" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
+				<TargetFilename condition="excludes any">amdsfhdcd.bin</TargetFilename>
+				<Image condition="excludes any">intuit</Image>
+			</Rule>
+			<Rule name="Level=0,Desc=Block LOLbins that drop files" groupRelation="and">
+				<Image condition="contains any">AcroRd32.exe;notepad.exe;mshta.exe;hh.exe;certutil.exe;certoc.exe;certreq.exe;desktopimgdownldr.exe;esentutl.exe;finger.exe;presentationhost.exe;cscript.exe;wscript.exe;mspaint.exe;RdrCEF.exe</Image>
+			</Rule>
+		</FileBlockExecutable>
+	</RuleGroup>
 	</EventFiltering>
-</Sysmon>
+</Sysmon>
\ No newline at end of file

From 0cae025b4e618204e7c6a9266c0a3001d072310b Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Thu, 1 Sep 2022 17:31:56 -0400
Subject: [PATCH 340/471] Add Description, Forensic, CVE & False Positive Tag
 Descriptions

---
 sysmonconfig-export.xml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 79fd3ea8..9a8f2677 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -12,7 +12,7 @@
 				 Detect Exploitation events with wide CVE Coverage.
 				 Risk Scoring of CVE, UEBA, Forensic, MITRE ATT&CK Events.
 				 
-				 Tags Added:
+				 Primary Tags:
 				 Attack: Mitre ATT&CK Identifier
 				 Technique: Mitre ATT&CK Technique
 				 Tactic: Mitre ATT&CK Tactic
@@ -21,7 +21,12 @@
 				 Level: The level field contains one of five string values. It describes the criticality of a triggered rule. 
 				 While low and medium level events have an informative character, events with high and critical level should 
 				 lead to immediate reviews by security analysts.
-				 
+				 Desc: Description of non-alerting UEBA/Behavioral Based Rules
+				 Forensic: Forensic Artifacts
+				 CVE: CVE Vulnerability Identification
+				 FP: False Positive Rate
+
+				 Additional Tag Details:
 				 Rapid Response Tags: (for EDR/XDR/SIEM Response & Automation)
 				 kp=y 	Kill process with child processes
 				 kpp=y 	Kill Parent Processes & all Child Processes

From bb507c2e6c2d42a00f18a2d888970e002d87f82f Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Thu, 1 Sep 2022 17:33:41 -0400
Subject: [PATCH 341/471] Update Readme

---
 README.md | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 49da7d39..e28c6dfd 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,4 @@
-# Sysmon Threat Intelligence Configuration #
-See the develop Branch for more bleeding edge updates: https://github.com/ion-storm/sysmon-config/tree/develop
-
-This config is based off of the OR logic in sysmon 8.00 and 8.04, sysmon 8.02 breaks this functionality.  Also 8.00 introduced a memory leak that will consume all available memory on your system if you frequently reload the config file.  Upgrading to 8.04 is mandatory.
-
-This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing.
-
+# Sysmon ATT&CK Configuration #
 The file provided should function as a great starting point for system monitoring in a self-contained package. This configuration and results should give you a good idea of what's possible for Sysmon.
 
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**[sysmonconfig-export.xml](https://github.com/ion-storm/sysmon-config/blob/master/sysmonconfig-export.xml)**

From eb931cf94d85d6871cef14f0c953544f0329146b Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Thu, 1 Sep 2022 17:40:01 -0400
Subject: [PATCH 342/471] Update Sysmon installer. TODO: Create Powershell
 installer/updater script.

---
 Install Sysmon.bat | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/Install Sysmon.bat b/Install Sysmon.bat
index 5c0a7572..d14c506b 100644
--- a/Install Sysmon.bat	
+++ b/Install Sysmon.bat	
@@ -15,12 +15,12 @@ set tasktime=%hour%:%minute%
 mkdir C:\ProgramData\sysmon
 pushd "C:\ProgramData\sysmon\"
 echo [+] Downloading Sysmon...
-@powershell (new-object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon64.exe','C:\ProgramData\sysmon\sysmon64.exe')"
+@powershell (new-object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon.exe','C:\ProgramData\sysmon\sysmon.exe')"
 echo [+] Downloading Sysmon config...
-@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/develop/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
-@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/develop/Auto_Update.bat','C:\ProgramData\sysmon\Auto_Update.bat')"
-sysmon64.exe -accepteula -i sysmonconfig-export.xml
-sc failure Sysmon64 actions= restart/10000/restart/10000// reset= 120
+@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
+@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/master/Auto_Update.bat','C:\ProgramData\sysmon\Auto_Update.bat')"
+sysmon.exe -accepteula -i sysmonconfig-export.xml
+sc failure Sysmon actions= restart/10000/restart/10000// reset= 120
 echo [+] Sysmon Successfully Installed!
 echo [+] Creating Auto Update Task set to Hourly..
 SchTasks /Create /RU SYSTEM /RL HIGHEST /SC HOURLY /TN Update_Sysmon_Rules /TR C:\ProgramData\sysmon\Auto_Update.bat /F /ST %tasktime%

From 6adec6b4b79c3e6a0a2669a4c388baf334e13348 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Thu, 1 Sep 2022 18:04:45 -0400
Subject: [PATCH 343/471] fixed old updater, will convert to powershell in
 future updates.

---
 Auto_Update.bat | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Auto_Update.bat b/Auto_Update.bat
index 39d3b0cc..25685148 100644
--- a/Auto_Update.bat
+++ b/Auto_Update.bat
@@ -1,5 +1,5 @@
 @echo on
 cd C:\ProgramData\sysmon\
-@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/develop/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
+@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
 sysmon64 -c sysmonconfig-export.xml
 exit

From 173af9bd74ddc456a32be593473a655297453d5c Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 6 Sep 2022 17:55:22 -0400
Subject: [PATCH 344/471] Add some missing Tactics, a few new detections.

---
 sysmonconfig-export.xml | 153 ++++++++++++++++++++++------------------
 1 file changed, 84 insertions(+), 69 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 9a8f2677..456f6d97 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -180,11 +180,11 @@
 				<ParentImage condition="contains any">C:\Windows\Temp\hpqhvind.exe;C:\ProgramData\DRM\;Test.exe</ParentImage>
 				<Image condition="contains any">C:\ProgramData\DRM;wmplayer.exe;C:\ProgramData\DRM\CLR\CLR.EXE</Image>
 			</Rule>
-			<Rule name="T1204,Technique=User Execution,Tactic=Execution,UEBA=Registry Editor Opened by user,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,UEBA=Registry Editor Opened by user,Risk=70" groupRelation="and">
 				<Image condition="image">regedit.exe</Image>
 				<ParentImage condition="image">explorer.exe</ParentImage>
 			</Rule>
-			<Rule name="T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Generic User Execution,Risk=1" groupRelation="and">
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Generic User Execution,Risk=1" groupRelation="and">
 				<ParentImage condition="image">explorer.exe</ParentImage>
 			</Rule>
 			<Rule name="UEBA=Unusual Child Process,Risk=30" groupRelation="and">
@@ -510,9 +510,9 @@
 			<CommandLine name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass" condition="contains">Invoke-PsUaCme</CommandLine>
 			<CommandLine name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass" condition="contains">BypassUAC</CommandLine>
 			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Powerup Command Line events" condition="contains">PowerUp</CommandLine>
-			<OriginalFileName name="Technique=T1548.002,Technique=Bypass User Account Control" condition="is">computerdefaults.exe</OriginalFileName>
-			<OriginalFileName name="Technique=T1548.002,Technique=Bypass User Account Control" condition="is">dism.exe</OriginalFileName>
-			<ParentImage name="Technique=T1548.002,Technique=Bypass User Account Control" condition="is">fodhelper.exe</ParentImage>
+			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">computerdefaults.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">dism.exe</OriginalFileName>
+			<ParentImage name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">fodhelper.exe</ParentImage>
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
 			<Rule name="Attack=T1088,Technique=Access Token Manipulation,Tactic=Privilege Escalation,Risk=90,Level=3,Alert=Priv Escalation to System" groupRelation="and">
 				<ParentUser condition="contains any">NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</ParentUser>
@@ -664,8 +664,8 @@
 
 			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</Image>
 			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Level=0,Desc=Bash on Windows Execution,Risk=30" condition="image">bash.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Level=0,Desc=Bash on windows execution,Risk=30" condition="image">bash.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Bash on Windows Execution,Risk=30" condition="image">bash.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Bash on windows execution,Risk=30" condition="image">bash.exe</ParentImage>
 			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Indirect Command Execution with forfiles" condition="image">forfiles.exe</Image>
 			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Indirect command execution forfiles child process" condition="image">forfiles.exe</ParentImage>
 			<Image name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">.com</Image>
@@ -764,7 +764,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
 			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
 			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<CommandLine name="Attack=T1055,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement,Level=4,Alert=Powershell Injection persistence bypass,Risk=50" condition="contains">System.Management.Automation</CommandLine>
+			<CommandLine name="Attack=T1055,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement,Tactic=Defense Evasion,Level=4,Alert=Powershell Injection persistence bypass,Risk=50" condition="contains">System.Management.Automation</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
 			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
 			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
@@ -1243,8 +1243,8 @@
 			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
 			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
 			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking: RDP Hijacking-->
-			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Level=4,Alert=Remote Desktop Shadow Alert,Risk=100" condition="contains any">/shadow;-shadow</CommandLine>
-			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Level=4,Alert=Remote Desktop Shadow with no Consent alert" condition="contains">noConsentPrompt</CommandLine>
+			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,Level=4,Alert=Remote Desktop Shadow Alert,Risk=100" condition="contains any">/shadow;-shadow</CommandLine>
+			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,Level=4,Alert=Remote Desktop Shadow with no Consent alert" condition="contains">noConsentPrompt</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
 			<Rule name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,Level=4,Alert=RDP Hijack Detected" groupRelation="and">
 				<ParentImage name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,Level=4,Alert=RDP Hijack Detected,Risk=100" condition="image">tscon.exe</ParentImage>
@@ -1470,8 +1470,8 @@
 			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
 			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
 			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
-			<CommandLine name="Attack=T1090,Technique=Connection Proxy,Level=4,Alert=NetSH PortProxy,Risk=70" condition="contains">portproxy</CommandLine>
-			<Image name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Defense Evasion,Level=4,Alert=Tor Detected,Risk=100" condition="image">tor.exe</Image><!-- Tor-->
+			<CommandLine name="Attack=T1090,Technique=Connection Proxy,Tactic=Command and Control,Level=4,Alert=NetSH PortProxy,Risk=70" condition="contains">portproxy</CommandLine>
+			<Image name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Command and Control,Level=4,Alert=Tor Detected,Risk=100" condition="image">tor.exe</Image><!-- Tor-->
 			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
 			<Image name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Unattended Session" condition="image">TeamViewer_Desktop.exe</Image>
 			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=4,Alert=PSExec Command,Risk=100" groupRelation="and">
@@ -1691,12 +1691,12 @@
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">popd.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">pushd.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">subst.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=detect aliases" condition="image">doskey.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=detect cls in batch scripts" condition="image">cls.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=UNC\Device Launches - Image begins with \,Risk=10" condition="begin with">\</Image> 
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=detect aliases" condition="image">doskey.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=detect cls in batch scripts" condition="image">cls.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=UNC\Device Launches - Image begins with \,Risk=10" condition="begin with">\</Image> 
 			<Image name="Level=0,Desc=Auditpol System Audit Policy Change - Should be set via group policy instead" condition="image">auditpol.exe</Image><!-- Auditpol-->
 			<ParentCommandLine name="Level=0,Desc=IIS Child Processes" condition="begin with">C:\Windows\system32\svchost.exe -k iissvcs</ParentCommandLine>
-			<ParentImage name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=UNC\Device Launches - Parent Image begins with \,Risk=10" condition="begin with">\</ParentImage> 
+			<ParentImage name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=UNC\Device Launches - Parent Image begins with \,Risk=10" condition="begin with">\</ParentImage> 
 			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Acrobat" condition="image">acrobat.exe</ParentImage>
 			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Adobe Reader" condition="image">acrord32.exe</ParentImage>
 			<ParentImage name="Level=0,Desc=Process Spawned from JAVA" condition="image">java.exe</ParentImage>
@@ -1709,8 +1709,8 @@
 			<Rule  name="Level=0,Desc=SVCHost Processes" groupRelation="and">
 				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
 			</Rule>
-			<Image name="Attack=T1222,Technique=File Permissions Modification,Level=0,Desc=Permission Modifications with icacls or cacls" condition="contains">cacls</Image>
-			<Image name="Attack=T1222,Technique=File Permissions Modification,Level=0,Desc=Ownership Permission Modifications with takeown" condition="contains">takeown</Image>
+			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Permission Modifications with icacls or cacls" condition="contains">cacls</Image>
+			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Ownership Permission Modifications with takeown" condition="contains">takeown</Image>
 			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
 			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: Pipe">\pipe\</CommandLine>
 			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
@@ -1755,12 +1755,12 @@
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
 	<RuleGroup name="RG=FileCreateTime Include Group" groupRelation="or">
 		<FileCreateTime onmatch="include">
-			<Image name="Attack=T1070.006,Technique=Timestomp" condition="begin with">C:\Users</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp" condition="begin with">C:\ProgramData</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp" condition="contains">\Temp\</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp" condition="contains">\tmp\</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp" condition="contains">\drivers\</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp" condition="contains">\Download</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="begin with">C:\Users</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="begin with">C:\ProgramData</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\Temp\</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\tmp\</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\drivers\</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\Download</Image>
 		</FileCreateTime>
 	</RuleGroup>
 	<RuleGroup name="RG=FileCreateTime Exclude Group" groupRelation="or">
@@ -2080,6 +2080,16 @@
 				<Image condition="excludes">thor64.exe</Image>
 				<Image condition="excludes">thor.exe</Image>
 			</Rule>
+			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Localhost RDP Tunneling Detection,Risk=70" groupRelation="and">
+				<Initiated>true</Initiated>
+				<DestinationPort condition="is">3389</DestinationPort>
+				<DestinationIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</DestinationIp>
+			</Rule>
+			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Link-Local RDP Tunnel Detection,Risk=70" groupRelation="and">
+				<Initiated>true</Initiated>
+				<DestinationPort condition="is">3389</DestinationPort>
+				<DestinationIp condition="begin with">fe80:0</DestinationIp>
+			</Rule>
 			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=SSH Connection with Putty,Risk=80" groupRelation="and">
 				<Image condition="contains any">putty.exe;kitty.exe;kitty_portable.exe</Image><!-- SSH -->
 			</Rule>
@@ -2590,12 +2600,17 @@
 			<Rule name="Level=0,Desc=Suspicious Process Loading ntkrnlmp.exe,Risk=50" groupRelation="and">
 				<ImageLoaded condition="image">ntkrnlmp.exe</ImageLoaded>
 			</Rule>
-			<Rule name="T1203,Technique=Exploitation for Client Execution,Tactic=Execution,CVE=CVE-2021-1675,Level=0,Desc=Printer Expoit,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,CVE=CVE-2021-1675,Level=0,Desc=Printer Expoit,Risk=100" groupRelation="and">
 				<ImageLoaded condition="contains any">\spool\drivers\x64\3\;\spool\drivers\W32X86\3\;\spool\drivers\IA64\3\</ImageLoaded>
 				<Image condition="contains any">spoolsv.exe;printisolationhost.exe</Image>
 				<SignatureStatus condition="excludes">Valid</SignatureStatus>
 				<Company condition="excludes any">Brother Industries;Canon;Sharp;Microsoft Corporation;DYMO;Euro Plus d.o.o;HP Inc;Hewlett-Packard</Company>
 			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=0,Desc=DLL Image Load by System in Suspicious Locations" groupRelation="and">
+				<Image condition="begin with">C:\Windows\</Image>
+				<ImageLoaded condition="contains any">\Users\Public\;\Desktop\;\Downloads\;\AppData\Local\Temp\;\PerfLogs\;$Recycle;\Fonts\</ImageLoaded>
+				<ImageLoaded condition="excludes any">\Program Files</ImageLoaded>
+			</Rule>
 			<Rule name="Level=0,Desc=Equation editor loading itself,Risk=50" groupRelation="and">
 				<Image condition="image">EQNEDT32.EXE</Image>
 				<ImageLoaded condition="contains">EQNEDT32.EXE</ImageLoaded>
@@ -2889,24 +2904,24 @@
 	<RuleGroup name="RG=ProcessAccess Include Group" groupRelation="or">
 		<ProcessAccess onmatch="include">
 			<!--Custom Rules-->
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Level=0,Desc=CSShellExecute_ExecuteAssoc,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CSShellExecute_ExecuteAssoc,Risk=30" groupRelation="and">
 				<CallTrace condition="contains">C:\Windows\System32\SHELL32.dll+9b5bd</CallTrace>
 				<TargetImage condition="excludes">\LocalBridge.exe</TargetImage>
 			</Rule>
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Level=0,Desc=WSHellExec,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSHellExec,Risk=50" groupRelation="and">
 				<CallTrace condition="contains any">C:\Windows\System32\wshom.ocx+c8a0;C:\Windows\System32\wshom.ocx+c39d</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Level=0,Desc=CWbemProviderGlueExecMethodAsync,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Tactic=Execution,Level=0,Desc=CWbemProviderGlueExecMethodAsync,Risk=50" groupRelation="and">
 				<CallTrace condition="contains">C:\Windows\SYSTEM32\framedynos.dll+2cb3e</CallTrace>
 				<TargetImage condition="excludes any">C:\Windows\system32\SgrmBroker.exe;C:\Windows\system32\SecurityHealthService.exe;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Windows\system32\services.exe;C:\Windows\system32\wininit.exe;C:\Windows\system32\sppsvc.exe;C:\Windows\System32\smss.exe;C:\Windows\system32\csrss.exe;C:\Windows\System32\svchost.exe</TargetImage>
 			</Rule>
-			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Level=0,Desc=ProviderExecMethod 1,Risk=60" groupRelation="and">
+			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Tactic=Execution,Level=0,Desc=ProviderExecMethod 1,Risk=60" groupRelation="and">
 				<CallTrace condition="contains">C:\Windows\SYSTEM32\framedynos.dll+2b496</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Level=0,Desc=MiniDumpWriteDump,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=MiniDumpWriteDump,Risk=50" groupRelation="and">
 				<CallTrace condition="contains">C:\Windows\SYSTEM32\dbgcore.DLL+6cfb</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Level=0,Desc=PssCaptureSnapShot,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=PssCaptureSnapShot,Risk=50" groupRelation="and">
 				<CallTrace condition="contains">C:\Windows\System32\KernelBase.dll+de67e</CallTrace>
 			</Rule>
 			<Rule name="Level=0,Desc=Dotnet Debugging detected,Risk=30" groupRelation="and">
@@ -2927,7 +2942,7 @@
 				<CallTrace condition="contains all">"UNKNOWN</CallTrace>
 				<GrantedAccess condition="contains any">0x1F0FFF;0x1F1FFF;0x143A;0x1410;0x1010;0x1F2FFF;0x1F3FFF;0x1FFFFF</GrantedAccess>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Level=0,Desc=Office Macro Injection Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=Office Macro Injection Detected,Risk=100" groupRelation="and">
 				<SourceImage condition="contains all">C:\Program Files;\Microsoft Office\Root\Office</SourceImage>
 				<CallTrace condition="contains">\Microsoft Shared\VBA</CallTrace>
 				<TargetImage condition="excludes">C:\Program Files (x86)\Intuit\</TargetImage>
@@ -3040,11 +3055,11 @@
 				<CallTrace condition="contains any">|UNKNOWN(</CallTrace>
 				<GrantedAccess condition="contains">0x1FFFFF</GrantedAccess>
 			</Rule>
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Level=0,Desc=CreateProcessW,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CreateProcessW,Risk=70" groupRelation="and">
 				<SourceImage condition="contains">C:\Program Files\Microsoft Office\Root\Office</SourceImage>
 				<CallTrace condition="contains">C:\Windows\System32\KERNELBASE.dll+76516</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Level=0,Desc=CSShellExecute_DoExecute,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CSShellExecute_DoExecute,Risk=30" groupRelation="and">
 				<CallTrace condition="contains" >C:\Windows\System32\SHELL32.dll+ae3b9</CallTrace>
 				<TargetImage condition="excludes">C:\WINDOWS\system32\sihost.exe</TargetImage>
 				<TargetImage condition="excludes">C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub</TargetImage>
@@ -3170,22 +3185,22 @@
 			
 			<!--MITRE ATT&CK TACTIC: Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=Batch File scripting: Batch scripts" condition="end with">.bat</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=Batch scripting: Legacy btm Extension" condition="end with">.btm</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=Batch scripting: Legacy cmd Extension" condition="end with">.cmd</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=Batch scripting: Legacy com Extension" condition="end with">.com</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=CMDLine File Created" condition="end with">.cmdline</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=Batch File Created" condition="end with">.bas</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=BIN file created" condition="end with">.bin</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=WS Scripting" condition="end with">.ws</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=WSC Scripting" condition="end with">.wsc</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=WSF Scripting" condition="end with">.wsf</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=WSH Scripting" condition="end with">.wsh</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=PIF Scripting" condition="end with">.pif</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch File scripting: Batch scripts" condition="end with">.bat</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch scripting: Legacy btm Extension" condition="end with">.btm</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch scripting: Legacy cmd Extension" condition="end with">.cmd</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch scripting: Legacy com Extension" condition="end with">.com</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CMDLine File Created" condition="end with">.cmdline</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch File Created" condition="end with">.bas</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=BIN file created" condition="end with">.bin</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WS Scripting" condition="end with">.ws</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSC Scripting" condition="end with">.wsc</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSF Scripting" condition="end with">.wsf</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSH Scripting" condition="end with">.wsh</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=PIF Scripting" condition="end with">.pif</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: MSHTA-->
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Level=0,Desc=MSHTA Scripting" condition="end with">.hta</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=MSHTA Scripting" condition="end with">.hta</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
 			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=IronPython,Risk=90" condition="contains">IronPython</TargetFilename>
 			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=Python" condition="end with">.py</TargetFilename>
@@ -3212,12 +3227,12 @@
 			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Powershell Console History" condition="end with">PSReadLine\ConsoleHost_history.txt</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
 			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=vbs script created" condition="end with">.vbs</TargetFilename>
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Level=0,Desc=Java JRE Timestamp usage for DFIR" condition="contains">.oracle_jre_usage\</TargetFilename>
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Level=0,Desc=JavaScript" condition="end with">.js</TargetFilename>
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Level=0,Desc=JavaScript" condition="end with">.jse</TargetFilename>
-			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Level=0,Desc=VisualBasicScripting" condition="end with">.vb</TargetFilename>
-			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Level=0,Desc=VisualBasicScripting" condition="end with">.vbe</TargetFilename>
-			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Level=0,Desc=VisualBasicScripting" condition="end with">.vbsript</TargetFilename>
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=Java JRE Timestamp usage for DFIR" condition="contains">.oracle_jre_usage\</TargetFilename>
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=JavaScript" condition="end with">.js</TargetFilename>
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=JavaScript" condition="end with">.jse</TargetFilename>
+			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,Level=0,Desc=VisualBasicScripting" condition="end with">.vb</TargetFilename>
+			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,Level=0,Desc=VisualBasicScripting" condition="end with">.vbe</TargetFilename>
+			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,Level=0,Desc=VisualBasicScripting" condition="end with">.vbsript</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
 			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
@@ -3268,8 +3283,8 @@
 			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<TargetFilename name="Attack=T1547.001,Technique=Registry Run Keys / Startup Folder,Tactic=Persistence,Level=3,Alert=Autorun Folder Entries" condition="contains">\Programs\Startup\</TargetFilename>
-			<TargetFilename name="Attack=T1547.001,Technique=Registry Run Keys / Startup Folder,Tactic=Persistence,Level=3,Alert=Autorun Folder Entries" condition="contains">\Startup\</TargetFilename>
+			<TargetFilename name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,Level=3,Alert=Autorun Folder Entries" condition="contains">\Programs\Startup\</TargetFilename>
+			<TargetFilename name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,Level=3,Alert=Autorun Folder Entries" condition="contains">\Startup\</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
 			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
 			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
@@ -3412,15 +3427,15 @@
 			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Compiled HTML File-->
-			<TargetFilename name="Attack=T1223,Technique=Compiled HTML File,Tactic=Defense Evasion/Execution" condition="end with">.chm</TargetFilename>
+			<TargetFilename name="Attack=T1223,Technique=Compiled HTML File,Tactic=Defense Evasion" condition="end with">.chm</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
 			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
 			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
 			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
-			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution" condition="end with">proj</TargetFilename>
-			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution" condition="end with">.sln</TargetFilename>
+			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion" condition="end with">proj</TargetFilename>
+			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion" condition="end with">.sln</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
 			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
@@ -4142,12 +4157,12 @@
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Services and autoruns imagepath" condition="end with">\ImagePath</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Windows Service DLL changes" condition="end with">\ServiceDll</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Manifest pointing to service's DLL" condition="end with">\ServiceManifest</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys" condition="begin with">hkcu\software\microsoft\windows nt\currentversion\windows\run\</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\common startup</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\startup</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys" condition="begin with">hklm\software\microsoft\command processor\autorun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys" condition="contains all">hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys" condition="contains">Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hkcu\software\microsoft\windows nt\currentversion\windows\run\</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\common startup</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\startup</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hklm\software\microsoft\command processor\autorun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="contains all">hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="contains">Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Print Processors-->
 			<TargetObject name="Attack=T1013,Technique=Port Monitors,Tactic=Persistence/Privilege Escalation" condition="contains">\Print\Monitors</TargetObject>
 			<!--<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">\Printers\Connections</TargetObject>
@@ -4902,8 +4917,8 @@
 			<!-- NOTICE: Detect New USB Network Devices: Poison Tap: Creates lots of noise, disabled for now
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
 			-->
-			<TargetObject name="Attack=T1090,Technique=Connection Proxy,Level=0,Desc=NetSH PortProxy Detected" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4</TargetObject>
-			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion/Privilege Escalation,Alert=Possible Ursniff Malware Detected,FP=1" condition="contains">\Software\AppDataLow\Software\Microsoft\</TargetObject>
+			<TargetObject name="Attack=T1090,Technique=Connection Proxy,Tactic=Defense Evasion,Level=0,Desc=NetSH PortProxy Detected" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4</TargetObject>
+			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Alert=Possible Ursniff Malware Detected,FP=1" condition="contains">\Software\AppDataLow\Software\Microsoft\</TargetObject>
 			<TargetObject name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=4,Alert=Office Persistence Location,Risk=70" condition="end with">Software\Microsoft\Office test\Special\Perf</TargetObject>
 			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\CurrentControlSet\Services\NTDS\LsaDbExtPt</TargetObject>
 			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\Services\NTDS\DirectoryServiceExtPt</TargetObject>
@@ -5099,7 +5114,7 @@
 	<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
 	<RuleGroup name="RG=WmiEvent Include Group" groupRelation="or">
 		<WmiEvent onmatch="include">
-			<Operation name="Attack=T1047,Technique=Windows Management Instrumentation" condition="is">Created</Operation>
+			<Operation name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="is">Created</Operation>
 		</WmiEvent>
 	</RuleGroup>
 	<!-- SYSMON EVENT ID 22 : DNS Queries-->

From 7f2d1ae9a07d9ec219a2aea0a35d18839d272a30 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Wed, 7 Sep 2022 19:59:25 -0400
Subject: [PATCH 345/471] Misc Updates

---
 sysmonconfig-export.xml | 376 +++++++++++++++++++++++++++++++---------
 1 file changed, 295 insertions(+), 81 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 456f6d97..bc589ddb 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -62,6 +62,13 @@
 				 (1) Some False Positives rate
 				 (2) Medium False Positive rate
 				 (3) High False Positive rate
+				 
+				 Properly Escape in XML:
+				 < &lt;
+				 > &gt;
+				 " &quot;
+				 ' &apos;
+				 & &amp;
 -->
 <Sysmon schemaversion="4.82">
 	<HashAlgorithms>md5,sha256,imphash</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
@@ -97,6 +104,10 @@
 			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
 
 			<!--MITRE ATT&CK TACTIC: Resource Development-->
+			<Rule name="Attack=T1587,Technique=Develop Capabilities,Tactic=Resource Development,Alert=PurpleSharp Indicator,Risk=40" groupRelation="or">
+				<CommandLine condition="contains any">PurpleSharp;xyz123456</CommandLine> 
+				<OriginalFileName condition="contains any">PurpleSharp</OriginalFileName> 
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
 			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
 			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
@@ -111,9 +122,76 @@
 			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
 
 			<!--MITRE ATT&CK TACTIC: Initial Access-->
+			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Executed files within Outlook Attachments,Risk=30" groupRelation="and">
+				<Image condition="contains">C:\Users\</Image>
+				<Image condition="contains">Content.Outlook</Image>
+			</Rule>
+			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Arbitrary Shell Command Execution Via Settingcontent-Ms,Risk=30" groupRelation="and">
+				<CommandLine condition="contains">.SettingContent-ms</CommandLine>
+				<CommandLine condition="excludes">immersivecontrolpanel</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Double File Extension,Risk=100" groupRelation="or">
+				<Image condition="end with">.doc.exe</Image>
+				<Image condition="end with">.docx.exe</Image>
+				<Image condition="end with">.docx.exe</Image>
+				<Image condition="end with">.xls.exe</Image>
+				<Image condition="end with">.xlsx.exe</Image>
+				<Image condition="end with">.ppt.exe</Image>
+				<Image condition="end with">.pptx.exe</Image>
+				<Image condition="end with">.rtf.exe</Image>
+				<Image condition="end with">.pdf.exe</Image>
+				<Image condition="end with">.txt.exe</Image>
+				<Image condition="end with">      .exe</Image>
+				<Image condition="end with">______.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Suspicious HWP Sub Processes,Risk=70" groupRelation="and">
+				<ParentImage condition="image">Hwp.exe</ParentImage>
+				<Image condition="image">gbb.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
 			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,CVE=CVE-2020-1350,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
+				<ParentCommandLine condition="contains all">svchost.exe;termsvcs</ParentCommandLine>
+				<Image condition="excludes any">rdpclip.exe;csrss.exe;wininit.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,CVE=CVE-2020-1350,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
+				<ParentImage condition="image">dns.exe</ParentImage>
+				<Image condition="excludes any">werfault.exe;conhost.exe;dnscmd.exe;dns.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1190,Tactic=Initial Access,Technique=Exploit Public-Facing Application,CVE=CVE-2019-0708,Level=4,Alert=Terminal Service Process Spawn,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">UMWorkerProcess.exe;UMService.exe</ParentImage>
+				<CommandLine condition="excludes any">perfenabled</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1190,Tactic=Initial Access,Technique=Exploit Public-Facing Application,CVE=CVE-2021-26857,Level=4,Alert=HAFNIUM APT Exchange UMS Process,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">UMWorkerProcess.exe;UMService.exe</ParentImage>
+				<CommandLine condition="excludes any">perfenabled</CommandLine>
+				<Image condition="excludes any">wemgr.exe;werfault.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=wwwroot Web Server Exploitation Detected,Risk=100" groupRelation="and">
+				<Image condition="contains any">\wwwroot\</Image>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Atlassian Confluence Remote Exploit,Risk=100,CVE=CVE-2021-26084" groupRelation="and">
+				<ParentImage condition="end with">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
+				<CommandLine condition="contains any">cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Generic Java Webapp Remote Exploit,Risk=100" groupRelation="and">
+				<ParentImage condition="image">\jre\bin\java.exe</ParentImage>
+				<Image condition="contains any">cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe</Image>
+				<!--Allow Confluence Rule to fire-->
+				<ParentImage condition="excludes">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Generic Java keytool Exploit,Risk=100" groupRelation="and">
+				<ParentImage condition="image">keytool.exe</ParentImage>
+				<Image condition="contains any">cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Apache Spark Exploit,CVE=CVE-2022-33891,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">bash.exe;cmd.exe;powershell.exe;pwsh.exe</ParentImage>
+				<CommandLine condition="contains any">id -Gn `;id /Gn `;id -Gn ';id /Gn '</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<Rule name="Attack=T1133,Technique=External Remote Services,Tactic=Initial Access,Level=2,Alert=Screenconnect Remote Access,Risk=50" groupRelation="and">
+				<CommandLine condition="contains all">e=Access&amp;;y=Guest&amp;;&amp;p=;&amp;c=;&amp;k=</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
 			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
 			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
@@ -131,10 +209,12 @@
 				<CommandLine condition="contains any">call set priority;call terminate;product get name;bios, get serialNumber;BIOS GET SERIALNUMBER;onboarddevice get;useraccount where name;useraccount get;path win32_networkadapter where index=;process list;useraccount get /ALL;useraccount list;qfe get description,installedOn /format:csv;process get caption,executablepath,commandline;service get name,displayname,pathname,startmode;share list;win32_share</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
+			<!-- Disabled for now
 			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,UEBA=Execution Command Line tools by user,Risk=45" groupRelation="and">
 				<Image condition="contains any">\cmd.exe;WindowsTerminal;powershell</Image>
 				<ParentImage condition="image">explorer.exe</ParentImage>
 			</Rule>
+			-->
 			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,UEBA=Powershell as cmd.exe child process,Risk=39" groupRelation="and">
 				<ParentImage condition="image">cmd.exe</ParentImage>
 				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
@@ -184,11 +264,13 @@
 				<Image condition="image">regedit.exe</Image>
 				<ParentImage condition="image">explorer.exe</ParentImage>
 			</Rule>
+			<!-- Disabled for now
 			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Generic User Execution,Risk=1" groupRelation="and">
 				<ParentImage condition="image">explorer.exe</ParentImage>
 			</Rule>
+			-->
 			<Rule name="UEBA=Unusual Child Process,Risk=30" groupRelation="and">
-				<Image condition="is any">svchost.exe;spoolsv.exe;taskhostw.exe;userinit.exe;smss.exe;csrss.exe;wininit.exe;winlogon.exe;lsass.exe;logonui.exe;services.exe</Image>
+				<Image condition="is any">svchost.exe;taskhostw.exe;userinit.exe;smss.exe;csrss.exe;wininit.exe;winlogon.exe;lsass.exe;logonui.exe;services.exe</Image>
 				<Image condition="contains any">C:\windows\System32\;C:\windows\syswow64\</Image>
 				<ParentImage condition="excludes any">wininit.exe;winlogon.exe;services.exe;dwm.exe;System;smss.exe;svchost.exe</ParentImage>
 			</Rule>
@@ -273,7 +355,7 @@
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=SQL Server Exploitation Detected,Risk=100" groupRelation="and">
 				<ParentImage condition="contains any">sqlservr</ParentImage>
-				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe</Image>
+				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;sh.exe;bash.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office MSHTML Exploit,Risk=100,CVE=CVE-2021-40444" groupRelation="and">
 				<ParentImage condition="contains any">winword.exe;powerpnt.exe;excel.exe</ParentImage>
@@ -359,6 +441,10 @@
 				<CommandLine condition="contains">create</CommandLine>
 				<CurrentDirectory condition="excludes any">\NIC_Emulex_Firmware\;C:\Windows\Temp\ExchangeSetup\</CurrentDirectory>
 			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence/Privilege Escalation,Level=2,Alert=Service binpath modification,Risk=100" groupRelation="and">
+				<Image condition="image">sc.exe</Image>
+				<CommandLine condition="contains all">config;binpath</CommandLine>
+			</Rule>
 			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Privilege Escalation,Level=3,Alert=Shell as System Service,Risk=100" groupRelation="and">
 				<Image condition="contains any">cmd.exe;powershell.exe</Image>
 				<ParentImage condition="image">services.exe</ParentImage>
@@ -371,10 +457,19 @@
 				<Description condition="contains">PsExec Service</Description> 
 				<Description condition="contains">PsExec Launched</Description> 
 			</Rule>
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=Sysinternals Initial Tool Execution,Risk=100" groupRelation="or">
+				<CommandLine condition="contains">accepteula</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec SYSTEM Execution,Risk=100" groupRelation="and">
+				<Description condition="contains">Execute processes remotely</Description>
+				<CommandLine condition="contains any">-s;/s</CommandLine>
+			</Rule>
 			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec Child Process,Risk=100" condition="image">psexec.exe</ParentImage>
 			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=2,Alert=PSKill Execution,Risk=100" condition="image">pskill.exe</ParentImage>
 			<Image name="Attack=T1035,Technique=Service Execution,Tactic=Execution,Level=2,Alert=PsKill Command" condition="contains">pskill</Image><!--Detect pskill-->
-
+			<Rule name="Attack=T1569.002,Technique=System Services,Tactic=Execution,Level=3,Alert=Remote Procedure Call Service Anomaly,Risk=75" groupRelation="and">
+				<ParentCommandLine condition="contains all">C:\WINDOWS\system32\svchost.exe;RPCSS</ParentCommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
 			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=AstraRoth Command Line detection" groupRelation="and">
 				<CommandLine condition="contains">&amp;&amp; type</CommandLine>
@@ -467,7 +562,7 @@
 			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
 			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike GetSystem escalation Detected" groupRelation="and">
 				<Image condition="image">cmd.exe</Image>
-				<CommandLine condition="contains all">echo;\pipe\;></CommandLine>
+				<CommandLine condition="contains all">echo;\pipe\;&gt;</CommandLine>
 			</Rule>
 			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike PSexec dll copy detected" groupRelation="and">
 				<Image condition="image">cmd.exe</Image>
@@ -685,6 +780,22 @@
 				<OriginalFileName condition="is">regedit.exe</OriginalFileName>
 				<CommandLine condition="contains">:</CommandLine>
 			</Rule>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=REG Registry Deletions" groupRelation="and">
+				<Image condition="image">reg.exe</Image>
+				<CommandLine condition="contains">delete </CommandLine>
+			</Rule>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Regedit Registry Deletions" groupRelation="and">
+				<Image condition="image">regedit.exe</Image>
+				<CommandLine condition="contains any">/d;-d</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Powershell Registry Deletions" groupRelation="and">
+				<CommandLine condition="contains any">HKCU:;HKLM</CommandLine>
+				<CommandLine condition="contains">remove-item</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Powershell Registry Modifications" groupRelation="and">
+				<CommandLine condition="contains any">HKCU:;HKLM</CommandLine>
+				<CommandLine condition="contains">set-item;new-item</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
 			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
@@ -1034,6 +1145,36 @@
 				<CommandLine condition="contains all">netsh;trace;start;capture=yes</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Access with vss shadow copy,Risk=100" groupRelation="and">
+				<Image condition="image">vssadmin.exe</Image>
+				<CommandLine condition="contains any">create;shadow</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential access with wmic shadow copy creation,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains all">shadowcopy;call;create</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential access with wmic esentutl,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains all">call;create;esentutl;vss</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Powershell shadow copy creation,Risk=100" groupRelation="and">
+				<CommandLine condition="contains all">win32_shadowcopy;create;clientaccessible</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Symlink to Shadowcopy,Risk=100" groupRelation="and">
+				<CommandLine condition="contains all">mklink;GLOBALROOT;Shadow</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Copy of NTDS.dit from vss shadow copy,Risk=100" groupRelation="or">
+				<CommandLine condition="contains all">copy;NTDS\ntds.dit</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=ntdsutil credential dumping,Risk=100" groupRelation="or">
+				<Image condition="image">ntdsutil.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Copy of SYSTEM Registry from vss shadow copy,Risk=100" groupRelation="or">
+				<CommandLine condition="contains all">copy;System32\config\SYSTEM</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Malicious Reg Save Credential Dumping,Risk=100" groupRelation="or">
+				<CommandLine condition="contains all">reg;save;HKLM</CommandLine>
+			</Rule>
 			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" groupRelation="and">
 				<CommandLine condition="contains any">mimikatz;mimidrv;mimilove;mimilib;sekurlsa;lsadump;dumpcreds;privilege::;token::;logonpasswords;mimikittenz;mimiauth;::;kerberos::;misc::skeleton;privilege::debug;dpapi::cred;vault::cred;lsadump;misc::;Krbtgt;TOKEN::;invoke-mimi</CommandLine>
 			</Rule>
@@ -1145,6 +1286,54 @@
 			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,Level=2,Alert=Pathping Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">pathping.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Software Discovery: Security Software Discovery-->
+			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,Alert=Sysmon Detection with driver altitude " groupRelation="or">
+				<CommandLine condition="contains all">find;385201</CommandLine>
+				<CommandLine condition="contains all">select-string;385201</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,Alert=Antivirus/edr/siem Discovery" groupRelation="or">
+				<CommandLine condition="contains all">find;virus</CommandLine>
+				<CommandLine condition="contains all">select-string;virus</CommandLine>
+				<CommandLine condition="contains all">process;Description;virus</CommandLine>
+				<CommandLine condition="contains all">find;cb</CommandLine>
+				<CommandLine condition="contains all">select-string;cb</CommandLine>
+				<CommandLine condition="contains all">process;Description;cb</CommandLine>
+				<CommandLine condition="contains all">find;defender</CommandLine>
+				<CommandLine condition="contains all">select-string;defender</CommandLine>
+				<CommandLine condition="contains all">process;Description;defender</CommandLine>
+				<CommandLine condition="contains all">find;crowdstrike</CommandLine>
+				<CommandLine condition="contains all">select-string;crowdstrike</CommandLine>
+				<CommandLine condition="contains all">process;Description;crowdstrike</CommandLine>
+				<CommandLine condition="contains all">find;sentinel</CommandLine>
+				<CommandLine condition="contains all">select-string;sentinel</CommandLine>
+				<CommandLine condition="contains all">process;Description;sentinel</CommandLine>
+				<CommandLine condition="contains all">find;nessusd</CommandLine>
+				<CommandLine condition="contains all">select-string;nessusd</CommandLine>
+				<CommandLine condition="contains all">process;Description;nessusd</CommandLine>
+				<CommandLine condition="contains all">find;td-agent</CommandLine>
+				<CommandLine condition="contains all">select-string;td-agent</CommandLine>
+				<CommandLine condition="contains all">process;Description;td-agent</CommandLine>
+				<CommandLine condition="contains all">find;cbagentd</CommandLine>
+				<CommandLine condition="contains all">select-string;cbagentd</CommandLine>
+				<CommandLine condition="contains all">process;Description;cbagentd</CommandLine>
+				<CommandLine condition="contains all">find;sysmon</CommandLine>
+				<CommandLine condition="contains all">select-string;sysmon</CommandLine>
+				<CommandLine condition="contains all">process;Description;sysmon</CommandLine>
+				<CommandLine condition="contains all">find;winlogbeat</CommandLine>
+				<CommandLine condition="contains all">select-string;winlogbeat</CommandLine>
+				<CommandLine condition="contains all">process;Description;winlogbeat</CommandLine>
+				<CommandLine condition="contains all">find;winlogbeat</CommandLine>
+				<CommandLine condition="contains all">select-string;winlogbeat</CommandLine>
+				<CommandLine condition="contains all">process;Description;winlogbeat</CommandLine>
+				<CommandLine condition="contains all">find;csfalcon</CommandLine>
+				<CommandLine condition="contains all">select-string;csfalcon</CommandLine>
+				<CommandLine condition="contains all">process;Description;csfalcon</CommandLine>
+				<CommandLine condition="contains all">find;splunk</CommandLine>
+				<CommandLine condition="contains all">select-string;splunk</CommandLine>
+				<CommandLine condition="contains all">process;Description;splunk</CommandLine>
+				<CommandLine condition="contains all">find;sidecar</CommandLine>
+				<CommandLine condition="contains all">select-string;sidecar</CommandLine>
+				<CommandLine condition="contains all">process;Description;sidecar</CommandLine>
+			</Rule>
 			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" groupRelation="or">
 				<OriginalFileName name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" condition="is">fltMC.exe</OriginalFileName>
 				<CommandLine name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" condition="contains">misc::mflt</CommandLine>
@@ -1174,6 +1363,10 @@
 			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=Account Discovery,Risk=50" groupRelation="and">
 				<Image condition="contains any">whoami.exe;whoami1.exe</Image>
 			</Rule>
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=3,Alert=WMIC Account Discovery,Risk=30" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains all">get;useraccount</CommandLine>
+			</Rule>
 			<Rule name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Level=0,Desc=Network Connection modifications with netsh,Risk=40" groupRelation="and">
 				<Image condition="image">netsh.exe</Image>
 				<CommandLine condition="contains any">add;del;set</CommandLine>
@@ -1209,36 +1402,6 @@
 				<ParentCommandLine condition="excludes any">WebClientGroup</ParentCommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
-			<Rule name="Attack=T1210,Technique=Exploitation of Remote Services,Tactic=Lateral Movement,CVE=CVE-2020-1350,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
-				<ParentCommandLine condition="contains all">svchost.exe;termsvcs</ParentCommandLine>
-				<Image condition="excludes any">rdpclip.exe;csrss.exe;wininit.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1210,Technique=Exploitation of Remote Services,Tactic=Lateral Movement,CVE=CVE-2020-1350,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
-				<ParentImage condition="image">dns.exe</ParentImage>
-				<Image condition="excludes any">werfault.exe;conhost.exe;dnscmd.exe;dns.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1210,Tactic=Lateral Movement,Technique=Exploitation of Remote Services,CVE=CVE-2019-0708,Level=4,Alert=Terminal Service Process Spawn,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">UMWorkerProcess.exe;UMService.exe</ParentImage>
-				<CommandLine condition="excludes any">perfenabled</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1210,Tactic=Lateral Movement,Technique=Exploitation of Remote Services,CVE=CVE-2021-26857,Level=4,Alert=HAFNIUM APT Exchange UMS Process,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">UMWorkerProcess.exe;UMService.exe</ParentImage>
-				<CommandLine condition="excludes any">perfenabled</CommandLine>
-				<Image condition="excludes any">wemgr.exe;werfault.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1210,Technique=Exploitation of Remote Services,Tactic=Execution,Level=4,Alert=wwwroot Web Server Exploitation Detected,Risk=100" groupRelation="and">
-				<Image condition="contains any">\wwwroot\</Image>
-			</Rule>
-			<Rule name="Attack=T1210,Technique=Exploitation of Remote Services,Tactic=Execution,Level=4,Alert=Atlassian Confluence Remote Exploit,Risk=100,CVE=CVE-2021-26084" groupRelation="and">
-				<ParentImage condition="end with">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
-				<CommandLine condition="contains any">cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1210,Technique=Exploitation of Remote Services,Tactic=Execution,Level=4,Alert=Generic Java Webapp Remote Exploit,Risk=100" groupRelation="and">
-				<ParentImage condition="end with">\jre\bin\java.exe</ParentImage>
-				<CommandLine condition="contains any">cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin</CommandLine>
-				<!--Allow Confluence Rule to fire-->
-				<ParentImage condition="excludes">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
-			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
 			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
 			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
@@ -1302,13 +1465,30 @@
 				<Image condition="excludes">g2mupdate.exe</Image>
 				<Image condition="excludes">slack.exe</Image>
 			</Rule>
-			<Image name="Attack=T1028,Technique=Windows Remote Management,Tactic=Execution,Level=3,Alert=Windows Remote Management Execution" condition="end with">winrm.cmd</Image>
-			<Image name="Attack=T1028,Technique=Windows Remote Management,Tactic=Execution,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrs.exe</Image>
-			<Image name="Attack=T1028,Technique=Windows Remote Management,Tactic=Execution,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrshost.exe</Image>
-			<Image name="Attack=T1028,Technique=Windows Remote Management,Tactic=Execution,Level=2,Alert=Waitfor.exe Execution bypass" condition="image">waitfor.exe</Image>
-			<Image name="Attack=T1028,Technique=Windows Remote Management,Tactic=Execution,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</Image>
-			<ParentImage name="Attack=T1028,Technique=Windows Remote Management,Tactic=Execution,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="end with">winrshost.exe</ParentImage>
-			<ParentImage name="Attack=T1028,Technique=Windows Remote Management,Tactic=Execution,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</ParentImage>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,AlertSuspicious Processes Spawned by WinRM,Risk=100" groupRelation="and">
+				<ParentImage condition="image">wsmprovhost.exe</ParentImage>
+				<Image condition="image">cmd.exe</Image>
+				<Image condition="image">sh.exe</Image>
+				<Image condition="image">bash.exe</Image>
+				<Image condition="image">wsl.exe</Image>
+				<Image condition="image">powershell.exe</Image>
+				<Image condition="image">powershell_ise.exe</Image>
+				<Image condition="image">schtasks.exe</Image>
+				<Image condition="image">at.exe</Image>
+				<Image condition="image">certutil.exe</Image>
+				<Image condition="image">mshta.exe</Image>
+				<Image condition="image">whoami.exe</Image>
+				<Image condition="image">ping.exe</Image>
+				<Image condition="image">ping.exe</Image>
+				<Image condition="image">bitsadmin.exe</Image>
+			</Rule>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Windows Remote Management Execution" condition="end with">winrm.cmd</Image>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrs.exe</Image>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrshost.exe</Image>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=2,Alert=Waitfor.exe Execution bypass" condition="image">waitfor.exe</Image>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</Image>
+			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="end with">winrshost.exe</ParentImage>
+			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</ParentImage>
 			<Rule name="Attack=T1021.006,Technique=Remote WMIC/Execution,Tactic=Lateral Movement,Level=4,Alert=Potential Malicious Document Execution,Risk=90" groupRelation="and">
 				<ParentImage condition="image">wmiprvse.exe</ParentImage>
 				<Image condition="image">mshta.exe</Image>
@@ -1486,7 +1666,7 @@
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
 			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,Level=0,Desc=Data exfiltration Tool detected 3,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">bitch.exe;bitch.bat;bitch_lasagna.exe;Admin Cracker.exe;BulletsPassView.exe;ChromePass.exe;Dialupass.exe;LSASecretsView.exe;OpenedFilesView.exe;OperaPassView.exe;PasswordFox.exe;ProduKey.exe;RouterPassView.exe;USBDeview.exe;USBStealer.exe;VNCPassView.exe;WebBrowserPassView.exe;WirelessKeyView.exe;WirelessKeyView.exe;empv.exe;netpass.exe;pspv.exe;usbdll.exe;rdpv.exe;WirelessKeyView.exe;lasagna.exe;all -vvv >>;rsync -r</CommandLine>
+				<CommandLine condition="contains any">bitch.exe;bitch.bat;bitch_lasagna.exe;Admin Cracker.exe;BulletsPassView.exe;ChromePass.exe;Dialupass.exe;LSASecretsView.exe;OpenedFilesView.exe;OperaPassView.exe;PasswordFox.exe;ProduKey.exe;RouterPassView.exe;USBDeview.exe;USBStealer.exe;VNCPassView.exe;WebBrowserPassView.exe;WirelessKeyView.exe;WirelessKeyView.exe;empv.exe;netpass.exe;pspv.exe;usbdll.exe;rdpv.exe;WirelessKeyView.exe;lasagna.exe;all -vvv &gt;&gt;;rsync -r</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,Level=0,Desc=CredsLeaker exfiltration tool detected,Risk=100" groupRelation="and">
 				<CommandLine condition="contains any">CredsLeaker;Windows.Security.Credentials.UI.CredentialPicker;function Leaker;function Await</CommandLine>
@@ -1654,10 +1834,6 @@
 				<Image condition="contains">C:\Users\</Image>
 				<Image condition="contains">\Downloads\</Image>
 			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Executed files within Outlook Attachments,Risk=30" groupRelation="and">
-				<Image condition="contains">C:\Users\</Image>
-				<Image condition="contains">Content.Outlook</Image>
-			</Rule>
 			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Executed files on Desktop,Risk=10" groupRelation="and">
 				<Image condition="contains">C:\Users\</Image>
 				<Image condition="contains">\Desktop\</Image>
@@ -1702,9 +1878,11 @@
 			<ParentImage name="Level=0,Desc=Process Spawned from JAVA" condition="image">java.exe</ParentImage>
 			<ParentImage name="Level=0,Desc=Process Spawned from JAVA" condition="image">javaw.exe</ParentImage>
 			<!--Detect Output Redirection-->
+			<!-- Disabled for now: Reason: Overrides other detections, waiting on Sysmon multiple rule firing
 			<CommandLine name="Level=0,Desc=Output Redirection" condition="contains">2></CommandLine>
 			<CommandLine name="Level=0,Desc=Output Redirection" condition="contains">&gt;</CommandLine>
 			<CommandLine name="Level=0,Desc=Output Redirection" condition="contains">&lt;</CommandLine>
+			-->
 			<!--Detect Multiple Commands-->
 			<Rule  name="Level=0,Desc=SVCHost Processes" groupRelation="and">
 				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
@@ -1712,7 +1890,10 @@
 			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Permission Modifications with icacls or cacls" condition="contains">cacls</Image>
 			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Ownership Permission Modifications with takeown" condition="contains">takeown</Image>
 			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
-			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: Pipe">\pipe\</CommandLine>
+			<Rule  name="Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
+				<CommandLine condition="contains">\pipe\</CommandLine>
+				<CommandLine condition="excludes">&gt;</CommandLine> <!--Excludes piping to pipe for cobalt strike detection-->
+			</Rule>
 			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
 			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
 			<CommandLine name="Level=3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
@@ -1729,19 +1910,7 @@
 			<Image name="Level=0,Desc=Gpupdate Launched" condition="image">gpupdate.exe</Image>
 			<ParentImage name="Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
 			<!-- Log other command line events, this sometimes conflicts with rules, add to exclusions as necessary-->
-			<Rule name="Information=Uncategorized Events" groupRelation="and">
-				<ParentCommandLine condition="contains any">/;\;-;unknown</ParentCommandLine>
-				<ParentImage condition="excludes any">explorer.exe;rundll32.exe</ParentImage>
-				<ParentCommandLine condition="excludes">Appinfo</ParentCommandLine>
-				<ParentCommandLine condition="excludes">DcomLaunch</ParentCommandLine>
-				<ParentCommandLine condition="excludes">JABzA</ParentCommandLine>
-				<ParentCommandLine condition="excludes">RemoteRegistry</ParentCommandLine>
-				<ParentCommandLine condition="excludes">comspec</ParentCommandLine>
-				<ParentCommandLine condition="excludes">iissvcs</ParentCommandLine>
-				<ParentCommandLine condition="excludes">mshta</ParentCommandLine>
-				<ParentCommandLine condition="excludes">nessus</ParentCommandLine>
-				<Image condition="excludes any">rundll32.exe</Image>
-			</Rule>
+			<!-- <ParentCommandLine name="Information=Uncategorized Events" condition="contains any">/;\;-;unknown;</ParentCommandLine>-->
 		</ProcessCreate>
 	</RuleGroup>
 	<RuleGroup name="RG=Process Create Exclude Group" groupRelation="or">
@@ -2762,7 +2931,27 @@
 			</Rule>
 			<ImageLoaded condition="end with">scrobj.dll</ImageLoaded>
 			<ImageLoaded condition="end with">crypt0.dll</ImageLoaded>
-			<ImageLoaded name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Wireless Credential Dumping" condition="is">C:\Windows\System32\wlanapi.dll</ImageLoaded>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Wireless Credential Dumping" groupRelation="and">
+				<ImageLoaded condition="end with">C:\Windows\System32\wlanapi.dll</ImageLoaded>
+				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe</Image>
+				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe</Image>
+				<Image condition="excludes">C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience</Image>
+				<Image condition="excludes">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
+				<Image condition="excludes">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\AppHostRegistrationVerifier.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\CompatTelRunner.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\DeviceCensus.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\DriverStore\FileRepository\</Image>
+				<Image condition="excludes">C:\Windows\System32\LogonUI.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\MoNotificationUx.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\SystemSettingsBroker.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\dxgiadaptercache.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\netsh.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\wlanext.exe</Image>
+				<Image condition="excludes">C:\Windows\UUS\amd64\MoUsoCoreWorker.exe</Image>
+				<Image condition="excludes">C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_</Image>
+				<Image condition="excludes">C:\Windows\explorer.exe</Image>
+			</Rule>
 			<ImageLoaded name="Level=0,Desc=Global Assembly Cache Load" condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
 		</ImageLoad>
 	</RuleGroup>
@@ -3674,7 +3863,7 @@
 				<TargetFilename condition="contains">\Microsoft\Excel\Startup\</TargetFilename>
 				<TargetFilename condition="end with">.xll</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Outlook Macro Execution,Risk=50" groupRelation="and">
+			<Rule name="Level=0,Desc=Outlook Macro Execution,Risk=90" groupRelation="and">
 				<TargetFilename condition="end with">\Microsoft\Outlook\VbaProject.OTM</TargetFilename>
 			</Rule>
 			<Rule name="Level=0,Desc=Office Application Startup Generic" groupRelation="and">
@@ -4063,7 +4252,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: System Services-->
 			<Rule name="Attack=T1543.003,Tactic=Persistence,Technique=Create Windows Service,Level=3,Alert=New SVCHost service,Risk=70" groupRelation="and">
 				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost</TargetObject>
-				<TargetObject condition="excludes">\print\AuthenticationLevel</TargetObject>
+				<TargetObject condition="excludes">\print\</TargetObject>
 				<TargetObject condition="excludes">\AzureAttestService\CoInitializeSecurityParam</TargetObject>
 				<Image condition="excludes">C:\$WINDOWS.~BT\</Image>
 			</Rule>
@@ -4134,24 +4323,24 @@
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Microsoft\System\Scripts</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Windows\System\Scripts</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Command Line parameters" condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Reg Keys,Risk=70" groupRelation="and">
-				<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: Boot" condition="end with">\Start</TargetObject>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=1,Desc=Service Start Mode Changed to: Boot" groupRelation="and">
+				<TargetObject condition="end with">\Start</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Desc=AutoRun Reg Keys,Risk=70" groupRelation="and">
-				<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: System" condition="end with">\Start</TargetObject>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=1,Desc=Service Start Mode Changed to: System" groupRelation="and">
+				<TargetObject condition="end with">\Start</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Reg Keys,Risk=70" groupRelation="and">
-				<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: Automatic" condition="end with">\Start</TargetObject>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=1,Desc=Service Start Mode Changed to: Automatic" groupRelation="and">
+				<TargetObject condition="end with">\Start</TargetObject>
 				<Details condition="contains">DWORD (0x00000002)</Details>
 			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=AutoRun Reg Keys,Risk=70" groupRelation="and">
-				<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: Manual" condition="end with">\Start</TargetObject>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: Manual" groupRelation="and">
+				<TargetObject condition="end with">\Start</TargetObject>
 				<Details condition="contains">DWORD (0x00000003)</Details>
 			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Reg Keys,Risk=70" groupRelation="and">
-				<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: Disabled" condition="end with">\Start</TargetObject>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: Disabled" groupRelation="and">
+				<TargetObject condition="end with">\Start</TargetObject>
 				<Details condition="contains">DWORD (0x00000004)</Details>
 			</Rule>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Services and autoruns imagepath" condition="end with">\ImagePath</TargetObject>
@@ -4373,7 +4562,29 @@
 				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
 			</Rule>
 			<!--Detect Malware & Unauthorized Changes to Outlook, Excel, Powerpoint, and Access Security to enable execution of scripts/Macros -->
-			<TargetObject name="Level=0,Desc=Detected Unauthorized changes to Office Security" condition="contains">\Security\Level</TargetObject>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=All Office Macros Enabled!,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">\Security\Level</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=1,Desc=Notifications for all macros,Risk=50" groupRelation="and">
+				<TargetObject condition="contains">\Security\Level</TargetObject>
+				<Details condition="contains">DWORD (0x00000002)</Details>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=Notifications for digitally signed macros - all other macros disabled,Risk=0" groupRelation="and">
+				<TargetObject condition="contains">\Security\Level</TargetObject>
+				<Details condition="contains">DWORD (0x00000003)</Details>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=All Office Macros Disabled without notification,Risk=0" groupRelation="and">
+				<TargetObject condition="contains">\Security\Level</TargetObject>
+				<Details condition="contains">DWORD (0x00000004)</Details>
+			</Rule>
+			<Rule name="Level=0,Desc=Outlook Security Changes" groupRelation="and">
+				<TargetObject condition="contains">\Outlook\Security</TargetObject>
+				<!--Allow Outlook Details rules to fire-->
+				<TargetObject condition="excludes">\Security\Level</TargetObject>
+			</Rule>
+			<TargetObject name="Level=0,Desc=Word Security Changes" condition="contains">\Word\Security</TargetObject>
+			<TargetObject name="Level=0,Desc=Excel Security Changes" condition="contains">\Excel\Security</TargetObject>
 			<TargetObject name="Level=0,Desc=Detected Unauthorized changes to Office Security" condition="contains">\Security\Level1Remove</TargetObject>
 			<!--Detect if Microsoft Security Center is Disabled or Enabled-->
 			<TargetObject name="Level=0,Desc=Microsoft:Windows:Security Center: Malware timestimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/" condition="end with">\HideSCAHealth</TargetObject>
@@ -4385,7 +4596,8 @@
 			<TargetObject name="Level=0,Desc=Security Center Firewall Override Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
 			<TargetObject name="Level=0,Desc=Security Center Tampering: All Alerts Disabled" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
 			<!--Detect if Windows Defender is Disabled-->
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore</TargetObject>
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPSessionInterval</TargetObject>
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SystemRestorePointCreationFrequency</TargetObject>
 			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Detected disablement of machine password,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject>
 			<TargetObject name="Level=0,Desc=Monitor Secure Channel Protection changes,Risk=30" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection</TargetObject>
 			<TargetObject name="Level=0,Desc=Refuse PW Change for workstations" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject>
@@ -4467,14 +4679,20 @@
 			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
 			<Rule name="Level=0,Desc=Detect System Certificate Modifications" groupRelation="and">
 				<TargetObject condition="contains any">\Software\Policies\Microsoft\SystemCertificates\;\SOFTWARE\Microsoft\EnterpriseCertificates\;HKLM\SOFTWARE\Microsoft\SystemCertificates\;HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
+				<EventType condition="is not">CreateKey</EventType>
 				<Image condition="excludes">C:\WINDOWS\Sysmon64.exe</Image>
 				<Image condition="excludes">C:\WINDOWS\Sysmon.exe</Image>
 				<Image condition="excludes">C:\WINDOWS\system32\certsrv.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\system32\CompatTelRunner.exe</Image>
 				<Image condition="excludes">C:\WINDOWS\system32\svchost.exe</Image>
 				<Image condition="excludes">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
 				<Image condition="excludes">C:\Windows\system32\SearchProtocolHost.exe</Image>
 				<Image condition="excludes">C:\Windows\system32\taskhost.exe</Image>
 				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\System32\DriverStore\FileRepository\asus</Image>
+				<Image condition="excludes">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image>
+				<Image condition="excludes">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</Image>
+				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe</Image>
 			</Rule>
 			<TargetObject name="Level=0,Desc=Remote Desktop fDenyTSConnections modification" condition="contains">fDenyTSConnections</TargetObject>
 			<TargetObject name="Level=0,Desc=Remote Desktop Settings keys" condition="contains">Terminal Server\WinStations\RDP-Tcp</TargetObject>
@@ -4644,7 +4862,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
 			<!--MITRE ATT&CK TACTIC: Impact-->
 			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
-			<Rule name="Level=0,Desc=User Account Deleted" groupRelation="and">
+			<Rule name="Attack=T1531,Technique=Account Access Removal,Tactic=Impact,Level=1,Desc=User Account Deleted" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
 				<EventType condition="is">DeleteKey</EventType>
 			</Rule>
@@ -4854,7 +5072,6 @@
 			<TargetObject name="Level=0,Desc=User added Macro document to Trusted Records 2,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Common</TargetObject>
 			<TargetObject name="Level=0,Desc=User added Macro trusted certificate,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Trusted</TargetObject>
 			<TargetObject name="Level=0,Desc=Office Security Settings: Monitor changes of security prompts" condition="contains">\Security\DontTrustInstalledFiles</TargetObject>
-			<TargetObject name="Level=0,Desc=Office Security Settings: Security Level 1 Low 2 Medium 3 High 0 disabled" condition="contains">\Security\Level</TargetObject>
 			<TargetObject name="Level=0,Desc=Office Trusted Location Changes" condition="contains">\Security\Trusted Locations</TargetObject>
 			<TargetObject name="Level=0,Desc=Office Keys: Monitor Disabling of Internet files in Protected View" condition="end with">Security\ProtectedView\DisableInternetFilesInPV</TargetObject>
 			<TargetObject name="Level=0,Desc=Office Keys: Monitor Disabling of attackments in Protected View" condition="end with">Security\ProtectedView\DisableAttachmentsInPV</TargetObject>
@@ -4862,9 +5079,6 @@
 			<TargetObject name="Forensic=WinRAR History" condition="contains">Software\WinRAR\ArcHistory</TargetObject>
 			<TargetObject name="Forensic=Winzip History" condition="contains">WinZip\mru\</TargetObject>
 			<TargetObject name="Forensic=Misc Recent File List History" condition="contains">Recent File List</TargetObject>
-			<TargetObject name="Level=0,Desc=Word Security Changes" condition="contains">\Word\Security</TargetObject>
-			<TargetObject name="Level=0,Desc=Outlook Security Changes" condition="contains">\Outlook\Security</TargetObject>
-			<TargetObject name="Level=0,Desc=Excel Security Changes" condition="contains">\Excel\Security</TargetObject>
 			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Inbox</TargetObject>
 			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\Today\UserDefinedUrl</TargetObject>
 			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Calendar Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Calendar</TargetObject>
@@ -5502,7 +5716,7 @@
 	<RuleGroup name="RG=Process Tampering Includes" groupRelation="or">
 		<ProcessTampering onmatch="include">
 			<Rule name="Level=0,Desc=Process Tampering Detected" groupRelation="and">
-				<Image condition="contains any">.;>;unknown;anonymous</Image>
+				<Image condition="contains any">.;&gt;;unknown;anonymous</Image>
 				<Image condition="excludes">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
 				<Image condition="excludes">C:\Program Files (x86)\Symantec\</Image>
 				<Image condition="excludes">C:\Program Files\Google\Chrome\Application\chrome.exe</Image>

From 04a0f1e8c0b8281196135554bd51e2a105e2e5d1 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Thu, 8 Sep 2022 11:11:16 -0400
Subject: [PATCH 346/471] Improved COM Object Hijack Detection

---
 sysmonconfig-export.xml | 64 ++++++++++++++++++++++++++++++++---------
 1 file changed, 50 insertions(+), 14 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index bc589ddb..ce526fa4 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -816,6 +816,11 @@
 				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
 				<CommandLine condition="contains any">-w h;-wi h;-win h;-wind h;-windo h;-window h;-windows h;-windowst h;-windowsty h;-windowstyl h;-windowstyle h;/w h;/wi h;/win h;/wind h;/windo h;/window h;/windows h;/windowst h;/windowsty h;/windowstyl h;/windowstyle h</CommandLine>
 			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Execution Policy Bypass,Risk=75" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<CommandLine condition="contains any">-ex;/ex</CommandLine>
+				<CommandLine condition="contains">bypass</CommandLine>
+			</Rule>
 			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Powershell non-interactive Command" groupRelation="and">
 				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
 				<CommandLine condition="contains any">-noni;/noni</CommandLine>
@@ -828,7 +833,7 @@
 			</Rule>
 			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Encoded Offsets,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">SUVYI;aWV4I;SQBFAFgA;aQBlA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC</CommandLine>
+				<CommandLine condition="contains any">SUVYI;aWV4I;SQBFAFgA;aQBlA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC;UwB0AGE</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Obfuscated Suspicious or Malicious Commands,Risk=70" groupRelation="and">
 				<CommandLine condition="contains any">C^om^S^pEc;^c^o^m^S^p^E^c^;Wscript.Shell;-ComObject;MsXml2.ServerXmlHttp;Remove.ToString;System.Convert;-UseB;[Byte[];^h^t^t^p;h"t"t"p</CommandLine>
@@ -1007,6 +1012,10 @@
 				<CommandLine condition="excludes">PhotoViewer.dll</CommandLine>
 				<CurrentDirectory condition="excludes">\AppData\Local\WebEx\WebEx\</CurrentDirectory>
 			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=3,Alert=Rundll32 Single Threaded Apartment Switch - check for com hijacks,Risk=75" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains any">-sta;/sta</CommandLine>
+			</Rule>
 			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious OpenAs_RunDLL,Risk=30" groupRelation="and">
 				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
 				<CommandLine condition="contains all">shell32.dll;OpenAs_RunDLL</CommandLine>
@@ -4382,6 +4391,31 @@
 				<Image condition="excludes">C:\Programdata\sysmon\sysmon64.exe</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor Endpoint Protocol Handlers" groupRelation="and">
+				<TargetObject condition="begin with">HKCR\</TargetObject>
+				<TargetObject condition="end with">(Default)</TargetObject>
+				<TargetObject condition="excludes">\shell\open\command\(Default)</TargetObject>
+				<Details condition="begin with">URL:</Details>
+			</Rule>
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor User Protocol Handlers" groupRelation="and">
+				<TargetObject condition="begin with">HKCU\Software\Classes\</TargetObject>
+				<TargetObject condition="end with">(Default)</TargetObject>
+				<TargetObject condition="excludes">\shell\open\command\(Default)</TargetObject>
+				<Details condition="begin with">URL:</Details>
+			</Rule>
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor Endpoint File Associations" groupRelation="and">
+				<TargetObject condition="begin with">HKCR\</TargetObject>
+				<TargetObject condition="end with">\shell\open\command\(Default)</TargetObject>
+				<Details condition="contains">%1</Details>
+			</Rule>
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor User Default File Associations" groupRelation="and">
+				<TargetObject condition="begin with">HKCU\Software\Classes\</TargetObject>
+				<TargetObject condition="end with">\shell\open\command\(Default)</TargetObject>
+				<Details condition="contains">%1</Details>
+			</Rule>
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor COM Hijacking" groupRelation="and">
+				<TargetObject condition="end with">\shell\open\command\DelegateExecute</TargetObject>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Accessibility Features-->
 			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,Level=3,Alert=Utilman Priv Escalation,Risk=100" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe</TargetObject>
@@ -4455,6 +4489,17 @@
 			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
 			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
 			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<!--Microsoft:Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
+			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,Level=3,Alert=Suspicious Com Object Hijacking Locations,Risk=30" groupRelation="and">
+				<TargetObject condition="contains any">\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)</TargetObject>
+				<Details condition="contains any">C:\Users\Public\;$Recyclebin;\temp\;\Desktop\;\Downloads\;\Content.Outlook\;\Microsoft\Office\</Details>
+			</Rule>
+			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,Level=1,Desc=Com Object Hijacking Locations,Risk=30" groupRelation="and">
+				<TargetObject condition="contains any">\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,Level=1,Desc=TreatAs/ProgID Friendly Name Com Hijacking Evasion - check for following rundll32 -sta,Risk=30" groupRelation="and">
+				<TargetObject condition="contains any">\ProgID\(Default);\TreatAs\(Default)</TargetObject>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Image File Execution Options Injection-->
 			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,Level=0,Desc=IFEO,Risk=30" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject>
@@ -4962,11 +5007,7 @@
 			<!--CLSID launch commands and file association changes-->
 			<TargetObject name="Level=0,Desc=File Extension Mapping" condition="contains">\Explorer\FileExts\</TargetObject>
 			<TargetObject name="Level=0,Desc=Command Shell install Key" condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
-			<TargetObject name="Level=0,Desc=Command Shell Open Key" condition="contains">\shell\open\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
-			<TargetObject name="Level=0,Desc=DDEexec Shell Open Key" condition="contains">\shell\open\ddeexec\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
 			<TargetObject name="Forensic=User SID History for Forensics" condition="end with">\ProfileImagePath</TargetObject><!--Lets Get SID History and other info for Forensics, this is created on logon-->
-			<!--Windows COM-->
-			<TargetObject name="Level=0,Desc=InProcServer32 Default Key" condition="end with">\InprocServer32\(Default)</TargetObject> <!--Microsoft:Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
 			<!--Windows shell hijack-->
 			<TargetObject name="Level=0,Desc=AllFileSystemObjects Classes" condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
 			<TargetObject name="Level=0,Desc=Asterisk Classes" condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
@@ -5109,16 +5150,8 @@
 			<TargetObject name="Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
 			<TargetObject name="Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject> <!--Mitre T1198-->
 			<TargetObject name="Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject><!--Mitre T1198-->
-			<TargetObject name="Level=0,Desc=Detect: COMObject Hijacking" condition="contains">\InprocServer32</TargetObject>
 			<TargetObject name="Level=0,Desc=Detect: Dns Server dll injection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect: Open Command Hijacks" condition="contains">\batfile\shell\open\command</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect: Open Command Hijacks" condition="contains">\comfile\shell\open\command</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect: Open Command Hijacks" condition="contains">\exefile\shell\open\command</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect: Open Command Hijacks" condition="contains">\htafile\shell\open\command</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect: Open Command Hijacks" condition="contains">\piffile\shell\open\command</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect: Open Command Hijacks" condition="contains">\piffile\shell\open\command</TargetObject>
 			<TargetObject name="Level=0,Desc=Detect: UAC Bypass" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> 
-			<TargetObject name="Level=0,Desc=Detect: UAC Bypass" condition="contains">\mscfile\shell\open\command</TargetObject>
 			<TargetObject name="Level=0,Desc=New Device Connected" condition="end with">\FriendlyName</TargetObject>
 			<TargetObject name="Level=0,Desc=Providers notified by Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
 			<TargetObject name="Level=0,Desc=Proxy Autoconfig URL" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
@@ -5259,7 +5292,10 @@
 			-->
 			<PipeName name="Level=0,Desc=Remote Registry access and enumeration" condition="contains">\winreg</PipeName> <!-- useful for lateral movement and users enumeration, psloggedon use this technique -->
 			<PipeName name="Level=0,Desc=Anonymous Named Pipe Detected" condition="contains">Anonymous Pipe</PipeName><!--Include Everything else to mark above rules-->
-			<PipeName name="Level=0,Desc=Uncategorized Events" condition="contains">\</PipeName><!--Include Everything else to mark above rules-->
+			<!--Include Everything else to mark above rules-->
+			<!-- Disabled for now
+			<PipeName name="Level=0,Desc=Uncategorized Events" condition="contains">\</PipeName>
+			-->
 		</PipeEvent>
 	</RuleGroup>
 	<RuleGroup name="RG=PipeEvent Exclude Group" groupRelation="or">

From c886b2382f4529935ad7caf96a954d5ee141e125 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Thu, 8 Sep 2022 17:30:54 -0400
Subject: [PATCH 347/471] add a few new detections

---
 sysmonconfig-export.xml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ce526fa4..a46317d1 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -688,6 +688,10 @@
 			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
 			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
 			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<Rule name="Attack=T1484.001,Technique=Group Policy Modification,Tactic=Defense Evasion,Level=3,Alert=Auditpol System Audit Policy Change - Should be set via group policy instead" groupRelation="and">
+				<OriginalFileName condition="contains">auditpol</OriginalFileName>
+				<CommandLine condition="contains any">/set;-set;/restore;-restore;/clear;-clear;/remove;-remove;/resourceSACL;-resourceSACL</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
 			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
@@ -1276,6 +1280,12 @@
 			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
 			<Image name="Attack=T1083,Technique=File and Directory Discovery,Tactic=Discovery,Level=0,Desc=directory structure disclosure,Risk=30" condition="end with">tree.com</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
+			<Rule name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,Level=3,Alert=Auditpol System/GP Audit Policy Discovery" groupRelation="and">
+				<OriginalFileName condition="contains">auditpol</OriginalFileName>
+				<CommandLine condition="contains any">/get;-get;/list;-list;/backup;-backup</CommandLine>
+			</Rule>
+			<Image name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,Level=3,Alert=Group Policy Discovery with GPResult" condition="contains any">gpresult.exe</Image>
+			<CommandLine name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,Level=3,Alert=Group Policy Discovery with Powershell" condition="contains any">get-gpo;get-gpresult;get-gpreg</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
@@ -1879,7 +1889,6 @@
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=detect aliases" condition="image">doskey.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=detect cls in batch scripts" condition="image">cls.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=UNC\Device Launches - Image begins with \,Risk=10" condition="begin with">\</Image> 
-			<Image name="Level=0,Desc=Auditpol System Audit Policy Change - Should be set via group policy instead" condition="image">auditpol.exe</Image><!-- Auditpol-->
 			<ParentCommandLine name="Level=0,Desc=IIS Child Processes" condition="begin with">C:\Windows\system32\svchost.exe -k iissvcs</ParentCommandLine>
 			<ParentImage name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=UNC\Device Launches - Parent Image begins with \,Risk=10" condition="begin with">\</ParentImage> 
 			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Acrobat" condition="image">acrobat.exe</ParentImage>

From 852190da82667712e058d4ebd65f7557fa76f0c1 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 9 Sep 2022 10:57:49 -0400
Subject: [PATCH 348/471] Add more advanced SilentProcessExit Detection
 targetting DRWORD's and -s flag from WerFault parent command line.

---
 sysmonconfig-export.xml | 33 +++++++++++++++++++++++++--------
 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index a46317d1..1704fda6 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -548,6 +548,10 @@
 			<Image name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Level=3,Alert=Account Creation via command line,Alert=Account creation with dsadd,Risk=100" condition="image">dsadd.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion/Execution,Level=0,Alert=SilentProcessExit Execution from werfault S-Flag,Risk=75" groupRelation="and">
+				<ParentImage condition="image">WerFault.exe</ParentImage>
+				<ParentCommandLine condition="contains any">-s;/s</ParentCommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
 			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
 			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
@@ -4510,13 +4514,27 @@
 				<TargetObject condition="contains any">\ProgID\(Default);\TreatAs\(Default)</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Image File Execution Options Injection-->
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,Level=0,Desc=IFEO,Risk=30" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject>
-				<TargetObject condition="contains any">Debugger;ReportingMode;GlobalFlag;MonitorProcess</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Desc=Wow64 IFEO,Risk=30" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
-				<TargetObject condition="contains any">Debugger;ReportingMode;GlobalFlag;MonitorProcess</TargetObject>
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,Level=1,Alert=Image File Execution Options,Risk=30" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject>
+				<TargetObject condition="contains any">Debugger;ReportingMode;MonitorProcess</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,Level=0,Alert=SilentProcessExit Globalflag Set,Risk=75" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject>
+				<TargetObject condition="contains">GlobalFlag</TargetObject>
+				<Details condition="contains">DWORD (0x00000200)</Details> <!--SilentProcessExit Dword Value-->
+			</Rule>
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Alert=SilentProcessExit Process Execution entry,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</TargetObject>
+				<TargetObject condition="contains">MonitorProcess</TargetObject> <!--SilentProcessExit Monitor Process from werfault-->
+			</Rule>
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Alert=SilentProcessExit Reporting Mode Enabled - Check for Child processes of werfault.exe,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</TargetObject>
+				<TargetObject condition="contains">ReportingMode</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details> <!--SilentProcessExit Reporting Mode Enabled-->
+			</Rule>
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Alert=SilentProcessExit Process Added,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit</TargetObject>
+				<EventType condition="is">CreateKey</EventType>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
 			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
@@ -4991,7 +5009,6 @@
 			<TargetObject name="Attack=T1562.006,Technique=Impair Defenses: Indicator Blocking,Tactic=Defense Evasion,Level=0,Desc=ETW Tampering,Risk=70" condition="end with">SOFTWARE\Microsoft\.NETFramework\ETWEnabled</TargetObject>
 			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=2,Alert=AutoRun Keys,Risk=70" condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
-			<TargetObject name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Desc=Silent Process Exit execution" condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit</TargetObject>
 			<TargetObject name="Level=0,Desc=Alternate Shell AvailableShells Hijack" condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
 			<TargetObject name="Level=0,Desc=Alternative Shell Policy" condition="contains">Policies\System\Shell</TargetObject>
 			<TargetObject name="Level=0,Desc=AutoStart on Connect" condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>

From e29bdb2f938ef0a9ffdc77f29041c62205295b2b Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 9 Sep 2022 12:09:34 -0400
Subject: [PATCH 349/471] add RuntimeExceptionHelperModules detection

---
 sysmonconfig-export.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 1704fda6..5a7d7f1f 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -4536,6 +4536,9 @@
 				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit</TargetObject>
 				<EventType condition="is">CreateKey</EventType>
 			</Rule>
+			<Rule name="Attack=T1546,Technique=Event Triggered Execution,Tactic=Persistence,Level=3,Alert=Monitor Runtime Exeption Handler execution on crash,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules</TargetObject>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
 			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
 			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->

From 347778fbe91f3df4314d6ae412a52020e9213715 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 9 Sep 2022 15:00:36 -0400
Subject: [PATCH 350/471] Add suspicious conhost parent process detection

---
 sysmonconfig-export.xml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 5a7d7f1f..89ccb499 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -209,6 +209,10 @@
 				<CommandLine condition="contains any">call set priority;call terminate;product get name;bios, get serialNumber;BIOS GET SERIALNUMBER;onboarddevice get;useraccount where name;useraccount get;path win32_networkadapter where index=;process list;useraccount get /ALL;useraccount list;qfe get description,installedOn /format:csv;process get caption,executablepath,commandline;service get name,displayname,pathname,startmode;share list;win32_share</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=Suspicious Console Host Parents,Risk=30" groupRelation="and">
+				<ParentImage condition="contains any">svchost.exe;lsass.exe;services.exe;smss.exe;winlogon.exe;explorer.exe;dllhost.exe;rundll32.exe;regsvr32.exe;userinit.exe;winit.exe;spoolsv.exe;wermgr.exe;csrss.exe;ctfmon.exe;werfault.exe</ParentImage>
+				<Image condition="image">conhost.exe</Image>
+			</Rule>
 			<!-- Disabled for now
 			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,UEBA=Execution Command Line tools by user,Risk=45" groupRelation="and">
 				<Image condition="contains any">\cmd.exe;WindowsTerminal;powershell</Image>
@@ -2688,7 +2692,7 @@
 		<ProcessTerminate onmatch="include">
 			<Rule name="Level=0,Desc=Process Termination Events in Windows Directory" groupRelation="and">
 				<Image condition="begin with">C:\Windows\</Image>
-				<Image condition="excludes">\System32\;Syswow64;sysmon.exe;sysmon64.exe;C:\Windows\System32\conhost.exe</Image>
+				<Image condition="excludes">\System32\;Syswow64;sysmon.exe;sysmon64.exe</Image>
 			</Rule>
 			<Rule name="Level=0,Desc=Process Termination Events in System32" groupRelation="and">
 				<Image condition="begin with">C:\Windows\system32\</Image>

From 7a266eb6ef9ae3fa62fb86bfe2aabcc31f5e369e Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 9 Sep 2022 18:16:25 -0400
Subject: [PATCH 351/471] Detection Improvements, with added Parent/Child
 Relationship Monitoring & Alerting

---
 sysmonconfig-export.xml | 114 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 108 insertions(+), 6 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 89ccb499..f9d11762 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -213,6 +213,10 @@
 				<ParentImage condition="contains any">svchost.exe;lsass.exe;services.exe;smss.exe;winlogon.exe;explorer.exe;dllhost.exe;rundll32.exe;regsvr32.exe;userinit.exe;winit.exe;spoolsv.exe;wermgr.exe;csrss.exe;ctfmon.exe;werfault.exe</ParentImage>
 				<Image condition="image">conhost.exe</Image>
 			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=Suspicious Console Host children,Risk=30" groupRelation="and">
+				<ParentImage condition="image">conhost.exe</ParentImage>
+				<Image condition="excludes any">:\Windows\splwow64.exe;:\Windows\System32\WerFault.exe;:\Windows\System32\conhost.exe</Image>
+			</Rule>
 			<!-- Disabled for now
 			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,UEBA=Execution Command Line tools by user,Risk=45" groupRelation="and">
 				<Image condition="contains any">\cmd.exe;WindowsTerminal;powershell</Image>
@@ -892,6 +896,95 @@
 			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
 			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
 			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of Autochk,Risk=30" groupRelation="and">
+				<Image condition="image">autochk.exe</Image>
+				<ParentImage condition="excludes any">\smss.exe;\fontdrvhost.exe;\dwm.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of SMSS,Risk=30" groupRelation="and">
+				<Image condition="contains any">\consent.exe;\Runtimebroker.exe;\TiWorker.exe</Image>
+				<ParentImage condition="excludes">\svchost.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of consent/runtimebroke/tiworker,Risk=30" groupRelation="and">
+				<Image condition="contains any">\consent.exe;\Runtimebroker.exe;\TiWorker.exe</Image>
+				<ParentImage condition="excludes any">svchost.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of searchindexer,Risk=30" groupRelation="and">
+				<Image condition="image">SearchProtocolHost.exe</Image>
+				<ParentImage condition="excludes any">\SearchIndexer.exe;\dllhost.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of dllhost,Risk=30" groupRelation="and">
+				<Image condition="image">dllhost.exe</Image>
+				<ParentImage condition="excludes any">\services.exe;\svchost.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of smss,Risk=30" groupRelation="and">
+				<Image condition="image">smss.exe</Image>
+				<ParentImage condition="excludes">\smss.exe</ParentImage>
+				<ParentImage condition="is not">System</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of csrss,Risk=30" groupRelation="and">
+				<Image condition="image">csrss.exe</Image>
+				<ParentImage condition="excludes any">\smss.exe;svchost.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of wininit,Risk=30" groupRelation="and">
+				<Image condition="image">wininit.exe</Image>
+				<ParentImage condition="excludes">\smss.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of winlogon,Risk=30" groupRelation="and">
+				<Image condition="image">winlogon.exe</Image>
+				<ParentImage condition="excludes">\smss.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of lsass/LsaIso,Risk=30" groupRelation="and">
+				<Image condition="contains any">\lsass.exe;LsaIso.exe</Image>
+				<ParentImage condition="excludes">\wininit.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of LogonUI,Risk=30" groupRelation="and">
+				<Image condition="image">LogonUI.exe</Image>
+				<ParentImage condition="excludes any">\wininit.exe;\winlogon.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of services,Risk=30" groupRelation="and">
+				<Image condition="image">services.exe</Image>
+				<ParentImage condition="excludes">\wininit.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of svchost,Risk=30" groupRelation="and">
+				<Image condition="image">svchost.exe</Image>
+				<ParentImage condition="excludes any">\MsMpEng.exe;\services.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of spoolsv,Risk=30" groupRelation="and">
+				<Image condition="image">spoolsv.exe</Image>
+				<ParentImage condition="excludes">\services.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of taskhost,Risk=30" groupRelation="and">
+				<Image condition="image">taskhost.exe</Image>
+				<ParentImage condition="excludes any">\services.exe;\svchost.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of userinit,Risk=30" groupRelation="and">
+				<Image condition="image">userinit.exe</Image>
+				<ParentImage condition="excludes any">\dwm.exe;\winlogon.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of wmiprvse/wsmprovhost/winrshost,Risk=30" groupRelation="and">
+				<Image condition="contains any">\wmiprvse.exe;\wsmprovhost.exe;\winrshost.exe</Image>
+				<ParentImage condition="excludes any">\svchost.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
+				<ParentImage condition="contains any">\SearchProtocolHost.exe;\taskhost.exe;\csrss.exe</ParentImage>
+				<Image condition="excludes any">\werfault.exe;\wermgr.exe;\WerFaultSecure.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
+				<ParentImage condition="image">autochk.exe</ParentImage>
+				<Image condition="excludes any">\chkdsk.exe;\doskey.exe;\WerFault.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of smss,Risk=30" groupRelation="and">
+				<ParentImage condition="image">smss.exe</ParentImage>
+				<Image condition="excludes any">\autochk.exe;\smss.exe;\csrss.exe;\wininit.exe;\winlogon.exe;\setupcl.exe;\WerFault.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of wermgr,Risk=30" groupRelation="and">
+				<ParentImage condition="image">wermgr.exe</ParentImage>
+				<Image condition="excludes any">\WerFaultSecure.exe;\wermgr.exe;\WerFault.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of conhost,Risk=30" groupRelation="and">
+				<ParentImage condition="image">conhost.exe</ParentImage>
+				<Image condition="excludes any">\mscorsvw.exe;\wermgr.exe;\WerFault.exe;\WerFaultSecure.exe</Image>
+			</Rule>
 			<CommandLine name="Attack=T1055,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement,Tactic=Defense Evasion,Level=4,Alert=Powershell Injection persistence bypass,Risk=50" condition="contains">System.Management.Automation</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
 			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
@@ -926,9 +1019,9 @@
 				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
 				<CommandLine condition="contains all">-ns;-s</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1218.002,Technique=Control Panel,Tactic=Execution,Level=3,Alert=Control_Rundll Detected,Risk=50" groupRelation="or">
-				<CommandLine condition="contains all">control;name</CommandLine>
-				<CommandLine condition="contains all">rundll32.exe;shell32.dll;Control_RunDLL</CommandLine>
+			<Rule name="Attack=T1218.002,Technique=Control Panel,Tactic=Execution,Level=3,Alert=Control_Rundll Detected,Risk=50" groupRelation="and">
+				<CommandLine condition="contains all">rundll32.exe;shell32.dll;_RunDLL</CommandLine>
+				<Image condition="is not">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1218.008,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=3,Alert=Odbcconf Signed Binary Proxy Execution,Risk=50" groupRelation="and">
 				<Image condition="image">odbcconf.exe</Image>
@@ -3286,6 +3379,7 @@
 				<CallTrace condition="contains">|C:\WINDOWS\System32\KERNELBASE.dll+</CallTrace>
 				<CallTrace condition="end with">)</CallTrace>
 				<GrantedAccess condition="contains any">0x1028;0x1fffff</GrantedAccess>
+				<Image condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\</Image>
 			</Rule>
 			<Rule name="Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
 				<SourceImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</SourceImage>
@@ -4343,7 +4437,8 @@
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
 			<TargetObject name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Alert=Process Injection: injecting a 64-bit DLL into a 32-bit process" condition="contains">SOFTWARE\Microsoft\Wow64\x86\</TargetObject> <!-- http://www.hexacorn.com/blog/2019/07/11/beyond-good-ol-run-key-part-108-2/ -->
 			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Reg Keys,Risk=70" groupRelation="and">
-				<TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+				<TargetObject condition="contains">\CurrentVersion\Run\</TargetObject>
 				<Image condition="excludes">Add_exclusions_here</Image>
 			</Rule>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Microsoft\System\Scripts</TargetObject>
@@ -4577,6 +4672,10 @@
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
 
 			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
+			<Rule name="Attack=T0000,Technique=Environment Value Modification,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=Environment Value Modification" groupRelation="and">
+				<EventType condition="is">SetValue</EventType>
+				<TargetObject condition="contains">\Environment\</TargetObject>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
 			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism: Bypass User Account Control-->
 			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,Level=4,Alert=UAC Disablement Detected" groupRelation="and">
@@ -4984,6 +5083,7 @@
 			</Rule>
 			<Rule name="Level=0,Desc=IPv6 Changes detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Linkage\Bind</TargetObject>
+				<Details condition="excludes">Binary Data</Details>
 			</Rule>
 			<Rule name="Level=0,Desc=Network Card Changes detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards</TargetObject>
@@ -5198,7 +5298,10 @@
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
 			-->
 			<TargetObject name="Attack=T1090,Technique=Connection Proxy,Tactic=Defense Evasion,Level=0,Desc=NetSH PortProxy Detected" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4</TargetObject>
-			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Alert=Possible Ursniff Malware Detected,FP=1" condition="contains">\Software\AppDataLow\Software\Microsoft\</TargetObject>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Alert=Possible Ursniff Malware Detected,FP=1" groupRelation="and">
+				<TargetObject condition="contains">\Software\AppDataLow\Software\Microsoft\</TargetObject>
+				<Details condition="contains any">.exe;.dll;powershell;wmic</Details>
+			</Rule>
 			<TargetObject name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=4,Alert=Office Persistence Location,Risk=70" condition="end with">Software\Microsoft\Office test\Special\Perf</TargetObject>
 			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\CurrentControlSet\Services\NTDS\LsaDbExtPt</TargetObject>
 			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\Services\NTDS\DirectoryServiceExtPt</TargetObject>
@@ -5218,7 +5321,6 @@
 			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer persistence Key modification" condition="contains">Always_Online</TargetObject>
 			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Potential Ransomware Indicator: EnableLinkedConnections Registry key,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\CurrentVersion\Policies\System\EnableLinkedConnections</TargetObject>
 			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Potential Ransomware Indicator: REvil Sodinokibi Sodin Ransomware,Risk=100" condition="contains">Software\recfg</TargetObject>
-			<TargetObject name="Attack=T0000,Technique=Environment Value Modification,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=Environment Value Modification" condition="end with">\Environment</TargetObject>
 			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Preload\</TargetObject>
 			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Substitutes\</TargetObject>
 			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002</TargetObject>

From 32694c0dbd912760a65ba6c7005c7d9a0b2c837d Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 13 Sep 2022 14:07:25 -0400
Subject: [PATCH 352/471] Add new detections, merge in some of Florian's work,
 added Author tag for attribution additions.

---
 sysmonconfig-export.xml | 212 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 199 insertions(+), 13 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f9d11762..475e245a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -25,7 +25,8 @@
 				 Forensic: Forensic Artifacts
 				 CVE: CVE Vulnerability Identification
 				 FP: False Positive Rate
-
+				 Author: Author of rule
+				 
 				 Additional Tag Details:
 				 Rapid Response Tags: (for EDR/XDR/SIEM Response & Automation)
 				 kp=y 	Kill process with child processes
@@ -69,6 +70,10 @@
 				 " &quot;
 				 ' &apos;
 				 & &amp;
+				 
+				 Other Notes:
+				 The Rulename field has a hard limit of 255 characters, make the best of the size available, shorten tags and descriptions as needed.
+				 Add exclusions in line enclosed within a Compound rule rather than a global exclusion list.
 -->
 <Sysmon schemaversion="4.82">
 	<HashAlgorithms>md5,sha256,imphash</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
@@ -412,8 +417,10 @@
 				<CommandLine condition="excludes">Sentinel\AutoRepair</CommandLine>
 				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
 			</Rule>
-			<ParentImage name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Level=2,Alert=Child process from schtasks" condition="image">schtasks.exe</ParentImage>
-			<Image name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</Image>
+			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,Level=2,Alert=Child process from schtasks" groupRelation="and">
+				<ParentImage condition="image">schtasks.exe</ParentImage>
+			</Rule>
+			<Image name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</Image>
 			<ParentImage name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</ParentImage>
 			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=0,Desc=Scheduled Task Started,Risk=0" groupRelation="and">
 				<ParentImage condition="image">C:\Windows\System32\svchost.exe</ParentImage>
@@ -727,6 +734,16 @@
 				<Image condition="image">MpCmdRun.exe</Image>
 				<CommandLine condition="contains any">Add-MpPreference;RemoveDefinitions;DisableIOAVProtection</CommandLine>
 			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools:  Disable Windows Event Logging-->
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonEnte Detection,Level=4,Risk=100" groupRelation="and">
+				<Hashes condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hashes>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonQuiet Detection,Level=4,Risk=100" groupRelation="and">
+				<Hashes condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hashes>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SharpEvtMute Detection,Level=4,Risk=100" groupRelation="and">
+				<Hashes condition="contains">IMPHASH=330768a4f172e10acb6287b87289d83b</Hashes>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
 			<Image condition="image" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=T1089,Level=4,Alert=PSTools PSKill,Risk=8">PsKill.exe</Image>
 			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=T1089,Risk=100,Level=4,Alert=Disabling of Windows Defender Features" groupRelation="and">
@@ -903,30 +920,37 @@
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of SMSS,Risk=30" groupRelation="and">
 				<Image condition="contains any">\consent.exe;\Runtimebroker.exe;\TiWorker.exe</Image>
 				<ParentImage condition="excludes">\svchost.exe</ParentImage>
+				<ParentImage condition="is not">-</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of consent/runtimebroke/tiworker,Risk=30" groupRelation="and">
 				<Image condition="contains any">\consent.exe;\Runtimebroker.exe;\TiWorker.exe</Image>
 				<ParentImage condition="excludes any">svchost.exe</ParentImage>
+				<ParentImage condition="is not">-</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of searchindexer,Risk=30" groupRelation="and">
 				<Image condition="image">SearchProtocolHost.exe</Image>
 				<ParentImage condition="excludes any">\SearchIndexer.exe;\dllhost.exe</ParentImage>
+				<ParentImage condition="is not">-</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of dllhost,Risk=30" groupRelation="and">
 				<Image condition="image">dllhost.exe</Image>
 				<ParentImage condition="excludes any">\services.exe;\svchost.exe</ParentImage>
+				<ParentImage condition="is not">-</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of smss,Risk=30" groupRelation="and">
 				<Image condition="image">smss.exe</Image>
 				<ParentImage condition="excludes">\smss.exe</ParentImage>
 				<ParentImage condition="is not">System</ParentImage>
+				<ParentImage condition="is not">-</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of csrss,Risk=30" groupRelation="and">
 				<Image condition="image">csrss.exe</Image>
+				<ParentImage condition="is not">-</ParentImage>
 				<ParentImage condition="excludes any">\smss.exe;svchost.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of wininit,Risk=30" groupRelation="and">
 				<Image condition="image">wininit.exe</Image>
+				<ParentImage condition="is not">-</ParentImage>
 				<ParentImage condition="excludes">\smss.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of winlogon,Risk=30" groupRelation="and">
@@ -947,6 +971,7 @@
 			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of svchost,Risk=30" groupRelation="and">
 				<Image condition="image">svchost.exe</Image>
+				<ParentImage condition="is not">-</ParentImage>
 				<ParentImage condition="excludes any">\MsMpEng.exe;\services.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of spoolsv,Risk=30" groupRelation="and">
@@ -963,6 +988,7 @@
 			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of wmiprvse/wsmprovhost/winrshost,Risk=30" groupRelation="and">
 				<Image condition="contains any">\wmiprvse.exe;\wsmprovhost.exe;\winrshost.exe</Image>
+				<ParentImage condition="is not">-</ParentImage>
 				<ParentImage condition="excludes any">\svchost.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
@@ -1707,7 +1733,8 @@
 			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=base64 encoded URL https or http offset,Risk=80" groupRelation="and">
 				<CommandLine condition="contains any">odHRwczovL;aHR0cDovL;h0dHA6Ly;odHRwOi8v;aHR0cHM6Ly;h0dHBzOi8v</CommandLine>
 				<Image condition="excludes any">ie_to_edge_stub.exe;chrome.exe;firefox.exe;iexplore.exe;brave.exe;vivaldi.exe;msedge.exe;webex;teams.exe;goto opener.exe;lynx.exe;\Webex\webexAppLauncherLatest.exe;\WebEx\webexAppLauncher.exe;\WebEx\Applications\webexAppLauncher.exe;WebEx\webex.exe</Image>
-				<CommandLine condition="excludes any">wbx:;/SITE_TOKEN=;msteams:</CommandLine>
+				<CommandLine condition="excludes any">wbx:;/SITE_TOKEN=;msteams:;PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSI</CommandLine>
+				<OriginalFileName condition="excludes any">msedgeupdate.dll</OriginalFileName>
 			</Rule>
 			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=Double Base64 encoded executable,Risk=90" groupRelation="and">
 				<CommandLine condition="contains any">VFZvQUFBQ;RWb0FBQU;UVm9BQUFB;VFZxQUFBR;RWcUFBQU;UVnFBQUFF;VFZwUUFBS;RWcFFBQU;UVnBRQUFJ;VFZxUUFBT;RWcVFBQU;UVnFRQUFN;VFZwVEFRR;RWcFRBUU;UVnBUQVFF</CommandLine>
@@ -2903,9 +2930,13 @@
 				<Image condition="image">EQNEDT32.EXE</Image>
 				<ImageLoaded condition="contains">EQNEDT32.EXE</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=0,Desc=Windows Active Directory Service Interfaces API in User Directories,Risk=100" groupRelation="and">
-				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll</ImageLoaded>
-				<Image condition="contains any">C:\Users;\Temp\;ProgramData</Image>
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=Windows Active Directory Services DLL Loading in Susicious Directories,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
+				<Image condition="contains any">C:\Users;\Temp\;\ProgramData\</Image>
+			</Rule>
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=Windows Active Directory Services DLL Loading by Suspicious Process,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
+				<Image condition="contains any">wscript.exe;cscript.exe;powershell.exe;rundll32.exe;msbuild.exe;msiexec.exe;csc.exe</Image>
 			</Rule>
 			<Rule name="Level=0,Desc=VBE6 Macro Image Loads with wshom,Risk=40" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
@@ -3072,6 +3103,9 @@
 				<Image condition="excludes">C:\Windows\explorer.exe</Image>
 			</Rule>
 			<ImageLoaded name="Level=0,Desc=Global Assembly Cache Load" condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
+			<Rule name="Alert=TEST" groupRelation="and">
+				<ImageLoaded condition="contains all">cmd.exe;cmd.exe.mui</ImageLoaded>
+			</Rule>
 		</ImageLoad>
 	</RuleGroup>
 	<RuleGroup name="RG=Image Load Excludes" groupRelation="or">
@@ -3171,6 +3205,7 @@
 				<SourceImage condition="excludes">C:\Windows\System32\igfxEM.exe</SourceImage>
 				<SourceImage condition="excludes">C:\Windows\System32\igfxHK.exe</SourceImage>
 				<SourceImage condition="excludes">Enterprise\Common7\IDE\devenv.exe</SourceImage>
+				<SourceImage condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</SourceImage>
 			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=CreateFileMapping,Risk=70" groupRelation="and">
 				<StartFunction condition="contains any">CreateFileMapping;MapViewOfFile</StartFunction>
@@ -3379,17 +3414,20 @@
 				<CallTrace condition="contains">|C:\WINDOWS\System32\KERNELBASE.dll+</CallTrace>
 				<CallTrace condition="end with">)</CallTrace>
 				<GrantedAccess condition="contains any">0x1028;0x1fffff</GrantedAccess>
-				<Image condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\</Image>
+				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\</SourceImage>
 			</Rule>
 			<Rule name="Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
 				<SourceImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</SourceImage>
-				<CallTrace condition="contains">:\Windows\Microsoft.NET\Framework64\v2.</CallTrace>
-				<CallTrace condition="contains">UNKNOWN</CallTrace>
+				<CallTrace condition="contains all">:\Windows\Microsoft.NET\Framework64\v2.;UNKNOWN</CallTrace>
 			</Rule>
 			<Rule name="Level=4,Alert=Potential Metasploit Process Migration" groupRelation="and">
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 				<GrantedAccess condition="contains">0x147a</GrantedAccess>
 			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonEnte Detection,Level=4,Risk=100" groupRelation="and">
+				<TargetImage condition="contains any">C:\Windows\Sysmon64.exe;C:\Windows\Sysmon.exe</TargetImage>
+				<GrantedAccess condition="contains">0x1400</GrantedAccess>
+			</Rule>
 			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE: possible memory injection -->
 			<GrantedAccess name="Attack=T1093,Technique=Process Hollowing,Tactic=Defense Evasion,Level=4,Alert=Process Hollowing Detected,Risk=100">0x0800</GrantedAccess>
 			<!-- PROCESS_SUSPEND_RESUME -->
@@ -3710,6 +3748,7 @@
 				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename> 
 				<TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename> 
 				<TargetFilename condition="contains">\AppData\Temp\</TargetFilename>
+				<Image condition="excludes">C:\WINDOWS\system32\dxgiadaptercache.exe</Image>
 			</Rule>
 			<TargetFilename condition="contains" name="Level=0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
 			<Image condition="contains" name="Level=0,Desc=Files Created from">$Recycle.Bin</Image>
@@ -4408,6 +4447,11 @@
 			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
 
 			<!--MITRE ATT&CK TACTIC: Persistence-->
+			<Rule name="Level=0,Forensic=Chrome Extension auditing" groupRelation="and">
+				<TargetObject condition="contains">Google\Chrome\Extensions</TargetObject>
+				<TargetObject condition="end with">update_url</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
 			<Rule name="Level=0,Desc=Forced password reset detected" groupRelation="and">
 				<TargetObject condition="contains">ForcePasswordReset</TargetObject>
@@ -4605,9 +4649,11 @@
 			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,Level=3,Alert=Suspicious Com Object Hijacking Locations,Risk=30" groupRelation="and">
 				<TargetObject condition="contains any">\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)</TargetObject>
 				<Details condition="contains any">C:\Users\Public\;$Recyclebin;\temp\;\Desktop\;\Downloads\;\Content.Outlook\;\Microsoft\Office\</Details>
+				<Details condition="excludes">C:\WINDOWS\SYSTEM32\UpdateDeploy.dll</Details>
 			</Rule>
 			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,Level=1,Desc=Com Object Hijacking Locations,Risk=30" groupRelation="and">
 				<TargetObject condition="contains any">\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)</TargetObject>
+				<Details condition="excludes">C:\WINDOWS\SYSTEM32\UpdateDeploy.dll</Details>
 			</Rule>
 			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,Level=1,Desc=TreatAs/ProgID Friendly Name Com Hijacking Evasion - check for following rundll32 -sta,Risk=30" groupRelation="and">
 				<TargetObject condition="contains any">\ProgID\(Default);\TreatAs\(Default)</TargetObject>
@@ -4637,6 +4683,7 @@
 			</Rule>
 			<Rule name="Attack=T1546,Technique=Event Triggered Execution,Tactic=Persistence,Level=3,Alert=Monitor Runtime Exeption Handler execution on crash,Risk=100" groupRelation="and">
 				<TargetObject condition="contains">\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules</TargetObject>
+				<Image condition="excludes all">C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{;}\EDGEMITMP_;.tmp\setup.exe</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
 			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
@@ -4706,6 +4753,11 @@
 			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
 			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
 			<TargetObject name="Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
+			<Rule name="Attack=T1564.002,Technique=Hide Artifacts: Hidden Users,Tactic=Defense Evasion,Level=4,Alert=User Account Hidden From Logon Screen,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\</TargetObject>
+				<TargetObject condition="end with">$</TargetObject>
+ 				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
 			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=4,Alert=Stealth Sysmon Change Detected,Risk=100" groupRelation="and">
@@ -4739,6 +4791,11 @@
 				<Image condition="excludes">C:\WINDOWS\system32\svchost.exe</Image>
 				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
 			</Rule>
+			<Rule name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,Level=4,Alert=Driver Altitude Change Detected - Causes Driver load failure on boot" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\</TargetObject>
+				<TargetObject condition="contains all">\Instances\;Altitude</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
 			<!--Detect Malware & Unauthorized Changes to Outlook, Excel, Powerpoint, and Access Security to enable execution of scripts/Macros -->
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=All Office Macros Enabled!,Risk=100" groupRelation="and">
 				<TargetObject condition="contains">\Security\Level</TargetObject>
@@ -5359,6 +5416,15 @@
 			<Rule name="Attack=T1096,Technique=Alternate Data Streams,Tactic=Defense Evasion,Level=0,Desc=Alternate Data Streams,Risk=10" groupRelation="and">
 				<TargetFilename condition="contains any">Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf</TargetFilename>
 			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonEnte Detection,Level=4,Risk=100" groupRelation="and">
+				<Hash condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hash>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonQuiet Detection,Level=4,Risk=100" groupRelation="and">
+				<Hash condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hash>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SharpEvtMute Detection,Level=4,Risk=100" groupRelation="and">
+				<Hash condition="contains">IMPHASH=330768a4f172e10acb6287b87289d83b</Hash>
+			</Rule>
 		</FileCreateStreamHash>
 	</RuleGroup>
 	<RuleGroup name="RG=ADS Exclude Group" groupRelation="or">
@@ -5421,7 +5487,10 @@
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 1" condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\svcctl;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\DserNamedPipe;\mypipe-;\windows.update.manager;\ntsvcs_;scerpc_;\demoagent;\PGMessagePipe;\MsFTeWds;\f4c3;\fullduplex_;\msrpc_;\f53f;\rpc_;\spoolss_;\win_svc;\SearchTextHarvester</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=EFSPotato Named Pipe Detection" condition="contains any">\pipe\</PipeName>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=EFSPotato Named Pipe Detection" groupRelation="and">
+				<PipeName condition="contains any">\pipe\</PipeName>
+				<PipeName condition="excludes">CtxSharefilepipe0</PipeName>
+			</Rule>
 			<!-- Noisy
 			<PipeName name="Level=0,Desc=SMB Session Enumeration" condition="contains">\srvsvc</PipeName>
 			-->
@@ -5600,10 +5669,16 @@
 			<QueryName name="Attack=T1188,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=4,Alert=Tor2Web,Risk=100" condition="contains any">darknet.to;hiddenservice.net;onion.cab;onion.city;onion.direct;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org</QueryName>
 			<QueryName name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=DNS Over HTTPS Detected" condition="contains any">adblock.mydns.network;ibksturm.synology.me;jcdns.fun;ibuki.cgnat.net;dns.twnic.tw;commons.host;doh.dnswarden.com;dns-nyc.aaflalo.me;dns.aaflalo.me;doh.appliedprivacy.net;doh.captnemo.in;doh.tiar.app;doh.tiarap.org;doh.defaultroutes.de;doh.dns.sb;dns.oszx.co;2.dnscrypt-cert.oszx.co;dnscrypt;edns.233py.com;hk-dns.233py.com;hk2dns.233py.com;hkdns.233py.com;hkdns.233py.com;ndns.233py.com;sdns.233py.com;wdns.233py.com;pastebin.com;dns.adguard.com;dns-family.adguard.com;security-filter-dns.cleanbrowsing.org;family-filter-dns.cleanbrowsing.org;adult-filter-dns.cleanbrowsing.org;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;dns.google;doh.opendns.com;dns.quad9.net;dns9.quad9.net;dns10.quad9.net;dns11.quad9.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;doh-ch.blahdns.com;doh-de.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;doh-2.seby.io;doh.seby.io;rdns.faelix.net;doh.li;doh.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk</QueryName>
 			<QueryName name="Level=0,Desc=DC Global Catalog Lookup" condition="begin with">gc._msdcs.</QueryName>
-			<QueryName name="Level=0,Desc=DC Lookup" condition="begin with">_ldap._tcp.dc._</QueryName>
 			<QueryName name="Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._tcp.dc._msdcs.</QueryName>
+			<QueryName name="Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._udp.dc._msdcs.</QueryName>
 			<QueryName name="Level=0,Desc=Primary DC Lookup" condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
-			<QueryName name="Level=0,Desc=Web Proxy Auto-Discovery Protocol Lookup" condition="is">wpad</QueryName>
+			<QueryName name="Level=0,Desc=Web Proxy Auto-Discovery Protocol Lookup" condition="begin with">wpad</QueryName>
+			<Rule name="Level=3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
+				<QueryName condition="begin with">_ldap.</QueryName>
+				<Image condition="excludes">C:\Windows\</Image>
+				<Image condition="excludes">unknown process</Image>
+				<Image condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</Image>
+			</Rule>
 			<!--
 			<QueryResults name="Level=0,Desc=AAAA Lookup" condition="begin with">type:  28</QueryResults>
 			<QueryResults name="Level=0,Desc=CNAME Lookup" condition="begin with">type:  5</QueryResults>
@@ -5948,6 +6023,117 @@
 			<Rule name="Level=0,Desc=Block LOLbins that drop files" groupRelation="and">
 				<Image condition="contains any">AcroRd32.exe;notepad.exe;mshta.exe;hh.exe;certutil.exe;certoc.exe;certreq.exe;desktopimgdownldr.exe;esentutl.exe;finger.exe;presentationhost.exe;cscript.exe;wscript.exe;mspaint.exe;RdrCEF.exe</Image>
 			</Rule>
+			<Rule name="Attack=T1311,Technique=User Execution: Malicious File,Tactic=Execution,Level=4,Alert=Malicious File Detection,Author=Florian Roth" groupRelation="or">
+				<Hashes condition="contains">IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932</Hashes> <!-- PetitPotam -->
+				<Hashes condition="contains">IMPHASH=3A19059BD7688CB88E70005F18EFC439</Hashes> <!-- PetitPotam -->
+				<Hashes condition="contains">IMPHASH=bf6223a49e45d99094406777eb6004ba</Hashes> <!-- PetitPotam -->
+				<Hashes condition="contains">IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=4C1B52A19748428E51B14C278D0F58E3</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=672B13F4A0B6F27D29065123FE882DFC</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=9528A0E91E28FBB88AD433FEABCA2456</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=D21BBC50DCC169D7B4D0F01962793154</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1</Hashes> <!-- JuicyPotato  -->
+				<Hashes condition="contains">IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC</Hashes> <!-- JuicyPotato  -->
+				<Hashes condition="contains">IMPHASH=6118619783FC175BC7EBECFF0769B46E</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=563233BFA169ACC7892451F71AD5850A</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=87575CB7A0E0700EB37F2E3668671A08</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=13F08707F759AF6003837A150A371BA1</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=1781F06048A7E58B323F0B9259BE798B</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=713C29B396B907ED71A72482759ED757</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=8B114550386E31895DFAB371E741123D</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793</Hashes> <!-- PwDumpX -->
+				<Hashes condition="contains">IMPHASH=9D68781980370E00E0BD939EE5E6C141</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=B18A1401FF8F444056D29450FBC0A6CE</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=CB567F9498452721D77A451374955F5F</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=730073214094CD328547BF1F72289752</Hashes> <!-- Htran -->
+				<Hashes condition="contains">IMPHASH=17B461A082950FC6332228572138B80C</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=819B19D53CA6736448F9325A85736792</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74</Hashes> <!-- PPLDump -->
+				<Hashes condition="contains">IMPHASH=0588081AB0E63BA785938467E1B10CCA</Hashes> <!-- PPLDump -->
+				<Hashes condition="contains">IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=4DA924CF622D039D58BCE71CDF05D242</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=E7A3A5C377E2D29324093377D7DB1C66</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=E6F9D5152DA699934B30DAAB206471F6</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=3AD59991CCF1D67339B319B15A41B35D</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=FFDD59E0318B85A3E480874D9796D872</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=0CF479628D7CC1EA25EC7998A92F5051</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=D6D0F80386E1380D05CB78E871BC72B1</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=38D9E015591BBFD4929E0D0F47FA0055</Hashes> <!-- HandleKatz -->
+				<Hashes condition="contains">IMPHASH=0E2216679CA6E1094D63322E3412D650</Hashes> <!-- HandleKatz -->
+				<Hashes condition="contains">IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=11083E75553BAAE21DC89CE8F9A195E4</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F</Hashes> <!-- CreateMiniDump -->
+				<Hashes condition="contains">IMPHASH=767637C23BB42CD5D7397CF58B0BE688</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=14C4E4C72BA075E9069EE67F39188AD8</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=7D010C6BB6A3726F327F7E239166D127</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=89159BA4DD04E4CE5559F132A9964EB3</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=5834ED4291BDEB928270428EBBAF7604</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=3DE09703C8E79ED2CA3F01074719906B</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F</Hashes> <!-- WCE -->
+				<Hashes condition="contains">IMPHASH=E96A73C7BF33A464C510EDE582318BF2</Hashes> <!-- WCE -->
+				<Hashes condition="contains">IMPHASH=32089B8851BBF8BC2D014E9F37288C83</Hashes> <!-- Sliver Stagers -->
+				<Hashes condition="contains">IMPHASH=09D278F9DE118EF09163C6140255C690</Hashes> <!-- Dumpert -->
+				<Hashes condition="contains">IMPHASH=03866661686829D806989E2FC5A72606</Hashes> <!-- Dumpert -->
+				<Hashes condition="contains">IMPHASH=E57401FBDADCD4571FF385AB82BD5D6D</Hashes> <!-- Dumpert -->
+				<Hashes condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hashes> <!-- SysmonEnte -->
+				<Hashes condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hashes> <!-- SysmonQuiet -->
+				<Hashes condition="contains">IMPHASH=330768A4F172E10ACB6287B87289D83B</Hashes> <!-- ShaprEvtMute Hook -->
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Tools that tamper with Sysmon,Author=Florian Roth" groupRelation="and">
+				<TargetFilename condition="contains any">\EntenLoader.exe;\SysmonQuiet.exe;\SharpEvtMute.exe;\EvtMuteHook.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Desc=Lolbins dropping binaries,Author=Florian Roth" groupRelation="or">
+				<Image condition="image">certutil.exe</Image>
+				<Image condition="image">certoc.exe</Image>
+				<Image condition="image">CertReq.exe</Image>
+				<!-- <Image condition="image">bitsadmin.exe</Image> (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env) -->
+				<Image condition="image">Desktopimgdownldr.exe</Image>
+				<Image condition="image">esentutl.exe</Image>
+				<!-- <Image condition="image">expand.exe</Image> (depends on the environment; comment in if you're sure that expand doesn't do that in your env) -->
+				<Image condition="image">finger.exe</Image>
+				<Image condition="image">presentationhost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Desc=Suspicious Bitsadmin Usage from Non System accounts,Author=@ionstorm" groupRelation="and">
+				<Image condition="image">bitsadmin.exe</Image>
+				<TargetFilename condition="excludes any">C:\Windows;$WINDOWS.;\SoftwareDistribution\</TargetFilename>
+				<User condition="is not">System</User>
+				<User condition="excludes any">TrustedInstaller;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</User>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Tools that tamper with Sysmon,Author=Florian Roth" groupRelation="and">
+				<TargetFilename condition="contains any">\EntenLoader.exe;\SysmonQuiet.exe;\SharpEvtMute.exe;\EvtMuteHook.dll</TargetFilename>
+			</Rule>
 		</FileBlockExecutable>
 	</RuleGroup>
 	</EventFiltering>

From e8f951649e7dc2d5386ab7f041dae9091b96707b Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 13 Sep 2022 14:08:54 -0400
Subject: [PATCH 353/471] remove testing rule

---
 sysmonconfig-export.xml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 475e245a..720ca294 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -3103,9 +3103,6 @@
 				<Image condition="excludes">C:\Windows\explorer.exe</Image>
 			</Rule>
 			<ImageLoaded name="Level=0,Desc=Global Assembly Cache Load" condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
-			<Rule name="Alert=TEST" groupRelation="and">
-				<ImageLoaded condition="contains all">cmd.exe;cmd.exe.mui</ImageLoaded>
-			</Rule>
 		</ImageLoad>
 	</RuleGroup>
 	<RuleGroup name="RG=Image Load Excludes" groupRelation="or">

From eff3c87e8079b68e7ee9837b27787690aafabe08 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Wed, 14 Sep 2022 09:48:50 -0400
Subject: [PATCH 354/471] Push noise reduction and additional detection rules.

---
 sysmonconfig-export.xml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 720ca294..0dd2b07f 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -214,6 +214,11 @@
 				<CommandLine condition="contains any">call set priority;call terminate;product get name;bios, get serialNumber;BIOS GET SERIALNUMBER;onboarddevice get;useraccount where name;useraccount get;path win32_networkadapter where index=;process list;useraccount get /ALL;useraccount list;qfe get description,installedOn /format:csv;process get caption,executablepath,commandline;service get name,displayname,pathname,startmode;share list;win32_share</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=Suspicious Console Host Execution Locations,Risk=30" groupRelation="and">
+				<ParentImage condition="contains any">C:\Users\;$Recycle;\Temp\;\Downloads\</ParentImage>
+				<CommandLine condition="is">\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1</CommandLine>
+				<Image condition="image">conhost.exe</Image>
+			</Rule>
 			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=Suspicious Console Host Parents,Risk=30" groupRelation="and">
 				<ParentImage condition="contains any">svchost.exe;lsass.exe;services.exe;smss.exe;winlogon.exe;explorer.exe;dllhost.exe;rundll32.exe;regsvr32.exe;userinit.exe;winit.exe;spoolsv.exe;wermgr.exe;csrss.exe;ctfmon.exe;werfault.exe</ParentImage>
 				<Image condition="image">conhost.exe</Image>
@@ -1915,7 +1920,7 @@
 			<CommandLine name="Level=0,Desc=vShadow Commands! https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/" condition="contains">-p -nw</CommandLine><!-- vshadow -->
 			<Image name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with shred Detected,Risk=100" condition="contains">shred</Image>
 			<ParentImage name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Diskshadow Execution,Risk=70" condition="contains">diskshadow</ParentImage>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=File Deletion,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Command Line File Deletion,Risk=100" groupRelation="or">
 				<CommandLine condition="contains all"> del ; /f </CommandLine>
 				<CommandLine condition="contains all"> del ; -f </CommandLine>
 				<CommandLine condition="contains all"> rmdir ; /s ; /q </CommandLine>
@@ -3202,6 +3207,7 @@
 				<SourceImage condition="excludes">C:\Windows\System32\igfxEM.exe</SourceImage>
 				<SourceImage condition="excludes">C:\Windows\System32\igfxHK.exe</SourceImage>
 				<SourceImage condition="excludes">Enterprise\Common7\IDE\devenv.exe</SourceImage>
+				<TargetImage condition="excludes">C:\Program Files (x86)\ASUS\ROG Live Service\FileOperator.exe</TargetImage>
 				<SourceImage condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</SourceImage>
 			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=CreateFileMapping,Risk=70" groupRelation="and">
@@ -3423,6 +3429,9 @@
 			</Rule>
 			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonEnte Detection,Level=4,Risk=100" groupRelation="and">
 				<TargetImage condition="contains any">C:\Windows\Sysmon64.exe;C:\Windows\Sysmon.exe</TargetImage>
+				<SourceImage condition="is not">C:\WINDOWS\system32\wbem\wmiprvse.exe</SourceImage>
+				<SourceImage condition="is not">C:\Program Files (x86)\ASUS\Update\AsusUpdate.exe</SourceImage>
+				<SourceImage condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</SourceImage>
 				<GrantedAccess condition="contains">0x1400</GrantedAccess>
 			</Rule>
 			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE: possible memory injection -->
@@ -3513,6 +3522,7 @@
 			</Rule>
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Dark Halo Software location,Risk=100" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\SoftwareDistribution</TargetFilename>
+				<TargetFilename name="Defender AntiMalware Delta Patch" condition="excludes all">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_;.exe</TargetFilename>
 				<TargetFilename condition="end with">.exe</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=0,Desc=MSBuild Source Files created" groupRelation="or">
@@ -4791,6 +4801,7 @@
 			<Rule name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,Level=4,Alert=Driver Altitude Change Detected - Causes Driver load failure on boot" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\</TargetObject>
 				<TargetObject condition="contains all">\Instances\;Altitude</TargetObject>
+				<TargetObject condition="is not">HKLM\System\CurrentControlSet\Services\CldFlt\Instances\CldFlt\Altitude</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
 			<!--Detect Malware & Unauthorized Changes to Outlook, Excel, Powerpoint, and Access Security to enable execution of scripts/Macros -->

From 8e3aac5411a8573a7861f74197213adc74b601cb Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Wed, 14 Sep 2022 17:17:05 -0400
Subject: [PATCH 355/471] Add more Forensic monitoring rules, add rpc execution
 named pipes and misc fixes/tagging.

---
 sysmonconfig-export.xml | 72 ++++++++++++++++++++++++++++-------------
 1 file changed, 50 insertions(+), 22 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 0dd2b07f..6cc483be 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -5322,25 +5322,48 @@
 			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\Today\UserDefinedUrl</TargetObject>
 			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Calendar Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Calendar</TargetObject>
 			<TargetObject name="Forensic=Office History" condition="contains">\Place MRU</TargetObject>
-			<TargetObject name="Level=0,Desc=AmCache InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject>
-			<TargetObject name="Level=0,Desc=AmCache InvDB-DriverVer" condition="end with">\DriverVerVersion</TargetObject>
-			<TargetObject name="Level=0,Desc=AmCache InvDB-DriverVer" condition="end with">\DriverVersion</TargetObject>
-			<TargetObject name="Level=0,Desc=AmCache InvDB-Path" condition="end with">\LowerCaseLongPath</TargetObject>
-			<TargetObject name="Level=0,Desc=AmCache InvDB-Pub" condition="end with">\Publisher</TargetObject>
-			<TargetObject name="Level=0,Desc=AmCache InvDB-Store" condition="contains">Compatibility Assistant\Store\</TargetObject>
-			<TargetObject name="Level=0,Desc=AmCache InvDB-Ver" condition="end with">\BinProductVersion</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVerVersion</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVersion</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache InvDB-Path" condition="end with">\LowerCaseLongPath</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache InvDB-Pub" condition="end with">\Publisher</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache InvDB-Store" condition="contains">Compatibility Assistant\Store\</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache InvDB-Ver" condition="end with">\BinProductVersion</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache Application Shortcuts" condition="contains">Root\InventoryApplicationShortcut\</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache Driver Binary Info" condition="contains">Root\InventoryDriverBinary\</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache Device Info" condition="contains">Root\InventoryDeviceContainer\</TargetObject>
+			<Rule name="Level=0,Forensic=AmCache Application Installation Info" groupRelation="and">
+				<TargetObject condition="contains">Root\InventoryApplication\</TargetObject>
+				<TargetObject condition="contains any">ProgramID;Name;Version;Publisher;Language;InstallDate;Source;RootDirPath;HiddenArp;UninstallString;RegistryKeyPath;UserSID;sha256</TargetObject>
+			</Rule>			
+			<Rule name="Level=0,Forensic=AmCache Application File Info" groupRelation="and">
+				<TargetObject condition="contains">Root\InventoryApplicationFile\</TargetObject>
+				<TargetObject condition="contains any">ProgramId;FileId;LowerCaseLongPath;Name;OriginalFileName;Publisher;Version;binfileversion;LinkDate;Size;Language;USN;IsPeFile;IsOsComponent;sha256;AppxPackageFullName</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Forensic=AmCache AppV Application Inventory" groupRelation="and">
+				<TargetObject condition="contains">Root\InventoryApplicationAppV\</TargetObject>
+			</Rule>
+			<Rule name="Level=0,Forensic=AmCache Office Information" groupRelation="and">
+				<TargetObject condition="contains any">Root\InventoryMiscellaneousOfficeAddIn;Root\InventoryMiscellaneousOfficeIdentifiers;Root\InventoryMiscellaneousOfficeIESettings;Root\InventoryMiscellaneousOfficeInsights;Root\InventoryMiscellaneousOfficeProducts;Root\InventoryMiscellaneousOfficeSettings;Root\InventoryMiscellaneousOfficeVBA;Root\InventoryMiscellaneousOfficeVBARuleViolations</TargetObject>
+			</Rule>
 			<TargetObject name="Level=0,Desc=User Mount Points" condition="end with">\Explorer\MountPoints2</TargetObject>
+			<TargetObject name="Level=0,Desc=Monitor DOS Devices Virtual Registry Paths" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices</TargetObject>
+			<Rule name="Attack=T1489,Technique=Service Stop,Tactic=Impact,Level=1,Desc=Service Set for Deletion" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\DeleteFlag</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
 			<!--Detect User Activity-->
-			<TargetObject name="Level=0,Desc=Detect Bluetooth Audio Capture" condition="contains">\ConsentStore\bluetooth</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Contacts Accesses" condition="contains">\ConsentStore\contacts</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Input Capture Accesses/Keyloggers" condition="contains">\ConsentStore\hunmanInterfaceDevice</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Location Accesses" condition="contains">\ConsentStore\location</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Microphone Accesses" condition="contains">\ConsentStore\microphone</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect USB Accesses" condition="contains">\ConsentStore\usb\</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Webcam Accesses" condition="contains">\ConsentStore\webcam</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect humanInterfaceDevice Accesses" condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
-			<TargetObject name="Level=0,Desc=Explorer Last Visited MRU" condition="contains">LastVisitedMRU</TargetObject>
-			<TargetObject name="Level=0,Desc=Regedit Applets" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
+			<TargetObject name="Level=0,Forensic=Detect Bluetooth Audio Capture" condition="contains">\ConsentStore\bluetooth</TargetObject>
+			<TargetObject name="Level=0,Forensic=Detect Contacts Accesses" condition="contains">\ConsentStore\contacts</TargetObject>
+			<TargetObject name="Level=0,Forensic=Detect Input Capture Accesses/Keyloggers" condition="contains">\ConsentStore\hunmanInterfaceDevice</TargetObject>
+			<TargetObject name="Level=0,Forensic=Detect Location Accesses" condition="contains">\ConsentStore\location</TargetObject>
+			<TargetObject name="Level=0,Forensic=Detect Microphone Accesses" condition="contains">\ConsentStore\microphone</TargetObject>
+			<TargetObject name="Level=0,Forensic=Detect USB Accesses" condition="contains">\ConsentStore\usb\</TargetObject>
+			<TargetObject name="Level=0,Forensic=Detect Webcam Accesses" condition="contains">\ConsentStore\webcam</TargetObject>
+			<TargetObject name="Level=0,Forensic=Detect humanInterfaceDevice Accesses" condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
+			<TargetObject name="Level=0,Forensic=Explorer Last Visited MRU" condition="contains">LastVisitedMRU</TargetObject>
+			<TargetObject name="Level=0,Forensic=Regedit Applets" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
 			<TargetObject name="Forensic=Run MRU" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
 			<TargetObject name="Level=0,Desc=USBStor USB Device History" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
 			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=4,Alert=Safeboot Service Added" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
@@ -5350,14 +5373,14 @@
 			<TargetObject name="Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject><!--Mitre T1198-->
 			<TargetObject name="Level=0,Desc=Detect: Dns Server dll injection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
 			<TargetObject name="Level=0,Desc=Detect: UAC Bypass" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> 
-			<TargetObject name="Level=0,Desc=New Device Connected" condition="end with">\FriendlyName</TargetObject>
+			<TargetObject name="Level=0,Forensic=New Device Connected" condition="end with">\FriendlyName</TargetObject>
 			<TargetObject name="Level=0,Desc=Providers notified by Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
 			<TargetObject name="Level=0,Desc=Proxy Autoconfig URL" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
 			<TargetObject name="Level=0,Desc=Shell Service Object Delay Load" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
 			<TargetObject name="Level=0,Desc=Windows Installer Engaged" condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
 			<!--Windows application compatibility shims-->
-			<TargetObject name="Level=0,Desc=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetObject name="Level=0,Desc=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetObject name="Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetObject name="Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
 			<TargetObject name="Level=0,Desc=Process Tracing Modifications,,Risk=30" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
 			<!-- NOTICE: Detect New USB Network Devices: Poison Tap: Creates lots of noise, disabled for now
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
@@ -5469,6 +5492,12 @@
 				<PipeName condition="end with">-stdin</PipeName>
 				<PipeName condition="end with">-stdout</PipeName>
 			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=MS-SCMR Execution" groupRelation="or">
+				<PipeName condition="contains">\svcctl</PipeName>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=NTSVCS Execution" groupRelation="or">
+				<PipeName condition="contains">\ntsvcs</PipeName>
+			</Rule>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=9f81f59bc58452127884ce513865ed20 Named Pipe Detection,Risk=100" condition="contains">\9f81f59bc58452127884ce513865ed20</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=46a676ab7f179e511e30dd2dc41bd388 Named Pipe Detection,Risk=100" condition="contains">\46a676ab7f179e511e30dd2dc41bd388</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Kekeo Named Pipe Detection,Risk=100" condition="contains">tssmp_endpoint</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
@@ -5492,7 +5521,7 @@
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=winsession Named Pipe Detection,Risk=100" condition="contains">\winsession</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
 			<PipeName name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,Alert=lateral movement -meterpreter named pipe detected,Risk=100" condition="contains">msf-pipe</PipeName>
 			<PipeName name="Level=0,Desc=LM or EXEC over atsvc named pipe" condition="contains">\atsvc</PipeName> <!-- useful for lm or exec over atsvc namedpipe -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 1" condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\svcctl;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 1" condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\DserNamedPipe;\mypipe-;\windows.update.manager;\ntsvcs_;scerpc_;\demoagent;\PGMessagePipe;\MsFTeWds;\f4c3;\fullduplex_;\msrpc_;\f53f;\rpc_;\spoolss_;\win_svc;\SearchTextHarvester</PipeName>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=EFSPotato Named Pipe Detection" groupRelation="and">
@@ -5562,7 +5591,6 @@
 			<PipeName condition="is">\browser</PipeName>
 			<PipeName condition="is">\epmapper</PipeName>
 			<PipeName condition="is">\eventlog</PipeName>
-			<PipeName condition="is">\ntsvcs</PipeName>
 			<PipeName condition="is">\scerpc</PipeName>
 			<PipeName condition="is">\wkssvc</PipeName>
 			<PipeName condition="is">\ntapvsrq</PipeName>

From 0ab288007ec18b3d81b3e84efbb1b304779d51e8 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Wed, 14 Sep 2022 17:18:45 -0400
Subject: [PATCH 356/471] removing services from named pipe exclusion list as
 this can spawn pipes that execute via rpc.

---
 sysmonconfig-export.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 6cc483be..0c437378 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -5552,7 +5552,6 @@
 			<Image condition="image">C:\Windows\system32\wbem\wmiprvse.exe</Image> <!-- Rediculous amount of spam, likely spikes cpu if logged -->
 			<Image condition="image">C:\Windows\System32\LxRun.exe</Image> <!--WSL-->
 			<Image condition="image">C:\Windows\System32\SearchIndexer.exe</Image>
-			<Image condition="image">C:\Windows\System32\services.exe</Image>
 			<Image condition="image">C:\Windows\System32\smss.exe</Image>
 			<Image condition="image">C:\Windows\System32\spoolsv.exe</Image>
 			<Image condition="image">C:\Windows\System32\wininit.exe</Image>

From 75a929340c93a7f017b68c55219d34834bf173c5 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Wed, 14 Sep 2022 17:33:05 -0400
Subject: [PATCH 357/471] Improve PoisonTap rule to detect rndis drivers loaded
 via Details.

---
 sysmonconfig-export.xml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 0c437378..b4fa7006 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -5382,9 +5382,11 @@
 			<TargetObject name="Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
 			<TargetObject name="Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
 			<TargetObject name="Level=0,Desc=Process Tracing Modifications,,Risk=30" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
-			<!-- NOTICE: Detect New USB Network Devices: Poison Tap: Creates lots of noise, disabled for now
-			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
-			-->
+			<!-- NOTICE: Detect New USB Network Devices: Poison Tap: Creates lots of noise, disabled for now-->
+			<Rule name="Alert=Detect PoisonTap,FP=2,Comment=May be noisy" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
+				<Details condition="contains any">ndis;rndis</Details>
+			</Rule>
 			<TargetObject name="Attack=T1090,Technique=Connection Proxy,Tactic=Defense Evasion,Level=0,Desc=NetSH PortProxy Detected" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4</TargetObject>
 			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Alert=Possible Ursniff Malware Detected,FP=1" groupRelation="and">
 				<TargetObject condition="contains">\Software\AppDataLow\Software\Microsoft\</TargetObject>
@@ -5552,6 +5554,7 @@
 			<Image condition="image">C:\Windows\system32\wbem\wmiprvse.exe</Image> <!-- Rediculous amount of spam, likely spikes cpu if logged -->
 			<Image condition="image">C:\Windows\System32\LxRun.exe</Image> <!--WSL-->
 			<Image condition="image">C:\Windows\System32\SearchIndexer.exe</Image>
+			<Image condition="image">C:\Windows\System32\services.exe</Image>
 			<Image condition="image">C:\Windows\System32\smss.exe</Image>
 			<Image condition="image">C:\Windows\System32\spoolsv.exe</Image>
 			<Image condition="image">C:\Windows\System32\wininit.exe</Image>

From 9fa170df84b8a58560d2186aa2089fd41cfe021d Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Wed, 14 Sep 2022 17:34:29 -0400
Subject: [PATCH 358/471] remove services whitelist

---
 sysmonconfig-export.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index b4fa7006..8e9c3cef 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -5554,7 +5554,6 @@
 			<Image condition="image">C:\Windows\system32\wbem\wmiprvse.exe</Image> <!-- Rediculous amount of spam, likely spikes cpu if logged -->
 			<Image condition="image">C:\Windows\System32\LxRun.exe</Image> <!--WSL-->
 			<Image condition="image">C:\Windows\System32\SearchIndexer.exe</Image>
-			<Image condition="image">C:\Windows\System32\services.exe</Image>
 			<Image condition="image">C:\Windows\System32\smss.exe</Image>
 			<Image condition="image">C:\Windows\System32\spoolsv.exe</Image>
 			<Image condition="image">C:\Windows\System32\wininit.exe</Image>

From 234662c09842988b982c04226f14d6cf3e05123d Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Thu, 15 Sep 2022 18:07:38 -0400
Subject: [PATCH 359/471] Add UsageLog/ETW Log tampering rules

---
 sysmonconfig-export.xml | 39 +++++++++++++++++++++++++++++++++++----
 1 file changed, 35 insertions(+), 4 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 8e9c3cef..4bbab408 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -781,6 +781,18 @@
 				<CommandLine condition="contains all">DontLog;True</CommandLine>
 				<Image condition="excludes">iisetup.exe</Image>
 			</Rule>
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=Usagelog Env Tampering,Risk=70" groupRelation="or">
+				<CommandLine condition="contains all">set;NGenAssemblyUsageLog</CommandLine>
+				<CommandLine condition="contains all">New-ItemProperty;NGenAssemblyUsageLog</CommandLine>
+				<CommandLine condition="contains all">reg;add;dword;NGenAssemblyUsageLog</CommandLine>
+				<CommandLine condition="contains all">$env;NGenAssemblyUsageLog</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=COMPlus_ETWEnabled Env Tampering,Risk=70" groupRelation="or">
+				<CommandLine condition="contains all">set;COMPlus_ETWEnabled</CommandLine>
+				<CommandLine condition="contains all">New-ItemProperty;COMPlus_ETWEnabled</CommandLine>
+				<CommandLine condition="contains all">reg;add;dword;COMPlus_ETWEnabled</CommandLine>
+				<CommandLine condition="contains all">$env;COMPlus_ETWEnabled</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
 			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux exec,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains any">bash.exe;wsl.exe;ubuntu.exe;kali.exe</OriginalFileName>
@@ -3227,6 +3239,10 @@
 			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Detected 2,Risk=100" condition="end with">0C7C</StartAddress>
 			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Detected 3,Risk=100" condition="end with">0C88</StartAddress>
 			<TargetImage name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=Remote Desktop injection,Risk=30" condition="image">c:\windows\system32\mstsc.exe</TargetImage>
+			<Rule name="Alert=Potentially Detect EtwEventWrite Tampering with remote threads" groupRelation="and">
+				<StartModule condition="is">C:\WINDOWS\SYSTEM32\ntdll.dll</StartModule>
+				<StartFunction condition="contains">EtwEventWrite</StartFunction>
+			</Rule>
 		</CreateRemoteThread>
 	</RuleGroup>
 	<RuleGroup name="RG=CreateRemoteThread Exclude Group" groupRelation="or">
@@ -3273,7 +3289,7 @@
 			<Rule name="Level=0,Desc=Dotnet Debugging detected,Risk=30" groupRelation="and">
 				<CallTrace condition="contains">ntdll.dll+a0044</CallTrace>
 			</Rule>
-			<Rule name="Level=0,Desc=DInvoke detected,Risk=100" groupRelation="and">
+			<Rule name="Level=0,Alert=DInvoke detected,Risk=100" groupRelation="and">
 				<CallTrace condition="contains any">clr.dll+6c23;clr.dll+6b38</CallTrace>
 			</Rule>
 			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 1,Risk=30" groupRelation="and">
@@ -3417,7 +3433,7 @@
 				<CallTrace condition="contains">|C:\WINDOWS\System32\KERNELBASE.dll+</CallTrace>
 				<CallTrace condition="end with">)</CallTrace>
 				<GrantedAccess condition="contains any">0x1028;0x1fffff</GrantedAccess>
-				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\</SourceImage>
+				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git\</SourceImage>
 			</Rule>
 			<Rule name="Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
 				<SourceImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</SourceImage>
@@ -3431,7 +3447,7 @@
 				<TargetImage condition="contains any">C:\Windows\Sysmon64.exe;C:\Windows\Sysmon.exe</TargetImage>
 				<SourceImage condition="is not">C:\WINDOWS\system32\wbem\wmiprvse.exe</SourceImage>
 				<SourceImage condition="is not">C:\Program Files (x86)\ASUS\Update\AsusUpdate.exe</SourceImage>
-				<SourceImage condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</SourceImage>
+				<SourceImage condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe;C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe;C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</SourceImage>
 				<GrantedAccess condition="contains">0x1400</GrantedAccess>
 			</Rule>
 			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE: possible memory injection -->
@@ -4689,7 +4705,7 @@
 				<EventType condition="is">CreateKey</EventType>
 			</Rule>
 			<Rule name="Attack=T1546,Technique=Event Triggered Execution,Tactic=Persistence,Level=3,Alert=Monitor Runtime Exeption Handler execution on crash,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules</TargetObject>
+				<TargetObject condition="contains">\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules\</TargetObject>
 				<Image condition="excludes all">C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{;}\EDGEMITMP_;.tmp\setup.exe</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
@@ -4899,6 +4915,21 @@
 			<TargetObject name="Level=0,Desc=App added to Firewall Auth list" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
 
 			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=ETWEnabled Env Tampering,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\.NETFramework\ETWEnabled</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=Usagelog Tampering,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\.NETFramework\NGenAssemblyUsageLog</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=Usagelog Env Tampering,Risk=70" groupRelation="and">
+				<EventType condition="is">SetValue</EventType>
+				<TargetObject condition="contains">\Environment\NGenAssemblyUsageLog</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=COMPlus_ETWEnabled Env Tampering,Risk=70" groupRelation="and">
+				<EventType condition="is">SetValue</EventType>
+				<TargetObject condition="contains">\Environment\COMPlus_ETWEnabled</TargetObject>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->

From 3ca57014e49bcd040e3aeca3b13726c69a2348f9 Mon Sep 17 00:00:00 2001
From: cyberkryption <cyberkryption@gmail.com>
Date: Sun, 18 Sep 2022 12:52:59 +0100
Subject: [PATCH 360/471] Updated Level 0 background events

All common background forensic events have same name field structure
---
 sysmonconfig-cyberkryption.xml | 6208 ++++++++++++++++++++++++++++++++
 1 file changed, 6208 insertions(+)
 create mode 100644 sysmonconfig-cyberkryption.xml

diff --git a/sysmonconfig-cyberkryption.xml b/sysmonconfig-cyberkryption.xml
new file mode 100644
index 00000000..540c518d
--- /dev/null
+++ b/sysmonconfig-cyberkryption.xml
@@ -0,0 +1,6208 @@
+<!--
+	   ____                           ___ ________________    _______ __
+	  / __/_ _____ __ _  ___  ___    / _ /_  __/_  __/ __/___/ ___/ //_/
+	 _\ \/ // (_-</  ' \/ _ \/ _ \  / __ |/ /   / /  > _/_ _/ /__/ ,<   
+	/___/\_, /___/_/_/_/\___/_//_/ /_/ |_/_/   /_/  |_____/ \___/_/|_|  
+		/___/                                                           
+	author:	ionstorm
+	project:	https://github.com/ion-storm/sysmon-config
+	license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
+	Methodology: Detect the Most Techniques per Data source in MITRE ATT&CK.
+				 Provide Visibility into Forensic Artifact Events for UEBA.
+				 Detect Exploitation events with wide CVE Coverage.
+				 Risk Scoring of CVE, UEBA, Forensic, MITRE ATT&CK Events.
+				 
+				 Primary Tags:
+				 Attack: Mitre ATT&CK Identifier
+				 Technique: Mitre ATT&CK Technique
+				 Tactic: Mitre ATT&CK Tactic
+				 Alert: Alert Text for SIEM/XDR
+				 Info: Informational Alert Text
+				 Level: The level field contains one of five string values. It describes the criticality of a triggered rule. 
+				 While low and medium level events have an informative character, events with high and critical level should 
+				 lead to immediate reviews by security analysts.
+				 Desc: Description of non-alerting UEBA/Behavioral Based Rules
+				 Forensic: Forensic Artifacts
+				 CVE: CVE Vulnerability Identification
+				 FP: False Positive Rate
+				 Author: Author of rule
+				 
+				 Additional Tag Details:
+				 Rapid Response Tags: (for EDR/XDR/SIEM Response & Automation)
+				 kp=y 	Kill process with child processes
+				 kpp=y 	Kill Parent Processes & all Child Processes
+				 kc=y    Kill network connections
+				 ki=y    Kill Injected Thread
+				 sd=y 	Shutdown System
+				 fw=y	Add Windows Firewall Rule to block inbound/outbound network connectivity from process
+				 yara=y  Yara Scan file
+				 ydel=y  Delete on Yara Detection
+				 rf=y    Restore Deleted File
+				 nr=y 	Null route ip
+				 iso=y Isolate Host
+				 SD=y Service Desk Ticket
+				 SOC=y SOC Ticket Creation
+				 
+				 Risk Score ratings: (Risk=??)
+				 Low Risk: 1-39
+				 Medium Risk: 40-69
+				 High Risk: 70-89
+				 Critical Risk: 90-100
+				 
+				 Levels: (from Sigma)
+				 (0) informational: Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered 
+				 by such rules because it is expected that a huge amount of events will match these rules.
+				 (1) low: Notable event but rarely an incident. Low rated events can be relevant in high numbers or combination with others. 
+				 Immediate reaction shouldn't be necessary, but a regular review is recommended.
+				 (2) medium: Relevant event that should be reviewed manually on a more frequent basis.
+				 (3) high: Relevant event that should trigger an internal alert and requires a prompt review.
+				 (4) critical: Highly relevant event that indicates an incident. Critical events should be reviewed immediately.
+				 
+				 False Positive Rates: (FP=?)
+				 (0) Zero False Positives rate
+				 (1) Some False Positives rate
+				 (2) Medium False Positive rate
+				 (3) High False Positive rate
+				 
+				 Properly Escape in XML:
+				 < &lt;
+				 > &gt;
+				 " &quot;
+				 ' &apos;
+				 & &amp;
+				 
+				 Other Notes:
+				 The Rulename field has a hard limit of 255 characters, make the best of the size available, shorten tags and descriptions as needed.
+				 Add exclusions in line enclosed within a Compound rule rather than a global exclusion list.
+-->
+<Sysmon schemaversion="4.82">
+	<HashAlgorithms>md5,sha256,imphash</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
+	<CheckRevocation/>
+	<EventFiltering>
+	<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
+	<RuleGroup name="RG=ProcessCreate Include Group" groupRelation="or">
+		<ProcessCreate onmatch="include">
+			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
+			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
+			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,Level=3,Alert=Nessus Scan Detected,Risk=100" groupRelation="or">
+				<ParentCommandLine condition="contains any">TEMP\nessus_;nessus_task_list</ParentCommandLine>
+				<CommandLine condition="contains any">TEMP\nessus_;nessus_task_list</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
+				<CommandLine condition="contains any">rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe</CommandLine>
+				<OriginalFileName condition="is any">advanced_port_scanner.exe;rcpping.exe;nc.exe;nc64.exe;netcat.exe;ncat.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe</OriginalFileName>
+				<Product condition="contains any">Network Scanner;Advanced IP Scanner</Product>
+			</Rule>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=4,Alert=ADFind.exe Discovery,Risk=100" groupRelation="or">
+				<OriginalFileName condition="contains">adfind</OriginalFileName>
+				<Product condition="contains">adfind</Product>
+				<CommandLine condition="contains any">-gcb -sc;/gcb /sc;-f (objectcategory=;/f (objectcategory=;trustdmp</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
+
+			<!--MITRE ATT&CK TACTIC: Resource Development-->
+			<Rule name="Attack=T1587,Technique=Develop Capabilities,Tactic=Resource Development,Alert=PurpleSharp Indicator,Risk=40" groupRelation="or">
+				<CommandLine condition="contains any">PurpleSharp;xyz123456</CommandLine> 
+				<OriginalFileName condition="contains any">PurpleSharp</OriginalFileName> 
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
+			<CommandLine name="Attack=T1584.002,Technique=Compromise Infrastructure: DNS Server,Tactic=Resource Development,Level=4,Alert=DNSCMD DLL exec" condition="contains">/serverlevelplugindll</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
+			<Rule name="Attack=T1587.003,Technique=Develop Capabilities: Digital Certificates,Tactic=Resource Development,Alert=netsh adding SSL Certificate,Risk=40" groupRelation="and">
+				<CommandLine condition="contains all">add;sslcert;http</CommandLine> 
+			</Rule>
+			<CommandLine name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Level=3,Alert=netsh removing SSL Certificate,Risk=40" condition="contains">http del sslcert</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
+
+			<!--MITRE ATT&CK TACTIC: Initial Access-->
+			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Executed files within Outlook Attachments,Risk=30" groupRelation="and">
+				<Image condition="contains">C:\Users\</Image>
+				<Image condition="contains">Content.Outlook</Image>
+			</Rule>
+			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Arbitrary Shell Command Execution Via Settingcontent-Ms,Risk=30" groupRelation="and">
+				<CommandLine condition="contains">.SettingContent-ms</CommandLine>
+				<CommandLine condition="excludes">immersivecontrolpanel</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Double File Extension,Risk=100" groupRelation="or">
+				<Image condition="end with">.doc.exe</Image>
+				<Image condition="end with">.docx.exe</Image>
+				<Image condition="end with">.docx.exe</Image>
+				<Image condition="end with">.xls.exe</Image>
+				<Image condition="end with">.xlsx.exe</Image>
+				<Image condition="end with">.ppt.exe</Image>
+				<Image condition="end with">.pptx.exe</Image>
+				<Image condition="end with">.rtf.exe</Image>
+				<Image condition="end with">.pdf.exe</Image>
+				<Image condition="end with">.txt.exe</Image>
+				<Image condition="end with">      .exe</Image>
+				<Image condition="end with">______.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Suspicious HWP Sub Processes,Risk=70" groupRelation="and">
+				<ParentImage condition="image">Hwp.exe</ParentImage>
+				<Image condition="image">gbb.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,CVE=CVE-2020-1350,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
+				<ParentCommandLine condition="contains all">svchost.exe;termsvcs</ParentCommandLine>
+				<Image condition="excludes any">rdpclip.exe;csrss.exe;wininit.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,CVE=CVE-2020-1350,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
+				<ParentImage condition="image">dns.exe</ParentImage>
+				<Image condition="excludes any">werfault.exe;conhost.exe;dnscmd.exe;dns.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1190,Tactic=Initial Access,Technique=Exploit Public-Facing Application,CVE=CVE-2019-0708,Level=4,Alert=Terminal Service Process Spawn,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">UMWorkerProcess.exe;UMService.exe</ParentImage>
+				<CommandLine condition="excludes any">perfenabled</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1190,Tactic=Initial Access,Technique=Exploit Public-Facing Application,CVE=CVE-2021-26857,Level=4,Alert=HAFNIUM APT Exchange UMS Process,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">UMWorkerProcess.exe;UMService.exe</ParentImage>
+				<CommandLine condition="excludes any">perfenabled</CommandLine>
+				<Image condition="excludes any">wemgr.exe;werfault.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=wwwroot Web Server Exploitation Detected,Risk=100" groupRelation="and">
+				<Image condition="contains any">\wwwroot\</Image>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Atlassian Confluence Remote Exploit,Risk=100,CVE=CVE-2021-26084" groupRelation="and">
+				<ParentImage condition="end with">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
+				<CommandLine condition="contains any">cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Generic Java Webapp Remote Exploit,Risk=100" groupRelation="and">
+				<ParentImage condition="image">\jre\bin\java.exe</ParentImage>
+				<Image condition="contains any">cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe</Image>
+				<!--Allow Confluence Rule to fire-->
+				<ParentImage condition="excludes">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Generic Java keytool Exploit,Risk=100" groupRelation="and">
+				<ParentImage condition="image">keytool.exe</ParentImage>
+				<Image condition="contains any">cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Apache Spark Exploit,CVE=CVE-2022-33891,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">bash.exe;cmd.exe;powershell.exe;pwsh.exe</ParentImage>
+				<CommandLine condition="contains any">id -Gn `;id /Gn `;id -Gn ';id /Gn '</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<Rule name="Attack=T1133,Technique=External Remote Services,Tactic=Initial Access,Level=2,Alert=Screenconnect Remote Access,Risk=50" groupRelation="and">
+				<CommandLine condition="contains all">e=Access&amp;;y=Guest&amp;;&amp;p=;&amp;c=;&amp;k=</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
+			
+			<!--MITRE ATT&CK TACTIC: Execution-->
+			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,Level=3,Alert=WMI Execution Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains all">process;call;create</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,Level=3,Alert=Suspicious WMIC Commands,Risk=30" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains any">call set priority;call terminate;product get name;bios, get serialNumber;BIOS GET SERIALNUMBER;onboarddevice get;useraccount where name;useraccount get;path win32_networkadapter where index=;process list;useraccount get /ALL;useraccount list;qfe get description,installedOn /format:csv;process get caption,executablepath,commandline;service get name,displayname,pathname,startmode;share list;win32_share</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=Suspicious Console Host Execution Locations,Risk=30" groupRelation="and">
+				<ParentImage condition="contains any">C:\Users\;$Recycle;\Temp\;\Downloads\</ParentImage>
+				<CommandLine condition="is">\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1</CommandLine>
+				<Image condition="image">conhost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=Suspicious Console Host Parents,Risk=30" groupRelation="and">
+				<ParentImage condition="contains any">svchost.exe;lsass.exe;services.exe;smss.exe;winlogon.exe;explorer.exe;dllhost.exe;rundll32.exe;regsvr32.exe;userinit.exe;winit.exe;spoolsv.exe;wermgr.exe;csrss.exe;ctfmon.exe;werfault.exe</ParentImage>
+				<Image condition="image">conhost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=Suspicious Console Host children,Risk=30" groupRelation="and">
+				<ParentImage condition="image">conhost.exe</ParentImage>
+				<Image condition="excludes any">:\Windows\splwow64.exe;:\Windows\System32\WerFault.exe;:\Windows\System32\conhost.exe</Image>
+			</Rule>
+			<!-- Disabled for now
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,UEBA=Execution Command Line tools by user,Risk=45" groupRelation="and">
+				<Image condition="contains any">\cmd.exe;WindowsTerminal;powershell</Image>
+				<ParentImage condition="image">explorer.exe</ParentImage>
+			</Rule>
+			-->
+			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,UEBA=Powershell as cmd.exe child process,Risk=39" groupRelation="and">
+				<ParentImage condition="image">cmd.exe</ParentImage>
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+				<CommandLine condition="excludes">Get-ItemProperty HKLM:\software\wow6432node\microsoft\windows\currentversion\uninstall\</CommandLine>
+				<CommandLine condition="excludes">mysql server</CommandLine>
+				<CommandLine condition="excludes">select-object displayversion,displayname</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,Level=3,Alert=Powershell ran from Scripting Utilities,Risk=50" groupRelation="and">
+				<ParentImage condition="contains any">cscript.exe;wscript.exe</ParentImage>
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,Level=3,Alert=Powershell ran from cscript or wscript,Risk=50" groupRelation="and">
+				<ParentImage condition="contains any">cscript.exe;wscript.exe</ParentImage>
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=4,Alert=Powershell Launched from mshta,Risk=100" groupRelation="and">
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+				<ParentImage condition="image">mshta.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Visual Basic,Tactic=Execution,UEBA=Suspicious WSCRIPT Command Line,Risk=50" groupRelation="and">
+				<Image condition="contains any">wscript.exe;cscript.exe</Image>
+				<CommandLine condition="excludes any">IEX;Net.WebClient;ospp.vbs;powershell;slmgr.vbs;spiceworks_upload</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=2,Alert=Suspicious wscript commands,Risk=60" groupRelation="and">
+				<Image condition="image">wscript.exe</Image>
+				<CommandLine condition="contains">.jse</CommandLine>
+				<CommandLine condition="contains">.js</CommandLine>
+				<CommandLine condition="contains">.vba</CommandLine>
+				<CommandLine condition="contains">.vbe</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=2,Alert=cscript execution,Risk=60" groupRelation="and">
+				<Image condition="image">cscript.exe</Image>
+				<CommandLine condition="contains">.js</CommandLine>
+				<CommandLine condition="contains">.jse</CommandLine>
+				<CommandLine condition="contains">.vba</CommandLine>
+				<CommandLine condition="contains">.vbe</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=4,Alert=Suspicious or Malicious mshta exec,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">mshta vbscript:CreateObject("Wscript.Shell");mshta vbscript:Execute("Execute;mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe;javascript:a=</CommandLine>
+				<CommandLine condition="contains any">.jpg;.png;.lnk;.xls;.doc;.zip;.sct;.hta</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059.003,Technique=Scripting,Tactic=Execution,Level=4,Alert=Possible WinNTI Malware,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">C:\Windows\Temp\hpqhvind.exe;C:\ProgramData\DRM\;Test.exe</ParentImage>
+				<Image condition="contains any">C:\ProgramData\DRM;wmplayer.exe;C:\ProgramData\DRM\CLR\CLR.EXE</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,UEBA=Registry Editor Opened by user,Risk=70" groupRelation="and">
+				<Image condition="image">regedit.exe</Image>
+				<ParentImage condition="image">explorer.exe</ParentImage>
+			</Rule>
+			<!-- Disabled for now
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Generic User Execution,Risk=1" groupRelation="and">
+				<ParentImage condition="image">explorer.exe</ParentImage>
+			</Rule>
+			-->
+			<Rule name="UEBA=Unusual Child Process,Risk=30" groupRelation="and">
+				<Image condition="is any">svchost.exe;taskhostw.exe;userinit.exe;smss.exe;csrss.exe;wininit.exe;winlogon.exe;lsass.exe;logonui.exe;services.exe</Image>
+				<Image condition="contains any">C:\windows\System32\;C:\windows\syswow64\</Image>
+				<ParentImage condition="excludes any">wininit.exe;winlogon.exe;services.exe;dwm.exe;System;smss.exe;svchost.exe</ParentImage>
+			</Rule>
+			<Rule name="UEBA=Unusual Print Spooler Child Process,Risk=30" groupRelation="and">
+				<ParentImage condition="contains any">\spoolsv.exe;\PrintIsolationHost.exe</ParentImage>
+				<Image condition="excludes any">C:\Windows\System32\spoolsv.exe;\GPLGS\gswin32c.exe;C:\Windows\System32\spool\drivers\;\bin\gswin64c.exe;C:\PROGRA~2\CUTEPD~1\;C:\Windows\EEFPrinter.exe</Image>
+				<CommandLine condition="excludes any">C:\Windows\system32\spool\DRIVERS</CommandLine>
+				<Company condition="excludes any">Brother Industries;Thomson Reuters</Company>
+			</Rule>
+			<ParentCommandLine name="Attack=T1059.001,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=4,Alert=Metasploit Detection,Risk=90" condition="contains">COMSPEC</ParentCommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">ScriptFile</CommandLine>
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\7z</CommandLine><!-- exec from 7zip -->
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\Temp1_</CommandLine><!-- exec from explorer -->
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">\AppData\Local\Temp\Rar$</CommandLine><!-- exec from winrar -->
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
+			<Rule name="Attack=T1059.001,Technique=Scripting,Tactic=Execution,Level=3,Alert=Powershell Launched from users folder,Risk=60" groupRelation="and">
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+				<ParentImage condition="begin with">C:\users\</ParentImage>
+				<ParentImage condition="excludes">Microsoft VS Code\Code.exe</ParentImage>
+				<ParentImage condition="excludes">\Deployment tool extract\setupodt.exe</ParentImage>
+			</Rule>
+			<CommandLine name="Attack=T1059.001,Technique=PowerShell,Tactic=Execution,Level=4,Alert=invoke-shellcode,Risk=100" condition="contains">Shellcode</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
+			<Image name="Level=4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">python.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
+			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,Level=3,Alert=JAVA DLL exec" condition="contains">-agentpath:</CommandLine>
+			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,Level=3,Alert=JAVA DLL exec" condition="contains">-agentlib:</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Browser Exploitation Detected,Risk=90" groupRelation="and">
+				<ParentImage condition="contains any">iexplore.exe;chrome.exe;firefox.exe;browser_broker.exe;vivaldi.exe;microsoftedge.exe;microsoftedgecp.exe;brave.exe;vivaldi.exe</ParentImage>
+				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
+				<ParentCommandLine condition="excludes any">apt-config</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Office Exploitation Detection,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe</ParentImage>
+				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
+				<CommandLine condition="excludes all">.cmd;-</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\system32\spool\DRIVERS\</CommandLine>
+				<CommandLine condition="excludes">PhotoViewer.dll</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Alert=Office Spawning exe within: User Home Dirs,Risk=80" groupRelation="and">
+				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe</ParentImage>
+				<Image condition="begin with">C:\Users\</Image>
+				<Image condition="end with">.exe</Image>
+				<Product condition="excludes">Zoom Video</Product>
+				<Product condition="excludes">Firefox</Product>
+				<Product condition="excludes">Microsoft Edge</Product>
+				<Product condition="excludes">Microsoft Teams</Product>
+				<Image condition="excludes">GrammarlyAddInSetupe</Image>
+				<Image condition="excludes">Teams.exe</Image>
+				<Image condition="excludes">Zoom.exe</Image>
+				<Image condition="excludes">browser_broker.exe</Image>
+				<Image condition="excludes">chrome.exe</Image>
+				<Image condition="excludes">edge.exe</Image>
+				<Image condition="excludes">firefox.exe</Image>
+				<Image condition="excludes">iexplore.exe</Image>
+				<Image condition="excludes">vivaldi.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Info=Office Spawning exe within: ProgramData,Risk=70" groupRelation="and">
+				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe</ParentImage>
+				<Image condition="begin with">C:\ProgramData\</Image>
+				<Product condition="excludes">Firefox</Product>
+				<Product condition="excludes">Microsoft Edge</Product>
+				<Product condition="excludes">Microsoft Teams</Product>
+				<Product condition="excludes">Zoom Video</Product>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Adobe Exploitation Detection,Risk=80" groupRelation="and">
+				<ParentImage condition="contains any">acrobat.exe;acrord32.exe</ParentImage>
+				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Web Server Exploitation Detected,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">apache;w3wp.exe;php-cgi.exe;nginx.exe;httpd.exe;tomcat;php.exe</ParentImage>
+				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Web Server Spawned cmd shell,Risk=100" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>				
+				<CommandLine condition="excludes any">ping 127.0.0.1</CommandLine>				
+				<CurrentDirectory condition="is">c:\windows\system32\inetsrv\</CurrentDirectory>				
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=SQL Server Exploitation Detected,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">sqlservr</ParentImage>
+				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;sh.exe;bash.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office MSHTML Exploit,Risk=100,CVE=CVE-2021-40444" groupRelation="and">
+				<ParentImage condition="contains any">winword.exe;powerpnt.exe;excel.exe</ParentImage>
+				<Image condition="is">control.exe</Image>
+				<CommandLine condition="excludes any">input.dll</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Follina msdt Exploit,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<Image condition="is">msdt.exe</Image>
+				<OriginalFileName condition="is">msdt.exe</OriginalFileName>
+				<CommandLine condition="contains all">BrowseForFile=;PCWDiagnostic</CommandLine>
+				<CommandLine condition="contains any">/af;-af</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=msdt via answer file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<Image condition="is">msdt.exe</Image>
+				<ParentImage condition="is not">pcwrun.exe</ParentImage>
+				<CommandLine condition="contains">PCWDiagnostic</CommandLine>
+				<CommandLine condition="contains any">/af;-af</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=msdt via diagcab file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<Image condition="is">msdt.exe</Image>
+				<CommandLine condition="contains any">/cab;-cab</CommandLine>
+				<CommandLine condition="contains">.diagcab</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=MSDT Executed with Suspicious Parent,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<ParentImage condition="contains any">powershell.exe;pwsh.exe;cmd.exe;mshta.exe;cscript.exe;wscript.exe;wsl.exe;rundll32.exe;regsvr32.exe</ParentImage>
+				<Image condition="is">msdt.exe</Image>
+			</Rule>
+			<ParentImage condition="image" name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Exploit - Equation Editor starts application,CVE=CVE-2017-11882">EQNEDT32.EXE</ParentImage> <!-- https://app.any.run/tasks/dfea0112-6fbe-4091-9161-1e8f25f611b0/-->
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=EPS Processing 0day,Risk=100,CVE=CVE-2017-0261" groupRelation="and">
+				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</ParentImage>
+				<Image condition="is">FLTLDR.EXE</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
+			<CommandLine name="Attack=T1559.002,Technique=Dynamic Data Exchange,Tactic=Execution" condition="contains any">/dde;-dde</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Native API-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=2,Alert=Scheduled Task Created,Risk=100" groupRelation="and">
+				<Image condition="image">schtasks.exe</Image>
+				<CommandLine condition="contains any">/create;-create;/change;-change</CommandLine>
+				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
+			</Rule>
+			<OriginalFileName name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=2,Alert=Scheduled Task Created,Risk=1" condition="is">taskeng.exe</OriginalFileName>
+			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=0,Desc=Schtasks task Run,Risk=60" groupRelation="and">
+				<Image condition="image">schtasks.exe</Image>
+				<CommandLine condition="contains any">/Run;-run</CommandLine>
+				<CommandLine condition="excludes">Sentinel\AutoRepair</CommandLine>
+				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,Level=2,Alert=Child process from schtasks" groupRelation="and">
+				<ParentImage condition="image">schtasks.exe</ParentImage>
+			</Rule>
+			<Image name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</Image>
+			<ParentImage name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</ParentImage>
+			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=0,Desc=Scheduled Task Started,Risk=0" groupRelation="and">
+				<ParentImage condition="image">C:\Windows\System32\svchost.exe</ParentImage>
+				<ParentCommandLine condition="contains all">netsvcs;-p;-s;Schedule</ParentCommandLine>
+				<CommandLine condition="excludes all">netsvcs;-p;-s;Schedule</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: System Services-->
+			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution,Level=0,Desc=Service Stop detected,Risk=0" groupRelation="and">
+				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
+				<CommandLine condition="contains">stop</CommandLine>
+				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution,Level=0,Desc=NET.EXE Service Start detected,Risk=30" groupRelation="and">
+				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
+				<CommandLine condition="contains">start</CommandLine>
+				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=3,Alert=Impacket Detection 1,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">wmiprvse.exe;mmc.exe;explorer.exe;services.exe</ParentImage>
+				<CommandLine condition="contains all">&#38;1;cmd.exe;\\127.0.0.1\;/Q /c</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=3,Alert=Impacket Detection 2,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">wmiprvse.exe;mmc.exe;explorer.exe;services.exe</ParentImage>
+				<CommandLine condition="contains all">&#38;1;cmd.exe;\\127.0.0.1\;-Q -c</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PowerSploit/Empire Persistence,Risk=100" groupRelation="and">
+				<CommandLine condition="contains all">schtasks;Create;ONLOGON;TN;Updater;TR;powershell</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence/Privilege Escalation,Level=2,Alert=Service added via SC,Risk=100" groupRelation="and">
+				<Image condition="image">sc.exe</Image>
+				<CommandLine condition="contains">create</CommandLine>
+				<CurrentDirectory condition="excludes any">\NIC_Emulex_Firmware\;C:\Windows\Temp\ExchangeSetup\</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence/Privilege Escalation,Level=2,Alert=Service binpath modification,Risk=100" groupRelation="and">
+				<Image condition="image">sc.exe</Image>
+				<CommandLine condition="contains all">config;binpath</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Privilege Escalation,Level=3,Alert=Shell as System Service,Risk=100" groupRelation="and">
+				<Image condition="contains any">cmd.exe;powershell.exe</Image>
+				<ParentImage condition="image">services.exe</ParentImage>
+			</Rule>
+			<CommandLine name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence,Level=2,Alert=Service added via Powershell,Risk=50" condition="contains">new-service</CommandLine>
+			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSEXESVC Child Process,Risk=100" condition="image">psexesvc.exe</ParentImage>
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec Execution,Risk=100" groupRelation="or">
+				<Description condition="contains">Execute processes remotely</Description>
+				<Image condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
+				<Description condition="contains">PsExec Service</Description> 
+				<Description condition="contains">PsExec Launched</Description> 
+			</Rule>
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=Sysinternals Initial Tool Execution,Risk=100" groupRelation="or">
+				<CommandLine condition="contains">accepteula</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec SYSTEM Execution,Risk=100" groupRelation="and">
+				<Description condition="contains">Execute processes remotely</Description>
+				<CommandLine condition="contains any">-s;/s</CommandLine>
+			</Rule>
+			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec Child Process,Risk=100" condition="image">psexec.exe</ParentImage>
+			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=2,Alert=PSKill Execution,Risk=100" condition="image">pskill.exe</ParentImage>
+			<Image name="Attack=T1035,Technique=Service Execution,Tactic=Execution,Level=2,Alert=PsKill Command" condition="contains">pskill</Image><!--Detect pskill-->
+			<Rule name="Attack=T1569.002,Technique=System Services,Tactic=Execution,Level=3,Alert=Remote Procedure Call Service Anomaly,Risk=75" groupRelation="and">
+				<ParentCommandLine condition="contains all">C:\WINDOWS\system32\svchost.exe;RPCSS</ParentCommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=AstraRoth Command Line detection" groupRelation="and">
+				<CommandLine condition="contains">&amp;&amp; type</CommandLine>
+				<CommandLine condition="contains">&gt;</CommandLine>
+				<CommandLine condition="contains">cmd.exe" /c cd</CommandLine>
+			</Rule>
+			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=3,Alert=Suspicious or Malicious Command Line events" groupRelation="and">
+				<CommandLine condition="contains any">ntdsutil;/set {default} recoveryenabled no;telnet ;-dumpcr;putty;bash.exe;pssh;shareenum;sekurlsa;reg save;reg  save;psscan;shellexec;vbscript:createobject;/output:clipboard;root\\default;root\\subscription;Wmiclass;WmiCl'+'as'+'s</CommandLine>
+			</Rule>
+			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Powershell Suspicious or Malicious events" groupRelation="or">
+				<CommandLine condition="contains any">ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy</CommandLine>
+				<ParentCommandLine condition="contains any">ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy</ParentCommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Ramnit Banker Malware,Risk=100" condition="contains">--disable-http2 --disable-quic</CommandLine>
+			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=DNSpionage Link click,Risk=100" condition="contains">/Client/Login?id=</CommandLine>
+			<ParentCommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=4,Alert=Emotet Child Process Detected" condition="contains">JABzA</ParentCommandLine>
+			<!--Suspicious/Malicious Hash Detection-->
+			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Malicious Hash Detected" groupRelation="or">
+				<Hashes condition="contains any">2f40abbb4f78e77745f0e657a19903fc953cc664;478dc5a5f934c62a9246f7d1fc275868f568bc07;37b4496e650b3994312c838435013560b3ca8571;37b4496e650b3994312c838435013560b3ca8571;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;807d86da63f0db1fc746d1f0b05bc357;849a2b0dc80aeca3d175c139efe5221c;86A4CAC227078B9C95C560C8F0370BF0;98908ce6f80ecc48628c8d2bf5b2a50c;a4b42c2c95d1f2ff12171a01c86cd64f;4abe604916c04fe3dd8b9cb3d501d3f;eac3e3ece94bc84e922ec077efb15edd;128CECC59C91C0D0574BC1075FE7CB40;88777aacd5f16599547926a4c9202862;0f49621b06f2cdaac8850c6e9581a594;17a36ac3e31f3a18936552aff2c80249;322cb39bc049aa69136925137906d855;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;3d129263f6a48647f103a04446fb0c2f;37cd353621b0f4fc6981b50071c94f01;1b60021baedc3f9201bcdb40e9b87f62;71345b139166482acaa568ac8816c7bc;5E022694C0DBD1FBBC263D608E577949;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc5733c013378fa418d13773f5bfe6f1;c579341f86f7e962719c7113943bb6e4;d326e629a90e78825645963b35e53a6a;5E022694C0DBD1FBBC263D608E577949;53841a0c6a3ff92976db08bfdf95e083;dc7e564809d6c2a2f3457c3c9b91f22b;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b;FE2CA1BE3BDA2A757036A89E54CC02DB;FE2CA1BE3BDA2A757036A89E54CC02DB</Hashes>
+			</Rule>
+			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=4,Alert=TajMahal APT Tool Detection,Risk=100" condition="contains any">22d142f11cf2a30ea4953e1fffb0fa7e;2317d65da4639f4246de200650a70753;27612cb03c89158225ca201721ea1aad;412956675fbc3f8c51f438c1abc100eb;daf2da52475fd8981b19ec3c321a983c;490a140093b5870a47edc29f33542fd2;51a7068640af42c3a7c1b94f1c11ab9d;533340c54bd25256873b3dca34d7f74e;684eca6b62d69ce899a3ec3bb04d0a5b;69a19abf5ba56ee07cdd3425b07cf8bf;6cfd131fef548fcd60fbcdb59317df8e;72dc98449b45a7f1ccdef27d51e31e91;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;80c37e062aa4c94697f287352acf2e9d;815f1f8a7bc1e6f94cb5c416e381a110;a43d3b31575846fa4c3992b4143a06da;08e82dc7bae524884b7dc2134942aadb;7bcd736a2394fc49f3e27b3987cce640;57314359df11ffdf476f809671ec0275;b72737b464e50aa3664321e8e001ff32;ce8ce92fb6565181572dce00d69c24f8;5985087678414143d33ffc6e8863b887;84730a6e426fbd3cf6b821c59674c8a0;d5377dc1821c935302c065ad8432c0d2;d8f1356bebda9e77f480a6a60eab36bb;92f8e3f0f1f7cc49fad797a62a169acd;9003cfaac523e94d5479dc6a10575e60;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;c1e7850da5604e081b9647b58248d7e8;99828721ac1a0e32e4582c3f615d6e57;f559c87b4a14a4be1bd84df6553aaf56;b9c208ea8115232bfd9ec2c62f32d6b8;061089d8cb0ca58e660ce2e433a689b3;0e9afd3a870906ebf34a0b66d8b07435;9c115e9a81d25f9d88e7aaa4313d9a8f;520ee02668a1c7b7c262708e12b1ba6b;7bfba2c69bed6b160261bdbf2b826401;77a745b07d9c453650dd7f683b02b3ed;3a771efb7ba2cd0df247ab570e1408b2;0969b2b399a8d4cd2d751824d0d842b4;fc53f2cd780cd3a01a4299b8445f8511;4e39620afca6f60bb30e031ddc5a4330;bfe3f6a79cad5b9c642bb56f8037c43b;3dfebce4703f30eed713d795b90538b5;9793afcea43110610757bd3b800de517;36db24006e2b492cafb75f2663f241b2;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;649ef1dd4a5411d3afcf108d57ff87af;320b2f1d9551b5d1df4fb19bd9ab253a;3d75c72144d873b3c1c4977fbafe9184;b9cf4301b7b186a75e82a04e87b30fe4;b4e67706103c3b8ee148394ebee3f268;7bfbd72441e1f2ed48fbc0f33be00f24;cdb303f61a47720c7a8c5086e6b2a743;2a6f7ec77ab6bd4297e7b15ae06e2e61;8403a28e0bffa9cc085e7b662d0d5412;3ffd2915d285ad748202469d4a04e1f5;04078ef95a70a04e95bda06cc7bec3fa;235d427f94630575a4ea4bff180ecf5d;8035a8a143765551ca7db4bc5efb5dfd;cacaa3bf3b2801956318251db5e90f3c;1aadf739782afcae6d1c3e4d1f315cbd;c3e255888211d74cc6e3fb66b69bbffb;d9e9f22988d43d73d79db6ee178d70a4;16ab79fb2fd92db0b1f38bedb2f02ed8;8da15a97eaf69ff7ee184fc446f19cf1;ffc7305cb24c1955f9625e525d58aeee;c0e72eb4c9f897410c795c1b360090ef;9ad6fa6fdedb2df8055b3d30bd6f64f1;44619a88a6cff63523163c6a4cf375dd;a571660c9cf1696a2f4689b2007a12c7;81229c1e272218eeda14892fa8425883;0ac48cfa2ff8351365e99c1d26e082ad;afcdf79be1557326c854b6e20cb900a7</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
+			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" condition="contains">a53a02b997935fd8eedcb5f7abab9b9f</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
+			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" condition="contains">e96a73c7bf33a464c510ede582318bf2</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
+			<Image name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=Emotet Execution Detected,Risk=100" condition="contains">serialfunc.exe</Image>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection" groupRelation="and">
+				<CommandLine condition="contains any">e PAA;en PAA;enc PAA;enco PAA;encode PAA;encoded PAA;encodedco PAA;encodedcom PAA;encodedcomm PAA;encodedcomma PAA;encodedcomman PAA;encodedcommand PAA;e IAA;en IAA;enc IAA;enco IAA;encode IAA;encoded IAA;encodedco IAA;encodedcom IAA;encodedcomm IAA;encodedcomma IAA;encodedcomman IAA;encodedcommand IAA;e JAB;en JAB;enc JAB;enco JAB;encode JAB;encoded JAB;encodedco JAB;encodedcom JAB;encodedcomm JAB;encodedcomma JAB;encodedcomman JAB;encodedcommand JAB;e cwBFAFQA;en cwBFAFQA;enc cwBFAFQA;enco cwBFAFQA;encode cwBFAFQA;encoded cwBFAFQA;encodedco cwBFAFQA;encodedcom cwBFAFQA;encodedcomm cwBFAFQA;encodedcomma cwBFAFQA;encodedcomman cwBFAFQA;encodedcommand cwBFAFQA;e SQBFAF;en SQBFAF;enc SQBFAF;enco SQBFAF;encode SQBFAF;encoded SQBFAF;encodedco SQBFAF;encodedcom SQBFAF;encodedcomm SQBFAF;encodedcomma SQBFAF;encodedcomman SQBFAF;encodedcommand SQBFAF;e UwBFAFQA;en UwBFAFQA;enc UwBFAFQA;enco UwBFAFQA;encode UwBFAFQA;encoded UwBFAFQA;encodedco UwBFAFQA;encodedcom UwBFAFQA;encodedcomm UwBFAFQA;encodedcomma UwBFAFQA;encodedcomman UwBFAFQA;encodedcommand UwBFAFQA;e IABpAE4AdgBPAEsAZQAt;en IABpAE4AdgBPAEsAZQAt;enc IABpAE4AdgBPAEsAZQAt;enco IABpAE4AdgBPAEsAZQAt;encode IABpAE4AdgBPAEsAZQAt;encoded IABpAE4AdgBPAEsAZQAt;encodedco IABpAE4AdgBPAEsAZQAt;encodedcom IABpAE4AdgBPAEsAZQAt;encodedcomm IABpAE4AdgBPAEsAZQAt;encodedcomma IABpAE4AdgBPAEsAZQAt;encodedcomman IABpAE4AdgBPAEsAZQAt;encodedcommand IABpAE4AdgBPAEsAZQAt;e SQBmACgAJAB;en SQBmACgAJAB;enc SQBmACgAJAB;enco SQBmACgAJAB;encode SQBmACgAJAB;encoded SQBmACgAJAB;encodedco SQBmACgAJAB;encodedcom SQBmACgAJAB;encodedcomm SQBmACgAJAB;encodedcomma SQBmACgAJAB;encodedcomman SQBmACgAJAB;encodedcommand SQBmACgAJAB;e J;en J;enc J;enco J;encode J;encoded J;encodedco J;encodedcom J;encodedcomm J;encodedcomma J;encodedcomman J;encodedcommand J;e SUVY;en SUVY;enc SUVY;enco SUVY;encode SUVY;encoded SUVY;encodedco SUVY;encodedcom SUVY;encodedcomm SUVY;encodedcomma SUVY;encodedcomman SUVY;encodedcommand SUVY;e aWV4;en aWV4;enc aWV4;enco aWV4;encode aWV4;encoded aWV4;encodedco aWV4;encodedcom aWV4;encodedcomm aWV4;encodedcomma aWV4;encodedcomman aWV4;encodedcommand aWV4;e dmFy;en dmFy;enc dmFy;enco dmFy;encode dmFy;encoded dmFy;encodedco dmFy;encodedcom dmFy;encodedcomm dmFy;encodedcomma dmFy;encodedcomman dmFy;encodedcommand dmFy;e dgBhA;en dgBhA;enc dgBhA;enco dgBhA;encode dgBhA;encoded dgBhA;encodedco dgBhA;encodedcom dgBhA;encodedcomm dgBhA;encodedcomma dgBhA;encodedcomman dgBhA;encodedcommand dgBhA;e R2V0;en R2V0;enc R2V0;enco R2V0;encode R2V0;encoded R2V0;encodedco R2V0;encodedcom R2V0;encodedcomm R2V0;encodedcomma R2V0;encodedcomman R2V0;encodedcommand R2V0;e IAAgAH;en IAAgAH;enc IAAgAH;enco IAAgAH;encode IAAgAH;encoded IAAgAH;encodedco IAAgAH;encodedcom IAAgAH;encodedcomm IAAgAH;encodedcomma IAAgAH;encodedcomman IAAgAH;encodedcommand IAAgAH;e TVq;en TVq;enc TVq;enco TVq;encode TVq;encoded TVq;encodedco TVq;encodedcom TVq;encodedcomm TVq;encodedcomma TVq;encodedcomman TVq;encodedcommand TVq;e aQBIA;en aQBIA;enc aQBIA;enco aQBIA;encode aQBIA;encoded aQBIA;encodedco aQBIA;encodedcom aQBIA;encodedcomm aQBIA;encodedcomma aQBIA;encodedcomman aQBIA;encodedcommand aQBIA;e UEs;en UEs;enc UEs;enco UEs;encode UEs;encoded UEs;encodedco UEs;encodedcom UEs;encodedcomm UEs;encodedcomma UEs;encodedcomman UEs;encodedcommand UEs;e H4s;en H4s;enc H4s;enco H4s;encode H4s;encoded H4s;encodedco H4s;encodedcom H4s;encodedcomm H4s;encodedcomma H4s;encodedcomman H4s;encodedcommand H4s;e dXNpbm;en dXNpbm;enc dXNpbm;enco dXNpbm;encode dXNpbm;encoded dXNpbm;encodedco dXNpbm;encodedcom dXNpbm;encodedcomm dXNpbm;encodedcomma dXNpbm;encodedcomman dXNpbm;encodedcommand dXNpbm;e cwBhA;en cwBhA;enc cwBhA;enco cwBhA;encode cwBhA;encoded cwBhA;encodedco cwBhA;encodedcom cwBhA;encodedcomm cwBhA;encodedcomma cwBhA;encodedcomman cwBhA;encodedcommand cwBhA;JABzA</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection 2" groupRelation="and">
+				<CommandLine condition="contains all">FromBase64String</CommandLine>
+				<CommandLine condition="contains any">JAB;SUVY;aWV4;dmFy;dgBhA;R2V0;SQBFAF;TVq;aQBIA;UEs;H4s;dXNpbm;cwBhA</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection 3" groupRelation="and">
+				<CommandLine condition="contains any">/v Word experienced;/v Excel experienced;-v Word experienced;-v Excel experienced</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection 4" groupRelation="and">
+				<CommandLine condition="contains any">JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ;QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA;kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA;IgAoACcAKgAnACkAOwAkA;IAKAAnACoAJwApADsAJA;iACgAJwAqACcAKQA7ACQA</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Obfuscated Emotet Command Line detection" groupRelation="and">
+				<CommandLine condition="contains any">e^;^en^;^nc</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Suspicious Obfuscation Character" groupRelation="and">
+				<CommandLine condition="contains">^</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Suspicious Directory Traversal" groupRelation="and">
+				<CommandLine condition="contains any">..\;\..</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Formbook detections" groupRelation="and">
+				<CommandLine condition="contains any">\cmd.exe /c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe /c del "C:\Users\*\Desktop\*.exe;\cmd.exe -c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe -c del "C:\Users\*\Desktop\*.exe</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=QBot Process Creation,Risk=100" condition="contains any">ping.exe -n 6 127.0.0.1 &#38;ping.exe /n 6 127.0.0.1 &#38; type</CommandLine>
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=Powershell RAW ping,Risk=100" condition="contains">System.Net.Networkinformation.ping</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
+			<Image name="Attack=T1158,Technique=Windows Management Instrumentation,Tactic=Execution,Level=0,Desc=Mofcomp execution or persistence,Risk=50" condition="image">mofcomp.exe</Image>
+
+			<!--MITRE ATT&CK TACTIC: Persistence-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
+			<Rule name="Attack=T1098,Technique=Account Manipulation,Tactic=Credential Access/Persistence,Level=3,Alert=Account Manipulation,Risk=80" groupRelation="and">
+				<Image condition="contains any">net.exe;net1.exe;net2.exe</Image>
+				<CommandLine condition="contains any">user;group;localgroup</CommandLine>
+				<CommandLine condition="contains any">remove;delete;active;del</CommandLine>
+				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
+			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
+			<Rule name="Attack=T1098,Technique=Create Account,Tactic=Persistence,Level=3,Alert=Account Created,Risk=80" groupRelation="and">
+				<Image condition="contains any">net.exe;net1.exe;net2.exe</Image>
+				<CommandLine condition="contains">user</CommandLine>
+				<CommandLine condition="contains any">add</CommandLine>
+				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
+			</Rule>
+			<Image name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsmod,Risk=100" condition="image">dsmod.exe</Image>
+			<Image name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Level=3,Alert=Account Creation via command line,Alert=Account creation with dsadd,Risk=100" condition="image">dsadd.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion/Execution,Level=0,Alert=SilentProcessExit Execution from werfault S-Flag,Risk=75" groupRelation="and">
+				<ParentImage condition="image">WerFault.exe</ParentImage>
+				<ParentCommandLine condition="contains any">-s;/s</ParentCommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike GetSystem escalation Detected" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>
+				<CommandLine condition="contains all">echo;\pipe\;&gt;</CommandLine>
+			</Rule>
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike PSexec dll copy detected" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>
+				<CommandLine condition="contains all">/c;copy;dll;\\;admin$</CommandLine>
+			</Rule>
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike Exec DLL Detected" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">,;StartW</CommandLine>
+			</Rule>
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike Susp activity 1" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">,;update;appdata;temp;/i:</CommandLine>
+			</Rule>
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike Susp activity 2" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">,;update;appdata;temp;-i:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,Level=3,Alert=CMSTPLUA UAC Bypass Child Processes" groupRelation="and">
+				<ParentImage condition="image">dllhost.exe</ParentImage>
+				<ParentCommandLine condition="contains any">{3E5FC7F9-9A51-4367-9063-A120244FBEC7};{3E000D72-A845-4CD9-BD83-80C07C3B881F};{D2E7041B-2927-42fb-8E9F-7CE93B6DC937};{02B49784-1CA2-436C-BC08-72FA3956507D};{BEF590BE-11A6-442A-A85B-656C1081E04C}</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,Level=3,Alert=CMSTPLUA UAC Bypass" groupRelation="and">
+				<Image condition="image">dllhost.exe</Image>
+				<CommandLine condition="contains any">{3E5FC7F9-9A51-4367-9063-A120244FBEC7};{3E000D72-A845-4CD9-BD83-80C07C3B881F};{D2E7041B-2927-42fb-8E9F-7CE93B6DC937};{02B49784-1CA2-436C-BC08-72FA3956507D};{BEF590BE-11A6-442A-A85B-656C1081E04C}</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<Rule name="Attack=T1548,Technique=Abuse Elevation Control Mechanism,Tactic=Privilege Escalation,Level=3,Alert=Abused Debug priviledge by Arbitrary Parent Process,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">winlogon.exe;services.exe;lsass.exe;csrss.exe;wininit.exe;spoolsv.exe;searchindexer.exe</ParentImage>
+				<Image condition="contains any">powershell.exe;pwsh.exe;cmd.exe</Image>
+				<User condition="contains any">AUTHORI;AUTORI</User>
+				<CommandLine condition="excludes any">route ; ADD </CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism: Bypass User Account Control-->
+			<Rule name="Attack=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation,Risk=20" groupRelation="and">
+				<ParentImage condition="image">eventvwr.exe</ParentImage>
+				<Image condition="is not">c:\windows\system32\mmc.exe</Image>
+			</Rule>
+			<ParentImage name="Attack=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="image">fodhelper.exe</ParentImage>
+			<Image name="Attack=T1118,Technique=InstallUtil,Tactic=Execution,Level=0,Desc=InstallUtil" condition="image">InstallUtil.exe</Image>
+			<CommandLine name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass" condition="contains">Invoke-PsUaCme</CommandLine>
+			<CommandLine name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass" condition="contains">BypassUAC</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Powerup Command Line events" condition="contains">PowerUp</CommandLine>
+			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">computerdefaults.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">dism.exe</OriginalFileName>
+			<ParentImage name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">fodhelper.exe</ParentImage>
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<Rule name="Attack=T1088,Technique=Access Token Manipulation,Tactic=Privilege Escalation,Risk=90,Level=3,Alert=Priv Escalation to System" groupRelation="and">
+				<ParentUser condition="contains any">NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</ParentUser>
+				<User condition="contains any">NT AUTHORITY\SYSTEM;СИСТЕМА;NT-AUTORITÄT\SYSTEM;AUTORITE NT\SYSTEM</User>
+			</Rule>
+			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine> <!-- can be useful for tokens manip detection -->
+			<Image name="Attack=T1134,Technique=Access Token Manipulation,Tactic=NA,Level=2,Alert=Token Manipulation with runas.exe,Risk=70" condition="image">runas.exe</Image> 
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Execution,Level=4,Alert=Utilman Lock Screen Bypass,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">Cmd.Exe</OriginalFileName>
+				<ParentImage condition="image">winlogon.exe</ParentImage>
+				<Image condition="image">utilman.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Execution,Level=4,Alert=sethc.exe Lock Screen Bypass,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">Cmd.Exe</OriginalFileName>
+				<ParentImage condition="image">winlogon.exe</ParentImage>
+				<Image condition="image">sethc.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,Level=4,Alert=Utilman Priv Escalation" groupRelation="and">
+				<ParentImage condition="image">utilman.exe</ParentImage>
+				<Image condition="excludes any">C:\Windows\System32\ATBroker.exe;Magnify.exe;C:\Windows\System32\osk.exe</Image>
+			</Rule>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation,Level=0,Desc=SETHC Priv Escalation" condition="image">sethc.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">osk.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Magnify.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">DisplaySwitch.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Narrator.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">AtBroker.exe</ParentImage>
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Application Shimming-->
+			<Image name="Attack=T1138,Technique=Application Shimming,Tactic=Persistence/Privilege Escalation,Level=3,Alert=Application Shimming" condition="image">sdbinst.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=3,Alert=Exploiting SetupComplete.cmd,CVE=CVE-2019-1378,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd;cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd</CommandLine>
+				<Image condition="excludes">C:\Windows\Setup</Image>
+				<Image condition="excludes">C:\Windows\SysWOW64</Image>
+				<Image condition="excludes">C:\Windows\System32</Image>
+				<Image condition="excludes">C:\Windows\WinSxS</Image>
+			</Rule>
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=3,Alert=IE Exploitation CVE-2019-1388,Risk=70" groupRelation="and">
+				<ParentImage condition="image">consent.exe</ParentImage>
+				<CommandLine condition="contains">http</CommandLine>
+				<Image condition="image">iexplore.exe</Image>
+				<User condition="contains">SYSTEM</User>
+			</Rule>
+			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=Dwm Exploitation" groupRelation="and">
+				<ParentImage condition="image">dwm.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=4,Alert=7zip Priv Escalation Detection,CVE=CVE-2022-29072" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>
+				<ParentImage condition="image">7zFM.exe</ParentImage>
+				<CommandLine condition="excludes any">;/c;-c</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=4,Alert=Possible InstallerFileTakeOver LPE,CVE=CVE-2021-41379" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>
+				<ParentImage condition="image">elevation_service.exe</ParentImage>
+				<IntegrityLevel condition="contains">System</IntegrityLevel>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
+			<Image condition="contains">unknown process</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\LocalState\rootfs\</Image>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\LocalState\rootfs\</ParentImage>			
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<Rule name="Attack=T1484.001,Technique=Group Policy Modification,Tactic=Defense Evasion,Level=3,Alert=Auditpol System Audit Policy Change - Should be set via group policy instead" groupRelation="and">
+				<OriginalFileName condition="contains">auditpol</OriginalFileName>
+				<CommandLine condition="contains any">/set;-set;/restore;-restore;/clear;-clear;/remove;-remove;/resourceSACL;-resourceSACL</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
+			<Rule name="Attack=T1164.001,Technique=Hidden Files and Directories,Tactic=Defense Evasion,Level=3,Alert=Hidden/SuperHidden File or Folder created" groupRelation="and">
+				<CommandLine condition="contains any">+s;+h</CommandLine>
+				<Image condition="image">attrib.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1164.001,Technique=Hidden Files and Directories,Tactic=Defense Evasion,Level=3,Alert=Powershell Hidden File or Folder created" groupRelation="and">
+				<CommandLine condition="contains all">Hidden;Attributes</CommandLine>
+				<Image condition="image">powershell.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
+			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=3,Alert=Stealth Sysmon Change Detected,Risk=100" groupRelation="and">
+				<Product condition="is">Sysinternals Sysmon</Product>
+				<CommandLine condition="contains any">/u;/c;-u;-c</CommandLine>
+				<CurrentDirectory condition="excludes">C:\ProgramdData\sysmon\</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1562.001,Technique=Disabling Security Tools,Tactic=Defense Evasion,Level=4,Alert=Windows Defender tampering,Risk=50" groupRelation="and">
+				<Image condition="image">MpCmdRun.exe</Image>
+				<CommandLine condition="contains any">Add-MpPreference;RemoveDefinitions;DisableIOAVProtection</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools:  Disable Windows Event Logging-->
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonEnte Detection,Level=4,Risk=100" groupRelation="and">
+				<Hashes condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hashes>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonQuiet Detection,Level=4,Risk=100" groupRelation="and">
+				<Hashes condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hashes>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SharpEvtMute Detection,Level=4,Risk=100" groupRelation="and">
+				<Hashes condition="contains">IMPHASH=330768a4f172e10acb6287b87289d83b</Hashes>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
+			<Image condition="image" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=T1089,Level=4,Alert=PSTools PSKill,Risk=8">PsKill.exe</Image>
+			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=T1089,Risk=100,Level=4,Alert=Disabling of Windows Defender Features" groupRelation="and">
+				<CommandLine condition="contains any">Set-MpPreference;Add-MpPreference;Remove-MpPreference;MpCmdRun.exe</CommandLine>
+				<CommandLine condition="contains any">RemoveDefinitions;RemoveDynamicSignature;DisableIOAVProtection;DisableRealTimeMonitoring;DisableBehaviorMonitoring;DisableBlockAtFirstSeen;DisableIOAVProtection;DisablePrivacyMode;DisableScriptScanning;DisableRealtimeMonitoring;DisableScanningNetworkFiles;DisableScanningMappedNetworkDrivesForFullScan;DisableRestorePoint;DisableRemovableDriveScanning;SignatureDisableUpdateOnStartupWithoutEngine;DisableIntrusionPreventionSystem;DisableScanOnRealtimeEnable;DisableArchiveScanning;DisableIntrusionPreventionSystem;DisableScriptScanning;DisableOnAccessProtection;ExclusionExtension;ExclusionPath;ExclusionProcess;ThreatDefaultAction;TamperProtection</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,Level=2,Alert=netsh ipv6 modification,Risk=40" condition="contains">interface ipv6 set</CommandLine>
+			<CommandLine name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,Level=2,Alert=netsh ipv4 modification,Risk=40" condition="contains">interface ipv4 set</CommandLine>
+			<Image name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,Level=0,Desc=Command Line task kill 2,Risk=30" condition="image">taskkill.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=3,Alert=netsh Firewall Rule Deletion,Risk=40" condition="contains">firewall delete</CommandLine> 
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=2,Alert=netsh Firewall Rule Creation,Risk=40" condition="contains">firewall add</CommandLine> 
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=4,Alert=netsh firewall disablement,Risk=40" condition="contains">firewall set opmode disable</CommandLine>
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=4,Alert=Possible Arp Spoofing attacks" condition="contains">Core Networking - Router Solicitation</CommandLine>
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=0,Desc=Windows Firewall Modifications,Risk=40" condition="contains">netsh advfirewall firewall</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
+			<Rule name="Attack=T1070.001,Technique=Clear Windows Event Logs,Tactic=Defense Evasion,Level=4,Alert=Eventlog Removal on Host,Risk=100" groupRelation="and">
+				<Image condition="image">wevtutil.exe</Image>
+				<CommandLine condition="contains"> cl </CommandLine>
+				<CommandLine condition="excludes">wevtutil im</CommandLine>
+				<CommandLine condition="excludes">wevtutil.exe im</CommandLine>
+				<CurrentDirectory condition="excludes">ClickToRun</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1562.006,Technique=Indicator Blocking,Tactic=Defense Evasion,Risk=50" groupRelation="and">
+				<OriginalFileName condition="is">fltMC.exe</OriginalFileName>
+				<CommandLine condition="contains any">detach;unload</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion,Level=4,Alert=IIS Log disablement,Risk=80" groupRelation="and">
+				<OriginalFileName condition="is">appcmd.exe</OriginalFileName>
+				<CommandLine condition="contains all">DontLog;True</CommandLine>
+				<Image condition="excludes">iisetup.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=Usagelog Env Tampering,Risk=70" groupRelation="or">
+				<CommandLine condition="contains all">set;NGenAssemblyUsageLog</CommandLine>
+				<CommandLine condition="contains all">New-ItemProperty;NGenAssemblyUsageLog</CommandLine>
+				<CommandLine condition="contains all">reg;add;dword;NGenAssemblyUsageLog</CommandLine>
+				<CommandLine condition="contains all">$env;NGenAssemblyUsageLog</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=COMPlus_ETWEnabled Env Tampering,Risk=70" groupRelation="or">
+				<CommandLine condition="contains all">set;COMPlus_ETWEnabled</CommandLine>
+				<CommandLine condition="contains all">New-ItemProperty;COMPlus_ETWEnabled</CommandLine>
+				<CommandLine condition="contains all">reg;add;dword;COMPlus_ETWEnabled</CommandLine>
+				<CommandLine condition="contains all">$env;COMPlus_ETWEnabled</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
+			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux exec,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains any">bash.exe;wsl.exe;ubuntu.exe;kali.exe</OriginalFileName>
+				<CommandLine condition="contains any">-e;/e;-u root;--exec bash;dev/tcp</CommandLine>
+			</Rule>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</ParentImage>
+
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Bash on Windows Execution,Risk=30" condition="image">bash.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Bash on windows execution,Risk=30" condition="image">bash.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Indirect Command Execution with forfiles" condition="image">forfiles.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Indirect command execution forfiles child process" condition="image">forfiles.exe</ParentImage>
+			<Image name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">.com</Image>
+			<CommandLine name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=2,Alert=Scriptrunner exec" condition="contains">-appvscript</CommandLine>
+
+			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=3,Alert=suspicious execution path,Risk=30" groupRelation="and">
+				<Image condition="contains any">C:\Users\NetworkService\;C:\Users\NetworkService\;HarddiskVolumeShadowCopy;C:\Users\Default\;C:\Users\Public;C:\Users\Guest\;\administrateur\;C:\Windows\Media\;C:\Windows\addins\;tsclient\;\htdocs\;\config\systemprofile\;C:\PerfLogs\;c:\windows\ServiceProfiles\;C:\Intel\Logs\;C:\Windows\repair\;C:\Windows\Help\;$Recycle;C:\Windows\Debug\;C:\Windows\Security\;C:\Windows\Fonts\;\wwwroot\;\Contacts;C:\Windows\vss\</Image>
+			</Rule>		
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
+			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg add hkcu\software\classes\</CommandLine>
+			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg.exe add hkcu\software\classes\</CommandLine> 
+			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\WINDOWS\system32\svchost.exe -k localService -s RemoteRegistry</ParentCommandLine>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Alternate Data Streams with Regedit" groupRelation="and">
+				<OriginalFileName condition="is">regedit.exe</OriginalFileName>
+				<CommandLine condition="contains">:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=REG Registry Deletions" groupRelation="and">
+				<Image condition="image">reg.exe</Image>
+				<CommandLine condition="contains">delete </CommandLine>
+			</Rule>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Regedit Registry Deletions" groupRelation="and">
+				<Image condition="image">regedit.exe</Image>
+				<CommandLine condition="contains any">/d;-d</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Powershell Registry Deletions" groupRelation="and">
+				<CommandLine condition="contains any">HKCU:;HKLM</CommandLine>
+				<CommandLine condition="contains">remove-item</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Powershell Registry Modifications" groupRelation="and">
+				<CommandLine condition="contains any">HKCU:;HKLM</CommandLine>
+				<CommandLine condition="contains">set-item;new-item</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
+			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Suspicious Code Page Switch,Risk=50" groupRelation="and">
+				<Image condition="image">chcp.exe</Image>
+				<CommandLine condition="contains">936</CommandLine>
+				<CommandLine condition="contains">1256</CommandLine>
+				<CommandLine condition="contains">864</CommandLine>
+				<CommandLine condition="contains">1258</CommandLine>
+				<CommandLine condition="contains">855</CommandLine>
+				<CommandLine condition="contains">866</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Encoded Command Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<CommandLine condition="contains any">-e ;-en;-enc;-enco;-encod;-encode;-encoded;-encodedc;-encodedco;-encodedcom;-encodedcomm;-encodedcomma;-encodedcomman;-encodedcommand;/e ;/en;/enc;/enco;/encod;/encode;/encoded;/encodedc;/encodedco;/encodedcom;/encodedcomm;/encodedcomma;/encodedcomman;/encodedcommand</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Hidden Command,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<CommandLine condition="contains any">-w h;-wi h;-win h;-wind h;-windo h;-window h;-windows h;-windowst h;-windowsty h;-windowstyl h;-windowstyle h;/w h;/wi h;/win h;/wind h;/windo h;/window h;/windows h;/windowst h;/windowsty h;/windowstyl h;/windowstyle h</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Execution Policy Bypass,Risk=75" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<CommandLine condition="contains any">-ex;/ex</CommandLine>
+				<CommandLine condition="contains">bypass</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Powershell non-interactive Command" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<CommandLine condition="contains any">-noni;/noni</CommandLine>
+				<CommandLine condition="excludes">Import-Module FileServerResourceManager</CommandLine>
+				<CurrentDirectory condition="excludes">C:\Program Files\LogicMonitor</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1027,Tactic=Defense Evasion,Technique=Obfuscated Files or Information,Level=4,Alert=Powershell Obfuscation Command,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<CommandLine condition="contains any">hextobin;iex;io.filestream;system.text;base64;system.io;io.file;IMAGE_SUBSYSTEM_WINDOWS_GUI;IMAGE_NT_OPTIONAL_HDR32;IMAGE_NT_OPTIONAL_HDR64;DllCharacteristicsType;GetDelegateForFunctionPointer;WriteProcessMemory;ReadProcessMemory;ImpersonateSelf;AdjustTokenPrivileges;NtCreateThreadEx;CreateRemoteThread;io.seek;iwr;-bxor;invoke-expression;remove.to.string;shellcode;System.Net.WebClient;System.Net.WebRequest;System.Net.SecurityProtocolType;unicode;-useb;msxml2.serverxmlhttp;wscript.shell;-comobject;frombase64;io.compression;system.convert;io.streamreader;io.memorystream;compression.gzipstream;text.encoding;executioncontext;text.enc;convertto-securestring;runtime.interop;verbosepreference;[[string]]::join</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Encoded Offsets,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<CommandLine condition="contains any">SUVYI;aWV4I;SQBFAFgA;aQBlA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC;UwB0AGE</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Obfuscated Suspicious or Malicious Commands,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">C^om^S^pEc;^c^o^m^S^p^E^c^;Wscript.Shell;-ComObject;MsXml2.ServerXmlHttp;Remove.ToString;System.Convert;-UseB;[Byte[];^h^t^t^p;h"t"t"p</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information with IwAjACMAd,Tactic=Defense Evasion,Level=4,Alert=Common Base 64 encoded cmds" condition="contains any">IwAjACMAd;IyM=;SUVYI;aWV4I;SQBFAFgA;aQBlAHgA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Alert=Obfuscated Hidden Powershell,Risk=70" condition="contains any">WindowStyle Hidden function;WindowStyle Hidden;windowstyle h;windowstyl h;windowsty h;windowst h;windows h;window h;windo h;wind h;win h;wi h;-w h;/w h;win hi;win hid;win hidd;win hidde;win hidden</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Command Line Obfuscation,Risk=75" condition="contains">^</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=0,Desc=Type CON Command Line Redirection" condition="contains">TYPE CON ></CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=0,Desc=Copy CON Command Line Redirection" condition="contains">copy CON ></CommandLine>
+			<CommandLine name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Common Obfuscated Commands,Risk=100" condition="contains any">FromBase64String;action=create keyvalue=;VerbosePreference.ToString;SecureString;CSharpCodeProvider;runtime.interopservices.marshal;system.globalization.numberstyles;system.reflection.assembly;hextobin;VerbosePreference.ToString;system.text.encoding;io.filestream;io.filestream;io.seekorigin;text.encoding;unicode.getstring;FromBase64;[Convert]::;System.IO.File]::ReadAllText;|iex</CommandLine>
+			<Rule name="Attack=T1105,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=CertUtil Decode,Risk=80" groupRelation="and">
+				<OriginalFileName condition="contains">certutil</OriginalFileName>
+				<CommandLine condition="contains any">decode;encode</CommandLine>
+			</Rule>
+			<!--FIX MITRE Mapping-->
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Ping in Hexadecimal,Risk=60" groupRelation="and">
+				<Image name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Ping in Hexadecimal" condition="image">ping.exe</Image>
+				<CommandLine condition="contains">0x</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information: Compile After Delivery-->
+			<Rule name="Level=4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
+				<Image condition="image">csc.exe</Image>
+				<CommandLine condition="contains any">\AppData\;\Windows\Temp\</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,Level=3,Alert=Suspicious Parent of Csc.exe,Risk=80" groupRelation="and">
+				<Image condition="image">csc.exe</Image>
+				<ParentImage condition="image">wscript.exe</ParentImage>
+				<ParentImage condition="image">cscript.exe</ParentImage>
+				<ParentImage condition="image">mshta.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,Level=3,Alert=MOFComp compilation of .Mof File,Risk=80" groupRelation="and">
+				<Image condition="image">mofcomp.exe</Image>
+				<CommandLine condition="contains">.mof</CommandLine>
+				<CurrentDirectory condition="excludes">C:\WINDOWS\Installer\MSI</CurrentDirectory>
+				<ParentImage condition="excludes">MsMpEng.exe</ParentImage>
+				<ParentImage condition="excludes">aspnet_regiis.exe</ParentImage>
+				<ParentImage condition="excludes">msiexec.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,Level=3,Alert=CSC Compilation,Risk=80" groupRelation="and">
+				<ParentImage condition="is">csc.exe</ParentImage>
+				<CommandLine condition="contains any">out:;target:library</CommandLine>
+			</Rule>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft.Workflow.Compiler.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of Autochk,Risk=30" groupRelation="and">
+				<Image condition="image">autochk.exe</Image>
+				<ParentImage condition="excludes any">\smss.exe;\fontdrvhost.exe;\dwm.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of SMSS,Risk=30" groupRelation="and">
+				<Image condition="contains any">\consent.exe;\Runtimebroker.exe;\TiWorker.exe</Image>
+				<ParentImage condition="excludes">\svchost.exe</ParentImage>
+				<ParentImage condition="is not">-</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of consent/runtimebroke/tiworker,Risk=30" groupRelation="and">
+				<Image condition="contains any">\consent.exe;\Runtimebroker.exe;\TiWorker.exe</Image>
+				<ParentImage condition="excludes any">svchost.exe</ParentImage>
+				<ParentImage condition="is not">-</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of searchindexer,Risk=30" groupRelation="and">
+				<Image condition="image">SearchProtocolHost.exe</Image>
+				<ParentImage condition="excludes any">\SearchIndexer.exe;\dllhost.exe</ParentImage>
+				<ParentImage condition="is not">-</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of dllhost,Risk=30" groupRelation="and">
+				<Image condition="image">dllhost.exe</Image>
+				<ParentImage condition="excludes any">\services.exe;\svchost.exe</ParentImage>
+				<ParentImage condition="is not">-</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of smss,Risk=30" groupRelation="and">
+				<Image condition="image">smss.exe</Image>
+				<ParentImage condition="excludes">\smss.exe</ParentImage>
+				<ParentImage condition="is not">System</ParentImage>
+				<ParentImage condition="is not">-</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of csrss,Risk=30" groupRelation="and">
+				<Image condition="image">csrss.exe</Image>
+				<ParentImage condition="is not">-</ParentImage>
+				<ParentImage condition="excludes any">\smss.exe;svchost.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of wininit,Risk=30" groupRelation="and">
+				<Image condition="image">wininit.exe</Image>
+				<ParentImage condition="is not">-</ParentImage>
+				<ParentImage condition="excludes">\smss.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of winlogon,Risk=30" groupRelation="and">
+				<Image condition="image">winlogon.exe</Image>
+				<ParentImage condition="excludes">\smss.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of lsass/LsaIso,Risk=30" groupRelation="and">
+				<Image condition="contains any">\lsass.exe;LsaIso.exe</Image>
+				<ParentImage condition="excludes">\wininit.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of LogonUI,Risk=30" groupRelation="and">
+				<Image condition="image">LogonUI.exe</Image>
+				<ParentImage condition="excludes any">\wininit.exe;\winlogon.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of services,Risk=30" groupRelation="and">
+				<Image condition="image">services.exe</Image>
+				<ParentImage condition="excludes">\wininit.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of svchost,Risk=30" groupRelation="and">
+				<Image condition="image">svchost.exe</Image>
+				<ParentImage condition="is not">-</ParentImage>
+				<ParentImage condition="excludes any">\MsMpEng.exe;\services.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of spoolsv,Risk=30" groupRelation="and">
+				<Image condition="image">spoolsv.exe</Image>
+				<ParentImage condition="excludes">\services.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of taskhost,Risk=30" groupRelation="and">
+				<Image condition="image">taskhost.exe</Image>
+				<ParentImage condition="excludes any">\services.exe;\svchost.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of userinit,Risk=30" groupRelation="and">
+				<Image condition="image">userinit.exe</Image>
+				<ParentImage condition="excludes any">\dwm.exe;\winlogon.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of wmiprvse/wsmprovhost/winrshost,Risk=30" groupRelation="and">
+				<Image condition="contains any">\wmiprvse.exe;\wsmprovhost.exe;\winrshost.exe</Image>
+				<ParentImage condition="is not">-</ParentImage>
+				<ParentImage condition="excludes any">\svchost.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
+				<ParentImage condition="contains any">\SearchProtocolHost.exe;\taskhost.exe;\csrss.exe</ParentImage>
+				<Image condition="excludes any">\werfault.exe;\wermgr.exe;\WerFaultSecure.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
+				<ParentImage condition="image">autochk.exe</ParentImage>
+				<Image condition="excludes any">\chkdsk.exe;\doskey.exe;\WerFault.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of smss,Risk=30" groupRelation="and">
+				<ParentImage condition="image">smss.exe</ParentImage>
+				<Image condition="excludes any">\autochk.exe;\smss.exe;\csrss.exe;\wininit.exe;\winlogon.exe;\setupcl.exe;\WerFault.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of wermgr,Risk=30" groupRelation="and">
+				<ParentImage condition="image">wermgr.exe</ParentImage>
+				<Image condition="excludes any">\WerFaultSecure.exe;\wermgr.exe;\WerFault.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of conhost,Risk=30" groupRelation="and">
+				<ParentImage condition="image">conhost.exe</ParentImage>
+				<Image condition="excludes any">\mscorsvw.exe;\wermgr.exe;\WerFault.exe;\WerFaultSecure.exe</Image>
+			</Rule>
+			<CommandLine name="Attack=T1055,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement,Tactic=Defense Evasion,Level=4,Alert=Powershell Injection persistence bypass,Risk=50" condition="contains">System.Management.Automation</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
+			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
+			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
+			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
+				<CommandLine condition="contains all">/logfile=;/LogToConsole=false;/U</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
+				<CommandLine condition="contains all">-logfile=;-LogToConsole=false;-U</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.013,Technique=Mavinject,Tactic=Execution,Level=3,Alert=Mavinject Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains any">Mavinject.exe;mavinject64.exe</OriginalFileName>
+				<CommandLine condition="contains">INJECTRUNNING</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 1,Risk=100" groupRelation="and">
+				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
+				<CommandLine condition="contains all">/ni;/s</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 2,Risk=100" groupRelation="and">
+				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
+				<CommandLine condition="contains all">/ns;/s</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 3,Risk=100" groupRelation="and">
+				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
+				<CommandLine condition="contains all">-ni;-s</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 4,Risk=100" groupRelation="and">
+				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
+				<CommandLine condition="contains all">-ns;-s</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.002,Technique=Control Panel,Tactic=Execution,Level=3,Alert=Control_Rundll Detected,Risk=50" groupRelation="and">
+				<CommandLine condition="contains all">rundll32.exe;shell32.dll;_RunDLL</CommandLine>
+				<Image condition="is not">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.008,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=3,Alert=Odbcconf Signed Binary Proxy Execution,Risk=50" groupRelation="and">
+				<Image condition="image">odbcconf.exe</Image>
+				<CommandLine condition="contains any">/S /A {REGSVR;-S -A {REGSVR</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,Level=3,Alert=Script:http Detected,Risk=75" condition="contains">script:http</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,Level=3,Alert=Register-cimprovider exec,Risk=100" condition="contains">Register-cimprovider</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">Scriptrunner.exe -appvscript</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">bginfo</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">cbd</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=runscripthelper LOLBAS,Risk=40" condition="contains">runscripthelper.exe surfacecheck</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=xwizard LOLBAS,Risk=40" condition="contains">xwizard RunWizard</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=PresentationHost exec,Risk=100" condition="contains">PresentationHost</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=VBoxDrvInst.exe exec,Risk=100" condition="contains">driver executeinf</CommandLine>
+			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains any">control.exe /name;control.exe -name</CommandLine>
+			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains">Control_RunDLL</CommandLine>
+			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="image">SyncAppvPublishingServer.exe</Image>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">Scriptrunner.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">ATBroker.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">Appvlp.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">InfDefaultInstall.EXE</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">PresentationHost.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">RegisterCimProvider2.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">RegisterCimProvider.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">ScriptRunner.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">csi.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">extexport.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">msconfig.EXE</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">rasdlui.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">tttracer.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">verclsid.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">wab.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=Register-cimprovider.exe,Risk=100" condition="contains">Register-cimprovider.exe</OriginalFileName>
+			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">csi.exe</ParentCommandLine>
+			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">devtoolslauncher.exe LaunchForDeploy</ParentCommandLine>
+			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">bginfo</ParentCommandLine>
+			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">devtoolslauncher.exe</ParentImage>
+			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">wab.exe</ParentImage>
+			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">wsreset.exe</ParentImage>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: CMSTP-->
+			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion" condition="contains any">cmstp.exe /ni /s;cmstp.exe -ni -s</CommandLine>
+			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=0,Desc=cmstp" condition="contains any">cmstp /ni /s;cmstp -ni -s</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Mavinject-->
+			<Image name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,Level=3,Alert=Mavinject Process Injection" condition="image">Mavinject.exe</Image>
+			<CommandLine name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,Level=3,Alert=Mavinject Process Injection" condition="contains">INJECTRUNNING</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
+			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,Level=3,Alert=Potential rundll32.exe DllRegisterServer execution,Risk=70" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains">DllRegisterServer</CommandLine>
+				<CommandLine condition="excludes any">xapauthenticodesip.dll</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,Level=3,Alert=Suspicious Regsvr32 loading in Appdata temp" groupRelation="and">
+				<Image condition="image">regsvr32.exe</Image> 
+				<CommandLine condition="contains all">C:\Users;Appdata;Temp</CommandLine> 
+			</Rule>
+			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Defense Evasion/Execution,Level=4,Alert=Suspicious Regsvr32 loading in Public User folder" groupRelation="and">
+				<Image condition="image">regsvr32.exe</Image> 
+				<CommandLine condition="contains all">C:\Users;Public</CommandLine> 
+			</Rule>
+			<Description name="Attack=T1117,Technique=Regsvr32,Tactic=Execution" condition="contains">Microsoft(C) Register Server</Description>
+			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=SyncAppvPublishingServer Applocker Bypass" condition="image">SyncAppvPublishingServer.exe</Image>
+			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=control panel execution" condition="image">control.exe</Image>
+			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=rasautou execution" condition="image">rasautou.exe</Image>
+			<CommandLine name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,Level=4,Alert=Control Panel Execution" condition="contains any">control.exe /name;control.exe -name</CommandLine>
+			<CommandLine name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,Level=4,Alert=Control Panel Execution" condition="contains">Control_RunDLL</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
+			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=Msiexec.exe DllRegisterServer execution,Risk=70" groupRelation="and">
+				<Image condition="image">msiexec.exe</Image>
+				<CommandLine condition="contains any">/y;-y</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\DartSock.dll</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\ImageViewer2.OCX</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\SysTray.ocx</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\tdbg6.ocx</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\tdbg7.ocx</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\tdbg7.ocx</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\todg7.ocx</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\todgub7.dll</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\xarraydb.ocx</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion,Level=4,Alert=MSIExec Signed Binary Proxy Execution,Risk=70" groupRelation="and">
+				<Image condition="image">msiexec.exe</Image>
+				<CommandLine condition="contains any">/i;-i</CommandLine>
+				<CommandLine condition="contains any">http</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Rundll32-->
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Rundll32 Suspicious call by Ordinal,Risk=80" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains all">,;#</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\resources\themes\Aero\AeroLite.msstyles</CommandLine>
+				<CommandLine condition="excludes">uxtheme.dll</CommandLine>
+				<CommandLine condition="excludes">ImageView_Fullscreen</CommandLine>
+				<CommandLine condition="excludes">EDGEHTML.dll</CommandLine>
+				<CommandLine condition="excludes">PhotoViewer.dll</CommandLine>
+				<CurrentDirectory condition="excludes">\AppData\Local\WebEx\WebEx\</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=3,Alert=Rundll32 Single Threaded Apartment Switch - check for com hijacks,Risk=75" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains any">-sta;/sta</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious OpenAs_RunDLL,Risk=30" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains all">shell32.dll;OpenAs_RunDLL</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Executing Powershell,Risk=70" groupRelation="and">
+				<ParentImage condition="image">RUNDLL32.EXE</ParentImage>
+				<OriginalFileName condition="contains">powershell</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious OpenURL Commands" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains all">url.dll;OpenURL</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious FileProtocolHandler Commands" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains all">url.dll;FileProtocolHandler</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious RouteTheCall Commands" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains all">zipfldr.dll;RouteTheCall</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious Control_RunDLL Commands" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains all">Shell32.dll;Control_RunDLL</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious javascript Commands" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains">javascript:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious RegisterXLL Commands" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains">RegisterXLL</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Suspicious Rundll32 loading in Public User folder" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image> 
+				<CommandLine condition="contains all">C:\Users;Public</CommandLine>
+				<ParentCommandLine condition="excludes any">rdpinit.exe</ParentCommandLine> 
+				<ParentImage condition="excludes any">rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe</ParentImage> 
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Suspicious Rundll32 loading in Appdata Temp" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">C:\Users;Appdata;Temp</CommandLine>
+				<CommandLine condition="excludes any">ImageView_</CommandLine>
+				<ParentCommandLine condition="excludes any">rdpinit.exe</ParentCommandLine>
+				<ParentImage condition="excludes any">rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe</ParentImage>
+			</Rule>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">advpack.dll;LaunchINFSection</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">ieadvpack.dll;LaunchINFSection</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">syssetup.dll;SetupInfObjectInstallAction</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">setupapi.dll;InstallHinfSection</CommandLine>
+			<CommandLine condition="contains">InstallHinfSection</CommandLine>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">infDefaultInstall.exe</Image>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=APT28 CHOPSTICK Detection,Risk=70" condition="contains">rundll32.exe "C:\Windows\twain_64.dll"</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Shdocvw exec via rundll32,Risk=70" condition="contains all">shdocvw.dll;OpenURL</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Testing advpack exec,Risk=70" condition="contains all">advpack.dll;RegisterOCX</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass,Risk=100" condition="contains all">Zipfldr.dll;RouteTheCall</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass,Risk=100" condition="contains all">url.dll;FileProtocolHandler</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass technique FileProtocolHandler,Risk=100" condition="contains all">url.dll;FileProtocolHandler</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" condition="contains all">OpenURLA;file:</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" condition="contains all">OpenURL;file:</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MSHTA-->
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Defense Evasion,Level=4,Alert=Suspicious child processes of mshta,Risk=100" groupRelation="and">
+				<ParentImage condition="image">mshta.exe</ParentImage>
+				<Image condition="contains any">cmd.exe;powershell.exe;wscript.exe;cscript.exe;sh.exe;bash.exe;reg.exe;regsvr32.exe;bitsadmin</Image>
+			</Rule>
+			<Rule name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution,Risk=100" groupRelation="and">
+				<Image condition="image">mshta.exe</Image>
+			</Rule>
+			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution" condition="contains">RunHTMLApplication</CommandLine>
+			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution" condition="contains">mshtml</CommandLine>
+			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution" condition="contains">vbscript:CreateObject</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Odbcconf-->
+			<Image name="Attack=T1218.008,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=3,Alert=Possible driver load with odbcconf,Risk=40" condition="image">odbcconf.exe</Image>
+
+			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
+			<CommandLine name="Attack=T1216,Technique=System Script Proxy Execution,Tactic=Defense Evasion,Level=4,Alert=manage-bde.wsf exec,Risk=100" condition="contains">manage-bde.wsf</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=Powershell Calling MSBuild" groupRelation="and">
+				<ParentImage condition="contains any">powershell.exe;powershell_ise.exe</ParentImage>
+				<Image condition="image">msbuild.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild Calling RegAsm" groupRelation="and">
+				<ParentImage condition="image">msbuild.exe</ParentImage>
+				<Image condition="contains">regasm</Image>
+			</Rule>
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild Calling useinit" groupRelation="and">
+				<ParentImage condition="image">msbuild.exe</ParentImage>
+				<Image condition="image">userinit.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild Building from xml - Silent Trinity" groupRelation="and">
+				<ParentImage condition="image">msbuild.exe</ParentImage>
+				<ParentCommandLine condition="contains">.xml</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=RegAsm Parent process" groupRelation="and">
+				<ParentImage condition="image">regasm.exe</ParentImage>
+				<Image condition="excludes">\conhost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild building from lnk file" groupRelation="and">
+				<Image condition="image">msbuild.exe</Image>
+				<CommandLine condition="contains">.lnk</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">.csproj</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
+			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
+			<Image name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,Level=4,Alert=XSL Script Processing" condition="image">msxsl.exe</Image>
+			<ParentImage name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,Level=4,Alert=XSL Script Processing" condition="image">msxsl.exe</ParentImage>
+			<!--MITRE ATT&CK TACTIC: Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
+			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
+			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Hawkeye Keylogger Detected" condition="contains">/stext</CommandLine>
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">keylog</CommandLine>
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">keyscan_</CommandLine>
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">Get-Keystrokes</CommandLine>
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">/scomma</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<Rule name="Attack=T1040,Technique=Network Sniffing,Tactic=Credential Access/Discovery,Level=4,Alert=Network Sniffing tool Detected,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">sniff</CommandLine>
+				<CommandLine condition="excludes">C:\Program Files\Adobe\</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1040,Technique=Network Sniffing,Tactic=Credential Access/Discovery,Level=4,Alert=PCAP Sniffing tool Detected,Risk=100" groupRelation="or">
+				<OriginalFileName condition="is any">tcpdump.exe;tcpdump.c;tshark.exe;tshark.c;windump.exe;windump.c;wireshark.c;wireshark.exe</OriginalFileName>
+				<CommandLine condition="contains any">windump;tshark;tcpdump;windump;wireshark</CommandLine>
+				<CommandLine condition="contains all">netsh;trace;start;capture=yes</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Access with vss shadow copy,Risk=100" groupRelation="and">
+				<Image condition="image">vssadmin.exe</Image>
+				<CommandLine condition="contains any">create;shadow</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential access with wmic shadow copy creation,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains all">shadowcopy;call;create</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential access with wmic esentutl,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains all">call;create;esentutl;vss</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Powershell shadow copy creation,Risk=100" groupRelation="and">
+				<CommandLine condition="contains all">win32_shadowcopy;create;clientaccessible</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Symlink to Shadowcopy,Risk=100" groupRelation="and">
+				<CommandLine condition="contains all">mklink;GLOBALROOT;Shadow</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Copy of NTDS.dit from vss shadow copy,Risk=100" groupRelation="or">
+				<CommandLine condition="contains all">copy;NTDS\ntds.dit</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=ntdsutil credential dumping,Risk=100" groupRelation="or">
+				<Image condition="image">ntdsutil.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Copy of SYSTEM Registry from vss shadow copy,Risk=100" groupRelation="or">
+				<CommandLine condition="contains all">copy;System32\config\SYSTEM</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Malicious Reg Save Credential Dumping,Risk=100" groupRelation="or">
+				<CommandLine condition="contains all">reg;save;HKLM</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">mimikatz;mimidrv;mimilove;mimilib;sekurlsa;lsadump;dumpcreds;privilege::;token::;logonpasswords;mimikittenz;mimiauth;::;kerberos::;misc::skeleton;privilege::debug;dpapi::cred;vault::cred;lsadump;misc::;Krbtgt;TOKEN::;invoke-mimi</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=3,Alert=Possible credential modification or disclosure with cmdkey,Risk=30" groupRelation="and">
+				<OriginalFileName condition="contains">cmdkey</OriginalFileName>
+			</Rule>
+			<OriginalFileName name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=3,Alert=Credential Dumping Command rpcping,Risk=100" condition="is">rpcping.exe</OriginalFileName>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command nltest,Risk=100" condition="contains">nltest.exe</CommandLine>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Suspicious Cred Dumping Commands,Risk=60" groupRelation="and">
+				<CommandLine condition="contains any">-ma lsass.exe;Do-Exfiltration;Powersploit;GPPPassword;gpprefdecrypt;gsecdump;hashdump;laZagne;ntds.dit;ppldump;pwdump;pwdumpx;secretsdump;/listcreds:;-listcreds:</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultCloseVault</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultEnumerateItem</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultFree</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultGetItem</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultOpenVault</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">Vaultcmd</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">vaultcli.dll</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from firefox" condition="contains">select * from moz_login</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping" condition="contains">Invoke-WinEnum</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Dumping Cached Credentials,Risk=100" condition="contains">System.Net.CredentialCache</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=VSS Shadow file Created" condition="contains">create shadow</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Dumping,Level=4,Alert=Credential Theft: netsh wlan password export in cleartext,Risk=100" condition="contains all">wlan;export;profile;key=clear</CommandLine>
+			<CommandLine name="Attack=T1003.006,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command DCsync,Risk=100" condition="contains">dcsync</CommandLine>
+			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry" condition="contains any">HKCU /f password;HKCU -f password</CommandLine>
+			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry" condition="contains any">HKLM /f password;HKLM -f password</CommandLine>
+			<Image name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command nltest,Risk=60" condition="image">nltest.exe</Image>
+			<Image name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command" condition="contains">ProcDump.exe</Image>
+			<OriginalFileName name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command" condition="contains">ProcDump</OriginalFileName>
+			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">asktgt;asktgs</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">createnetonly /program:;createnetonly -program:</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">dump /service:krbtgt;dump -service:krbtgt</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">harvest /interval:;harvest -interval:</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">renew /ticket:;renew -ticket:</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">asreproast</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">impersonateuser:</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">kerberoast</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">ptt /ticket:</CommandLine>
+			<Image name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Kerberos Ticket Disclosure with klist,Risk=70" condition="image">klist.exe</Image>
+			<Image name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=0,Desc=Kerberos Ticket Disclosure,Risk=30" condition="image">hh.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
+			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
+			<Rule name="Attack=T1552,Technique=Unsecured Credentials,Tactic=Credential Access,Level=3,Alert=Possible disclosure with IIS appcmd,Risk=100" groupRelation="and">
+				<OriginalFileName condition="is">appcmd.exe</OriginalFileName>
+				<CommandLine condition="contains all">list;text;password</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TACTIC: Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
+			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=2,Alert=User enumeration/Discovery,Risk=30" condition="image">quser.exe</Image>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=2,Alert=User or Group Discovery,Risk=50" groupRelation="and">
+				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
+				<CommandLine condition="contains any">group;localgroup; user</CommandLine>
+				<CommandLine condition="excludes">/domain</CommandLine>
+				<CommandLine condition="excludes">SUService</CommandLine>
+				<CommandLine condition="excludes">\users</CommandLine>
+				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=2,Alert=Domain User or Group Discovery,Risk=50" groupRelation="and">
+				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
+				<CommandLine condition="contains any">group;localgroup; user</CommandLine>
+				<CommandLine condition="contains any">/domain</CommandLine>
+				<CommandLine condition="excludes">SUService</CommandLine>
+				<CommandLine condition="excludes">\users</CommandLine>
+				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=4,Alert=Sharphound Discovery,Risk=100" groupRelation="or">
+				<CommandLine condition="contains any">sharphound;bloodhound;azurehound;CollectionMethod;encryptzip;randomizefilenames;dumpcomputerstatus</CommandLine>
+				<Company condition="contains any">sharphound;bloodhound</Company>
+				<Description condition="contains any">sharphound;bloodhound</Description>
+				<Image condition="contains any">sharphound;bloodhound</Image>
+				<OriginalFileName condition="contains any">sharphound;bloodhound</OriginalFileName>
+				<ParentImage condition="contains any">sharphound;bloodhound</ParentImage>
+				<Product condition="contains any">sharphound;bloodhound</Product>
+			</Rule>
+			<CommandLine name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=DSclient Discovery,Risk=70" condition="contains any">dscl . list /Groups;dscl . list -Groups</CommandLine>
+			<CommandLine name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=DSclient Discovery,Risk=70" condition="contains any">dscl . list /Users;dscl . list -Users</CommandLine>
+			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=DSQuery.EXE Discovery,Risk=70" condition="image">dsquery.exe</Image>
+			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=Query.EXE Discovery,Risk=30" condition="image">query.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
+			<Image name="Attack=T1083,Technique=File and Directory Discovery,Tactic=Discovery,Level=0,Desc=directory structure disclosure,Risk=30" condition="end with">tree.com</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
+			<Rule name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,Level=3,Alert=Auditpol System/GP Audit Policy Discovery" groupRelation="and">
+				<OriginalFileName condition="contains">auditpol</OriginalFileName>
+				<CommandLine condition="contains any">/get;-get;/list;-list;/backup;-backup</CommandLine>
+			</Rule>
+			<Image name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,Level=3,Alert=Group Policy Discovery with GPResult" condition="contains any">gpresult.exe</Image>
+			<CommandLine name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,Level=3,Alert=Group Policy Discovery with Powershell" condition="contains any">get-gpo;get-gpresult;get-gpreg</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
+			<Image name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,Level=0,Desc=Process Discovery,Risk=0" condition="image">tasklist.exe</Image>
+			<Image name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,Level=3,Alert=Process Discovery,Risk=0" condition="image">qprocess.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
+			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg query</CommandLine>
+			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg.exe query</CommandLine>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
+
+			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
+			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,Level=2,Alert=Traceroute Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">tracert.exe</Image>
+			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,Level=2,Alert=Pathping Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">pathping.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Discovery: Security Software Discovery-->
+			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,Alert=Sysmon Detection with driver altitude " groupRelation="or">
+				<CommandLine condition="contains all">find;385201</CommandLine>
+				<CommandLine condition="contains all">select-string;385201</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,Alert=Antivirus/edr/siem Discovery" groupRelation="or">
+				<CommandLine condition="contains all">find;virus</CommandLine>
+				<CommandLine condition="contains all">select-string;virus</CommandLine>
+				<CommandLine condition="contains all">process;Description;virus</CommandLine>
+				<CommandLine condition="contains all">find;cb</CommandLine>
+				<CommandLine condition="contains all">select-string;cb</CommandLine>
+				<CommandLine condition="contains all">process;Description;cb</CommandLine>
+				<CommandLine condition="contains all">find;defender</CommandLine>
+				<CommandLine condition="contains all">select-string;defender</CommandLine>
+				<CommandLine condition="contains all">process;Description;defender</CommandLine>
+				<CommandLine condition="contains all">find;crowdstrike</CommandLine>
+				<CommandLine condition="contains all">select-string;crowdstrike</CommandLine>
+				<CommandLine condition="contains all">process;Description;crowdstrike</CommandLine>
+				<CommandLine condition="contains all">find;sentinel</CommandLine>
+				<CommandLine condition="contains all">select-string;sentinel</CommandLine>
+				<CommandLine condition="contains all">process;Description;sentinel</CommandLine>
+				<CommandLine condition="contains all">find;nessusd</CommandLine>
+				<CommandLine condition="contains all">select-string;nessusd</CommandLine>
+				<CommandLine condition="contains all">process;Description;nessusd</CommandLine>
+				<CommandLine condition="contains all">find;td-agent</CommandLine>
+				<CommandLine condition="contains all">select-string;td-agent</CommandLine>
+				<CommandLine condition="contains all">process;Description;td-agent</CommandLine>
+				<CommandLine condition="contains all">find;cbagentd</CommandLine>
+				<CommandLine condition="contains all">select-string;cbagentd</CommandLine>
+				<CommandLine condition="contains all">process;Description;cbagentd</CommandLine>
+				<CommandLine condition="contains all">find;sysmon</CommandLine>
+				<CommandLine condition="contains all">select-string;sysmon</CommandLine>
+				<CommandLine condition="contains all">process;Description;sysmon</CommandLine>
+				<CommandLine condition="contains all">find;winlogbeat</CommandLine>
+				<CommandLine condition="contains all">select-string;winlogbeat</CommandLine>
+				<CommandLine condition="contains all">process;Description;winlogbeat</CommandLine>
+				<CommandLine condition="contains all">find;winlogbeat</CommandLine>
+				<CommandLine condition="contains all">select-string;winlogbeat</CommandLine>
+				<CommandLine condition="contains all">process;Description;winlogbeat</CommandLine>
+				<CommandLine condition="contains all">find;csfalcon</CommandLine>
+				<CommandLine condition="contains all">select-string;csfalcon</CommandLine>
+				<CommandLine condition="contains all">process;Description;csfalcon</CommandLine>
+				<CommandLine condition="contains all">find;splunk</CommandLine>
+				<CommandLine condition="contains all">select-string;splunk</CommandLine>
+				<CommandLine condition="contains all">process;Description;splunk</CommandLine>
+				<CommandLine condition="contains all">find;sidecar</CommandLine>
+				<CommandLine condition="contains all">select-string;sidecar</CommandLine>
+				<CommandLine condition="contains all">process;Description;sidecar</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" groupRelation="or">
+				<OriginalFileName name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" condition="is">fltMC.exe</OriginalFileName>
+				<CommandLine name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" condition="contains">misc::mflt</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,Level=3,Alert=AV Product detection via WMI,Risk=30" condition="contains">AntiVirusProduct</CommandLine>
+			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,Level=3,Alert=Security Settings via WMI,Risk=30" condition="contains">root\SecurityCenter2</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
+			<Image name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,Level=2,Alert=System Information Discovery,Risk=30" condition="image">sysinfo.exe</Image>
+			<CommandLine name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,Level=2,Alert=System Information Discovery,Risk=30" condition="image">systeminfo</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
+			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=Network Connection Discovery with netsh,Risk=60" groupRelation="and">
+				<Image condition="image">netsh.exe</Image>
+				<CommandLine condition="contains any">get;list;show</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=Network Connection Changes with netsh,Risk=60" groupRelation="and">
+				<Image condition="image">netsh.exe</Image>
+				<CommandLine condition="excludes any">get;list;show</CommandLine>
+			</Rule>
+			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=ipconfig discovery,Risk=20" condition="image">ipconfig.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
+			<Image name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=0,Desc=System Network Connections Discovery,Risk=0" condition="image">netstat.exe</Image>
+			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp -a</CommandLine> 
+			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp.exe -a</CommandLine> 
+			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp  -a</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=Account Discovery,Risk=50" groupRelation="and">
+				<Image condition="contains any">whoami.exe;whoami1.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=3,Alert=WMIC Account Discovery,Risk=30" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains all">get;useraccount</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Level=0,Desc=Network Connection modifications with netsh,Risk=40" groupRelation="and">
+				<Image condition="image">netsh.exe</Image>
+				<CommandLine condition="contains any">add;del;set</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=NBTStat DNS Lookup,Risk=30" groupRelation="and">
+				<CommandLine condition="contains">nbtstat</CommandLine> 
+				<CommandLine condition="excludes">nessus</CommandLine> 
+			</Rule>
+			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=route.exe discovery,Risk=60" groupRelation="and">
+				<Image condition="image">route.exe</Image>
+				<CommandLine condition="contains">print</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=Route Modification,Risk=40" groupRelation="and">
+				<Image condition="image">route.exe</Image>
+				<CommandLine condition="contains any">ADD;DEL;CHANGE;-f</CommandLine>
+			</Rule>
+			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=User enumeration with qwinsta" condition="image">qwinsta.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">rwinsta.exe</Image>
+			
+			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+
+			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<ParentImage condition="contains">Microsoft Office\root\Office</ParentImage>
+				<Image condition="excludes">Microsoft Office\root\Office</Image>
+				<ParentCommandLine condition="contains all">automation;Embedding</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.002,Tactic=Lateral Movement,Technique=SMB/Windows Admin Shares,Level=3,Alert=Command Ran over Admin Share" groupRelation="and">
+				<CommandLine condition="contains">admin$</CommandLine>
+				<CommandLine condition="excludes any">davclnt.dll</CommandLine>
+				<ParentCommandLine condition="excludes any">WebClientGroup</ParentCommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking: RDP Hijacking-->
+			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,Level=4,Alert=Remote Desktop Shadow Alert,Risk=100" condition="contains any">/shadow;-shadow</CommandLine>
+			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,Level=4,Alert=Remote Desktop Shadow with no Consent alert" condition="contains">noConsentPrompt</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
+			<Rule name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,Level=4,Alert=RDP Hijack Detected" groupRelation="and">
+				<ParentImage name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,Level=4,Alert=RDP Hijack Detected,Risk=100" condition="image">tscon.exe</ParentImage>
+				<CommandLine condition="contains">dest:rdp-tcp:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=4,Alert=Powershell Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=4,Alert=Emotet Executed via WMI,Risk=100" groupRelation="and">
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+				<Image condition="contains">\Users\</Image>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Network Detective System Scan Detected,Risk=100" groupRelation="and">
+				<Image condition="contains">NetworkDetective</Image>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Remote Tenable Malware Scan Detected,Risk=100" groupRelation="and">
+				<Image condition="image">sc.exe</Image>
+				<CommandLine condition="contains">tenable</CommandLine>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=CMD.exe Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+				<CommandLine condition="excludes any">do_vbsUpload;Spiceworks</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=regsvr32.exe Executed via WMI,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">regsvr32.exe</OriginalFileName>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=CMD Executed via WMI,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">cmd.exe</OriginalFileName>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=4,Alert=Powershell Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=RSAT Tool Launch,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">dsa.msc</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=HyperV Remote Management Tool Launch,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">virtmgmt.msc</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Potential Malicious Remote WMI Execution Detected,Risk=100" groupRelation="and">
+				<ParentImage condition="image">wmiprvse.exe</ParentImage>
+				<Image condition="excludes">CompMgmtLauncher.exe</Image>
+				<Image condition="excludes">DismHost.exe</Image>
+				<Image condition="excludes">Microsoft.NET\Framework</Image>
+				<Image condition="excludes">NetEvtFwdr.exe</Image>
+				<Image condition="excludes">ServerManager.exe</Image>
+				<Image condition="excludes">WerFault.exe</Image>
+				<Image condition="excludes">chcp.com</Image>
+				<Image condition="excludes">g2mupdate.exe</Image>
+				<Image condition="excludes">slack.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,AlertSuspicious Processes Spawned by WinRM,Risk=100" groupRelation="and">
+				<ParentImage condition="image">wsmprovhost.exe</ParentImage>
+				<Image condition="image">cmd.exe</Image>
+				<Image condition="image">sh.exe</Image>
+				<Image condition="image">bash.exe</Image>
+				<Image condition="image">wsl.exe</Image>
+				<Image condition="image">powershell.exe</Image>
+				<Image condition="image">powershell_ise.exe</Image>
+				<Image condition="image">schtasks.exe</Image>
+				<Image condition="image">at.exe</Image>
+				<Image condition="image">certutil.exe</Image>
+				<Image condition="image">mshta.exe</Image>
+				<Image condition="image">whoami.exe</Image>
+				<Image condition="image">ping.exe</Image>
+				<Image condition="image">ping.exe</Image>
+				<Image condition="image">bitsadmin.exe</Image>
+			</Rule>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Windows Remote Management Execution" condition="end with">winrm.cmd</Image>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrs.exe</Image>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrshost.exe</Image>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=2,Alert=Waitfor.exe Execution bypass" condition="image">waitfor.exe</Image>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</Image>
+			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="end with">winrshost.exe</ParentImage>
+			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</ParentImage>
+			<Rule name="Attack=T1021.006,Technique=Remote WMIC/Execution,Tactic=Lateral Movement,Level=4,Alert=Potential Malicious Document Execution,Risk=90" groupRelation="and">
+				<ParentImage condition="image">wmiprvse.exe</ParentImage>
+				<Image condition="image">mshta.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Secure Shell Execution,Risk=80" groupRelation="and">
+				<Image condition="contains any">ssh.exe;putty.exe;kitty.exe;kitty_portable.exe</Image><!-- SSH -->
+			</Rule>
+			<Product name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Putty utility detected,Risk=60">PuTTY suite</Product>
+			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Secure Shell FTP Execution,Risk=80" groupRelation="and">
+				<Image condition="contains any">sftp;psftp</Image><!-- SSH -->
+			</Rule>
+			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Possible SMBExec via Metasploit,Risk=100" groupRelation="and">
+				<CommandLine condition="is">rundll32.exe</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Trickbot,Risk=100" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">..\;,</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Trickbot 2,Risk=100" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">,StartW</CommandLine>
+			</Rule>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Sysinternals PSService" condition="contains">psservice</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Sysinternals PsPasswd" condition="contains">PsPasswd</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">mstsc.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image>
+			<Image name="Level=3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
+			<CommandLine name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=IIS powershellcustomhost exec" condition="contains">powershellcustomhost</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Remote Services: Distributed Component Object Model-->
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement" groupRelation="and">
+				<ParentCommandLine condition="contains">-Embedding</ParentCommandLine>
+				<ParentImage condition="is">c:\windows\system32\mmc.exe</ParentImage>
+			</Rule>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=4,Alert=CrackmapExec - Malicious Command Line events,Tactic=Privilege Escalation" condition="contains all">--execm;atexec</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Background Intelligent Transfer Control Class 1.0" condition="contains">{4991d34b-80a1-4291-83b6-3328366b9097}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Excel.Application" condition="contains">{00020812-0000-0000-C000-000000000046}</CommandLine> 	  
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: HTML Application" condition="contains">{40AEEAB6-8FDA-41e3-9A5F-8350D4CFCA91}</CommandLine> <!-- -->
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: MMC20.APPLICATION" condition="contains">{7e0423cd-1119-0928-900c-e6d4a52a0715}</CommandLine> <!-- -->
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Outlook.Application" condition="contains">{0006F04A-0000-0000-C000-000000000046}</CommandLine> <!-- -->
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Powerpoint.Application" condition="contains">{048EB43E-2059-422F-95E0-557DA96038AF}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Shell.Application" condition="contains">{13709620-C279-11CE-A49E-444553540000}</CommandLine> <!-- -->
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: ShellBrowserWindow" condition="contains">{c08afd90-f2a1-11d1-8455-00a0c91f3880}</CommandLine> <!-- -->
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: ShellWindows" condition="contains">9BA05972-F6A8-11CF-A442-00A0C90A8F39</CommandLine> <!-- -->
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Visio.Application" condition="contains">{00021A20-0000-0000-C000-000000000046}</CommandLine> <!-- -->
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: WScript.Shell" condition="contains">{72C24DD5-D70A-438B-8A42-98424B88AFB8}</CommandLine> <!-- -->
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Word.Application" condition="contains">{00020906-0000-0000-C000-000000000046}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Execution - Suspicious Cmdline - JScript Engine CLSID">{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Execution - Unusual Scripting Engine in use - chakra.dll">{1b7cd997-e5ff-4932-a7a6-2a9e636da385}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Execution - Unusual Scripting Engine in use - jscript9.dll">{16d51579-a30b-4c8b-a276-0ff4dc41e755}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" condition="contains any">rundll32.exe -sta;rundll32.exe /sta;rundll32 -sta;rundll32 /sta</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" condition="contains all">shell32.dll;SHCreateLocalServerRunDll</CommandLine>
+			<ParentCommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM Launch" condition="contains any">-k DcomLaunch;/k DcomLaunch</ParentCommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+
+			<!--MITRE ATT&CK TACTIC: Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
+			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,Level=4,Alert=Dark Halo Protected zip file creation,Risk=100" groupRelation="and">
+				<Image condition="image">7z.exe</Image>
+				<CommandLine condition="contains any">a -mx9 -r0 -p;a -v500m -mx9 -r0 -p</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
+			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">WindowsAudioDevice-Powershell-Cmdlet</CommandLine>
+			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">SoundRecorder.exe</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
+			<Image name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,Level=3,Alert=Data injected into clipboard,Risk=30" condition="is">clip.exe</Image>
+			<CommandLine name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,Level=3,Alert=Data pulled from clipboard,Risk=40" condition="contains">get-clipboard</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
+			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
+			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Possible Email Collection/Exfiltration,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">New-MailboxExportRequest</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">screencapture</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.drawing.Imaging</CommandLine>			
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.drawing.bitmap</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.windows.forms.screen</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
+			<!--MITRE ATT&CK TACTIC: Command and Control-->
+			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=base64 encoded URL https or http offset,Risk=80" groupRelation="and">
+				<CommandLine condition="contains any">odHRwczovL;aHR0cDovL;h0dHA6Ly;odHRwOi8v;aHR0cHM6Ly;h0dHBzOi8v</CommandLine>
+				<Image condition="excludes any">ie_to_edge_stub.exe;chrome.exe;firefox.exe;iexplore.exe;brave.exe;vivaldi.exe;msedge.exe;webex;teams.exe;goto opener.exe;lynx.exe;\Webex\webexAppLauncherLatest.exe;\WebEx\webexAppLauncher.exe;\WebEx\Applications\webexAppLauncher.exe;WebEx\webex.exe</Image>
+				<CommandLine condition="excludes any">wbx:;/SITE_TOKEN=;msteams:;PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSI</CommandLine>
+				<OriginalFileName condition="excludes any">msedgeupdate.dll</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=Double Base64 encoded executable,Risk=90" groupRelation="and">
+				<CommandLine condition="contains any">VFZvQUFBQ;RWb0FBQU;UVm9BQUFB;VFZxQUFBR;RWcUFBQU;UVnFBQUFF;VFZwUUFBS;RWcFFBQU;UVnBRQUFJ;VFZxUUFBT;RWcVFBQU;UVnFRQUFN;VFZwVEFRR;RWcFRBUU;UVnBUQVFF</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=base64 encoded powershell" groupRelation="and">
+				<Image condition="image">powershell.exe</Image>
+				<CommandLine condition="contains any">AAAAYInlM;OiCAAAAYInlM;OiJAAAAYInlM;RwBlAHQAL;WwBOAGUAdAAuAFM;W05ldC5TZXJ2aWNl</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=Cyrillic Letter obfuscation,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">Г;И;К;П;д;и;к;л;л;н;н;о;ф;ե;թ;յ;ն;ն;ն;ն;տ;ւ;ք</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
+			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
+			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
+			<Rule name="Attack=T1105,Technique=Remote File Copy,Tactic=Command and Control,Level=4,Alert=Certutil file transfer,Risk=100" groupRelation="and">
+				<Image condition="image">certutil.exe</Image>
+				<CommandLine condition="contains all">urlcache;split;f</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=Command Line file transfer,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">DownloadFile;DownloadString;Net.WebClient;System.Net.WebRequest;System.Net.SecurityProtocolType;Invoke-Expression;Invoke-WebRequest</CommandLine>
+				<Image condition="contains any">powershell.exe;cmd.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=BitsAdmin File Transfers,Risk=70" groupRelation="and">
+				<OriginalFileName condition="is">bitsadmin.exe</OriginalFileName>
+				<CommandLine condition="contains any">CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME</CommandLine>
+				<CommandLine condition="excludes all">util;setieproxy;localsystem;AUTODETECT</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=BitsAdmin File Transfers 2,Risk=70" groupRelation="and">
+				<Description condition="contains">BITS administration utility</Description><!-- to detect renamed ones -->
+				<CommandLine condition="contains any">CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Tactic=Command And Control,Technique=Ingress Tool Transfer,Level=4,Alert=Linux Ingress transfer tools on Windows,Risk=30" groupRelation="and">
+				<Image condition="contains any">\curl.exe;\wget.exe;\www.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1105,Tactic=Command And Control,Technique=Ingress Tool Transfer,Level=4,Alert=Linux Ingress transfer tools on Windows,Risk=30" groupRelation="and">
+				<Image condition="contains any">\curl.exe;\wget.exe;\www.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Certutil file download 1,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">certutil</OriginalFileName>
+				<CommandLine condition="contains all">split;f</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Certutil file download 2,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">certutil</OriginalFileName>
+				<CommandLine condition="contains any">verifyctl;URL</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=BitsAdmin File Transfers,Risk=70" condition="image">start-bitstransfer</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand.exe \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" condition="contains">ieexec http</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" condition="contains">ieexec.exe http</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Ingress Tool Transfer with Powercat,Risk=100" condition="contains">powercat</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" condition="contains any">esentutl /y \\;esentutl -y \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" condition="contains any">esentutl.exe /y \\;esentutl.exe -y \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" condition="contains">extrac32 \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" condition="contains">extrac32.exe \\</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
+			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
+			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
+			<CommandLine name="Attack=T1090,Technique=Connection Proxy,Tactic=Command and Control,Level=4,Alert=NetSH PortProxy,Risk=70" condition="contains">portproxy</CommandLine>
+			<Image name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Command and Control,Level=4,Alert=Tor Detected,Risk=100" condition="image">tor.exe</Image><!-- Tor-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
+			<Image name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Unattended Session" condition="image">TeamViewer_Desktop.exe</Image>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=4,Alert=PSExec Command,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains any">psexec</OriginalFileName>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
+
+			<!--MITRE ATT&CK TACTIC: Exfiltration-->
+			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Exfiltration,Level=0,Desc=SCP Data exfiltration detected,Risk=100" groupRelation="and">
+				<Image condition="contains any">winscp.exe;winscp.com;scp.exe;pscp</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
+			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,Level=0,Desc=Data exfiltration Tool detected 3,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">bitch.exe;bitch.bat;bitch_lasagna.exe;Admin Cracker.exe;BulletsPassView.exe;ChromePass.exe;Dialupass.exe;LSASecretsView.exe;OpenedFilesView.exe;OperaPassView.exe;PasswordFox.exe;ProduKey.exe;RouterPassView.exe;USBDeview.exe;USBStealer.exe;VNCPassView.exe;WebBrowserPassView.exe;WirelessKeyView.exe;WirelessKeyView.exe;empv.exe;netpass.exe;pspv.exe;usbdll.exe;rdpv.exe;WirelessKeyView.exe;lasagna.exe;all -vvv &gt;&gt;;rsync -r</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,Level=0,Desc=CredsLeaker exfiltration tool detected,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">CredsLeaker;Windows.Security.Credentials.UI.CredentialPicker;function Leaker;function Await</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,Level=0,Desc=merlin CnC exfiltration detected 4,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">.exe -url https://;dll,Run https://;Invoke-Merlin;-m SimpleHTTPServer;/m SimpleHTTPServer</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=DNS Exfil detected,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">-q=txt;/q=txt</CommandLine>
+				<Image condition="image">nslookup.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1567.002,Technique=Exfiltration to Cloud Storage,Tactic=Exfiltration,Level=4,Alert=Rclone detected,Risk=100" groupRelation="or">
+				<OriginalFileName condition="contains any">rclone</OriginalFileName>
+				<Description condition="contains any">Rsync for cloud storage</Description>
+				<Product condition="contains any">rclone</Product>
+				<Company condition="contains any">rclone</Company>
+				<Image condition="contains any">\rclone</Image>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=S3browser detected,Risk=100" groupRelation="or">
+				<OriginalFileName condition="contains any">s3browser</OriginalFileName>
+				<Description condition="contains any">s3browser</Description>
+				<Product condition="contains any">s3browser</Product>
+				<Image condition="contains any">s3browser</Image>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=FTP exfiltration detected,Risk=100" groupRelation="or">
+				<CommandLine condition="contains any">add-ftp;.UploadFile(</CommandLine>
+				<Image condition="contains any">ftp.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1048,Tactic=Exfiltration,Technique=Exfiltration to Cloud Storage,Level=0,Desc=Webdav Share Mounted" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">davclnt.dll;DavSetCookie</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
+
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
+
+			<!--MITRE ATT&CK TACTIC: Impact-->
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Possible Ransomware Command Detected,Risk=100" groupRelation="and">
+				<Image condition="image">bcdedit.exe</Image>
+				<CommandLine condition="contains">safeboot</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Possible Ransomware Command Detected,Risk=100" groupRelation="and">
+				<Image condition="image">bootcfg.exe</Image>
+				<CommandLine condition="contains">safeboot</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Possible Ransomware Virtual Machine,Risk=60" groupRelation="and">
+				<CommandLine condition="contains any">-startvm;vrun.exe -vm</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with vssadmin Detected,Risk=100" groupRelation="and">
+				<Image condition="image">vssadmin.exe</Image>
+				<CommandLine condition="contains any">delete;resize</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wmic shadowcopy delete Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains all">shadowcopy;delete</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wbadmin.exe</OriginalFileName>
+				<CommandLine condition="contains all">SYSTEMSTATEBACKUP;delete</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wmic shadowstorage Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains">wmic shadowstorage SET MaxSpace=</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Destructive WMIC Commands Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains any">cleareventlog;call disable;nteventlog where filename</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Alert=Data Destruction with diskpart" groupRelation="and">
+				<OriginalFileName condition="contains">diskpart.exe</OriginalFileName>
+				<CommandLine condition="contains any">format;clean;delete;remove</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Alert=Data Destruction with manage-bde.exe" groupRelation="and">
+				<OriginalFileName condition="contains">manage-bde.exe</OriginalFileName>
+				<CommandLine condition="contains any">changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Alert=Data Destruction with manage-bde.wsf" groupRelation="and">
+				<CommandLine condition="contains">manage-bde.wsf</CommandLine>
+				<CommandLine condition="contains any">changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Data Destruction with format" condition="begin with">format </CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Data Destruction with format" condition="begin with">format </CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" condition="contains">bootstatuspolicy ignoreallfailures</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" condition="contains">recoveryenabled No</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with get-wmiobject Detected,Risk=100" condition="contains">Win32_Shadowcopy</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with sdelete Detected,Risk=100" condition="contains">sdelete</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">delete catalog</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">wbadmin delete catalog</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Desc=Data Destruction with erase Detected,Risk=100" condition="contains">erase</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">-nw -exec=</CommandLine><!-- vshadow -->
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">-p -nw</CommandLine><!-- vshadow -->
+			<Image name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with shred Detected,Risk=100" condition="contains">shred</Image>
+			<ParentImage name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Diskshadow Execution,Risk=70" condition="contains">diskshadow</ParentImage>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Command Line File Deletion,Risk=100" groupRelation="or">
+				<CommandLine condition="contains all"> del ; /f </CommandLine>
+				<CommandLine condition="contains all"> del ; -f </CommandLine>
+				<CommandLine condition="contains all"> rmdir ; /s ; /q </CommandLine>
+				<CommandLine condition="contains all"> rmdir ; -s ; -q </CommandLine>
+				<CommandLine condition="contains all"> rd ; /s ; /q </CommandLine>
+				<CommandLine condition="contains all"> rd ; -s ; -q </CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
+			<CommandLine name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=3,Alert=Potential Ransomware indicator" condition="contains">usn deletejournal</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
+			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
+			<Rule name="Attack=T1107,Technique=File Deletion,Tactic=Defense Evasion,Level=3,Alert=FSUtil USN Journal Deletion,Risk=60" groupRelation="and">
+				<Image condition="image">fsutil.exe</Image>
+				<CommandLine condition="contains">deletejournal</CommandLine>
+				<CommandLine condition="contains">usn</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
+			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
+			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
+			<!--Malicious Keywords Credits: Sean Metcalf (source), Florian Roth (rule)-->
+			<CommandLine name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,Level=4,Alert=Malicious Keywords from Exploitation Frameworks" condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
+			<!--Crypto Currency Miner Detections-->
+			<Rule name="Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
+				<CommandLine condition="contains any">ahashpool;blazepool;blockmasters;blockmasterscoins;ccminer;cgminer;coinhive;hashrefinery;minergate;miningpoolhubcoins;nicehash;poolname;poolpassword;poolurl;rainbowminer;sgminer;stratum+tcp;xmrMiner;xmrig;yiimp;zergpool;zergpoolcoins;zpool</CommandLine>
+				<Description condition="contains any">CPU miner;GPU miner;Lime Miner;XMRig CPU miner; miner</Description>
+			</Rule>
+			<!--Malware Hashes-->
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst hashes,Risk=100" groupRelation="and">
+				<Hashes condition="contains any">b91ce2fa41029f6955bff20079468448;02af7cec58b9a5da1c542b5a32151ba1;2c4a910a1299cdae2a4e55988a2f102e;846e27a652a5e1bfbd0ddd38a16dc865;4f2eb62fa529c0283b28d05ddd311fae;56ceb6d0011d87b6e4d7023d7ef85676</Hashes>
+			</Rule>
+			<Hashes condition="end with" name="Level=0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
+			<Hashes condition="end with" name="Level=0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
+			<Hashes condition="end with" name="Level=0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
+			<Hashes name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=4,Alert=Generic APT Hash Detection,Risk=100" condition="contains any">4a069c1abe5aca148d5a8fdabc26751e;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;a4b42c2c95d1f2ff12171a01c86cd64f;98908ce6f80ecc48628c8d2bf5b2a50c;849a2b0dc80aeca3d175c139efe5221c;807d86da63f0db1fc746d1f0b05bc357;322cb39bc049aa69136925137906d855;86A4CAC227078B9C95C560C8F0370BF0;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;eac3e3ece94bc84e922ec077efb15edd;b4abe604916c04fe3dd8b9cb3d501d3f;88777aacd5f16599547926a4c9202862;128CECC59C91C0D0574BC1075FE7CB40;17a36ac3e31f3a18936552aff2c80249;0f49621b06f2cdaac8850c6e9581a594;3d129263f6a48647f103a04446fb0c2f;71345b139166482acaa568ac8816c7bc;1b60021baedc3f9201bcdb40e9b87f62;5E022694C0DBD1FBBC263D608E577949;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;37cd353621b0f4fc6981b50071c94f01;daf2da52475fd8981b19ec3c321a983c;afcdf79be1557326c854b6e20cb900a7;2f40abbb4f78e77745f0e657a19903fc953cc664;37b4496e650b3994312c838435013560b3ca8571;478dc5a5f934c62a9246f7d1fc275868f568bc07;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;0ac48cfa2ff8351365e99c1d26e082ad;0e9afd3a870906ebf34a0b66d8b07435;1aadf739782afcae6d1c3e4d1f315cbd;2a6f7ec77ab6bd4297e7b15ae06e2e61;3a771efb7ba2cd0df247ab570e1408b2;3d75c72144d873b3c1c4977fbafe9184;3dfebce4703f30eed713d795b90538b5;3ffd2915d285ad748202469d4a04e1f5;4e39620afca6f60bb30e031ddc5a4330;6cfd131fef548fcd60fbcdb59317df8e;7bcd736a2394fc49f3e27b3987cce640;7bfba2c69bed6b160261bdbf2b826401;7bfbd72441e1f2ed48fbc0f33be00f24;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;08e82dc7bae524884b7dc2134942aadb;8da15a97eaf69ff7ee184fc446f19cf1;9ad6fa6fdedb2df8055b3d30bd6f64f1;9c115e9a81d25f9d88e7aaa4313d9a8f;16ab79fb2fd92db0b1f38bedb2f02ed8;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;22d142f11cf2a30ea4953e1fffb0fa7e;36db24006e2b492cafb75f2663f241b2;51a7068640af42c3a7c1b94f1c11ab9d;69a19abf5ba56ee07cdd3425b07cf8bf;72dc98449b45a7f1ccdef27d51e31e91;77a745b07d9c453650dd7f683b02b3ed;80c37e062aa4c94697f287352acf2e9d;92f8e3f0f1f7cc49fad797a62a169acd;235d427f94630575a4ea4bff180ecf5d;320b2f1d9551b5d1df4fb19bd9ab253a;490a140093b5870a47edc29f33542fd2;520ee02668a1c7b7c262708e12b1ba6b;649ef1dd4a5411d3afcf108d57ff87af;684eca6b62d69ce899a3ec3bb04d0a5b;815f1f8a7bc1e6f94cb5c416e381a110;0969b2b399a8d4cd2d751824d0d842b4;2317d65da4639f4246de200650a70753;04078ef95a70a04e95bda06cc7bec3fa;8035a8a143765551ca7db4bc5efb5dfd;8403a28e0bffa9cc085e7b662d0d5412;9003cfaac523e94d5479dc6a10575e60;9793afcea43110610757bd3b800de517;27612cb03c89158225ca201721ea1aad;44619a88a6cff63523163c6a4cf375dd;061089d8cb0ca58e660ce2e433a689b3;81229c1e272218eeda14892fa8425883;84730a6e426fbd3cf6b821c59674c8a0;533340c54bd25256873b3dca34d7f74e;57314359df11ffdf476f809671ec0275;99828721ac1a0e32e4582c3f615d6e57;412956675fbc3f8c51f438c1abc100eb;5985087678414143d33ffc6e8863b887;a43d3b31575846fa4c3992b4143a06da;a571660c9cf1696a2f4689b2007a12c7;b4e67706103c3b8ee148394ebee3f268;b9c208ea8115232bfd9ec2c62f32d6b8;b9cf4301b7b186a75e82a04e87b30fe4;b72737b464e50aa3664321e8e001ff32;bfe3f6a79cad5b9c642bb56f8037c43b;c0e72eb4c9f897410c795c1b360090ef;c1e7850da5604e081b9647b58248d7e8;c3e255888211d74cc6e3fb66b69bbffb;cacaa3bf3b2801956318251db5e90f3c;cdb303f61a47720c7a8c5086e6b2a743;ce8ce92fb6565181572dce00d69c24f8;d8f1356bebda9e77f480a6a60eab36bb;d9e9f22988d43d73d79db6ee178d70a4;d5377dc1821c935302c065ad8432c0d2;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;f559c87b4a14a4be1bd84df6553aaf56;fc53f2cd780cd3a01a4299b8445f8511;ffc7305cb24c1955f9625e525d58aeee</Hashes>
+			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=4,Alert=Windows Credential Editor Detection,Risk=70" condition="contains any">e96a73c7bf33a464c510ede582318bf2;a53a02b997935fd8eedcb5f7abab9b9f</Hashes>
+			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Ransomware Hash Detection,Risk=100" condition="contains any">d326e629a90e78825645963b35e53a6a;c579341f86f7e962719c7113943bb6e4;dc5733c013378fa418d13773f5bfe6f1;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc7e564809d6c2a2f3457c3c9b91f22b;FE2CA1BE3BDA2A757036A89E54CC02DB;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b</Hashes>
+			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Ursniff Bank Malware,Risk=100" condition="contains">53841a0c6a3ff92976db08bfdf95e083</Hashes>
+			<!--UEBA Activities-->
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Zoom: passwordless meeting Start,Risk=30" groupRelation="and">
+				<CommandLine condition="contains">zoommtg</CommandLine>
+				<CommandLine condition="excludes">pwd=</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Zoom: Video and Audio Session Start" groupRelation="and">
+				<CommandLine condition="contains">zoommtg</CommandLine>
+				<CommandLine condition="contains">zc=0</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Zoom: Screen Share,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">zoommtg</CommandLine>
+				<CommandLine condition="contains">zc=1</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Microsoft Teams URL clicked" groupRelation="and">
+				<CommandLine condition="contains">msteams:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Webex URL clicked" groupRelation="and">
+				<CommandLine condition="contains">wbx:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Executed files within Downloads,Risk=30" groupRelation="and">
+				<Image condition="contains">C:\Users\</Image>
+				<Image condition="contains">\Downloads\</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Executed files on Desktop,Risk=10" groupRelation="and">
+				<Image condition="contains">C:\Users\</Image>
+				<Image condition="contains">\Desktop\</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Linux tools installed on windows,Risk=30" groupRelation="and">
+				<Image condition="contains any">\awk.exe;\sed.exe</Image>
+			</Rule>
+			<CommandLine condition="contains">listena</CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=LOLBins" condition="contains any">-s -n -u -i:http:</CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=LOLBins" condition="contains any">/s /n /u /i:http:</CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">assoc </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">del </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">expand </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">md </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">move </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">rd </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">ren </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">set </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">setx </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="contains any">bginfo.bgi /popup /nolicprompt;bginfo.bgi -popup -nolicprompt</CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="image">find.exe</CommandLine>
+			<CommandLine name="Attack=T1595,Technique=Hacking,Tactic=Execution,Level=3,Alert=FireEye/Fin6 Hacking tools" condition="contains">grabff</CommandLine>
+			<CommandLine name="Attack=T1595,Technique=Hacking,Tactic=Execution,Level=3,Alert=FireEye/Fin6 Hacking tools" condition="contains">routerscan</CommandLine>
+			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=3,Alert=Hacking with python,Risk=70" condition="contains">pythonEngine.Execute</CommandLine>
+			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=4,Alert=Hacking with session hijacking,Risk=100" condition="contains">sesshijack</CommandLine>
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=File Protocol Handler Execution" condition="contains">file://</CommandLine>
+			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">HTML Application host</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Manager Profile Installer</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft Application Virtualization Injector</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Application Compatibility Database Installer</Description>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">popd.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">pushd.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">subst.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=detect aliases" condition="image">doskey.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=detect cls in batch scripts" condition="image">cls.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=UNC\Device Launches - Image begins with \,Risk=10" condition="begin with">\</Image> 
+			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\system32\svchost.exe -k iissvcs</ParentCommandLine>
+			<ParentImage name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=UNC\Device Launches - Parent Image begins with \,Risk=10" condition="begin with">\</ParentImage> 
+			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Acrobat" condition="image">acrobat.exe</ParentImage>
+			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Adobe Reader" condition="image">acrord32.exe</ParentImage>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">java.exe</ParentImage>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">javaw.exe</ParentImage>
+			<!--Detect Output Redirection-->
+			<!-- Disabled for now: Reason: Overrides other detections, waiting on Sysmon multiple rule firing
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">2></CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">&gt;</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">&lt;</CommandLine>
+			-->
+			<!--Detect Multiple Commands-->
+			<Rule  name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
+			</Rule>
+			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Permission Modifications with icacls or cacls" condition="contains">cacls</Image>
+			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Ownership Permission Modifications with takeown" condition="contains">takeown</Image>
+			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
+			<Rule  name="Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
+				<CommandLine condition="contains">\pipe\</CommandLine>
+				<CommandLine condition="excludes">&gt;</CommandLine> <!--Excludes piping to pipe for cobalt strike detection-->
+			</Rule>
+			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
+			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
+			<CommandLine name="Level=3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
+			<CommandLine name="Level=3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
+			<CommandLine name="Level=3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\\tsclient</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">%PROCESSOR_ARCHITECTURE%</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">sysnative</CommandLine>
+			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">AutoIt</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft Filter Loader</Description> 
+			<Image name="Level=3,Alert=interactive command to slow output" condition="is">more.com</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">:\Windows\Microsoft.NET\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">acrord32.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">gpupdate.exe</Image>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
+			<!-- Log other command line events, this sometimes conflicts with rules, add to exclusions as necessary-->
+			<!-- <ParentCommandLine name="Information=Uncategorized Events" condition="contains any">/;\;-;unknown;</ParentCommandLine>-->
+		</ProcessCreate>
+	</RuleGroup>
+	<RuleGroup name="RG=Process Create Exclude Group" groupRelation="or">
+		<ProcessCreate onmatch="exclude">
+			<Rule name="exclude werfault from wmi" groupRelation="and">
+				<Image condition="image">C:\Windows\System32\WerFault.exe</Image>
+				<ParentImage condition="image">C:\Windows\System32\wbem\WmiPrvSE.exe</ParentImage>
+			</Rule>
+		</ProcessCreate>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
+	<RuleGroup name="RG=FileCreateTime Include Group" groupRelation="or">
+		<FileCreateTime onmatch="include">
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="begin with">C:\Users</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="begin with">C:\ProgramData</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\Temp\</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\tmp\</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\drivers\</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\Download</Image>
+		</FileCreateTime>
+	</RuleGroup>
+	<RuleGroup name="RG=FileCreateTime Exclude Group" groupRelation="or">
+		<FileCreateTime onmatch="exclude">
+			<Image condition="image">C:\Windows\system32\backgroundTaskHost.exe</Image>
+			<Image condition="image">TrustedInstaller.exe</Image>
+			<Image condition="image">OneDrive.exe</Image>
+			<Image condition="image">vivaldi.exe</Image>
+			<Image condition="image">chrome.exe</Image>
+			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image>
+			<Image condition="contains">setup</Image>
+			<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image>
+			<Image condition="end with">\AppData\Local\Microsoft\Edge SxS\Application\msedge.exe</Image>
+		</FileCreateTime>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
+	<RuleGroup name="RG=NetworkConnect Include Group" groupRelation="or">
+		<NetworkConnect onmatch="include">
+			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
+			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Census Network Connection,Risk=40" condition="contains">census</DestinationHostname>
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=ResearchScan Network Connection,Risk=70" condition="contains">researchscan</DestinationHostname>
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Scanhub Network Connection,Risk=70" condition="contains">scanhub</DestinationHostname>
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Shadow Network Connection,Risk=50" condition="contains">shadow</DestinationHostname>
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Shodan Network Connection,Risk=50" condition="contains">shodan</DestinationHostname>
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
+
+			<!--MITRE ATT&CK TACTIC: Resource Development-->
+			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
+
+			<!--MITRE ATT&CK TACTIC: Initial Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
+			
+			<!--MITRE ATT&CK TACTIC: Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
+			<Rule name="Attack=T1059,Technique=Visual Basic,Tactic=Execution,Level=4,Alert=WSCRIPT Network connection,Risk=80" groupRelation="and">
+				<Image condition="image">wscript.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
+			<!--MITRE ATT&CK TECHNIQUE: Native API-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<Image name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,Level=4,Alert=AT.EXE Task Scheduler Network Connection,Risk=30" condition="image">at.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,Level=4,Alert=SCHTasks.exe Task Scheduler Network Connection,Risk=30" condition="image">schtasks.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: System Services-->
+			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
+
+			<!--MITRE ATT&CK TACTIC: Persistence-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
+			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
+
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
+			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Temp file location network connection,Risk=30" groupRelation="and">
+				<Image condition="contains">\temp\</Image> <!--Network Connection in Temp Directories-->
+				<DestinationIp condition="excludes any">127.0.0.1</DestinationIp>		
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from wwwroot folder: Possible webshell,Risk=100" groupRelation="and">
+				<Image condition="contains">\wwwroot\</Image>
+			</Rule>
+			<Image name="Level=4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from Windows\repair Folder,Risk=70" condition="begin with">C:\Windows\repair\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from htdocs folder,Risk=70" condition="contains">\htdocs\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from systemprofile Folder,Risk=30" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from Intel logs,Risk=100" condition="begin with">C:\Intel\Logs\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from Windows\Addins Folder,Risk=70" condition="begin with">C:\Windows\addins\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from Windows\security Folder,Risk=100" condition="begin with">C:\Windows\security\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from windows help folder,Risk=70" condition="begin with">C:\Windows\Help\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection in Recycle Bin,Level=4,Alert=Suspicious network connection from Recycle bin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection in Windows Debug folder,Risk=100" condition="begin with">C:\Windows\Debug\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection in Windows Font folder,Risk=100" condition="begin with">C:\Windows\Fonts\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Perflogs unusual network connection,Risk=70" condition="begin with">C:\PerfLogs\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Unusual network connection from Recycle bin,Risk=100" condition="contains">:\$Recycle.bin\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network Connection from Default User folder,Risk=30" condition="contains">:\Users\Default\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network Connection from NetworkService User folder,Risk=30" condition="begin with">C:\Users\NetworkService\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network connection from Public User folder,Risk=30" condition="begin with">C:\Users\Public\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network connection within Media Folder,Risk=30" condition="begin with">C:\Windows\Media\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Windows\IME\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\ProgramData</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
+			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
+			<Rule name="Attack=T1027.004,Tactic=Defense Evasion,Technique=Compile After Delivery,Level=4,Alert=CSC Network Conections" groupRelation="and">
+				<Image condition="image">CSC.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
+			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
+			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
+			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
+			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=0,Desc=infDefaultInstall Network Connection" condition="image">infDefaultInstall.exe</Image>
+			<Image name="Attack=T1218,Technique=Control Panel,Tactic=Defense Evasion,Level=0,Desc=Control Panel network connection" condition="image">SyncAppvPublishingServer.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Installutil-->
+			<Image name="Attack=T1218.004,Technique=InstallUtil,Tactic=Defense Evasion,Level=4,Alert=InstallUtil network connection" condition="image">InstallUtil.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Msiexec-->
+			<Image name="Attack=T1218.007,Technique=MSIExec,Tactic=Defense Evasion,Level=4,Alert=MSIExec Network connection,Risk=70" condition="image">msiexec.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvcs/regasm-->
+			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=4,Alert=RegAsm shellcode C2 connection" groupRelation="and">
+				<Image condition="contains any">regasm.exe;regsvcs.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Mavinject-->
+			<Image name="Attack=T1218.013,Technique=Signed Binary Proxy Execution: Mavinject,Tactic=Execution,Level=4,Alert=Mavinject detected,Risk=80" condition="image">Mavinject.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
+			<Rule name="Attack=T1127,Tactic=Defense Evasion,Technique=Signed Binary Proxy Execution,Level=4,Alert=MSBuild Network Conections" groupRelation="and">
+				<Image condition="image">msbuild.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
+			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
+
+			<!--MITRE ATT&CK TACTIC: Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
+			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
+			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
+			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
+
+			<!--MITRE ATT&CK TACTIC: Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
+			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
+			<Image name="Attack=T1482,Technique=Domain Trust Discovery,Tactic=Discovery,Level=0,Desc=DSQuery network connection" condition="image">dsquery.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
+			<Image name="Attack=T1518,Technique=Software Discovery,Tactic=Discovery,Level=0,Desc=DriverQuery Network Connection" condition="image">driverquery.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
+			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=4,Alert=NBTSTAT Query,Risk=30" condition="contains">nbtstat</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
+			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net.exe</Image>
+			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net1.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
+			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=QWinsta User enumeration,Risk=30" condition="image">qwinsta.exe</Image>
+			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=3,Alert=RWinsta Forced User Logoff,Risk=30" condition="image">rwinsta.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+
+			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
+			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Suspicious RDP Connection 3389,Risk=70" groupRelation="and">
+				<Initiated>true</Initiated>
+				<DestinationPort condition="is">3389</DestinationPort>
+				<Image condition="excludes">AutomationManager.ScriptRunner64.exe</Image>
+				<Image condition="excludes">C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe</Image>
+				<Image condition="excludes">C:\Program Files\VMware\VMware Remote Console\vmrc.exe</Image>
+				<Image condition="excludes">C:\Program Files\WindowsApps\Microsoft.RemoteDesktop_</Image>
+				<Image condition="excludes">CtxLicUsageRecorder.exe</Image>
+				<Image condition="excludes">FSAssessment.exe</Image>
+				<Image condition="excludes">FSDiscovery.exe</Image>
+				<Image condition="excludes">MobaRTE.exe</Image>
+				<Image condition="excludes">RDCMan.exe</Image>
+				<Image condition="excludes">RSSensor.exe</Image>
+				<Image condition="excludes">RTS2App.exe</Image>
+				<Image condition="excludes">RTSApp.exe</Image>
+				<Image condition="excludes">RemoteDesktopManager64.exe</Image>
+				<Image condition="excludes">RemoteDesktopManager.exe</Image>
+				<Image condition="excludes">RemoteDesktopManagerFree.exe</Image>
+				<Image condition="excludes">Terminals.exe</Image>
+				<Image condition="excludes">chrome.exe</Image>
+				<Image condition="excludes">mRemote.exe</Image>
+				<Image condition="excludes">mRemoteNG.exe</Image>
+				<Image condition="excludes">mstsc.exe</Image>
+				<Image condition="excludes">spiceworks-finder.exe</Image>
+				<Image condition="excludes">svchost.exe</Image>
+				<Image condition="excludes">thor64.exe</Image>
+				<Image condition="excludes">thor.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Suspicious RDP Connection 3391,Risk=70" groupRelation="and">
+				<Initiated>true</Initiated>
+				<DestinationPort condition="is">3391</DestinationPort>
+				<Image condition="excludes">AutomationManager.ScriptRunner64.exe</Image>
+				<Image condition="excludes">C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe</Image>
+				<Image condition="excludes">C:\Program Files\VMware\VMware Remote Console\vmrc.exe</Image>
+				<Image condition="excludes">C:\Program Files\WindowsApps\Microsoft.RemoteDesktop_</Image>
+				<Image condition="excludes">CtxLicUsageRecorder.exe</Image>
+				<Image condition="excludes">FSAssessment.exe</Image>
+				<Image condition="excludes">FSDiscovery.exe</Image>
+				<Image condition="excludes">MobaRTE.exe</Image>
+				<Image condition="excludes">RDCMan.exe</Image>
+				<Image condition="excludes">RSSensor.exe</Image>
+				<Image condition="excludes">RTS2App.exe</Image>
+				<Image condition="excludes">RTSApp.exe</Image>
+				<Image condition="excludes">RemoteDesktopManager64.exe</Image>
+				<Image condition="excludes">RemoteDesktopManager.exe</Image>
+				<Image condition="excludes">RemoteDesktopManagerFree.exe</Image>
+				<Image condition="excludes">Terminals.exe</Image>
+				<Image condition="excludes">chrome.exe</Image>
+				<Image condition="excludes">mRemote.exe</Image>
+				<Image condition="excludes">mRemoteNG.exe</Image>
+				<Image condition="excludes">mstsc.exe</Image>
+				<Image condition="excludes">spiceworks-finder.exe</Image>
+				<Image condition="excludes">svchost.exe</Image>
+				<Image condition="excludes">thor64.exe</Image>
+				<Image condition="excludes">thor.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Localhost RDP Tunneling Detection,Risk=70" groupRelation="and">
+				<Initiated>true</Initiated>
+				<DestinationPort condition="is">3389</DestinationPort>
+				<DestinationIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</DestinationIp>
+			</Rule>
+			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Link-Local RDP Tunnel Detection,Risk=70" groupRelation="and">
+				<Initiated>true</Initiated>
+				<DestinationPort condition="is">3389</DestinationPort>
+				<DestinationIp condition="begin with">fe80:0</DestinationIp>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=SSH Connection with Putty,Risk=80" groupRelation="and">
+				<Image condition="contains any">putty.exe;kitty.exe;kitty_portable.exe</Image><!-- SSH -->
+			</Rule>
+			<Rule name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Windows Remote Management connection,Risk=0" groupRelation="and">
+				<Image condition="image">wsmprovhost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=PSFTP Connection,Risk=70" groupRelation="and">
+				<Image condition="image">psftp.exe</Image><!-- SFTP -->
+			</Rule>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote Registry via command line,Risk=30" condition="image">reg.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote Registry via command line,Risk=80" condition="contains">psshutdown</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote password change with PSPasswd,Risk=80" condition="contains">PsPasswd</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote querying of services,Risk=80" condition="contains">psservice</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=SSH Connection with ssh.exe,Risk=30" condition="image">ssh.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Sysinternals PSEXE Tools,Risk=100" condition="contains">psexe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=TSFTP Connection,Risk=70" condition="image">tftp.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Telnet Connection,Risk=30" condition="image">telnet.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=MSTSC Remote Desktop Connection" condition="image">mstsc.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Remote WMIC commands,Risk=30" condition="image">wmic.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=SC.exe Network Connection" condition="image">sc.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Sysinternals PSKILL Tools,Risk=80" condition="contains">pskill</Image>
+			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=0,Desc=DSQuery network connection" condition="image">dsquery.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=3,Alert=Automated SSH Connection with Putty PLink,Risk=30" condition="image">plink.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=VNC" condition="image">vnc.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=VNC Viewer" condition="image">vncviewer.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=VNC Service" condition="image">vncservice.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement" condition="image">omniinet.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement" condition="image">hpsmhd.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+
+			<!--MITRE ATT&CK TACTIC: Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
+			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
+			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
+
+			<!--MITRE ATT&CK TACTIC: Command and Control-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<DestinationPort condition="is">50050</DestinationPort>
+				<Initiated>true</Initiated>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<DestinationPort condition="is">25</DestinationPort>
+				<Image condition="excludes any">\Bin\EdgeTransport.exe;Bin\MSExchangeFrontendTransport.exe</Image>
+				<Initiated>true</Initiated>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
+			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
+			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
+			<Rule name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Powershell Network Connection,Risk=30" groupRelation="and">
+				<Image condition="image">powershell.exe</Image>
+				<DestinationIp condition="excludes any">0:0:0:0:0:0:0:;127.0.0.1</DestinationIp>
+			</Rule>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=3,Alert=MSHTA Network Connection,Risk=100" condition="image">mshta.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=CMD Prompt network Connection,Risk=20" condition="image">cmd.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Certutil Connecting to network,Risk=20" condition="image">certutil.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Bitsadmin Connecting to network,Risk=20" condition="image">certutil.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Notepad Network Connection" condition="image">notepad.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=RegSVCS Network Connection,Risk=30" condition="image">regsvcs.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=RegSVR32 Network Connection,Risk=30" condition="image">regsvr32.exe</Image> 
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=RunDLL32 Network Connection,Risk=30" condition="image">rundll32.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
+			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
+			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
+			<!--MITRE ATT&CK TECHNIQUE: Proxy: Multi-hop Proxy-->
+			<Image name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=3,Alert=Tor Connection" condition="image">tor.exe</Image>
+			<DestinationHostname name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=3,Alert=Tor2Web,Risk=100" condition="contains any">hiddenservice.net;onion.city;onion.direct;onion.direct;onion.link;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org;onion.to</DestinationHostname>
+			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
+
+			<!--MITRE ATT&CK TACTIC: Exfiltration-->
+			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
+			<!-- DNS Over HTTPS-->
+			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=DNS Over HTTPS" condition="contains any">dns.google;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;doh.opendns.com;.quad9.net;dns.cleanbrowsing.org;dns-family.adguard.com;dns.adguard.com;.233py.com;dnscrypt;dnscrypt-cert.oszx.co;dns.oszx.co;doh.dns.sb;doh.defaultroutes.de;doh.tiarap.org;doh.tiar.app;doh.captnemo.in;.aaflalo.me;doh.appliedprivacy.net;doh.dnswarden.com;commons.host;dns.twnic.tw;ibuki.cgnat.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;.seby.io;rdns.faelix.net;doh.li;.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk;adblock.mydns.network;ibksturm.synology.me;jcdns.fun</DestinationHostname>
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
+			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=privatlab.com Cloud Exfiltration" condition="contains all">privatlab.com</DestinationHostname>
+			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=3,Alert=Mega.co.nz Cloud Exfiltration" condition="contains any">mega.nz;mega.co.nz</DestinationHostname>
+			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=3,Alert=PCloud Cloud storage Exfiltration" condition="contains any">.pcloud.com</DestinationHostname>
+			<!--MITRE ATT&CK TACTIC: Impact-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
+			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
+			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
+			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
+			<DestinationHostname name="Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
+			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
+			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
+			<!--UEBA Rules-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
+				<DestinationPort condition="is not">3389</DestinationPort>
+				<DestinationPort condition="is not">22</DestinationPort>
+				<DestinationPort condition="is not">21</DestinationPort>
+				<DestinationPort condition="is not">5985</DestinationPort>
+				<Initiated>false</Initiated>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
+				<Initiated>true</Initiated>
+				<SourcePort condition="is not">135</SourcePort>
+				<SourcePort condition="is not">445</SourcePort>
+				<DestinationPort condition="is not">5985</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="is not">System</Image>
+				<Image condition="excludes">svchost.exe</Image>
+				<DestinationPort condition="is">445</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="is not">System</Image>
+				<Image condition="excludes any">svchost.exe;lsass.exe</Image>
+				<DestinationPort condition="is">389</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="image">C:\Windows\System32\lsass.exe</Image>
+				<DestinationPort condition="is">389</DestinationPort>
+				<DestinationIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</DestinationIp>
+				<SourceHostname condition="excludes any">EXCH</SourceHostname>
+				<SourceIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</SourceIp>
+				<Initiated>false</Initiated>
+			</Rule>
+			<Rule name="Level=4,Alert=Notepad connecting to the internet" groupRelation="and">
+				<Image condition="image">notepad.exe</Image>
+				<DestinationIp condition="excludes">127.0.0.1</DestinationIp>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
+				<DestinationPort condition="is not">80</DestinationPort>
+				<DestinationPort condition="is not">443</DestinationPort>
+				<Initiated>true</Initiated>
+			</Rule>
+			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">github</DestinationHostname> 
+			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">githubusercontent.com</DestinationHostname>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
+				<DestinationPort condition="is">80</DestinationPort>
+				<Initiated>true</Initiated>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
+				<DestinationPort condition="is">443</DestinationPort>
+				<Initiated>true</Initiated>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="image">apache.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="image">java.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">\php-cgi.exe;\php.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains">setup</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains">tomcat</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains">unins</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains">unknown process</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains">explorer.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="image">inetinfo.exe</Image>
+			</Rule>
+			<!--3rd Party tools-->
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">netcat.exe;nc.exe;nc64.exe;ncat.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">procdump</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">psexe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">vnc;vncs;vncv</Image>
+			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
+				<Image condition="contains any">rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe;advanced_port_scanner.exe;rcpping.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe</Image>
+			</Rule>
+			<!--Destination Ports to Monitor-->
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">0</DestinationPort>
+			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5985</DestinationPort>
+			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5986</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1293</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1701</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1194</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">3540</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">3389</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">22</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1080</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">3128</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">8080</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1723</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">23</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">4500</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">9001</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">9030</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">5900</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">5800</DestinationPort>
+			<!--Source Ports to Monitor-->
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">0</SourcePort>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
+				<DestinationPort condition="is">443</DestinationPort>
+				<Initiated>true</Initiated>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
+				<DestinationPort condition="is">80</DestinationPort>
+				<Initiated>true</Initiated>
+			</Rule>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">80</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">443</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">636</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">5900</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">443</SourcePort>
+			<!--Suspicious network connections-->
+			<DestinationHostname name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=4,Alert=Dynamic DNS Connection" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</DestinationHostname>
+		</NetworkConnect>
+	</RuleGroup>
+	<RuleGroup name="RG=NetworkConnect Exclude Group" groupRelation="or">
+		<NetworkConnect onmatch="exclude">
+			<Protocol condition="contains">udp</Protocol>
+			<!--Exclude Inter-process coms over localhost, may be dangerous at expense for noise reduction -->
+			<Rule name="exclude interprocess communications with localhost" groupRelation="and">
+				<Image condition="contains any">System;svchost.exe;oracle.exe;apache.exe;java.exe;php-cgi.exe;w3wp.exe;httpd;ServerManager.exe;unknown process;sql;wscript;cscript;schtasks;at.exe;reg.exe;C:\Windows\System32\find.exe</Image>
+				<SourceIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</SourceIp>
+				<DestinationIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</DestinationIp>
+			</Rule>
+			<!--SECTION: Custom -->
+			<Rule name="exclude dest ldap port 88" groupRelation="and">
+				<Image condition="image">C:\Windows\System32\lsass.exe</Image>
+				<DestinationPort condition="is">88</DestinationPort>
+			</Rule>
+			<!--Disable Monitoring of Protocols-->
+			<DestinationPortName condition="is">epmap</DestinationPortName>
+			<DestinationPortName condition="is">llmnr</DestinationPortName>
+			<DestinationPortName condition="is">microsoft-ds</DestinationPortName>
+			<DestinationPortName condition="is">netbios-dgm</DestinationPortName>
+			<DestinationPortName condition="is">ntp</DestinationPortName>
+			<DestinationPortName condition="is">ssdp</DestinationPortName>
+			<SourcePortName condition="is">epmap</SourcePortName>
+			<SourcePortName condition="is">llmnr</SourcePortName>
+			<SourcePortName condition="is">microsoft-ds</SourcePortName>
+			<SourcePortName condition="is">netbios-dgm</SourcePortName>
+			<SourcePortName condition="is">ntp</SourcePortName>
+			<SourcePortName condition="is">ssdp</SourcePortName>
+			<!--Disable Monitoring on Ports-->
+			<DestinationPort condition="is">53</DestinationPort>   <!--DNS Lookups-->
+			<DestinationPort condition="is">67</DestinationPort>  <!--Bootp Lookups-->
+			<DestinationPort condition="is">68</DestinationPort>  <!--Bootp Lookups-->
+			<DestinationPort condition="is">1434</DestinationPort>  <!--SQL spam.-->
+			<DestinationPort condition="is">1812</DestinationPort> <!--Radius-->
+			<DestinationPort condition="is">3544</DestinationPort> <!--Teredo-->
+			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
+			<DestinationPort condition="is">5228</DestinationPort> <!--Google Chrome Safe Search checks-->
+			<DestinationPort condition="is">5353</DestinationPort> <!--Bonjour/Avahi Discovery-->
+			<DestinationPort condition="is">5357</DestinationPort> <!--WSD API noise-->
+			<DestinationPort condition="is">5989</DestinationPort>  <!--Vcenter Secure server for CIM.-->
+			<DestinationPort condition="is">6007</DestinationPort>  <!--Exchange WMI Spam-->
+			<DestinationPort condition="is">49154</DestinationPort>  <!--DFRS/ADFS Replication spam-->
+			<DestinationPort condition="is">49209</DestinationPort>  <!--DFRS/ADFS Replication spam-->
+			<DestinationPort condition="is">52176</DestinationPort>  <!--DFRS/ADFS Replication spam-->
+			<DestinationPort condition="is">59241</DestinationPort>  <!--DFRS/ADFS Replication spam-->
+			<SourcePort condition="is">53</SourcePort>  <!--DNS Lookups-->
+			<SourcePort condition="is">67</SourcePort>  <!--Bootp Lookups-->
+			<SourcePort condition="is">68</SourcePort>  <!--Bootp Lookups-->
+			<SourcePort condition="is">1812</SourcePort> <!--Radius-->
+			<SourcePort condition="is">3702</SourcePort> <!--Windows: WS-Discovery noise-->
+			<SourcePort condition="is">6007</SourcePort>  <!--Exchange WMI Spam-->
+			<SourcePort condition="is">49154</SourcePort>  <!--DFRS/ADFS Replication spam-->
+			<SourcePort condition="is">49209</SourcePort>  <!--DFRS/ADFS Replication spam-->
+			<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
+			<SourcePort condition="is">52176</SourcePort>  <!--DFRS/ADFS Replication spam-->
+			<SourcePort condition="is">59241</SourcePort>  <!--DFRS/ADFS Replication spam-->
+			<!--SECTION: Microsoft -->
+			<DestinationHostname condition="end with">.bing.com</DestinationHostname>
+			<DestinationHostname condition="end with">.cloudapp.net</DestinationHostname>
+			<DestinationHostname condition="end with">.lync.com</DestinationHostname>
+			<DestinationHostname condition="end with">.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">.outlook.com</DestinationHostname>
+			<DestinationHostname condition="end with">.search.msn.com</DestinationHostname>
+			<DestinationHostname condition="end with">.wns.windows.com</DestinationHostname>
+			<DestinationHostname condition="end with">aps.windows.com</DestinationHostname>
+			<DestinationHostname condition="end with">arc.msn.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">arc.msn.com</DestinationHostname>
+			<DestinationHostname condition="end with">atson.telemetry.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">au.download.windowsupdate.com</DestinationHostname>
+			<DestinationHostname condition="end with">b.akamaiedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">bingforbusiness.com</DestinationHostname>
+			<DestinationHostname condition="end with">client-office365-tas.msedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">config.edge.skype.com</DestinationHostname>
+			<DestinationHostname condition="end with">csp.digicert.com</DestinationHostname>
+			<DestinationHostname condition="end with">ctldl.windowsupdate.com</DestinationHostname>
+			<DestinationHostname condition="end with">cy2.licensing.md.mp.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">cy2.settings.data.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">displaycatalog.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">download.windowsupdate.com</DestinationHostname>
+			<DestinationHostname condition="end with">e-msedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">e3.delivery.dsp.mp.microsoft.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">emdl.ws.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">ettings-win.data.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">fe2.update.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">fe3.delivery.dsp.mp.microsoft.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">fe3.delivery.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">g.akamaiedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">g.live.com</DestinationHostname>
+			<DestinationHostname condition="end with">g.msn.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">geo-prod.do.dsp.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">geo-prod.dodsp.mp.microsoft.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">ile-service.weather.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">ip5.afdorigin-prod-am02.afdogw.com</DestinationHostname>
+			<DestinationHostname condition="end with">ipv4.login.msa.akadns6.net</DestinationHostname>
+			<DestinationHostname condition="end with">licensing.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">m3p.wns.notify.windows.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">modern.watson.data.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">msedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">msn.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">msn.com</DestinationHostname>
+			<DestinationHostname condition="end with">ocation-inference-westus.cloudapp.net</DestinationHostname>
+			<DestinationHostname condition="end with">ocos-office365-s2s.msedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">ocsp.digicert.com</DestinationHostname>
+			<DestinationHostname condition="end with">odern.watson.data.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">oneclient.sfx.ms</DestinationHostname>
+			<DestinationHostname condition="end with">pv4.login.msa.akadns6.net</DestinationHostname>
+			<DestinationHostname condition="end with">query.prod.cms.rt.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">ris.api.iris.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">ris.api.iris.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">s-msedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">settings.data.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">sfe.trafficshaping.dsp.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">sls.update.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">storecatalogrevocation.storequality.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">storeedgefd.dsx.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">telecommand.telemetry.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">tile-service.weather.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">tlu.dl.delivery.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">tsfe.trafficshaping.dsp.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">vip5.afdorigin-prod-am02.afdogw.com</DestinationHostname>
+			<DestinationHostname condition="end with">vip5.afdorigin-prod-ch02.afdogw.com</DestinationHostname>
+			<DestinationHostname condition="end with">virtualearth.net</DestinationHostname>
+			<DestinationHostname condition="end with">windows.net</DestinationHostname>
+			<DestinationHostname condition="end with">windowsupdate.com</DestinationHostname>
+			<DestinationHostname condition="end with">y2.displaycatalog.md.mp.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">y2.licensing.md.mp.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">y2.settings.data.microsoft.com.akadns.net</DestinationHostname>
+			<Image condition="image">EdgeTransport.exe</Image>
+			<Image condition="image">MSExchangeDelivery.exe</Image>
+			<Image condition="image">MSExchangeFrontendTransport.exe</Image>
+			<Image condition="image">MSExchangeHMWorker.exe</Image>
+			<Image condition="image">MSExchangeSubmission.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">\</Image>
+		</NetworkConnect>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->
+
+		<!--DATA: UtcTime, State, Version, SchemaVersion-->
+		<!--Cannot be filtered.-->
+
+	<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
+		<!--COMMENT:	Useful data in building infection timelines.-->
+		<RuleGroup name="RG=ProcessTerminate Include Group" groupRelation="or">
+		<ProcessTerminate onmatch="include">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="begin with">C:\Windows\</Image>
+				<Image condition="excludes">\System32\;Syswow64;sysmon.exe;sysmon64.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="begin with">C:\Windows\system32\</Image>
+				<Image condition="excludes">config\systemprofile\</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">A:\;B:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;L:\;M:\;N:\;O:\;P:\;Q:\;R:\;S:\;T:\;U:\;V:\;W:\;X:\;Y:\;Z:\;AA:\;BB:\;CC:\;DD:\;EE:\;FF:\;GG:\;HH:\;II:\;JJ:\;KK:\;LL:\;MM:\;NN:\;OO:\;PP:\;QQ:\;RR:\;SS:\;TT:\;UU:\;VV:\;WW:\;XX:\;YY;ZZ:\</Image>
+				<Image condition="excludes">:\PROGRA~</Image>
+				<Image condition="excludes">:\Program Files</Image>
+				<Image condition="excludes">:\Program Files</Image>
+				<Image condition="excludes">:\Program Files</Image>
+				<Image condition="excludes">:\ProgramData\</Image>
+				<Image condition="excludes">:\Users\</Image>
+				<Image condition="excludes">:\Windows\</Image>
+				<Image condition="excludes">:\inetpub\</Image>
+				<Image condition="excludes">:\$SysReset</Image>
+				<Image condition="excludes">:\$WinREAgent</Image>
+				<Image condition="excludes">:\inetpub\</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="begin with">\</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="begin with">C:\Users\</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="begin with">C:\ProgramData\</Image>
+				<Image condition="excludes any">C:\ProgramData\sysmon\sysmon64.exe;C:\ProgramData\sysmon\sysmon.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">C:\Program Files;C:\PROGRA~</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="begin with">C:\inetpub\</Image>
+			</Rule>
+		<!-- Useful data in building infection timelines.-->
+			<Image name="Attack=T1036,Tactic=Masquerading,Technique=Defense Evasion,Level=4,Alert=Process Termination in Recyclebin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
+			<Image name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=0,Desc=Process Terminate: Killing of Log Shippers" condition="contains any">packetbeat.exe;metricbeat.exe;filebeat.exe;winlogbeat.exe;o365beat.exe;graylog-sidecar.exe;graylog-collector-sidecar.exe;splunkd.exe;splunk.exe;syslogng.exe;syslog-ng.exe;nxlog-processor.exe;snarecore.exe;fluentd;td-agent</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\sysWOW64\config\systemprofile\</Image>
+			<Image condition="contains">\Temp\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">C:\Users\</Image>
+		</ProcessTerminate>
+	</RuleGroup>
+	<RuleGroup name="RG=ProcessTerminate Exclude Group" groupRelation="or">
+			<ProcessTerminate onmatch="exclude">
+			<Image condition="end with">Microsoft\Teams\current\Teams.exe</Image>
+			<Image condition="end with">\git.exe</Image>
+			<Image condition="end with">Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Image>
+			<Image condition="begin with">C:\ProgramData\Lenovo\ImController\</Image>
+		</ProcessTerminate>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
+	<RuleGroup name="RG=DriverLoad Include Group" groupRelation="or">
+		<DriverLoad onmatch="include">
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst driver hashes,Risk=100" groupRelation="and">
+				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Vulnerable Dell Drivers Detected,Risk=100" groupRelation="and">
+				<Hashes condition="contains any">0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5;c948ae14761095e4d76b55d9de86412258be7afd;c996d7971c49252c582171d9380360f2;ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1;10b30bdee43b3a2ec4aa63375577ade650269d25;d2fd132ab7bbc6bbb87a84f026fa0244</Hashes><!-- exclude non executable files -->
+			</Rule>
+			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=DumpExt.dll driver loaded,Risk=100" condition="contains">DumpExt.dll</ImageLoaded>
+			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=Mimikatz driver loaded,Risk=100" condition="contains">mimidrv</ImageLoaded>
+			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=PWDump6 driver loaded,Risk=100" condition="contains">lsremora</ImageLoaded>
+			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=wceaux.dll driver loaded,Risk=100" condition="contains">wceaux.dll</ImageLoaded>
+			<ImageLoaded name="Attack=T1040,Tactic=Discovery,Technique=Network Sniffing,Level=4,Alert=NPCap packet capture driver loaded,Risk=100" condition="contains">npcap</ImageLoaded>
+			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Temp</ImageLoaded>
+			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">:\Users</ImageLoaded>
+			<Signature name="Attack=T1019,Technique=System Firmware,Tactic=Persistence,Level=4,Alert=UEFI Rootkit detection,Risk=100" condition="contains">ChongKim Chan</Signature>
+			<SignatureStatus condition="contains">?</SignatureStatus>
+			<SignatureStatus condition="contains">Revoked</SignatureStatus>
+			<SignatureStatus condition="contains">Unavailable</SignatureStatus>
+			<SignatureStatus condition="contains">Valid</SignatureStatus>
+			<Signed name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">false</Signed>
+		</DriverLoad>
+	</RuleGroup>
+	<RuleGroup name="RG=DriverLoad Exclude Group" groupRelation="or">
+		<DriverLoad onmatch="exclude">
+		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
+				about what you exclude from monitoring. Low event volume, little incentive to exclude.-->
+		</DriverLoad>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
+		<!--COMMENT:	Can cause high system load, disabled by default.-->
+		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
+	<RuleGroup name="RG=Image Load Includes" groupRelation="or">
+		<ImageLoad onmatch="include">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=MSDT Loading diagnostic library: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<Image condition="is">msdt.exe</Image>
+				<ImageLoaded condition="contains">sdiageng.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
+				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wshom.ocx</ImageLoaded>
+				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<ImageLoaded condition="image">ntkrnlmp.exe</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,CVE=CVE-2021-1675,Level=0,Desc=Printer Expoit,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains any">\spool\drivers\x64\3\;\spool\drivers\W32X86\3\;\spool\drivers\IA64\3\</ImageLoaded>
+				<Image condition="contains any">spoolsv.exe;printisolationhost.exe</Image>
+				<SignatureStatus condition="excludes">Valid</SignatureStatus>
+				<Company condition="excludes any">Brother Industries;Canon;Sharp;Microsoft Corporation;DYMO;Euro Plus d.o.o;HP Inc;Hewlett-Packard</Company>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=0,Desc=DLL Image Load by System in Suspicious Locations" groupRelation="and">
+				<Image condition="begin with">C:\Windows\</Image>
+				<ImageLoaded condition="contains any">\Users\Public\;\Desktop\;\Downloads\;\AppData\Local\Temp\;\PerfLogs\;$Recycle;\Fonts\</ImageLoaded>
+				<ImageLoaded condition="excludes any">\Program Files</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="image">EQNEDT32.EXE</Image>
+				<ImageLoaded condition="contains">EQNEDT32.EXE</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=Windows Active Directory Services DLL Loading in Susicious Directories,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
+				<Image condition="contains any">C:\Users;\Temp\;\ProgramData\</Image>
+			</Rule>
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=Windows Active Directory Services DLL Loading by Suspicious Process,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
+				<Image condition="contains any">wscript.exe;cscript.exe;powershell.exe;rundll32.exe;msbuild.exe;msiexec.exe;csc.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
+				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wshom.ocx</ImageLoaded>
+				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll;fastprox.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
+				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
+				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
+				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">wscript.exe;cscript.exe</Image>
+				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="image">wmiprvse.exe</Image>
+				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="image">powershell.exe</Image>
+				<ImageLoaded condition="is">msi.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains">powershell</Image>
+				<ImageLoaded condition="is">amsi.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="excludes">powershell</Image>
+				<ImageLoaded condition="is">amsi.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
+				<ImageLoaded condition="is">clr.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<ImageLoaded condition="contains all">clr.dll;System.Management.ni.dll;Microsoft.Build.Utilities</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">wscript.exe;cscript.exe</Image>
+				<ImageLoaded condition="contains all">msxml;wshom.ocx</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">wscript.exe;cscript.exe</Image>
+				<ImageLoaded condition="contains all">winhttp.dll;mswsock.dll;IPHLPAPI.DLL</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">installutil.exe</Image>
+				<ImageLoaded condition="contains all">CustomMarshalers.dll;CustomMarshalers.ni.dll;System.Management.ni.dll;WMINet_Utils.dll;mswsock.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<ImageLoaded condition="end with">System.Management.Automation.ni.dll</ImageLoaded>
+				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<ImageLoaded condition="end with">System.Management.Automation.dll</ImageLoaded>
+				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
+				<ImageLoaded condition="excludes any">Lenovo.Vantage.AddinHost;\Microsoft.Sara.exe;C:\Program Files\CONEXANT</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded>
+				<Image condition="excludes any">\svchost.exe;\GameBar.exe;C:\Program Files\WindowsApps;\Microsoft\Teams\current\Teams.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<ImageLoaded condition="begin with">\\</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<ImageLoaded condition="contains">\Microsoft\Word\Startup\</ImageLoaded>
+				<ImageLoaded condition="end with">.wll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<ImageLoaded condition="contains">\Microsoft\Excel\Startup\</ImageLoaded>
+				<ImageLoaded condition="end with">.xll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<ImageLoaded condition="contains">\Microsoft\Addins\</ImageLoaded>
+				<ImageLoaded condition="contains any">.xla</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Defense Evasion,Level=4,Alert=Ransomware detected tor library,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains">tor-lib.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Cred Dumping,Risk=90" groupRelation="and">
+				<ImageLoaded condition="is any">C:\Windows\System32\WinSCard.dll;C:\Windows\System32\cryptdll.dll;C:\Windows\System32\hid.dll;C:\Windows\System32\samlib.dll;C:\Windows\System32\vaultcli.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Mimikatz Cred Dumping,Risk=100" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<ImageLoaded condition="contains all">vaultcli.dll;wlanapi.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">combase.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">cryptdll.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">imm32.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">logoncli.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">netapi32.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">ntasn1.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">ntdsapi.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">samlib.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">shcore.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">srvcli.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<ImageLoaded condition="contains all">odbc32.dll;winhttp.dll;netapi32.dll;SHLWAPI.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="image">C:\Windows\Explorer.EXE</Image>
+				<ImageLoaded condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="begin with">C:\ProgramData\</Image>
+				<ImageLoaded condition="begin with">C:\ProgramData\</ImageLoaded>
+				<ImageLoaded condition="end with">.exe</ImageLoaded>
+				<Company condition="excludes">Adobe</Company>
+				<Image condition="excludes">C:\ProgramData\Lenovo\</Image>
+				<ImageLoaded condition="excludes">C:\ProgramData\Microsoft\Windows Defender\</ImageLoaded>
+				<ImageLoaded condition="excludes">C:\ProgramData\sysmon\sysmon64.exe</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<ImageLoaded condition="contains any">C:\Users\Default\;C:\Users\Public\</ImageLoaded>
+				<ImageLoaded condition="end with">.exe</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst image hashes,Risk=100" groupRelation="and">
+				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
+				<Signed condition="is">false</Signed>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<SignatureStatus condition="is">Revoked</SignatureStatus>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<SignatureStatus condition="is">Expired</SignatureStatus>
+			</Rule>
+			<Rule name="Level=4,Alert=HTA Exec with IE JS Engine AMSI Bypass" groupRelation="and">
+				<ImageLoaded condition="end with">jscript9.dll</ImageLoaded>
+				<Image condition="image">mshta.exe</Image>
+			</Rule>
+			<ImageLoaded condition="end with">scrobj.dll</ImageLoaded>
+			<ImageLoaded condition="end with">crypt0.dll</ImageLoaded>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Wireless Credential Dumping" groupRelation="and">
+				<ImageLoaded condition="end with">C:\Windows\System32\wlanapi.dll</ImageLoaded>
+				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe</Image>
+				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe</Image>
+				<Image condition="excludes">C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience</Image>
+				<Image condition="excludes">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
+				<Image condition="excludes">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\AppHostRegistrationVerifier.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\CompatTelRunner.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\DeviceCensus.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\DriverStore\FileRepository\</Image>
+				<Image condition="excludes">C:\Windows\System32\LogonUI.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\MoNotificationUx.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\SystemSettingsBroker.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\dxgiadaptercache.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\netsh.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\wlanext.exe</Image>
+				<Image condition="excludes">C:\Windows\UUS\amd64\MoUsoCoreWorker.exe</Image>
+				<Image condition="excludes">C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_</Image>
+				<Image condition="excludes">C:\Windows\explorer.exe</Image>
+			</Rule>
+			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
+		</ImageLoad>
+	</RuleGroup>
+	<RuleGroup name="RG=Image Load Excludes" groupRelation="or">
+		<ImageLoad onmatch="exclude">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains">\Microsoft Office\</Image>
+				<ImageLoaded condition="end with">\mscorlib.ni.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains">\Microsoft Office\</Image>
+				<ImageLoaded condition="end with">\sppc.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
+				<Signed condition="is">true</Signed>
+			</Rule>
+			<!--Universal Exclusions: Be Careful-->
+			<Company condition="contains">Fortinet</Company>
+			<Company condition="contains">Lenovo</Company>
+			<Company condition="contains">Sophos</Company>
+			<Image condition="end with">mscorsvw.exe</Image>
+			<Image condition="image">C:\Program Files (x86)\Microsoft Office\root\Office15\officebackgroundtaskhandler.exe</Image>
+			<Image condition="image">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
+			<Image condition="image">C:\Program Files\Microsoft Office\root\Office15\officebackgroundtaskhandler.exe</Image>
+			<Image condition="image">C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
+			<Image condition="image">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
+			<Image condition="image">C:\Windows\System32\InstallAgentUserBroker.exe</Image>
+			<Image condition="image">C:\Windows\System32\RuntimeBroker.exe</Image>
+			<Image condition="image">C:\Windows\System32\SearchIndexer.exe</Image>
+			<Image condition="image">C:\Windows\System32\SettingSyncHost.exe</Image>
+			<Image condition="image">C:\Windows\System32\backgroundTaskHost.exe</Image>
+			<Image condition="image">C:\Windows\System32\sppsvc.exe</Image>
+			<Image condition="image">C:\Windows\System32\taskhost.exe</Image>
+			<Image condition="image">C:\Windows\System32\taskhostw.exe</Image>
+			<Image condition="image">C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe</Image>
+			<Image condition="image">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
+			<Image condition="image">HxTsr.exe</Image>
+			<Image condition="image">SearchUI.exe</Image>
+			<ImageLoaded condition="contains">C:\Program Files (x86)\Common Files\BIExcelFunctions1.1\32bit\Sage.</ImageLoaded>
+			<ImageLoaded condition="contains">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Pfx.</ImageLoaded>
+			<ImageLoaded condition="is">C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Adist64.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Program Files (x86)\Microsoft Office\Office15\Library\Analysis\ANALYS32.XLL</ImageLoaded>
+			<ImageLoaded condition="is">C:\Program Files (x86)\Microsoft Office\Office16\Library\Analysis\ANALYS32.XLL</ImageLoaded>
+			<ImageLoaded condition="is">C:\Program Files\Microsoft Office\Office15\Library\Analysis\ANALYS32.XLL</ImageLoaded>
+			<ImageLoaded condition="is">C:\Program Files\Microsoft Office\Office16\Library\Analysis\ANALYS32.XLL</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\SysWOW64\sppc.dll</ImageLoaded>
+			<ImageLoaded condition="is">Microsoft.Office.Interop.VisOcx.dll</ImageLoaded>
+			<ImageLoaded condition="is">Microsoft.Office.Interop.Word.dll</ImageLoaded>
+			<ImageLoaded condition="is">Microsoft.Vbe.Interop.dll</ImageLoaded>
+			<ImageLoaded condition="is">OFFICE.DLL</ImageLoaded>
+		</ImageLoad>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
+	<RuleGroup name="RG=CreateRemoteThread Include Group" groupRelation="or">
+		<CreateRemoteThread onmatch="include">
+			<!--Custom Rules-->
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from lsass,Risk=100" groupRelation="and">
+				<StartAddress condition="is">0x001A0000</StartAddress>
+				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privledge Escalation,Level=4,Alert=CreateRemoteThread with msiexec,Risk=100" groupRelation="and">
+				<SourceImage condition="contains any">msiexec.exe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=Remote Thread Injection Targetting Web Browser,Risk=70" groupRelation="and">
+				<TargetImage condition="contains any">chrome.exe;firefox.exe;edge.exe;browser_broker.exe;iexplore.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=0,Desc=LSASS Credential dumping,Risk=70" groupRelation="and">
+				<StartAddress condition="is">0x001A0000</StartAddress>
+				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=0,Desc=Rundll32 LSASS Credential dumping,Risk=70" groupRelation="and">
+				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
+				<SourceImage condition="image">c:\windows\system32\rundll32.exe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,Level=4,Alert=Remote Thread Process debugging detected,Risk=30" groupRelation="and">
+				<StartFunction condition="contains">DbgUiRemoteBreakin</StartFunction>
+				<TargetImage condition="excludes">nacl64.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,Level=0,Desc=Remote Query Debug info,Risk=30" groupRelation="and">
+				<StartFunction condition="contains">QueryProcessDebugInformationRemote</StartFunction>
+				<TargetImage condition="excludes">nacl64.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,Tactic=Defense Evasion,Level=0,Desc=Query Debug info 2,Risk=30" groupRelation="and">
+				<StartFunction condition="contains">isdebuggerpresent</StartFunction>
+				<TargetImage condition="excludes">nacl64.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1546.012,Technique=Process Debugging Detected,Tactic=Defense Evasion,Level=3,Alert=Process Debug of active Process,Risk=30" groupRelation="and">
+				<StartFunction condition="contains">DebugActiveProcess</StartFunction>
+				<TargetImage condition="excludes">nacl64.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1055.001,Technique=Process Injection: Dynamic-link Library Injection,Tactic=Defense Evasion,Level=3,Alert=LoadLibrary DLL Injection,Risk=70" groupRelation="and">
+				<StartFunction condition="contains">LoadLibrary</StartFunction>
+				<SourceImage condition="excludes">C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe</SourceImage>
+				<SourceImage condition="excludes">C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe</SourceImage>
+				<SourceImage condition="excludes">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</SourceImage>
+				<SourceImage condition="excludes">C:\Windows\System32\DriverStore\FileRepository\</SourceImage>
+				<SourceImage condition="excludes">C:\Windows\System32\igfxEM.exe</SourceImage>
+				<SourceImage condition="excludes">C:\Windows\System32\igfxHK.exe</SourceImage>
+				<SourceImage condition="excludes">Enterprise\Common7\IDE\devenv.exe</SourceImage>
+				<TargetImage condition="excludes">C:\Program Files (x86)\ASUS\ROG Live Service\FileOperator.exe</TargetImage>
+				<SourceImage condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=CreateFileMapping,Risk=70" groupRelation="and">
+				<StartFunction condition="contains any">CreateFileMapping;MapViewOfFile</StartFunction>
+			</Rule>			
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=LdrLoadDll DLL Injection,Risk=70" groupRelation="and">
+				<StartFunction condition="contains any">LdrLoadDll</StartFunction>
+			</Rule>
+			<Rule name="Attack=T1106,Technique=Native API,Tactic=Execution,Level=0,Desc=Crypt API Usage" groupRelation="and">
+				<StartFunction condition="contains any">CryptAcquireContextA;CryptDecodeObjectEx;CryptImportPublicKeyInfo;CryptEncrypt;CryptGenKey;CryptDecrypt;CryptStringToBinary;CryptBinaryToString;CryptImportKey</StartFunction>
+			</Rule>
+			<Rule name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,Level=0,Desc=Clipboard Usage Detected" groupRelation="and">
+				<SourceImage condition="image">c:\windows\system32\csrss.exe</SourceImage>
+				<StartFunction condition="contains">CrtlRoutine</StartFunction>
+			</Rule>
+			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Detected 1,Risk=100" condition="end with">0B80</StartAddress>
+			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Detected 2,Risk=100" condition="end with">0C7C</StartAddress>
+			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Detected 3,Risk=100" condition="end with">0C88</StartAddress>
+			<TargetImage name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=Remote Desktop injection,Risk=30" condition="image">c:\windows\system32\mstsc.exe</TargetImage>
+			<Rule name="Alert=Potentially Detect EtwEventWrite Tampering with remote threads" groupRelation="and">
+				<StartModule condition="is">C:\WINDOWS\SYSTEM32\ntdll.dll</StartModule>
+				<StartFunction condition="contains">EtwEventWrite</StartFunction>
+			</Rule>
+		</CreateRemoteThread>
+	</RuleGroup>
+	<RuleGroup name="RG=CreateRemoteThread Exclude Group" groupRelation="or">
+		<CreateRemoteThread onmatch="exclude">
+			<!--COMMENT: Exclude mostly-safe sources and log anything else.-->
+			<SourceImage condition="image">C:\Windows\SysWOW64\wbem\WmiPrvSE.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\system32\audiodg.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\system32\services.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\system32\svchost.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\system32\wininit.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\system32\winlogon.exe</SourceImage>
+		</CreateRemoteThread>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
+	<RuleGroup name="RG=RawAccessRead Include Group" groupRelation="or">
+		<RawAccessRead onmatch="include">
+		</RawAccessRead>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
+	<RuleGroup name="RG=ProcessAccess Include Group" groupRelation="or">
+		<ProcessAccess onmatch="include">
+			<!--Custom Rules-->
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CSShellExecute_ExecuteAssoc,Risk=30" groupRelation="and">
+				<CallTrace condition="contains">C:\Windows\System32\SHELL32.dll+9b5bd</CallTrace>
+				<TargetImage condition="excludes">\LocalBridge.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSHellExec,Risk=50" groupRelation="and">
+				<CallTrace condition="contains any">C:\Windows\System32\wshom.ocx+c8a0;C:\Windows\System32\wshom.ocx+c39d</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Tactic=Execution,Level=0,Desc=CWbemProviderGlueExecMethodAsync,Risk=50" groupRelation="and">
+				<CallTrace condition="contains">C:\Windows\SYSTEM32\framedynos.dll+2cb3e</CallTrace>
+				<TargetImage condition="excludes any">C:\Windows\system32\SgrmBroker.exe;C:\Windows\system32\SecurityHealthService.exe;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Windows\system32\services.exe;C:\Windows\system32\wininit.exe;C:\Windows\system32\sppsvc.exe;C:\Windows\System32\smss.exe;C:\Windows\system32\csrss.exe;C:\Windows\System32\svchost.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Tactic=Execution,Level=0,Desc=ProviderExecMethod 1,Risk=60" groupRelation="and">
+				<CallTrace condition="contains">C:\Windows\SYSTEM32\framedynos.dll+2b496</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=MiniDumpWriteDump,Risk=50" groupRelation="and">
+				<CallTrace condition="contains">C:\Windows\SYSTEM32\dbgcore.DLL+6cfb</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=PssCaptureSnapShot,Risk=50" groupRelation="and">
+				<CallTrace condition="contains">C:\Windows\System32\KernelBase.dll+de67e</CallTrace>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<CallTrace condition="contains">ntdll.dll+a0044</CallTrace>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<CallTrace condition="contains any">clr.dll+6c23;clr.dll+6b38</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 1,Risk=30" groupRelation="and">
+				<CallTrace condition="contains all">C:\Windows\\SYSTEM32\ntdll.dll+;|C:\Windows\System32\KERNELBASE.dll+;|UNKNOWN(</CallTrace>
+				<CallTrace condition="end with">)</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 2,Risk=30" groupRelation="and">
+				<CallTrace condition="contains all">"UNKNOWN(;)|UNKNOWN(</CallTrace>
+				<CallTrace condition="end with">)</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 3,Risk=30" groupRelation="and">
+				<CallTrace condition="contains all">"UNKNOWN</CallTrace>
+				<GrantedAccess condition="contains any">0x1F0FFF;0x1F1FFF;0x143A;0x1410;0x1010;0x1F2FFF;0x1F3FFF;0x1FFFFF</GrantedAccess>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=Office Macro Injection Detected,Risk=100" groupRelation="and">
+				<SourceImage condition="contains all">C:\Program Files;\Microsoft Office\Root\Office</SourceImage>
+				<CallTrace condition="contains">\Microsoft Shared\VBA</CallTrace>
+				<TargetImage condition="excludes">C:\Program Files (x86)\Intuit\</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Credential Access,Risk=70" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<GrantedAccess>0x1FFFFF</GrantedAccess>
+				<CallTrace condition="contains">UNKNOWN</CallTrace>
+				<CallTrace condition="excludes">WmiPerfClass.dll</CallTrace>
+				<SourceImage condition="excludes any">C:\Windows\sysWOW64\wbem\wmiprvse.exe;C:\Windows\system32\wbem\wmiprvse.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe;WmiPerfClass.dll;C:\Program Files (x86)\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files (x86)\Common Files\Adobe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Mimikatz through Windows Remote Management,Risk=100" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<SourceImage condition="image">C:\Windows\system32\wsmprovhost.exe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS process access by LaZagne,Risk=100" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<GrantedAccess>0x1FFFFF</GrantedAccess>
+				<CallTrace condition="contains all">python27.dll;_ctypes.pyd;KERNELBASE.dll;ntdll.dll</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS process access by Mimikatz,Risk=100" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<CallTrace condition="begin with">C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\system32\KERNELBASE.dll+8185</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Cobalt Strike Monitor,Risk=70" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
+				<CallTrace condition="end with">)</CallTrace>
+				<CallTrace condition="contains all">|C:\WINDOWS\System32\KERNELBASE.dll+;|UNKNOWN(</CallTrace>
+				<CallTrace condition="excludes any">wow64.dll;)|C;Exchange.Diagnostics;Microsoft.Exchange</CallTrace>
+				<SourceImage condition="excludes any">C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe;c:\windows\system32\inetsrv\w3wp.exe;MSExchangeHMHost.exe;C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Rubeus Mimikatz Like Detection,Risk=70" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\winlogon.exe</TargetImage>
+				<GrantedAccess>0x1F3FFF</GrantedAccess>
+				<CallTrace condition="contains any">C:\Windows\Microsoft.NET;UNKNOWN</CallTrace>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<SourceImage condition="end with">.exe</SourceImage>
+				<TargetImage condition="contains any">C:\Windows\sysmon64.exe;C:\Windows\sysmon64.exe</TargetImage>
+				<GrantedAccess>0x1C00</GrantedAccess>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access,Risk=20" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<GrantedAccess>0x1F1FFF</GrantedAccess>
+				<CallTrace condition="contains">UNKNOWN</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access 2,Risk=20" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<GrantedAccess>0x1010</GrantedAccess>
+				<CallTrace condition="contains">UNKNOWN</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access 3,Risk=20" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<GrantedAccess>0x143A</GrantedAccess>
+				<CallTrace condition="contains">UNKNOWN</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=LSASS Memory Dump,Risk=100" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<GrantedAccess>0x1fffff</GrantedAccess>
+				<CallTrace condition="contains any">dbghelp.dll;dbgcore.dll</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Process access with dbghelp,Risk=30" groupRelation="and">
+				<CallTrace condition="contains any">dbghelp.dll;dbgcore.dll</CallTrace>
+				<TargetImage condition="excludes">C:\Windows\system32\lsass.exe</TargetImage>
+				<SourceImage condition="excludes">C:\wfx32\</SourceImage>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<SourceImage condition="image">powershell.exe</SourceImage>
+				<TargetImage condition="excludes any">C:\Programdata\sysmon\sysmon64.exe;C:\Programdata\sysmon\sysmon.exe;C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe;\dismhost.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<CallTrace condition="contains">getasynckeystate</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=CMSTP UAC Bypass" groupRelation="and">
+				<CallTrace condition="contains">cmlua.dll</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1086,Technique=PowerShell,Tactic=Execution,Level=3,Alert=Powershell without Powershell,Risk=30" groupRelation="and">
+				<CallTrace condition="contains">System.Management.Automation</CallTrace>
+				<CallTrace condition="excludes">C:\ProgramData\Microsoft\Windows Defender\platform\</CallTrace>
+				<CallTrace condition="excludes">ctiuser.dll</CallTrace>
+				<SourceImage condition="is not">C:\Program Files\Citrix\ConfigSync\ConfigSyncRun.exe</SourceImage>
+				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V14\bin\ExSetupUI.exe</SourceImage>
+				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetupUI.exe</SourceImage>
+				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V16\bin\ExSetupUI.exe</SourceImage>
+				<SourceImage condition="is not">C:\Windows\SysWOW64\sdiagnhost.exe</SourceImage>
+				<SourceImage condition="is not">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</SourceImage>
+				<SourceImage condition="is not">C:\Windows\Temp\ExchangeSetup\ExSetupUI.exe</SourceImage>
+				<SourceImage condition="is not">C:\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe</SourceImage>
+				<TargetImage condition="is not">C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe</TargetImage>
+				<TargetImage condition="is not">C:\Windows\system32\HOSTNAME.EXE</TargetImage>
+				<TargetImage condition="is not">C:\Windows\system32\ROUTE.exe</TargetImage>
+				<TargetImage condition="is not">C:\Windows\system32\query.exe</TargetImage>
+				<TargetImage condition="is not">MsMpEng.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=3,Alert=Kaodic credential access detected,Risk=100" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<CallTrace condition="contains">comsvcs.dll</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=Office Macro Execution VBE7,Risk=80" groupRelation="and">
+				<CallTrace condition="contains any">VBE7.dll;VBEUI.DLL;VBE7INTL.DLL</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=Office Macro Execution VBE6,Risk=80" groupRelation="and">
+				<CallTrace condition="contains any">VBE6.dll;VBEUI.DLL;VBE6INTL.DLL</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=verclsid Office Execution,Risk=80" groupRelation="and">
+				<SourceImage condition="contains">Office</SourceImage>
+				<TargetImage condition="contains">verclsid.exe</TargetImage>
+				<CallTrace condition="contains any">VBE7.dll;VBEUI.DLL;VBE7INTL.DLL</CallTrace>
+				<CallTrace condition="contains any">|UNKNOWN(</CallTrace>
+				<GrantedAccess condition="contains">0x1FFFFF</GrantedAccess>
+			</Rule>
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CreateProcessW,Risk=70" groupRelation="and">
+				<SourceImage condition="contains">C:\Program Files\Microsoft Office\Root\Office</SourceImage>
+				<CallTrace condition="contains">C:\Windows\System32\KERNELBASE.dll+76516</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CSShellExecute_DoExecute,Risk=30" groupRelation="and">
+				<CallTrace condition="contains" >C:\Windows\System32\SHELL32.dll+ae3b9</CallTrace>
+				<TargetImage condition="excludes">C:\WINDOWS\system32\sihost.exe</TargetImage>
+				<TargetImage condition="excludes">C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub</TargetImage>
+			</Rule>
+			<CallTrace name="Level=4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
+			<Rule name="Level=4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
+				<CallTrace condition="contains">|UNKNOWN(</CallTrace>
+				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
+				<CallTrace condition="contains">|C:\WINDOWS\System32\KERNELBASE.dll+</CallTrace>
+				<CallTrace condition="end with">)</CallTrace>
+				<GrantedAccess condition="contains any">0x1028;0x1fffff</GrantedAccess>
+				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git\</SourceImage>
+			</Rule>
+			<Rule name="Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
+				<SourceImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</SourceImage>
+				<CallTrace condition="contains all">:\Windows\Microsoft.NET\Framework64\v2.;UNKNOWN</CallTrace>
+			</Rule>
+			<Rule name="Level=4,Alert=Potential Metasploit Process Migration" groupRelation="and">
+				<CallTrace condition="contains">UNKNOWN</CallTrace>
+				<GrantedAccess condition="contains">0x147a</GrantedAccess>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonEnte Detection,Level=4,Risk=100" groupRelation="and">
+				<TargetImage condition="contains any">C:\Windows\Sysmon64.exe;C:\Windows\Sysmon.exe</TargetImage>
+				<SourceImage condition="is not">C:\WINDOWS\system32\wbem\wmiprvse.exe</SourceImage>
+				<SourceImage condition="is not">C:\Program Files (x86)\ASUS\Update\AsusUpdate.exe</SourceImage>
+				<SourceImage condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe;C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe;C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</SourceImage>
+				<GrantedAccess condition="contains">0x1400</GrantedAccess>
+			</Rule>
+			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE: possible memory injection -->
+			<GrantedAccess name="Attack=T1093,Technique=Process Hollowing,Tactic=Defense Evasion,Level=4,Alert=Process Hollowing Detected,Risk=100">0x0800</GrantedAccess>
+			<!-- PROCESS_SUSPEND_RESUME -->
+			<GrantedAccess name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator">0x0810</GrantedAccess>
+			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
+			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=Possible Memory Dump,Risk=70">0x0820</GrantedAccess>
+			<!-- PROCESS_SUSPEND_RESUME -->
+			<GrantedAccess name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=70">0x810</GrantedAccess>
+			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
+			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Risk=70">0x820</GrantedAccess>
+			<SourceImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">cscript.exe</SourceImage>
+			<SourceImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">wscript.exe</SourceImage>
+			<SourceImage condition="end with">jjs.exe</SourceImage>
+			<CallTrace name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">dump</CallTrace>
+			<CallTrace name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">mimikatz</CallTrace>
+			<CallTrace name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CorperfmontExt.dll</CallTrace>
+		</ProcessAccess>
+	</RuleGroup>
+	<RuleGroup name="RG=ProcessAccess Exclude Group" groupRelation="or">
+		<ProcessAccess onmatch="exclude">
+			<Rule name="wmi accessing lsass" groupRelation="and">
+				<SourceImage condition="image">wmiprvse.exe</SourceImage>
+				<TargetImage condition="image">lsass.exe</TargetImage>
+			</Rule>
+			<Rule name="lsass accessing winlogon" groupRelation="and">
+				<SourceImage condition="image">lsass.exe</SourceImage>
+				<TargetImage condition="image">winlogon.exe</TargetImage>
+			</Rule>
+			<!-- These binaries appear to access lsass legitimately -->
+			<Rule name="legitimate lsass access" groupRelation="and">
+				<TargetImage condition="contains">lsass.exe</TargetImage>
+				<SourceImage condition="excludes any">C:\Windows\system32\w32tm.exe;C:\Windows\System32\ping.exe;C:\Windows\System32\net.exe;C:\Windows\System32\net1.exe;C:\Windows\SYSTEM32\HOSTNAME.EXE;C:\Programdata\sysmon\sysmon.exe;C:\Programdata\sysmon\sysmon64.exe;C:\Program Files\Windows Defender\MsMpEng.exe;C:\Program Files (x86)\BeAnywhere Support Express\;C:\Program Files (x86)\CheckPoint\;C:\Program Files (x86)\Common Files\Intuit\QuickBooks\;C:\Program Files (x86)\Fortinet\;C:\Program Files (x86)\Trend Micro\;C:\Program Files\Adobe\Adobe Creative Cloud Experience\;C:\Program Files\CheckPoint\;C:\Program Files\Fortinet\;C:\Program Files\Realtek;C:\Program Files\Trend Micro\;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Program Files (x86)\Lenovo\;snmpd.exe;taskmgr;:\Windows\System32\smss.exe;:\Windows\system32\wininit.exe;\Bin\FMS.exe; <!-- Exchange Process -->\EMET_GUI.exe;\EMET_Service.exe;\Google\Update\GoogleUpdate.exe;\RAAGTAPP.EXE;\controls\cef\ConnectWise.exe;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe;C:\Program Files\Hewlett-Packard\AMS\service\hpqams.exe;C:\Program Files\Intel\SUR\WILLAMETTE\ESRV\esrv_svc.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files\Windows Defender\MsMpEng.exe;C:\WINDOWS\system32\WerFault.exe;C:\WINDOWS\system32\taskkill.exe;C:\Windows\SysWOW64\WerFault.exe;C:\Windows\System32\snmp.exe;C:\Windows\system32\msiexec.exe;C:\Windows\system32\spoolsv.exe;C:\Windows\system32\svchost.exe</SourceImage>
+			</Rule>
+			<!-- These binaries get or access processes running .NET -->
+			<SourceImage condition="end with">:\Windows\system32\sppsvc.exe</SourceImage>
+			<SourceImage condition="end with">:\Windows\system32\sdiagnhost.exe</SourceImage>
+			<!-- In testing a common false-positive is memory space that DLLS would be expected to mapped to. -->
+			<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\ntdll.dll</CallTrace>  
+				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\win32u.dll</CallTrace>
+				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\wow64win.dll</CallTrace>
+			</Rule>
+		</ProcessAccess>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
+		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
+	<RuleGroup name="RG=FileCreate Include Group" groupRelation="or">
+		<FileCreate onmatch="include">
+			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
+			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
+			<TargetFilename name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,Level=4,Alert=Nessus Temp Files Created,Risk=100" condition="contains">\TEMP\nessus_</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
+
+			<!--MITRE ATT&CK TACTIC: Resource Development-->
+			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
+
+			<!--MITRE ATT&CK TACTIC: Initial Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds sunburst suspicious file writes,Risk=100" groupRelation="and">
+				<Image condition="contains any">solarwinds.businesslayerhost</Image>
+				<TargetFilename condition="contains any">.exe;.dll;.ps1;.mz;.jpg;.png</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds sunburst malware dll,Risk=100" groupRelation="and">
+				<TargetFilename condition="is">C:\WINDOWS\SysWOW64\netsetupsvc.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Dark Halo Software location,Risk=100" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\SoftwareDistribution</TargetFilename>
+				<TargetFilename name="Defender AntiMalware Delta Patch" condition="excludes all">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_;.exe</TargetFilename>
+				<TargetFilename condition="end with">.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=0,Desc=MSBuild Source Files created" groupRelation="or">
+				<TargetFilename condition="end with">proj</TargetFilename>
+				<TargetFilename condition="end with">.targets</TargetFilename>
+				<TargetFilename condition="end with">.build</TargetFilename>
+				<TargetFilename condition="end with">.props</TargetFilename>
+				<TargetFilename condition="end with">.tasks</TargetFilename>
+				<TargetFilename condition="end with">.sln</TargetFilename>
+				<TargetFilename condition="end with">.cs</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
+			
+			<!--MITRE ATT&CK TACTIC: Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch File scripting: Batch scripts" condition="end with">.bat</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch scripting: Legacy btm Extension" condition="end with">.btm</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch scripting: Legacy cmd Extension" condition="end with">.cmd</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch scripting: Legacy com Extension" condition="end with">.com</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CMDLine File Created" condition="end with">.cmdline</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch File Created" condition="end with">.bas</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=BIN file created" condition="end with">.bin</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WS Scripting" condition="end with">.ws</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSC Scripting" condition="end with">.wsc</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSF Scripting" condition="end with">.wsf</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSH Scripting" condition="end with">.wsh</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=PIF Scripting" condition="end with">.pif</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: MSHTA-->
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=MSHTA Scripting" condition="end with">.hta</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
+			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=IronPython,Risk=90" condition="contains">IronPython</TargetFilename>
+			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=Python" condition="end with">.py</TargetFilename>
+			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=Python" condition="end with">.pyc</TargetFilename>
+			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=Python" condition="end with">.pyd</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=2,Alert=Powershell file types,Risk=100" groupRelation="or">
+				<TargetFilename condition="end with">.cdxml</TargetFilename>
+				<TargetFilename condition="end with">.ps1</TargetFilename>
+				<TargetFilename condition="end with">.ps1xml</TargetFilename>
+				<TargetFilename condition="end with">.psc1</TargetFilename>
+				<TargetFilename condition="end with">.psd1</TargetFilename>
+				<TargetFilename condition="end with">.psm1</TargetFilename>
+				<TargetFilename condition="end with">.pssc</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=2,Alert=Powershell file creations,Risk=10" groupRelation="and">
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+			</Rule>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Powershell directory modifications" condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Powershell directory modifications" condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Persistence: PowerShell default profile" condition="begin with">c:\Windows\System32\WindowsPowerShell\v1.0\profile</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Persistence: PowerShell default profile" condition="begin with">c:\Windows\Syswow64\WindowsPowerShell\v1.0\profile</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\powershell.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Powershell Console History" condition="end with">PSReadLine\ConsoleHost_history.txt</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=vbs script created" condition="end with">.vbs</TargetFilename>
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=Java JRE Timestamp usage for DFIR" condition="contains">.oracle_jre_usage\</TargetFilename>
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=JavaScript" condition="end with">.js</TargetFilename>
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=JavaScript" condition="end with">.jse</TargetFilename>
+			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,Level=0,Desc=VisualBasicScripting" condition="end with">.vb</TargetFilename>
+			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,Level=0,Desc=VisualBasicScripting" condition="end with">.vbe</TargetFilename>
+			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,Level=0,Desc=VisualBasicScripting" condition="end with">.vbsript</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=CVE-2019-1315,Risk=70" groupRelation="and">
+				<TargetFilename condition="end with">Report.wer.tmp</TargetFilename>
+				<TargetFilename condition="excludes">\WER\</TargetFilename>
+				<Image condition="image">C:\Windows\system32\wermgr.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=Office App Creating Exe File,Risk=70" groupRelation="and">
+				<Image condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe</Image>
+				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="begin with">C:\Users</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=Office App Creating DLL File,Risk=70" groupRelation="and">
+				<Image condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe</Image>
+				<TargetFilename condition="end with">.dll</TargetFilename>
+				<TargetFilename condition="begin with">C:\Users</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
+			<!--MITRE ATT&CK TECHNIQUE: Native API-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: System Services-->
+			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: User Execution: Malicious File-->
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Generic Ransomware Detection" groupRelation="and">
+				<TargetFilename condition="contains any">!!!-WARNING-!!!.html;!!!-WARNING-!!!.txt;!!! HOW TO DECRYPT FILES !!!;!!!README!!!;!!!READ_TO_UNLOCK!!!.TXT;!!!_READ_ME_;!Recovery_;!Where_are_my_files!.html;!_HOW_TO_RESTORE_;!_RECOVERY_HELP_!.txt;!recover!;# DECRYPT MY FILES #.html;# DECRYPT MY FILES #.txt;# DECRYPT MY FILES #.vbs;# SATAN CRYPTOR #;+recover+;.8lock8;.31392E30362E32303136_;.ABCDEF;.CIop;.CR1;.CRAB;.CRYPTOSHIELD;.Cl0p;.Contact_Here_To_Recover_Your_Files.txt;.CryptoTorLocker2015!;.HERMES;.HakunaMatata;.How_To_Decrypt.txt;.How_To_Get_Back.txt;.KEYZ.KEYH0LES;.L0CKED;.LOL!;.MATRIX;.OMG!;.R.i.P;.RMCM1;.RSplited;.SUPERCRYPT;.SecureCrypted;.TheTrumpLocker;.VBRANSOM;.VforVendetta;.Where_my_files.txt;.XBTL;._AiraCropEncrypted!;.airacropencrypted!;.areyoulovemyrans;.berkshire;.bitpy;.bitx;.blocatto;.bomber;.braincrypt;.breakingbad;.breeding123;.cerber;.cifgksaffsfyghd;.country82000;.crypt;.crypted;.crypton;.cryptotorlocker;.decrypt2017;.deria;.dglnl;.disposed2017;.doomed;.encrypted.locked;.encrypted;.encryptedyourfiles;.enjey;.evillock;.filegofprencrp;.fileiscryptedhard;.firecrypt;.fuckyourdata;.gangbang;.gefickt;.googl;.happydayzz;.hceem;.helpdecrypt;.helpmeencedfiles;.hnumkhotep;.hydracrypt_ID;.iaufkakfhsaraf;.info.txt;.jimm;.kharma;.killedXXX;.lambda_l0cked;.letmetrydecfiles;.locked;.locker16;.loveransisgood;.lovewindows;.magic_software_syndicate;.mention9823;.moments2900;.myrandsext2017;.newlock;.no_more_ransom;.nochance;.noproblemwedecfiles;.notfoundrans;.ohwqg;.one-we_can-help_you;.oops;.osiris;.otherinformation;.paytounlock;.powerfulldecrypt;.powned;.pr0lock;.prolock;.prosperous666;.pwnd;.ransom;.readme2unlock;.righ;.roger;.ryk;.satan;.savethequeen;.sigaint.org;.skjdthghh;.skynet;.snatch;.stubbin;.supported2017;.suppose666;.theworldisyours;.txd0t;.warn_wallet;.weapologize;.weareyourfriends;.weencedufiles;.wowreadfordecryp;.wowwhereismyfiles;.wvtr0;.yourransom;.zzzzz ;.{CRYPTENDBLACKDC};-DECRYPT.txt;000-IF-YOU-WANT-DEC-FILES;000-No-PROBLEM-WE-DEC-FILES;000-PLEASE-READ-WE-HELP;001-READ-FOR-DECRYPT-FILES;1025-7152.exe;:\windows\update_collector.exe;==READ==THIS==PLEASE==;@cock.li;@countermail.com;@firemail.cc;@india.com;@mail.ru;@ukr.net;ASSISTANCE_IN_RECOVERY;ATTENTION!!!.txt;ATTENTION.url;Aescrypt.exe;AllFilesAreLocked;BTC_DECRYPT_FILES;BUYUNLOCKCODE.txt;BUYUNLOCKCODE;BitCryptorFileList.txt;C:\ProgramData\dtb.dat;C:\Programdata\WinMgr;C:\Programdata\clean.bat;C:\Programdata\run.bat;C:\Windows\svchost.exe;CEBER3;CHECK-IT-HELP-FILES;COME_RIPRISTINARE_I_FILE.;COMO_ABRIR_ARQUIVOS.txt;COMO_RESTAURAR_ARCHIVOS;Coin.Locker.txt;Comment débloquer mes fichiers.txt;Como descriptografar seus arquivos.txt;Corona-virus-Map;Corona.bat;Corona.sfx;CryptoRansomware;Crytp0l0cker;Cyber SpLiTTer Vbs.exe;Cyborg_DECRYPT;DALE_FILES.TXT;DECRYPT-FILES;DECRYPTION INSTRUCTIONS.;DECRYPTION_HOWTO.Notepad;DECRYPT_INFORMATION;DECRYPT_INSTRUCTION.HTML;DECRYPT_INSTRUCTION.URL;DECRYPT_INSTRUCTIONS.html;DECRYPT_INSTRUCTIONS;DECRYPT_ReadMe1.TXT;DECRYPT_Readme.TXT.ReadMe;DECRYPT_YOUR_FILES;DESIFROVANI_POKYNY.html;Decrypt All Files;DecryptAllFiles;DecryptFile;Decrypt_readme.txt;DesktopOsiris;ENTSCHLUSSELN_HINWEISE.html;EdgeLocker;FILESAREGONE.txt;FILES_BACK.txt;File Decrypt Help.html;GJENOPPRETTING_AV_FILER;GetYouFiles.txt;HAPPEN-ENCED-FILES;HELLOTHERE.TXT;HELP-ME-ENCED-FILES;HELPDECRYPT_YOUR_FILES.HTML;HELP_DECRYPT.HTML;HELP_DECRYPT.PNG;HELP_DECRYPT.URL;HELP_DECRYPT.lnk;HELP_ME_PLEASE.txt;HELP_RESTORE_FILES_;HELP_TO_SAVE_FILES.bmp;HELP_TO_SAVE_FILES;HELP_YOURFILES.HTML;HELP_YOUR_FILES.PNG;HELP_YOUR_FILES.html;HELP_YOUR_FILES;HOW-TO-DECRYPT-FILES.HTML;HOW-TO-RESTORE-FILES;HOW TO BACK YOUR FILES;HOW TO DECRYPT FILES.HTML;HOW TO DECRYPT FILES.txt;HOW TO RECOVER;HOWTO_RECOVER_FILES_;HOWTO_RESTORE_FILES;HOWTO_RESTORE_FILES_;HOW_DECRYPT.HTML;HOW_DECRYPT.TXT;HOW_DECRYPT.URL;HOW_OPEN_FILES;HOW_TO_DECRYPT.HTML;HOW_TO_DECRYPT_;HOW_TO_PAY_THE_RANSOM;HOW_TO_RESTORE_FILES.html;HOW_TO_RESTORE_FILES;HOW_TO_RESTORE_YOUR_DATA;HOW_TO_UNLOCK_FILES_README_;HWID Lock.exe;Hacked_Read_me_to_decrypt_files.html;Help Decrypt.html;How decrypt files.hta;How to decrypt LeChiffre files.html;How to decrypt your data.txt;HowDecrypt.gif;HowDecrypt.txt;How_to_decrypt_your_files.jpg;How_to_restore_files.hta;HowtoRestore_File;HowtoRestore_Files;Howto_RESTORE_FILES.html;Howto_Restore_FILES.TXT;IAMREADYTOPAY.TXT;IF-YOU-WANT-DEC-FILES;IF_WANT_FILES_BACK_PLS_READ.html;IHAVEYOURSECRET.KEY;IMPORTANT READ ME.txt;IMPORTANT.README;INSTALL_TOR.URL;INSTRUCCIONES;INSTRUCCIONES_DESCIFRADO.html;INSTRUCTION RESTORE FILE;INSTRUCTIONS_DE_DECRYPTAGE.html;INSTUCCIONES_DESCRIFRADO;ISTRUZIONI_DECRITTAZIONE.html;Important!.txt;Instructionaga.txt;KryptoLocker_README.txt;LEER_INMEDIATAMENTE;LET-ME-TRY-DEC-FILES;Locked-by-Mafia;MENSAGEM.txt;MERRY_I_LOVE_YOU_BRUCE.hta;No-PROBLEM-WE-DEC-FILES;OKSOWATHAPPENDTOYOURFILES.TXT;ONTSLEUTELINGS_INSTRUCTIES.html;OSIRIS-;PAYLOADBIN;PINGY@INDIA.COM;PLEASE-READ-WE-HELP.;PLEASE-READIT-IF_YOU-WANT.html;PLEASE-READIT-IF_YOU-WANT;PLEASE-README-AFFECTED-FILES;PLS-DEC-MY-FILES;PURELOCKER;Payment_Instructions.jpg;Please Read Me!!!;READ-FOR-DECCCC-FILESSS;READ-FOR-DECRYPT-FILES;READ-READ-READ;READ IF YOU WANT YOUR FILES BACK.html;READ ME FOR DECRYPT.txt;README HOW TO DECRYPT YOUR FILES.HTML;README!!!;README_DECRYPT_HYDRA_ID_;README_DECRYPT_HYRDA_ID_;README_DECRYPT_UMBRE_ID_;README_DONT_DELETE;README_HOW_TO_UNLOCK.HTML;README_HOW_TO_UNLOCK.TXT;README_RECOVER_FILES_;README_TO_RECURE_YOUR_FILES;READTHISNOW!!!.txt;READ_IT.txt;READ_ME_!.txt;READ_ME_TO_DECRYPT_YOU_INFORMA;READ_THIS_TO_DECRYPT.html;RECOVER-FILES;RECOVERY_FILE.;RECOVERY_FILES.TXT;RECOVER_MY_FILE;RESTORE_CORUPTED_FILES;RESTORE_FILES_;RETURN FILES.txt;RETURN YOUR FILES;RETURNFILES_.txt;RETURN_FILES.txt;RETURN_FILES_.txt;Rans0m_N0te_Read_ME;Read Me (How Decrypt) !!!!.txt;ReadDecryptFilesHere;Read_this_file.txt;Receipt.exe;RecoveryManual.html;Recovery_File_;Recovery_file_;Rooster865qq;SECRET.KEY;SECRETIDHERE.KEY;SHTODELATVAM.txt;SIFRE_COZME_TALIMATI.html;SORRY-FOR-FILES;Survey Locker.exe;TRY-READ-ME-TO-DEC;Temp\satan\satan;ThxForYurTyme;UNLOCK_FILES_INSTRUCTIONS.html;UNLOCK_FILES_INSTRUCTIONS.txt;UnblockFiles.vbs;VIP72.exe;Vape Launcher.exe;WANT_FILES_BACK;WE-MUST-DEC-FILES;WHERE-YOUR-FILES;WORMKILLER@INDIA.COM.XTBL;What happen to my files.txt;Whereisyourfiles;WindowsApplication1.exe;YOUGOTHACKED.TXT;YOUR_FILES.txt;YOUR_FILES.url;YOUR_FILES_ARE_DEAD;YOUR_FILES_ARE_ENCRYPTED.HTML;YOUR_FILES_ARE_ENCRYPTED.TXT;YOUR_FILES_ARE_LOCKED.txt;Your files are locked !!!!.txt;Your files are locked !!!.txt;Your files are locked !!.txt;Your files are locked !.txt;Your files encrypted by our friends !!! txt;Your files encrypted by our friends !!!.txt;[KASISKI];_Adatok_visszaallitasahoz_utasitasok;_DECRYPT_ASSISTANCE_;_DECRYPT_INFO_;_DECRYPT_INFO_szesnl;_DEC_FILES.;_FILES_WERE_ENCRYPTED_@.TXT;_HELP_HELP_HELP_;_HELP_Recover_Files_;_HELP_instructions.bmp;_HELP_instructions.txt;_HOWDO_text.bmp;_HOWDO_text.html;_HOW_TO_Decrypt;_H_e_l_p_RECOVER_INSTRUCTIONS+;_H_e_l_p_RECOVER_INSTRUCTIONS;_Locky_recover;_Locky_recover_instructions.bmp;_Locky_recover_instructions.txt;_README.hta;_README.jpg;_READ_ME!;_RECOVER_INSTRUCTIONS;_ReCoVeRy_+;_USE_TO_FIX_;_WHAT_is.html;_help_instruct;_how_recover.txt;_how_recover;_how_recover_;_recover_;_secret_code.txt;_steaveiwalker@india.com_;aeroware;confirmation.key;contains(to_string($message.file_created), "howrecover+;crjoker.html;cryptinfo.txt;cryptolocker.;cryptopp;de_crypt_readme.;de_crypt_readme.bmp;de_crypt_readme.html;de_crypt_readme.txt;decipher_ne;decrypt-instruct;decrypt explanations.;decrypt my file;decrypt your file;decrypt_Globe;decrypt_instruct;decrypted_files.dat;decryptional;decryptmyfiles;decypt_your_files.html;default32643264.bmp;default432643264.jpg;email-salazar_slytherin10;enc_files.txt;encryptor_raas_readme_liesmich;enigma.hta;enigma_encr.txt;exit.hhr.obleep;fattura_;file0locked;files_are_encrypted.;-filesencrypted;firemail.cc;firstransomware.exe;gmx.de;hacks.at.sigaint.org;help-file-decrypt.enc;help_decrypt;help_file_;help_instructions.;help_my_files;help_recover;help_recover_instructions;help_restore;help_restore_files;help_your_file;helpmeencedfiles;how to decrypt aes files.lnk;how to decrypt;how to get data.txt;how_decrypt.gif;how_recover;how_to_decrypt;how_to_recover;howrecover+ recoveryfile_;howrecover+;howto_recover_file;howto_restore;howtodecrypt;howtodecryptaesfiles.txt;inbox.ru;info@kraken.cc_worldcza@email.cz;install_tor;iran.ir;last_chance.txt;maestro@pizzacrypts.info;maxcrypt.bmp;only-we_can-help_you;openforyou@india.com;opensourcemail.org;padcrypt;paycrypt.bmp;popcorn_time.exe;powerfulldecrypt;protonmail.ch;qbmail.biz;randomname;readme_decrypt;readme_for_decrypt;readme_liesmich_encryptor_raas;recover_file;recover_file_;recover_instruction;recoverfile;recoverfile_;recovery+;recovery_file.txt;recovery_key.txt;recoveryfile;recover}-;restore_files.txt;restorefiles;restorefiles_;ryukreadme.html;tuta.io;tutanota.com;tutanota.de;unCrypte;vault.hta;vault.key;vault.txt;want your files back.;warning-!!;wie_zum_Wiederherstellen_von_Dateien.txt;wowreadfordecryp;wowwhereismyfiles;zXz.html;zycrypt.;zzzzzzzzzzzzzzzzzyyy</TargetFilename>
+			</Rule>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="contains">crackmapexec</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._AES.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._DES.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Hash._SHA256.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Random.OSRNG.winrandom.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Util.strxor.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\crackmapexec.exe.manifest</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\greenlet.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=KeeFarce.exe default injected DLL name,Risk=100" condition="end with">BootStrapDLL.dll</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=MegaCortex Ransomware,Risk=100" condition="begin with">C:\windows\temp\wininit.exe</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Mimikatz Files" condition="contains any">lazycat;powerkatz;mimikatz;mimidrv;mimilove;mimilib;mimikittenz;mimiauth;invoke-mimi</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=RDP Wrapper,Risk=100" condition="end with">rdpwrap.dll</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=winspool.drv dropped" condition="end with">winspool.drv</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
+			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
+			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
+			<Image name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="begin with">C:\WINDOWS\system32\wbem\scrcons.exe</Image>
+			<!--MITRE ATT&CK TACTIC: Persistence-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<TargetFilename name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,Level=3,Alert=Autorun Folder Entries" condition="contains">\Programs\Startup\</TargetFilename>
+			<TargetFilename name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,Level=3,Alert=Autorun Folder Entries" condition="contains">\Startup\</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
+			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Office Application Startup modification" condition="contains">\Word\STARTUP\</TargetFilename>
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Office Application Startup modification" condition="contains">\Microsoft\Templates\</TargetFilename>
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Office Application Startup modification" condition="contains">\Excel\XLSTART\</TargetFilename>
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence" condition="end with">.dotm</TargetFilename>
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence" condition="end with">.XLSB</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
+			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=3,Alert=HAFNIUM APT: IIS Creating ASPX files outside of wwwwroot,Risk=80" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.aspx</TargetFilename>
+				<TargetFilename condition="excludes">\wwwroot\aspnet_client\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=HAFNIUM APT: IIS Creating PHP files,Risk=80" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.php</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=HAFNIUM APT: IIS Creating AAA files,Risk=80" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.aaa</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=3,Alert=HAFNIUM Web Shells Dropped,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains any">\wwwroot\aspnet_client\</TargetFilename>
+				<TargetFilename condition="contains any">.aspx;.php</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=Files dropped in wwwroot directory,Risk=40" groupRelation="and">
+				<TargetFilename condition="contains any">\wwwroot\</TargetFilename>
+				<TargetFilename condition="excludes any">\wwwroot\aspnet_client\;jpg</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=ASP Files dropped outside wwwroot directory" groupRelation="and">
+				<TargetFilename condition="end with">.asp</TargetFilename>
+				<TargetFilename condition="excludes any">\wwwroot\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=ASPX Files dropped outside wwwroot directory" groupRelation="and">
+				<TargetFilename condition="end with">.aspx</TargetFilename>
+				<TargetFilename condition="excludes any">\wwwroot\</TargetFilename>
+			</Rule>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ecp\auth\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\oab\auth\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">ClientAccess\Owa\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\owa\auth\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">httpproxy\rpc\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">ClientAccess\ecp\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\htdocs\</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=Printer Exploitation Detected,Risk=20" groupRelation="and">
+				<TargetFilename condition="end with">.SPL</TargetFilename>
+				<Image condition="excludes any">spoolsv.exe;printfilterpipelinesvc.exe;printisolationhost.exe;splwow64.exe;msiexec.exe;poqexec.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=Printer Spooler Created exe file,Risk=40" groupRelation="and">
+				<Image condition="image">spoolsv.exe</Image>
+				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="excludes">C\:\Windows\System32\spool\;C\:\Windows\Temp\;C\:\Users\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=InstallerFileTakeOver,Risk=80,CVE=CVE-2021-41379" groupRelation="and">
+				<Image condition="image">msiexec.exe</Image>
+				<TargetFilename condition="contains">\Microsoft\Edge\Application</TargetFilename>
+				<TargetFilename condition="end with">elevation_service.exe</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
+			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\LocalState\rootfs\</TargetFilename>
+
+			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="or">
+				<TargetFilename condition="begin with">C:\PerfLogs\</TargetFilename> 
+				<TargetFilename condition="begin with">C:\Temp\</TargetFilename> 
+				<TargetFilename condition="begin with">C:\Users\Default\</TargetFilename> 
+				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename> 
+				<TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename> 
+				<TargetFilename condition="contains">\AppData\Temp\</TargetFilename>
+				<Image condition="excludes">C:\WINDOWS\system32\dxgiadaptercache.exe</Image>
+			</Rule>
+			<TargetFilename condition="contains" name="Level=0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
+			<Image condition="contains" name="Level=0,Desc=Files Created from">$Recycle.Bin</Image>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Files Created within System Profile" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
+				<TargetFilename condition="contains">\config\systemprofile\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Files Created from System Profile executable" groupRelation="and">
+				<Image condition="begin with">C:\Windows\</Image>
+				<Image condition="contains">\config\systemprofile\</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
+			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
+			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
+			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
+			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Compiled HTML File-->
+			<TargetFilename name="Attack=T1223,Technique=Compiled HTML File,Tactic=Defense Evasion" condition="end with">.chm</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
+			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
+			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion" condition="end with">proj</TargetFilename>
+			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion" condition="end with">.sln</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
+			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
+
+			<!--MITRE ATT&CK TACTIC: Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
+			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
+			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
+			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
+
+			<!--MITRE ATT&CK TACTIC: Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
+			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+
+			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
+			<Rule name="Attack=T1203,Technique=Exploitation of Remote Services,Tactic=Lateral Movement,Level=4,Alert=Exchange Exploitation UM Service File Creation,Risk=80,CVE=CVE-2021-26858" groupRelation="and">
+				<Image condition="contains any">UMWorkerProcess.exe;UMService.exe</Image>
+				<TargetFilename condition="contains any">.</TargetFilename>
+				<TargetFilename condition="excludes any">.log;.cfg;.txt;cleanup;.HealthCheck;\wp.active;.db</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+
+			<!--MITRE ATT&CK TACTIC: Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.7z</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.7zip</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.arj</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.s7z</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=.A Archive" condition="end with">.a</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ACE Archive" condition="end with">.ace</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=AR Archive" condition="end with">.ar</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ARC Archive" condition="end with">.arc</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=BIN" condition="end with">.bin</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=CAB Archive" condition="end with">.cab</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=Game PAK Archive" condition="end with">.pak</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=Gzip Archive" condition="end with">.gz</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=IMG Archive" condition="end with">.img</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ISO Archive" condition="end with">.iso</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=LZM Archive" condition="end with">.lzm</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=LZMA Archive" condition="end with">.lzma</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Temp\Rar$</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=RAR Archive" condition="end with">.rar</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">RarSFX</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=SFX Archive" condition="end with">.sfx</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=SZ Archive" condition="end with">.sz</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=TAR Archive" condition="end with">.tar</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=TAR.GZ Archive" condition="end with">.tar.gz</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=XZ Archive" condition="end with">.xz</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ZIP Archive" condition="end with">.zip</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
+			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .OST Created,Risk=30" condition="end with">.ost</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.eml</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.msg</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.pst</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
+
+			<!--MITRE ATT&CK TACTIC: Command and Control-->
+			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=Cyrillic Letter obfuscation,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains any">Г;И;К;П;д;и;к;л;л;н;н;о;ф;ե;թ;յ;ն;ն;ն;ն;տ;ւ;ք</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
+			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
+			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created by Teamviewer" condition="is">Teamviewer.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">rundll32.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created with Remote Desktop Client" condition="is">mstsc.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">cmd.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">ipy.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">WScript.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with cscript.exe,Risk=30" condition="is">cscript.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with mshta.exe,Risk=100" condition="is">mshta.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with python.exe,Risk=30" condition="is">python.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with wmic.exe,Risk=30" condition="is">wmic.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
+			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
+			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
+			<!--MITRE ATT&CK TECHNIQUE: Proxy: Multi-hop Proxy-->
+			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Hidden Service,Risk=100" condition="contains">HiddenService</TargetFilename>
+			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Files,Risk=100" condition="end with">torrc</TargetFilename> 
+			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Files,Risk=100" condition="contains">\tor.exe</TargetFilename> 
+			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Files,Risk=100" condition="contains">tor-gencert</TargetFilename> 
+			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
+
+			<!--MITRE ATT&CK TACTIC: Exfiltration-->
+
+			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Possible rclone Exfiltration,Risk=30" condition="contains">rclone</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Possible s3browser Exfiltration,Risk=30" condition="contains">s3browser</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Browser Credential exfiltration,Risk=30" condition="contains">grabff.exe</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Browser Credential exfiltration,Risk=30" condition="contains">grabff.exe</TargetFilename>
+			<!--MITRE ATT&CK TACTIC: Impact-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Snatch Ransomware Detected,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains all">RESTORE_;_FILES.txt</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Snatch2 Ransomware Detected,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains all">DECRYPT_;_FILES.txt</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Nanocore Detected,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains any">\run.dat;\task.dat;\storage.dat</TargetFilename>
+				<TargetFilename condition="contains">AppData</TargetFilename>
+				<TargetFilename condition="excludes any">Symantec</TargetFilename>
+				<TargetFilename condition="excludes any">BlueJeans</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=RagnarLocker Virtualbox files: susceptible to FP,Risk=40" groupRelation="and">
+				<TargetFilename condition="contains any">VBoxRT.dll;VboxC.dll</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
+			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
+			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
+			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
+			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
+			<!--UEBA Detections-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
+				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="contains any">MSForms.exd</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename> 
+				<TargetFilename condition="begin with">C:\windows\system32\</TargetFilename> 
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename> 
+				<TargetFilename condition="begin with">C:\windows\</TargetFilename> 
+				<TargetFilename condition="excludes">\system32\</TargetFilename> 
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
+				<TargetFilename condition="excludes">C:\windows\</TargetFilename> 
+				<TargetFilename condition="excludes">C:\Users\</TargetFilename> 
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
+				<TargetFilename condition="begin with">C:\Users\</TargetFilename> 
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="contains">\Microsoft\Word\Startup\</TargetFilename>
+				<TargetFilename condition="end with">.wll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="begin with">C:\windows\system32\CodeIntegrity\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="contains">\Microsoft\Excel\Startup\</TargetFilename>
+				<TargetFilename condition="end with">.xll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="end with">\Microsoft\Outlook\VbaProject.OTM</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="contains">\Microsoft\Addins\</TargetFilename>
+				<TargetFilename condition="contains any">.xla</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="end with">.vsto</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="end with">.bat</TargetFilename>
+				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
+				<Image condition="excludes any">C:\ProgramData\Lenovo\SystemUpdate\sessionSE\</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="end with">.dll</TargetFilename>
+				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="end with">.sys</TargetFilename>
+				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
+				<TargetFilename condition="excludes any">C:\Windows\System32\;C:\windows\syswow64\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="begin with">C:\Windows\SysWow64\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="end with">.theme</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="contains">\Packages\oice_</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="image">VirtualboxVM.exe</Image>
+			</Rule>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">notepad++.exe</Image>
+			<TargetFilename name="Attack=T1023,Technique=Shortcut Modification,Tactic=Persistence,Level=4,Alert=Potential LNK Malware File Downloaded">.lnk:Zone.Identifier</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\cscript.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\mshta.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\msiexec.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\regsvr32.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\rundll32.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\svchost.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wmic.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wscript.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\regsvr32.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Winrm Host Process" condition="end with">\UsageLogs\wsmprovhost.exe.log</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Link">.lnk</TargetFilename>
+			<TargetFilename name="Level=0,Desc=URL">.url</TargetFilename>
+			<!--Drivers dropped-->
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sys</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.inf</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\System32\Drivers</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Drivers\</TargetFilename>
+			<TargetFilename condition="end with">.drv</TargetFilename> 
+			<!--Microsoft Office File Monitoring-->
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlam</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlsm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xla</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xll</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xls</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlsb</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlsx</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlt</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xltm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlw</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Microsoft\Templates\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.eml</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.msg</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.potm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sldm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Microsoft\Office\Recent</TargetFilename>
+			<TargetFilename name="Forensic=Recent Office History" condition="contains">oleObject</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Downloads\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Content.Outlook\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.docb</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.wbk</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ped</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.dot</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.dotx</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.doc</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.docm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.docx</TargetFilename>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
+				<TargetFilename condition="end with">.accdb</TargetFilename>
+				<TargetFilename condition="end with">.accde</TargetFilename>
+				<TargetFilename condition="end with">.accdr</TargetFilename>
+				<TargetFilename condition="end with">.accdt</TargetFilename>
+				<TargetFilename condition="end with">.mdb</TargetFilename>
+				<TargetFilename condition="end with">.mde</TargetFilename>
+				<TargetFilename condition="end with">.msc</TargetFilename>
+				<TargetFilename condition="end with">.mst</TargetFilename>
+				<TargetFilename condition="end with">.potx</TargetFilename>
+				<TargetFilename condition="end with">.ppam</TargetFilename>
+				<TargetFilename condition="end with">.ppsm</TargetFilename>
+				<TargetFilename condition="end with">.ppsx</TargetFilename>
+				<TargetFilename condition="end with">.ppt</TargetFilename>
+				<TargetFilename condition="end with">.pptm</TargetFilename>
+				<TargetFilename condition="end with">.pptx</TargetFilename>
+				<TargetFilename condition="end with">.pub</TargetFilename>
+				<TargetFilename condition="end with">.sldm</TargetFilename>
+				<TargetFilename condition="end with">.sldx</TargetFilename>
+				<TargetFilename condition="end with">.xls</TargetFilename>
+				<TargetFilename condition="end with">.xps</TargetFilename>
+			</Rule>
+			<!--SECTION: Certificates -->
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
+				<TargetFilename condition="end with">.pem</TargetFilename>
+				<TargetFilename condition="end with">.crt</TargetFilename>
+				<TargetFilename condition="end with">.ca-bundle</TargetFilename>
+				<TargetFilename condition="end with">.cer</TargetFilename>
+				<TargetFilename condition="end with">.csr</TargetFilename>
+				<TargetFilename condition="end with">.der</TargetFilename>
+				<TargetFilename condition="end with">.p7b</TargetFilename>
+				<TargetFilename condition="end with">.p7r</TargetFilename>
+				<TargetFilename condition="end with">.p7s</TargetFilename>
+				<TargetFilename condition="end with">.pfx</TargetFilename>
+				<TargetFilename condition="end with">.sto</TargetFilename>
+				<TargetFilename condition="end with">.p12</TargetFilename>
+				<TargetFilename condition="end with">.crl</TargetFilename>
+				<TargetFilename condition="end with">.sst</TargetFilename>
+				<TargetFilename condition="end with">.key</TargetFilename>
+			</Rule>
+			<!-- side loading -->
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
+				<TargetFilename condition="end with">.hlp</TargetFilename>
+				<TargetFilename condition="end with">ACLUI.DLL.UI</TargetFilename>
+				<TargetFilename condition="end with">ACLUI.DLL</TargetFilename>
+				<TargetFilename condition="end with">AFLogVw.exe</TargetFilename>
+				<TargetFilename condition="end with">AShld.exe</TargetFilename>
+				<TargetFilename condition="end with">AShldRes.DLL.asr</TargetFilename>
+				<TargetFilename condition="end with">AShldRes.DLL</TargetFilename>
+				<TargetFilename condition="end with">AhnI2.dll</TargetFilename>
+				<TargetFilename condition="end with">CamMute.exe</TargetFilename>
+				<TargetFilename condition="end with">CommFunc.dll</TargetFilename>
+				<TargetFilename condition="end with">CommFunc.jax</TargetFilename>
+				<TargetFilename condition="end with">DESqmWrapper.dll</TargetFilename>
+				<TargetFilename condition="end with">DESqmWrapper.wrapper</TargetFilename>
+				<TargetFilename condition="end with">FSPMAPI.dll.fsp</TargetFilename>
+				<TargetFilename condition="end with">FSPMAPI.dll</TargetFilename>
+				<TargetFilename condition="end with">Gadget.exe</TargetFilename>
+				<TargetFilename condition="end with">LoLTWLauncher.exe</TargetFilename>
+				<TargetFilename condition="end with">Mc.exe</TargetFilename>
+				<TargetFilename condition="end with">McUtil.dll.ping</TargetFilename>
+				<TargetFilename condition="end with">McUtil.dll.url</TargetFilename>
+				<TargetFilename condition="end with">McUtil.dll</TargetFilename>
+				<TargetFilename condition="end with">MpSvc.dll</TargetFilename>
+				<TargetFilename condition="end with">MsMpEng.exe</TargetFilename>
+				<TargetFilename condition="end with">NtUserEx.dat</TargetFilename>
+				<TargetFilename condition="end with">NtUserEx.dat</TargetFilename>
+				<TargetFilename condition="end with">NtUserEx.dll</TargetFilename>
+				<TargetFilename condition="end with">NtUserEx.dll</TargetFilename>
+				<TargetFilename condition="end with">NvSmart.exe</TargetFilename>
+				<TargetFilename condition="end with">NvSmartMax.dll</TargetFilename>
+				<TargetFilename condition="end with">NvSmartMax.dll</TargetFilename>
+				<TargetFilename condition="end with">NvSmartMaxapp.dll</TargetFilename>
+				<TargetFilename condition="end with">OInfo11.ISO</TargetFilename>
+				<TargetFilename condition="end with">OInfo11.ocx</TargetFilename>
+				<TargetFilename condition="end with">OInfoP11.exe</TargetFilename>
+				<TargetFilename condition="end with">OleView.exe</TargetFilename>
+				<TargetFilename condition="end with">OleView.exe</TargetFilename>
+				<TargetFilename condition="end with">POETWLauncher.exe</TargetFilename>
+				<TargetFilename condition="end with">RasTls.dll.config</TargetFilename>
+				<TargetFilename condition="end with">RasTls.dll.msc</TargetFilename>
+				<TargetFilename condition="end with">RasTls.dll</TargetFilename>
+				<TargetFilename condition="end with">RasTls.exe</TargetFilename>
+				<TargetFilename condition="end with">RunHelp.exe</TargetFilename>
+				<TargetFilename condition="end with">Sidebar.dll.doc</TargetFilename>
+				<TargetFilename condition="end with">Sidebar.dll</TargetFilename>
+				<TargetFilename condition="end with">Ushata.dll</TargetFilename>
+				<TargetFilename condition="end with">Ushata.exe</TargetFilename>
+				<TargetFilename condition="end with">Ushata.fox</TargetFilename>
+				<TargetFilename condition="end with">VeetlePlayer.exe</TargetFilename>
+				<TargetFilename condition="end with">boot.ldr</TargetFilename>
+				<TargetFilename condition="end with">chrome_frame_helper.dll.rom</TargetFilename>
+				<TargetFilename condition="end with">chrome_frame_helper.dll</TargetFilename>
+				<TargetFilename condition="end with">chrome_frame_helper.exe</TargetFilename>
+				<TargetFilename condition="end with">dvcemumanager.exe</TargetFilename>
+				<TargetFilename condition="end with">fsguidll.exe</TargetFilename>
+				<TargetFilename condition="end with">fslapi.dll.gui</TargetFilename>
+				<TargetFilename condition="end with">fslapi.dll</TargetFilename>
+				<TargetFilename condition="end with">fsstm.exe</TargetFilename>
+				<TargetFilename condition="end with">hccutils.dll.res</TargetFilename>
+				<TargetFilename condition="end with">hccutils.dll</TargetFilename>
+				<TargetFilename condition="end with">hha.dll.bak</TargetFilename>
+				<TargetFilename condition="end with">hha.dll</TargetFilename>
+				<TargetFilename condition="end with">hhc.exe</TargetFilename>
+				<TargetFilename condition="end with">hkcmd.exe</TargetFilename>
+				<TargetFilename condition="end with">iviewers.dll</TargetFilename>
+				<TargetFilename condition="end with">jli.dll</TargetFilename>
+				<TargetFilename condition="end with">libvlc.dll</TargetFilename>
+				<TargetFilename condition="end with">mPclient.dll</TargetFilename>
+				<TargetFilename condition="end with">mcf.ep</TargetFilename>
+				<TargetFilename condition="end with">mcf.exe</TargetFilename>
+				<TargetFilename condition="end with">mcupdui.exe</TargetFilename>
+				<TargetFilename condition="end with">mcut.exe</TargetFilename>
+				<TargetFilename condition="end with">mcutil.dll.bbc</TargetFilename>
+				<TargetFilename condition="end with">mcvsmap.exe</TargetFilename>
+				<TargetFilename condition="end with">msi.dll.dat</TargetFilename>
+				<TargetFilename condition="end with">msi.dll</TargetFilename>
+				<TargetFilename condition="end with">msseces.asm</TargetFilename>
+				<TargetFilename condition="end with">msseces.exe</TargetFilename>
+				<TargetFilename condition="end with">mtcReport.ktc</TargetFilename>
+				<TargetFilename condition="end with">rc.dll</TargetFilename>
+				<TargetFilename condition="end with">rc.exe</TargetFilename>
+				<TargetFilename condition="end with">rc.hlp</TargetFilename>
+				<TargetFilename condition="end with">sep_NE.exe</TargetFilename>
+				<TargetFilename condition="end with">sep_NE.slf</TargetFilename>
+				<TargetFilename condition="end with">tplcdclr.exe</TargetFilename>
+				<TargetFilename condition="end with">winmm.dll</TargetFilename>
+				<TargetFilename condition="end with">wts.chm</TargetFilename>
+				<TargetFilename condition="end with">credwiz.exe</TargetFilename>
+			</Rule>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">ssMUIDLL.dll</TargetFilename>
+			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">aepic.dll</TargetFilename>
+			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">ftllib.dll</TargetFilename>
+			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">userenv.dll</TargetFilename>
+			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP Bitmap Cache" condition="contains">\Terminal Server Client\Cache\</TargetFilename>
+			<TargetFilename name="Attack=T1204,Technique=User Execution,Tactic=Execution,Forensic=Windows Prefetch Exec History" condition="begin with">C:\Windows\Prefetch</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">\\tsclient</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\</TargetFilename>
+			<TargetFilename name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=4,Alert=SharpDump bin,Risk=100" condition="end with">\Temp\debug.bin</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Temp\7z</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.chm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.cpl</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">.mht</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.crx</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.appref-ms</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.gadget</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.JSE</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.exe</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.scf</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Exchange Server\ClientAccess\Owa\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">\Device\HarddiskVolumeShadowCopy</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">.zip\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.FON</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.FOT</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.iqy</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ico</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.isp</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.msc</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.manifest</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">MEMORY.dmp</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.msi</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.cs</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.customDestinations-ms</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\Minidump</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.PAF</TargetFilename>
+			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP Bitmap Cache" condition="end with">.bmc</TargetFilename>
+			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP" condition="end with">.rdp</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.rtf</TargetFilename> 
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.reg</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SHS</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.slk</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SCR</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.set</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SettingContent-ms</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SHD</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SPL</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.scr</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">HammerDrillStatus.dll</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft\Windows\WER\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ICL</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sdb</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SCT</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SHB</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Temp\Temp1_</TargetFilename>
+			<!--Uncategorized-->
+			<TargetFilename condition="contains all">\Microsoft\;CLR_v;\UsageLogs\</TargetFilename>
+			<TargetFilename condition="end with">.ade</TargetFilename>
+			<TargetFilename condition="end with">.adp</TargetFilename>
+			<TargetFilename condition="end with">.application</TargetFilename>
+			<TargetFilename condition="end with">.appref-ms</TargetFilename>
+			<TargetFilename condition="end with">.asc</TargetFilename>
+			<TargetFilename condition="end with">.bmf</TargetFilename>
+			<TargetFilename condition="end with">.cer</TargetFilename>
+			<TargetFilename condition="end with">.dmp</TargetFilename>
+			<TargetFilename condition="end with">.gpg</TargetFilename>
+			<TargetFilename condition="end with">.htm</TargetFilename>
+			<TargetFilename condition="end with">.html</TargetFilename>
+			<TargetFilename condition="end with">.json</TargetFilename>
+			<TargetFilename condition="end with">.jsp</TargetFilename>
+			<TargetFilename condition="end with">.key</TargetFilename>
+			<TargetFilename condition="end with">.mof</TargetFilename>
+			<TargetFilename condition="end with">.ocx</TargetFilename>
+			<TargetFilename condition="end with">.p7b</TargetFilename>
+			<TargetFilename condition="end with">.p12</TargetFilename>
+			<TargetFilename condition="end with">.pem</TargetFilename>
+			<TargetFilename condition="end with">.pfx</TargetFilename>
+			<TargetFilename condition="end with">.pgp</TargetFilename>
+			<TargetFilename condition="end with">.php</TargetFilename>
+			<TargetFilename condition="end with">.ppk</TargetFilename>
+			<TargetFilename condition="end with">.war</TargetFilename>
+			<TargetFilename condition="end with">.xml</TargetFilename>
+		</FileCreate>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
+	<RuleGroup name="RG=RegistryEvent Include Group" groupRelation="or">
+		<RegistryEvent onmatch="include">
+			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
+			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
+
+			<!--MITRE ATT&CK TACTIC: Resource Development-->
+			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
+
+			<!--MITRE ATT&CK TACTIC: Initial Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<Rule name="Forensic=RDP Connection History Tracking" groupRelation="and">
+				<TargetObject condition="contains">\Software\Microsoft\Terminal Server Client</TargetObject>
+				<TargetObject condition="excludes">DefaultPrinter</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">MountedDevices</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Mountpoints2</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Active Setup\Installed Components</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\</TargetObject>
+				<TargetObject condition="end with">LoggedOnUser</TargetObject>
+			</Rule>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">LastLoggedOnUser</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">LastLoggedOnProvider</TargetObject>
+			<!--MITRE ATT&CK TACTIC: Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
+			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Suspicious Set Value of MSDT in Registry: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<TargetObject condition="begin with">HKCR\ms-msdt\</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Scripted Diagnostics Turn Off Check Enabled: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
+			<!--MITRE ATT&CK TECHNIQUE: Native API-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: System Services-->
+			<Rule name="Attack=T1543.003,Tactic=Persistence,Technique=Create Windows Service,Level=3,Alert=New SVCHost service,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost</TargetObject>
+				<TargetObject condition="excludes">\print\</TargetObject>
+				<TargetObject condition="excludes">\AzureAttestService\CoInitializeSecurityParam</TargetObject>
+				<Image condition="excludes">C:\$WINDOWS.~BT\</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=VBA Project Object Model Macro Settings,Risk=30" groupRelation="and">
+				<TargetObject condition="end with">\AccessVBOM</TargetObject>
+				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=VBA Project VBA Warnings Macro Setting Change,Risk=40" groupRelation="and">
+				<TargetObject condition="end with">Security\VBAWarnings</TargetObject>
+				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=VBA Project VBA Warnings Macro Setting Change,Risk=40" groupRelation="and">
+				<TargetObject condition="end with">Security\VBAWarnings</TargetObject>
+				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Potential Office Macro Execution Detected" groupRelation="and">
+				<Image condition="contains any">EXCEL.exe;WINWORD.exe</Image>
+				<TargetObject condition="contains any">{8BD21D32-EC42-11CE-9E0D-00AA006002F3};{5B9D8FC8-4A71-101B-97A6-00000B65C08B}</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: User Execution: Malicious File-->
+			<Rule name="Attack=T0000,Level=4,Alert=NJRAT Detection,Risk=100" groupRelation="and">
+				<TargetObject condition="is">HKCU\di</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="contains">HKCU\�</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\AMSI\Providers\</TargetObject>
+				<TargetObject condition="begin with">hklm\software\microsoft\windows script\settings\amsienable</TargetObject>
+				<TargetObject condition="begin with">hkcu\software\microsoft\windows script\settings\amsienable</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
+
+			<!--MITRE ATT&CK TACTIC: Persistence-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="contains">Google\Chrome\Extensions</TargetObject>
+				<TargetObject condition="end with">update_url</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="contains">ForcePasswordReset</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
+				<TargetObject condition="end with">Last Password Change</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
+				<TargetObject condition="end with">Account Expiration</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
+				<TargetObject condition="end with">Last Failed Logon</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\0000022B\</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<TargetObject name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Alert=Process Injection: injecting a 64-bit DLL into a 32-bit process" condition="contains">SOFTWARE\Microsoft\Wow64\x86\</TargetObject> <!-- http://www.hexacorn.com/blog/2019/07/11/beyond-good-ol-run-key-part-108-2/ -->
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Reg Keys,Risk=70" groupRelation="and">
+				<EventType condition="is">SetValue</EventType>
+				<TargetObject condition="contains">\CurrentVersion\Run\</TargetObject>
+				<Image condition="excludes">Add_exclusions_here</Image>
+			</Rule>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Microsoft\System\Scripts</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Windows\System\Scripts</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Command Line parameters" condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=1,Desc=Service Start Mode Changed to: Boot" groupRelation="and">
+				<TargetObject condition="end with">\Start</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=1,Desc=Service Start Mode Changed to: System" groupRelation="and">
+				<TargetObject condition="end with">\Start</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=1,Desc=Service Start Mode Changed to: Automatic" groupRelation="and">
+				<TargetObject condition="end with">\Start</TargetObject>
+				<Details condition="contains">DWORD (0x00000002)</Details>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: Manual" groupRelation="and">
+				<TargetObject condition="end with">\Start</TargetObject>
+				<Details condition="contains">DWORD (0x00000003)</Details>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: Disabled" groupRelation="and">
+				<TargetObject condition="end with">\Start</TargetObject>
+				<Details condition="contains">DWORD (0x00000004)</Details>
+			</Rule>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Services and autoruns imagepath" condition="end with">\ImagePath</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Windows Service DLL changes" condition="end with">\ServiceDll</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Manifest pointing to service's DLL" condition="end with">\ServiceManifest</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hkcu\software\microsoft\windows nt\currentversion\windows\run\</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\common startup</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\startup</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hklm\software\microsoft\command processor\autorun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="contains all">hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="contains">Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Print Processors-->
+			<TargetObject name="Attack=T1013,Technique=Port Monitors,Tactic=Persistence/Privilege Escalation" condition="contains">\Print\Monitors</TargetObject>
+			<!--<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Printers\Connections</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Print\Environments\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Servers\Printers\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Print\V4 Connections</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CurrentVersion\PrinterPorts</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">SWD\PRINTENUM</TargetObject>-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
+			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
+			<Rule name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Level=0,Desc=New user created,Risk=40" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
+				<TargetObject condition="excludes">$</TargetObject>
+				<EventType condition="is">CreateKey</EventType>
+			</Rule>
+			<Rule name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Level=0,Desc=Hidden New user created,Risk=40" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
+				<TargetObject condition="contains">$</TargetObject>
+				<EventType condition="is">CreateKey</EventType>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<Rule name="Level=3,Alert=Sysmon Manifest change detected,Risk=30" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}</TargetObject>
+				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
+				<Image condition="excludes">C:\Programdata\sysmon\sysmon64.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor Endpoint Protocol Handlers" groupRelation="and">
+				<TargetObject condition="begin with">HKCR\</TargetObject>
+				<TargetObject condition="end with">(Default)</TargetObject>
+				<TargetObject condition="excludes">\shell\open\command\(Default)</TargetObject>
+				<Details condition="begin with">URL:</Details>
+			</Rule>
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor User Protocol Handlers" groupRelation="and">
+				<TargetObject condition="begin with">HKCU\Software\Classes\</TargetObject>
+				<TargetObject condition="end with">(Default)</TargetObject>
+				<TargetObject condition="excludes">\shell\open\command\(Default)</TargetObject>
+				<Details condition="begin with">URL:</Details>
+			</Rule>
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor Endpoint File Associations" groupRelation="and">
+				<TargetObject condition="begin with">HKCR\</TargetObject>
+				<TargetObject condition="end with">\shell\open\command\(Default)</TargetObject>
+				<Details condition="contains">%1</Details>
+			</Rule>
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor User Default File Associations" groupRelation="and">
+				<TargetObject condition="begin with">HKCU\Software\Classes\</TargetObject>
+				<TargetObject condition="end with">\shell\open\command\(Default)</TargetObject>
+				<Details condition="contains">%1</Details>
+			</Rule>
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor COM Hijacking" groupRelation="and">
+				<TargetObject condition="end with">\shell\open\command\DelegateExecute</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Accessibility Features-->
+			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,Level=3,Alert=Utilman Priv Escalation,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,Level=3,Alert=sethc.exe Priv Escalation,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Session Manager\KnownDlls</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Outlook Addins" groupRelation="and">
+				<TargetObject condition="contains">Outlook\Addins</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Word Addins" groupRelation="and">
+				<TargetObject condition="contains">Word\Addins</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Excel Addins" groupRelation="and">
+				<TargetObject condition="contains">Excel\Addins</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Powerpoint Addins" groupRelation="and">
+				<TargetObject condition="contains">Powerpoint\Addins</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft VSTO Inclusions" groupRelation="and">
+				<TargetObject condition="contains">Software\Microsoft\VSTO\Security\Inclusion\</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft VSTO Solution Metadata" groupRelation="and">
+				<TargetObject condition="contains">Software\Microsoft\VSTO\SolutionMetadata\</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,Level=0,Desc=CMSTPLUA UAC Bypass" groupRelation="and">
+				<TargetObject condition="contains any">cmmgr32.exe</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="contains">UserInitMprLogonScript</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=BootVerificationProgram Autorun" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Security Support Provider-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<!--Microsoft:Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
+			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,Level=3,Alert=Suspicious Com Object Hijacking Locations,Risk=30" groupRelation="and">
+				<TargetObject condition="contains any">\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)</TargetObject>
+				<Details condition="contains any">C:\Users\Public\;$Recyclebin;\temp\;\Desktop\;\Downloads\;\Content.Outlook\;\Microsoft\Office\</Details>
+				<Details condition="excludes">C:\WINDOWS\SYSTEM32\UpdateDeploy.dll</Details>
+			</Rule>
+			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,Level=1,Desc=Com Object Hijacking Locations,Risk=30" groupRelation="and">
+				<TargetObject condition="contains any">\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)</TargetObject>
+				<Details condition="excludes">C:\WINDOWS\SYSTEM32\UpdateDeploy.dll</Details>
+			</Rule>
+			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,Level=1,Desc=TreatAs/ProgID Friendly Name Com Hijacking Evasion - check for following rundll32 -sta,Risk=30" groupRelation="and">
+				<TargetObject condition="contains any">\ProgID\(Default);\TreatAs\(Default)</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Image File Execution Options Injection-->
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,Level=1,Alert=Image File Execution Options,Risk=30" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject>
+				<TargetObject condition="contains any">Debugger;ReportingMode;MonitorProcess</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,Level=0,Alert=SilentProcessExit Globalflag Set,Risk=75" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject>
+				<TargetObject condition="contains">GlobalFlag</TargetObject>
+				<Details condition="contains">DWORD (0x00000200)</Details> <!--SilentProcessExit Dword Value-->
+			</Rule>
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Alert=SilentProcessExit Process Execution entry,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</TargetObject>
+				<TargetObject condition="contains">MonitorProcess</TargetObject> <!--SilentProcessExit Monitor Process from werfault-->
+			</Rule>
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Alert=SilentProcessExit Reporting Mode Enabled - Check for Child processes of werfault.exe,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</TargetObject>
+				<TargetObject condition="contains">ReportingMode</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details> <!--SilentProcessExit Reporting Mode Enabled-->
+			</Rule>
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Alert=SilentProcessExit Process Added,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit</TargetObject>
+				<EventType condition="is">CreateKey</EventType>
+			</Rule>
+			<Rule name="Attack=T1546,Technique=Event Triggered Execution,Tactic=Persistence,Level=3,Alert=Monitor Runtime Exeption Handler execution on crash,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules\</TargetObject>
+				<Image condition="excludes all">C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{;}\EDGEMITMP_;.tmp\setup.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,Level=3,Alert=New Scheduled Task Created,Risk=80" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
+				<TargetObject condition="end with">SD</TargetObject>
+				<TargetObject condition="excludes any">Microsoft\Windows\UpdateOrchestrator</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
+				<TargetObject condition="end with">ID</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
+				<TargetObject condition="end with">Author</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
+				<TargetObject condition="end with">Path</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
+				<TargetObject condition="end with">Date</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
+			<Rule name="Attack=T0000,Technique=Environment Value Modification,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=Environment Value Modification" groupRelation="and">
+				<EventType condition="is">SetValue</EventType>
+				<TargetObject condition="contains">\Environment\</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism: Bypass User Account Control-->
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,Level=4,Alert=UAC Disablement Detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,Level=4,Alert=ConsentPromptBehaviorAdmin Disablement Detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,Level=4,Alert=PromptOnSecureDesktop Disablement Detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
+			<TargetObject name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe</TargetObject>
+			<TargetObject name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">exefile\shell\runas\command\isolatedCommand</TargetObject>			
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Hidden</TargetObject>
+			<Rule name="Attack=T1564.002,Technique=Hide Artifacts: Hidden Users,Tactic=Defense Evasion,Level=4,Alert=User Account Hidden From Logon Screen,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\</TargetObject>
+				<TargetObject condition="end with">$</TargetObject>
+ 				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
+			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=4,Alert=Stealth Sysmon Change Detected,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters</TargetObject>
+				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
+				<Image condition="excludes">C:\Programdata\sysmon\sysmon64.exe</Image>
+				<!--Customize: Add your configuration dir above-->
+			</Rule>
+			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Modification to System Exploit Protection,Risk=30" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel</TargetObject>
+				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
+			</Rule>
+			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Modification to Per-Process Exploit Protection,Risk=30" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
+				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
+				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmcompute.exe\0\MitigationOptions</TargetObject>
+				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmwp.exe\0\MitigationOptions</TargetObject>
+				<Image condition="excludes">msiexec.exe</Image>
+				<Image condition="excludes">TiWorker.exe</Image>
+			</Rule>
+			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Modification to WOW64 Per-Process Exploit Protection Mitigation Options,Risk=30" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
+				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
+				<Image condition="excludes">C:\Program Files\Microsoft Office 15\root\integration\integrator.exe</Image>
+				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acro</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="end with">DisableTaskMgr</TargetObject>
+				<Image condition="excludes">C:\WINDOWS\system32\svchost.exe</Image>
+				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,Level=4,Alert=Driver Altitude Change Detected - Causes Driver load failure on boot" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\</TargetObject>
+				<TargetObject condition="contains all">\Instances\;Altitude</TargetObject>
+				<TargetObject condition="is not">HKLM\System\CurrentControlSet\Services\CldFlt\Instances\CldFlt\Altitude</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<!--Detect Malware & Unauthorized Changes to Outlook, Excel, Powerpoint, and Access Security to enable execution of scripts/Macros -->
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=All Office Macros Enabled!,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">\Security\Level</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=1,Desc=Notifications for all macros,Risk=50" groupRelation="and">
+				<TargetObject condition="contains">\Security\Level</TargetObject>
+				<Details condition="contains">DWORD (0x00000002)</Details>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=Notifications for digitally signed macros - all other macros disabled,Risk=0" groupRelation="and">
+				<TargetObject condition="contains">\Security\Level</TargetObject>
+				<Details condition="contains">DWORD (0x00000003)</Details>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=All Office Macros Disabled without notification,Risk=0" groupRelation="and">
+				<TargetObject condition="contains">\Security\Level</TargetObject>
+				<Details condition="contains">DWORD (0x00000004)</Details>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="contains">\Outlook\Security</TargetObject>
+				<!--Allow Outlook Details rules to fire-->
+				<TargetObject condition="excludes">\Security\Level</TargetObject>
+			</Rule>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Word\Security</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Excel\Security</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Security\Level1Remove</TargetObject>
+			<!--Detect if Microsoft Security Center is Disabled or Enabled-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\HideSCAHealth</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
+			<!--Detect if Windows Defender is Disabled-->
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPSessionInterval</TargetObject>
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SystemRestorePointCreationFrequency</TargetObject>
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Detected disablement of machine password,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable Windows Event Logging-->
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Windows Event Log Source,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
+				<TargetObject condition="end with">\Enabled</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
+				<TargetObject condition="end with">\Enabled</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
+				<TargetObject condition="excludes">\Enabled</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging</TargetObject>
+				<TargetObject condition="end with">\EnableScriptBlockLogging</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging</TargetObject>
+				<TargetObject condition="end with">\EnableScriptBlockLogging</TargetObject>
+				<EventType condition="is any">DeleteKey;DeleteValue</EventType>
+			</Rule>
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of cmdline Event Logging,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">hklm\software\microsoft\windows\currentversion\policies\system\audit</TargetObject>
+				<TargetObject condition="end with">\ProcessCreationIncludeCmdLine_Enabled</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of cmdline Event Logging,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">hklm\software\microsoft\windows\currentversion\policies\system\audit</TargetObject>
+				<TargetObject condition="end with">\ProcessCreationIncludeCmdLine_Enabled</TargetObject>
+				<EventType condition="is any">DeleteKey;DeleteValue</EventType>
+			</Rule>
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Eventlog Security Descriptor Modification,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\Eventlog</TargetObject>
+				<TargetObject condition="end with">\CustomSD</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=0,Desc=Eventlog Size Modification,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\Eventlog</TargetObject>
+				<TargetObject condition="end with">\MaxSize</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="contains">globallyopenports</TargetObject>
+			</Rule>
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Monitor Firewall Enablement or Disablement" condition="end with">EnableFirewall</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
+
+			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=ETWEnabled Env Tampering,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\.NETFramework\ETWEnabled</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=Usagelog Tampering,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\.NETFramework\NGenAssemblyUsageLog</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=Usagelog Env Tampering,Risk=70" groupRelation="and">
+				<EventType condition="is">SetValue</EventType>
+				<TargetObject condition="contains">\Environment\NGenAssemblyUsageLog</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=COMPlus_ETWEnabled Env Tampering,Risk=70" groupRelation="and">
+				<EventType condition="is">SetValue</EventType>
+				<TargetObject condition="contains">\Environment\COMPlus_ETWEnabled</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
+			<Rule name="Forensic=Regedit history Detection,Risk=30" groupRelation="and">
+				<TargetObject condition="end with">\LastKey</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="contains">SymbolicLinkValue</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer</TargetObject>
+				<Image condition="contains any">\AppData\;\ProgramData\;\Temp\;C:\users</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="contains">&#x202e;</TargetObject>
+			</Rule>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg</TargetObject>
+
+			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="contains any">\Software\Policies\Microsoft\SystemCertificates\;\SOFTWARE\Microsoft\EnterpriseCertificates\;HKLM\SOFTWARE\Microsoft\SystemCertificates\;HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
+				<EventType condition="is not">CreateKey</EventType>
+				<Image condition="excludes">C:\WINDOWS\Sysmon64.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\Sysmon.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\system32\certsrv.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\system32\CompatTelRunner.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\system32\svchost.exe</Image>
+				<Image condition="excludes">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
+				<Image condition="excludes">C:\Windows\system32\SearchProtocolHost.exe</Image>
+				<Image condition="excludes">C:\Windows\system32\taskhost.exe</Image>
+				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\System32\DriverStore\FileRepository\asus</Image>
+				<Image condition="excludes">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image>
+				<Image condition="excludes">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</Image>
+				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe</Image>
+			</Rule>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">fDenyTSConnections</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Terminal Server\WinStations\RDP-Tcp</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">RDP-tcp\PortNumber</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
+			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="contains">&#xfffd;</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="contains any">Й;ќ;Л;я;К</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
+			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
+			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
+			<TargetObject name="Attack=T1109,Technique=Component Firmware,Tactic=Defense Escalation/Persistence,Level=0,Desc=Detect ACPI Rootkits" condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject> <!--Detect ACPI Rootkits -->
+			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
+			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
+			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
+
+			<!--MITRE ATT&CK TACTIC: Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
+			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
+			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
+			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
+			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials: Credentials in Registry-->
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Account Name</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Display Name</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Email</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP User</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP User</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\MAPI Provider</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 User</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP User</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP Password</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP Password</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 Password</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP Password</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Desc=Credentials in Registry,Level=0,Desc=Credentials in Registry: Domain" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Desc=Credentials in Registry,Level=0,Desc=Credentials in Registry: Username" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 1,Risk=70" condition="contains">SecurityPasswordAES</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 2,Risk=70" condition="contains">OptionsPasswordAES</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 3,Risk=70" condition="contains">SecurityPasswordExported</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 4,Risk=70" condition="contains">PermanentPassword</TargetObject>
+			<!--MITRE ATT&CK TACTIC: Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
+			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+
+			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
+
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+
+			<!--MITRE ATT&CK TACTIC: Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
+			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
+			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
+
+			<!--MITRE ATT&CK TACTIC: Command and Control-->
+			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
+			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
+			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\GitForWindows</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
+			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
+			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
+
+			<!--MITRE ATT&CK TACTIC: Exfiltration-->
+
+			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
+			<!--MITRE ATT&CK TACTIC: Impact-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
+			<Rule name="Attack=T1531,Technique=Account Access Removal,Tactic=Impact,Level=1,Desc=User Account Deleted" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
+				<EventType condition="is">DeleteKey</EventType>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
+			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
+			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
+			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
+			<Rule name="Attack=T1485,Technique=Inhibit System Recovery,Tactic=Impact,Level=0,Desc=VSS Disablement Detection,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">\Services\VSS\Diag\(Default)</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
+			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
+			<!-- UEBA/Uncategorized Detections-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters</TargetObject>
+			</Rule>
+			<Rule name="Forensic=Regedit history Detection,Risk=30" groupRelation="and">
+				<TargetObject condition="end with">\LastKey</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="end with">\WinStationsDisabled</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="end with">\TSServerDrainMode</TargetObject>
+			</Rule>
+			<Rule name="Forensic=IE history Detection" groupRelation="and">
+				<TargetObject condition="end with">\TypedURLs</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\disabledcomponents</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Linkage\Bind</TargetObject>
+				<Details condition="excludes">Binary Data</Details>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="contains">services\http\parameters\urlaclinf</TargetObject>
+			</Rule>
+			<Rule name="Forensic=Adobe Recent File List History" groupRelation="and">
+				<TargetObject condition="contains">cRecentFiles\c1\</TargetObject>
+				<TargetObject condition="end with">tDIText</TargetObject>
+			</Rule>
+			<Rule name="Forensic=Office History MRU" groupRelation="and">
+				<TargetObject condition="end with">\File MRU\Item 1</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHash</TargetObject>
+			</Rule>
+			<!--Common Malware Persistence locations-->
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Windows\Load</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Windows\Run</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Winlogon\Shell</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Winlogon\System</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			<TargetObject name="Attack=T1562.006,Technique=Impair Defenses: Indicator Blocking,Tactic=Defense Evasion,Level=0,Desc=ETW Tampering,Risk=70" condition="end with">SOFTWARE\Microsoft\.NETFramework\ETWEnabled</TargetObject>
+			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=2,Alert=AutoRun Keys,Risk=70" condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Policies\System\Shell</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">PreferenceMACs\Default\extensions.settings</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CurrentVersion\URL</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\CurrentVersion\Font Drivers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Active Setup\Installed Components</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">NullSessionShares</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">NullSessionPipes</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">PasswordExpiryNotification</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">SafeBoot\AlternateShell</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Desktop\Scrnsave.exe</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DisplayVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\ModifyPath</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Microsoft\Windows\CurrentVersion\Uninstall\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\UninstallString</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
+			<!--CLSID launch commands and file association changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Explorer\FileExts\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
+			<TargetObject name="Forensic=User SID History for Forensics" condition="end with">\ProfileImagePath</TargetObject><!--Lets Get SID History and other info for Forensics, this is created on logon-->
+			<!--Windows shell hijack-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Hidden</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\HideFileExt</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SharedTaskScheduler</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ColumnHandlers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\CopyHookHandlers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ExtShellFolderViews</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\PropertySheetHandlers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ShellServiceObjects</TargetObject>
+			<!--AppPaths hijacking-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<!--Terminal service boobytraps-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<!--Group Policy interity-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
+			<!--Winsock and Winsock2-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DisableSecuritySettingsCheck</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">SavedLegacySettings</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">EnableConsoleTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">EnableFileTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<!--Credential providers-->
+			<TargetObject name="Attack=T1177,Tactic=Execution/Persistence,Technique=LSASS Driver,Level=3,Alert=Detection of Modification of LSASS Protection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
+			<!--Networking-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
+			<TargetObject name="Forensic=Monitor Network History" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
+			<!--DLLs that get injected into every process launch-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
+			<!--Office-->
+			<!--Microsoft Office-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Office Test\</TargetObject> <!-- [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
+			<!--Removed addins on 11/13/2018 due to high count-->
+			<!--IE-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
+			<!--Magic registry keys-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
+			<!--Infection artifacts-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and component installations-->
+			<!--Windows internals integrity monitoring-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">TamperProtection</TargetObject> <!--Microsoft:Defender: Detect changes to Defender TamperProtection -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
+			<!--Group Policy Scripts-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
+			<!--Detect Network History-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Nameserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DefaultGateway</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">}\Category</TargetObject><!--Networking: Detect Network type change-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Trusted Documents\TrustRecords</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Software\Microsoft\VBA\7.1\Common</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Software\Microsoft\VBA\7.1\Trusted</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Security\DontTrustInstalledFiles</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Security\Trusted Locations</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Security\ProtectedView\DisableInternetFilesInPV</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Security\ProtectedView\DisableAttachmentsInPV</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Security\ProtectedView\DisableUnsafeLocationsInPV</TargetObject>
+			<TargetObject name="Forensic=WinRAR History" condition="contains">Software\WinRAR\ArcHistory</TargetObject>
+			<TargetObject name="Forensic=Winzip History" condition="contains">WinZip\mru\</TargetObject>
+			<TargetObject name="Forensic=Misc Recent File List History" condition="contains">Recent File List</TargetObject>
+			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Inbox</TargetObject>
+			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\Today\UserDefinedUrl</TargetObject>
+			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Calendar Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Calendar</TargetObject>
+			<TargetObject name="Forensic=Office History" condition="contains">\Place MRU</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\LinkDate</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DriverVerVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DriverVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\LowerCaseLongPath</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Publisher</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Compatibility Assistant\Store\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\BinProductVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Root\InventoryApplicationShortcut\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Root\InventoryDriverBinary\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Root\InventoryDeviceContainer\</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="contains">Root\InventoryApplication\</TargetObject>
+				<TargetObject condition="contains any">ProgramID;Name;Version;Publisher;Language;InstallDate;Source;RootDirPath;HiddenArp;UninstallString;RegistryKeyPath;UserSID;sha256</TargetObject>
+			</Rule>			
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="contains">Root\InventoryApplicationFile\</TargetObject>
+				<TargetObject condition="contains any">ProgramId;FileId;LowerCaseLongPath;Name;OriginalFileName;Publisher;Version;binfileversion;LinkDate;Size;Language;USN;IsPeFile;IsOsComponent;sha256;AppxPackageFullName</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="contains">Root\InventoryApplicationAppV\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetObject condition="contains any">Root\InventoryMiscellaneousOfficeAddIn;Root\InventoryMiscellaneousOfficeIdentifiers;Root\InventoryMiscellaneousOfficeIESettings;Root\InventoryMiscellaneousOfficeInsights;Root\InventoryMiscellaneousOfficeProducts;Root\InventoryMiscellaneousOfficeSettings;Root\InventoryMiscellaneousOfficeVBA;Root\InventoryMiscellaneousOfficeVBARuleViolations</TargetObject>
+			</Rule>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Explorer\MountPoints2</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices</TargetObject>
+			<Rule name="Attack=T1489,Technique=Service Stop,Tactic=Impact,Level=1,Desc=Service Set for Deletion" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\DeleteFlag</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<!--Detect User Activity-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\bluetooth</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\contacts</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\hunmanInterfaceDevice</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\location</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\microphone</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\usb\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\webcam</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">LastVisitedMRU</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
+			<TargetObject name="Forensic=Run MRU" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
+			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=4,Alert=Safeboot Service Added" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject> <!--Mitre T1198-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject><!--Mitre T1198-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> 
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\FriendlyName</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
+			<!--Windows application compatibility shims-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
+			<!-- NOTICE: Detect New USB Network Devices: Poison Tap: Creates lots of noise, disabled for now-->
+			<Rule name="Alert=Detect PoisonTap,FP=2,Comment=May be noisy" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
+				<Details condition="contains any">ndis;rndis</Details>
+			</Rule>
+			<TargetObject name="Attack=T1090,Technique=Connection Proxy,Tactic=Defense Evasion,Level=0,Desc=NetSH PortProxy Detected" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4</TargetObject>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Alert=Possible Ursniff Malware Detected,FP=1" groupRelation="and">
+				<TargetObject condition="contains">\Software\AppDataLow\Software\Microsoft\</TargetObject>
+				<Details condition="contains any">.exe;.dll;powershell;wmic</Details>
+			</Rule>
+			<TargetObject name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=4,Alert=Office Persistence Location,Risk=70" condition="end with">Software\Microsoft\Office test\Special\Perf</TargetObject>
+			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\CurrentControlSet\Services\NTDS\LsaDbExtPt</TargetObject>
+			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\Services\NTDS\DirectoryServiceExtPt</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=GoToMyPC File Transfer History,Risk=70" condition="contains">GoToMyPc\FileTransfer\history</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=GoToMyPC Guest Invite,Risk=70" condition="contains">GoToMyPc\GuestInvite</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=LogMeIn File Transfer Recipient" condition="contains">Filesharing</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=LogMeIn Guest Recipient" condition="contains">DesktopSharing</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=Teamviewer LogIncomingConnections Registry Key modification" condition="contains">LogIncomingConnections</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=Teamviewer LogOutgoingConnection Registry Key modification" condition="contains">LogOutgoingConnections</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=Teamviewer Password Registry Key date" condition="contains">PermanentPasswordDate</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=4,Alert=Teamviewer adminrights Key modification,Risk=70" condition="contains">Security_Adminrights</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=3,Alert=VNC Incoming Connection History,Risk=70" condition="contains">vncviewer\MRU</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Autostart Key modification" condition="contains">Autostart_GUI</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Meeting Username Registry Key modification" condition="end with">Meeting_UserName</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Persistence Login Name" condition="end with">BuddyLoginName</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Persistence Token ID modification" condition="end with">BuddyLoginTokenID</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer persistence Key modification" condition="contains">Always_Online</TargetObject>
+			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Potential Ransomware Indicator: EnableLinkedConnections Registry key,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\CurrentVersion\Policies\System\EnableLinkedConnections</TargetObject>
+			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Potential Ransomware Indicator: REvil Sodinokibi Sodin Ransomware,Risk=100" condition="contains">Software\recfg</TargetObject>
+			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Preload\</TargetObject>
+			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Substitutes\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\</TargetObject> 
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Client\Enabled</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Server\Enabled</TargetObject>
+			<TargetObject name="Forensic=Kitty Sessions,Risk=30" condition="contains">Kitty\Sessions</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="Forensic=Putty Sessions,Risk=30" condition="contains">PuTTY\Sessions</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Terminal Server Client\Servers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">WinSCP 2\Sessions</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">WinSCP 2\Sessions</TargetObject>
+		</RegistryEvent>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
+	<!--EVENT 15: "File stream created"-->
+	<RuleGroup name="RG=ADS Include Group" groupRelation="or">
+		<FileCreateStreamHash onmatch="include">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
+				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.vbs;.hta</TargetFilename>
+			</Rule>
+			<Rule name="Level=4,Alert=HTML_Smuggling,Risk=50" groupRelation="and">
+				<TargetFilename condition="end with">:Zone.Identifier</TargetFilename>
+				<Contents condition="contains any">blob:;about:internet</Contents>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=FireEye sunburst file hashes,Risk=100" groupRelation="and">
+				<Hash condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hash><!-- exclude non executable files -->
+			</Rule>
+			<Rule name="Attack=T1096,Technique=Alternate Data Streams,Tactic=Defense Evasion,Level=0,Desc=Alternate Data Streams,Risk=10" groupRelation="and">
+				<TargetFilename condition="contains any">Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonEnte Detection,Level=4,Risk=100" groupRelation="and">
+				<Hash condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hash>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonQuiet Detection,Level=4,Risk=100" groupRelation="and">
+				<Hash condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hash>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SharpEvtMute Detection,Level=4,Risk=100" groupRelation="and">
+				<Hash condition="contains">IMPHASH=330768a4f172e10acb6287b87289d83b</Hash>
+			</Rule>
+		</FileCreateStreamHash>
+	</RuleGroup>
+	<RuleGroup name="RG=ADS Exclude Group" groupRelation="or">
+		<FileCreateStreamHash onmatch="exclude">
+			<Hash condition="contains">IMPHASH=00000000000000000000000000000000</Hash>
+			<TargetFilename condition="contains">AppData\Local\Microsoft\Windows\AppCache\</TargetFilename>
+			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\</TargetFilename>
+			<TargetFilename condition="contains">\Microsoft\Windows\Temporary Internet Files\Content.IE5</TargetFilename> 
+			<TargetFilename condition="contains">\Mozilla\Firefox\Profiles\</TargetFilename>
+			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename>
+			<TargetFilename condition="end with">Microsoft\Windows\Start Menu\Programs\Startup</TargetFilename>
+		</FileCreateStreamHash>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
+	<!--EVENT 16: "Sysmon config state changed"-->
+	<!--COMMENT:	This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16-->
+	<!--DATA: RuleName, UtcTime, Configuration, ConfigurationFileHash-->
+	<!--Cannot be filtered.-->
+
+	<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent]-->
+	<!--EVENT 17: "Pipe Created"-->
+	<!--EVENT 18: "Pipe Connected"-->
+	<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
+	<RuleGroup name="RG=PipeEvent Include Group" groupRelation="or">
+		<PipeEvent onmatch="include">
+			<Rule name="Attack=T1071,Technique=Application Layer Protocol,Tactic=Command and Control,Level=4,Alert=Cobalt Strike named pipe detected,Risk=100" groupRelation="and">
+				<PipeName condition="contains any">msagent_;\MSSE-;postex;\status_</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=NA,Level=4,Alert=Turla Advanced Persistent Threat Named Pipe Detection,Risk=100" groupRelation="and">
+				<PipeName condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
+			</Rule>
+			<Rule name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,Level=4,Alert=lateral movement: psexec named pipe detected" groupRelation="or">
+				<PipeName condition="contains">\PSEXESVC</PipeName>
+				<PipeName condition="end with">-stdin</PipeName>
+				<PipeName condition="end with">-stdout</PipeName>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=MS-SCMR Execution" groupRelation="or">
+				<PipeName condition="contains">\svcctl</PipeName>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=NTSVCS Execution" groupRelation="or">
+				<PipeName condition="contains">\ntsvcs</PipeName>
+			</Rule>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=9f81f59bc58452127884ce513865ed20 Named Pipe Detection,Risk=100" condition="contains">\9f81f59bc58452127884ce513865ed20</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=46a676ab7f179e511e30dd2dc41bd388 Named Pipe Detection,Risk=100" condition="contains">\46a676ab7f179e511e30dd2dc41bd388</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Kekeo Named Pipe Detection,Risk=100" condition="contains">tssmp_endpoint</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=NamePipe_MoreWindows Named Pipe Detection,Risk=100,Risk=100" condition="contains">\NamePipe_MoreWindows</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=WCEServicePipe detected,Risk=100" condition="contains">\WCEServicePipe</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=ahexec Named Pipe Detection,Risk=100" condition="contains">\ahexec</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=cachedump detected,Risk=100" condition="contains">\cachedumppipe</PipeName><!-- Credits @9f81f59bc58452127884ce513865ed20Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=csexec Named Pipe Detection,Risk=100" condition="contains">\csexec</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=e710f28d59aa529d6792ca6ff0ca1b34 Named Pipe Detection,Risk=100" condition="contains">\e710f28d59aa529d6792ca6ff0ca1b34</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_dg2 Named Pipe Detection,Risk=100" condition="contains">\isapi_dg</PipeName><!-- Credits @Cyb3rops & @olafhartong-->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100" condition="contains">\isapi_http</PipeName><!-- Credits @Cyb3rops & @olafhartong-->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100" condition="contains">\isapi_http</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=lsadump detected,Risk=100" condition="contains">\lsadump</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=lsassw Named Pipe Detectio,Risk=10" condition="contains">\lsassw</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=paexec Named Pipe Detection,Risk=100" condition="contains">\paexec</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=pcheap_reuse Named Pipe Detection" condition="contains">\pcheap_reuse</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Covanant C2 Named Pipe Detection" condition="contains">\gruntsvc</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=remcom Named Pipe Detection,Risk=100" condition="contains">\remcom</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=rpchlp_3 Named Pipe Detection,Risk=100" condition="contains">\rpchlp_3</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=sdlrpc Named Pipe Detection,Risk=100" condition="contains">\sdlrpc</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=winsession Named Pipe Detection,Risk=100" condition="contains">\winsession</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+			<PipeName name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,Alert=lateral movement -meterpreter named pipe detected,Risk=100" condition="contains">msf-pipe</PipeName>
+			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\atsvc</PipeName> <!-- useful for lm or exec over atsvc namedpipe -->
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 1" condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\DserNamedPipe;\mypipe-;\windows.update.manager;\ntsvcs_;scerpc_;\demoagent;\PGMessagePipe;\MsFTeWds;\f4c3;\fullduplex_;\msrpc_;\f53f;\rpc_;\spoolss_;\win_svc;\SearchTextHarvester</PipeName>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=EFSPotato Named Pipe Detection" groupRelation="and">
+				<PipeName condition="contains any">\pipe\</PipeName>
+				<PipeName condition="excludes">CtxSharefilepipe0</PipeName>
+			</Rule>
+			<!-- Noisy
+			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\srvsvc</PipeName>
+			-->
+			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\winreg</PipeName> <!-- useful for lateral movement and users enumeration, psloggedon use this technique -->
+			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Anonymous Pipe</PipeName><!--Include Everything else to mark above rules-->
+			<!--Include Everything else to mark above rules-->
+			<!-- Disabled for now
+			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\</PipeName>
+			-->
+		</PipeEvent>
+	</RuleGroup>
+	<RuleGroup name="RG=PipeEvent Exclude Group" groupRelation="or">
+		<PipeEvent onmatch="exclude">
+		<EventType name="Exclude ConnectPipe for noise reduction" condition="is">ConnectPipe</EventType>
+		<!--COMMENT: Exclude known-good pipe users-->
+				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
+				<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
+			<!--SECTION: Microsoft-->
+			<PipeName condition="contains">lsass</PipeName>
+			<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
+			<PipeName condition="is">\spoolss</PipeName>
+			<Image condition="image">C:\Windows\system32\wbem\wmiprvse.exe</Image> <!-- Rediculous amount of spam, likely spikes cpu if logged -->
+			<Image condition="image">C:\Windows\System32\LxRun.exe</Image> <!--WSL-->
+			<Image condition="image">C:\Windows\System32\SearchIndexer.exe</Image>
+			<Image condition="image">C:\Windows\System32\smss.exe</Image>
+			<Image condition="image">C:\Windows\System32\spoolsv.exe</Image>
+			<Image condition="image">C:\Windows\System32\wininit.exe</Image>
+			<Image condition="image">C:\Windows\system32\DFSRs.exe</Image>
+			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
+			<Rule name="ngen excludes" groupRelation="and">
+				<Image condition="begin with">C:\Windows\Microsoft.NET\Framework</Image>
+				<Image condition="end with">\ngen.exe</Image>
+			</Rule>
+			<Rule name="ShellExperienceHost excludes" groupRelation="and">
+				<Image condition="begin with">C:\Windows\SystemApps\ShellExperienceHost_</Image>
+				<Image condition="end with">\ShellExperienceHost.exe</Image>
+			</Rule>
+			<Image condition="image">C:\Windows\system32\SearchProtocolHost.exe</Image>
+			<Image condition="image">\System</Image>
+			<PipeName condition="contains">ProtectedPrefix\LocalService\FTHPIPE</PipeName>
+			<!--SECTION: Microsoft Exchange Server -->
+			<Image condition="contains">Exchange Server</Image>
+			<!--SECTION: Microsoft IIS -->
+			<Image condition="image">C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE</Image>
+			<Image condition="image">C:\Windows\syswow64\snmp.exe</Image>
+			<Image condition="image">c:\windows\system32\inetsrv\w3wp.exe</Image>
+			<PipeName condition="begin with">\M.E.C.Core.WinRMDataCommunicator.NamedPipe.</PipeName>
+			<!--SECTION: Microsoft DNS Server -->
+			<Image condition="image">C:\Windows\system32\dns.exe</Image>
+			<!--SECTION: Microsoft SQL Server -->
+			<PipeName condition="is">\sql\query</PipeName>
+			<Image condition="image">C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe</Image>
+			<PipeName condition="contains">\TDLN-</PipeName>
+			<PipeName condition="contains">vmware-</PipeName>
+			<PipeName condition="is">\InitShutdown</PipeName>
+			<PipeName condition="is">\MsFteWds</PipeName>
+			<PipeName condition="is">\W32TIME_ALT</PipeName>
+			<PipeName condition="is">\WiFiNetworkManagerTask</PipeName>
+			<PipeName condition="is">\Winsock2CatelogChangeListener</PipeName>
+			<PipeName condition="is">\browser</PipeName>
+			<PipeName condition="is">\epmapper</PipeName>
+			<PipeName condition="is">\eventlog</PipeName>
+			<PipeName condition="is">\scerpc</PipeName>
+			<PipeName condition="is">\wkssvc</PipeName>
+			<PipeName condition="is">\ntapvsrq</PipeName>
+			<PipeName condition="contains">Anonymous Pipe</PipeName>
+		</PipeEvent>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
+	<!--EVENT 19: "WmiEventFilter activity detected"-->
+	<!--EVENT 20: "WmiEventConsumer activity detected"-->
+	<!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->
+	<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
+	<RuleGroup name="RG=WmiEvent Include Group" groupRelation="or">
+		<WmiEvent onmatch="include">
+			<Operation name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="is">Created</Operation>
+		</WmiEvent>
+	</RuleGroup>
+	<!-- SYSMON EVENT ID 22 : DNS Queries-->
+	<RuleGroup name="RG=DNS Query Includes" groupRelation="or">
+		<DnsQuery onmatch="include">
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=Powershell TXT Record exfiltration" groupRelation="and">
+				<QueryResults condition="contains any">type: 16;type:  16</QueryResults>
+				<Image condition="image">powershell.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Powershell,Tactic=Execution,Level=4,Alert=Powershell Connection to github" groupRelation="and">
+				<QueryName condition="contains">github</QueryName>
+				<Image condition="image">powershell.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">powershell;cscript.exe;wscript.exe;mshta.exe;bitsadmin.exe;\cmd.exe</Image>
+				<QueryName condition="contains">.</QueryName>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=Dropbox Cloud Exfiltration" groupRelation="and">
+				<QueryName condition="end with">dropboxapi.com</QueryName>
+				<Image condition="excludes any">\Dropbox\Client\Dropbox.exe;\Dropbox\bin\Dropbox.exe;\Oracle\Java\</Image>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=OneDrive Cloud Exfiltration" groupRelation="and">
+				<QueryName condition="contains">1drv</QueryName>
+				<Image condition="excludes any">\AppData\Local\Microsoft\OneDrive\OneDrive.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;\Internet Explorer\iexplore.exe;C:\Windows\System32\AppHostRegistrationVerifier.exe;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe;C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe;C:\Program Files\Mozilla Firefox\firefox.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=Box.com Cloud Exfiltration" groupRelation="and">
+				<QueryName condition="contains all">.box.com;upload</QueryName>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=Mega.co.nz Cloud Exfiltration" groupRelation="and">
+				<QueryName condition="contains any">mega.nz;mega.co.nz</QueryName>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=Privatlab Cloud Exfiltration" groupRelation="and">
+				<QueryName condition="contains any">privatlab.com</QueryName>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst domains,Risk=100" groupRelation="or">
+				<QueryName condition="contains any">thedoccloud.com;deftsecurity.com;websitetheme.com;highdatabase.com;incomeupdate.com;zupertech.com;panhardware.com;databasegalore.com;avsvmcloud.com;freescanonline.com</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
+				<QueryName condition="contains any">tiktok;parler.com;gab.com;mewe.com;4chan;8chan;facebook;fbcdn;twitter;instagram;snapchat</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
+				<QueryName condition="contains any">efnet;undernet;freenode;ircnet;.rizon;quakenet;oftc.net;dalnet</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<QueryName condition="contains any">.slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com</QueryName>
+			</Rule>
+			<!--Crypto Currency Mining pools-->
+			<Rule name="Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=10"  groupRelation="or">
+				<QueryName condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.nimpool.io;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool;analytics.blue;estream.to</QueryName>
+			</Rule>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">graph.microsoft.com</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">dl.dropboxusercontent.com</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">api.onedrive.com</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">zoom.us</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">teamviewer</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Screenconnect</QueryName>
+			<!--Public Port Scan Detection-->
+			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery" condition="contains">census</QueryName>
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=ResearchScan DNS Query" condition="contains">researchscan</QueryName>
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=ScanHub DNS Query" condition="contains">scanhub</QueryName>
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=Shadow DNS Query,Risk=20" condition="contains">shadow</QueryName>
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=Shodan.IO DNS Query,Risk=20" condition="contains">shodan</QueryName>
+			<!--Domain TLD's to log-->
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.download</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.kp</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.su</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ss</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xn</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sy</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ve</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xxx</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.cn</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.click</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.club</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ir</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ru</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.host</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.icu</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pw</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.website</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ninja</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.rocks</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.top</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ua</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xyz</QueryName>
+			<!--Malware Domains-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<QueryName condition="contains any">kuternull.com;rimrun.com;0ffice36o;asushotfix;infestexe;rahasn.webhop.org;rahasn.akamake.net;rahasn.homewealth.biz;winodwsupdates;israirairlines</QueryName>
+			</Rule>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">githubusercontent.com;github.com</QueryName> 
+			<!--Common Suspicious destinations-->
+			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=0,Desc=Malware IP Check,Risk=30" condition="contains any">api.ipify.org;whatismyipaddress.com;edns.ip-api.com;checkip.dyndns.org;icanhazip.com;ifconfig.me;ifconfig.co;ipaddress.com;ipecho.net;ident.me;api.ip.sb;www.myexternalip.com;ip.anysrc.net;wtfismyip.com;myexternalip.com;ipecho.net;checkip.amazonaws.com;goo.gl;git.io;bit.ly;ow.ly;ip-api.com</QueryName> <!--Malware uses to get external IP address-->
+			<!-- Malicious/Suspicious hosting domains-->
+			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=4,Alert=Common Malware Hosting Domain: Tiny-share.com,Risk=30" condition="contains any">tiny-share.com;paste.ee;pastebin.com</QueryName>
+			<!--Dynamic DNS Lookups-->
+			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=3,Alert=Dynamic DNS Query" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</QueryName>
+			<QueryName name="Attack=T1188,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=4,Alert=Tor2Web,Risk=100" condition="contains any">darknet.to;hiddenservice.net;onion.cab;onion.city;onion.direct;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org</QueryName>
+			<QueryName name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=DNS Over HTTPS Detected" condition="contains any">adblock.mydns.network;ibksturm.synology.me;jcdns.fun;ibuki.cgnat.net;dns.twnic.tw;commons.host;doh.dnswarden.com;dns-nyc.aaflalo.me;dns.aaflalo.me;doh.appliedprivacy.net;doh.captnemo.in;doh.tiar.app;doh.tiarap.org;doh.defaultroutes.de;doh.dns.sb;dns.oszx.co;2.dnscrypt-cert.oszx.co;dnscrypt;edns.233py.com;hk-dns.233py.com;hk2dns.233py.com;hkdns.233py.com;hkdns.233py.com;ndns.233py.com;sdns.233py.com;wdns.233py.com;pastebin.com;dns.adguard.com;dns-family.adguard.com;security-filter-dns.cleanbrowsing.org;family-filter-dns.cleanbrowsing.org;adult-filter-dns.cleanbrowsing.org;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;dns.google;doh.opendns.com;dns.quad9.net;dns9.quad9.net;dns10.quad9.net;dns11.quad9.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;doh-ch.blahdns.com;doh-de.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;doh-2.seby.io;doh.seby.io;rdns.faelix.net;doh.li;doh.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">gc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_kerberos._tcp.dc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_kerberos._udp.dc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">wpad</QueryName>
+			<Rule name="Level=3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
+				<QueryName condition="begin with">_ldap.</QueryName>
+				<Image condition="excludes">C:\Windows\</Image>
+				<Image condition="excludes">unknown process</Image>
+				<Image condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</Image>
+			</Rule>
+			<!--
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  28</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  5</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  15</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  2</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  12</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  6</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  99</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  33</QueryResults>
+			-->
+			<Image name="Information=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
+		</DnsQuery>
+	</RuleGroup>
+	<RuleGroup name="RG=DNS Query Excludes" groupRelation="or">
+		<DnsQuery onmatch="exclude">
+			<!-- Image Exclusions -->
+			<Image condition="begin with">C:\Program Files (x86)\Admin Arsenal\</Image>
+			<Image condition="begin with">C:\Program Files (x86)\CheckPoint\</Image>
+			<Image condition="begin with">C:\Program Files (x86)\Fortinet\</Image>
+			<Image condition="begin with">C:\Program Files (x86)\OpenDNS\OpenDNS Connector</Image>
+			<Image condition="begin with">C:\Program Files (x86)\Razer\Razer Services\</Image>
+			<Image condition="begin with">C:\Program Files (x86)\Trend Micro\</Image>
+			<Image condition="begin with">C:\Program Files (x86)\VMware</Image>
+			<Image condition="begin with">C:\Program Files (x86)\Veeam\</Image>
+			<Image condition="begin with">C:\Program Files\CheckPoint\</Image>
+			<Image condition="begin with">C:\Program Files\Trend Micro\</Image>
+			<Image condition="end with">Slack.exe</Image>
+			<Image condition="end with">\controls\cef\ConnectWise.exe</Image>
+			<Image condition="end with">git-remote-https.exe</Image>
+			<Image condition="image">C:\Program Files (x86)\Enpass\Enpass.exe</Image>
+			<Image condition="image">C:\Program Files (x86)\Fiserv\Vision\VisionGUI.NET.exe</Image>
+			<Image condition="image">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image>
+			<Image condition="image">C:\Program Files (x86)\Lenovo\System Update\Tvsukernel.exe</Image>
+			<Image condition="image">C:\Program Files\VMware\vCenter Server\jre\bin\java.exe</Image>
+			<Image condition="image">C:\Program Files\VMware\vCenter Server\python\python.exe</Image>
+			<Image condition="image">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
+			<Image condition="image">C:\Windows\System32\dsregcmd.exe</Image>
+			<Image condition="image">C:\Windows\sysmon64.exe</Image>
+			<Image condition="image">C:\Windows\sysmon.exe</Image>
+			<QueryName condition="begin with">brave-sync.s3.dualstack.</QueryName>
+			<QueryName condition="end with">.salesforceliveagent.com</QueryName>
+			<QueryName condition="is">ads-serve.brave.com</QueryName>
+			<!--Network noise-->
+			<QueryName condition="end with">.msftncsi.com</QueryName> <!--Microsoft proxy detection | Microsoft default exclusion-->
+			<QueryName condition="is">..localmachine</QueryName>
+			<!--Microsoft-->
+			<QueryName condition="end with">-pushp.svc.ms</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
+			<QueryName condition="end with">.b-msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
+			<QueryName condition="end with">.bing.com</QueryName> <!-- Microsoft | Microsoft default exclusion -->
+			<QueryName condition="end with">.hotmail.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.live.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.live.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.microsoft.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.microsoftonline.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.microsoftstore.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.ms-acdc.office.com</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
+			<QueryName condition="end with">.msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
+			<QueryName condition="end with">.msn.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.msocdn.com</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.s-microsoft.com</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.skype.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.skype.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.windows.com</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.windows.net.nsatc.net</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.windowsupdate.com</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.xboxlive.com</QueryName> <!--Microsoft-->
+			<QueryName condition="is">login.windows.net</QueryName> <!--Microsoft-->
+			<!--Microsoft:Office365/AzureAD-->
+			<QueryName condition="end with">.activedirectory.windowsazure.com</QueryName> <!--Microsoft: AzureAD-->
+			<QueryName condition="end with">.msauth.net</QueryName>
+			<QueryName condition="end with">.msftauth.net</QueryName>
+			<QueryName condition="end with">.opinsights.azure.com</QueryName> <!--Microsoft: AzureAD/InTune client event monitoring-->
+			<QueryName condition="is">management.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
+			<QueryName condition="is">outlook.office365.com</QueryName> <!--Microsoft: Protected by HSTS-->
+			<QueryName condition="is">portal.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
+			<!--3rd-party applications-->
+			<QueryName condition="end with">.mozaws.net</QueryName> <!--Mozilla-->
+			<QueryName condition="end with">.mozilla.com</QueryName> <!--Mozilla-->
+			<QueryName condition="end with">.mozilla.net</QueryName> <!--Mozilla-->
+			<QueryName condition="end with">.mozilla.org</QueryName> <!--Mozilla-->
+			<QueryName condition="end with">.spotify.com</QueryName> <!--Spotify-->
+			<QueryName condition="end with">.spotify.map.fastly.net</QueryName> <!--Spotify-->
+			<QueryName condition="end with">googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients1.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients2.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients3.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients4.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients5.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients6.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">cloudsearch.googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">id.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">safebrowsing.googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">www.googleapis.com</QueryName> <!--Google-->
+			<!--Goodlist CDN-->
+			<QueryName condition="end with">.akadns.net</QueryName> <!--AkamaiCDN, extensively used by Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.netflix.com</QueryName>
+			<QueryName condition="end with">.typekit.net</QueryName> <!--Adobe fonts-->
+			<QueryName condition="end with">aspnetcdn.com</QueryName> <!--Microsoft [ https://docs.microsoft.com/en-us/aspnet/ajax/cdn/overview ]-->
+			<QueryName condition="is">ajax.googleapis.com</QueryName>
+			<QueryName condition="is">cdnjs.cloudflare.com</QueryName>
+			<QueryName condition="is">cdnjs.cloudflare.com</QueryName> <!--Cloudflare: Hosts popular javascript libraries-->
+			<QueryName condition="is">fonts.googleapis.com</QueryName> <!--Google fonts-->
+			<!--Personal-->
+			<QueryName condition="end with">.steamcontent.com</QueryName> <!--If you seriously host malware C2 in game binaries in Steam, I give up-->
+			<!--Web resources-->
+			<QueryName condition="end with">.disqus.com</QueryName> <!--Microsoft default exclusion-->
+			<QueryName condition="end with">.fontawesome.com</QueryName>
+			<QueryName condition="is">disqus.com</QueryName> <!--Microsoft default exclusion-->
+			<!--Ads-->
+			<QueryName condition="end with">.1rx.io</QueryName> <!--Ads-->
+			<QueryName condition="end with">.2mdn.net</QueryName> <!--Ads: Google | Microsoft default exclusion-->
+			<QueryName condition="end with">.adadvisor.net</QueryName> <!--Ads: Neustar [ https://better.fyi/trackers/adadvisor.net/ ] -->
+			<QueryName condition="end with">.adap.tv</QueryName> <!--Ads:AOL | Microsoft default exclusion [ https://www.crunchbase.com/organization/adap-tv ] -->
+			<QueryName condition="end with">.addthis.com</QueryName> <!--Ads:Oracle | Microsoft default exclusion [ https://en.wikipedia.org/wiki/AddThis ] -->
+			<QueryName condition="end with">.adform.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adnxs.com</QueryName> <!--Ads: AppNexus | Microsoft default exclusion-->
+			<QueryName condition="end with">.adroll.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adrta.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adsafeprotected.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adsrvr.org</QueryName> <!--Ads-->
+			<QueryName condition="end with">.advertising.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.analytics.yahoo.com</QueryName> <!--Ads:Yahoo-->
+			<QueryName condition="end with">.aol.com</QueryName> <!--Ads | Microsoft default exclusion -->
+			<QueryName condition="end with">.betrad.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.bidswitch.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.casalemedia.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.chartbeat.net</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/chartbeat.com/ ]-->
+			<QueryName condition="end with">.cnn.com</QueryName> <!-- Microsoft default exclusion-->
+			<QueryName condition="end with">.convertro.com</QueryName> <!--Ads:Verizon-->
+			<QueryName condition="end with">.criteo.com</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
+			<QueryName condition="end with">.criteo.net</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
+			<QueryName condition="end with">.crwdcntrl.net</QueryName> <!--Ads: Lotame [ https://better.fyi/trackers/crwdcntrl.net/ ] -->
+			<QueryName condition="end with">.demdex.net</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.domdex.com</QueryName> 
+			<QueryName condition="end with">.dotomi.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.doubleclick.net</QueryName> <!--Ads:Conversant | Microsoft default exclusion [ https://www.crunchbase.com/organization/dotomi ] -->
+			<QueryName condition="end with">.doubleverify.com</QueryName> <!--Ads: Google-->
+			<QueryName condition="end with">.emxdgt.com</QueryName> <!--Ads: EMX-->
+			<QueryName condition="end with">.exelator.com</QueryName> <!--Ads:Nielson Marketing Cloud-->
+			<QueryName condition="end with">.google-analytics.com</QueryName> <!--Ads:Google | Microsoft default exclusion-->
+			<QueryName condition="end with">.googleadservices.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.googlesyndication.com</QueryName> <!--Ads:Google, sometimes called during malicious ads, but not directly responsible | Microsoft default exclusion [ https://www.hackread.com/wp-content/uploads/2018/06/Bitdefender-Whitepaper-Zacinlo.pdf ]-->
+			<QueryName condition="end with">.googletagmanager.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.googlevideo.com</QueryName> <!--Google | Microsoft default exclusion-->
+			<QueryName condition="end with">.gstatic.com</QueryName> <!--Google | Microsoft default exclusion-->
+			<QueryName condition="end with">.gvt1.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.gvt2.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.ib-ibi.com</QueryName> <!--Ads: Offerpath [ https://better.fyi/trackers/ib-ibi.com/ ] -->
+			<QueryName condition="end with">.jivox.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.mathtag.com</QueryName> <!--Microsoft default exclusion-->
+			<QueryName condition="end with">.moatads.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.moatpixel.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.mookie1.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.myvisualiq.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.netmng.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.openx.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.optimizely.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.outbrain.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.pardot.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.phx.gbl</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.pinterest.com</QueryName> <!--Pinerest-->
+			<QueryName condition="end with">.pubmatic.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.quantcount.com</QueryName>
+			<QueryName condition="end with">.quantserve.com</QueryName>
+			<QueryName condition="end with">.revsci.net</QueryName> <!--Ads:Omniture | Microsoft default exclusion-->
+			<QueryName condition="end with">.rfihub.net</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.rlcdn.com</QueryName> <!--Ads: Rapleaf [ https://better.fyi/trackers/rlcdn.com/ ] -->
+			<QueryName condition="end with">.rubiconproject.com</QueryName> <!--Ads: Rubicon Project | Microsoft default exclusion [ https://better.fyi/trackers/rubiconproject.com/ ] -->
+			<QueryName condition="end with">.scdn.co</QueryName> <!--Spotify-->
+			<QueryName condition="end with">.scorecardresearch.com</QueryName> <!--Ads: Comscore | Microsoft default exclusion-->
+			<QueryName condition="end with">.serving-sys.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.sharethrough.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.simpli.fi</QueryName>
+			<QueryName condition="end with">.sitescout.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.smartadserver.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.snapads.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.spotxchange.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.taboola.com</QueryName> <!--Ads:Taboola-->
+			<QueryName condition="end with">.taboola.map.fastly.net</QueryName> <!--Ads:Taboola-->
+			<QueryName condition="end with">.tapad.com</QueryName>
+			<QueryName condition="end with">.tidaltv.com</QueryName> <!--Ads: Videology [ https://better.fyi/trackers/tidaltv.com/ ] -->
+			<QueryName condition="end with">.trafficmanager.net</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.tremorhub.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.tribalfusion.com</QueryName> <!--Ads: Exponential [ https://better.fyi/trackers/tribalfusion.com/ ] -->
+			<QueryName condition="end with">.turn.com</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/turn.com/ ] -->
+			<QueryName condition="end with">.twimg.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.tynt.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.w55c.net</QueryName> <!--Ads:dataxu-->
+			<QueryName condition="end with">.ytimg.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.zorosrv.com</QueryName> <!--Ads:Taboola-->
+			<QueryName condition="end with">ads.yahoo.com</QueryName> <!--Ads: Yahoo-->
+			<QueryName condition="is">1rx.io</QueryName>
+			<QueryName condition="is">adservice.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">ampcid.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clientservices.googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">d29x207vrinatv.cloudfront.net</QueryName> <!--Amazon-developed applications-->
+			<QueryName condition="is">googleadapis.l.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">imasdk.googleapis.com</QueryName> <!--Google [ https://developers.google.com/interactive-media-ads/docs/sdks/html5/ ] -->
+			<QueryName condition="is">l.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">ml314.com</QueryName> <!--Ads-->
+			<QueryName condition="is">mtalk.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">update.googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">www.googletagservices.com</QueryName>
+			<!--SocialNet-->
+			<QueryName condition="end with">.pscp.tv</QueryName> <!--Twitter:Periscope-->
+			<!--OSCP/CRL Common-->
+			<QueryName condition="contains">adsniper.ru</QueryName>
+			<QueryName condition="contains">cdnvideo.ru</QueryName>
+			<QueryName condition="contains">chat.minergate.com</QueryName>
+			<QueryName condition="contains">cwsa.minergate.com</QueryName>
+			<QueryName condition="contains">forum.minergate.com</QueryName>
+			<QueryName condition="contains">leadlab.click</QueryName>
+			<QueryName condition="contains">mc.yandex.ru</QueryName>
+			<QueryName condition="contains">pool.ntp.org</QueryName>
+			<QueryName condition="contains">vmg.host</QueryName>
+			<QueryName condition="contains">yandex.ru</QueryName>
+			<QueryName condition="end with">.adobe.com</QueryName>
+			<QueryName condition="end with">.autodesk.com</QueryName>
+			<QueryName condition="end with">.avast.com</QueryName>
+			<QueryName condition="end with">.avcdn.net</QueryName>
+			<QueryName condition="end with">.cdn.bitdefender.net</QueryName>
+			<QueryName condition="end with">.digicert.com</QueryName>
+			<QueryName condition="end with">.eset.com</QueryName>
+			<QueryName condition="end with">.globalsign.com</QueryName>
+			<QueryName condition="end with">.globalsign.net</QueryName>
+			<QueryName condition="end with">.intuit.com</QueryName>
+			<QueryName condition="end with">.java.com</QueryName>
+			<QueryName condition="end with">.macromedia.com</QueryName>
+			<QueryName condition="end with">.oracle.com</QueryName>
+			<QueryName condition="end with">.quickbooks.com</QueryName>
+			<QueryName condition="end with">.usertrust.com</QueryName>
+			<QueryName condition="end with">amazontrust.com</QueryName>
+			<QueryName condition="end with">ocsp.identrust.com</QueryName>
+			<QueryName condition="end with">pki.goog</QueryName>
+			<QueryName condition="is">ads.playground.xyz</QueryName>
+			<QueryName condition="is">citrixupdates.cloud.com</QueryName>
+			<QueryName condition="is">forticlient.fortinet.net</QueryName>
+			<QueryName condition="is">mft10.onbaseonline.com</QueryName>
+			<QueryName condition="is">msocsp.com</QueryName> <!--Microsoft:OCSP-->
+			<QueryName condition="is">ocsp.comodoca.com</QueryName>
+			<QueryName condition="is">ocsp.cybertrust.ne.jp</QueryName>
+			<QueryName condition="is">ocsp.entrust.net</QueryName>
+			<QueryName condition="is">ocsp.entrust.net</QueryName>
+			<QueryName condition="is">ocsp.godaddy.com</QueryName>
+			<QueryName condition="is">ocsp.int-x3.letsencrypt.org</QueryName>
+			<QueryName condition="is">ocsp.intel.com</QueryName>
+			<QueryName condition="is">ocsp.msocsp.com</QueryName> <!--Microsoft:OCSP-->
+			<QueryName condition="is">ocsp.quovadisglobal.com</QueryName>
+			<QueryName condition="is">ocsp.quovadisoffshore.com</QueryName>
+			<QueryName condition="is">ocsp.sectigo.com</QueryName>
+			<QueryName condition="is">ocsp.starfieldtech.com</QueryName>
+			<QueryName condition="is">ocsp.thawte.com</QueryName>
+			<QueryName condition="is">ocsp.trustwave.com</QueryName>
+			<QueryName condition="is">ocsp.verisign.com</QueryName>
+			<QueryName condition="is">pki-goog.l.google.com</QueryName>
+			<QueryName condition="is">pki.intel.com</QueryName>
+			<QueryName condition="is">scrootca1.ocsp.secomtrust.net</QueryName>
+			<QueryName condition="is">scrootca2.ocsp.secomtrust.net</QueryName>
+			<QueryName condition="is">stats.anchor.host</QueryName>
+			<QueryName condition="is">status.rapidssl.com</QueryName>
+			<QueryName condition="is">status.thawte.com</QueryName>
+			<QueryName condition="is">ts-ocsp.ws.symantec.com</QueryName>
+			<QueryName condition="is">upgrade.bitdefender.com</QueryName>
+		</DnsQuery>
+	</RuleGroup>
+	<!-- SYSMON EVENT ID 23 : File Delete and overwrite events which saves a copy to the archivedir: Includes -->
+	<!-- Default set to disabled due to disk space implications, enable with care!-->
+	<RuleGroup groupRelation="or">
+	  <FileDelete onmatch="include" />
+	</RuleGroup>
+	<!-- SYSMON EVENT ID 24 : Clipboard change events, only captures text, not files: Includes -->
+	<!-- Default set to disabled due to privacy implications and potential data you leave for attackers, enable with care!-->
+	<RuleGroup groupRelation="or">
+	  <ClipboardChange onmatch="include" />
+	</RuleGroup>
+	<!--SYSMON EVENT ID 25 : Process tampering events-->
+	<RuleGroup name="RG=Process Tampering Includes" groupRelation="or">
+		<ProcessTampering onmatch="include">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">.;&gt;;unknown;anonymous</Image>
+				<Image condition="excludes">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
+				<Image condition="excludes">C:\Program Files (x86)\Symantec\</Image>
+				<Image condition="excludes">C:\Program Files\Google\Chrome\Application\chrome.exe</Image>
+				<Image condition="excludes">C:\Program Files\Symantec\</Image>
+			</Rule>
+		</ProcessTampering>
+	</RuleGroup>
+	<RuleGroup name="RG=Process Tampering Excludes" groupRelation="or">
+		<ProcessTampering onmatch="exclude">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">\BHO\ie_to_edge_stub.exe;\Microsoft\Teams\;\Vivaldi\Application\;Google\Chrome\;Google\Update;BraveSoftware\Brave-Browser\;Edge\Application\;EdgeUpdate\Install\;Program Files\SmartGit\</Image>
+			</Rule>
+		</ProcessTampering>
+	</RuleGroup>
+	<!-- SYSMON EVENT ID 26 : File Delete and overwrite events, does NOT save the file: Includes -->
+	<RuleGroup groupRelation="or">
+		<FileDeleteDetected onmatch="include">
+		</FileDeleteDetected>
+	</RuleGroup>
+	<RuleGroup groupRelation="or">
+		<FileDeleteDetected onmatch="exclude">
+			<Image condition="contains all">\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
+			<User condition="contains any">NETWORK SERVICE; LOCAL SERVICE</User>
+		</FileDeleteDetected>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 27 : FILE BLOCK [FileBlockExecutable]-->
+	<RuleGroup name="RG=ImageBlock Include Group" groupRelation="or">
+		<FileBlockExecutable onmatch="include">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">OUTLOOK.exe;WINWORD.exe;EXCEL.EXE;powerpnt.exe;msaccess.exe;mspub.exe;eqnedt32.exe;visio.exe;wordpad.exe;wordview.exe;msohtmed.exe;lync.exe;teams.exe</Image>
+				<TargetFilename condition="excludes any">:\Program Files\Microsoft Office\;:\Program Files (x86)\Microsoft Office\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">w3wp.exe;tomcat;apache;nginx;httpd</Image>
+				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">powershell.exel;powershell_ise.exe</Image>
+				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="contains any">.pdf;.doc;.xls;.doc;.ppt;.txt;.rtf;.htm;.iso;.zip;.rar;.7z</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
+				<Image condition="contains any">psexesvc</Image>
+				<Image condition="contains any">psexec</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
+				<Image condition="is">wmiprvse.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
+				<TargetFilename condition="excludes any">amdsfhdcd.bin</TargetFilename>
+				<Image condition="excludes any">intuit</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+				<Image condition="contains any">AcroRd32.exe;notepad.exe;mshta.exe;hh.exe;certutil.exe;certoc.exe;certreq.exe;desktopimgdownldr.exe;esentutl.exe;finger.exe;presentationhost.exe;cscript.exe;wscript.exe;mspaint.exe;RdrCEF.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1311,Technique=User Execution: Malicious File,Tactic=Execution,Level=4,Alert=Malicious File Detection,Author=Florian Roth" groupRelation="or">
+				<Hashes condition="contains">IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932</Hashes> <!-- PetitPotam -->
+				<Hashes condition="contains">IMPHASH=3A19059BD7688CB88E70005F18EFC439</Hashes> <!-- PetitPotam -->
+				<Hashes condition="contains">IMPHASH=bf6223a49e45d99094406777eb6004ba</Hashes> <!-- PetitPotam -->
+				<Hashes condition="contains">IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=4C1B52A19748428E51B14C278D0F58E3</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=672B13F4A0B6F27D29065123FE882DFC</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=9528A0E91E28FBB88AD433FEABCA2456</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=D21BBC50DCC169D7B4D0F01962793154</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1</Hashes> <!-- JuicyPotato  -->
+				<Hashes condition="contains">IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC</Hashes> <!-- JuicyPotato  -->
+				<Hashes condition="contains">IMPHASH=6118619783FC175BC7EBECFF0769B46E</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=563233BFA169ACC7892451F71AD5850A</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=87575CB7A0E0700EB37F2E3668671A08</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=13F08707F759AF6003837A150A371BA1</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=1781F06048A7E58B323F0B9259BE798B</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=713C29B396B907ED71A72482759ED757</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=8B114550386E31895DFAB371E741123D</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793</Hashes> <!-- PwDumpX -->
+				<Hashes condition="contains">IMPHASH=9D68781980370E00E0BD939EE5E6C141</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=B18A1401FF8F444056D29450FBC0A6CE</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=CB567F9498452721D77A451374955F5F</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=730073214094CD328547BF1F72289752</Hashes> <!-- Htran -->
+				<Hashes condition="contains">IMPHASH=17B461A082950FC6332228572138B80C</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=819B19D53CA6736448F9325A85736792</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74</Hashes> <!-- PPLDump -->
+				<Hashes condition="contains">IMPHASH=0588081AB0E63BA785938467E1B10CCA</Hashes> <!-- PPLDump -->
+				<Hashes condition="contains">IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=4DA924CF622D039D58BCE71CDF05D242</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=E7A3A5C377E2D29324093377D7DB1C66</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=E6F9D5152DA699934B30DAAB206471F6</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=3AD59991CCF1D67339B319B15A41B35D</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=FFDD59E0318B85A3E480874D9796D872</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=0CF479628D7CC1EA25EC7998A92F5051</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=D6D0F80386E1380D05CB78E871BC72B1</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=38D9E015591BBFD4929E0D0F47FA0055</Hashes> <!-- HandleKatz -->
+				<Hashes condition="contains">IMPHASH=0E2216679CA6E1094D63322E3412D650</Hashes> <!-- HandleKatz -->
+				<Hashes condition="contains">IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=11083E75553BAAE21DC89CE8F9A195E4</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F</Hashes> <!-- CreateMiniDump -->
+				<Hashes condition="contains">IMPHASH=767637C23BB42CD5D7397CF58B0BE688</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=14C4E4C72BA075E9069EE67F39188AD8</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=7D010C6BB6A3726F327F7E239166D127</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=89159BA4DD04E4CE5559F132A9964EB3</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=5834ED4291BDEB928270428EBBAF7604</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=3DE09703C8E79ED2CA3F01074719906B</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F</Hashes> <!-- WCE -->
+				<Hashes condition="contains">IMPHASH=E96A73C7BF33A464C510EDE582318BF2</Hashes> <!-- WCE -->
+				<Hashes condition="contains">IMPHASH=32089B8851BBF8BC2D014E9F37288C83</Hashes> <!-- Sliver Stagers -->
+				<Hashes condition="contains">IMPHASH=09D278F9DE118EF09163C6140255C690</Hashes> <!-- Dumpert -->
+				<Hashes condition="contains">IMPHASH=03866661686829D806989E2FC5A72606</Hashes> <!-- Dumpert -->
+				<Hashes condition="contains">IMPHASH=E57401FBDADCD4571FF385AB82BD5D6D</Hashes> <!-- Dumpert -->
+				<Hashes condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hashes> <!-- SysmonEnte -->
+				<Hashes condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hashes> <!-- SysmonQuiet -->
+				<Hashes condition="contains">IMPHASH=330768A4F172E10ACB6287B87289D83B</Hashes> <!-- ShaprEvtMute Hook -->
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Tools that tamper with Sysmon,Author=Florian Roth" groupRelation="and">
+				<TargetFilename condition="contains any">\EntenLoader.exe;\SysmonQuiet.exe;\SharpEvtMute.exe;\EvtMuteHook.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Desc=Lolbins dropping binaries,Author=Florian Roth" groupRelation="or">
+				<Image condition="image">certutil.exe</Image>
+				<Image condition="image">certoc.exe</Image>
+				<Image condition="image">CertReq.exe</Image>
+				<!-- <Image condition="image">bitsadmin.exe</Image> (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env) -->
+				<Image condition="image">Desktopimgdownldr.exe</Image>
+				<Image condition="image">esentutl.exe</Image>
+				<!-- <Image condition="image">expand.exe</Image> (depends on the environment; comment in if you're sure that expand doesn't do that in your env) -->
+				<Image condition="image">finger.exe</Image>
+				<Image condition="image">presentationhost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Desc=Suspicious Bitsadmin Usage from Non System accounts,Author=@ionstorm" groupRelation="and">
+				<Image condition="image">bitsadmin.exe</Image>
+				<TargetFilename condition="excludes any">C:\Windows;$WINDOWS.;\SoftwareDistribution\</TargetFilename>
+				<User condition="is not">System</User>
+				<User condition="excludes any">TrustedInstaller;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</User>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Tools that tamper with Sysmon,Author=Florian Roth" groupRelation="and">
+				<TargetFilename condition="contains any">\EntenLoader.exe;\SysmonQuiet.exe;\SharpEvtMute.exe;\EvtMuteHook.dll</TargetFilename>
+			</Rule>
+		</FileBlockExecutable>
+	</RuleGroup>
+	</EventFiltering>
+</Sysmon>
\ No newline at end of file

From 234fe3d2900cda29a6f14bdefcb17aabfcbce314 Mon Sep 17 00:00:00 2001
From: cyberkryption <cyberkryption@gmail.com>
Date: Fri, 23 Sep 2022 15:19:05 +0100
Subject: [PATCH 361/471] Update sysmonconfig-cyberkryption.xml

---
 sysmonconfig-cyberkryption.xml | 64 +++++++++++++++++-----------------
 1 file changed, 32 insertions(+), 32 deletions(-)

diff --git a/sysmonconfig-cyberkryption.xml b/sysmonconfig-cyberkryption.xml
index 540c518d..0e7633fa 100644
--- a/sysmonconfig-cyberkryption.xml
+++ b/sysmonconfig-cyberkryption.xml
@@ -312,7 +312,7 @@
 			</Rule>
 			<CommandLine name="Attack=T1059.001,Technique=PowerShell,Tactic=Execution,Level=4,Alert=invoke-shellcode,Risk=100" condition="contains">Shellcode</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
-			<Image name="Level=4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
 			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">python.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
 			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,Level=3,Alert=JAVA DLL exec" condition="contains">-agentpath:</CommandLine>
@@ -904,7 +904,7 @@
 				<CommandLine condition="contains">0x</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information: Compile After Delivery-->
-			<Rule name="Level=4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
 				<Image condition="image">csc.exe</Image>
 				<CommandLine condition="contains any">\AppData\;\Windows\Temp\</CommandLine>
 			</Rule>
@@ -1679,7 +1679,7 @@
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Sysinternals PsPasswd" condition="contains">PsPasswd</Image>
 			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">mstsc.exe</Image>
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image>
-			<Image name="Level=3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
 			<CommandLine name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=IIS powershellcustomhost exec" condition="contains">powershellcustomhost</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Remote Services: Distributed Component Object Model-->
 			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement" groupRelation="and">
@@ -1960,7 +1960,7 @@
 			<!--Malicious Keywords Credits: Sean Metcalf (source), Florian Roth (rule)-->
 			<CommandLine name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,Level=4,Alert=Malicious Keywords from Exploitation Frameworks" condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
 			<!--Crypto Currency Miner Detections-->
-			<Rule name="Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
 				<CommandLine condition="contains any">ahashpool;blazepool;blockmasters;blockmasterscoins;ccminer;cgminer;coinhive;hashrefinery;minergate;miningpoolhubcoins;nicehash;poolname;poolpassword;poolurl;rainbowminer;sgminer;stratum+tcp;xmrMiner;xmrig;yiimp;zergpool;zergpoolcoins;zpool</CommandLine>
 				<Description condition="contains any">CPU miner;GPU miner;Lime Miner;XMRig CPU miner; miner</Description>
 			</Rule>
@@ -1968,9 +1968,9 @@
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst hashes,Risk=100" groupRelation="and">
 				<Hashes condition="contains any">b91ce2fa41029f6955bff20079468448;02af7cec58b9a5da1c542b5a32151ba1;2c4a910a1299cdae2a4e55988a2f102e;846e27a652a5e1bfbd0ddd38a16dc865;4f2eb62fa529c0283b28d05ddd311fae;56ceb6d0011d87b6e4d7023d7ef85676</Hashes>
 			</Rule>
-			<Hashes condition="end with" name="Level=0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
-			<Hashes condition="end with" name="Level=0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
-			<Hashes condition="end with" name="Level=0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
+			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
+			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
+			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
 			<Hashes name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=4,Alert=Generic APT Hash Detection,Risk=100" condition="contains any">4a069c1abe5aca148d5a8fdabc26751e;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;a4b42c2c95d1f2ff12171a01c86cd64f;98908ce6f80ecc48628c8d2bf5b2a50c;849a2b0dc80aeca3d175c139efe5221c;807d86da63f0db1fc746d1f0b05bc357;322cb39bc049aa69136925137906d855;86A4CAC227078B9C95C560C8F0370BF0;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;eac3e3ece94bc84e922ec077efb15edd;b4abe604916c04fe3dd8b9cb3d501d3f;88777aacd5f16599547926a4c9202862;128CECC59C91C0D0574BC1075FE7CB40;17a36ac3e31f3a18936552aff2c80249;0f49621b06f2cdaac8850c6e9581a594;3d129263f6a48647f103a04446fb0c2f;71345b139166482acaa568ac8816c7bc;1b60021baedc3f9201bcdb40e9b87f62;5E022694C0DBD1FBBC263D608E577949;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;37cd353621b0f4fc6981b50071c94f01;daf2da52475fd8981b19ec3c321a983c;afcdf79be1557326c854b6e20cb900a7;2f40abbb4f78e77745f0e657a19903fc953cc664;37b4496e650b3994312c838435013560b3ca8571;478dc5a5f934c62a9246f7d1fc275868f568bc07;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;0ac48cfa2ff8351365e99c1d26e082ad;0e9afd3a870906ebf34a0b66d8b07435;1aadf739782afcae6d1c3e4d1f315cbd;2a6f7ec77ab6bd4297e7b15ae06e2e61;3a771efb7ba2cd0df247ab570e1408b2;3d75c72144d873b3c1c4977fbafe9184;3dfebce4703f30eed713d795b90538b5;3ffd2915d285ad748202469d4a04e1f5;4e39620afca6f60bb30e031ddc5a4330;6cfd131fef548fcd60fbcdb59317df8e;7bcd736a2394fc49f3e27b3987cce640;7bfba2c69bed6b160261bdbf2b826401;7bfbd72441e1f2ed48fbc0f33be00f24;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;08e82dc7bae524884b7dc2134942aadb;8da15a97eaf69ff7ee184fc446f19cf1;9ad6fa6fdedb2df8055b3d30bd6f64f1;9c115e9a81d25f9d88e7aaa4313d9a8f;16ab79fb2fd92db0b1f38bedb2f02ed8;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;22d142f11cf2a30ea4953e1fffb0fa7e;36db24006e2b492cafb75f2663f241b2;51a7068640af42c3a7c1b94f1c11ab9d;69a19abf5ba56ee07cdd3425b07cf8bf;72dc98449b45a7f1ccdef27d51e31e91;77a745b07d9c453650dd7f683b02b3ed;80c37e062aa4c94697f287352acf2e9d;92f8e3f0f1f7cc49fad797a62a169acd;235d427f94630575a4ea4bff180ecf5d;320b2f1d9551b5d1df4fb19bd9ab253a;490a140093b5870a47edc29f33542fd2;520ee02668a1c7b7c262708e12b1ba6b;649ef1dd4a5411d3afcf108d57ff87af;684eca6b62d69ce899a3ec3bb04d0a5b;815f1f8a7bc1e6f94cb5c416e381a110;0969b2b399a8d4cd2d751824d0d842b4;2317d65da4639f4246de200650a70753;04078ef95a70a04e95bda06cc7bec3fa;8035a8a143765551ca7db4bc5efb5dfd;8403a28e0bffa9cc085e7b662d0d5412;9003cfaac523e94d5479dc6a10575e60;9793afcea43110610757bd3b800de517;27612cb03c89158225ca201721ea1aad;44619a88a6cff63523163c6a4cf375dd;061089d8cb0ca58e660ce2e433a689b3;81229c1e272218eeda14892fa8425883;84730a6e426fbd3cf6b821c59674c8a0;533340c54bd25256873b3dca34d7f74e;57314359df11ffdf476f809671ec0275;99828721ac1a0e32e4582c3f615d6e57;412956675fbc3f8c51f438c1abc100eb;5985087678414143d33ffc6e8863b887;a43d3b31575846fa4c3992b4143a06da;a571660c9cf1696a2f4689b2007a12c7;b4e67706103c3b8ee148394ebee3f268;b9c208ea8115232bfd9ec2c62f32d6b8;b9cf4301b7b186a75e82a04e87b30fe4;b72737b464e50aa3664321e8e001ff32;bfe3f6a79cad5b9c642bb56f8037c43b;c0e72eb4c9f897410c795c1b360090ef;c1e7850da5604e081b9647b58248d7e8;c3e255888211d74cc6e3fb66b69bbffb;cacaa3bf3b2801956318251db5e90f3c;cdb303f61a47720c7a8c5086e6b2a743;ce8ce92fb6565181572dce00d69c24f8;d8f1356bebda9e77f480a6a60eab36bb;d9e9f22988d43d73d79db6ee178d70a4;d5377dc1821c935302c065ad8432c0d2;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;f559c87b4a14a4be1bd84df6553aaf56;fc53f2cd780cd3a01a4299b8445f8511;ffc7305cb24c1955f9625e525d58aeee</Hashes>
 			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=4,Alert=Windows Credential Editor Detection,Risk=70" condition="contains any">e96a73c7bf33a464c510ede582318bf2;a53a02b997935fd8eedcb5f7abab9b9f</Hashes>
 			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Ransomware Hash Detection,Risk=100" condition="contains any">d326e629a90e78825645963b35e53a6a;c579341f86f7e962719c7113943bb6e4;dc5733c013378fa418d13773f5bfe6f1;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc7e564809d6c2a2f3457c3c9b91f22b;FE2CA1BE3BDA2A757036A89E54CC02DB;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b</Hashes>
@@ -2052,22 +2052,22 @@
 			</Rule>
 			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Permission Modifications with icacls or cacls" condition="contains">cacls</Image>
 			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Ownership Permission Modifications with takeown" condition="contains">takeown</Image>
-			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
-			<Rule  name="Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
+			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
+			<Rule  name="Attack=None,Technique=None,Tactic=None,Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
 				<CommandLine condition="contains">\pipe\</CommandLine>
 				<CommandLine condition="excludes">&gt;</CommandLine> <!--Excludes piping to pipe for cobalt strike detection-->
 			</Rule>
-			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
-			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
-			<CommandLine name="Level=3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
-			<CommandLine name="Level=3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
-			<CommandLine name="Level=3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
+			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
+			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
 			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\\tsclient</CommandLine>
 			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">%PROCESSOR_ARCHITECTURE%</CommandLine>
 			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">sysnative</CommandLine>
 			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">AutoIt</Description>
 			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft Filter Loader</Description> 
-			<Image name="Level=3,Alert=interactive command to slow output" condition="is">more.com</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=interactive command to slow output" condition="is">more.com</Image>
 			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">:\Windows\Microsoft.NET\</Image>
 			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">acrord32.exe</Image>
 			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">gpupdate.exe</Image>
@@ -2230,7 +2230,7 @@
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from wwwroot folder: Possible webshell,Risk=100" groupRelation="and">
 				<Image condition="contains">\wwwroot\</Image>
 			</Rule>
-			<Image name="Level=4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from Windows\repair Folder,Risk=70" condition="begin with">C:\Windows\repair\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from htdocs folder,Risk=70" condition="contains">\htdocs\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from systemprofile Folder,Risk=30" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
@@ -2543,7 +2543,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
 			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<DestinationHostname name="Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
+			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<!--UEBA Rules-->
@@ -2580,7 +2580,7 @@
 				<SourceIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</SourceIp>
 				<Initiated>false</Initiated>
 			</Rule>
-			<Rule name="Level=4,Alert=Notepad connecting to the internet" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Notepad connecting to the internet" groupRelation="and">
 				<Image condition="image">notepad.exe</Image>
 				<DestinationIp condition="excludes">127.0.0.1</DestinationIp>
 			</Rule>
@@ -3092,7 +3092,7 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<SignatureStatus condition="is">Expired</SignatureStatus>
 			</Rule>
-			<Rule name="Level=4,Alert=HTA Exec with IE JS Engine AMSI Bypass" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=HTA Exec with IE JS Engine AMSI Bypass" groupRelation="and">
 				<ImageLoaded condition="end with">jscript9.dll</ImageLoaded>
 				<Image condition="image">mshta.exe</Image>
 			</Rule>
@@ -3426,8 +3426,8 @@
 				<TargetImage condition="excludes">C:\WINDOWS\system32\sihost.exe</TargetImage>
 				<TargetImage condition="excludes">C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub</TargetImage>
 			</Rule>
-			<CallTrace name="Level=4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
-			<Rule name="Level=4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
+			<CallTrace name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
 				<CallTrace condition="contains">|UNKNOWN(</CallTrace>
 				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
 				<CallTrace condition="contains">|C:\WINDOWS\System32\KERNELBASE.dll+</CallTrace>
@@ -3435,11 +3435,11 @@
 				<GrantedAccess condition="contains any">0x1028;0x1fffff</GrantedAccess>
 				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git\</SourceImage>
 			</Rule>
-			<Rule name="Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=Potential MalDoc Behavior" groupRelation="and">
 				<SourceImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</SourceImage>
 				<CallTrace condition="contains all">:\Windows\Microsoft.NET\Framework64\v2.;UNKNOWN</CallTrace>
 			</Rule>
-			<Rule name="Level=4,Alert=Potential Metasploit Process Migration" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Potential Metasploit Process Migration" groupRelation="and">
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 				<GrantedAccess condition="contains">0x147a</GrantedAccess>
 			</Rule>
@@ -3773,8 +3773,8 @@
 				<TargetFilename condition="contains">\AppData\Temp\</TargetFilename>
 				<Image condition="excludes">C:\WINDOWS\system32\dxgiadaptercache.exe</Image>
 			</Rule>
-			<TargetFilename condition="contains" name="Level=0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
-			<Image condition="contains" name="Level=0,Desc=Files Created from">$Recycle.Bin</Image>
+			<TargetFilename condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
+			<Image condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Files Created from">$Recycle.Bin</Image>
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Files Created within System Profile" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 				<TargetFilename condition="contains">\config\systemprofile\</TargetFilename>
@@ -4102,8 +4102,8 @@
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wscript.exe.log</TargetFilename>
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\regsvr32.exe.log</TargetFilename>
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Winrm Host Process" condition="end with">\UsageLogs\wsmprovhost.exe.log</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Link">.lnk</TargetFilename>
-			<TargetFilename name="Level=0,Desc=URL">.url</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Link">.lnk</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=URL">.url</TargetFilename>
 			<!--Drivers dropped-->
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sys</TargetFilename>
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.inf</TargetFilename>
@@ -4563,7 +4563,7 @@
 				<EventType condition="is">CreateKey</EventType>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<Rule name="Level=3,Alert=Sysmon Manifest change detected,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=Sysmon Manifest change detected,Risk=30" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}</TargetObject>
 				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
 				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
@@ -5470,7 +5470,7 @@
 				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
 				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.vbs;.hta</TargetFilename>
 			</Rule>
-			<Rule name="Level=4,Alert=HTML_Smuggling,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=HTML_Smuggling,Risk=50" groupRelation="and">
 				<TargetFilename condition="end with">:Zone.Identifier</TargetFilename>
 				<Contents condition="contains any">blob:;about:internet</Contents>
 			</Rule>
@@ -5684,7 +5684,7 @@
 				<QueryName condition="contains any">.slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com</QueryName>
 			</Rule>
 			<!--Crypto Currency Mining pools-->
-			<Rule name="Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=10"  groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=10"  groupRelation="or">
 				<QueryName condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.nimpool.io;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool;analytics.blue;estream.to</QueryName>
 			</Rule>
 			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">graph.microsoft.com</QueryName>
@@ -5741,7 +5741,7 @@
 			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_kerberos._udp.dc._msdcs.</QueryName>
 			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
 			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">wpad</QueryName>
-			<Rule name="Level=3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
 				<QueryName condition="begin with">_ldap.</QueryName>
 				<Image condition="excludes">C:\Windows\</Image>
 				<Image condition="excludes">unknown process</Image>
@@ -5757,7 +5757,7 @@
 			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  99</QueryResults>
 			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  33</QueryResults>
 			-->
-			<Image name="Information=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
 		</DnsQuery>
 	</RuleGroup>
 	<RuleGroup name="RG=DNS Query Excludes" groupRelation="or">

From 7ec3de1a7741dcd6e077ae02d1a14b69aed347f1 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 23 Sep 2022 10:49:55 -0400
Subject: [PATCH 362/471] merge in changes from cyberkryption

---
 sysmonconfig-export.xml | 1252 +++++++++++++++++++--------------------
 1 file changed, 626 insertions(+), 626 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 4bbab408..0e7633fa 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -299,7 +299,7 @@
 				<Company condition="excludes any">Brother Industries;Thomson Reuters</Company>
 			</Rule>
 			<ParentCommandLine name="Attack=T1059.001,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=4,Alert=Metasploit Detection,Risk=90" condition="contains">COMSPEC</ParentCommandLine>
-			<CommandLine name="Level=0,Desc=ScriptFile execution" condition="contains">ScriptFile</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">ScriptFile</CommandLine>
 			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\7z</CommandLine><!-- exec from 7zip -->
 			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\Temp1_</CommandLine><!-- exec from explorer -->
 			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">\AppData\Local\Temp\Rar$</CommandLine><!-- exec from winrar -->
@@ -312,8 +312,8 @@
 			</Rule>
 			<CommandLine name="Attack=T1059.001,Technique=PowerShell,Tactic=Execution,Level=4,Alert=invoke-shellcode,Risk=100" condition="contains">Shellcode</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
-			<Image name="Level=4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
-			<Image name="Level=0,Desc=Python Execution,Tactic=Privilege Escalation" condition="image">python.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">python.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
 			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,Level=3,Alert=JAVA DLL exec" condition="contains">-agentpath:</CommandLine>
 			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,Level=3,Alert=JAVA DLL exec" condition="contains">-agentlib:</CommandLine>
@@ -637,7 +637,7 @@
 				<ParentUser condition="contains any">NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</ParentUser>
 				<User condition="contains any">NT AUTHORITY\SYSTEM;СИСТЕМА;NT-AUTORITÄT\SYSTEM;AUTORITE NT\SYSTEM</User>
 			</Rule>
-			<ParentCommandLine name="Level=0,Desc=Possible Token manipulation" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine> <!-- can be useful for tokens manip detection -->
+			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine> <!-- can be useful for tokens manip detection -->
 			<Image name="Attack=T1134,Technique=Access Token Manipulation,Tactic=NA,Level=2,Alert=Token Manipulation with runas.exe,Risk=70" condition="image">runas.exe</Image> 
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
@@ -701,8 +701,8 @@
 
 			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
 			<Image condition="contains">unknown process</Image>
-			<Image name="Level=0,Desc=WSL Execution" condition="contains">\LocalState\rootfs\</Image>
-			<ParentImage name="Level=0,Desc=WSL Execution" condition="contains">\LocalState\rootfs\</ParentImage>			
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\LocalState\rootfs\</Image>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\LocalState\rootfs\</ParentImage>			
 			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
@@ -825,7 +825,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
 			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg add hkcu\software\classes\</CommandLine>
 			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg.exe add hkcu\software\classes\</CommandLine> 
-			<ParentCommandLine name="Level=0,Desc=Remote Registry Activity,Risk=39" condition="begin with">C:\WINDOWS\system32\svchost.exe -k localService -s RemoteRegistry</ParentCommandLine>
+			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\WINDOWS\system32\svchost.exe -k localService -s RemoteRegistry</ParentCommandLine>
 			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Alternate Data Streams with Regedit" groupRelation="and">
 				<OriginalFileName condition="is">regedit.exe</OriginalFileName>
 				<CommandLine condition="contains">:</CommandLine>
@@ -904,7 +904,7 @@
 				<CommandLine condition="contains">0x</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information: Compile After Delivery-->
-			<Rule name="Level=4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
 				<Image condition="image">csc.exe</Image>
 				<CommandLine condition="contains any">\AppData\;\Windows\Temp\</CommandLine>
 			</Rule>
@@ -926,7 +926,7 @@
 				<ParentImage condition="is">csc.exe</ParentImage>
 				<CommandLine condition="contains any">out:;target:library</CommandLine>
 			</Rule>
-			<Image name="Level=0,Desc=Workflow Compiler https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb" condition="contains">Microsoft.Workflow.Compiler.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft.Workflow.Compiler.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
 			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
 			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
@@ -1034,11 +1034,11 @@
 			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
 			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
-			<Rule name="Level=0,Desc=InstallUtil 1" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
 				<CommandLine condition="contains all">/logfile=;/LogToConsole=false;/U</CommandLine>
 			</Rule>
-			<Rule name="Level=0,Desc=InstallUtil 2" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
 				<CommandLine condition="contains all">-logfile=;-LogToConsole=false;-U</CommandLine>
 			</Rule>
@@ -1214,7 +1214,7 @@
 			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">syssetup.dll;SetupInfObjectInstallAction</CommandLine>
 			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">setupapi.dll;InstallHinfSection</CommandLine>
 			<CommandLine condition="contains">InstallHinfSection</CommandLine>
-			<Image name="Level=0,Desc=infDefaultInstall" condition="image">infDefaultInstall.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">infDefaultInstall.exe</Image>
 			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=APT28 CHOPSTICK Detection,Risk=70" condition="contains">rundll32.exe "C:\Windows\twain_64.dll"</CommandLine>
 			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Shdocvw exec via rundll32,Risk=70" condition="contains all">shdocvw.dll;OpenURL</CommandLine>
 			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Testing advpack exec,Risk=70" condition="contains all">advpack.dll;RegisterOCX</CommandLine>
@@ -1266,7 +1266,7 @@
 				<Image condition="image">msbuild.exe</Image>
 				<CommandLine condition="contains">.lnk</CommandLine>
 			</Rule>
-			<CommandLine name="Level=0,Desc=.csproj execution" condition="contains">.csproj</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">.csproj</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
 			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
@@ -1442,7 +1442,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
 			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg query</CommandLine>
 			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg.exe query</CommandLine>
-			<Image name="Level=0,Desc=Driver Querying" condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
 
 			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
 			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,Level=2,Alert=Traceroute Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">tracert.exe</Image>
@@ -1547,14 +1547,14 @@
 				<CommandLine condition="contains any">ADD;DEL;CHANGE;-f</CommandLine>
 			</Rule>
 			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=User enumeration with qwinsta" condition="image">qwinsta.exe</Image>
-			<Image name="Level=0,Desc=rwinsta" condition="image">rwinsta.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">rwinsta.exe</Image>
 			
 			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
 
 			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
-			<Rule name="Level=0,Desc=Possible Lateral Movmt via Office Application,Risk=80" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<ParentImage condition="contains">Microsoft Office\root\Office</ParentImage>
 				<Image condition="excludes">Microsoft Office\root\Office</Image>
 				<ParentCommandLine condition="contains all">automation;Embedding</ParentCommandLine>
@@ -1677,9 +1677,9 @@
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image>
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Sysinternals PSService" condition="contains">psservice</Image>
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Sysinternals PsPasswd" condition="contains">PsPasswd</Image>
-			<Image name="Level=0,Desc=Remote Desktop" condition="image">mstsc.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">mstsc.exe</Image>
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image>
-			<Image name="Level=3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
 			<CommandLine name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=IIS powershellcustomhost exec" condition="contains">powershellcustomhost</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Remote Services: Distributed Component Object Model-->
 			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement" groupRelation="and">
@@ -1928,8 +1928,8 @@
 			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">delete catalog</CommandLine>
 			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">wbadmin delete catalog</CommandLine>
 			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Desc=Data Destruction with erase Detected,Risk=100" condition="contains">erase</CommandLine>
-			<CommandLine name="Level=0,Desc=vShadow Commands! https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/" condition="contains">-nw -exec=</CommandLine><!-- vshadow -->
-			<CommandLine name="Level=0,Desc=vShadow Commands! https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/" condition="contains">-p -nw</CommandLine><!-- vshadow -->
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">-nw -exec=</CommandLine><!-- vshadow -->
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">-p -nw</CommandLine><!-- vshadow -->
 			<Image name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with shred Detected,Risk=100" condition="contains">shred</Image>
 			<ParentImage name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Diskshadow Execution,Risk=70" condition="contains">diskshadow</ParentImage>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Command Line File Deletion,Risk=100" groupRelation="or">
@@ -1960,7 +1960,7 @@
 			<!--Malicious Keywords Credits: Sean Metcalf (source), Florian Roth (rule)-->
 			<CommandLine name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,Level=4,Alert=Malicious Keywords from Exploitation Frameworks" condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
 			<!--Crypto Currency Miner Detections-->
-			<Rule name="Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
 				<CommandLine condition="contains any">ahashpool;blazepool;blockmasters;blockmasterscoins;ccminer;cgminer;coinhive;hashrefinery;minergate;miningpoolhubcoins;nicehash;poolname;poolpassword;poolurl;rainbowminer;sgminer;stratum+tcp;xmrMiner;xmrig;yiimp;zergpool;zergpoolcoins;zpool</CommandLine>
 				<Description condition="contains any">CPU miner;GPU miner;Lime Miner;XMRig CPU miner; miner</Description>
 			</Rule>
@@ -1968,9 +1968,9 @@
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst hashes,Risk=100" groupRelation="and">
 				<Hashes condition="contains any">b91ce2fa41029f6955bff20079468448;02af7cec58b9a5da1c542b5a32151ba1;2c4a910a1299cdae2a4e55988a2f102e;846e27a652a5e1bfbd0ddd38a16dc865;4f2eb62fa529c0283b28d05ddd311fae;56ceb6d0011d87b6e4d7023d7ef85676</Hashes>
 			</Rule>
-			<Hashes condition="end with" name="Level=0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
-			<Hashes condition="end with" name="Level=0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
-			<Hashes condition="end with" name="Level=0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
+			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
+			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
+			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
 			<Hashes name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=4,Alert=Generic APT Hash Detection,Risk=100" condition="contains any">4a069c1abe5aca148d5a8fdabc26751e;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;a4b42c2c95d1f2ff12171a01c86cd64f;98908ce6f80ecc48628c8d2bf5b2a50c;849a2b0dc80aeca3d175c139efe5221c;807d86da63f0db1fc746d1f0b05bc357;322cb39bc049aa69136925137906d855;86A4CAC227078B9C95C560C8F0370BF0;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;eac3e3ece94bc84e922ec077efb15edd;b4abe604916c04fe3dd8b9cb3d501d3f;88777aacd5f16599547926a4c9202862;128CECC59C91C0D0574BC1075FE7CB40;17a36ac3e31f3a18936552aff2c80249;0f49621b06f2cdaac8850c6e9581a594;3d129263f6a48647f103a04446fb0c2f;71345b139166482acaa568ac8816c7bc;1b60021baedc3f9201bcdb40e9b87f62;5E022694C0DBD1FBBC263D608E577949;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;37cd353621b0f4fc6981b50071c94f01;daf2da52475fd8981b19ec3c321a983c;afcdf79be1557326c854b6e20cb900a7;2f40abbb4f78e77745f0e657a19903fc953cc664;37b4496e650b3994312c838435013560b3ca8571;478dc5a5f934c62a9246f7d1fc275868f568bc07;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;0ac48cfa2ff8351365e99c1d26e082ad;0e9afd3a870906ebf34a0b66d8b07435;1aadf739782afcae6d1c3e4d1f315cbd;2a6f7ec77ab6bd4297e7b15ae06e2e61;3a771efb7ba2cd0df247ab570e1408b2;3d75c72144d873b3c1c4977fbafe9184;3dfebce4703f30eed713d795b90538b5;3ffd2915d285ad748202469d4a04e1f5;4e39620afca6f60bb30e031ddc5a4330;6cfd131fef548fcd60fbcdb59317df8e;7bcd736a2394fc49f3e27b3987cce640;7bfba2c69bed6b160261bdbf2b826401;7bfbd72441e1f2ed48fbc0f33be00f24;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;08e82dc7bae524884b7dc2134942aadb;8da15a97eaf69ff7ee184fc446f19cf1;9ad6fa6fdedb2df8055b3d30bd6f64f1;9c115e9a81d25f9d88e7aaa4313d9a8f;16ab79fb2fd92db0b1f38bedb2f02ed8;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;22d142f11cf2a30ea4953e1fffb0fa7e;36db24006e2b492cafb75f2663f241b2;51a7068640af42c3a7c1b94f1c11ab9d;69a19abf5ba56ee07cdd3425b07cf8bf;72dc98449b45a7f1ccdef27d51e31e91;77a745b07d9c453650dd7f683b02b3ed;80c37e062aa4c94697f287352acf2e9d;92f8e3f0f1f7cc49fad797a62a169acd;235d427f94630575a4ea4bff180ecf5d;320b2f1d9551b5d1df4fb19bd9ab253a;490a140093b5870a47edc29f33542fd2;520ee02668a1c7b7c262708e12b1ba6b;649ef1dd4a5411d3afcf108d57ff87af;684eca6b62d69ce899a3ec3bb04d0a5b;815f1f8a7bc1e6f94cb5c416e381a110;0969b2b399a8d4cd2d751824d0d842b4;2317d65da4639f4246de200650a70753;04078ef95a70a04e95bda06cc7bec3fa;8035a8a143765551ca7db4bc5efb5dfd;8403a28e0bffa9cc085e7b662d0d5412;9003cfaac523e94d5479dc6a10575e60;9793afcea43110610757bd3b800de517;27612cb03c89158225ca201721ea1aad;44619a88a6cff63523163c6a4cf375dd;061089d8cb0ca58e660ce2e433a689b3;81229c1e272218eeda14892fa8425883;84730a6e426fbd3cf6b821c59674c8a0;533340c54bd25256873b3dca34d7f74e;57314359df11ffdf476f809671ec0275;99828721ac1a0e32e4582c3f615d6e57;412956675fbc3f8c51f438c1abc100eb;5985087678414143d33ffc6e8863b887;a43d3b31575846fa4c3992b4143a06da;a571660c9cf1696a2f4689b2007a12c7;b4e67706103c3b8ee148394ebee3f268;b9c208ea8115232bfd9ec2c62f32d6b8;b9cf4301b7b186a75e82a04e87b30fe4;b72737b464e50aa3664321e8e001ff32;bfe3f6a79cad5b9c642bb56f8037c43b;c0e72eb4c9f897410c795c1b360090ef;c1e7850da5604e081b9647b58248d7e8;c3e255888211d74cc6e3fb66b69bbffb;cacaa3bf3b2801956318251db5e90f3c;cdb303f61a47720c7a8c5086e6b2a743;ce8ce92fb6565181572dce00d69c24f8;d8f1356bebda9e77f480a6a60eab36bb;d9e9f22988d43d73d79db6ee178d70a4;d5377dc1821c935302c065ad8432c0d2;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;f559c87b4a14a4be1bd84df6553aaf56;fc53f2cd780cd3a01a4299b8445f8511;ffc7305cb24c1955f9625e525d58aeee</Hashes>
 			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=4,Alert=Windows Credential Editor Detection,Risk=70" condition="contains any">e96a73c7bf33a464c510ede582318bf2;a53a02b997935fd8eedcb5f7abab9b9f</Hashes>
 			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Ransomware Hash Detection,Risk=100" condition="contains any">d326e629a90e78825645963b35e53a6a;c579341f86f7e962719c7113943bb6e4;dc5733c013378fa418d13773f5bfe6f1;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc7e564809d6c2a2f3457c3c9b91f22b;FE2CA1BE3BDA2A757036A89E54CC02DB;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b</Hashes>
@@ -2024,54 +2024,54 @@
 			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=3,Alert=Hacking with python,Risk=70" condition="contains">pythonEngine.Execute</CommandLine>
 			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=4,Alert=Hacking with session hijacking,Risk=100" condition="contains">sesshijack</CommandLine>
 			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=File Protocol Handler Execution" condition="contains">file://</CommandLine>
-			<Description name="Level=0,Desc=HTML APP Host" condition="end with">HTML Application host</Description>
-			<Description name="Level=0,Desc=Manager Profile Installer" condition="end with">Manager Profile Installer</Description>
-			<Description name="Level=0,Desc=Microsoft Application Virtualization Injector" condition="contains">Microsoft Application Virtualization Injector</Description>
-			<Description name="Level=0,Desc=App Compat Database installer" condition="contains">Application Compatibility Database Installer</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">HTML Application host</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Manager Profile Installer</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft Application Virtualization Injector</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Application Compatibility Database Installer</Description>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">popd.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">pushd.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">subst.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=detect aliases" condition="image">doskey.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=detect cls in batch scripts" condition="image">cls.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=UNC\Device Launches - Image begins with \,Risk=10" condition="begin with">\</Image> 
-			<ParentCommandLine name="Level=0,Desc=IIS Child Processes" condition="begin with">C:\Windows\system32\svchost.exe -k iissvcs</ParentCommandLine>
+			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\system32\svchost.exe -k iissvcs</ParentCommandLine>
 			<ParentImage name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=UNC\Device Launches - Parent Image begins with \,Risk=10" condition="begin with">\</ParentImage> 
 			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Acrobat" condition="image">acrobat.exe</ParentImage>
 			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Adobe Reader" condition="image">acrord32.exe</ParentImage>
-			<ParentImage name="Level=0,Desc=Process Spawned from JAVA" condition="image">java.exe</ParentImage>
-			<ParentImage name="Level=0,Desc=Process Spawned from JAVA" condition="image">javaw.exe</ParentImage>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">java.exe</ParentImage>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">javaw.exe</ParentImage>
 			<!--Detect Output Redirection-->
 			<!-- Disabled for now: Reason: Overrides other detections, waiting on Sysmon multiple rule firing
-			<CommandLine name="Level=0,Desc=Output Redirection" condition="contains">2></CommandLine>
-			<CommandLine name="Level=0,Desc=Output Redirection" condition="contains">&gt;</CommandLine>
-			<CommandLine name="Level=0,Desc=Output Redirection" condition="contains">&lt;</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">2></CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">&gt;</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">&lt;</CommandLine>
 			-->
 			<!--Detect Multiple Commands-->
-			<Rule  name="Level=0,Desc=SVCHost Processes" groupRelation="and">
+			<Rule  name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
 			</Rule>
 			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Permission Modifications with icacls or cacls" condition="contains">cacls</Image>
 			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Ownership Permission Modifications with takeown" condition="contains">takeown</Image>
-			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
-			<Rule  name="Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
+			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
+			<Rule  name="Attack=None,Technique=None,Tactic=None,Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
 				<CommandLine condition="contains">\pipe\</CommandLine>
 				<CommandLine condition="excludes">&gt;</CommandLine> <!--Excludes piping to pipe for cobalt strike detection-->
 			</Rule>
-			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
-			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
-			<CommandLine name="Level=3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
-			<CommandLine name="Level=3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
-			<CommandLine name="Level=3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
-			<CommandLine name="Level=0,Desc=Execution from \\tsclient share" condition="contains">\\tsclient</CommandLine>
-			<CommandLine name="Level=0,Desc=Processor ARCH command Line" condition="contains">%PROCESSOR_ARCHITECTURE%</CommandLine>
-			<CommandLine name="Level=0,Desc=SysNative detected" condition="contains">sysnative</CommandLine>
-			<Description name="Level=0,Desc=AutoIT Application Detected" condition="contains">AutoIt</Description>
-			<Description name="Level=0,Desc=Windows Filter loader" condition="contains">Microsoft Filter Loader</Description> 
-			<Image name="Level=3,Alert=interactive command to slow output" condition="is">more.com</Image>
-			<Image name="Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</Image>
-			<Image name="Level=0,Desc=Acrobat Reader Launches" condition="image">acrord32.exe</Image>
-			<Image name="Level=0,Desc=Gpupdate Launched" condition="image">gpupdate.exe</Image>
-			<ParentImage name="Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
+			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
+			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\\tsclient</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">%PROCESSOR_ARCHITECTURE%</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">sysnative</CommandLine>
+			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">AutoIt</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft Filter Loader</Description> 
+			<Image name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=interactive command to slow output" condition="is">more.com</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">:\Windows\Microsoft.NET\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">acrord32.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">gpupdate.exe</Image>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
 			<!-- Log other command line events, this sometimes conflicts with rules, add to exclusions as necessary-->
 			<!-- <ParentCommandLine name="Information=Uncategorized Events" condition="contains any">/;\;-;unknown;</ParentCommandLine>-->
 		</ProcessCreate>
@@ -2230,7 +2230,7 @@
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from wwwroot folder: Possible webshell,Risk=100" groupRelation="and">
 				<Image condition="contains">\wwwroot\</Image>
 			</Rule>
-			<Image name="Level=4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from Windows\repair Folder,Risk=70" condition="begin with">C:\Windows\repair\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from htdocs folder,Risk=70" condition="contains">\htdocs\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from systemprofile Folder,Risk=30" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
@@ -2247,8 +2247,8 @@
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network Connection from NetworkService User folder,Risk=30" condition="begin with">C:\Users\NetworkService\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network connection from Public User folder,Risk=30" condition="begin with">C:\Users\Public\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network connection within Media Folder,Risk=30" condition="begin with">C:\Windows\Media\</Image>
-			<Image name="Level=0,Desc=Input Method Network Connection" condition="contains">\Windows\IME\</Image>
-			<Image name="Level=0,Desc=Programdata Network Connection" condition="begin with">C:\ProgramData</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Windows\IME\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\ProgramData</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
@@ -2475,11 +2475,11 @@
 			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
 
 			<!--MITRE ATT&CK TACTIC: Command and Control-->
-			<Rule name="Level=0,Desc=Cobalt Strike Team Server port,Risk=70" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<DestinationPort condition="is">50050</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<Rule name="Level=0,Desc=Outbound SMTP Email Sending,Risk=10" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<DestinationPort condition="is">25</DestinationPort>
 				<Image condition="excludes any">\Bin\EdgeTransport.exe;Bin\MSExchangeFrontendTransport.exe</Image>
 				<Initiated>true</Initiated>
@@ -2543,11 +2543,11 @@
 			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
 			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<DestinationHostname name="Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
+			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<!--UEBA Rules-->
-			<Rule name="Level=0,Desc=Inbound Windows SVCHost Network Connection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
 				<DestinationPort condition="is not">3389</DestinationPort>
 				<DestinationPort condition="is not">22</DestinationPort>
@@ -2555,24 +2555,24 @@
 				<DestinationPort condition="is not">5985</DestinationPort>
 				<Initiated>false</Initiated>
 			</Rule>
-			<Rule name="Level=0,Desc=Outbound Windows SVCHost Network Connection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
 				<Initiated>true</Initiated>
 				<SourcePort condition="is not">135</SourcePort>
 				<SourcePort condition="is not">445</SourcePort>
 				<DestinationPort condition="is not">5985</DestinationPort>
 			</Rule>
-			<Rule name="Level=0,Desc=Outbound Non-System port 445 SMB connections" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="is not">System</Image>
 				<Image condition="excludes">svchost.exe</Image>
 				<DestinationPort condition="is">445</DestinationPort>
 			</Rule>
-			<Rule name="Level=0,Desc=Outbound Non-System port 389 LDAP connections" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="is not">System</Image>
 				<Image condition="excludes any">svchost.exe;lsass.exe</Image>
 				<DestinationPort condition="is">389</DestinationPort>
 			</Rule>
-			<Rule name="Level=0,Desc=Inbound LDAP Connections" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="image">C:\Windows\System32\lsass.exe</Image>
 				<DestinationPort condition="is">389</DestinationPort>
 				<DestinationIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</DestinationIp>
@@ -2580,103 +2580,103 @@
 				<SourceIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</SourceIp>
 				<Initiated>false</Initiated>
 			</Rule>
-			<Rule name="Level=4,Alert=Notepad connecting to the internet" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Notepad connecting to the internet" groupRelation="and">
 				<Image condition="image">notepad.exe</Image>
 				<DestinationIp condition="excludes">127.0.0.1</DestinationIp>
 			</Rule>
-			<Rule name="Level=0,Desc=Browsers accessing non-standard ports" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
 				<DestinationPort condition="is not">80</DestinationPort>
 				<DestinationPort condition="is not">443</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<DestinationHostname name="Level=0,Desc=Connection to Github,Risk=30" condition="contains">github</DestinationHostname> 
-			<DestinationHostname name="Level=0,Desc=Connection to Github,Risk=30" condition="contains">githubusercontent.com</DestinationHostname>
-			<Rule name="Level=0,Desc=Web Browser HTTP Connections" groupRelation="and">
+			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">github</DestinationHostname> 
+			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">githubusercontent.com</DestinationHostname>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
 				<DestinationPort condition="is">80</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<Rule name="Level=0,Desc=Web Browser HTTPS Connections" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
 				<DestinationPort condition="is">443</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<Rule name="Level=0,Desc=Apache Webserver" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="image">apache.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=JAVA Network Connections" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="image">java.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Microsoft IIS Webserver" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="image">w3wp.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=PHP Webserver" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">\php-cgi.exe;\php.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Setup Network connectivity" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains">setup</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Tomcat Webserver connectivity" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains">tomcat</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Uninstaller Network connectivity" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains">unins</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Unknown Process Connecting to network" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains">unknown process</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Windows Explorer Network Connection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains">explorer.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Windows SMTP Server" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="image">inetinfo.exe</Image>
 			</Rule>
 			<!--3rd Party tools-->
-			<Image name="Level=0,Desc=Netcat network connection Detected" condition="contains any">netcat.exe;nc.exe;nc64.exe;ncat.exe</Image>
-			<Image name="Level=0,Desc=Procdump Detected" condition="contains any">procdump</Image>
-			<Image name="Level=0,Desc=PSExec Network Connection" condition="contains any">psexe</Image>
-			<Image name="Level=0,Desc=VNC Network Connection" condition="contains any">vnc;vncs;vncv</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">netcat.exe;nc.exe;nc64.exe;ncat.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">procdump</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">psexe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">vnc;vncs;vncv</Image>
 			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
 				<Image condition="contains any">rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe;advanced_port_scanner.exe;rcpping.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe</Image>
 			</Rule>
 			<!--Destination Ports to Monitor-->
-			<DestinationPort name="Level=0,Desc=Port: 0" condition="is">0</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">0</DestinationPort>
 			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5985</DestinationPort>
 			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5986</DestinationPort>
-			<DestinationPort name="Level=0,Desc=IPSec" condition="is">1293</DestinationPort>
-			<DestinationPort name="Level=0,Desc=L2TP" condition="is">1701</DestinationPort>
-			<DestinationPort name="Level=0,Desc=OpenVPN,Risk=39" condition="is">1194</DestinationPort>
-			<DestinationPort name="Level=0,Desc=Remote Assistance Connection,Risk=20" condition="is">3540</DestinationPort>
-			<DestinationPort name="Level=0,Desc=Remote Desktop Connection,Risk=20" condition="is">3389</DestinationPort>
-			<DestinationPort name="Level=0,Desc=SSH Port,Risk=30" condition="is">22</DestinationPort>
-			<DestinationPort name="Level=0,Desc=Socks Proxy Port 1080" condition="is">1080</DestinationPort>
-			<DestinationPort name="Level=0,Desc=Socks Proxy Port 3128" condition="is">3128</DestinationPort>
-			<DestinationPort name="Level=0,Desc=Socks Proxy Port 8080" condition="is">8080</DestinationPort>
-			<DestinationPort name="Level=0,Desc=TOR Port" condition="is">1723</DestinationPort>
-			<DestinationPort name="Level=0,Desc=Telnet Port,Risk=30" condition="is">23</DestinationPort>
-			<DestinationPort name="Level=0,Desc=Tor Port" condition="is">4500</DestinationPort>
-			<DestinationPort name="Level=0,Desc=Tor Port,Risk=50" condition="is">9001</DestinationPort>
-			<DestinationPort name="Level=0,Desc=Tor Port,Risk=50" condition="is">9030</DestinationPort>
-			<DestinationPort name="Level=0,Desc=VNC Port" condition="is">5900</DestinationPort>
-			<DestinationPort name="Level=0,Desc=VNC,Risk=50" condition="is">5800</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1293</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1701</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1194</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">3540</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">3389</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">22</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1080</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">3128</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">8080</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1723</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">23</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">4500</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">9001</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">9030</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">5900</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">5800</DestinationPort>
 			<!--Source Ports to Monitor-->
-			<SourcePort name="Level=0,Desc=Port: 0" condition="is">0</SourcePort>
-			<Rule name="Level=0,Desc=Non-Browsers Accessing HTTPS" groupRelation="and">
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">0</SourcePort>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
 				<DestinationPort condition="is">443</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<Rule name="Level=0,Desc=Non-Browsers Accessing HTTP" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
 				<DestinationPort condition="is">80</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<SourcePort name="Level=0,Desc=HTTP" condition="is">80</SourcePort>
-			<SourcePort name="Level=0,Desc=HTTPS" condition="is">443</SourcePort>
-			<SourcePort name="Level=0,Desc=LDAPS" condition="is">636</SourcePort>
-			<SourcePort name="Level=0,Desc=VNC" condition="is">5900</SourcePort>
-			<SourcePort name="Level=0,Desc=HTTPS" condition="is">443</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">80</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">443</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">636</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">5900</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">443</SourcePort>
 			<!--Suspicious network connections-->
 			<DestinationHostname name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=4,Alert=Dynamic DNS Connection" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</DestinationHostname>
 		</NetworkConnect>
@@ -2815,7 +2815,7 @@
 			<Image condition="image">MSExchangeFrontendTransport.exe</Image>
 			<Image condition="image">MSExchangeHMWorker.exe</Image>
 			<Image condition="image">MSExchangeSubmission.exe</Image>
-			<Image name="Level=0,Desc=UNC Path Network Connections" condition="begin with">\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">\</Image>
 		</NetworkConnect>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->
@@ -2827,18 +2827,18 @@
 		<!--COMMENT:	Useful data in building infection timelines.-->
 		<RuleGroup name="RG=ProcessTerminate Include Group" groupRelation="or">
 		<ProcessTerminate onmatch="include">
-			<Rule name="Level=0,Desc=Process Termination Events in Windows Directory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="begin with">C:\Windows\</Image>
 				<Image condition="excludes">\System32\;Syswow64;sysmon.exe;sysmon64.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Process Termination Events in System32" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="begin with">C:\Windows\system32\</Image>
 				<Image condition="excludes">config\systemprofile\</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Process Termination of Sysmon" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Process Termination Events in Root folders" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">A:\;B:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;L:\;M:\;N:\;O:\;P:\;Q:\;R:\;S:\;T:\;U:\;V:\;W:\;X:\;Y:\;Z:\;AA:\;BB:\;CC:\;DD:\;EE:\;FF:\;GG:\;HH:\;II:\;JJ:\;KK:\;LL:\;MM:\;NN:\;OO:\;PP:\;QQ:\;RR:\;SS:\;TT:\;UU:\;VV:\;WW:\;XX:\;YY;ZZ:\</Image>
 				<Image condition="excludes">:\PROGRA~</Image>
 				<Image condition="excludes">:\Program Files</Image>
@@ -2852,29 +2852,29 @@
 				<Image condition="excludes">:\$WinREAgent</Image>
 				<Image condition="excludes">:\inetpub\</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Process Termination Events of UNC File Paths" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="begin with">\</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Process Termination Events in Users Directory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="begin with">C:\Users\</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Process Termination Events in ProgramData Directory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="begin with">C:\ProgramData\</Image>
 				<Image condition="excludes any">C:\ProgramData\sysmon\sysmon64.exe;C:\ProgramData\sysmon\sysmon.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Process Termination Events in Program Files Directories" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">C:\Program Files;C:\PROGRA~</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Process Termination Events in inetpub Directories" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="begin with">C:\inetpub\</Image>
 			</Rule>
 		<!-- Useful data in building infection timelines.-->
 			<Image name="Attack=T1036,Tactic=Masquerading,Technique=Defense Evasion,Level=4,Alert=Process Termination in Recyclebin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
 			<Image name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=0,Desc=Process Terminate: Killing of Log Shippers" condition="contains any">packetbeat.exe;metricbeat.exe;filebeat.exe;winlogbeat.exe;o365beat.exe;graylog-sidecar.exe;graylog-collector-sidecar.exe;splunkd.exe;splunk.exe;syslogng.exe;syslog-ng.exe;nxlog-processor.exe;snarecore.exe;fluentd;td-agent</Image>
-			<Image name="Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
-			<Image name="Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\sysWOW64\config\systemprofile\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\sysWOW64\config\systemprofile\</Image>
 			<Image condition="contains">\Temp\</Image>
-			<Image name="Level=0,Desc=User Process Terminations" condition="contains">C:\Users\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">C:\Users\</Image>
 		</ProcessTerminate>
 	</RuleGroup>
 	<RuleGroup name="RG=ProcessTerminate Exclude Group" groupRelation="or">
@@ -2899,14 +2899,14 @@
 			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=PWDump6 driver loaded,Risk=100" condition="contains">lsremora</ImageLoaded>
 			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=wceaux.dll driver loaded,Risk=100" condition="contains">wceaux.dll</ImageLoaded>
 			<ImageLoaded name="Attack=T1040,Tactic=Discovery,Technique=Network Sniffing,Level=4,Alert=NPCap packet capture driver loaded,Risk=100" condition="contains">npcap</ImageLoaded>
-			<ImageLoaded name="Level=0,Desc=Driver Loaded in Temp" condition="contains">\Temp</ImageLoaded>
-			<ImageLoaded name="Level=0,Desc=Driver Loaded in Users Directories" condition="contains">:\Users</ImageLoaded>
+			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Temp</ImageLoaded>
+			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">:\Users</ImageLoaded>
 			<Signature name="Attack=T1019,Technique=System Firmware,Tactic=Persistence,Level=4,Alert=UEFI Rootkit detection,Risk=100" condition="contains">ChongKim Chan</Signature>
 			<SignatureStatus condition="contains">?</SignatureStatus>
 			<SignatureStatus condition="contains">Revoked</SignatureStatus>
 			<SignatureStatus condition="contains">Unavailable</SignatureStatus>
 			<SignatureStatus condition="contains">Valid</SignatureStatus>
-			<Signed name="Level=0,Desc=Unsigned Driver loaded into Kernel" condition="contains">false</Signed>
+			<Signed name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">false</Signed>
 		</DriverLoad>
 	</RuleGroup>
 	<RuleGroup name="RG=DriverLoad Exclude Group" groupRelation="or">
@@ -2924,12 +2924,12 @@
 				<Image condition="is">msdt.exe</Image>
 				<ImageLoaded condition="contains">sdiageng.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=VBE7 Macro Image Loads with wshom,Risk=70" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wshom.ocx</ImageLoaded>
 				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Suspicious Process Loading ntkrnlmp.exe,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<ImageLoaded condition="image">ntkrnlmp.exe</ImageLoaded>
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,CVE=CVE-2021-1675,Level=0,Desc=Printer Expoit,Risk=100" groupRelation="and">
@@ -2943,7 +2943,7 @@
 				<ImageLoaded condition="contains any">\Users\Public\;\Desktop\;\Downloads\;\AppData\Local\Temp\;\PerfLogs\;$Recycle;\Fonts\</ImageLoaded>
 				<ImageLoaded condition="excludes any">\Program Files</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Equation editor loading itself,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="image">EQNEDT32.EXE</Image>
 				<ImageLoaded condition="contains">EQNEDT32.EXE</ImageLoaded>
 			</Rule>
@@ -2955,87 +2955,87 @@
 				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
 				<Image condition="contains any">wscript.exe;cscript.exe;powershell.exe;rundll32.exe;msbuild.exe;msiexec.exe;csc.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=VBE6 Macro Image Loads with wshom,Risk=40" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wshom.ocx</ImageLoaded>
 				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll;fastprox.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=VBE7 Macro Image Loads with wmi,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=VBE6 Macro Image Loads with wmi,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Office taskschd.dll Load" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=WScript taskschd.dll Load" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">wscript.exe;cscript.exe</Image>
 				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=WMI taskschd.dll Load" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="image">wmiprvse.exe</Image>
 				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Powershell Loading MSI.dll" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="image">powershell.exe</Image>
 				<ImageLoaded condition="is">msi.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Powershell Loading AMSI.dll" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains">powershell</Image>
 				<ImageLoaded condition="is">amsi.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Powershell Not Loading AMSI.dll" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="excludes">powershell</Image>
 				<ImageLoaded condition="is">amsi.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Office clr.dll Load" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="is">clr.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Suspicious clr windows management dll Load" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<ImageLoaded condition="contains all">clr.dll;System.Management.ni.dll;Microsoft.Build.Utilities</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Wscript Internet Access library Loads" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">wscript.exe;cscript.exe</Image>
 				<ImageLoaded condition="contains all">msxml;wshom.ocx</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Wscript Internet Access library Loads 2" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">wscript.exe;cscript.exe</Image>
 				<ImageLoaded condition="contains all">winhttp.dll;mswsock.dll;IPHLPAPI.DLL</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Interesting Installutil DLL Loads" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">installutil.exe</Image>
 				<ImageLoaded condition="contains all">CustomMarshalers.dll;CustomMarshalers.ni.dll;System.Management.ni.dll;WMINet_Utils.dll;mswsock.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Automation NI DLL Loaded" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<ImageLoaded condition="end with">System.Management.Automation.ni.dll</ImageLoaded>
 				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Automation DLL Loaded" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<ImageLoaded condition="end with">System.Management.Automation.dll</ImageLoaded>
 				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
 				<ImageLoaded condition="excludes any">Lenovo.Vantage.AddinHost;\Microsoft.Sara.exe;C:\Program Files\CONEXANT</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Credential Manager DLL Loaded" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded>
 				<Image condition="excludes any">\svchost.exe;\GameBar.exe;C:\Program Files\WindowsApps;\Microsoft\Teams\current\Teams.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=UNC Path Image Loaded" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<ImageLoaded condition="begin with">\\</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=WLL Office Application Startup" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<ImageLoaded condition="contains">\Microsoft\Word\Startup\</ImageLoaded>
 				<ImageLoaded condition="end with">.wll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=XLL Office Application Startup" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<ImageLoaded condition="contains">\Microsoft\Excel\Startup\</ImageLoaded>
 				<ImageLoaded condition="end with">.xll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Office Application Startup Generic" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<ImageLoaded condition="contains">\Microsoft\Addins\</ImageLoaded>
 				<ImageLoaded condition="contains any">.xla</ImageLoaded>
 			</Rule>
@@ -3059,14 +3059,14 @@
 				<ImageLoaded condition="excludes">shcore.dll</ImageLoaded>
 				<ImageLoaded condition="excludes">srvcli.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Potential C3 Framework,Risk=100" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<ImageLoaded condition="contains all">odbc32.dll;winhttp.dll;netapi32.dll;SHLWAPI.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Explorer Loading Powershell in memory,Risk=100" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="image">C:\Windows\Explorer.EXE</Image>
 				<ImageLoaded condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Programdata Image Loading exe Image from Programdata" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="begin with">C:\ProgramData\</Image>
 				<ImageLoaded condition="begin with">C:\ProgramData\</ImageLoaded>
 				<ImageLoaded condition="end with">.exe</ImageLoaded>
@@ -3075,24 +3075,24 @@
 				<ImageLoaded condition="excludes">C:\ProgramData\Microsoft\Windows Defender\</ImageLoaded>
 				<ImageLoaded condition="excludes">C:\ProgramData\sysmon\sysmon64.exe</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<ImageLoaded condition="contains any">C:\Users\Default\;C:\Users\Public\</ImageLoaded>
 				<ImageLoaded condition="end with">.exe</ImageLoaded>
 			</Rule>
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst image hashes,Risk=100" groupRelation="and">
 				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
 			</Rule>
-			<Rule name="Level=0,Desc=SVCHost loading Unsigned DLL" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
 				<Signed condition="is">false</Signed>
 			</Rule>
-			<Rule name="Level=0,Desc=Revoked Signature Libraries Loaded" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<SignatureStatus condition="is">Revoked</SignatureStatus>
 			</Rule>
-			<Rule name="Level=0,Desc=Expired Signature Libraries Loaded" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<SignatureStatus condition="is">Expired</SignatureStatus>
 			</Rule>
-			<Rule name="Level=4,Alert=HTA Exec with IE JS Engine AMSI Bypass" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=HTA Exec with IE JS Engine AMSI Bypass" groupRelation="and">
 				<ImageLoaded condition="end with">jscript9.dll</ImageLoaded>
 				<Image condition="image">mshta.exe</Image>
 			</Rule>
@@ -3119,20 +3119,20 @@
 				<Image condition="excludes">C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_</Image>
 				<Image condition="excludes">C:\Windows\explorer.exe</Image>
 			</Rule>
-			<ImageLoaded name="Level=0,Desc=Global Assembly Cache Load" condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
+			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
 		</ImageLoad>
 	</RuleGroup>
 	<RuleGroup name="RG=Image Load Excludes" groupRelation="or">
 		<ImageLoad onmatch="exclude">
-			<Rule name="Level=0,Desc=XLL Office Application Startup removal" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains">\Microsoft Office\</Image>
 				<ImageLoaded condition="end with">\mscorlib.ni.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=XLL Office Application Startup removal" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains">\Microsoft Office\</Image>
 				<ImageLoaded condition="end with">\sppc.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=SVCHost Signed DLL" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
 				<Signed condition="is">true</Signed>
 			</Rule>
@@ -3286,10 +3286,10 @@
 			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=PssCaptureSnapShot,Risk=50" groupRelation="and">
 				<CallTrace condition="contains">C:\Windows\System32\KernelBase.dll+de67e</CallTrace>
 			</Rule>
-			<Rule name="Level=0,Desc=Dotnet Debugging detected,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<CallTrace condition="contains">ntdll.dll+a0044</CallTrace>
 			</Rule>
-			<Rule name="Level=0,Alert=DInvoke detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<CallTrace condition="contains any">clr.dll+6c23;clr.dll+6b38</CallTrace>
 			</Rule>
 			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 1,Risk=30" groupRelation="and">
@@ -3342,7 +3342,7 @@
 				<GrantedAccess>0x1F3FFF</GrantedAccess>
 				<CallTrace condition="contains any">C:\Windows\Microsoft.NET;UNKNOWN</CallTrace>
 			</Rule>
-			<Rule name="Level=0,Desc=Suspicious Process Accessing Sysmon,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<SourceImage condition="end with">.exe</SourceImage>
 				<TargetImage condition="contains any">C:\Windows\sysmon64.exe;C:\Windows\sysmon64.exe</TargetImage>
 				<GrantedAccess>0x1C00</GrantedAccess>
@@ -3372,11 +3372,11 @@
 				<TargetImage condition="excludes">C:\Windows\system32\lsass.exe</TargetImage>
 				<SourceImage condition="excludes">C:\wfx32\</SourceImage>
 			</Rule>
-			<Rule name="Level=0,Desc=Powershell accessing another process memory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<SourceImage condition="image">powershell.exe</SourceImage>
 				<TargetImage condition="excludes any">C:\Programdata\sysmon\sysmon64.exe;C:\Programdata\sysmon\sysmon.exe;C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe;\dismhost.exe</TargetImage>
 			</Rule>
-			<Rule name="Level=0,Desc=Potential Keylogger detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<CallTrace condition="contains">getasynckeystate</CallTrace>
 			</Rule>
 			<Rule name="Attack=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=CMSTP UAC Bypass" groupRelation="and">
@@ -3426,8 +3426,8 @@
 				<TargetImage condition="excludes">C:\WINDOWS\system32\sihost.exe</TargetImage>
 				<TargetImage condition="excludes">C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub</TargetImage>
 			</Rule>
-			<CallTrace name="Level=4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
-			<Rule name="Level=4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
+			<CallTrace name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
 				<CallTrace condition="contains">|UNKNOWN(</CallTrace>
 				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
 				<CallTrace condition="contains">|C:\WINDOWS\System32\KERNELBASE.dll+</CallTrace>
@@ -3435,11 +3435,11 @@
 				<GrantedAccess condition="contains any">0x1028;0x1fffff</GrantedAccess>
 				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git\</SourceImage>
 			</Rule>
-			<Rule name="Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=Potential MalDoc Behavior" groupRelation="and">
 				<SourceImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</SourceImage>
 				<CallTrace condition="contains all">:\Windows\Microsoft.NET\Framework64\v2.;UNKNOWN</CallTrace>
 			</Rule>
-			<Rule name="Level=4,Alert=Potential Metasploit Process Migration" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Potential Metasploit Process Migration" groupRelation="and">
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 				<GrantedAccess condition="contains">0x147a</GrantedAccess>
 			</Rule>
@@ -3460,12 +3460,12 @@
 			<GrantedAccess name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=70">0x810</GrantedAccess>
 			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
 			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Risk=70">0x820</GrantedAccess>
-			<SourceImage name="Level=0,Desc=CScript accessing another process memory,Risk=30" condition="end with">cscript.exe</SourceImage>
-			<SourceImage name="Level=0,Desc=WScript accessing another process memory,Risk=30" condition="end with">wscript.exe</SourceImage>
+			<SourceImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">cscript.exe</SourceImage>
+			<SourceImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">wscript.exe</SourceImage>
 			<SourceImage condition="end with">jjs.exe</SourceImage>
 			<CallTrace name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">dump</CallTrace>
 			<CallTrace name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">mimikatz</CallTrace>
-			<CallTrace name="Level=0,Desc=ProcessAccess with CorperfmontExt.dll,Risk=70" condition="contains">CorperfmontExt.dll</CallTrace>
+			<CallTrace name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CorperfmontExt.dll</CallTrace>
 		</ProcessAccess>
 	</RuleGroup>
 	<RuleGroup name="RG=ProcessAccess Exclude Group" groupRelation="or">
@@ -3488,7 +3488,7 @@
 			<SourceImage condition="end with">:\Windows\system32\sdiagnhost.exe</SourceImage>
 			<!-- In testing a common false-positive is memory space that DLLS would be expected to mapped to. -->
 			<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
-			<Rule name="Level=0,Desc=Direct System Call Events" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\ntdll.dll</CallTrace>  
 				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\win32u.dll</CallTrace>
 				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\wow64win.dll</CallTrace>
@@ -3673,7 +3673,7 @@
 			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence" condition="end with">.XLSB</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<TargetFilename name="Level=0,Desc=Scheduled Task Modified" condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
 			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
 			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=3,Alert=HAFNIUM APT: IIS Creating ASPX files outside of wwwwroot,Risk=80" groupRelation="and">
 				<Image condition="image">w3wp.exe</Image>
@@ -3704,13 +3704,13 @@
 				<TargetFilename condition="end with">.aspx</TargetFilename>
 				<TargetFilename condition="excludes any">\wwwroot\</TargetFilename>
 			</Rule>
-			<TargetFilename name="Level=0,Desc=Files dropped in Exchange ECP directory,Risk=80" condition="contains">\ecp\auth\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Files dropped in Exchange OAB directory,Risk=80" condition="contains">\oab\auth\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">ClientAccess\Owa\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">\owa\auth\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Files dropped in Exchange RPC directory,Risk=80" condition="contains">httpproxy\rpc\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Files dropped in Exchange ecp directory,Risk=80" condition="contains">ClientAccess\ecp\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Files dropped in wwwroot htdocs directory" condition="contains">\htdocs\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ecp\auth\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\oab\auth\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">ClientAccess\Owa\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\owa\auth\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">httpproxy\rpc\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">ClientAccess\ecp\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\htdocs\</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
 
@@ -3761,7 +3761,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
 			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
 			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
-			<TargetFilename name="Level=0,Desc=WSL Locations" condition="contains">\LocalState\rootfs\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\LocalState\rootfs\</TargetFilename>
 
 			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="or">
@@ -3773,8 +3773,8 @@
 				<TargetFilename condition="contains">\AppData\Temp\</TargetFilename>
 				<Image condition="excludes">C:\WINDOWS\system32\dxgiadaptercache.exe</Image>
 			</Rule>
-			<TargetFilename condition="contains" name="Level=0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
-			<Image condition="contains" name="Level=0,Desc=Files Created from">$Recycle.Bin</Image>
+			<TargetFilename condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
+			<Image condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Files Created from">$Recycle.Bin</Image>
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Files Created within System Profile" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 				<TargetFilename condition="contains">\config\systemprofile\</TargetFilename>
@@ -3899,9 +3899,9 @@
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ISO Archive" condition="end with">.iso</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=LZM Archive" condition="end with">.lzm</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=LZMA Archive" condition="end with">.lzma</TargetFilename>
-			<TargetFilename name="Level=0,Desc=RAR Archive Extraction" condition="contains">Temp\Rar$</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Temp\Rar$</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=RAR Archive" condition="end with">.rar</TargetFilename>
-			<TargetFilename name="Level=0,Desc=RAR SFX Archive Extraction" condition="contains">RarSFX</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">RarSFX</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=SFX Archive" condition="end with">.sfx</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=SZ Archive" condition="end with">.sz</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=TAR Archive" condition="end with">.tar</TargetFilename>
@@ -3941,11 +3941,11 @@
 			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
 			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created by Teamviewer" condition="is">Teamviewer.exe</Image>
-			<Image name="Level=0,Desc=File Created by rundll32" condition="is">rundll32.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">rundll32.exe</Image>
 			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created with Remote Desktop Client" condition="is">mstsc.exe</Image>
-			<Image name="Level=0,Desc=File Created with command shell,Risk=30" condition="is">cmd.exe</Image>
-			<Image name="Level=0,Desc=File Dropped with IronPython.exe,Risk=50" condition="is">ipy.exe</Image>
-			<Image name="Level=0,Desc=File Dropped with WScript.exe,Risk=30" condition="is">WScript.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">cmd.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">ipy.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">WScript.exe</Image>
 			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with cscript.exe,Risk=30" condition="is">cscript.exe</Image>
 			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with mshta.exe,Risk=100" condition="is">mshta.exe</Image>
 			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with python.exe,Risk=30" condition="is">python.exe</Image>
@@ -4009,88 +4009,88 @@
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<!--UEBA Detections-->
-			<Rule name="Level=0,Desc=Suspicious files within Content.IE5,Risk=40" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
 				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.dll</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Unusual OLE ActiveX execution from Microsoft Office,Risk=20" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="contains any">MSForms.exd</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=New Executable File Detected in System32" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename> 
 				<TargetFilename condition="begin with">C:\windows\system32\</TargetFilename> 
 			</Rule>
-			<Rule name="Level=0,Desc=New Executable File Detected in Windows Directory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename> 
 				<TargetFilename condition="begin with">C:\windows\</TargetFilename> 
 				<TargetFilename condition="excludes">\system32\</TargetFilename> 
 			</Rule>
-			<Rule name="Level=0,Desc=New Executable File Detected Outside Windows Directory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
 				<TargetFilename condition="excludes">C:\windows\</TargetFilename> 
 				<TargetFilename condition="excludes">C:\Users\</TargetFilename> 
 			</Rule>
-			<Rule name="Level=0,Desc=New Executable File Detected Inside User Directory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
 				<TargetFilename condition="begin with">C:\Users\</TargetFilename> 
 			</Rule>
-			<Rule name="Level=0,Desc=WLL Office Application Startup" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="contains">\Microsoft\Word\Startup\</TargetFilename>
 				<TargetFilename condition="end with">.wll</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc= Windows Defender Application Control changes" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="begin with">C:\windows\system32\CodeIntegrity\</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=XLL Office Application Startup" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="contains">\Microsoft\Excel\Startup\</TargetFilename>
 				<TargetFilename condition="end with">.xll</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Outlook Macro Execution,Risk=90" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="end with">\Microsoft\Outlook\VbaProject.OTM</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Office Application Startup Generic" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="contains">\Microsoft\Addins\</TargetFilename>
 				<TargetFilename condition="contains any">.xla</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Office VSTO Addin detected,Risk=20" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="end with">.vsto</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=New bat file dropped to C:\Windows\,Risk=70" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="end with">.bat</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 				<Image condition="excludes any">C:\ProgramData\Lenovo\SystemUpdate\sessionSE\</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=New dll file dropped to C:\Windows\" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="end with">.dll</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=New Driver sys file dropped to C:\Windows\" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="end with">.sys</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=New Exe file dropped to C:\Windows\" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 				<TargetFilename condition="excludes any">C:\Windows\System32\;C:\windows\syswow64\</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=New Exe file dropped to C:\Windows\System32" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=New Exe file dropped to C:\Windows\System32" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\SysWow64\</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=New theme: Credential harvesting" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="end with">.theme</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Interesting files: Microsoft Office Isolated Conversion Environment" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="contains">\Packages\oice_</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Virtualbox VM Escape" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="image">VirtualboxVM.exe</Image>
 			</Rule>
-			<Image name="Level=0,Desc=Files edited with Notepad Plus Plus" condition="is">notepad++.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">notepad++.exe</Image>
 			<TargetFilename name="Attack=T1023,Technique=Shortcut Modification,Tactic=Persistence,Level=4,Alert=Potential LNK Malware File Downloaded">.lnk:Zone.Identifier</TargetFilename>
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\cscript.exe.log</TargetFilename>
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\mshta.exe.log</TargetFilename>
@@ -4102,47 +4102,47 @@
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wscript.exe.log</TargetFilename>
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\regsvr32.exe.log</TargetFilename>
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Winrm Host Process" condition="end with">\UsageLogs\wsmprovhost.exe.log</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Link">.lnk</TargetFilename>
-			<TargetFilename name="Level=0,Desc=URL">.url</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Link">.lnk</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=URL">.url</TargetFilename>
 			<!--Drivers dropped-->
-			<TargetFilename name="Level=0,Desc=Driver" condition="end with">.sys</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Driver INF" condition="end with">.inf</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\System32\Drivers</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Driver File Dropped" condition="contains">\Drivers\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sys</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.inf</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\System32\Drivers</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Drivers\</TargetFilename>
 			<TargetFilename condition="end with">.drv</TargetFilename> 
 			<!--Microsoft Office File Monitoring-->
-			<TargetFilename name="Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlam</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlsm</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xla</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xll</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xls</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xlsb</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xlsx</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xlt</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xltm</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xlw</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Office Template created" condition="contains">\Microsoft\Templates\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Outlook EML" condition="end with">.eml</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Outlook MSG" condition="end with">.msg</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Powerpoint Macro" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.potm</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Powerpoint OpenXML Filetype" condition="end with">.sldm</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Recent Office Files" condition="contains">\Microsoft\Office\Recent</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlam</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlsm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xla</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xll</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xls</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlsb</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlsx</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlt</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xltm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlw</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Microsoft\Templates\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.eml</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.msg</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.potm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sldm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Microsoft\Office\Recent</TargetFilename>
 			<TargetFilename name="Forensic=Recent Office History" condition="contains">oleObject</TargetFilename>
-			<TargetFilename name="Level=0,Desc=User Downloaded Files" condition="contains">\Downloads\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=User Outlook Attachments" condition="contains">\Content.Outlook\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Word Macro,Risk=30" condition="end with">.docb</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Word Macro,Risk=30" condition="end with">.wbk</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Word Perfect" condition="end with">.ped</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Word Template" condition="end with">.dot</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Word Template" condition="end with">.dotx</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Word" condition="end with">.doc</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Word" condition="end with">.docm</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Word" condition="end with">.docx</TargetFilename>
-			<Rule name="Level=0,Desc=Legacy Office files" groupRelation="or">
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Downloads\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Content.Outlook\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.docb</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.wbk</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ped</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.dot</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.dotx</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.doc</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.docm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.docx</TargetFilename>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
 				<TargetFilename condition="end with">.accdb</TargetFilename>
 				<TargetFilename condition="end with">.accde</TargetFilename>
 				<TargetFilename condition="end with">.accdr</TargetFilename>
@@ -4165,7 +4165,7 @@
 				<TargetFilename condition="end with">.xps</TargetFilename>
 			</Rule>
 			<!--SECTION: Certificates -->
-			<Rule name="Level=0,Desc=Certificate" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
 				<TargetFilename condition="end with">.pem</TargetFilename>
 				<TargetFilename condition="end with">.crt</TargetFilename>
 				<TargetFilename condition="end with">.ca-bundle</TargetFilename>
@@ -4183,7 +4183,7 @@
 				<TargetFilename condition="end with">.key</TargetFilename>
 			</Rule>
 			<!-- side loading -->
-			<Rule name="Level=0,Desc=Sideload Detection" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
 				<TargetFilename condition="end with">.hlp</TargetFilename>
 				<TargetFilename condition="end with">ACLUI.DLL.UI</TargetFilename>
 				<TargetFilename condition="end with">ACLUI.DLL</TargetFilename>
@@ -4272,64 +4272,64 @@
 				<TargetFilename condition="end with">wts.chm</TargetFilename>
 				<TargetFilename condition="end with">credwiz.exe</TargetFilename>
 			</Rule>
-			<TargetFilename name="Level=0,Desc=Op cell phone: https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" condition="end with">ssMUIDLL.dll</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">ssMUIDLL.dll</TargetFilename>
 			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">aepic.dll</TargetFilename>
 			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">ftllib.dll</TargetFilename>
 			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">userenv.dll</TargetFilename>
 			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP Bitmap Cache" condition="contains">\Terminal Server Client\Cache\</TargetFilename>
 			<TargetFilename name="Attack=T1204,Technique=User Execution,Tactic=Execution,Forensic=Windows Prefetch Exec History" condition="begin with">C:\Windows\Prefetch</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Suspicious TSClient share file creation,Risk=30" condition="begin with">\\tsclient</TargetFilename>
-			<TargetFilename name="Level=0,Desc=WebDav Cache Files Created" condition="begin with">C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">\\tsclient</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\</TargetFilename>
 			<TargetFilename name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=4,Alert=SharpDump bin,Risk=100" condition="end with">\Temp\debug.bin</TargetFilename>
-			<TargetFilename name="Level=0,Desc=7zip Archive Extraction" condition="contains">Temp\7z</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Appcompat Shims" condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename>
-			<TargetFilename name="Level=0,Desc=CHM Filetype" condition="end with">.chm</TargetFilename>
-			<TargetFilename name="Level=0,Desc=CIA Vault7: Control Panel Files https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="end with">.cpl</TargetFilename>
-			<TargetFilename name="Level=0,Desc=CIA Vault7: https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="contains">.mht</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Chrome Extensions" condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Chrome extension" condition="end with">.crx</TargetFilename>
-			<TargetFilename name="Level=0,Desc=ClickOnce extension" condition="end with">.appref-ms</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Desktop Gadget File" condition="end with">.gadget</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Encrypted JScript File type" condition="end with">.JSE</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Executable file" condition="end with">.exe</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Explorer Command" condition="end with">.scf</TargetFilename>
-			<TargetFilename name="Level=0,Desc=File Dropped to Exchange OWA: Webshell,Risk=70" condition="contains">Exchange Server\ClientAccess\Owa\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=File Dropped to shadow copy" condition="begin with">\Device\HarddiskVolumeShadowCopy</TargetFilename>
-			<TargetFilename name="Level=0,Desc=File created/accessed from Zip File" condition="contains">.zip\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Font File Type" condition="end with">.FON</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Font File Type" condition="end with">.FOT</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename>
-			<TargetFilename name="Level=0,Desc=IQY file used to pull down dropper" condition="end with">.iqy</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Icon" condition="end with">.ico</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Internet settings" condition="end with">.isp</TargetFilename>
-			<TargetFilename name="Level=0,Desc=MMC Snapin" condition="end with">.msc</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Manifest File Crated" condition="end with">.manifest</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Memory dump" condition="end with">MEMORY.dmp</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Microsoft Installer" condition="end with">.msi</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.cs</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.customDestinations-ms</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Minidump Crash dump created" condition="begin with">C:\Windows\Minidump</TargetFilename>
-			<TargetFilename name="Level=0,Desc=PAF" condition="end with">.PAF</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Temp\7z</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.chm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.cpl</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">.mht</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.crx</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.appref-ms</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.gadget</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.JSE</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.exe</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.scf</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Exchange Server\ClientAccess\Owa\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">\Device\HarddiskVolumeShadowCopy</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">.zip\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.FON</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.FOT</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.iqy</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ico</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.isp</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.msc</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.manifest</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">MEMORY.dmp</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.msi</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.cs</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.customDestinations-ms</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\Minidump</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.PAF</TargetFilename>
 			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP Bitmap Cache" condition="end with">.bmc</TargetFilename>
 			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP" condition="end with">.rdp</TargetFilename>
-			<TargetFilename name="Level=0,Desc=RTF files often 0day malware vectors when opened by Office,Risk=20" condition="end with">.rtf</TargetFilename> 
-			<TargetFilename name="Level=0,Desc=Registry file" condition="end with">.reg</TargetFilename>
-			<TargetFilename name="Level=0,Desc=SHS Office File for copy pastes" condition="end with">.SHS</TargetFilename>
-			<TargetFilename name="Level=0,Desc=SLK file used for command execution" condition="end with">.slk</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Screensaver" condition="end with">.SCR</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Set" condition="end with">.set</TargetFilename>
-			<TargetFilename name="Level=0,Desc=SettingContent-ms" condition="end with">.SettingContent-ms</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Spooled Print Job" condition="end with">.SHD</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Spooled Print Job" condition="end with">.SPL</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Screensaver file created" condition="end with">.scr</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Vault7 file" condition="end with">HammerDrillStatus.dll</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Windows Error Dumps" condition="contains">Microsoft\Windows\WER\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Windows Icon" condition="end with">.ICL</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Windows Registry Database" condition="end with">.sdb</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Windows Script File Component File" condition="end with">.SCT</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Windows Shell Scrap Object Handler File" condition="end with">.SHB</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Zip File Extraction from explorer" condition="contains">Temp\Temp1_</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.rtf</TargetFilename> 
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.reg</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SHS</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.slk</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SCR</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.set</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SettingContent-ms</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SHD</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SPL</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.scr</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">HammerDrillStatus.dll</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft\Windows\WER\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ICL</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sdb</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SCT</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SHB</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Temp\Temp1_</TargetFilename>
 			<!--Uncategorized-->
 			<TargetFilename condition="contains all">\Microsoft\;CLR_v;\UsageLogs\</TargetFilename>
 			<TargetFilename condition="end with">.ade</TargetFilename>
@@ -4392,28 +4392,28 @@
 				<TargetObject condition="excludes">DefaultPrinter</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
-			<TargetObject name="Level=0,Desc=Mounted Device Detection" condition="contains">MountedDevices</TargetObject>
-			<TargetObject name="Level=0,Desc=Mountpoints2 Mounted Device Detection" condition="contains">Mountpoints2</TargetObject>
-			<TargetObject name="Level=0,Desc=Active Setup Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Keyloggers and new Keyboards" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect USB Input Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect New Mice" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect New Composite Device" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect New Bluetooth Device" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974}</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect New Disk Drive" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect New WPD Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect New Biometric Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">MountedDevices</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Mountpoints2</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Active Setup\Installed Components</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
 			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
 			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
 			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
-			<Rule name="Level=0,Desc=Interactive Logon Detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\</TargetObject>
 				<TargetObject condition="end with">LoggedOnUser</TargetObject>
 			</Rule>
-			<TargetObject name="Level=0,Desc=Last Logged on User modification" condition="contains">LastLoggedOnUser</TargetObject>
-			<TargetObject name="Level=0,Desc=Last Logged on Provider modification" condition="contains">LastLoggedOnProvider</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">LastLoggedOnUser</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">LastLoggedOnProvider</TargetObject>
 			<!--MITRE ATT&CK TACTIC: Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
 			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
@@ -4459,10 +4459,10 @@
 			<Rule name="Attack=T0000,Level=4,Alert=NJRAT Detection,Risk=100" groupRelation="and">
 				<TargetObject condition="is">HKCU\di</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Lokibot Detection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="contains">HKCU\�</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=AMSI Tamper Detection" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\AMSI\Providers\</TargetObject>
 				<TargetObject condition="begin with">hklm\software\microsoft\windows script\settings\amsienable</TargetObject>
 				<TargetObject condition="begin with">hkcu\software\microsoft\windows script\settings\amsienable</TargetObject>
@@ -4470,34 +4470,34 @@
 			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
 
 			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<Rule name="Level=0,Forensic=Chrome Extension auditing" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="contains">Google\Chrome\Extensions</TargetObject>
 				<TargetObject condition="end with">update_url</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
-			<Rule name="Level=0,Desc=Forced password reset detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="contains">ForcePasswordReset</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Machine Password Change Detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=User Last Password Changed" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
 				<TargetObject condition="end with">Last Password Change</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Account Expiration" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
 				<TargetObject condition="end with">Account Expiration</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Last Failed Logon" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
 				<TargetObject condition="end with">Last Failed Logon</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=User Account Added to Local Admin" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=User Account Added to Remote Desktop User Group" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\0000022B\</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
@@ -4542,12 +4542,12 @@
 			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="contains">Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Print Processors-->
 			<TargetObject name="Attack=T1013,Technique=Port Monitors,Tactic=Persistence/Privilege Escalation" condition="contains">\Print\Monitors</TargetObject>
-			<!--<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">\Printers\Connections</TargetObject>
-			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">\Print\Environments\</TargetObject>
-			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">\Servers\Printers\</TargetObject>
-			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">\Print\V4 Connections</TargetObject>
-			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">CurrentVersion\PrinterPorts</TargetObject>
-			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">SWD\PRINTENUM</TargetObject>-->
+			<!--<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Printers\Connections</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Print\Environments\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Servers\Printers\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Print\V4 Connections</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CurrentVersion\PrinterPorts</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">SWD\PRINTENUM</TargetObject>-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
 			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
 			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
@@ -4563,7 +4563,7 @@
 				<EventType condition="is">CreateKey</EventType>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<Rule name="Level=3,Alert=Sysmon Manifest change detected,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=Sysmon Manifest change detected,Risk=30" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}</TargetObject>
 				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
 				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
@@ -4604,7 +4604,7 @@
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
 			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<TargetObject name="Level=0,Desc=KnownDLLs" condition="contains">Session Manager\KnownDlls</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Session Manager\KnownDlls</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
@@ -4657,12 +4657,12 @@
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="contains">UserInitMprLogonScript</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=BootVerificationProgram Autorun" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Security Support Provider-->
-			<TargetObject name="Level=0,Desc=Monitor LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject>
-			<TargetObject name="Level=0,Desc=Monitor LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject>
-			<TargetObject name="Level=0,Desc=Monitor LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject>
-			<TargetObject name="Level=0,Desc=Monitor OS Config LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject>
-			<TargetObject name="Level=0,Desc=Monitor OS Config LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>
-			<TargetObject name="Level=0,Desc=Monitor OS Config LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
 			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
@@ -4717,26 +4717,26 @@
 				<TargetObject condition="end with">SD</TargetObject>
 				<TargetObject condition="excludes any">Microsoft\Windows\UpdateOrchestrator</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Scheduled Task Creation ID Key" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
 				<TargetObject condition="end with">ID</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Scheduled Task Creation Author Key" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
 				<TargetObject condition="end with">Author</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Scheduled Task Creation Path Key" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
 				<TargetObject condition="end with">Path</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Scheduled Task Creation Date Key" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
 				<TargetObject condition="end with">Date</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Scheduled Task Added to Logon" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Scheduled Task Added to Boot Time" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
@@ -4760,7 +4760,7 @@
 				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
-			<TargetObject name="Level=0,Desc=Detect UAC Tampering" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
 			<TargetObject name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe</TargetObject>
 			<TargetObject name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">exefile\shell\runas\command\isolatedCommand</TargetObject>			
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
@@ -4775,7 +4775,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
 			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
 			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
-			<TargetObject name="Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Hidden</TargetObject>
 			<Rule name="Attack=T1564.002,Technique=Hide Artifacts: Hidden Users,Tactic=Defense Evasion,Level=4,Alert=User Account Hidden From Logon Screen,Risk=100" groupRelation="and">
 				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\</TargetObject>
 				<TargetObject condition="end with">$</TargetObject>
@@ -4809,7 +4809,7 @@
 				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acro</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
-			<Rule name="Level=0,Desc=Task Manager Disablement Detection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="end with">DisableTaskMgr</TargetObject>
 				<Image condition="excludes">C:\WINDOWS\system32\svchost.exe</Image>
 				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
@@ -4837,45 +4837,45 @@
 				<TargetObject condition="contains">\Security\Level</TargetObject>
 				<Details condition="contains">DWORD (0x00000004)</Details>
 			</Rule>
-			<Rule name="Level=0,Desc=Outlook Security Changes" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="contains">\Outlook\Security</TargetObject>
 				<!--Allow Outlook Details rules to fire-->
 				<TargetObject condition="excludes">\Security\Level</TargetObject>
 			</Rule>
-			<TargetObject name="Level=0,Desc=Word Security Changes" condition="contains">\Word\Security</TargetObject>
-			<TargetObject name="Level=0,Desc=Excel Security Changes" condition="contains">\Excel\Security</TargetObject>
-			<TargetObject name="Level=0,Desc=Detected Unauthorized changes to Office Security" condition="contains">\Security\Level1Remove</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Word\Security</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Excel\Security</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Security\Level1Remove</TargetObject>
 			<!--Detect if Microsoft Security Center is Disabled or Enabled-->
-			<TargetObject name="Level=0,Desc=Microsoft:Windows:Security Center: Malware timestimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/" condition="end with">\HideSCAHealth</TargetObject>
-			<TargetObject name="Level=0,Desc=Security Center AV Disabled Notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
-			<TargetObject name="Level=0,Desc=Security Center Disable UAC Notify Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
-			<TargetObject name="Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
-			<TargetObject name="Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
-			<TargetObject name="Level=0,Desc=Security Center Disablement of Update notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
-			<TargetObject name="Level=0,Desc=Security Center Firewall Override Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
-			<TargetObject name="Level=0,Desc=Security Center Tampering: All Alerts Disabled" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\HideSCAHealth</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
 			<!--Detect if Windows Defender is Disabled-->
 			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPSessionInterval</TargetObject>
 			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SystemRestorePointCreationFrequency</TargetObject>
 			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Detected disablement of machine password,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject>
-			<TargetObject name="Level=0,Desc=Monitor Secure Channel Protection changes,Risk=30" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection</TargetObject>
-			<TargetObject name="Level=0,Desc=Refuse PW Change for workstations" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Defender AntiSpyware Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Defender Behavior Monitoring Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Defender Real Time Protection Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Defender Spynet Reporting Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable Windows Event Logging-->
 			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Windows Event Log Source,Risk=100" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
 				<TargetObject condition="end with">\Enabled</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
-			<Rule name="Level=0,Desc=Enabling of Windows Event Log Source" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
 				<TargetObject condition="end with">\Enabled</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
-			<Rule name="Level=0,Desc=Detect Event log system integrity and ACL Modifications" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
 				<TargetObject condition="excludes">\Enabled</TargetObject>
 			</Rule>
@@ -4908,11 +4908,11 @@
 				<TargetObject condition="end with">\MaxSize</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
-			<Rule name="Level=0,Desc=Globally Opened Firewall port exceptions" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="contains">globallyopenports</TargetObject>
 			</Rule>
 			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Monitor Firewall Enablement or Disablement" condition="end with">EnableFirewall</TargetObject>
-			<TargetObject name="Level=0,Desc=App added to Firewall Auth list" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
 
 			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
 			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=ETWEnabled Env Tampering,Risk=70" groupRelation="and">
@@ -4938,20 +4938,20 @@
 			<Rule name="Forensic=Regedit history Detection,Risk=30" groupRelation="and">
 				<TargetObject condition="end with">\LastKey</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Symbolic Registry Link Created" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="contains">SymbolicLinkValue</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Suspicious Location Registry Change Detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer</TargetObject>
 				<Image condition="contains any">\AppData\;\ProgramData\;\Temp\;C:\users</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Right to Left hidden Registry key,Risk=40" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="contains">&#x202e;</TargetObject>
 			</Rule>
-			<TargetObject name="Level=0,Desc=Monitor Remote Registry Setting Keys" condition="begin with">HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg</TargetObject>
 
 			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
-			<Rule name="Level=0,Desc=Detect System Certificate Modifications" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="contains any">\Software\Policies\Microsoft\SystemCertificates\;\SOFTWARE\Microsoft\EnterpriseCertificates\;HKLM\SOFTWARE\Microsoft\SystemCertificates\;HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
 				<EventType condition="is not">CreateKey</EventType>
 				<Image condition="excludes">C:\WINDOWS\Sysmon64.exe</Image>
@@ -4968,16 +4968,16 @@
 				<Image condition="excludes">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</Image>
 				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe</Image>
 			</Rule>
-			<TargetObject name="Level=0,Desc=Remote Desktop fDenyTSConnections modification" condition="contains">fDenyTSConnections</TargetObject>
-			<TargetObject name="Level=0,Desc=Remote Desktop Settings keys" condition="contains">Terminal Server\WinStations\RDP-Tcp</TargetObject>
-			<TargetObject name="Level=0,Desc=Remote Desktop port modification" condition="end with">RDP-tcp\PortNumber</TargetObject>
-			<TargetObject name="Level=0,Desc=Enablement of Multiple RDP Sessions" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">fDenyTSConnections</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Terminal Server\WinStations\RDP-Tcp</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">RDP-tcp\PortNumber</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
 			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
-			<Rule name="Level=0,Desc=Unicode Replacement Character in Registry key,Risk=20" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="contains">&#xfffd;</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Cryillic Character in Registry key,Risk=100" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="contains any">Й;ќ;Л;я;К</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
@@ -5111,7 +5111,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
 			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Rule name="Level=0,Desc=Git For Windows Detection: Revil: Sodinokibi,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\GitForWindows</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
@@ -5156,35 +5156,35 @@
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<!-- UEBA/Uncategorized Detections-->
-			<Rule name="Level=0,Desc=Lanmanserver Parameters Registry Change Detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Lanmanworkstation Parameters Registry Change Detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters</TargetObject>
 			</Rule>
 			<Rule name="Forensic=Regedit history Detection,Risk=30" groupRelation="and">
 				<TargetObject condition="end with">\LastKey</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=TS Farm Disable RDP Detection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="end with">\WinStationsDisabled</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=TS Farm Drain Mode Modification Detection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="end with">\TSServerDrainMode</TargetObject>
 			</Rule>
 			<Rule name="Forensic=IE history Detection" groupRelation="and">
 				<TargetObject condition="end with">\TypedURLs</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=IPv6 Changes detected: Disabled Components" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\disabledcomponents</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=IPv6 Changes detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Linkage\Bind</TargetObject>
 				<Details condition="excludes">Binary Data</Details>
 			</Rule>
-			<Rule name="Level=0,Desc=Network Card Changes detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Service Listening Ports with URL ACL INFO" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="contains">services\http\parameters\urlaclinf</TargetObject>
 			</Rule>
 			<Rule name="Forensic=Adobe Recent File List History" groupRelation="and">
@@ -5194,7 +5194,7 @@
 			<Rule name="Forensic=Office History MRU" groupRelation="and">
 				<TargetObject condition="end with">\File MRU\Item 1</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Sysmon Config Hash Modification Monitoring" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHash</TargetObject>
 			</Rule>
 			<!--Common Malware Persistence locations-->
@@ -5212,140 +5212,140 @@
 			<TargetObject name="Attack=T1562.006,Technique=Impair Defenses: Indicator Blocking,Tactic=Defense Evasion,Level=0,Desc=ETW Tampering,Risk=70" condition="end with">SOFTWARE\Microsoft\.NETFramework\ETWEnabled</TargetObject>
 			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=2,Alert=AutoRun Keys,Risk=70" condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
-			<TargetObject name="Level=0,Desc=Alternate Shell AvailableShells Hijack" condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
-			<TargetObject name="Level=0,Desc=Alternative Shell Policy" condition="contains">Policies\System\Shell</TargetObject>
-			<TargetObject name="Level=0,Desc=AutoStart on Connect" condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
-			<TargetObject name="Level=0,Desc=AutoStart on Disconnect" condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
-			<TargetObject name="Level=0,Desc=Chrome Extensions" condition="contains">PreferenceMACs\Default\extensions.settings</TargetObject>
-			<TargetObject name="Level=0,Desc=CurrentVersion URL Key" condition="contains">CurrentVersion\URL</TargetObject>
-			<TargetObject name="Level=0,Desc=Font Drivers" condition="end with">\CurrentVersion\Font Drivers</TargetObject>
-			<TargetObject name="Level=0,Desc=Group Policy Shutdown scripts" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Level=0,Desc=Icon Service Lib" condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
-			<TargetObject name="Level=0,Desc=Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
-			<TargetObject name="Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="contains">NullSessionShares</TargetObject>
-			<TargetObject name="Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="end with">NullSessionPipes</TargetObject>
-			<TargetObject name="Level=0,Desc=Password Expiry Info" condition="contains">PasswordExpiryNotification</TargetObject>
-			<TargetObject name="Level=0,Desc=Safeboot Alternative Shell hijack" condition="contains">SafeBoot\AlternateShell</TargetObject>
-			<TargetObject name="Level=0,Desc=Screen Save on Desktop" condition="contains">Desktop\Scrnsave.exe</TargetObject>
-			<TargetObject name="Level=0,Desc=Software Installed or DisplayVersion modified" condition="end with">\DisplayVersion</TargetObject>
-			<TargetObject name="Level=0,Desc=Software Installed or Modify String modified" condition="end with">\ModifyPath</TargetObject>
-			<TargetObject name="Level=0,Desc=Software Installed or Uninstall String modified" condition="contains">\Microsoft\Windows\CurrentVersion\Uninstall\</TargetObject>
-			<TargetObject name="Level=0,Desc=Software Installed or Uninstall String modified" condition="end with">\UninstallString</TargetObject>
-			<TargetObject name="Level=0,Desc=Terminal Services Initial Program Key" condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
-			<TargetObject name="Level=0,Desc=Winlogon Taskman Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Policies\System\Shell</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">PreferenceMACs\Default\extensions.settings</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CurrentVersion\URL</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\CurrentVersion\Font Drivers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Active Setup\Installed Components</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">NullSessionShares</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">NullSessionPipes</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">PasswordExpiryNotification</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">SafeBoot\AlternateShell</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Desktop\Scrnsave.exe</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DisplayVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\ModifyPath</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Microsoft\Windows\CurrentVersion\Uninstall\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\UninstallString</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
 			<!--CLSID launch commands and file association changes-->
-			<TargetObject name="Level=0,Desc=File Extension Mapping" condition="contains">\Explorer\FileExts\</TargetObject>
-			<TargetObject name="Level=0,Desc=Command Shell install Key" condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Explorer\FileExts\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
 			<TargetObject name="Forensic=User SID History for Forensics" condition="end with">\ProfileImagePath</TargetObject><!--Lets Get SID History and other info for Forensics, this is created on logon-->
 			<!--Windows shell hijack-->
-			<TargetObject name="Level=0,Desc=AllFileSystemObjects Classes" condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject name="Level=0,Desc=Asterisk Classes" condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject name="Level=0,Desc=CFT LangBarAddin" condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
-			<TargetObject name="Level=0,Desc=ContextMenuHandlers" condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
-			<TargetObject name="Level=0,Desc=CurrentVersion Shell Keys" condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
-			<TargetObject name="Level=0,Desc=Detect ShellExecuteHooks" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
-			<TargetObject name="Level=0,Desc=Directory Classes" condition="contains">\Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject name="Level=0,Desc=Drive Classes" condition="contains">\Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject name="Level=0,Desc=Explorer Shell Execute Hooks" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
-			<TargetObject name="Level=0,Desc=Folder Classes" condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject name="Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
-			<TargetObject name="Level=0,Desc=Hidden File Extensions Explorer Setting modification" condition="end with">\HideFileExt</TargetObject>
-			<TargetObject name="Level=0,Desc=Internet Explorer Desktop Components" condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
-			<TargetObject name="Level=0,Desc=Protocol Filter Classes" condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
-			<TargetObject name="Level=0,Desc=Protocol Handler Classes" condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
-			<TargetObject name="Level=0,Desc=SharedTaskScheduler" condition="contains">\SharedTaskScheduler</TargetObject>
-			<TargetObject name="Level=0,Desc=Super Hidden File Explorer Setting modification" condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
-			<TargetObject name="Level=0,Desc=Windows Shell Hijack: ColumnHandlers" condition="contains">\ColumnHandlers</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Shell Hijack: CopyHookHandlers" condition="contains">\CopyHookHandlers</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Shell Hijack: ExtShellFolderView" condition="contains">\ExtShellFolderViews</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Shell Hijack: PropertySheetHandlers" condition="contains">\PropertySheetHandlers</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Shell Hijack: ShellServiceObjectDelayLoad" condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Shell Hijack: ShellServiceObjects" condition="contains">\ShellServiceObjects</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Hidden</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\HideFileExt</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SharedTaskScheduler</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ColumnHandlers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\CopyHookHandlers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ExtShellFolderViews</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\PropertySheetHandlers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ShellServiceObjects</TargetObject>
 			<!--AppPaths hijacking-->
-			<TargetObject name="Level=0,Desc=Detect AppPaths Hijacking" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<TargetObject name="Level=0,Desc=Detect AppPaths Hijacking" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<TargetObject name="Level=0,Desc=Detect AppPaths Hijacking" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
 			<!--Terminal service boobytraps-->
-			<TargetObject name="Level=0,Desc=Detect Terminal Services BoobyTraps" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
 			<!--Group Policy interity-->
-			<TargetObject name="Level=0,Desc=Group Policy interity Detection" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
 			<!--Winsock and Winsock2-->
-			<TargetObject name="Level=0,Desc=Detect IE Popup Blocker Changes" condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
-			<TargetObject name="Level=0,Desc=Detect IE Protected Mode Changes" condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
-			<TargetObject name="Level=0,Desc=Detect IE Scripting Mode in Internet Zone Changes" condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
-			<TargetObject name="Level=0,Desc=Detect IE Security Setting Check Warning Changes" condition="end with">\DisableSecuritySettingsCheck</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Winsock Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
-			<TargetObject name="Level=0,Desc=Detect Winsock Proxy Server Changes" condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
-			<TargetObject name="Level=0,Desc=Detected IE Legacy setting modifications" condition="end with">SavedLegacySettings</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<TargetObject name="Level=0,Desc=Detected IE Proxy setting modifications" condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<TargetObject name="Level=0,Desc=Detected Modifications of Console Tracing" condition="end with">EnableConsoleTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<TargetObject name="Level=0,Desc=Detected Modifications of File Tracing" condition="end with">EnableFileTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DisableSecuritySettingsCheck</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">SavedLegacySettings</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">EnableConsoleTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">EnableFileTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
 			<!--Credential providers-->
 			<TargetObject name="Attack=T1177,Tactic=Execution/Persistence,Technique=LSASS Driver,Level=3,Alert=Detection of Modification of LSASS Protection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Authentication PLAP Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Authentication Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
-			<TargetObject name="Level=0,Desc=Detect Credential provider Filter Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect LSA Credential Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect NETSH Helper DLL Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
-			<TargetObject name="Level=0,Desc=Detect Security Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
 			<!--Networking-->
-			<TargetObject name="Level=0,Desc=Monitor Network Interface Priority ordering" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
 			<TargetObject name="Forensic=Monitor Network History" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
 			<!--DLLs that get injected into every process launch-->
-			<TargetObject name="Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
-			<TargetObject name="Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
 			<!--Office-->
 			<!--Microsoft Office-->
-			<TargetObject name="Level=0,Desc=Office Test Autorun Location Monitoring,Risk=40" condition="contains">Office Test\</TargetObject> <!-- [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Office Test\</TargetObject> <!-- [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
 			<!--Removed addins on 11/13/2018 due to high count-->
 			<!--IE-->
-			<TargetObject name="Level=0,Desc=Detect Changes to Internet Explorer Toolbars" condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
-			<TargetObject name="Level=0,Desc=Detect Changes to Internet Explorer Extensions" condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
 			<!--Magic registry keys-->
-			<TargetObject name="Level=0,Desc=Detect Browser Helper Object Modifications" condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
-			<TargetObject name="Level=0,Desc=Detect Changes to Thumbnail cache autostart" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
 			<!--Infection artifacts-->
-			<TargetObject name="Level=0,Desc=ClickOnce URL Update Artifact" condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
-			<TargetObject name="Level=0,Desc=Installer Source Artifact" condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and component installations-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and component installations-->
 			<!--Windows internals integrity monitoring-->
-			<TargetObject name="Level=0,Desc=Detect Legacy Drivers Loaded" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
-			<TargetObject name="Level=0,Desc=Detect System Policy Changes" condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
-			<TargetObject name="Level=0,Desc=Detect Windows Defender Policy Changes" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
-			<TargetObject name="Level=0,Desc=Detect Windows Defender Tamper Protection Modifications" condition="begin with">TamperProtection</TargetObject> <!--Microsoft:Defender: Detect changes to Defender TamperProtection -->
-			<TargetObject name="Level=0,Desc=Detect malware changes to UAC prompt level" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">TamperProtection</TargetObject> <!--Microsoft:Defender: Detect changes to Defender TamperProtection -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
 			<!--Group Policy Scripts-->
-			<TargetObject name="Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
 			<!--Detect Network History-->
-			<TargetObject name="Level=0,Desc=Detect AD Domain Change" condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
-			<TargetObject name="Level=0,Desc=Detect DHCP Default Gateway" condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Level=0,Desc=Detect DHCP IP Address" condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Level=0,Desc=Detect DHCP Name Server Changes" condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Level=0,Desc=Detect DHCP Server Change" condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Level=0,Desc=Detect DHCP Subnet mask Change" condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Level=0,Desc=Detect DNS Server Changes" condition="end with">Nameserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Level=0,Desc=Detect Default Gateway" condition="end with">\DefaultGateway</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Level=0,Desc=Detect Network Persistent Route Change" condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
-			<TargetObject name="Level=0,Desc=Detect Network Type Change" condition="end with">}\Category</TargetObject><!--Networking: Detect Network type change-->
-			<TargetObject name="Level=0,Desc=Detect Network profile Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Subnet Mask Change" condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Level=0,Desc=User added Macro document to Trusted Records,Risk=30" condition="contains">\Trusted Documents\TrustRecords</TargetObject>
-			<TargetObject name="Level=0,Desc=User added Macro document to Trusted Records 2,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Common</TargetObject>
-			<TargetObject name="Level=0,Desc=User added Macro trusted certificate,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Trusted</TargetObject>
-			<TargetObject name="Level=0,Desc=Office Security Settings: Monitor changes of security prompts" condition="contains">\Security\DontTrustInstalledFiles</TargetObject>
-			<TargetObject name="Level=0,Desc=Office Trusted Location Changes" condition="contains">\Security\Trusted Locations</TargetObject>
-			<TargetObject name="Level=0,Desc=Office Keys: Monitor Disabling of Internet files in Protected View" condition="end with">Security\ProtectedView\DisableInternetFilesInPV</TargetObject>
-			<TargetObject name="Level=0,Desc=Office Keys: Monitor Disabling of attackments in Protected View" condition="end with">Security\ProtectedView\DisableAttachmentsInPV</TargetObject>
-			<TargetObject name="Level=0,Desc=Office Keys: Monitor Disabling of Unsafe Locations in Protected View" condition="end with">Security\ProtectedView\DisableUnsafeLocationsInPV</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Nameserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DefaultGateway</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">}\Category</TargetObject><!--Networking: Detect Network type change-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Trusted Documents\TrustRecords</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Software\Microsoft\VBA\7.1\Common</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Software\Microsoft\VBA\7.1\Trusted</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Security\DontTrustInstalledFiles</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Security\Trusted Locations</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Security\ProtectedView\DisableInternetFilesInPV</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Security\ProtectedView\DisableAttachmentsInPV</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Security\ProtectedView\DisableUnsafeLocationsInPV</TargetObject>
 			<TargetObject name="Forensic=WinRAR History" condition="contains">Software\WinRAR\ArcHistory</TargetObject>
 			<TargetObject name="Forensic=Winzip History" condition="contains">WinZip\mru\</TargetObject>
 			<TargetObject name="Forensic=Misc Recent File List History" condition="contains">Recent File List</TargetObject>
@@ -5353,66 +5353,66 @@
 			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\Today\UserDefinedUrl</TargetObject>
 			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Calendar Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Calendar</TargetObject>
 			<TargetObject name="Forensic=Office History" condition="contains">\Place MRU</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVerVersion</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVersion</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache InvDB-Path" condition="end with">\LowerCaseLongPath</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache InvDB-Pub" condition="end with">\Publisher</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache InvDB-Store" condition="contains">Compatibility Assistant\Store\</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache InvDB-Ver" condition="end with">\BinProductVersion</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache Application Shortcuts" condition="contains">Root\InventoryApplicationShortcut\</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache Driver Binary Info" condition="contains">Root\InventoryDriverBinary\</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache Device Info" condition="contains">Root\InventoryDeviceContainer\</TargetObject>
-			<Rule name="Level=0,Forensic=AmCache Application Installation Info" groupRelation="and">
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\LinkDate</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DriverVerVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DriverVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\LowerCaseLongPath</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Publisher</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Compatibility Assistant\Store\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\BinProductVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Root\InventoryApplicationShortcut\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Root\InventoryDriverBinary\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Root\InventoryDeviceContainer\</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="contains">Root\InventoryApplication\</TargetObject>
 				<TargetObject condition="contains any">ProgramID;Name;Version;Publisher;Language;InstallDate;Source;RootDirPath;HiddenArp;UninstallString;RegistryKeyPath;UserSID;sha256</TargetObject>
 			</Rule>			
-			<Rule name="Level=0,Forensic=AmCache Application File Info" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="contains">Root\InventoryApplicationFile\</TargetObject>
 				<TargetObject condition="contains any">ProgramId;FileId;LowerCaseLongPath;Name;OriginalFileName;Publisher;Version;binfileversion;LinkDate;Size;Language;USN;IsPeFile;IsOsComponent;sha256;AppxPackageFullName</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Forensic=AmCache AppV Application Inventory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="contains">Root\InventoryApplicationAppV\</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Forensic=AmCache Office Information" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetObject condition="contains any">Root\InventoryMiscellaneousOfficeAddIn;Root\InventoryMiscellaneousOfficeIdentifiers;Root\InventoryMiscellaneousOfficeIESettings;Root\InventoryMiscellaneousOfficeInsights;Root\InventoryMiscellaneousOfficeProducts;Root\InventoryMiscellaneousOfficeSettings;Root\InventoryMiscellaneousOfficeVBA;Root\InventoryMiscellaneousOfficeVBARuleViolations</TargetObject>
 			</Rule>
-			<TargetObject name="Level=0,Desc=User Mount Points" condition="end with">\Explorer\MountPoints2</TargetObject>
-			<TargetObject name="Level=0,Desc=Monitor DOS Devices Virtual Registry Paths" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Explorer\MountPoints2</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices</TargetObject>
 			<Rule name="Attack=T1489,Technique=Service Stop,Tactic=Impact,Level=1,Desc=Service Set for Deletion" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\DeleteFlag</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
 			<!--Detect User Activity-->
-			<TargetObject name="Level=0,Forensic=Detect Bluetooth Audio Capture" condition="contains">\ConsentStore\bluetooth</TargetObject>
-			<TargetObject name="Level=0,Forensic=Detect Contacts Accesses" condition="contains">\ConsentStore\contacts</TargetObject>
-			<TargetObject name="Level=0,Forensic=Detect Input Capture Accesses/Keyloggers" condition="contains">\ConsentStore\hunmanInterfaceDevice</TargetObject>
-			<TargetObject name="Level=0,Forensic=Detect Location Accesses" condition="contains">\ConsentStore\location</TargetObject>
-			<TargetObject name="Level=0,Forensic=Detect Microphone Accesses" condition="contains">\ConsentStore\microphone</TargetObject>
-			<TargetObject name="Level=0,Forensic=Detect USB Accesses" condition="contains">\ConsentStore\usb\</TargetObject>
-			<TargetObject name="Level=0,Forensic=Detect Webcam Accesses" condition="contains">\ConsentStore\webcam</TargetObject>
-			<TargetObject name="Level=0,Forensic=Detect humanInterfaceDevice Accesses" condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
-			<TargetObject name="Level=0,Forensic=Explorer Last Visited MRU" condition="contains">LastVisitedMRU</TargetObject>
-			<TargetObject name="Level=0,Forensic=Regedit Applets" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\bluetooth</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\contacts</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\hunmanInterfaceDevice</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\location</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\microphone</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\usb\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\webcam</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">LastVisitedMRU</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
 			<TargetObject name="Forensic=Run MRU" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
-			<TargetObject name="Level=0,Desc=USBStor USB Device History" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
 			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=4,Alert=Safeboot Service Added" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
-			<TargetObject name="Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
-			<TargetObject name="Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
-			<TargetObject name="Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject> <!--Mitre T1198-->
-			<TargetObject name="Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject><!--Mitre T1198-->
-			<TargetObject name="Level=0,Desc=Detect: Dns Server dll injection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect: UAC Bypass" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> 
-			<TargetObject name="Level=0,Forensic=New Device Connected" condition="end with">\FriendlyName</TargetObject>
-			<TargetObject name="Level=0,Desc=Providers notified by Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
-			<TargetObject name="Level=0,Desc=Proxy Autoconfig URL" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
-			<TargetObject name="Level=0,Desc=Shell Service Object Delay Load" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Installer Engaged" condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject> <!--Mitre T1198-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject><!--Mitre T1198-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> 
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\FriendlyName</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
 			<!--Windows application compatibility shims-->
-			<TargetObject name="Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetObject name="Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetObject name="Level=0,Desc=Process Tracing Modifications,,Risk=30" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
 			<!-- NOTICE: Detect New USB Network Devices: Poison Tap: Creates lots of noise, disabled for now-->
 			<Rule name="Alert=Detect PoisonTap,FP=2,Comment=May be noisy" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
@@ -5444,33 +5444,33 @@
 			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Potential Ransomware Indicator: REvil Sodinokibi Sodin Ransomware,Risk=100" condition="contains">Software\recfg</TargetObject>
 			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Preload\</TargetObject>
 			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Substitutes\</TargetObject>
-			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002</TargetObject>
-			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy</TargetObject>
-			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\</TargetObject>
-			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\</TargetObject> 
-			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman</TargetObject>
-			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\</TargetObject>
-			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="end with">\Client\Enabled</TargetObject>
-			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="end with">\Server\Enabled</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\</TargetObject> 
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Client\Enabled</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Server\Enabled</TargetObject>
 			<TargetObject name="Forensic=Kitty Sessions,Risk=30" condition="contains">Kitty\Sessions</TargetObject>
-			<TargetObject name="Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
-			<TargetObject name="Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
-			<TargetObject name="Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
 			<TargetObject name="Forensic=Putty Sessions,Risk=30" condition="contains">PuTTY\Sessions</TargetObject>
-			<TargetObject name="Level=0,Desc=RDP History,Risk=10" condition="contains">Terminal Server Client\Servers</TargetObject>
-			<TargetObject name="Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
-			<TargetObject name="Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Terminal Server Client\Servers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">WinSCP 2\Sessions</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">WinSCP 2\Sessions</TargetObject>
 		</RegistryEvent>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
 	<!--EVENT 15: "File stream created"-->
 	<RuleGroup name="RG=ADS Include Group" groupRelation="or">
 		<FileCreateStreamHash onmatch="include">
-			<Rule name="Level=0,Desc=Interesting Files temp locations,Risk=10" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
 				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.vbs;.hta</TargetFilename>
 			</Rule>
-			<Rule name="Level=4,Alert=HTML_Smuggling,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=HTML_Smuggling,Risk=50" groupRelation="and">
 				<TargetFilename condition="end with">:Zone.Identifier</TargetFilename>
 				<Contents condition="contains any">blob:;about:internet</Contents>
 			</Rule>
@@ -5553,7 +5553,7 @@
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=sdlrpc Named Pipe Detection,Risk=100" condition="contains">\sdlrpc</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=winsession Named Pipe Detection,Risk=100" condition="contains">\winsession</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
 			<PipeName name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,Alert=lateral movement -meterpreter named pipe detected,Risk=100" condition="contains">msf-pipe</PipeName>
-			<PipeName name="Level=0,Desc=LM or EXEC over atsvc named pipe" condition="contains">\atsvc</PipeName> <!-- useful for lm or exec over atsvc namedpipe -->
+			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\atsvc</PipeName> <!-- useful for lm or exec over atsvc namedpipe -->
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 1" condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\DserNamedPipe;\mypipe-;\windows.update.manager;\ntsvcs_;scerpc_;\demoagent;\PGMessagePipe;\MsFTeWds;\f4c3;\fullduplex_;\msrpc_;\f53f;\rpc_;\spoolss_;\win_svc;\SearchTextHarvester</PipeName>
@@ -5562,13 +5562,13 @@
 				<PipeName condition="excludes">CtxSharefilepipe0</PipeName>
 			</Rule>
 			<!-- Noisy
-			<PipeName name="Level=0,Desc=SMB Session Enumeration" condition="contains">\srvsvc</PipeName>
+			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\srvsvc</PipeName>
 			-->
-			<PipeName name="Level=0,Desc=Remote Registry access and enumeration" condition="contains">\winreg</PipeName> <!-- useful for lateral movement and users enumeration, psloggedon use this technique -->
-			<PipeName name="Level=0,Desc=Anonymous Named Pipe Detected" condition="contains">Anonymous Pipe</PipeName><!--Include Everything else to mark above rules-->
+			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\winreg</PipeName> <!-- useful for lateral movement and users enumeration, psloggedon use this technique -->
+			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Anonymous Pipe</PipeName><!--Include Everything else to mark above rules-->
 			<!--Include Everything else to mark above rules-->
 			<!-- Disabled for now
-			<PipeName name="Level=0,Desc=Uncategorized Events" condition="contains">\</PipeName>
+			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\</PipeName>
 			-->
 		</PipeEvent>
 	</RuleGroup>
@@ -5650,7 +5650,7 @@
 				<QueryName condition="contains">github</QueryName>
 				<Image condition="image">powershell.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Suspicious DNS Requests" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">powershell;cscript.exe;wscript.exe;mshta.exe;bitsadmin.exe;\cmd.exe</Image>
 				<QueryName condition="contains">.</QueryName>
 			</Rule>
@@ -5674,25 +5674,25 @@
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst domains,Risk=100" groupRelation="or">
 				<QueryName condition="contains any">thedoccloud.com;deftsecurity.com;websitetheme.com;highdatabase.com;incomeupdate.com;zupertech.com;panhardware.com;databasegalore.com;avsvmcloud.com;freescanonline.com</QueryName>
 			</Rule>
-			<Rule name="Level=0,Desc=Social Networking" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
 				<QueryName condition="contains any">tiktok;parler.com;gab.com;mewe.com;4chan;8chan;facebook;fbcdn;twitter;instagram;snapchat</QueryName>
 			</Rule>
-			<Rule name="Level=0,Desc=Internet Relay Chat,Risk=70" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
 				<QueryName condition="contains any">efnet;undernet;freenode;ircnet;.rizon;quakenet;oftc.net;dalnet</QueryName>
 			</Rule>
-			<Rule name="Level=0,Desc=Internet Chat,Risk=20" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<QueryName condition="contains any">.slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com</QueryName>
 			</Rule>
 			<!--Crypto Currency Mining pools-->
-			<Rule name="Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=10"  groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=10"  groupRelation="or">
 				<QueryName condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.nimpool.io;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool;analytics.blue;estream.to</QueryName>
 			</Rule>
-			<QueryName name="Level=0,Desc=Microsoft Graph API Lookup" condition="is">graph.microsoft.com</QueryName>
-			<QueryName name="Level=0,Desc=Dropbox Download Detected" condition="is">dl.dropboxusercontent.com</QueryName>
-			<QueryName name="Level=0,Desc=OneDrive API Lookup" condition="is">api.onedrive.com</QueryName>
-			<QueryName name="Level=0,Desc=Zoom Hostname Lookup" condition="contains">zoom.us</QueryName>
-			<QueryName name="Level=0,Desc=Teamviewer Hostname Lookup" condition="contains">teamviewer</QueryName>
-			<QueryName name="Level=0,Desc=Screenconnect Hostname Lookup" condition="contains">Screenconnect</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">graph.microsoft.com</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">dl.dropboxusercontent.com</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">api.onedrive.com</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">zoom.us</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">teamviewer</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Screenconnect</QueryName>
 			<!--Public Port Scan Detection-->
 			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
 			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery" condition="contains">census</QueryName>
@@ -5701,33 +5701,33 @@
 			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=Shadow DNS Query,Risk=20" condition="contains">shadow</QueryName>
 			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=Shodan.IO DNS Query,Risk=20" condition="contains">shodan</QueryName>
 			<!--Domain TLD's to log-->
-			<QueryName name="Level=0,Desc=Download TLD DNS Query" condition="end with">.download</QueryName>
-			<QueryName name="Level=0,Desc=North Korea TLD DNS Query" condition="end with">.kp</QueryName>
-			<QueryName name="Level=0,Desc=Soviet Union TLD DNS Query" condition="end with">.su</QueryName>
-			<QueryName name="Level=0,Desc=Sudan TLD DNS Query" condition="end with">.ss</QueryName>
-			<QueryName name="Level=0,Desc=Suspicious TLD .xn DNS Query" condition="end with">.xn</QueryName>
-			<QueryName name="Level=0,Desc=Syria TLD DNS Query" condition="end with">.sy</QueryName>
-			<QueryName name="Level=0,Desc=Venezuela TLD DNS Query" condition="end with">.ve</QueryName>
-			<QueryName name="Level=0,Desc=XXX TLD DNS Query" condition="end with">.xxx</QueryName>
-			<QueryName name="Level=0,Desc=China TLD DNS Query" condition="end with">.cn</QueryName>
-			<QueryName name="Level=0,Desc=Click TLD DNS Query" condition="end with">.click</QueryName>
-			<QueryName name="Level=0,Desc=Club TLD DNS Query" condition="end with">.club</QueryName>
-			<QueryName name="Level=0,Desc=IRAN TLD DNS Query" condition="end with">.ir</QueryName>
-			<QueryName name="Level=0,Desc=Russian TLD DNS Query" condition="end with">.ru</QueryName>
-			<QueryName name="Level=0,Desc=Suspicious TLD .Host DNS Query" condition="end with">.host</QueryName>
-			<QueryName name="Level=0,Desc=Suspicious TLD .ICU DNS Query" condition="end with">.icu</QueryName>
-			<QueryName name="Level=0,Desc=Suspicious TLD .PW DNS Query" condition="end with">.pw</QueryName>
-			<QueryName name="Level=0,Desc=Suspicious TLD .WEBSITE DNS Query" condition="end with">.website</QueryName>
-			<QueryName name="Level=0,Desc=Suspicious TLD .ninja DNS Query" condition="end with">.ninja</QueryName>
-			<QueryName name="Level=0,Desc=Suspicious TLD .rocks DNS Query" condition="end with">.rocks</QueryName>
-			<QueryName name="Level=0,Desc=Top TLD DNS Query" condition="end with">.top</QueryName>
-			<QueryName name="Level=0,Desc=Ukraine TLD DNS Query" condition="end with">.ua</QueryName>
-			<QueryName name="Level=0,Desc=XYZ TLD DNS Query" condition="end with">.xyz</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.download</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.kp</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.su</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ss</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xn</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sy</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ve</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xxx</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.cn</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.click</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.club</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ir</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ru</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.host</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.icu</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pw</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.website</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ninja</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.rocks</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.top</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ua</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xyz</QueryName>
 			<!--Malware Domains-->
-			<Rule name="Level=0,Desc=Suspicious Domain,Risk=20" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<QueryName condition="contains any">kuternull.com;rimrun.com;0ffice36o;asushotfix;infestexe;rahasn.webhop.org;rahasn.akamake.net;rahasn.homewealth.biz;winodwsupdates;israirairlines</QueryName>
 			</Rule>
-			<QueryName name="Level=0,Desc=DNS Query to Github,Risk=20" condition="contains any">githubusercontent.com;github.com</QueryName> 
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">githubusercontent.com;github.com</QueryName> 
 			<!--Common Suspicious destinations-->
 			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=0,Desc=Malware IP Check,Risk=30" condition="contains any">api.ipify.org;whatismyipaddress.com;edns.ip-api.com;checkip.dyndns.org;icanhazip.com;ifconfig.me;ifconfig.co;ipaddress.com;ipecho.net;ident.me;api.ip.sb;www.myexternalip.com;ip.anysrc.net;wtfismyip.com;myexternalip.com;ipecho.net;checkip.amazonaws.com;goo.gl;git.io;bit.ly;ow.ly;ip-api.com</QueryName> <!--Malware uses to get external IP address-->
 			<!-- Malicious/Suspicious hosting domains-->
@@ -5736,28 +5736,28 @@
 			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=3,Alert=Dynamic DNS Query" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</QueryName>
 			<QueryName name="Attack=T1188,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=4,Alert=Tor2Web,Risk=100" condition="contains any">darknet.to;hiddenservice.net;onion.cab;onion.city;onion.direct;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org</QueryName>
 			<QueryName name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=DNS Over HTTPS Detected" condition="contains any">adblock.mydns.network;ibksturm.synology.me;jcdns.fun;ibuki.cgnat.net;dns.twnic.tw;commons.host;doh.dnswarden.com;dns-nyc.aaflalo.me;dns.aaflalo.me;doh.appliedprivacy.net;doh.captnemo.in;doh.tiar.app;doh.tiarap.org;doh.defaultroutes.de;doh.dns.sb;dns.oszx.co;2.dnscrypt-cert.oszx.co;dnscrypt;edns.233py.com;hk-dns.233py.com;hk2dns.233py.com;hkdns.233py.com;hkdns.233py.com;ndns.233py.com;sdns.233py.com;wdns.233py.com;pastebin.com;dns.adguard.com;dns-family.adguard.com;security-filter-dns.cleanbrowsing.org;family-filter-dns.cleanbrowsing.org;adult-filter-dns.cleanbrowsing.org;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;dns.google;doh.opendns.com;dns.quad9.net;dns9.quad9.net;dns10.quad9.net;dns11.quad9.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;doh-ch.blahdns.com;doh-de.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;doh-2.seby.io;doh.seby.io;rdns.faelix.net;doh.li;doh.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk</QueryName>
-			<QueryName name="Level=0,Desc=DC Global Catalog Lookup" condition="begin with">gc._msdcs.</QueryName>
-			<QueryName name="Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._tcp.dc._msdcs.</QueryName>
-			<QueryName name="Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._udp.dc._msdcs.</QueryName>
-			<QueryName name="Level=0,Desc=Primary DC Lookup" condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
-			<QueryName name="Level=0,Desc=Web Proxy Auto-Discovery Protocol Lookup" condition="begin with">wpad</QueryName>
-			<Rule name="Level=3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">gc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_kerberos._tcp.dc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_kerberos._udp.dc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">wpad</QueryName>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level==3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
 				<QueryName condition="begin with">_ldap.</QueryName>
 				<Image condition="excludes">C:\Windows\</Image>
 				<Image condition="excludes">unknown process</Image>
 				<Image condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</Image>
 			</Rule>
 			<!--
-			<QueryResults name="Level=0,Desc=AAAA Lookup" condition="begin with">type:  28</QueryResults>
-			<QueryResults name="Level=0,Desc=CNAME Lookup" condition="begin with">type:  5</QueryResults>
-			<QueryResults name="Level=0,Desc=MX Lookup" condition="begin with">type:  15</QueryResults>
-			<QueryResults name="Level=0,Desc=Name Server" condition="begin with">type:  2</QueryResults>
-			<QueryResults name="Level=0,Desc=PTR Lookup" condition="begin with">type:  12</QueryResults>
-			<QueryResults name="Level=0,Desc=SOA Lookup" condition="begin with">type:  6</QueryResults>
-			<QueryResults name="Level=0,Desc=SPF Lookup" condition="begin with">type:  99</QueryResults>
-			<QueryResults name="Level=0,Desc=SRV Lookup" condition="begin with">type:  33</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  28</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  5</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  15</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  2</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  12</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  6</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  99</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  33</QueryResults>
 			-->
-			<Image name="Information=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
 		</DnsQuery>
 	</RuleGroup>
 	<RuleGroup name="RG=DNS Query Excludes" groupRelation="or">
@@ -6029,7 +6029,7 @@
 	<!--SYSMON EVENT ID 25 : Process tampering events-->
 	<RuleGroup name="RG=Process Tampering Includes" groupRelation="or">
 		<ProcessTampering onmatch="include">
-			<Rule name="Level=0,Desc=Process Tampering Detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">.;&gt;;unknown;anonymous</Image>
 				<Image condition="excludes">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
 				<Image condition="excludes">C:\Program Files (x86)\Symantec\</Image>
@@ -6040,7 +6040,7 @@
 	</RuleGroup>
 	<RuleGroup name="RG=Process Tampering Excludes" groupRelation="or">
 		<ProcessTampering onmatch="exclude">
-			<Rule name="Level=0,Desc=exclude common noise" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">\BHO\ie_to_edge_stub.exe;\Microsoft\Teams\;\Vivaldi\Application\;Google\Chrome\;Google\Update;BraveSoftware\Brave-Browser\;Edge\Application\;EdgeUpdate\Install\;Program Files\SmartGit\</Image>
 			</Rule>
 		</ProcessTampering>
@@ -6060,35 +6060,35 @@
 	<!--SYSMON EVENT ID 27 : FILE BLOCK [FileBlockExecutable]-->
 	<RuleGroup name="RG=ImageBlock Include Group" groupRelation="or">
 		<FileBlockExecutable onmatch="include">
-			<Rule name="Level=0,Desc=Block Office from Creating Executables" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">OUTLOOK.exe;WINWORD.exe;EXCEL.EXE;powerpnt.exe;msaccess.exe;mspub.exe;eqnedt32.exe;visio.exe;wordpad.exe;wordview.exe;msohtmed.exe;lync.exe;teams.exe</Image>
 				<TargetFilename condition="excludes any">:\Program Files\Microsoft Office\;:\Program Files (x86)\Microsoft Office\</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Block Web Servers from creating binary files" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">w3wp.exe;tomcat;apache;nginx;httpd</Image>
 				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Block Powershell from downloading EXE" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">powershell.exel;powershell_ise.exe</Image>
 				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Block double extensions" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename>
 				<TargetFilename condition="contains any">.pdf;.doc;.xls;.doc;.ppt;.txt;.rtf;.htm;.iso;.zip;.rar;.7z</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Block PSexec and PSEXESVC from Dropping binaries" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
 				<Image condition="contains any">psexesvc</Image>
 				<Image condition="contains any">psexec</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Block wmiprvse.exe from Dropping binaries" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
 				<Image condition="is">wmiprvse.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Block executables from writing to Users\Public" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
 				<TargetFilename condition="excludes any">amdsfhdcd.bin</TargetFilename>
 				<Image condition="excludes any">intuit</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Block LOLbins that drop files" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<Image condition="contains any">AcroRd32.exe;notepad.exe;mshta.exe;hh.exe;certutil.exe;certoc.exe;certreq.exe;desktopimgdownldr.exe;esentutl.exe;finger.exe;presentationhost.exe;cscript.exe;wscript.exe;mspaint.exe;RdrCEF.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1311,Technique=User Execution: Malicious File,Tactic=Execution,Level=4,Alert=Malicious File Detection,Author=Florian Roth" groupRelation="or">

From 2c4d896122cb0193e7e6731759e18b6d8de0a08b Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 23 Sep 2022 11:10:27 -0400
Subject: [PATCH 363/471] Fix dupe ='s

---
 sysmonconfig-export.xml | 62 ++++++++++++++++++++---------------------
 1 file changed, 31 insertions(+), 31 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 0e7633fa..9fa80068 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -312,7 +312,7 @@
 			</Rule>
 			<CommandLine name="Attack=T1059.001,Technique=PowerShell,Tactic=Execution,Level=4,Alert=invoke-shellcode,Risk=100" condition="contains">Shellcode</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
-			<Image name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
 			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">python.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
 			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,Level=3,Alert=JAVA DLL exec" condition="contains">-agentpath:</CommandLine>
@@ -904,7 +904,7 @@
 				<CommandLine condition="contains">0x</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information: Compile After Delivery-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
 				<Image condition="image">csc.exe</Image>
 				<CommandLine condition="contains any">\AppData\;\Windows\Temp\</CommandLine>
 			</Rule>
@@ -1679,7 +1679,7 @@
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Sysinternals PsPasswd" condition="contains">PsPasswd</Image>
 			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">mstsc.exe</Image>
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
 			<CommandLine name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=IIS powershellcustomhost exec" condition="contains">powershellcustomhost</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Remote Services: Distributed Component Object Model-->
 			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement" groupRelation="and">
@@ -1960,7 +1960,7 @@
 			<!--Malicious Keywords Credits: Sean Metcalf (source), Florian Roth (rule)-->
 			<CommandLine name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,Level=4,Alert=Malicious Keywords from Exploitation Frameworks" condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
 			<!--Crypto Currency Miner Detections-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
 				<CommandLine condition="contains any">ahashpool;blazepool;blockmasters;blockmasterscoins;ccminer;cgminer;coinhive;hashrefinery;minergate;miningpoolhubcoins;nicehash;poolname;poolpassword;poolurl;rainbowminer;sgminer;stratum+tcp;xmrMiner;xmrig;yiimp;zergpool;zergpoolcoins;zpool</CommandLine>
 				<Description condition="contains any">CPU miner;GPU miner;Lime Miner;XMRig CPU miner; miner</Description>
 			</Rule>
@@ -1968,9 +1968,9 @@
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst hashes,Risk=100" groupRelation="and">
 				<Hashes condition="contains any">b91ce2fa41029f6955bff20079468448;02af7cec58b9a5da1c542b5a32151ba1;2c4a910a1299cdae2a4e55988a2f102e;846e27a652a5e1bfbd0ddd38a16dc865;4f2eb62fa529c0283b28d05ddd311fae;56ceb6d0011d87b6e4d7023d7ef85676</Hashes>
 			</Rule>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
+			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
+			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
+			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
 			<Hashes name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=4,Alert=Generic APT Hash Detection,Risk=100" condition="contains any">4a069c1abe5aca148d5a8fdabc26751e;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;a4b42c2c95d1f2ff12171a01c86cd64f;98908ce6f80ecc48628c8d2bf5b2a50c;849a2b0dc80aeca3d175c139efe5221c;807d86da63f0db1fc746d1f0b05bc357;322cb39bc049aa69136925137906d855;86A4CAC227078B9C95C560C8F0370BF0;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;eac3e3ece94bc84e922ec077efb15edd;b4abe604916c04fe3dd8b9cb3d501d3f;88777aacd5f16599547926a4c9202862;128CECC59C91C0D0574BC1075FE7CB40;17a36ac3e31f3a18936552aff2c80249;0f49621b06f2cdaac8850c6e9581a594;3d129263f6a48647f103a04446fb0c2f;71345b139166482acaa568ac8816c7bc;1b60021baedc3f9201bcdb40e9b87f62;5E022694C0DBD1FBBC263D608E577949;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;37cd353621b0f4fc6981b50071c94f01;daf2da52475fd8981b19ec3c321a983c;afcdf79be1557326c854b6e20cb900a7;2f40abbb4f78e77745f0e657a19903fc953cc664;37b4496e650b3994312c838435013560b3ca8571;478dc5a5f934c62a9246f7d1fc275868f568bc07;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;0ac48cfa2ff8351365e99c1d26e082ad;0e9afd3a870906ebf34a0b66d8b07435;1aadf739782afcae6d1c3e4d1f315cbd;2a6f7ec77ab6bd4297e7b15ae06e2e61;3a771efb7ba2cd0df247ab570e1408b2;3d75c72144d873b3c1c4977fbafe9184;3dfebce4703f30eed713d795b90538b5;3ffd2915d285ad748202469d4a04e1f5;4e39620afca6f60bb30e031ddc5a4330;6cfd131fef548fcd60fbcdb59317df8e;7bcd736a2394fc49f3e27b3987cce640;7bfba2c69bed6b160261bdbf2b826401;7bfbd72441e1f2ed48fbc0f33be00f24;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;08e82dc7bae524884b7dc2134942aadb;8da15a97eaf69ff7ee184fc446f19cf1;9ad6fa6fdedb2df8055b3d30bd6f64f1;9c115e9a81d25f9d88e7aaa4313d9a8f;16ab79fb2fd92db0b1f38bedb2f02ed8;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;22d142f11cf2a30ea4953e1fffb0fa7e;36db24006e2b492cafb75f2663f241b2;51a7068640af42c3a7c1b94f1c11ab9d;69a19abf5ba56ee07cdd3425b07cf8bf;72dc98449b45a7f1ccdef27d51e31e91;77a745b07d9c453650dd7f683b02b3ed;80c37e062aa4c94697f287352acf2e9d;92f8e3f0f1f7cc49fad797a62a169acd;235d427f94630575a4ea4bff180ecf5d;320b2f1d9551b5d1df4fb19bd9ab253a;490a140093b5870a47edc29f33542fd2;520ee02668a1c7b7c262708e12b1ba6b;649ef1dd4a5411d3afcf108d57ff87af;684eca6b62d69ce899a3ec3bb04d0a5b;815f1f8a7bc1e6f94cb5c416e381a110;0969b2b399a8d4cd2d751824d0d842b4;2317d65da4639f4246de200650a70753;04078ef95a70a04e95bda06cc7bec3fa;8035a8a143765551ca7db4bc5efb5dfd;8403a28e0bffa9cc085e7b662d0d5412;9003cfaac523e94d5479dc6a10575e60;9793afcea43110610757bd3b800de517;27612cb03c89158225ca201721ea1aad;44619a88a6cff63523163c6a4cf375dd;061089d8cb0ca58e660ce2e433a689b3;81229c1e272218eeda14892fa8425883;84730a6e426fbd3cf6b821c59674c8a0;533340c54bd25256873b3dca34d7f74e;57314359df11ffdf476f809671ec0275;99828721ac1a0e32e4582c3f615d6e57;412956675fbc3f8c51f438c1abc100eb;5985087678414143d33ffc6e8863b887;a43d3b31575846fa4c3992b4143a06da;a571660c9cf1696a2f4689b2007a12c7;b4e67706103c3b8ee148394ebee3f268;b9c208ea8115232bfd9ec2c62f32d6b8;b9cf4301b7b186a75e82a04e87b30fe4;b72737b464e50aa3664321e8e001ff32;bfe3f6a79cad5b9c642bb56f8037c43b;c0e72eb4c9f897410c795c1b360090ef;c1e7850da5604e081b9647b58248d7e8;c3e255888211d74cc6e3fb66b69bbffb;cacaa3bf3b2801956318251db5e90f3c;cdb303f61a47720c7a8c5086e6b2a743;ce8ce92fb6565181572dce00d69c24f8;d8f1356bebda9e77f480a6a60eab36bb;d9e9f22988d43d73d79db6ee178d70a4;d5377dc1821c935302c065ad8432c0d2;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;f559c87b4a14a4be1bd84df6553aaf56;fc53f2cd780cd3a01a4299b8445f8511;ffc7305cb24c1955f9625e525d58aeee</Hashes>
 			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=4,Alert=Windows Credential Editor Detection,Risk=70" condition="contains any">e96a73c7bf33a464c510ede582318bf2;a53a02b997935fd8eedcb5f7abab9b9f</Hashes>
 			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Ransomware Hash Detection,Risk=100" condition="contains any">d326e629a90e78825645963b35e53a6a;c579341f86f7e962719c7113943bb6e4;dc5733c013378fa418d13773f5bfe6f1;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc7e564809d6c2a2f3457c3c9b91f22b;FE2CA1BE3BDA2A757036A89E54CC02DB;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b</Hashes>
@@ -2052,22 +2052,22 @@
 			</Rule>
 			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Permission Modifications with icacls or cacls" condition="contains">cacls</Image>
 			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Ownership Permission Modifications with takeown" condition="contains">takeown</Image>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
+			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
 			<Rule  name="Attack=None,Technique=None,Tactic=None,Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
 				<CommandLine condition="contains">\pipe\</CommandLine>
 				<CommandLine condition="excludes">&gt;</CommandLine> <!--Excludes piping to pipe for cobalt strike detection-->
 			</Rule>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
+			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
+			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
 			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\\tsclient</CommandLine>
 			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">%PROCESSOR_ARCHITECTURE%</CommandLine>
 			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">sysnative</CommandLine>
 			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">AutoIt</Description>
 			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft Filter Loader</Description> 
-			<Image name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=interactive command to slow output" condition="is">more.com</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=interactive command to slow output" condition="is">more.com</Image>
 			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">:\Windows\Microsoft.NET\</Image>
 			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">acrord32.exe</Image>
 			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">gpupdate.exe</Image>
@@ -2230,7 +2230,7 @@
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from wwwroot folder: Possible webshell,Risk=100" groupRelation="and">
 				<Image condition="contains">\wwwroot\</Image>
 			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from Windows\repair Folder,Risk=70" condition="begin with">C:\Windows\repair\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from htdocs folder,Risk=70" condition="contains">\htdocs\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from systemprofile Folder,Risk=30" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
@@ -2543,7 +2543,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
 			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
+			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<!--UEBA Rules-->
@@ -2580,7 +2580,7 @@
 				<SourceIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</SourceIp>
 				<Initiated>false</Initiated>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Notepad connecting to the internet" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Notepad connecting to the internet" groupRelation="and">
 				<Image condition="image">notepad.exe</Image>
 				<DestinationIp condition="excludes">127.0.0.1</DestinationIp>
 			</Rule>
@@ -3092,7 +3092,7 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
 				<SignatureStatus condition="is">Expired</SignatureStatus>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=HTA Exec with IE JS Engine AMSI Bypass" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=HTA Exec with IE JS Engine AMSI Bypass" groupRelation="and">
 				<ImageLoaded condition="end with">jscript9.dll</ImageLoaded>
 				<Image condition="image">mshta.exe</Image>
 			</Rule>
@@ -3426,8 +3426,8 @@
 				<TargetImage condition="excludes">C:\WINDOWS\system32\sihost.exe</TargetImage>
 				<TargetImage condition="excludes">C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub</TargetImage>
 			</Rule>
-			<CallTrace name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
+			<CallTrace name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
 				<CallTrace condition="contains">|UNKNOWN(</CallTrace>
 				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
 				<CallTrace condition="contains">|C:\WINDOWS\System32\KERNELBASE.dll+</CallTrace>
@@ -3435,11 +3435,11 @@
 				<GrantedAccess condition="contains any">0x1028;0x1fffff</GrantedAccess>
 				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git\</SourceImage>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=Potential MalDoc Behavior" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
 				<SourceImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</SourceImage>
 				<CallTrace condition="contains all">:\Windows\Microsoft.NET\Framework64\v2.;UNKNOWN</CallTrace>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Potential Metasploit Process Migration" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Potential Metasploit Process Migration" groupRelation="and">
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 				<GrantedAccess condition="contains">0x147a</GrantedAccess>
 			</Rule>
@@ -3630,7 +3630,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: User Execution: Malicious File-->
 			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Generic Ransomware Detection" groupRelation="and">
-				<TargetFilename condition="contains any">!!!-WARNING-!!!.html;!!!-WARNING-!!!.txt;!!! HOW TO DECRYPT FILES !!!;!!!README!!!;!!!READ_TO_UNLOCK!!!.TXT;!!!_READ_ME_;!Recovery_;!Where_are_my_files!.html;!_HOW_TO_RESTORE_;!_RECOVERY_HELP_!.txt;!recover!;# DECRYPT MY FILES #.html;# DECRYPT MY FILES #.txt;# DECRYPT MY FILES #.vbs;# SATAN CRYPTOR #;+recover+;.8lock8;.31392E30362E32303136_;.ABCDEF;.CIop;.CR1;.CRAB;.CRYPTOSHIELD;.Cl0p;.Contact_Here_To_Recover_Your_Files.txt;.CryptoTorLocker2015!;.HERMES;.HakunaMatata;.How_To_Decrypt.txt;.How_To_Get_Back.txt;.KEYZ.KEYH0LES;.L0CKED;.LOL!;.MATRIX;.OMG!;.R.i.P;.RMCM1;.RSplited;.SUPERCRYPT;.SecureCrypted;.TheTrumpLocker;.VBRANSOM;.VforVendetta;.Where_my_files.txt;.XBTL;._AiraCropEncrypted!;.airacropencrypted!;.areyoulovemyrans;.berkshire;.bitpy;.bitx;.blocatto;.bomber;.braincrypt;.breakingbad;.breeding123;.cerber;.cifgksaffsfyghd;.country82000;.crypt;.crypted;.crypton;.cryptotorlocker;.decrypt2017;.deria;.dglnl;.disposed2017;.doomed;.encrypted.locked;.encrypted;.encryptedyourfiles;.enjey;.evillock;.filegofprencrp;.fileiscryptedhard;.firecrypt;.fuckyourdata;.gangbang;.gefickt;.googl;.happydayzz;.hceem;.helpdecrypt;.helpmeencedfiles;.hnumkhotep;.hydracrypt_ID;.iaufkakfhsaraf;.info.txt;.jimm;.kharma;.killedXXX;.lambda_l0cked;.letmetrydecfiles;.locked;.locker16;.loveransisgood;.lovewindows;.magic_software_syndicate;.mention9823;.moments2900;.myrandsext2017;.newlock;.no_more_ransom;.nochance;.noproblemwedecfiles;.notfoundrans;.ohwqg;.one-we_can-help_you;.oops;.osiris;.otherinformation;.paytounlock;.powerfulldecrypt;.powned;.pr0lock;.prolock;.prosperous666;.pwnd;.ransom;.readme2unlock;.righ;.roger;.ryk;.satan;.savethequeen;.sigaint.org;.skjdthghh;.skynet;.snatch;.stubbin;.supported2017;.suppose666;.theworldisyours;.txd0t;.warn_wallet;.weapologize;.weareyourfriends;.weencedufiles;.wowreadfordecryp;.wowwhereismyfiles;.wvtr0;.yourransom;.zzzzz ;.{CRYPTENDBLACKDC};-DECRYPT.txt;000-IF-YOU-WANT-DEC-FILES;000-No-PROBLEM-WE-DEC-FILES;000-PLEASE-READ-WE-HELP;001-READ-FOR-DECRYPT-FILES;1025-7152.exe;:\windows\update_collector.exe;==READ==THIS==PLEASE==;@cock.li;@countermail.com;@firemail.cc;@india.com;@mail.ru;@ukr.net;ASSISTANCE_IN_RECOVERY;ATTENTION!!!.txt;ATTENTION.url;Aescrypt.exe;AllFilesAreLocked;BTC_DECRYPT_FILES;BUYUNLOCKCODE.txt;BUYUNLOCKCODE;BitCryptorFileList.txt;C:\ProgramData\dtb.dat;C:\Programdata\WinMgr;C:\Programdata\clean.bat;C:\Programdata\run.bat;C:\Windows\svchost.exe;CEBER3;CHECK-IT-HELP-FILES;COME_RIPRISTINARE_I_FILE.;COMO_ABRIR_ARQUIVOS.txt;COMO_RESTAURAR_ARCHIVOS;Coin.Locker.txt;Comment débloquer mes fichiers.txt;Como descriptografar seus arquivos.txt;Corona-virus-Map;Corona.bat;Corona.sfx;CryptoRansomware;Crytp0l0cker;Cyber SpLiTTer Vbs.exe;Cyborg_DECRYPT;DALE_FILES.TXT;DECRYPT-FILES;DECRYPTION INSTRUCTIONS.;DECRYPTION_HOWTO.Notepad;DECRYPT_INFORMATION;DECRYPT_INSTRUCTION.HTML;DECRYPT_INSTRUCTION.URL;DECRYPT_INSTRUCTIONS.html;DECRYPT_INSTRUCTIONS;DECRYPT_ReadMe1.TXT;DECRYPT_Readme.TXT.ReadMe;DECRYPT_YOUR_FILES;DESIFROVANI_POKYNY.html;Decrypt All Files;DecryptAllFiles;DecryptFile;Decrypt_readme.txt;DesktopOsiris;ENTSCHLUSSELN_HINWEISE.html;EdgeLocker;FILESAREGONE.txt;FILES_BACK.txt;File Decrypt Help.html;GJENOPPRETTING_AV_FILER;GetYouFiles.txt;HAPPEN-ENCED-FILES;HELLOTHERE.TXT;HELP-ME-ENCED-FILES;HELPDECRYPT_YOUR_FILES.HTML;HELP_DECRYPT.HTML;HELP_DECRYPT.PNG;HELP_DECRYPT.URL;HELP_DECRYPT.lnk;HELP_ME_PLEASE.txt;HELP_RESTORE_FILES_;HELP_TO_SAVE_FILES.bmp;HELP_TO_SAVE_FILES;HELP_YOURFILES.HTML;HELP_YOUR_FILES.PNG;HELP_YOUR_FILES.html;HELP_YOUR_FILES;HOW-TO-DECRYPT-FILES.HTML;HOW-TO-RESTORE-FILES;HOW TO BACK YOUR FILES;HOW TO DECRYPT FILES.HTML;HOW TO DECRYPT FILES.txt;HOW TO RECOVER;HOWTO_RECOVER_FILES_;HOWTO_RESTORE_FILES;HOWTO_RESTORE_FILES_;HOW_DECRYPT.HTML;HOW_DECRYPT.TXT;HOW_DECRYPT.URL;HOW_OPEN_FILES;HOW_TO_DECRYPT.HTML;HOW_TO_DECRYPT_;HOW_TO_PAY_THE_RANSOM;HOW_TO_RESTORE_FILES.html;HOW_TO_RESTORE_FILES;HOW_TO_RESTORE_YOUR_DATA;HOW_TO_UNLOCK_FILES_README_;HWID Lock.exe;Hacked_Read_me_to_decrypt_files.html;Help Decrypt.html;How decrypt files.hta;How to decrypt LeChiffre files.html;How to decrypt your data.txt;HowDecrypt.gif;HowDecrypt.txt;How_to_decrypt_your_files.jpg;How_to_restore_files.hta;HowtoRestore_File;HowtoRestore_Files;Howto_RESTORE_FILES.html;Howto_Restore_FILES.TXT;IAMREADYTOPAY.TXT;IF-YOU-WANT-DEC-FILES;IF_WANT_FILES_BACK_PLS_READ.html;IHAVEYOURSECRET.KEY;IMPORTANT READ ME.txt;IMPORTANT.README;INSTALL_TOR.URL;INSTRUCCIONES;INSTRUCCIONES_DESCIFRADO.html;INSTRUCTION RESTORE FILE;INSTRUCTIONS_DE_DECRYPTAGE.html;INSTUCCIONES_DESCRIFRADO;ISTRUZIONI_DECRITTAZIONE.html;Important!.txt;Instructionaga.txt;KryptoLocker_README.txt;LEER_INMEDIATAMENTE;LET-ME-TRY-DEC-FILES;Locked-by-Mafia;MENSAGEM.txt;MERRY_I_LOVE_YOU_BRUCE.hta;No-PROBLEM-WE-DEC-FILES;OKSOWATHAPPENDTOYOURFILES.TXT;ONTSLEUTELINGS_INSTRUCTIES.html;OSIRIS-;PAYLOADBIN;PINGY@INDIA.COM;PLEASE-READ-WE-HELP.;PLEASE-READIT-IF_YOU-WANT.html;PLEASE-READIT-IF_YOU-WANT;PLEASE-README-AFFECTED-FILES;PLS-DEC-MY-FILES;PURELOCKER;Payment_Instructions.jpg;Please Read Me!!!;READ-FOR-DECCCC-FILESSS;READ-FOR-DECRYPT-FILES;READ-READ-READ;READ IF YOU WANT YOUR FILES BACK.html;READ ME FOR DECRYPT.txt;README HOW TO DECRYPT YOUR FILES.HTML;README!!!;README_DECRYPT_HYDRA_ID_;README_DECRYPT_HYRDA_ID_;README_DECRYPT_UMBRE_ID_;README_DONT_DELETE;README_HOW_TO_UNLOCK.HTML;README_HOW_TO_UNLOCK.TXT;README_RECOVER_FILES_;README_TO_RECURE_YOUR_FILES;READTHISNOW!!!.txt;READ_IT.txt;READ_ME_!.txt;READ_ME_TO_DECRYPT_YOU_INFORMA;READ_THIS_TO_DECRYPT.html;RECOVER-FILES;RECOVERY_FILE.;RECOVERY_FILES.TXT;RECOVER_MY_FILE;RESTORE_CORUPTED_FILES;RESTORE_FILES_;RETURN FILES.txt;RETURN YOUR FILES;RETURNFILES_.txt;RETURN_FILES.txt;RETURN_FILES_.txt;Rans0m_N0te_Read_ME;Read Me (How Decrypt) !!!!.txt;ReadDecryptFilesHere;Read_this_file.txt;Receipt.exe;RecoveryManual.html;Recovery_File_;Recovery_file_;Rooster865qq;SECRET.KEY;SECRETIDHERE.KEY;SHTODELATVAM.txt;SIFRE_COZME_TALIMATI.html;SORRY-FOR-FILES;Survey Locker.exe;TRY-READ-ME-TO-DEC;Temp\satan\satan;ThxForYurTyme;UNLOCK_FILES_INSTRUCTIONS.html;UNLOCK_FILES_INSTRUCTIONS.txt;UnblockFiles.vbs;VIP72.exe;Vape Launcher.exe;WANT_FILES_BACK;WE-MUST-DEC-FILES;WHERE-YOUR-FILES;WORMKILLER@INDIA.COM.XTBL;What happen to my files.txt;Whereisyourfiles;WindowsApplication1.exe;YOUGOTHACKED.TXT;YOUR_FILES.txt;YOUR_FILES.url;YOUR_FILES_ARE_DEAD;YOUR_FILES_ARE_ENCRYPTED.HTML;YOUR_FILES_ARE_ENCRYPTED.TXT;YOUR_FILES_ARE_LOCKED.txt;Your files are locked !!!!.txt;Your files are locked !!!.txt;Your files are locked !!.txt;Your files are locked !.txt;Your files encrypted by our friends !!! txt;Your files encrypted by our friends !!!.txt;[KASISKI];_Adatok_visszaallitasahoz_utasitasok;_DECRYPT_ASSISTANCE_;_DECRYPT_INFO_;_DECRYPT_INFO_szesnl;_DEC_FILES.;_FILES_WERE_ENCRYPTED_@.TXT;_HELP_HELP_HELP_;_HELP_Recover_Files_;_HELP_instructions.bmp;_HELP_instructions.txt;_HOWDO_text.bmp;_HOWDO_text.html;_HOW_TO_Decrypt;_H_e_l_p_RECOVER_INSTRUCTIONS+;_H_e_l_p_RECOVER_INSTRUCTIONS;_Locky_recover;_Locky_recover_instructions.bmp;_Locky_recover_instructions.txt;_README.hta;_README.jpg;_READ_ME!;_RECOVER_INSTRUCTIONS;_ReCoVeRy_+;_USE_TO_FIX_;_WHAT_is.html;_help_instruct;_how_recover.txt;_how_recover;_how_recover_;_recover_;_secret_code.txt;_steaveiwalker@india.com_;aeroware;confirmation.key;contains(to_string($message.file_created), "howrecover+;crjoker.html;cryptinfo.txt;cryptolocker.;cryptopp;de_crypt_readme.;de_crypt_readme.bmp;de_crypt_readme.html;de_crypt_readme.txt;decipher_ne;decrypt-instruct;decrypt explanations.;decrypt my file;decrypt your file;decrypt_Globe;decrypt_instruct;decrypted_files.dat;decryptional;decryptmyfiles;decypt_your_files.html;default32643264.bmp;default432643264.jpg;email-salazar_slytherin10;enc_files.txt;encryptor_raas_readme_liesmich;enigma.hta;enigma_encr.txt;exit.hhr.obleep;fattura_;file0locked;files_are_encrypted.;-filesencrypted;firemail.cc;firstransomware.exe;gmx.de;hacks.at.sigaint.org;help-file-decrypt.enc;help_decrypt;help_file_;help_instructions.;help_my_files;help_recover;help_recover_instructions;help_restore;help_restore_files;help_your_file;helpmeencedfiles;how to decrypt aes files.lnk;how to decrypt;how to get data.txt;how_decrypt.gif;how_recover;how_to_decrypt;how_to_recover;howrecover+ recoveryfile_;howrecover+;howto_recover_file;howto_restore;howtodecrypt;howtodecryptaesfiles.txt;inbox.ru;info@kraken.cc_worldcza@email.cz;install_tor;iran.ir;last_chance.txt;maestro@pizzacrypts.info;maxcrypt.bmp;only-we_can-help_you;openforyou@india.com;opensourcemail.org;padcrypt;paycrypt.bmp;popcorn_time.exe;powerfulldecrypt;protonmail.ch;qbmail.biz;randomname;readme_decrypt;readme_for_decrypt;readme_liesmich_encryptor_raas;recover_file;recover_file_;recover_instruction;recoverfile;recoverfile_;recovery+;recovery_file.txt;recovery_key.txt;recoveryfile;recover}-;restore_files.txt;restorefiles;restorefiles_;ryukreadme.html;tuta.io;tutanota.com;tutanota.de;unCrypte;vault.hta;vault.key;vault.txt;want your files back.;warning-!!;wie_zum_Wiederherstellen_von_Dateien.txt;wowreadfordecryp;wowwhereismyfiles;zXz.html;zycrypt.;zzzzzzzzzzzzzzzzzyyy</TargetFilename>
+				<TargetFilename condition="contains any">!!!-WARNING-!!!.html;!!!-WARNING-!!!.txt;!!! HOW TO DECRYPT FILES !!!;!!!README!!!;!!!READ_TO_UNLOCK!!!.TXT;!!!_READ_ME_;!Recovery_;!Where_are_my_files!.html;!_HOW_TO_RESTORE_;!_RECOVERY_HELP_!.txt;!recover!;# DECRYPT MY FILES #.html;# DECRYPT MY FILES #.txt;# DECRYPT MY FILES #.vbs;# SATAN CRYPTOR #;+recover+;.8lock8;.31392E30362E32303136_;.ABCDEF;.CIop;.CR1;.CRAB;.CRYPTOSHIELD;.Cl0p;.Contact_Here_To_Recover_Your_Files.txt;.CryptoTorLocker2015!;.HERMES;.HakunaMatata;.How_To_Decrypt.txt;.How_To_Get_Back.txt;.KEYZ.KEYH0LES;.L0CKED;.LOL!;.MATRIX;.OMG!;.R.i.P;.RMCM1;.RSplited;.SUPERCRYPT;.SecureCrypted;.TheTrumpLocker;.VBRANSOM;.VforVendetta;.Where_my_files.txt;.XBTL;._AiraCropEncrypted!;.airacropencrypted!;.areyoulovemyrans;.berkshire;.bitpy;.bitx;.blocatto;.bomber;.braincrypt;.breakingbad;.breeding123;.cerber;.cifgksaffsfyghd;.country82000;.crypt;.crypted;.crypton;.cryptotorlocker;.decrypt2017;.deria;.dglnl;.disposed2017;.doomed;.encrypted.locked;.encrypted;.encryptedyourfiles;.enjey;.evillock;.filegofprencrp;.fileiscryptedhard;.firecrypt;.fuckyourdata;.gangbang;.gefickt;.googl;.happydayzz;.hceem;.helpdecrypt;.helpmeencedfiles;.hnumkhotep;.hydracrypt_ID;.iaufkakfhsaraf;.info.txt;.jimm;.kharma;.killedXXX;.lambda_l0cked;.letmetrydecfiles;.locked;.locker16;.loveransisgood;.lovewindows;.magic_software_syndicate;.mention9823;.moments2900;.myrandsext2017;.newlock;.no_more_ransom;.nochance;.noproblemwedecfiles;.notfoundrans;.ohwqg;.one-we_can-help_you;.oops;.osiris;.otherinformation;.paytounlock;.powerfulldecrypt;.powned;.pr0lock;.prolock;.prosperous666;.pwnd;.ransom;.readme2unlock;.righ;.roger;.ryk;.satan;.savethequeen;.sigaint.org;.skjdthghh;.skynet;.snatch;.stubbin;.supported2017;.suppose666;.theworldisyours;.txd0t;.warn_wallet;.weapologize;.weareyourfriends;.weencedufiles;.wowreadfordecryp;.wowwhereismyfiles;.wvtr0;.yourransom;.zzzzz ;.{CRYPTENDBLACKDC};-DECRYPT.txt;000-IF-YOU-WANT-DEC-FILES;000-No-PROBLEM-WE-DEC-FILES;000-PLEASE-READ-WE-HELP;001-READ-FOR-DECRYPT-FILES;1025-7152.exe;:\windows\update_collector.exe;=READ=THIS=PLEASE=;@cock.li;@countermail.com;@firemail.cc;@india.com;@mail.ru;@ukr.net;ASSISTANCE_IN_RECOVERY;ATTENTION!!!.txt;ATTENTION.url;Aescrypt.exe;AllFilesAreLocked;BTC_DECRYPT_FILES;BUYUNLOCKCODE.txt;BUYUNLOCKCODE;BitCryptorFileList.txt;C:\ProgramData\dtb.dat;C:\Programdata\WinMgr;C:\Programdata\clean.bat;C:\Programdata\run.bat;C:\Windows\svchost.exe;CEBER3;CHECK-IT-HELP-FILES;COME_RIPRISTINARE_I_FILE.;COMO_ABRIR_ARQUIVOS.txt;COMO_RESTAURAR_ARCHIVOS;Coin.Locker.txt;Comment débloquer mes fichiers.txt;Como descriptografar seus arquivos.txt;Corona-virus-Map;Corona.bat;Corona.sfx;CryptoRansomware;Crytp0l0cker;Cyber SpLiTTer Vbs.exe;Cyborg_DECRYPT;DALE_FILES.TXT;DECRYPT-FILES;DECRYPTION INSTRUCTIONS.;DECRYPTION_HOWTO.Notepad;DECRYPT_INFORMATION;DECRYPT_INSTRUCTION.HTML;DECRYPT_INSTRUCTION.URL;DECRYPT_INSTRUCTIONS.html;DECRYPT_INSTRUCTIONS;DECRYPT_ReadMe1.TXT;DECRYPT_Readme.TXT.ReadMe;DECRYPT_YOUR_FILES;DESIFROVANI_POKYNY.html;Decrypt All Files;DecryptAllFiles;DecryptFile;Decrypt_readme.txt;DesktopOsiris;ENTSCHLUSSELN_HINWEISE.html;EdgeLocker;FILESAREGONE.txt;FILES_BACK.txt;File Decrypt Help.html;GJENOPPRETTING_AV_FILER;GetYouFiles.txt;HAPPEN-ENCED-FILES;HELLOTHERE.TXT;HELP-ME-ENCED-FILES;HELPDECRYPT_YOUR_FILES.HTML;HELP_DECRYPT.HTML;HELP_DECRYPT.PNG;HELP_DECRYPT.URL;HELP_DECRYPT.lnk;HELP_ME_PLEASE.txt;HELP_RESTORE_FILES_;HELP_TO_SAVE_FILES.bmp;HELP_TO_SAVE_FILES;HELP_YOURFILES.HTML;HELP_YOUR_FILES.PNG;HELP_YOUR_FILES.html;HELP_YOUR_FILES;HOW-TO-DECRYPT-FILES.HTML;HOW-TO-RESTORE-FILES;HOW TO BACK YOUR FILES;HOW TO DECRYPT FILES.HTML;HOW TO DECRYPT FILES.txt;HOW TO RECOVER;HOWTO_RECOVER_FILES_;HOWTO_RESTORE_FILES;HOWTO_RESTORE_FILES_;HOW_DECRYPT.HTML;HOW_DECRYPT.TXT;HOW_DECRYPT.URL;HOW_OPEN_FILES;HOW_TO_DECRYPT.HTML;HOW_TO_DECRYPT_;HOW_TO_PAY_THE_RANSOM;HOW_TO_RESTORE_FILES.html;HOW_TO_RESTORE_FILES;HOW_TO_RESTORE_YOUR_DATA;HOW_TO_UNLOCK_FILES_README_;HWID Lock.exe;Hacked_Read_me_to_decrypt_files.html;Help Decrypt.html;How decrypt files.hta;How to decrypt LeChiffre files.html;How to decrypt your data.txt;HowDecrypt.gif;HowDecrypt.txt;How_to_decrypt_your_files.jpg;How_to_restore_files.hta;HowtoRestore_File;HowtoRestore_Files;Howto_RESTORE_FILES.html;Howto_Restore_FILES.TXT;IAMREADYTOPAY.TXT;IF-YOU-WANT-DEC-FILES;IF_WANT_FILES_BACK_PLS_READ.html;IHAVEYOURSECRET.KEY;IMPORTANT READ ME.txt;IMPORTANT.README;INSTALL_TOR.URL;INSTRUCCIONES;INSTRUCCIONES_DESCIFRADO.html;INSTRUCTION RESTORE FILE;INSTRUCTIONS_DE_DECRYPTAGE.html;INSTUCCIONES_DESCRIFRADO;ISTRUZIONI_DECRITTAZIONE.html;Important!.txt;Instructionaga.txt;KryptoLocker_README.txt;LEER_INMEDIATAMENTE;LET-ME-TRY-DEC-FILES;Locked-by-Mafia;MENSAGEM.txt;MERRY_I_LOVE_YOU_BRUCE.hta;No-PROBLEM-WE-DEC-FILES;OKSOWATHAPPENDTOYOURFILES.TXT;ONTSLEUTELINGS_INSTRUCTIES.html;OSIRIS-;PAYLOADBIN;PINGY@INDIA.COM;PLEASE-READ-WE-HELP.;PLEASE-READIT-IF_YOU-WANT.html;PLEASE-READIT-IF_YOU-WANT;PLEASE-README-AFFECTED-FILES;PLS-DEC-MY-FILES;PURELOCKER;Payment_Instructions.jpg;Please Read Me!!!;READ-FOR-DECCCC-FILESSS;READ-FOR-DECRYPT-FILES;READ-READ-READ;READ IF YOU WANT YOUR FILES BACK.html;READ ME FOR DECRYPT.txt;README HOW TO DECRYPT YOUR FILES.HTML;README!!!;README_DECRYPT_HYDRA_ID_;README_DECRYPT_HYRDA_ID_;README_DECRYPT_UMBRE_ID_;README_DONT_DELETE;README_HOW_TO_UNLOCK.HTML;README_HOW_TO_UNLOCK.TXT;README_RECOVER_FILES_;README_TO_RECURE_YOUR_FILES;READTHISNOW!!!.txt;READ_IT.txt;READ_ME_!.txt;READ_ME_TO_DECRYPT_YOU_INFORMA;READ_THIS_TO_DECRYPT.html;RECOVER-FILES;RECOVERY_FILE.;RECOVERY_FILES.TXT;RECOVER_MY_FILE;RESTORE_CORUPTED_FILES;RESTORE_FILES_;RETURN FILES.txt;RETURN YOUR FILES;RETURNFILES_.txt;RETURN_FILES.txt;RETURN_FILES_.txt;Rans0m_N0te_Read_ME;Read Me (How Decrypt) !!!!.txt;ReadDecryptFilesHere;Read_this_file.txt;Receipt.exe;RecoveryManual.html;Recovery_File_;Recovery_file_;Rooster865qq;SECRET.KEY;SECRETIDHERE.KEY;SHTODELATVAM.txt;SIFRE_COZME_TALIMATI.html;SORRY-FOR-FILES;Survey Locker.exe;TRY-READ-ME-TO-DEC;Temp\satan\satan;ThxForYurTyme;UNLOCK_FILES_INSTRUCTIONS.html;UNLOCK_FILES_INSTRUCTIONS.txt;UnblockFiles.vbs;VIP72.exe;Vape Launcher.exe;WANT_FILES_BACK;WE-MUST-DEC-FILES;WHERE-YOUR-FILES;WORMKILLER@INDIA.COM.XTBL;What happen to my files.txt;Whereisyourfiles;WindowsApplication1.exe;YOUGOTHACKED.TXT;YOUR_FILES.txt;YOUR_FILES.url;YOUR_FILES_ARE_DEAD;YOUR_FILES_ARE_ENCRYPTED.HTML;YOUR_FILES_ARE_ENCRYPTED.TXT;YOUR_FILES_ARE_LOCKED.txt;Your files are locked !!!!.txt;Your files are locked !!!.txt;Your files are locked !!.txt;Your files are locked !.txt;Your files encrypted by our friends !!! txt;Your files encrypted by our friends !!!.txt;[KASISKI];_Adatok_visszaallitasahoz_utasitasok;_DECRYPT_ASSISTANCE_;_DECRYPT_INFO_;_DECRYPT_INFO_szesnl;_DEC_FILES.;_FILES_WERE_ENCRYPTED_@.TXT;_HELP_HELP_HELP_;_HELP_Recover_Files_;_HELP_instructions.bmp;_HELP_instructions.txt;_HOWDO_text.bmp;_HOWDO_text.html;_HOW_TO_Decrypt;_H_e_l_p_RECOVER_INSTRUCTIONS+;_H_e_l_p_RECOVER_INSTRUCTIONS;_Locky_recover;_Locky_recover_instructions.bmp;_Locky_recover_instructions.txt;_README.hta;_README.jpg;_READ_ME!;_RECOVER_INSTRUCTIONS;_ReCoVeRy_+;_USE_TO_FIX_;_WHAT_is.html;_help_instruct;_how_recover.txt;_how_recover;_how_recover_;_recover_;_secret_code.txt;_steaveiwalker@india.com_;aeroware;confirmation.key;contains(to_string($message.file_created), "howrecover+;crjoker.html;cryptinfo.txt;cryptolocker.;cryptopp;de_crypt_readme.;de_crypt_readme.bmp;de_crypt_readme.html;de_crypt_readme.txt;decipher_ne;decrypt-instruct;decrypt explanations.;decrypt my file;decrypt your file;decrypt_Globe;decrypt_instruct;decrypted_files.dat;decryptional;decryptmyfiles;decypt_your_files.html;default32643264.bmp;default432643264.jpg;email-salazar_slytherin10;enc_files.txt;encryptor_raas_readme_liesmich;enigma.hta;enigma_encr.txt;exit.hhr.obleep;fattura_;file0locked;files_are_encrypted.;-filesencrypted;firemail.cc;firstransomware.exe;gmx.de;hacks.at.sigaint.org;help-file-decrypt.enc;help_decrypt;help_file_;help_instructions.;help_my_files;help_recover;help_recover_instructions;help_restore;help_restore_files;help_your_file;helpmeencedfiles;how to decrypt aes files.lnk;how to decrypt;how to get data.txt;how_decrypt.gif;how_recover;how_to_decrypt;how_to_recover;howrecover+ recoveryfile_;howrecover+;howto_recover_file;howto_restore;howtodecrypt;howtodecryptaesfiles.txt;inbox.ru;info@kraken.cc_worldcza@email.cz;install_tor;iran.ir;last_chance.txt;maestro@pizzacrypts.info;maxcrypt.bmp;only-we_can-help_you;openforyou@india.com;opensourcemail.org;padcrypt;paycrypt.bmp;popcorn_time.exe;powerfulldecrypt;protonmail.ch;qbmail.biz;randomname;readme_decrypt;readme_for_decrypt;readme_liesmich_encryptor_raas;recover_file;recover_file_;recover_instruction;recoverfile;recoverfile_;recovery+;recovery_file.txt;recovery_key.txt;recoveryfile;recover}-;restore_files.txt;restorefiles;restorefiles_;ryukreadme.html;tuta.io;tutanota.com;tutanota.de;unCrypte;vault.hta;vault.key;vault.txt;want your files back.;warning-!!;wie_zum_Wiederherstellen_von_Dateien.txt;wowreadfordecryp;wowwhereismyfiles;zXz.html;zycrypt.;zzzzzzzzzzzzzzzzzyyy</TargetFilename>
 			</Rule>
 			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="contains">crackmapexec</TargetFilename>
 			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._AES.pyd</TargetFilename>
@@ -3773,8 +3773,8 @@
 				<TargetFilename condition="contains">\AppData\Temp\</TargetFilename>
 				<Image condition="excludes">C:\WINDOWS\system32\dxgiadaptercache.exe</Image>
 			</Rule>
-			<TargetFilename condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
-			<Image condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Files Created from">$Recycle.Bin</Image>
+			<TargetFilename condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
+			<Image condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files Created from">$Recycle.Bin</Image>
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Files Created within System Profile" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 				<TargetFilename condition="contains">\config\systemprofile\</TargetFilename>
@@ -4102,8 +4102,8 @@
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wscript.exe.log</TargetFilename>
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\regsvr32.exe.log</TargetFilename>
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Winrm Host Process" condition="end with">\UsageLogs\wsmprovhost.exe.log</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Link">.lnk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=URL">.url</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Link">.lnk</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=URL">.url</TargetFilename>
 			<!--Drivers dropped-->
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sys</TargetFilename>
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.inf</TargetFilename>
@@ -4563,7 +4563,7 @@
 				<EventType condition="is">CreateKey</EventType>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=Sysmon Manifest change detected,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=Sysmon Manifest change detected,Risk=30" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}</TargetObject>
 				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
 				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
@@ -5470,7 +5470,7 @@
 				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
 				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.vbs;.hta</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=HTML_Smuggling,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=HTML_Smuggling,Risk=50" groupRelation="and">
 				<TargetFilename condition="end with">:Zone.Identifier</TargetFilename>
 				<Contents condition="contains any">blob:;about:internet</Contents>
 			</Rule>
@@ -5684,7 +5684,7 @@
 				<QueryName condition="contains any">.slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com</QueryName>
 			</Rule>
 			<!--Crypto Currency Mining pools-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=10"  groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=10"  groupRelation="or">
 				<QueryName condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.nimpool.io;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool;analytics.blue;estream.to</QueryName>
 			</Rule>
 			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">graph.microsoft.com</QueryName>
@@ -5741,7 +5741,7 @@
 			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_kerberos._udp.dc._msdcs.</QueryName>
 			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
 			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">wpad</QueryName>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
 				<QueryName condition="begin with">_ldap.</QueryName>
 				<Image condition="excludes">C:\Windows\</Image>
 				<Image condition="excludes">unknown process</Image>

From 9f7e99a7e99380a9fba10c15b6a09befc35a2b63 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 23 Sep 2022 13:12:24 -0400
Subject: [PATCH 364/471] Revert "merge in changes from cyberkryption"

This reverts commit 7ec3de1a7741dcd6e077ae02d1a14b69aed347f1.
---
 sysmonconfig-export.xml | 1252 +++++++++++++++++++--------------------
 1 file changed, 626 insertions(+), 626 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 9fa80068..50017341 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -299,7 +299,7 @@
 				<Company condition="excludes any">Brother Industries;Thomson Reuters</Company>
 			</Rule>
 			<ParentCommandLine name="Attack=T1059.001,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=4,Alert=Metasploit Detection,Risk=90" condition="contains">COMSPEC</ParentCommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">ScriptFile</CommandLine>
+			<CommandLine name="Level=0,Desc=ScriptFile execution" condition="contains">ScriptFile</CommandLine>
 			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\7z</CommandLine><!-- exec from 7zip -->
 			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\Temp1_</CommandLine><!-- exec from explorer -->
 			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">\AppData\Local\Temp\Rar$</CommandLine><!-- exec from winrar -->
@@ -312,8 +312,8 @@
 			</Rule>
 			<CommandLine name="Attack=T1059.001,Technique=PowerShell,Tactic=Execution,Level=4,Alert=invoke-shellcode,Risk=100" condition="contains">Shellcode</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">python.exe</Image>
+			<Image name="Level=4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
+			<Image name="Level=0,Desc=Python Execution,Tactic=Privilege Escalation" condition="image">python.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
 			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,Level=3,Alert=JAVA DLL exec" condition="contains">-agentpath:</CommandLine>
 			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,Level=3,Alert=JAVA DLL exec" condition="contains">-agentlib:</CommandLine>
@@ -637,7 +637,7 @@
 				<ParentUser condition="contains any">NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</ParentUser>
 				<User condition="contains any">NT AUTHORITY\SYSTEM;СИСТЕМА;NT-AUTORITÄT\SYSTEM;AUTORITE NT\SYSTEM</User>
 			</Rule>
-			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine> <!-- can be useful for tokens manip detection -->
+			<ParentCommandLine name="Level=0,Desc=Possible Token manipulation" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine> <!-- can be useful for tokens manip detection -->
 			<Image name="Attack=T1134,Technique=Access Token Manipulation,Tactic=NA,Level=2,Alert=Token Manipulation with runas.exe,Risk=70" condition="image">runas.exe</Image> 
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
@@ -701,8 +701,8 @@
 
 			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
 			<Image condition="contains">unknown process</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\LocalState\rootfs\</Image>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\LocalState\rootfs\</ParentImage>			
+			<Image name="Level=0,Desc=WSL Execution" condition="contains">\LocalState\rootfs\</Image>
+			<ParentImage name="Level=0,Desc=WSL Execution" condition="contains">\LocalState\rootfs\</ParentImage>			
 			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
@@ -825,7 +825,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
 			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg add hkcu\software\classes\</CommandLine>
 			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg.exe add hkcu\software\classes\</CommandLine> 
-			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\WINDOWS\system32\svchost.exe -k localService -s RemoteRegistry</ParentCommandLine>
+			<ParentCommandLine name="Level=0,Desc=Remote Registry Activity,Risk=39" condition="begin with">C:\WINDOWS\system32\svchost.exe -k localService -s RemoteRegistry</ParentCommandLine>
 			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Alternate Data Streams with Regedit" groupRelation="and">
 				<OriginalFileName condition="is">regedit.exe</OriginalFileName>
 				<CommandLine condition="contains">:</CommandLine>
@@ -904,7 +904,7 @@
 				<CommandLine condition="contains">0x</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information: Compile After Delivery-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
+			<Rule name="Level=4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
 				<Image condition="image">csc.exe</Image>
 				<CommandLine condition="contains any">\AppData\;\Windows\Temp\</CommandLine>
 			</Rule>
@@ -926,7 +926,7 @@
 				<ParentImage condition="is">csc.exe</ParentImage>
 				<CommandLine condition="contains any">out:;target:library</CommandLine>
 			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft.Workflow.Compiler.exe</Image>
+			<Image name="Level=0,Desc=Workflow Compiler https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb" condition="contains">Microsoft.Workflow.Compiler.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
 			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
 			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
@@ -1034,11 +1034,11 @@
 			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
 			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=InstallUtil 1" groupRelation="and">
 				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
 				<CommandLine condition="contains all">/logfile=;/LogToConsole=false;/U</CommandLine>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=InstallUtil 2" groupRelation="and">
 				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
 				<CommandLine condition="contains all">-logfile=;-LogToConsole=false;-U</CommandLine>
 			</Rule>
@@ -1214,7 +1214,7 @@
 			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">syssetup.dll;SetupInfObjectInstallAction</CommandLine>
 			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">setupapi.dll;InstallHinfSection</CommandLine>
 			<CommandLine condition="contains">InstallHinfSection</CommandLine>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">infDefaultInstall.exe</Image>
+			<Image name="Level=0,Desc=infDefaultInstall" condition="image">infDefaultInstall.exe</Image>
 			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=APT28 CHOPSTICK Detection,Risk=70" condition="contains">rundll32.exe "C:\Windows\twain_64.dll"</CommandLine>
 			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Shdocvw exec via rundll32,Risk=70" condition="contains all">shdocvw.dll;OpenURL</CommandLine>
 			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Testing advpack exec,Risk=70" condition="contains all">advpack.dll;RegisterOCX</CommandLine>
@@ -1266,7 +1266,7 @@
 				<Image condition="image">msbuild.exe</Image>
 				<CommandLine condition="contains">.lnk</CommandLine>
 			</Rule>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">.csproj</CommandLine>
+			<CommandLine name="Level=0,Desc=.csproj execution" condition="contains">.csproj</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
 			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
@@ -1442,7 +1442,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
 			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg query</CommandLine>
 			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg.exe query</CommandLine>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
+			<Image name="Level=0,Desc=Driver Querying" condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
 
 			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
 			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,Level=2,Alert=Traceroute Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">tracert.exe</Image>
@@ -1547,14 +1547,14 @@
 				<CommandLine condition="contains any">ADD;DEL;CHANGE;-f</CommandLine>
 			</Rule>
 			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=User enumeration with qwinsta" condition="image">qwinsta.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">rwinsta.exe</Image>
+			<Image name="Level=0,Desc=rwinsta" condition="image">rwinsta.exe</Image>
 			
 			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
 
 			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Possible Lateral Movmt via Office Application,Risk=80" groupRelation="and">
 				<ParentImage condition="contains">Microsoft Office\root\Office</ParentImage>
 				<Image condition="excludes">Microsoft Office\root\Office</Image>
 				<ParentCommandLine condition="contains all">automation;Embedding</ParentCommandLine>
@@ -1677,9 +1677,9 @@
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image>
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Sysinternals PSService" condition="contains">psservice</Image>
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Sysinternals PsPasswd" condition="contains">PsPasswd</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">mstsc.exe</Image>
+			<Image name="Level=0,Desc=Remote Desktop" condition="image">mstsc.exe</Image>
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
+			<Image name="Level=3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
 			<CommandLine name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=IIS powershellcustomhost exec" condition="contains">powershellcustomhost</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Remote Services: Distributed Component Object Model-->
 			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement" groupRelation="and">
@@ -1928,8 +1928,8 @@
 			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">delete catalog</CommandLine>
 			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">wbadmin delete catalog</CommandLine>
 			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Desc=Data Destruction with erase Detected,Risk=100" condition="contains">erase</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">-nw -exec=</CommandLine><!-- vshadow -->
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">-p -nw</CommandLine><!-- vshadow -->
+			<CommandLine name="Level=0,Desc=vShadow Commands! https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/" condition="contains">-nw -exec=</CommandLine><!-- vshadow -->
+			<CommandLine name="Level=0,Desc=vShadow Commands! https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/" condition="contains">-p -nw</CommandLine><!-- vshadow -->
 			<Image name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with shred Detected,Risk=100" condition="contains">shred</Image>
 			<ParentImage name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Diskshadow Execution,Risk=70" condition="contains">diskshadow</ParentImage>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Command Line File Deletion,Risk=100" groupRelation="or">
@@ -1960,7 +1960,7 @@
 			<!--Malicious Keywords Credits: Sean Metcalf (source), Florian Roth (rule)-->
 			<CommandLine name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,Level=4,Alert=Malicious Keywords from Exploitation Frameworks" condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
 			<!--Crypto Currency Miner Detections-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
+			<Rule name="Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
 				<CommandLine condition="contains any">ahashpool;blazepool;blockmasters;blockmasterscoins;ccminer;cgminer;coinhive;hashrefinery;minergate;miningpoolhubcoins;nicehash;poolname;poolpassword;poolurl;rainbowminer;sgminer;stratum+tcp;xmrMiner;xmrig;yiimp;zergpool;zergpoolcoins;zpool</CommandLine>
 				<Description condition="contains any">CPU miner;GPU miner;Lime Miner;XMRig CPU miner; miner</Description>
 			</Rule>
@@ -1968,9 +1968,9 @@
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst hashes,Risk=100" groupRelation="and">
 				<Hashes condition="contains any">b91ce2fa41029f6955bff20079468448;02af7cec58b9a5da1c542b5a32151ba1;2c4a910a1299cdae2a4e55988a2f102e;846e27a652a5e1bfbd0ddd38a16dc865;4f2eb62fa529c0283b28d05ddd311fae;56ceb6d0011d87b6e4d7023d7ef85676</Hashes>
 			</Rule>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
+			<Hashes condition="end with" name="Level=0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
+			<Hashes condition="end with" name="Level=0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
+			<Hashes condition="end with" name="Level=0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
 			<Hashes name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=4,Alert=Generic APT Hash Detection,Risk=100" condition="contains any">4a069c1abe5aca148d5a8fdabc26751e;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;a4b42c2c95d1f2ff12171a01c86cd64f;98908ce6f80ecc48628c8d2bf5b2a50c;849a2b0dc80aeca3d175c139efe5221c;807d86da63f0db1fc746d1f0b05bc357;322cb39bc049aa69136925137906d855;86A4CAC227078B9C95C560C8F0370BF0;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;eac3e3ece94bc84e922ec077efb15edd;b4abe604916c04fe3dd8b9cb3d501d3f;88777aacd5f16599547926a4c9202862;128CECC59C91C0D0574BC1075FE7CB40;17a36ac3e31f3a18936552aff2c80249;0f49621b06f2cdaac8850c6e9581a594;3d129263f6a48647f103a04446fb0c2f;71345b139166482acaa568ac8816c7bc;1b60021baedc3f9201bcdb40e9b87f62;5E022694C0DBD1FBBC263D608E577949;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;37cd353621b0f4fc6981b50071c94f01;daf2da52475fd8981b19ec3c321a983c;afcdf79be1557326c854b6e20cb900a7;2f40abbb4f78e77745f0e657a19903fc953cc664;37b4496e650b3994312c838435013560b3ca8571;478dc5a5f934c62a9246f7d1fc275868f568bc07;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;0ac48cfa2ff8351365e99c1d26e082ad;0e9afd3a870906ebf34a0b66d8b07435;1aadf739782afcae6d1c3e4d1f315cbd;2a6f7ec77ab6bd4297e7b15ae06e2e61;3a771efb7ba2cd0df247ab570e1408b2;3d75c72144d873b3c1c4977fbafe9184;3dfebce4703f30eed713d795b90538b5;3ffd2915d285ad748202469d4a04e1f5;4e39620afca6f60bb30e031ddc5a4330;6cfd131fef548fcd60fbcdb59317df8e;7bcd736a2394fc49f3e27b3987cce640;7bfba2c69bed6b160261bdbf2b826401;7bfbd72441e1f2ed48fbc0f33be00f24;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;08e82dc7bae524884b7dc2134942aadb;8da15a97eaf69ff7ee184fc446f19cf1;9ad6fa6fdedb2df8055b3d30bd6f64f1;9c115e9a81d25f9d88e7aaa4313d9a8f;16ab79fb2fd92db0b1f38bedb2f02ed8;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;22d142f11cf2a30ea4953e1fffb0fa7e;36db24006e2b492cafb75f2663f241b2;51a7068640af42c3a7c1b94f1c11ab9d;69a19abf5ba56ee07cdd3425b07cf8bf;72dc98449b45a7f1ccdef27d51e31e91;77a745b07d9c453650dd7f683b02b3ed;80c37e062aa4c94697f287352acf2e9d;92f8e3f0f1f7cc49fad797a62a169acd;235d427f94630575a4ea4bff180ecf5d;320b2f1d9551b5d1df4fb19bd9ab253a;490a140093b5870a47edc29f33542fd2;520ee02668a1c7b7c262708e12b1ba6b;649ef1dd4a5411d3afcf108d57ff87af;684eca6b62d69ce899a3ec3bb04d0a5b;815f1f8a7bc1e6f94cb5c416e381a110;0969b2b399a8d4cd2d751824d0d842b4;2317d65da4639f4246de200650a70753;04078ef95a70a04e95bda06cc7bec3fa;8035a8a143765551ca7db4bc5efb5dfd;8403a28e0bffa9cc085e7b662d0d5412;9003cfaac523e94d5479dc6a10575e60;9793afcea43110610757bd3b800de517;27612cb03c89158225ca201721ea1aad;44619a88a6cff63523163c6a4cf375dd;061089d8cb0ca58e660ce2e433a689b3;81229c1e272218eeda14892fa8425883;84730a6e426fbd3cf6b821c59674c8a0;533340c54bd25256873b3dca34d7f74e;57314359df11ffdf476f809671ec0275;99828721ac1a0e32e4582c3f615d6e57;412956675fbc3f8c51f438c1abc100eb;5985087678414143d33ffc6e8863b887;a43d3b31575846fa4c3992b4143a06da;a571660c9cf1696a2f4689b2007a12c7;b4e67706103c3b8ee148394ebee3f268;b9c208ea8115232bfd9ec2c62f32d6b8;b9cf4301b7b186a75e82a04e87b30fe4;b72737b464e50aa3664321e8e001ff32;bfe3f6a79cad5b9c642bb56f8037c43b;c0e72eb4c9f897410c795c1b360090ef;c1e7850da5604e081b9647b58248d7e8;c3e255888211d74cc6e3fb66b69bbffb;cacaa3bf3b2801956318251db5e90f3c;cdb303f61a47720c7a8c5086e6b2a743;ce8ce92fb6565181572dce00d69c24f8;d8f1356bebda9e77f480a6a60eab36bb;d9e9f22988d43d73d79db6ee178d70a4;d5377dc1821c935302c065ad8432c0d2;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;f559c87b4a14a4be1bd84df6553aaf56;fc53f2cd780cd3a01a4299b8445f8511;ffc7305cb24c1955f9625e525d58aeee</Hashes>
 			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=4,Alert=Windows Credential Editor Detection,Risk=70" condition="contains any">e96a73c7bf33a464c510ede582318bf2;a53a02b997935fd8eedcb5f7abab9b9f</Hashes>
 			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Ransomware Hash Detection,Risk=100" condition="contains any">d326e629a90e78825645963b35e53a6a;c579341f86f7e962719c7113943bb6e4;dc5733c013378fa418d13773f5bfe6f1;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc7e564809d6c2a2f3457c3c9b91f22b;FE2CA1BE3BDA2A757036A89E54CC02DB;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b</Hashes>
@@ -2024,54 +2024,54 @@
 			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=3,Alert=Hacking with python,Risk=70" condition="contains">pythonEngine.Execute</CommandLine>
 			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=4,Alert=Hacking with session hijacking,Risk=100" condition="contains">sesshijack</CommandLine>
 			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=File Protocol Handler Execution" condition="contains">file://</CommandLine>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">HTML Application host</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Manager Profile Installer</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft Application Virtualization Injector</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Application Compatibility Database Installer</Description>
+			<Description name="Level=0,Desc=HTML APP Host" condition="end with">HTML Application host</Description>
+			<Description name="Level=0,Desc=Manager Profile Installer" condition="end with">Manager Profile Installer</Description>
+			<Description name="Level=0,Desc=Microsoft Application Virtualization Injector" condition="contains">Microsoft Application Virtualization Injector</Description>
+			<Description name="Level=0,Desc=App Compat Database installer" condition="contains">Application Compatibility Database Installer</Description>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">popd.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">pushd.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">subst.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=detect aliases" condition="image">doskey.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=detect cls in batch scripts" condition="image">cls.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=UNC\Device Launches - Image begins with \,Risk=10" condition="begin with">\</Image> 
-			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\system32\svchost.exe -k iissvcs</ParentCommandLine>
+			<ParentCommandLine name="Level=0,Desc=IIS Child Processes" condition="begin with">C:\Windows\system32\svchost.exe -k iissvcs</ParentCommandLine>
 			<ParentImage name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=UNC\Device Launches - Parent Image begins with \,Risk=10" condition="begin with">\</ParentImage> 
 			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Acrobat" condition="image">acrobat.exe</ParentImage>
 			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Adobe Reader" condition="image">acrord32.exe</ParentImage>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">java.exe</ParentImage>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">javaw.exe</ParentImage>
+			<ParentImage name="Level=0,Desc=Process Spawned from JAVA" condition="image">java.exe</ParentImage>
+			<ParentImage name="Level=0,Desc=Process Spawned from JAVA" condition="image">javaw.exe</ParentImage>
 			<!--Detect Output Redirection-->
 			<!-- Disabled for now: Reason: Overrides other detections, waiting on Sysmon multiple rule firing
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">2></CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">&gt;</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">&lt;</CommandLine>
+			<CommandLine name="Level=0,Desc=Output Redirection" condition="contains">2></CommandLine>
+			<CommandLine name="Level=0,Desc=Output Redirection" condition="contains">&gt;</CommandLine>
+			<CommandLine name="Level=0,Desc=Output Redirection" condition="contains">&lt;</CommandLine>
 			-->
 			<!--Detect Multiple Commands-->
-			<Rule  name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule  name="Level=0,Desc=SVCHost Processes" groupRelation="and">
 				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
 			</Rule>
 			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Permission Modifications with icacls or cacls" condition="contains">cacls</Image>
 			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Ownership Permission Modifications with takeown" condition="contains">takeown</Image>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
-			<Rule  name="Attack=None,Technique=None,Tactic=None,Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
+			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
+			<Rule  name="Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
 				<CommandLine condition="contains">\pipe\</CommandLine>
 				<CommandLine condition="excludes">&gt;</CommandLine> <!--Excludes piping to pipe for cobalt strike detection-->
 			</Rule>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\\tsclient</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">%PROCESSOR_ARCHITECTURE%</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">sysnative</CommandLine>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">AutoIt</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft Filter Loader</Description> 
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=interactive command to slow output" condition="is">more.com</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">:\Windows\Microsoft.NET\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">acrord32.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">gpupdate.exe</Image>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
+			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
+			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
+			<CommandLine name="Level=3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
+			<CommandLine name="Level=3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
+			<CommandLine name="Level=3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
+			<CommandLine name="Level=0,Desc=Execution from \\tsclient share" condition="contains">\\tsclient</CommandLine>
+			<CommandLine name="Level=0,Desc=Processor ARCH command Line" condition="contains">%PROCESSOR_ARCHITECTURE%</CommandLine>
+			<CommandLine name="Level=0,Desc=SysNative detected" condition="contains">sysnative</CommandLine>
+			<Description name="Level=0,Desc=AutoIT Application Detected" condition="contains">AutoIt</Description>
+			<Description name="Level=0,Desc=Windows Filter loader" condition="contains">Microsoft Filter Loader</Description> 
+			<Image name="Level=3,Alert=interactive command to slow output" condition="is">more.com</Image>
+			<Image name="Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</Image>
+			<Image name="Level=0,Desc=Acrobat Reader Launches" condition="image">acrord32.exe</Image>
+			<Image name="Level=0,Desc=Gpupdate Launched" condition="image">gpupdate.exe</Image>
+			<ParentImage name="Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
 			<!-- Log other command line events, this sometimes conflicts with rules, add to exclusions as necessary-->
 			<!-- <ParentCommandLine name="Information=Uncategorized Events" condition="contains any">/;\;-;unknown;</ParentCommandLine>-->
 		</ProcessCreate>
@@ -2230,7 +2230,7 @@
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from wwwroot folder: Possible webshell,Risk=100" groupRelation="and">
 				<Image condition="contains">\wwwroot\</Image>
 			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
+			<Image name="Level=4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from Windows\repair Folder,Risk=70" condition="begin with">C:\Windows\repair\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from htdocs folder,Risk=70" condition="contains">\htdocs\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from systemprofile Folder,Risk=30" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
@@ -2247,8 +2247,8 @@
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network Connection from NetworkService User folder,Risk=30" condition="begin with">C:\Users\NetworkService\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network connection from Public User folder,Risk=30" condition="begin with">C:\Users\Public\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network connection within Media Folder,Risk=30" condition="begin with">C:\Windows\Media\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Windows\IME\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\ProgramData</Image>
+			<Image name="Level=0,Desc=Input Method Network Connection" condition="contains">\Windows\IME\</Image>
+			<Image name="Level=0,Desc=Programdata Network Connection" condition="begin with">C:\ProgramData</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
@@ -2475,11 +2475,11 @@
 			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
 
 			<!--MITRE ATT&CK TACTIC: Command and Control-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Cobalt Strike Team Server port,Risk=70" groupRelation="and">
 				<DestinationPort condition="is">50050</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Outbound SMTP Email Sending,Risk=10" groupRelation="and">
 				<DestinationPort condition="is">25</DestinationPort>
 				<Image condition="excludes any">\Bin\EdgeTransport.exe;Bin\MSExchangeFrontendTransport.exe</Image>
 				<Initiated>true</Initiated>
@@ -2543,11 +2543,11 @@
 			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
 			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
+			<DestinationHostname name="Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<!--UEBA Rules-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Inbound Windows SVCHost Network Connection" groupRelation="and">
 				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
 				<DestinationPort condition="is not">3389</DestinationPort>
 				<DestinationPort condition="is not">22</DestinationPort>
@@ -2555,24 +2555,24 @@
 				<DestinationPort condition="is not">5985</DestinationPort>
 				<Initiated>false</Initiated>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Outbound Windows SVCHost Network Connection" groupRelation="and">
 				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
 				<Initiated>true</Initiated>
 				<SourcePort condition="is not">135</SourcePort>
 				<SourcePort condition="is not">445</SourcePort>
 				<DestinationPort condition="is not">5985</DestinationPort>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Outbound Non-System port 445 SMB connections" groupRelation="and">
 				<Image condition="is not">System</Image>
 				<Image condition="excludes">svchost.exe</Image>
 				<DestinationPort condition="is">445</DestinationPort>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Outbound Non-System port 389 LDAP connections" groupRelation="and">
 				<Image condition="is not">System</Image>
 				<Image condition="excludes any">svchost.exe;lsass.exe</Image>
 				<DestinationPort condition="is">389</DestinationPort>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Inbound LDAP Connections" groupRelation="and">
 				<Image condition="image">C:\Windows\System32\lsass.exe</Image>
 				<DestinationPort condition="is">389</DestinationPort>
 				<DestinationIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</DestinationIp>
@@ -2580,103 +2580,103 @@
 				<SourceIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</SourceIp>
 				<Initiated>false</Initiated>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Notepad connecting to the internet" groupRelation="and">
+			<Rule name="Level=4,Alert=Notepad connecting to the internet" groupRelation="and">
 				<Image condition="image">notepad.exe</Image>
 				<DestinationIp condition="excludes">127.0.0.1</DestinationIp>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Browsers accessing non-standard ports" groupRelation="and">
 				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
 				<DestinationPort condition="is not">80</DestinationPort>
 				<DestinationPort condition="is not">443</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">github</DestinationHostname> 
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">githubusercontent.com</DestinationHostname>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<DestinationHostname name="Level=0,Desc=Connection to Github,Risk=30" condition="contains">github</DestinationHostname> 
+			<DestinationHostname name="Level=0,Desc=Connection to Github,Risk=30" condition="contains">githubusercontent.com</DestinationHostname>
+			<Rule name="Level=0,Desc=Web Browser HTTP Connections" groupRelation="and">
 				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
 				<DestinationPort condition="is">80</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Web Browser HTTPS Connections" groupRelation="and">
 				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
 				<DestinationPort condition="is">443</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Apache Webserver" groupRelation="and">
 				<Image condition="image">apache.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=JAVA Network Connections" groupRelation="and">
 				<Image condition="image">java.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Microsoft IIS Webserver" groupRelation="and">
 				<Image condition="image">w3wp.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=PHP Webserver" groupRelation="and">
 				<Image condition="contains any">\php-cgi.exe;\php.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Setup Network connectivity" groupRelation="and">
 				<Image condition="contains">setup</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Tomcat Webserver connectivity" groupRelation="and">
 				<Image condition="contains">tomcat</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Uninstaller Network connectivity" groupRelation="and">
 				<Image condition="contains">unins</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Unknown Process Connecting to network" groupRelation="and">
 				<Image condition="contains">unknown process</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Windows Explorer Network Connection" groupRelation="and">
 				<Image condition="contains">explorer.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Windows SMTP Server" groupRelation="and">
 				<Image condition="image">inetinfo.exe</Image>
 			</Rule>
 			<!--3rd Party tools-->
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">netcat.exe;nc.exe;nc64.exe;ncat.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">procdump</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">psexe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">vnc;vncs;vncv</Image>
+			<Image name="Level=0,Desc=Netcat network connection Detected" condition="contains any">netcat.exe;nc.exe;nc64.exe;ncat.exe</Image>
+			<Image name="Level=0,Desc=Procdump Detected" condition="contains any">procdump</Image>
+			<Image name="Level=0,Desc=PSExec Network Connection" condition="contains any">psexe</Image>
+			<Image name="Level=0,Desc=VNC Network Connection" condition="contains any">vnc;vncs;vncv</Image>
 			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
 				<Image condition="contains any">rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe;advanced_port_scanner.exe;rcpping.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe</Image>
 			</Rule>
 			<!--Destination Ports to Monitor-->
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">0</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Port: 0" condition="is">0</DestinationPort>
 			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5985</DestinationPort>
 			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5986</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1293</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1701</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1194</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">3540</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">3389</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">22</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1080</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">3128</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">8080</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1723</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">23</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">4500</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">9001</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">9030</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">5900</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">5800</DestinationPort>
+			<DestinationPort name="Level=0,Desc=IPSec" condition="is">1293</DestinationPort>
+			<DestinationPort name="Level=0,Desc=L2TP" condition="is">1701</DestinationPort>
+			<DestinationPort name="Level=0,Desc=OpenVPN,Risk=39" condition="is">1194</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Remote Assistance Connection,Risk=20" condition="is">3540</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Remote Desktop Connection,Risk=20" condition="is">3389</DestinationPort>
+			<DestinationPort name="Level=0,Desc=SSH Port,Risk=30" condition="is">22</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Socks Proxy Port 1080" condition="is">1080</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Socks Proxy Port 3128" condition="is">3128</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Socks Proxy Port 8080" condition="is">8080</DestinationPort>
+			<DestinationPort name="Level=0,Desc=TOR Port" condition="is">1723</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Telnet Port,Risk=30" condition="is">23</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Tor Port" condition="is">4500</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Tor Port,Risk=50" condition="is">9001</DestinationPort>
+			<DestinationPort name="Level=0,Desc=Tor Port,Risk=50" condition="is">9030</DestinationPort>
+			<DestinationPort name="Level=0,Desc=VNC Port" condition="is">5900</DestinationPort>
+			<DestinationPort name="Level=0,Desc=VNC,Risk=50" condition="is">5800</DestinationPort>
 			<!--Source Ports to Monitor-->
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">0</SourcePort>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<SourcePort name="Level=0,Desc=Port: 0" condition="is">0</SourcePort>
+			<Rule name="Level=0,Desc=Non-Browsers Accessing HTTPS" groupRelation="and">
 				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
 				<DestinationPort condition="is">443</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Non-Browsers Accessing HTTP" groupRelation="and">
 				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
 				<DestinationPort condition="is">80</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">80</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">443</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">636</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">5900</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">443</SourcePort>
+			<SourcePort name="Level=0,Desc=HTTP" condition="is">80</SourcePort>
+			<SourcePort name="Level=0,Desc=HTTPS" condition="is">443</SourcePort>
+			<SourcePort name="Level=0,Desc=LDAPS" condition="is">636</SourcePort>
+			<SourcePort name="Level=0,Desc=VNC" condition="is">5900</SourcePort>
+			<SourcePort name="Level=0,Desc=HTTPS" condition="is">443</SourcePort>
 			<!--Suspicious network connections-->
 			<DestinationHostname name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=4,Alert=Dynamic DNS Connection" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</DestinationHostname>
 		</NetworkConnect>
@@ -2815,7 +2815,7 @@
 			<Image condition="image">MSExchangeFrontendTransport.exe</Image>
 			<Image condition="image">MSExchangeHMWorker.exe</Image>
 			<Image condition="image">MSExchangeSubmission.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">\</Image>
+			<Image name="Level=0,Desc=UNC Path Network Connections" condition="begin with">\</Image>
 		</NetworkConnect>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->
@@ -2827,18 +2827,18 @@
 		<!--COMMENT:	Useful data in building infection timelines.-->
 		<RuleGroup name="RG=ProcessTerminate Include Group" groupRelation="or">
 		<ProcessTerminate onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Process Termination Events in Windows Directory" groupRelation="and">
 				<Image condition="begin with">C:\Windows\</Image>
 				<Image condition="excludes">\System32\;Syswow64;sysmon.exe;sysmon64.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Process Termination Events in System32" groupRelation="and">
 				<Image condition="begin with">C:\Windows\system32\</Image>
 				<Image condition="excludes">config\systemprofile\</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Process Termination of Sysmon" groupRelation="and">
 				<Image condition="contains any">C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Process Termination Events in Root folders" groupRelation="and">
 				<Image condition="contains any">A:\;B:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;L:\;M:\;N:\;O:\;P:\;Q:\;R:\;S:\;T:\;U:\;V:\;W:\;X:\;Y:\;Z:\;AA:\;BB:\;CC:\;DD:\;EE:\;FF:\;GG:\;HH:\;II:\;JJ:\;KK:\;LL:\;MM:\;NN:\;OO:\;PP:\;QQ:\;RR:\;SS:\;TT:\;UU:\;VV:\;WW:\;XX:\;YY;ZZ:\</Image>
 				<Image condition="excludes">:\PROGRA~</Image>
 				<Image condition="excludes">:\Program Files</Image>
@@ -2852,29 +2852,29 @@
 				<Image condition="excludes">:\$WinREAgent</Image>
 				<Image condition="excludes">:\inetpub\</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Process Termination Events of UNC File Paths" groupRelation="and">
 				<Image condition="begin with">\</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Process Termination Events in Users Directory" groupRelation="and">
 				<Image condition="begin with">C:\Users\</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Process Termination Events in ProgramData Directory" groupRelation="and">
 				<Image condition="begin with">C:\ProgramData\</Image>
 				<Image condition="excludes any">C:\ProgramData\sysmon\sysmon64.exe;C:\ProgramData\sysmon\sysmon.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Process Termination Events in Program Files Directories" groupRelation="and">
 				<Image condition="contains any">C:\Program Files;C:\PROGRA~</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Process Termination Events in inetpub Directories" groupRelation="and">
 				<Image condition="begin with">C:\inetpub\</Image>
 			</Rule>
 		<!-- Useful data in building infection timelines.-->
 			<Image name="Attack=T1036,Tactic=Masquerading,Technique=Defense Evasion,Level=4,Alert=Process Termination in Recyclebin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
 			<Image name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=0,Desc=Process Terminate: Killing of Log Shippers" condition="contains any">packetbeat.exe;metricbeat.exe;filebeat.exe;winlogbeat.exe;o365beat.exe;graylog-sidecar.exe;graylog-collector-sidecar.exe;splunkd.exe;splunk.exe;syslogng.exe;syslog-ng.exe;nxlog-processor.exe;snarecore.exe;fluentd;td-agent</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\sysWOW64\config\systemprofile\</Image>
+			<Image name="Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
+			<Image name="Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\sysWOW64\config\systemprofile\</Image>
 			<Image condition="contains">\Temp\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">C:\Users\</Image>
+			<Image name="Level=0,Desc=User Process Terminations" condition="contains">C:\Users\</Image>
 		</ProcessTerminate>
 	</RuleGroup>
 	<RuleGroup name="RG=ProcessTerminate Exclude Group" groupRelation="or">
@@ -2899,14 +2899,14 @@
 			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=PWDump6 driver loaded,Risk=100" condition="contains">lsremora</ImageLoaded>
 			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=wceaux.dll driver loaded,Risk=100" condition="contains">wceaux.dll</ImageLoaded>
 			<ImageLoaded name="Attack=T1040,Tactic=Discovery,Technique=Network Sniffing,Level=4,Alert=NPCap packet capture driver loaded,Risk=100" condition="contains">npcap</ImageLoaded>
-			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Temp</ImageLoaded>
-			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">:\Users</ImageLoaded>
+			<ImageLoaded name="Level=0,Desc=Driver Loaded in Temp" condition="contains">\Temp</ImageLoaded>
+			<ImageLoaded name="Level=0,Desc=Driver Loaded in Users Directories" condition="contains">:\Users</ImageLoaded>
 			<Signature name="Attack=T1019,Technique=System Firmware,Tactic=Persistence,Level=4,Alert=UEFI Rootkit detection,Risk=100" condition="contains">ChongKim Chan</Signature>
 			<SignatureStatus condition="contains">?</SignatureStatus>
 			<SignatureStatus condition="contains">Revoked</SignatureStatus>
 			<SignatureStatus condition="contains">Unavailable</SignatureStatus>
 			<SignatureStatus condition="contains">Valid</SignatureStatus>
-			<Signed name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">false</Signed>
+			<Signed name="Level=0,Desc=Unsigned Driver loaded into Kernel" condition="contains">false</Signed>
 		</DriverLoad>
 	</RuleGroup>
 	<RuleGroup name="RG=DriverLoad Exclude Group" groupRelation="or">
@@ -2924,12 +2924,12 @@
 				<Image condition="is">msdt.exe</Image>
 				<ImageLoaded condition="contains">sdiageng.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=VBE7 Macro Image Loads with wshom,Risk=70" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wshom.ocx</ImageLoaded>
 				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Suspicious Process Loading ntkrnlmp.exe,Risk=50" groupRelation="and">
 				<ImageLoaded condition="image">ntkrnlmp.exe</ImageLoaded>
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,CVE=CVE-2021-1675,Level=0,Desc=Printer Expoit,Risk=100" groupRelation="and">
@@ -2943,7 +2943,7 @@
 				<ImageLoaded condition="contains any">\Users\Public\;\Desktop\;\Downloads\;\AppData\Local\Temp\;\PerfLogs\;$Recycle;\Fonts\</ImageLoaded>
 				<ImageLoaded condition="excludes any">\Program Files</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Equation editor loading itself,Risk=50" groupRelation="and">
 				<Image condition="image">EQNEDT32.EXE</Image>
 				<ImageLoaded condition="contains">EQNEDT32.EXE</ImageLoaded>
 			</Rule>
@@ -2955,87 +2955,87 @@
 				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
 				<Image condition="contains any">wscript.exe;cscript.exe;powershell.exe;rundll32.exe;msbuild.exe;msiexec.exe;csc.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=VBE6 Macro Image Loads with wshom,Risk=40" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wshom.ocx</ImageLoaded>
 				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll;fastprox.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=VBE7 Macro Image Loads with wmi,Risk=30" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=VBE6 Macro Image Loads with wmi,Risk=50" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Office taskschd.dll Load" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=WScript taskschd.dll Load" groupRelation="and">
 				<Image condition="contains any">wscript.exe;cscript.exe</Image>
 				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=WMI taskschd.dll Load" groupRelation="and">
 				<Image condition="image">wmiprvse.exe</Image>
 				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Powershell Loading MSI.dll" groupRelation="and">
 				<Image condition="image">powershell.exe</Image>
 				<ImageLoaded condition="is">msi.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Powershell Loading AMSI.dll" groupRelation="and">
 				<Image condition="contains">powershell</Image>
 				<ImageLoaded condition="is">amsi.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Powershell Not Loading AMSI.dll" groupRelation="and">
 				<Image condition="excludes">powershell</Image>
 				<ImageLoaded condition="is">amsi.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Office clr.dll Load" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="is">clr.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Suspicious clr windows management dll Load" groupRelation="and">
 				<ImageLoaded condition="contains all">clr.dll;System.Management.ni.dll;Microsoft.Build.Utilities</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Wscript Internet Access library Loads" groupRelation="and">
 				<Image condition="contains any">wscript.exe;cscript.exe</Image>
 				<ImageLoaded condition="contains all">msxml;wshom.ocx</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Wscript Internet Access library Loads 2" groupRelation="and">
 				<Image condition="contains any">wscript.exe;cscript.exe</Image>
 				<ImageLoaded condition="contains all">winhttp.dll;mswsock.dll;IPHLPAPI.DLL</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Interesting Installutil DLL Loads" groupRelation="and">
 				<Image condition="contains any">installutil.exe</Image>
 				<ImageLoaded condition="contains all">CustomMarshalers.dll;CustomMarshalers.ni.dll;System.Management.ni.dll;WMINet_Utils.dll;mswsock.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Automation NI DLL Loaded" groupRelation="and">
 				<ImageLoaded condition="end with">System.Management.Automation.ni.dll</ImageLoaded>
 				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Automation DLL Loaded" groupRelation="and">
 				<ImageLoaded condition="end with">System.Management.Automation.dll</ImageLoaded>
 				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
 				<ImageLoaded condition="excludes any">Lenovo.Vantage.AddinHost;\Microsoft.Sara.exe;C:\Program Files\CONEXANT</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Credential Manager DLL Loaded" groupRelation="and">
 				<ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded>
 				<Image condition="excludes any">\svchost.exe;\GameBar.exe;C:\Program Files\WindowsApps;\Microsoft\Teams\current\Teams.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=UNC Path Image Loaded" groupRelation="and">
 				<ImageLoaded condition="begin with">\\</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=WLL Office Application Startup" groupRelation="and">
 				<ImageLoaded condition="contains">\Microsoft\Word\Startup\</ImageLoaded>
 				<ImageLoaded condition="end with">.wll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=XLL Office Application Startup" groupRelation="and">
 				<ImageLoaded condition="contains">\Microsoft\Excel\Startup\</ImageLoaded>
 				<ImageLoaded condition="end with">.xll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Office Application Startup Generic" groupRelation="and">
 				<ImageLoaded condition="contains">\Microsoft\Addins\</ImageLoaded>
 				<ImageLoaded condition="contains any">.xla</ImageLoaded>
 			</Rule>
@@ -3059,14 +3059,14 @@
 				<ImageLoaded condition="excludes">shcore.dll</ImageLoaded>
 				<ImageLoaded condition="excludes">srvcli.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Potential C3 Framework,Risk=100" groupRelation="and">
 				<ImageLoaded condition="contains all">odbc32.dll;winhttp.dll;netapi32.dll;SHLWAPI.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Explorer Loading Powershell in memory,Risk=100" groupRelation="and">
 				<Image condition="image">C:\Windows\Explorer.EXE</Image>
 				<ImageLoaded condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Programdata Image Loading exe Image from Programdata" groupRelation="and">
 				<Image condition="begin with">C:\ProgramData\</Image>
 				<ImageLoaded condition="begin with">C:\ProgramData\</ImageLoaded>
 				<ImageLoaded condition="end with">.exe</ImageLoaded>
@@ -3075,24 +3075,24 @@
 				<ImageLoaded condition="excludes">C:\ProgramData\Microsoft\Windows Defender\</ImageLoaded>
 				<ImageLoaded condition="excludes">C:\ProgramData\sysmon\sysmon64.exe</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
 				<ImageLoaded condition="contains any">C:\Users\Default\;C:\Users\Public\</ImageLoaded>
 				<ImageLoaded condition="end with">.exe</ImageLoaded>
 			</Rule>
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst image hashes,Risk=100" groupRelation="and">
 				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=SVCHost loading Unsigned DLL" groupRelation="and">
 				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
 				<Signed condition="is">false</Signed>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Revoked Signature Libraries Loaded" groupRelation="and">
 				<SignatureStatus condition="is">Revoked</SignatureStatus>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Expired Signature Libraries Loaded" groupRelation="and">
 				<SignatureStatus condition="is">Expired</SignatureStatus>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=HTA Exec with IE JS Engine AMSI Bypass" groupRelation="and">
+			<Rule name="Level=4,Alert=HTA Exec with IE JS Engine AMSI Bypass" groupRelation="and">
 				<ImageLoaded condition="end with">jscript9.dll</ImageLoaded>
 				<Image condition="image">mshta.exe</Image>
 			</Rule>
@@ -3119,20 +3119,20 @@
 				<Image condition="excludes">C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_</Image>
 				<Image condition="excludes">C:\Windows\explorer.exe</Image>
 			</Rule>
-			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
+			<ImageLoaded name="Level=0,Desc=Global Assembly Cache Load" condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
 		</ImageLoad>
 	</RuleGroup>
 	<RuleGroup name="RG=Image Load Excludes" groupRelation="or">
 		<ImageLoad onmatch="exclude">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=XLL Office Application Startup removal" groupRelation="and">
 				<Image condition="contains">\Microsoft Office\</Image>
 				<ImageLoaded condition="end with">\mscorlib.ni.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=XLL Office Application Startup removal" groupRelation="and">
 				<Image condition="contains">\Microsoft Office\</Image>
 				<ImageLoaded condition="end with">\sppc.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=SVCHost Signed DLL" groupRelation="and">
 				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
 				<Signed condition="is">true</Signed>
 			</Rule>
@@ -3286,10 +3286,10 @@
 			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=PssCaptureSnapShot,Risk=50" groupRelation="and">
 				<CallTrace condition="contains">C:\Windows\System32\KernelBase.dll+de67e</CallTrace>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Dotnet Debugging detected,Risk=30" groupRelation="and">
 				<CallTrace condition="contains">ntdll.dll+a0044</CallTrace>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Alert=DInvoke detected,Risk=100" groupRelation="and">
 				<CallTrace condition="contains any">clr.dll+6c23;clr.dll+6b38</CallTrace>
 			</Rule>
 			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 1,Risk=30" groupRelation="and">
@@ -3342,7 +3342,7 @@
 				<GrantedAccess>0x1F3FFF</GrantedAccess>
 				<CallTrace condition="contains any">C:\Windows\Microsoft.NET;UNKNOWN</CallTrace>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Suspicious Process Accessing Sysmon,Risk=50" groupRelation="and">
 				<SourceImage condition="end with">.exe</SourceImage>
 				<TargetImage condition="contains any">C:\Windows\sysmon64.exe;C:\Windows\sysmon64.exe</TargetImage>
 				<GrantedAccess>0x1C00</GrantedAccess>
@@ -3372,11 +3372,11 @@
 				<TargetImage condition="excludes">C:\Windows\system32\lsass.exe</TargetImage>
 				<SourceImage condition="excludes">C:\wfx32\</SourceImage>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Powershell accessing another process memory" groupRelation="and">
 				<SourceImage condition="image">powershell.exe</SourceImage>
 				<TargetImage condition="excludes any">C:\Programdata\sysmon\sysmon64.exe;C:\Programdata\sysmon\sysmon.exe;C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe;\dismhost.exe</TargetImage>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Potential Keylogger detected,Risk=100" groupRelation="and">
 				<CallTrace condition="contains">getasynckeystate</CallTrace>
 			</Rule>
 			<Rule name="Attack=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=CMSTP UAC Bypass" groupRelation="and">
@@ -3426,8 +3426,8 @@
 				<TargetImage condition="excludes">C:\WINDOWS\system32\sihost.exe</TargetImage>
 				<TargetImage condition="excludes">C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub</TargetImage>
 			</Rule>
-			<CallTrace name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
+			<CallTrace name="Level=4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
+			<Rule name="Level=4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
 				<CallTrace condition="contains">|UNKNOWN(</CallTrace>
 				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
 				<CallTrace condition="contains">|C:\WINDOWS\System32\KERNELBASE.dll+</CallTrace>
@@ -3435,11 +3435,11 @@
 				<GrantedAccess condition="contains any">0x1028;0x1fffff</GrantedAccess>
 				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git\</SourceImage>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
+			<Rule name="Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
 				<SourceImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</SourceImage>
 				<CallTrace condition="contains all">:\Windows\Microsoft.NET\Framework64\v2.;UNKNOWN</CallTrace>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Potential Metasploit Process Migration" groupRelation="and">
+			<Rule name="Level=4,Alert=Potential Metasploit Process Migration" groupRelation="and">
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 				<GrantedAccess condition="contains">0x147a</GrantedAccess>
 			</Rule>
@@ -3460,12 +3460,12 @@
 			<GrantedAccess name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=70">0x810</GrantedAccess>
 			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
 			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Risk=70">0x820</GrantedAccess>
-			<SourceImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">cscript.exe</SourceImage>
-			<SourceImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">wscript.exe</SourceImage>
+			<SourceImage name="Level=0,Desc=CScript accessing another process memory,Risk=30" condition="end with">cscript.exe</SourceImage>
+			<SourceImage name="Level=0,Desc=WScript accessing another process memory,Risk=30" condition="end with">wscript.exe</SourceImage>
 			<SourceImage condition="end with">jjs.exe</SourceImage>
 			<CallTrace name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">dump</CallTrace>
 			<CallTrace name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">mimikatz</CallTrace>
-			<CallTrace name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CorperfmontExt.dll</CallTrace>
+			<CallTrace name="Level=0,Desc=ProcessAccess with CorperfmontExt.dll,Risk=70" condition="contains">CorperfmontExt.dll</CallTrace>
 		</ProcessAccess>
 	</RuleGroup>
 	<RuleGroup name="RG=ProcessAccess Exclude Group" groupRelation="or">
@@ -3488,7 +3488,7 @@
 			<SourceImage condition="end with">:\Windows\system32\sdiagnhost.exe</SourceImage>
 			<!-- In testing a common false-positive is memory space that DLLS would be expected to mapped to. -->
 			<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Direct System Call Events" groupRelation="and">
 				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\ntdll.dll</CallTrace>  
 				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\win32u.dll</CallTrace>
 				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\wow64win.dll</CallTrace>
@@ -3673,7 +3673,7 @@
 			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence" condition="end with">.XLSB</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
+			<TargetFilename name="Level=0,Desc=Scheduled Task Modified" condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
 			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
 			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=3,Alert=HAFNIUM APT: IIS Creating ASPX files outside of wwwwroot,Risk=80" groupRelation="and">
 				<Image condition="image">w3wp.exe</Image>
@@ -3704,13 +3704,13 @@
 				<TargetFilename condition="end with">.aspx</TargetFilename>
 				<TargetFilename condition="excludes any">\wwwroot\</TargetFilename>
 			</Rule>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ecp\auth\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\oab\auth\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">ClientAccess\Owa\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\owa\auth\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">httpproxy\rpc\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">ClientAccess\ecp\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\htdocs\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Files dropped in Exchange ECP directory,Risk=80" condition="contains">\ecp\auth\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Files dropped in Exchange OAB directory,Risk=80" condition="contains">\oab\auth\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">ClientAccess\Owa\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">\owa\auth\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Files dropped in Exchange RPC directory,Risk=80" condition="contains">httpproxy\rpc\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Files dropped in Exchange ecp directory,Risk=80" condition="contains">ClientAccess\ecp\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Files dropped in wwwroot htdocs directory" condition="contains">\htdocs\</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
 
@@ -3761,7 +3761,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
 			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
 			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\LocalState\rootfs\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=WSL Locations" condition="contains">\LocalState\rootfs\</TargetFilename>
 
 			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="or">
@@ -3773,8 +3773,8 @@
 				<TargetFilename condition="contains">\AppData\Temp\</TargetFilename>
 				<Image condition="excludes">C:\WINDOWS\system32\dxgiadaptercache.exe</Image>
 			</Rule>
-			<TargetFilename condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
-			<Image condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files Created from">$Recycle.Bin</Image>
+			<TargetFilename condition="contains" name="Level=0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
+			<Image condition="contains" name="Level=0,Desc=Files Created from">$Recycle.Bin</Image>
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Files Created within System Profile" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 				<TargetFilename condition="contains">\config\systemprofile\</TargetFilename>
@@ -3899,9 +3899,9 @@
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ISO Archive" condition="end with">.iso</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=LZM Archive" condition="end with">.lzm</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=LZMA Archive" condition="end with">.lzma</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Temp\Rar$</TargetFilename>
+			<TargetFilename name="Level=0,Desc=RAR Archive Extraction" condition="contains">Temp\Rar$</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=RAR Archive" condition="end with">.rar</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">RarSFX</TargetFilename>
+			<TargetFilename name="Level=0,Desc=RAR SFX Archive Extraction" condition="contains">RarSFX</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=SFX Archive" condition="end with">.sfx</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=SZ Archive" condition="end with">.sz</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=TAR Archive" condition="end with">.tar</TargetFilename>
@@ -3941,11 +3941,11 @@
 			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
 			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created by Teamviewer" condition="is">Teamviewer.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">rundll32.exe</Image>
+			<Image name="Level=0,Desc=File Created by rundll32" condition="is">rundll32.exe</Image>
 			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created with Remote Desktop Client" condition="is">mstsc.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">cmd.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">ipy.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">WScript.exe</Image>
+			<Image name="Level=0,Desc=File Created with command shell,Risk=30" condition="is">cmd.exe</Image>
+			<Image name="Level=0,Desc=File Dropped with IronPython.exe,Risk=50" condition="is">ipy.exe</Image>
+			<Image name="Level=0,Desc=File Dropped with WScript.exe,Risk=30" condition="is">WScript.exe</Image>
 			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with cscript.exe,Risk=30" condition="is">cscript.exe</Image>
 			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with mshta.exe,Risk=100" condition="is">mshta.exe</Image>
 			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with python.exe,Risk=30" condition="is">python.exe</Image>
@@ -4009,88 +4009,88 @@
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<!--UEBA Detections-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Suspicious files within Content.IE5,Risk=40" groupRelation="and">
 				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
 				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.dll</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Unusual OLE ActiveX execution from Microsoft Office,Risk=20" groupRelation="and">
 				<TargetFilename condition="contains any">MSForms.exd</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=New Executable File Detected in System32" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename> 
 				<TargetFilename condition="begin with">C:\windows\system32\</TargetFilename> 
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=New Executable File Detected in Windows Directory" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename> 
 				<TargetFilename condition="begin with">C:\windows\</TargetFilename> 
 				<TargetFilename condition="excludes">\system32\</TargetFilename> 
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=New Executable File Detected Outside Windows Directory" groupRelation="and">
 				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
 				<TargetFilename condition="excludes">C:\windows\</TargetFilename> 
 				<TargetFilename condition="excludes">C:\Users\</TargetFilename> 
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=New Executable File Detected Inside User Directory" groupRelation="and">
 				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
 				<TargetFilename condition="begin with">C:\Users\</TargetFilename> 
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=WLL Office Application Startup" groupRelation="and">
 				<TargetFilename condition="contains">\Microsoft\Word\Startup\</TargetFilename>
 				<TargetFilename condition="end with">.wll</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc= Windows Defender Application Control changes" groupRelation="and">
 				<TargetFilename condition="begin with">C:\windows\system32\CodeIntegrity\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=XLL Office Application Startup" groupRelation="and">
 				<TargetFilename condition="contains">\Microsoft\Excel\Startup\</TargetFilename>
 				<TargetFilename condition="end with">.xll</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Outlook Macro Execution,Risk=90" groupRelation="and">
 				<TargetFilename condition="end with">\Microsoft\Outlook\VbaProject.OTM</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Office Application Startup Generic" groupRelation="and">
 				<TargetFilename condition="contains">\Microsoft\Addins\</TargetFilename>
 				<TargetFilename condition="contains any">.xla</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Office VSTO Addin detected,Risk=20" groupRelation="and">
 				<TargetFilename condition="end with">.vsto</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=New bat file dropped to C:\Windows\,Risk=70" groupRelation="and">
 				<TargetFilename condition="end with">.bat</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 				<Image condition="excludes any">C:\ProgramData\Lenovo\SystemUpdate\sessionSE\</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=New dll file dropped to C:\Windows\" groupRelation="and">
 				<TargetFilename condition="end with">.dll</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=New Driver sys file dropped to C:\Windows\" groupRelation="and">
 				<TargetFilename condition="end with">.sys</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=New Exe file dropped to C:\Windows\" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 				<TargetFilename condition="excludes any">C:\Windows\System32\;C:\windows\syswow64\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=New Exe file dropped to C:\Windows\System32" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=New Exe file dropped to C:\Windows\System32" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\SysWow64\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=New theme: Credential harvesting" groupRelation="and">
 				<TargetFilename condition="end with">.theme</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Interesting files: Microsoft Office Isolated Conversion Environment" groupRelation="and">
 				<TargetFilename condition="contains">\Packages\oice_</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Virtualbox VM Escape" groupRelation="and">
 				<Image condition="image">VirtualboxVM.exe</Image>
 			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">notepad++.exe</Image>
+			<Image name="Level=0,Desc=Files edited with Notepad Plus Plus" condition="is">notepad++.exe</Image>
 			<TargetFilename name="Attack=T1023,Technique=Shortcut Modification,Tactic=Persistence,Level=4,Alert=Potential LNK Malware File Downloaded">.lnk:Zone.Identifier</TargetFilename>
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\cscript.exe.log</TargetFilename>
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\mshta.exe.log</TargetFilename>
@@ -4102,47 +4102,47 @@
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wscript.exe.log</TargetFilename>
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\regsvr32.exe.log</TargetFilename>
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Winrm Host Process" condition="end with">\UsageLogs\wsmprovhost.exe.log</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Link">.lnk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=URL">.url</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Link">.lnk</TargetFilename>
+			<TargetFilename name="Level=0,Desc=URL">.url</TargetFilename>
 			<!--Drivers dropped-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sys</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.inf</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\System32\Drivers</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Drivers\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Driver" condition="end with">.sys</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Driver INF" condition="end with">.inf</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\System32\Drivers</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Driver File Dropped" condition="contains">\Drivers\</TargetFilename>
 			<TargetFilename condition="end with">.drv</TargetFilename> 
 			<!--Microsoft Office File Monitoring-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlam</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlsm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xla</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xll</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xls</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlsb</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlsx</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlt</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xltm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlw</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Microsoft\Templates\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.eml</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.msg</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.potm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sldm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Microsoft\Office\Recent</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlam</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlsm</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xla</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xll</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xls</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xlsb</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xlsx</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xlt</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xltm</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xlw</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Office Template created" condition="contains">\Microsoft\Templates\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Outlook EML" condition="end with">.eml</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Outlook MSG" condition="end with">.msg</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Powerpoint Macro" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.potm</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Powerpoint OpenXML Filetype" condition="end with">.sldm</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Recent Office Files" condition="contains">\Microsoft\Office\Recent</TargetFilename>
 			<TargetFilename name="Forensic=Recent Office History" condition="contains">oleObject</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Downloads\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Content.Outlook\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.docb</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.wbk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ped</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.dot</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.dotx</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.doc</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.docm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.docx</TargetFilename>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
+			<TargetFilename name="Level=0,Desc=User Downloaded Files" condition="contains">\Downloads\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=User Outlook Attachments" condition="contains">\Content.Outlook\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Word Macro,Risk=30" condition="end with">.docb</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Word Macro,Risk=30" condition="end with">.wbk</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Word Perfect" condition="end with">.ped</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Word Template" condition="end with">.dot</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Word Template" condition="end with">.dotx</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Word" condition="end with">.doc</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Word" condition="end with">.docm</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Word" condition="end with">.docx</TargetFilename>
+			<Rule name="Level=0,Desc=Legacy Office files" groupRelation="or">
 				<TargetFilename condition="end with">.accdb</TargetFilename>
 				<TargetFilename condition="end with">.accde</TargetFilename>
 				<TargetFilename condition="end with">.accdr</TargetFilename>
@@ -4165,7 +4165,7 @@
 				<TargetFilename condition="end with">.xps</TargetFilename>
 			</Rule>
 			<!--SECTION: Certificates -->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
+			<Rule name="Level=0,Desc=Certificate" groupRelation="or">
 				<TargetFilename condition="end with">.pem</TargetFilename>
 				<TargetFilename condition="end with">.crt</TargetFilename>
 				<TargetFilename condition="end with">.ca-bundle</TargetFilename>
@@ -4183,7 +4183,7 @@
 				<TargetFilename condition="end with">.key</TargetFilename>
 			</Rule>
 			<!-- side loading -->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
+			<Rule name="Level=0,Desc=Sideload Detection" groupRelation="or">
 				<TargetFilename condition="end with">.hlp</TargetFilename>
 				<TargetFilename condition="end with">ACLUI.DLL.UI</TargetFilename>
 				<TargetFilename condition="end with">ACLUI.DLL</TargetFilename>
@@ -4272,64 +4272,64 @@
 				<TargetFilename condition="end with">wts.chm</TargetFilename>
 				<TargetFilename condition="end with">credwiz.exe</TargetFilename>
 			</Rule>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">ssMUIDLL.dll</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Op cell phone: https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" condition="end with">ssMUIDLL.dll</TargetFilename>
 			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">aepic.dll</TargetFilename>
 			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">ftllib.dll</TargetFilename>
 			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">userenv.dll</TargetFilename>
 			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP Bitmap Cache" condition="contains">\Terminal Server Client\Cache\</TargetFilename>
 			<TargetFilename name="Attack=T1204,Technique=User Execution,Tactic=Execution,Forensic=Windows Prefetch Exec History" condition="begin with">C:\Windows\Prefetch</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">\\tsclient</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Suspicious TSClient share file creation,Risk=30" condition="begin with">\\tsclient</TargetFilename>
+			<TargetFilename name="Level=0,Desc=WebDav Cache Files Created" condition="begin with">C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\</TargetFilename>
 			<TargetFilename name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=4,Alert=SharpDump bin,Risk=100" condition="end with">\Temp\debug.bin</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Temp\7z</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.chm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.cpl</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">.mht</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.crx</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.appref-ms</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.gadget</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.JSE</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.exe</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.scf</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Exchange Server\ClientAccess\Owa\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">\Device\HarddiskVolumeShadowCopy</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">.zip\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.FON</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.FOT</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.iqy</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ico</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.isp</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.msc</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.manifest</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">MEMORY.dmp</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.msi</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.cs</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.customDestinations-ms</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\Minidump</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.PAF</TargetFilename>
+			<TargetFilename name="Level=0,Desc=7zip Archive Extraction" condition="contains">Temp\7z</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Appcompat Shims" condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename>
+			<TargetFilename name="Level=0,Desc=CHM Filetype" condition="end with">.chm</TargetFilename>
+			<TargetFilename name="Level=0,Desc=CIA Vault7: Control Panel Files https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="end with">.cpl</TargetFilename>
+			<TargetFilename name="Level=0,Desc=CIA Vault7: https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="contains">.mht</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Chrome Extensions" condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Chrome extension" condition="end with">.crx</TargetFilename>
+			<TargetFilename name="Level=0,Desc=ClickOnce extension" condition="end with">.appref-ms</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Desktop Gadget File" condition="end with">.gadget</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Encrypted JScript File type" condition="end with">.JSE</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Executable file" condition="end with">.exe</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Explorer Command" condition="end with">.scf</TargetFilename>
+			<TargetFilename name="Level=0,Desc=File Dropped to Exchange OWA: Webshell,Risk=70" condition="contains">Exchange Server\ClientAccess\Owa\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=File Dropped to shadow copy" condition="begin with">\Device\HarddiskVolumeShadowCopy</TargetFilename>
+			<TargetFilename name="Level=0,Desc=File created/accessed from Zip File" condition="contains">.zip\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Font File Type" condition="end with">.FON</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Font File Type" condition="end with">.FOT</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename>
+			<TargetFilename name="Level=0,Desc=IQY file used to pull down dropper" condition="end with">.iqy</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Icon" condition="end with">.ico</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Internet settings" condition="end with">.isp</TargetFilename>
+			<TargetFilename name="Level=0,Desc=MMC Snapin" condition="end with">.msc</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Manifest File Crated" condition="end with">.manifest</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Memory dump" condition="end with">MEMORY.dmp</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Microsoft Installer" condition="end with">.msi</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.cs</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.customDestinations-ms</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Minidump Crash dump created" condition="begin with">C:\Windows\Minidump</TargetFilename>
+			<TargetFilename name="Level=0,Desc=PAF" condition="end with">.PAF</TargetFilename>
 			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP Bitmap Cache" condition="end with">.bmc</TargetFilename>
 			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP" condition="end with">.rdp</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.rtf</TargetFilename> 
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.reg</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SHS</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.slk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SCR</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.set</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SettingContent-ms</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SHD</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SPL</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.scr</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">HammerDrillStatus.dll</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft\Windows\WER\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ICL</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sdb</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SCT</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SHB</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Temp\Temp1_</TargetFilename>
+			<TargetFilename name="Level=0,Desc=RTF files often 0day malware vectors when opened by Office,Risk=20" condition="end with">.rtf</TargetFilename> 
+			<TargetFilename name="Level=0,Desc=Registry file" condition="end with">.reg</TargetFilename>
+			<TargetFilename name="Level=0,Desc=SHS Office File for copy pastes" condition="end with">.SHS</TargetFilename>
+			<TargetFilename name="Level=0,Desc=SLK file used for command execution" condition="end with">.slk</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Screensaver" condition="end with">.SCR</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Set" condition="end with">.set</TargetFilename>
+			<TargetFilename name="Level=0,Desc=SettingContent-ms" condition="end with">.SettingContent-ms</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Spooled Print Job" condition="end with">.SHD</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Spooled Print Job" condition="end with">.SPL</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Screensaver file created" condition="end with">.scr</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Vault7 file" condition="end with">HammerDrillStatus.dll</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Windows Error Dumps" condition="contains">Microsoft\Windows\WER\</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Windows Icon" condition="end with">.ICL</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Windows Registry Database" condition="end with">.sdb</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Windows Script File Component File" condition="end with">.SCT</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Windows Shell Scrap Object Handler File" condition="end with">.SHB</TargetFilename>
+			<TargetFilename name="Level=0,Desc=Zip File Extraction from explorer" condition="contains">Temp\Temp1_</TargetFilename>
 			<!--Uncategorized-->
 			<TargetFilename condition="contains all">\Microsoft\;CLR_v;\UsageLogs\</TargetFilename>
 			<TargetFilename condition="end with">.ade</TargetFilename>
@@ -4392,28 +4392,28 @@
 				<TargetObject condition="excludes">DefaultPrinter</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">MountedDevices</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Mountpoints2</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Active Setup\Installed Components</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
+			<TargetObject name="Level=0,Desc=Mounted Device Detection" condition="contains">MountedDevices</TargetObject>
+			<TargetObject name="Level=0,Desc=Mountpoints2 Mounted Device Detection" condition="contains">Mountpoints2</TargetObject>
+			<TargetObject name="Level=0,Desc=Active Setup Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Keyloggers and new Keyboards" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect USB Input Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect New Mice" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect New Composite Device" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect New Bluetooth Device" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974}</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect New Disk Drive" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect New WPD Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect New Biometric Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
 			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
 			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
 			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Interactive Logon Detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\</TargetObject>
 				<TargetObject condition="end with">LoggedOnUser</TargetObject>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">LastLoggedOnUser</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">LastLoggedOnProvider</TargetObject>
+			<TargetObject name="Level=0,Desc=Last Logged on User modification" condition="contains">LastLoggedOnUser</TargetObject>
+			<TargetObject name="Level=0,Desc=Last Logged on Provider modification" condition="contains">LastLoggedOnProvider</TargetObject>
 			<!--MITRE ATT&CK TACTIC: Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
 			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
@@ -4459,10 +4459,10 @@
 			<Rule name="Attack=T0000,Level=4,Alert=NJRAT Detection,Risk=100" groupRelation="and">
 				<TargetObject condition="is">HKCU\di</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Lokibot Detection" groupRelation="and">
 				<TargetObject condition="contains">HKCU\�</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
+			<Rule name="Level=0,Desc=AMSI Tamper Detection" groupRelation="or">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\AMSI\Providers\</TargetObject>
 				<TargetObject condition="begin with">hklm\software\microsoft\windows script\settings\amsienable</TargetObject>
 				<TargetObject condition="begin with">hkcu\software\microsoft\windows script\settings\amsienable</TargetObject>
@@ -4470,34 +4470,34 @@
 			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
 
 			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Forensic=Chrome Extension auditing" groupRelation="and">
 				<TargetObject condition="contains">Google\Chrome\Extensions</TargetObject>
 				<TargetObject condition="end with">update_url</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Forced password reset detected" groupRelation="and">
 				<TargetObject condition="contains">ForcePasswordReset</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Machine Password Change Detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=User Last Password Changed" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
 				<TargetObject condition="end with">Last Password Change</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Account Expiration" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
 				<TargetObject condition="end with">Account Expiration</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Last Failed Logon" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
 				<TargetObject condition="end with">Last Failed Logon</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=User Account Added to Local Admin" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=User Account Added to Remote Desktop User Group" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\0000022B\</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
@@ -4542,12 +4542,12 @@
 			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="contains">Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Print Processors-->
 			<TargetObject name="Attack=T1013,Technique=Port Monitors,Tactic=Persistence/Privilege Escalation" condition="contains">\Print\Monitors</TargetObject>
-			<!--<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Printers\Connections</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Print\Environments\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Servers\Printers\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Print\V4 Connections</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CurrentVersion\PrinterPorts</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">SWD\PRINTENUM</TargetObject>-->
+			<!--<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">\Printers\Connections</TargetObject>
+			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">\Print\Environments\</TargetObject>
+			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">\Servers\Printers\</TargetObject>
+			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">\Print\V4 Connections</TargetObject>
+			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">CurrentVersion\PrinterPorts</TargetObject>
+			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">SWD\PRINTENUM</TargetObject>-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
 			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
 			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
@@ -4563,7 +4563,7 @@
 				<EventType condition="is">CreateKey</EventType>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=Sysmon Manifest change detected,Risk=30" groupRelation="and">
+			<Rule name="Level=3,Alert=Sysmon Manifest change detected,Risk=30" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}</TargetObject>
 				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
 				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
@@ -4604,7 +4604,7 @@
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
 			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Session Manager\KnownDlls</TargetObject>
+			<TargetObject name="Level=0,Desc=KnownDLLs" condition="contains">Session Manager\KnownDlls</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
@@ -4657,12 +4657,12 @@
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="contains">UserInitMprLogonScript</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=BootVerificationProgram Autorun" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Security Support Provider-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject>
+			<TargetObject name="Level=0,Desc=Monitor LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject>
+			<TargetObject name="Level=0,Desc=Monitor LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject>
+			<TargetObject name="Level=0,Desc=Monitor LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject>
+			<TargetObject name="Level=0,Desc=Monitor OS Config LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject>
+			<TargetObject name="Level=0,Desc=Monitor OS Config LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>
+			<TargetObject name="Level=0,Desc=Monitor OS Config LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
 			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
@@ -4717,26 +4717,26 @@
 				<TargetObject condition="end with">SD</TargetObject>
 				<TargetObject condition="excludes any">Microsoft\Windows\UpdateOrchestrator</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Scheduled Task Creation ID Key" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
 				<TargetObject condition="end with">ID</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Scheduled Task Creation Author Key" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
 				<TargetObject condition="end with">Author</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Scheduled Task Creation Path Key" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
 				<TargetObject condition="end with">Path</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Scheduled Task Creation Date Key" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
 				<TargetObject condition="end with">Date</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Scheduled Task Added to Logon" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Scheduled Task Added to Boot Time" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
@@ -4760,7 +4760,7 @@
 				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect UAC Tampering" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
 			<TargetObject name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe</TargetObject>
 			<TargetObject name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">exefile\shell\runas\command\isolatedCommand</TargetObject>			
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
@@ -4775,7 +4775,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
 			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
 			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Hidden</TargetObject>
+			<TargetObject name="Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
 			<Rule name="Attack=T1564.002,Technique=Hide Artifacts: Hidden Users,Tactic=Defense Evasion,Level=4,Alert=User Account Hidden From Logon Screen,Risk=100" groupRelation="and">
 				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\</TargetObject>
 				<TargetObject condition="end with">$</TargetObject>
@@ -4809,7 +4809,7 @@
 				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acro</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Task Manager Disablement Detection" groupRelation="and">
 				<TargetObject condition="end with">DisableTaskMgr</TargetObject>
 				<Image condition="excludes">C:\WINDOWS\system32\svchost.exe</Image>
 				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
@@ -4837,45 +4837,45 @@
 				<TargetObject condition="contains">\Security\Level</TargetObject>
 				<Details condition="contains">DWORD (0x00000004)</Details>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Outlook Security Changes" groupRelation="and">
 				<TargetObject condition="contains">\Outlook\Security</TargetObject>
 				<!--Allow Outlook Details rules to fire-->
 				<TargetObject condition="excludes">\Security\Level</TargetObject>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Word\Security</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Excel\Security</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Security\Level1Remove</TargetObject>
+			<TargetObject name="Level=0,Desc=Word Security Changes" condition="contains">\Word\Security</TargetObject>
+			<TargetObject name="Level=0,Desc=Excel Security Changes" condition="contains">\Excel\Security</TargetObject>
+			<TargetObject name="Level=0,Desc=Detected Unauthorized changes to Office Security" condition="contains">\Security\Level1Remove</TargetObject>
 			<!--Detect if Microsoft Security Center is Disabled or Enabled-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\HideSCAHealth</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
+			<TargetObject name="Level=0,Desc=Microsoft:Windows:Security Center: Malware timestimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/" condition="end with">\HideSCAHealth</TargetObject>
+			<TargetObject name="Level=0,Desc=Security Center AV Disabled Notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
+			<TargetObject name="Level=0,Desc=Security Center Disable UAC Notify Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
+			<TargetObject name="Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
+			<TargetObject name="Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
+			<TargetObject name="Level=0,Desc=Security Center Disablement of Update notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
+			<TargetObject name="Level=0,Desc=Security Center Firewall Override Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
+			<TargetObject name="Level=0,Desc=Security Center Tampering: All Alerts Disabled" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
 			<!--Detect if Windows Defender is Disabled-->
 			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPSessionInterval</TargetObject>
 			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SystemRestorePointCreationFrequency</TargetObject>
 			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Detected disablement of machine password,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
+			<TargetObject name="Level=0,Desc=Monitor Secure Channel Protection changes,Risk=30" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection</TargetObject>
+			<TargetObject name="Level=0,Desc=Refuse PW Change for workstations" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Defender AntiSpyware Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Defender Behavior Monitoring Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Defender Real Time Protection Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Defender Spynet Reporting Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable Windows Event Logging-->
 			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Windows Event Log Source,Risk=100" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
 				<TargetObject condition="end with">\Enabled</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Enabling of Windows Event Log Source" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
 				<TargetObject condition="end with">\Enabled</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Detect Event log system integrity and ACL Modifications" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
 				<TargetObject condition="excludes">\Enabled</TargetObject>
 			</Rule>
@@ -4908,11 +4908,11 @@
 				<TargetObject condition="end with">\MaxSize</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Globally Opened Firewall port exceptions" groupRelation="and">
 				<TargetObject condition="contains">globallyopenports</TargetObject>
 			</Rule>
 			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Monitor Firewall Enablement or Disablement" condition="end with">EnableFirewall</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
+			<TargetObject name="Level=0,Desc=App added to Firewall Auth list" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
 
 			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
 			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=ETWEnabled Env Tampering,Risk=70" groupRelation="and">
@@ -4938,20 +4938,20 @@
 			<Rule name="Forensic=Regedit history Detection,Risk=30" groupRelation="and">
 				<TargetObject condition="end with">\LastKey</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Symbolic Registry Link Created" groupRelation="and">
 				<TargetObject condition="contains">SymbolicLinkValue</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Suspicious Location Registry Change Detected" groupRelation="and">
 				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer</TargetObject>
 				<Image condition="contains any">\AppData\;\ProgramData\;\Temp\;C:\users</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Right to Left hidden Registry key,Risk=40" groupRelation="and">
 				<TargetObject condition="contains">&#x202e;</TargetObject>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg</TargetObject>
+			<TargetObject name="Level=0,Desc=Monitor Remote Registry Setting Keys" condition="begin with">HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg</TargetObject>
 
 			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Detect System Certificate Modifications" groupRelation="and">
 				<TargetObject condition="contains any">\Software\Policies\Microsoft\SystemCertificates\;\SOFTWARE\Microsoft\EnterpriseCertificates\;HKLM\SOFTWARE\Microsoft\SystemCertificates\;HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
 				<EventType condition="is not">CreateKey</EventType>
 				<Image condition="excludes">C:\WINDOWS\Sysmon64.exe</Image>
@@ -4968,16 +4968,16 @@
 				<Image condition="excludes">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</Image>
 				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe</Image>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">fDenyTSConnections</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Terminal Server\WinStations\RDP-Tcp</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">RDP-tcp\PortNumber</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject>
+			<TargetObject name="Level=0,Desc=Remote Desktop fDenyTSConnections modification" condition="contains">fDenyTSConnections</TargetObject>
+			<TargetObject name="Level=0,Desc=Remote Desktop Settings keys" condition="contains">Terminal Server\WinStations\RDP-Tcp</TargetObject>
+			<TargetObject name="Level=0,Desc=Remote Desktop port modification" condition="end with">RDP-tcp\PortNumber</TargetObject>
+			<TargetObject name="Level=0,Desc=Enablement of Multiple RDP Sessions" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
 			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Unicode Replacement Character in Registry key,Risk=20" groupRelation="and">
 				<TargetObject condition="contains">&#xfffd;</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Cryillic Character in Registry key,Risk=100" groupRelation="and">
 				<TargetObject condition="contains any">Й;ќ;Л;я;К</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
@@ -5111,7 +5111,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
 			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Git For Windows Detection: Revil: Sodinokibi,Risk=50" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\GitForWindows</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
@@ -5156,35 +5156,35 @@
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<!-- UEBA/Uncategorized Detections-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Lanmanserver Parameters Registry Change Detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Lanmanworkstation Parameters Registry Change Detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters</TargetObject>
 			</Rule>
 			<Rule name="Forensic=Regedit history Detection,Risk=30" groupRelation="and">
 				<TargetObject condition="end with">\LastKey</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=TS Farm Disable RDP Detection" groupRelation="and">
 				<TargetObject condition="end with">\WinStationsDisabled</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=TS Farm Drain Mode Modification Detection" groupRelation="and">
 				<TargetObject condition="end with">\TSServerDrainMode</TargetObject>
 			</Rule>
 			<Rule name="Forensic=IE history Detection" groupRelation="and">
 				<TargetObject condition="end with">\TypedURLs</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=IPv6 Changes detected: Disabled Components" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\disabledcomponents</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=IPv6 Changes detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Linkage\Bind</TargetObject>
 				<Details condition="excludes">Binary Data</Details>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Network Card Changes detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Service Listening Ports with URL ACL INFO" groupRelation="and">
 				<TargetObject condition="contains">services\http\parameters\urlaclinf</TargetObject>
 			</Rule>
 			<Rule name="Forensic=Adobe Recent File List History" groupRelation="and">
@@ -5194,7 +5194,7 @@
 			<Rule name="Forensic=Office History MRU" groupRelation="and">
 				<TargetObject condition="end with">\File MRU\Item 1</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Sysmon Config Hash Modification Monitoring" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHash</TargetObject>
 			</Rule>
 			<!--Common Malware Persistence locations-->
@@ -5212,140 +5212,140 @@
 			<TargetObject name="Attack=T1562.006,Technique=Impair Defenses: Indicator Blocking,Tactic=Defense Evasion,Level=0,Desc=ETW Tampering,Risk=70" condition="end with">SOFTWARE\Microsoft\.NETFramework\ETWEnabled</TargetObject>
 			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=2,Alert=AutoRun Keys,Risk=70" condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Policies\System\Shell</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">PreferenceMACs\Default\extensions.settings</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CurrentVersion\URL</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\CurrentVersion\Font Drivers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Active Setup\Installed Components</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">NullSessionShares</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">NullSessionPipes</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">PasswordExpiryNotification</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">SafeBoot\AlternateShell</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Desktop\Scrnsave.exe</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DisplayVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\ModifyPath</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Microsoft\Windows\CurrentVersion\Uninstall\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\UninstallString</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
+			<TargetObject name="Level=0,Desc=Alternate Shell AvailableShells Hijack" condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
+			<TargetObject name="Level=0,Desc=Alternative Shell Policy" condition="contains">Policies\System\Shell</TargetObject>
+			<TargetObject name="Level=0,Desc=AutoStart on Connect" condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
+			<TargetObject name="Level=0,Desc=AutoStart on Disconnect" condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
+			<TargetObject name="Level=0,Desc=Chrome Extensions" condition="contains">PreferenceMACs\Default\extensions.settings</TargetObject>
+			<TargetObject name="Level=0,Desc=CurrentVersion URL Key" condition="contains">CurrentVersion\URL</TargetObject>
+			<TargetObject name="Level=0,Desc=Font Drivers" condition="end with">\CurrentVersion\Font Drivers</TargetObject>
+			<TargetObject name="Level=0,Desc=Group Policy Shutdown scripts" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Level=0,Desc=Icon Service Lib" condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
+			<TargetObject name="Level=0,Desc=Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
+			<TargetObject name="Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="contains">NullSessionShares</TargetObject>
+			<TargetObject name="Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="end with">NullSessionPipes</TargetObject>
+			<TargetObject name="Level=0,Desc=Password Expiry Info" condition="contains">PasswordExpiryNotification</TargetObject>
+			<TargetObject name="Level=0,Desc=Safeboot Alternative Shell hijack" condition="contains">SafeBoot\AlternateShell</TargetObject>
+			<TargetObject name="Level=0,Desc=Screen Save on Desktop" condition="contains">Desktop\Scrnsave.exe</TargetObject>
+			<TargetObject name="Level=0,Desc=Software Installed or DisplayVersion modified" condition="end with">\DisplayVersion</TargetObject>
+			<TargetObject name="Level=0,Desc=Software Installed or Modify String modified" condition="end with">\ModifyPath</TargetObject>
+			<TargetObject name="Level=0,Desc=Software Installed or Uninstall String modified" condition="contains">\Microsoft\Windows\CurrentVersion\Uninstall\</TargetObject>
+			<TargetObject name="Level=0,Desc=Software Installed or Uninstall String modified" condition="end with">\UninstallString</TargetObject>
+			<TargetObject name="Level=0,Desc=Terminal Services Initial Program Key" condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<TargetObject name="Level=0,Desc=Winlogon Taskman Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
 			<!--CLSID launch commands and file association changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Explorer\FileExts\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
+			<TargetObject name="Level=0,Desc=File Extension Mapping" condition="contains">\Explorer\FileExts\</TargetObject>
+			<TargetObject name="Level=0,Desc=Command Shell install Key" condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
 			<TargetObject name="Forensic=User SID History for Forensics" condition="end with">\ProfileImagePath</TargetObject><!--Lets Get SID History and other info for Forensics, this is created on logon-->
 			<!--Windows shell hijack-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Hidden</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\HideFileExt</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SharedTaskScheduler</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ColumnHandlers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\CopyHookHandlers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ExtShellFolderViews</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\PropertySheetHandlers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ShellServiceObjects</TargetObject>
+			<TargetObject name="Level=0,Desc=AllFileSystemObjects Classes" condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject name="Level=0,Desc=Asterisk Classes" condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject name="Level=0,Desc=CFT LangBarAddin" condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
+			<TargetObject name="Level=0,Desc=ContextMenuHandlers" condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
+			<TargetObject name="Level=0,Desc=CurrentVersion Shell Keys" condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
+			<TargetObject name="Level=0,Desc=Detect ShellExecuteHooks" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
+			<TargetObject name="Level=0,Desc=Directory Classes" condition="contains">\Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject name="Level=0,Desc=Drive Classes" condition="contains">\Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject name="Level=0,Desc=Explorer Shell Execute Hooks" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
+			<TargetObject name="Level=0,Desc=Folder Classes" condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject name="Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
+			<TargetObject name="Level=0,Desc=Hidden File Extensions Explorer Setting modification" condition="end with">\HideFileExt</TargetObject>
+			<TargetObject name="Level=0,Desc=Internet Explorer Desktop Components" condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
+			<TargetObject name="Level=0,Desc=Protocol Filter Classes" condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
+			<TargetObject name="Level=0,Desc=Protocol Handler Classes" condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
+			<TargetObject name="Level=0,Desc=SharedTaskScheduler" condition="contains">\SharedTaskScheduler</TargetObject>
+			<TargetObject name="Level=0,Desc=Super Hidden File Explorer Setting modification" condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
+			<TargetObject name="Level=0,Desc=Windows Shell Hijack: ColumnHandlers" condition="contains">\ColumnHandlers</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Shell Hijack: CopyHookHandlers" condition="contains">\CopyHookHandlers</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Shell Hijack: ExtShellFolderView" condition="contains">\ExtShellFolderViews</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Shell Hijack: PropertySheetHandlers" condition="contains">\PropertySheetHandlers</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Shell Hijack: ShellServiceObjectDelayLoad" condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Shell Hijack: ShellServiceObjects" condition="contains">\ShellServiceObjects</TargetObject>
 			<!--AppPaths hijacking-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject name="Level=0,Desc=Detect AppPaths Hijacking" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject name="Level=0,Desc=Detect AppPaths Hijacking" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject name="Level=0,Desc=Detect AppPaths Hijacking" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
 			<!--Terminal service boobytraps-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Terminal Services BoobyTraps" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
 			<!--Group Policy interity-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
+			<TargetObject name="Level=0,Desc=Group Policy interity Detection" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
 			<!--Winsock and Winsock2-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DisableSecuritySettingsCheck</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">SavedLegacySettings</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">EnableConsoleTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">EnableFileTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Level=0,Desc=Detect IE Popup Blocker Changes" condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
+			<TargetObject name="Level=0,Desc=Detect IE Protected Mode Changes" condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
+			<TargetObject name="Level=0,Desc=Detect IE Scripting Mode in Internet Zone Changes" condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
+			<TargetObject name="Level=0,Desc=Detect IE Security Setting Check Warning Changes" condition="end with">\DisableSecuritySettingsCheck</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Winsock Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
+			<TargetObject name="Level=0,Desc=Detect Winsock Proxy Server Changes" condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
+			<TargetObject name="Level=0,Desc=Detected IE Legacy setting modifications" condition="end with">SavedLegacySettings</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Level=0,Desc=Detected IE Proxy setting modifications" condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Level=0,Desc=Detected Modifications of Console Tracing" condition="end with">EnableConsoleTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Level=0,Desc=Detected Modifications of File Tracing" condition="end with">EnableFileTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
 			<!--Credential providers-->
 			<TargetObject name="Attack=T1177,Tactic=Execution/Persistence,Technique=LSASS Driver,Level=3,Alert=Detection of Modification of LSASS Protection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
+			<TargetObject name="Level=0,Desc=Detect Authentication PLAP Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Authentication Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
+			<TargetObject name="Level=0,Desc=Detect Credential provider Filter Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect LSA Credential Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect NETSH Helper DLL Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
+			<TargetObject name="Level=0,Desc=Detect Security Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
 			<!--Networking-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
+			<TargetObject name="Level=0,Desc=Monitor Network Interface Priority ordering" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
 			<TargetObject name="Forensic=Monitor Network History" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
 			<!--DLLs that get injected into every process launch-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
+			<TargetObject name="Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
+			<TargetObject name="Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
 			<!--Office-->
 			<!--Microsoft Office-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Office Test\</TargetObject> <!-- [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
+			<TargetObject name="Level=0,Desc=Office Test Autorun Location Monitoring,Risk=40" condition="contains">Office Test\</TargetObject> <!-- [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
 			<!--Removed addins on 11/13/2018 due to high count-->
 			<!--IE-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
+			<TargetObject name="Level=0,Desc=Detect Changes to Internet Explorer Toolbars" condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
+			<TargetObject name="Level=0,Desc=Detect Changes to Internet Explorer Extensions" condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
 			<!--Magic registry keys-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
+			<TargetObject name="Level=0,Desc=Detect Browser Helper Object Modifications" condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
+			<TargetObject name="Level=0,Desc=Detect Changes to Thumbnail cache autostart" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
 			<!--Infection artifacts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and component installations-->
+			<TargetObject name="Level=0,Desc=ClickOnce URL Update Artifact" condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
+			<TargetObject name="Level=0,Desc=Installer Source Artifact" condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and component installations-->
 			<!--Windows internals integrity monitoring-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">TamperProtection</TargetObject> <!--Microsoft:Defender: Detect changes to Defender TamperProtection -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
+			<TargetObject name="Level=0,Desc=Detect Legacy Drivers Loaded" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
+			<TargetObject name="Level=0,Desc=Detect System Policy Changes" condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
+			<TargetObject name="Level=0,Desc=Detect Windows Defender Policy Changes" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
+			<TargetObject name="Level=0,Desc=Detect Windows Defender Tamper Protection Modifications" condition="begin with">TamperProtection</TargetObject> <!--Microsoft:Defender: Detect changes to Defender TamperProtection -->
+			<TargetObject name="Level=0,Desc=Detect malware changes to UAC prompt level" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
 			<!--Group Policy Scripts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
 			<!--Detect Network History-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Nameserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DefaultGateway</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">}\Category</TargetObject><!--Networking: Detect Network type change-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Trusted Documents\TrustRecords</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Software\Microsoft\VBA\7.1\Common</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Software\Microsoft\VBA\7.1\Trusted</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Security\DontTrustInstalledFiles</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Security\Trusted Locations</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Security\ProtectedView\DisableInternetFilesInPV</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Security\ProtectedView\DisableAttachmentsInPV</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Security\ProtectedView\DisableUnsafeLocationsInPV</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect AD Domain Change" condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
+			<TargetObject name="Level=0,Desc=Detect DHCP Default Gateway" condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Level=0,Desc=Detect DHCP IP Address" condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Level=0,Desc=Detect DHCP Name Server Changes" condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Level=0,Desc=Detect DHCP Server Change" condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Level=0,Desc=Detect DHCP Subnet mask Change" condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Level=0,Desc=Detect DNS Server Changes" condition="end with">Nameserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Level=0,Desc=Detect Default Gateway" condition="end with">\DefaultGateway</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Level=0,Desc=Detect Network Persistent Route Change" condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
+			<TargetObject name="Level=0,Desc=Detect Network Type Change" condition="end with">}\Category</TargetObject><!--Networking: Detect Network type change-->
+			<TargetObject name="Level=0,Desc=Detect Network profile Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect Subnet Mask Change" condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Level=0,Desc=User added Macro document to Trusted Records,Risk=30" condition="contains">\Trusted Documents\TrustRecords</TargetObject>
+			<TargetObject name="Level=0,Desc=User added Macro document to Trusted Records 2,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Common</TargetObject>
+			<TargetObject name="Level=0,Desc=User added Macro trusted certificate,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Trusted</TargetObject>
+			<TargetObject name="Level=0,Desc=Office Security Settings: Monitor changes of security prompts" condition="contains">\Security\DontTrustInstalledFiles</TargetObject>
+			<TargetObject name="Level=0,Desc=Office Trusted Location Changes" condition="contains">\Security\Trusted Locations</TargetObject>
+			<TargetObject name="Level=0,Desc=Office Keys: Monitor Disabling of Internet files in Protected View" condition="end with">Security\ProtectedView\DisableInternetFilesInPV</TargetObject>
+			<TargetObject name="Level=0,Desc=Office Keys: Monitor Disabling of attackments in Protected View" condition="end with">Security\ProtectedView\DisableAttachmentsInPV</TargetObject>
+			<TargetObject name="Level=0,Desc=Office Keys: Monitor Disabling of Unsafe Locations in Protected View" condition="end with">Security\ProtectedView\DisableUnsafeLocationsInPV</TargetObject>
 			<TargetObject name="Forensic=WinRAR History" condition="contains">Software\WinRAR\ArcHistory</TargetObject>
 			<TargetObject name="Forensic=Winzip History" condition="contains">WinZip\mru\</TargetObject>
 			<TargetObject name="Forensic=Misc Recent File List History" condition="contains">Recent File List</TargetObject>
@@ -5353,66 +5353,66 @@
 			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\Today\UserDefinedUrl</TargetObject>
 			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Calendar Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Calendar</TargetObject>
 			<TargetObject name="Forensic=Office History" condition="contains">\Place MRU</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\LinkDate</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DriverVerVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DriverVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\LowerCaseLongPath</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Publisher</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Compatibility Assistant\Store\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\BinProductVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Root\InventoryApplicationShortcut\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Root\InventoryDriverBinary\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Root\InventoryDeviceContainer\</TargetObject>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<TargetObject name="Level=0,Forensic=AmCache InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVerVersion</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVersion</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache InvDB-Path" condition="end with">\LowerCaseLongPath</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache InvDB-Pub" condition="end with">\Publisher</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache InvDB-Store" condition="contains">Compatibility Assistant\Store\</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache InvDB-Ver" condition="end with">\BinProductVersion</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache Application Shortcuts" condition="contains">Root\InventoryApplicationShortcut\</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache Driver Binary Info" condition="contains">Root\InventoryDriverBinary\</TargetObject>
+			<TargetObject name="Level=0,Forensic=AmCache Device Info" condition="contains">Root\InventoryDeviceContainer\</TargetObject>
+			<Rule name="Level=0,Forensic=AmCache Application Installation Info" groupRelation="and">
 				<TargetObject condition="contains">Root\InventoryApplication\</TargetObject>
 				<TargetObject condition="contains any">ProgramID;Name;Version;Publisher;Language;InstallDate;Source;RootDirPath;HiddenArp;UninstallString;RegistryKeyPath;UserSID;sha256</TargetObject>
 			</Rule>			
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Forensic=AmCache Application File Info" groupRelation="and">
 				<TargetObject condition="contains">Root\InventoryApplicationFile\</TargetObject>
 				<TargetObject condition="contains any">ProgramId;FileId;LowerCaseLongPath;Name;OriginalFileName;Publisher;Version;binfileversion;LinkDate;Size;Language;USN;IsPeFile;IsOsComponent;sha256;AppxPackageFullName</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Forensic=AmCache AppV Application Inventory" groupRelation="and">
 				<TargetObject condition="contains">Root\InventoryApplicationAppV\</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Forensic=AmCache Office Information" groupRelation="and">
 				<TargetObject condition="contains any">Root\InventoryMiscellaneousOfficeAddIn;Root\InventoryMiscellaneousOfficeIdentifiers;Root\InventoryMiscellaneousOfficeIESettings;Root\InventoryMiscellaneousOfficeInsights;Root\InventoryMiscellaneousOfficeProducts;Root\InventoryMiscellaneousOfficeSettings;Root\InventoryMiscellaneousOfficeVBA;Root\InventoryMiscellaneousOfficeVBARuleViolations</TargetObject>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Explorer\MountPoints2</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices</TargetObject>
+			<TargetObject name="Level=0,Desc=User Mount Points" condition="end with">\Explorer\MountPoints2</TargetObject>
+			<TargetObject name="Level=0,Desc=Monitor DOS Devices Virtual Registry Paths" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices</TargetObject>
 			<Rule name="Attack=T1489,Technique=Service Stop,Tactic=Impact,Level=1,Desc=Service Set for Deletion" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\DeleteFlag</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
 			<!--Detect User Activity-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\bluetooth</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\contacts</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\hunmanInterfaceDevice</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\location</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\microphone</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\usb\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\webcam</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">LastVisitedMRU</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
+			<TargetObject name="Level=0,Forensic=Detect Bluetooth Audio Capture" condition="contains">\ConsentStore\bluetooth</TargetObject>
+			<TargetObject name="Level=0,Forensic=Detect Contacts Accesses" condition="contains">\ConsentStore\contacts</TargetObject>
+			<TargetObject name="Level=0,Forensic=Detect Input Capture Accesses/Keyloggers" condition="contains">\ConsentStore\hunmanInterfaceDevice</TargetObject>
+			<TargetObject name="Level=0,Forensic=Detect Location Accesses" condition="contains">\ConsentStore\location</TargetObject>
+			<TargetObject name="Level=0,Forensic=Detect Microphone Accesses" condition="contains">\ConsentStore\microphone</TargetObject>
+			<TargetObject name="Level=0,Forensic=Detect USB Accesses" condition="contains">\ConsentStore\usb\</TargetObject>
+			<TargetObject name="Level=0,Forensic=Detect Webcam Accesses" condition="contains">\ConsentStore\webcam</TargetObject>
+			<TargetObject name="Level=0,Forensic=Detect humanInterfaceDevice Accesses" condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
+			<TargetObject name="Level=0,Forensic=Explorer Last Visited MRU" condition="contains">LastVisitedMRU</TargetObject>
+			<TargetObject name="Level=0,Forensic=Regedit Applets" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
 			<TargetObject name="Forensic=Run MRU" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
+			<TargetObject name="Level=0,Desc=USBStor USB Device History" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
 			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=4,Alert=Safeboot Service Added" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject> <!--Mitre T1198-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject><!--Mitre T1198-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> 
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\FriendlyName</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
+			<TargetObject name="Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
+			<TargetObject name="Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
+			<TargetObject name="Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject> <!--Mitre T1198-->
+			<TargetObject name="Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject><!--Mitre T1198-->
+			<TargetObject name="Level=0,Desc=Detect: Dns Server dll injection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
+			<TargetObject name="Level=0,Desc=Detect: UAC Bypass" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> 
+			<TargetObject name="Level=0,Forensic=New Device Connected" condition="end with">\FriendlyName</TargetObject>
+			<TargetObject name="Level=0,Desc=Providers notified by Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
+			<TargetObject name="Level=0,Desc=Proxy Autoconfig URL" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
+			<TargetObject name="Level=0,Desc=Shell Service Object Delay Load" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
+			<TargetObject name="Level=0,Desc=Windows Installer Engaged" condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
 			<!--Windows application compatibility shims-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
+			<TargetObject name="Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetObject name="Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetObject name="Level=0,Desc=Process Tracing Modifications,,Risk=30" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
 			<!-- NOTICE: Detect New USB Network Devices: Poison Tap: Creates lots of noise, disabled for now-->
 			<Rule name="Alert=Detect PoisonTap,FP=2,Comment=May be noisy" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
@@ -5444,33 +5444,33 @@
 			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Potential Ransomware Indicator: REvil Sodinokibi Sodin Ransomware,Risk=100" condition="contains">Software\recfg</TargetObject>
 			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Preload\</TargetObject>
 			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Substitutes\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\</TargetObject> 
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Client\Enabled</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Server\Enabled</TargetObject>
+			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002</TargetObject>
+			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy</TargetObject>
+			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\</TargetObject>
+			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\</TargetObject> 
+			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman</TargetObject>
+			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\</TargetObject>
+			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="end with">\Client\Enabled</TargetObject>
+			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="end with">\Server\Enabled</TargetObject>
 			<TargetObject name="Forensic=Kitty Sessions,Risk=30" condition="contains">Kitty\Sessions</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
 			<TargetObject name="Forensic=Putty Sessions,Risk=30" condition="contains">PuTTY\Sessions</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Terminal Server Client\Servers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">WinSCP 2\Sessions</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">WinSCP 2\Sessions</TargetObject>
+			<TargetObject name="Level=0,Desc=RDP History,Risk=10" condition="contains">Terminal Server Client\Servers</TargetObject>
+			<TargetObject name="Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
+			<TargetObject name="Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
 		</RegistryEvent>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
 	<!--EVENT 15: "File stream created"-->
 	<RuleGroup name="RG=ADS Include Group" groupRelation="or">
 		<FileCreateStreamHash onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Interesting Files temp locations,Risk=10" groupRelation="and">
 				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
 				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.vbs;.hta</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=HTML_Smuggling,Risk=50" groupRelation="and">
+			<Rule name="Level=4,Alert=HTML_Smuggling,Risk=50" groupRelation="and">
 				<TargetFilename condition="end with">:Zone.Identifier</TargetFilename>
 				<Contents condition="contains any">blob:;about:internet</Contents>
 			</Rule>
@@ -5553,7 +5553,7 @@
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=sdlrpc Named Pipe Detection,Risk=100" condition="contains">\sdlrpc</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=winsession Named Pipe Detection,Risk=100" condition="contains">\winsession</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
 			<PipeName name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,Alert=lateral movement -meterpreter named pipe detected,Risk=100" condition="contains">msf-pipe</PipeName>
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\atsvc</PipeName> <!-- useful for lm or exec over atsvc namedpipe -->
+			<PipeName name="Level=0,Desc=LM or EXEC over atsvc named pipe" condition="contains">\atsvc</PipeName> <!-- useful for lm or exec over atsvc namedpipe -->
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 1" condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\DserNamedPipe;\mypipe-;\windows.update.manager;\ntsvcs_;scerpc_;\demoagent;\PGMessagePipe;\MsFTeWds;\f4c3;\fullduplex_;\msrpc_;\f53f;\rpc_;\spoolss_;\win_svc;\SearchTextHarvester</PipeName>
@@ -5562,13 +5562,13 @@
 				<PipeName condition="excludes">CtxSharefilepipe0</PipeName>
 			</Rule>
 			<!-- Noisy
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\srvsvc</PipeName>
+			<PipeName name="Level=0,Desc=SMB Session Enumeration" condition="contains">\srvsvc</PipeName>
 			-->
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\winreg</PipeName> <!-- useful for lateral movement and users enumeration, psloggedon use this technique -->
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Anonymous Pipe</PipeName><!--Include Everything else to mark above rules-->
+			<PipeName name="Level=0,Desc=Remote Registry access and enumeration" condition="contains">\winreg</PipeName> <!-- useful for lateral movement and users enumeration, psloggedon use this technique -->
+			<PipeName name="Level=0,Desc=Anonymous Named Pipe Detected" condition="contains">Anonymous Pipe</PipeName><!--Include Everything else to mark above rules-->
 			<!--Include Everything else to mark above rules-->
 			<!-- Disabled for now
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\</PipeName>
+			<PipeName name="Level=0,Desc=Uncategorized Events" condition="contains">\</PipeName>
 			-->
 		</PipeEvent>
 	</RuleGroup>
@@ -5650,7 +5650,7 @@
 				<QueryName condition="contains">github</QueryName>
 				<Image condition="image">powershell.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Suspicious DNS Requests" groupRelation="and">
 				<Image condition="contains any">powershell;cscript.exe;wscript.exe;mshta.exe;bitsadmin.exe;\cmd.exe</Image>
 				<QueryName condition="contains">.</QueryName>
 			</Rule>
@@ -5674,25 +5674,25 @@
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst domains,Risk=100" groupRelation="or">
 				<QueryName condition="contains any">thedoccloud.com;deftsecurity.com;websitetheme.com;highdatabase.com;incomeupdate.com;zupertech.com;panhardware.com;databasegalore.com;avsvmcloud.com;freescanonline.com</QueryName>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
+			<Rule name="Level=0,Desc=Social Networking" groupRelation="or">
 				<QueryName condition="contains any">tiktok;parler.com;gab.com;mewe.com;4chan;8chan;facebook;fbcdn;twitter;instagram;snapchat</QueryName>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
+			<Rule name="Level=0,Desc=Internet Relay Chat,Risk=70" groupRelation="or">
 				<QueryName condition="contains any">efnet;undernet;freenode;ircnet;.rizon;quakenet;oftc.net;dalnet</QueryName>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Internet Chat,Risk=20" groupRelation="and">
 				<QueryName condition="contains any">.slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com</QueryName>
 			</Rule>
 			<!--Crypto Currency Mining pools-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=10"  groupRelation="or">
+			<Rule name="Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=10"  groupRelation="or">
 				<QueryName condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.nimpool.io;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool;analytics.blue;estream.to</QueryName>
 			</Rule>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">graph.microsoft.com</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">dl.dropboxusercontent.com</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">api.onedrive.com</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">zoom.us</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">teamviewer</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Screenconnect</QueryName>
+			<QueryName name="Level=0,Desc=Microsoft Graph API Lookup" condition="is">graph.microsoft.com</QueryName>
+			<QueryName name="Level=0,Desc=Dropbox Download Detected" condition="is">dl.dropboxusercontent.com</QueryName>
+			<QueryName name="Level=0,Desc=OneDrive API Lookup" condition="is">api.onedrive.com</QueryName>
+			<QueryName name="Level=0,Desc=Zoom Hostname Lookup" condition="contains">zoom.us</QueryName>
+			<QueryName name="Level=0,Desc=Teamviewer Hostname Lookup" condition="contains">teamviewer</QueryName>
+			<QueryName name="Level=0,Desc=Screenconnect Hostname Lookup" condition="contains">Screenconnect</QueryName>
 			<!--Public Port Scan Detection-->
 			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
 			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery" condition="contains">census</QueryName>
@@ -5701,33 +5701,33 @@
 			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=Shadow DNS Query,Risk=20" condition="contains">shadow</QueryName>
 			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=Shodan.IO DNS Query,Risk=20" condition="contains">shodan</QueryName>
 			<!--Domain TLD's to log-->
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.download</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.kp</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.su</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ss</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xn</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sy</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ve</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xxx</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.cn</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.click</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.club</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ir</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ru</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.host</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.icu</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pw</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.website</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ninja</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.rocks</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.top</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ua</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xyz</QueryName>
+			<QueryName name="Level=0,Desc=Download TLD DNS Query" condition="end with">.download</QueryName>
+			<QueryName name="Level=0,Desc=North Korea TLD DNS Query" condition="end with">.kp</QueryName>
+			<QueryName name="Level=0,Desc=Soviet Union TLD DNS Query" condition="end with">.su</QueryName>
+			<QueryName name="Level=0,Desc=Sudan TLD DNS Query" condition="end with">.ss</QueryName>
+			<QueryName name="Level=0,Desc=Suspicious TLD .xn DNS Query" condition="end with">.xn</QueryName>
+			<QueryName name="Level=0,Desc=Syria TLD DNS Query" condition="end with">.sy</QueryName>
+			<QueryName name="Level=0,Desc=Venezuela TLD DNS Query" condition="end with">.ve</QueryName>
+			<QueryName name="Level=0,Desc=XXX TLD DNS Query" condition="end with">.xxx</QueryName>
+			<QueryName name="Level=0,Desc=China TLD DNS Query" condition="end with">.cn</QueryName>
+			<QueryName name="Level=0,Desc=Click TLD DNS Query" condition="end with">.click</QueryName>
+			<QueryName name="Level=0,Desc=Club TLD DNS Query" condition="end with">.club</QueryName>
+			<QueryName name="Level=0,Desc=IRAN TLD DNS Query" condition="end with">.ir</QueryName>
+			<QueryName name="Level=0,Desc=Russian TLD DNS Query" condition="end with">.ru</QueryName>
+			<QueryName name="Level=0,Desc=Suspicious TLD .Host DNS Query" condition="end with">.host</QueryName>
+			<QueryName name="Level=0,Desc=Suspicious TLD .ICU DNS Query" condition="end with">.icu</QueryName>
+			<QueryName name="Level=0,Desc=Suspicious TLD .PW DNS Query" condition="end with">.pw</QueryName>
+			<QueryName name="Level=0,Desc=Suspicious TLD .WEBSITE DNS Query" condition="end with">.website</QueryName>
+			<QueryName name="Level=0,Desc=Suspicious TLD .ninja DNS Query" condition="end with">.ninja</QueryName>
+			<QueryName name="Level=0,Desc=Suspicious TLD .rocks DNS Query" condition="end with">.rocks</QueryName>
+			<QueryName name="Level=0,Desc=Top TLD DNS Query" condition="end with">.top</QueryName>
+			<QueryName name="Level=0,Desc=Ukraine TLD DNS Query" condition="end with">.ua</QueryName>
+			<QueryName name="Level=0,Desc=XYZ TLD DNS Query" condition="end with">.xyz</QueryName>
 			<!--Malware Domains-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Suspicious Domain,Risk=20" groupRelation="and">
 				<QueryName condition="contains any">kuternull.com;rimrun.com;0ffice36o;asushotfix;infestexe;rahasn.webhop.org;rahasn.akamake.net;rahasn.homewealth.biz;winodwsupdates;israirairlines</QueryName>
 			</Rule>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">githubusercontent.com;github.com</QueryName> 
+			<QueryName name="Level=0,Desc=DNS Query to Github,Risk=20" condition="contains any">githubusercontent.com;github.com</QueryName> 
 			<!--Common Suspicious destinations-->
 			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=0,Desc=Malware IP Check,Risk=30" condition="contains any">api.ipify.org;whatismyipaddress.com;edns.ip-api.com;checkip.dyndns.org;icanhazip.com;ifconfig.me;ifconfig.co;ipaddress.com;ipecho.net;ident.me;api.ip.sb;www.myexternalip.com;ip.anysrc.net;wtfismyip.com;myexternalip.com;ipecho.net;checkip.amazonaws.com;goo.gl;git.io;bit.ly;ow.ly;ip-api.com</QueryName> <!--Malware uses to get external IP address-->
 			<!-- Malicious/Suspicious hosting domains-->
@@ -5736,28 +5736,28 @@
 			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=3,Alert=Dynamic DNS Query" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</QueryName>
 			<QueryName name="Attack=T1188,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=4,Alert=Tor2Web,Risk=100" condition="contains any">darknet.to;hiddenservice.net;onion.cab;onion.city;onion.direct;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org</QueryName>
 			<QueryName name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=DNS Over HTTPS Detected" condition="contains any">adblock.mydns.network;ibksturm.synology.me;jcdns.fun;ibuki.cgnat.net;dns.twnic.tw;commons.host;doh.dnswarden.com;dns-nyc.aaflalo.me;dns.aaflalo.me;doh.appliedprivacy.net;doh.captnemo.in;doh.tiar.app;doh.tiarap.org;doh.defaultroutes.de;doh.dns.sb;dns.oszx.co;2.dnscrypt-cert.oszx.co;dnscrypt;edns.233py.com;hk-dns.233py.com;hk2dns.233py.com;hkdns.233py.com;hkdns.233py.com;ndns.233py.com;sdns.233py.com;wdns.233py.com;pastebin.com;dns.adguard.com;dns-family.adguard.com;security-filter-dns.cleanbrowsing.org;family-filter-dns.cleanbrowsing.org;adult-filter-dns.cleanbrowsing.org;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;dns.google;doh.opendns.com;dns.quad9.net;dns9.quad9.net;dns10.quad9.net;dns11.quad9.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;doh-ch.blahdns.com;doh-de.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;doh-2.seby.io;doh.seby.io;rdns.faelix.net;doh.li;doh.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">gc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_kerberos._tcp.dc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_kerberos._udp.dc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">wpad</QueryName>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
+			<QueryName name="Level=0,Desc=DC Global Catalog Lookup" condition="begin with">gc._msdcs.</QueryName>
+			<QueryName name="Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._tcp.dc._msdcs.</QueryName>
+			<QueryName name="Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._udp.dc._msdcs.</QueryName>
+			<QueryName name="Level=0,Desc=Primary DC Lookup" condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
+			<QueryName name="Level=0,Desc=Web Proxy Auto-Discovery Protocol Lookup" condition="begin with">wpad</QueryName>
+			<Rule name="Level=3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
 				<QueryName condition="begin with">_ldap.</QueryName>
 				<Image condition="excludes">C:\Windows\</Image>
 				<Image condition="excludes">unknown process</Image>
 				<Image condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</Image>
 			</Rule>
 			<!--
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  28</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  5</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  15</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  2</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  12</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  6</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  99</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  33</QueryResults>
+			<QueryResults name="Level=0,Desc=AAAA Lookup" condition="begin with">type:  28</QueryResults>
+			<QueryResults name="Level=0,Desc=CNAME Lookup" condition="begin with">type:  5</QueryResults>
+			<QueryResults name="Level=0,Desc=MX Lookup" condition="begin with">type:  15</QueryResults>
+			<QueryResults name="Level=0,Desc=Name Server" condition="begin with">type:  2</QueryResults>
+			<QueryResults name="Level=0,Desc=PTR Lookup" condition="begin with">type:  12</QueryResults>
+			<QueryResults name="Level=0,Desc=SOA Lookup" condition="begin with">type:  6</QueryResults>
+			<QueryResults name="Level=0,Desc=SPF Lookup" condition="begin with">type:  99</QueryResults>
+			<QueryResults name="Level=0,Desc=SRV Lookup" condition="begin with">type:  33</QueryResults>
 			-->
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
+			<Image name="Information=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
 		</DnsQuery>
 	</RuleGroup>
 	<RuleGroup name="RG=DNS Query Excludes" groupRelation="or">
@@ -6029,7 +6029,7 @@
 	<!--SYSMON EVENT ID 25 : Process tampering events-->
 	<RuleGroup name="RG=Process Tampering Includes" groupRelation="or">
 		<ProcessTampering onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Process Tampering Detected" groupRelation="and">
 				<Image condition="contains any">.;&gt;;unknown;anonymous</Image>
 				<Image condition="excludes">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
 				<Image condition="excludes">C:\Program Files (x86)\Symantec\</Image>
@@ -6040,7 +6040,7 @@
 	</RuleGroup>
 	<RuleGroup name="RG=Process Tampering Excludes" groupRelation="or">
 		<ProcessTampering onmatch="exclude">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=exclude common noise" groupRelation="and">
 				<Image condition="contains any">\BHO\ie_to_edge_stub.exe;\Microsoft\Teams\;\Vivaldi\Application\;Google\Chrome\;Google\Update;BraveSoftware\Brave-Browser\;Edge\Application\;EdgeUpdate\Install\;Program Files\SmartGit\</Image>
 			</Rule>
 		</ProcessTampering>
@@ -6060,35 +6060,35 @@
 	<!--SYSMON EVENT ID 27 : FILE BLOCK [FileBlockExecutable]-->
 	<RuleGroup name="RG=ImageBlock Include Group" groupRelation="or">
 		<FileBlockExecutable onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Block Office from Creating Executables" groupRelation="and">
 				<Image condition="contains any">OUTLOOK.exe;WINWORD.exe;EXCEL.EXE;powerpnt.exe;msaccess.exe;mspub.exe;eqnedt32.exe;visio.exe;wordpad.exe;wordview.exe;msohtmed.exe;lync.exe;teams.exe</Image>
 				<TargetFilename condition="excludes any">:\Program Files\Microsoft Office\;:\Program Files (x86)\Microsoft Office\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Block Web Servers from creating binary files" groupRelation="and">
 				<Image condition="contains any">w3wp.exe;tomcat;apache;nginx;httpd</Image>
 				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Block Powershell from downloading EXE" groupRelation="and">
 				<Image condition="contains any">powershell.exel;powershell_ise.exe</Image>
 				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename>
 				<TargetFilename condition="contains any">.pdf;.doc;.xls;.doc;.ppt;.txt;.rtf;.htm;.iso;.zip;.rar;.7z</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
+			<Rule name="Level=0,Desc=Block PSexec and PSEXESVC from Dropping binaries" groupRelation="or">
 				<Image condition="contains any">psexesvc</Image>
 				<Image condition="contains any">psexec</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
+			<Rule name="Level=0,Desc=Block wmiprvse.exe from Dropping binaries" groupRelation="or">
 				<Image condition="is">wmiprvse.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Block executables from writing to Users\Public" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
 				<TargetFilename condition="excludes any">amdsfhdcd.bin</TargetFilename>
 				<Image condition="excludes any">intuit</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
+			<Rule name="Level=0,Desc=Block LOLbins that drop files" groupRelation="and">
 				<Image condition="contains any">AcroRd32.exe;notepad.exe;mshta.exe;hh.exe;certutil.exe;certoc.exe;certreq.exe;desktopimgdownldr.exe;esentutl.exe;finger.exe;presentationhost.exe;cscript.exe;wscript.exe;mspaint.exe;RdrCEF.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1311,Technique=User Execution: Malicious File,Tactic=Execution,Level=4,Alert=Malicious File Detection,Author=Florian Roth" groupRelation="or">

From ca5c12e1f5a0ea3b23dd6c77b004894a93e03dbf Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 23 Sep 2022 13:14:00 -0400
Subject: [PATCH 365/471] Renove

---
 sysmonconfig-cyberkryption.xml | 6208 --------------------------------
 1 file changed, 6208 deletions(-)
 delete mode 100644 sysmonconfig-cyberkryption.xml

diff --git a/sysmonconfig-cyberkryption.xml b/sysmonconfig-cyberkryption.xml
deleted file mode 100644
index 0e7633fa..00000000
--- a/sysmonconfig-cyberkryption.xml
+++ /dev/null
@@ -1,6208 +0,0 @@
-<!--
-	   ____                           ___ ________________    _______ __
-	  / __/_ _____ __ _  ___  ___    / _ /_  __/_  __/ __/___/ ___/ //_/
-	 _\ \/ // (_-</  ' \/ _ \/ _ \  / __ |/ /   / /  > _/_ _/ /__/ ,<   
-	/___/\_, /___/_/_/_/\___/_//_/ /_/ |_/_/   /_/  |_____/ \___/_/|_|  
-		/___/                                                           
-	author:	ionstorm
-	project:	https://github.com/ion-storm/sysmon-config
-	license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
-	Methodology: Detect the Most Techniques per Data source in MITRE ATT&CK.
-				 Provide Visibility into Forensic Artifact Events for UEBA.
-				 Detect Exploitation events with wide CVE Coverage.
-				 Risk Scoring of CVE, UEBA, Forensic, MITRE ATT&CK Events.
-				 
-				 Primary Tags:
-				 Attack: Mitre ATT&CK Identifier
-				 Technique: Mitre ATT&CK Technique
-				 Tactic: Mitre ATT&CK Tactic
-				 Alert: Alert Text for SIEM/XDR
-				 Info: Informational Alert Text
-				 Level: The level field contains one of five string values. It describes the criticality of a triggered rule. 
-				 While low and medium level events have an informative character, events with high and critical level should 
-				 lead to immediate reviews by security analysts.
-				 Desc: Description of non-alerting UEBA/Behavioral Based Rules
-				 Forensic: Forensic Artifacts
-				 CVE: CVE Vulnerability Identification
-				 FP: False Positive Rate
-				 Author: Author of rule
-				 
-				 Additional Tag Details:
-				 Rapid Response Tags: (for EDR/XDR/SIEM Response & Automation)
-				 kp=y 	Kill process with child processes
-				 kpp=y 	Kill Parent Processes & all Child Processes
-				 kc=y    Kill network connections
-				 ki=y    Kill Injected Thread
-				 sd=y 	Shutdown System
-				 fw=y	Add Windows Firewall Rule to block inbound/outbound network connectivity from process
-				 yara=y  Yara Scan file
-				 ydel=y  Delete on Yara Detection
-				 rf=y    Restore Deleted File
-				 nr=y 	Null route ip
-				 iso=y Isolate Host
-				 SD=y Service Desk Ticket
-				 SOC=y SOC Ticket Creation
-				 
-				 Risk Score ratings: (Risk=??)
-				 Low Risk: 1-39
-				 Medium Risk: 40-69
-				 High Risk: 70-89
-				 Critical Risk: 90-100
-				 
-				 Levels: (from Sigma)
-				 (0) informational: Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered 
-				 by such rules because it is expected that a huge amount of events will match these rules.
-				 (1) low: Notable event but rarely an incident. Low rated events can be relevant in high numbers or combination with others. 
-				 Immediate reaction shouldn't be necessary, but a regular review is recommended.
-				 (2) medium: Relevant event that should be reviewed manually on a more frequent basis.
-				 (3) high: Relevant event that should trigger an internal alert and requires a prompt review.
-				 (4) critical: Highly relevant event that indicates an incident. Critical events should be reviewed immediately.
-				 
-				 False Positive Rates: (FP=?)
-				 (0) Zero False Positives rate
-				 (1) Some False Positives rate
-				 (2) Medium False Positive rate
-				 (3) High False Positive rate
-				 
-				 Properly Escape in XML:
-				 < &lt;
-				 > &gt;
-				 " &quot;
-				 ' &apos;
-				 & &amp;
-				 
-				 Other Notes:
-				 The Rulename field has a hard limit of 255 characters, make the best of the size available, shorten tags and descriptions as needed.
-				 Add exclusions in line enclosed within a Compound rule rather than a global exclusion list.
--->
-<Sysmon schemaversion="4.82">
-	<HashAlgorithms>md5,sha256,imphash</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
-	<CheckRevocation/>
-	<EventFiltering>
-	<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
-	<RuleGroup name="RG=ProcessCreate Include Group" groupRelation="or">
-		<ProcessCreate onmatch="include">
-			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
-			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,Level=3,Alert=Nessus Scan Detected,Risk=100" groupRelation="or">
-				<ParentCommandLine condition="contains any">TEMP\nessus_;nessus_task_list</ParentCommandLine>
-				<CommandLine condition="contains any">TEMP\nessus_;nessus_task_list</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
-				<CommandLine condition="contains any">rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe</CommandLine>
-				<OriginalFileName condition="is any">advanced_port_scanner.exe;rcpping.exe;nc.exe;nc64.exe;netcat.exe;ncat.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe</OriginalFileName>
-				<Product condition="contains any">Network Scanner;Advanced IP Scanner</Product>
-			</Rule>
-			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=4,Alert=ADFind.exe Discovery,Risk=100" groupRelation="or">
-				<OriginalFileName condition="contains">adfind</OriginalFileName>
-				<Product condition="contains">adfind</Product>
-				<CommandLine condition="contains any">-gcb -sc;/gcb /sc;-f (objectcategory=;/f (objectcategory=;trustdmp</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
-
-			<!--MITRE ATT&CK TACTIC: Resource Development-->
-			<Rule name="Attack=T1587,Technique=Develop Capabilities,Tactic=Resource Development,Alert=PurpleSharp Indicator,Risk=40" groupRelation="or">
-				<CommandLine condition="contains any">PurpleSharp;xyz123456</CommandLine> 
-				<OriginalFileName condition="contains any">PurpleSharp</OriginalFileName> 
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
-			<CommandLine name="Attack=T1584.002,Technique=Compromise Infrastructure: DNS Server,Tactic=Resource Development,Level=4,Alert=DNSCMD DLL exec" condition="contains">/serverlevelplugindll</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
-			<Rule name="Attack=T1587.003,Technique=Develop Capabilities: Digital Certificates,Tactic=Resource Development,Alert=netsh adding SSL Certificate,Risk=40" groupRelation="and">
-				<CommandLine condition="contains all">add;sslcert;http</CommandLine> 
-			</Rule>
-			<CommandLine name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Level=3,Alert=netsh removing SSL Certificate,Risk=40" condition="contains">http del sslcert</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
-
-			<!--MITRE ATT&CK TACTIC: Initial Access-->
-			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Executed files within Outlook Attachments,Risk=30" groupRelation="and">
-				<Image condition="contains">C:\Users\</Image>
-				<Image condition="contains">Content.Outlook</Image>
-			</Rule>
-			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Arbitrary Shell Command Execution Via Settingcontent-Ms,Risk=30" groupRelation="and">
-				<CommandLine condition="contains">.SettingContent-ms</CommandLine>
-				<CommandLine condition="excludes">immersivecontrolpanel</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Double File Extension,Risk=100" groupRelation="or">
-				<Image condition="end with">.doc.exe</Image>
-				<Image condition="end with">.docx.exe</Image>
-				<Image condition="end with">.docx.exe</Image>
-				<Image condition="end with">.xls.exe</Image>
-				<Image condition="end with">.xlsx.exe</Image>
-				<Image condition="end with">.ppt.exe</Image>
-				<Image condition="end with">.pptx.exe</Image>
-				<Image condition="end with">.rtf.exe</Image>
-				<Image condition="end with">.pdf.exe</Image>
-				<Image condition="end with">.txt.exe</Image>
-				<Image condition="end with">      .exe</Image>
-				<Image condition="end with">______.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Suspicious HWP Sub Processes,Risk=70" groupRelation="and">
-				<ParentImage condition="image">Hwp.exe</ParentImage>
-				<Image condition="image">gbb.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,CVE=CVE-2020-1350,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
-				<ParentCommandLine condition="contains all">svchost.exe;termsvcs</ParentCommandLine>
-				<Image condition="excludes any">rdpclip.exe;csrss.exe;wininit.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,CVE=CVE-2020-1350,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
-				<ParentImage condition="image">dns.exe</ParentImage>
-				<Image condition="excludes any">werfault.exe;conhost.exe;dnscmd.exe;dns.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1190,Tactic=Initial Access,Technique=Exploit Public-Facing Application,CVE=CVE-2019-0708,Level=4,Alert=Terminal Service Process Spawn,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">UMWorkerProcess.exe;UMService.exe</ParentImage>
-				<CommandLine condition="excludes any">perfenabled</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1190,Tactic=Initial Access,Technique=Exploit Public-Facing Application,CVE=CVE-2021-26857,Level=4,Alert=HAFNIUM APT Exchange UMS Process,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">UMWorkerProcess.exe;UMService.exe</ParentImage>
-				<CommandLine condition="excludes any">perfenabled</CommandLine>
-				<Image condition="excludes any">wemgr.exe;werfault.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=wwwroot Web Server Exploitation Detected,Risk=100" groupRelation="and">
-				<Image condition="contains any">\wwwroot\</Image>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Atlassian Confluence Remote Exploit,Risk=100,CVE=CVE-2021-26084" groupRelation="and">
-				<ParentImage condition="end with">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
-				<CommandLine condition="contains any">cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Generic Java Webapp Remote Exploit,Risk=100" groupRelation="and">
-				<ParentImage condition="image">\jre\bin\java.exe</ParentImage>
-				<Image condition="contains any">cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe</Image>
-				<!--Allow Confluence Rule to fire-->
-				<ParentImage condition="excludes">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Generic Java keytool Exploit,Risk=100" groupRelation="and">
-				<ParentImage condition="image">keytool.exe</ParentImage>
-				<Image condition="contains any">cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Apache Spark Exploit,CVE=CVE-2022-33891,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">bash.exe;cmd.exe;powershell.exe;pwsh.exe</ParentImage>
-				<CommandLine condition="contains any">id -Gn `;id /Gn `;id -Gn ';id /Gn '</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<Rule name="Attack=T1133,Technique=External Remote Services,Tactic=Initial Access,Level=2,Alert=Screenconnect Remote Access,Risk=50" groupRelation="and">
-				<CommandLine condition="contains all">e=Access&amp;;y=Guest&amp;;&amp;p=;&amp;c=;&amp;k=</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
-			
-			<!--MITRE ATT&CK TACTIC: Execution-->
-			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,Level=3,Alert=WMI Execution Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains all">process;call;create</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,Level=3,Alert=Suspicious WMIC Commands,Risk=30" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains any">call set priority;call terminate;product get name;bios, get serialNumber;BIOS GET SERIALNUMBER;onboarddevice get;useraccount where name;useraccount get;path win32_networkadapter where index=;process list;useraccount get /ALL;useraccount list;qfe get description,installedOn /format:csv;process get caption,executablepath,commandline;service get name,displayname,pathname,startmode;share list;win32_share</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
-			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=Suspicious Console Host Execution Locations,Risk=30" groupRelation="and">
-				<ParentImage condition="contains any">C:\Users\;$Recycle;\Temp\;\Downloads\</ParentImage>
-				<CommandLine condition="is">\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1</CommandLine>
-				<Image condition="image">conhost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=Suspicious Console Host Parents,Risk=30" groupRelation="and">
-				<ParentImage condition="contains any">svchost.exe;lsass.exe;services.exe;smss.exe;winlogon.exe;explorer.exe;dllhost.exe;rundll32.exe;regsvr32.exe;userinit.exe;winit.exe;spoolsv.exe;wermgr.exe;csrss.exe;ctfmon.exe;werfault.exe</ParentImage>
-				<Image condition="image">conhost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=Suspicious Console Host children,Risk=30" groupRelation="and">
-				<ParentImage condition="image">conhost.exe</ParentImage>
-				<Image condition="excludes any">:\Windows\splwow64.exe;:\Windows\System32\WerFault.exe;:\Windows\System32\conhost.exe</Image>
-			</Rule>
-			<!-- Disabled for now
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,UEBA=Execution Command Line tools by user,Risk=45" groupRelation="and">
-				<Image condition="contains any">\cmd.exe;WindowsTerminal;powershell</Image>
-				<ParentImage condition="image">explorer.exe</ParentImage>
-			</Rule>
-			-->
-			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,UEBA=Powershell as cmd.exe child process,Risk=39" groupRelation="and">
-				<ParentImage condition="image">cmd.exe</ParentImage>
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-				<CommandLine condition="excludes">Get-ItemProperty HKLM:\software\wow6432node\microsoft\windows\currentversion\uninstall\</CommandLine>
-				<CommandLine condition="excludes">mysql server</CommandLine>
-				<CommandLine condition="excludes">select-object displayversion,displayname</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,Level=3,Alert=Powershell ran from Scripting Utilities,Risk=50" groupRelation="and">
-				<ParentImage condition="contains any">cscript.exe;wscript.exe</ParentImage>
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,Level=3,Alert=Powershell ran from cscript or wscript,Risk=50" groupRelation="and">
-				<ParentImage condition="contains any">cscript.exe;wscript.exe</ParentImage>
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=4,Alert=Powershell Launched from mshta,Risk=100" groupRelation="and">
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-				<ParentImage condition="image">mshta.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Visual Basic,Tactic=Execution,UEBA=Suspicious WSCRIPT Command Line,Risk=50" groupRelation="and">
-				<Image condition="contains any">wscript.exe;cscript.exe</Image>
-				<CommandLine condition="excludes any">IEX;Net.WebClient;ospp.vbs;powershell;slmgr.vbs;spiceworks_upload</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=2,Alert=Suspicious wscript commands,Risk=60" groupRelation="and">
-				<Image condition="image">wscript.exe</Image>
-				<CommandLine condition="contains">.jse</CommandLine>
-				<CommandLine condition="contains">.js</CommandLine>
-				<CommandLine condition="contains">.vba</CommandLine>
-				<CommandLine condition="contains">.vbe</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=2,Alert=cscript execution,Risk=60" groupRelation="and">
-				<Image condition="image">cscript.exe</Image>
-				<CommandLine condition="contains">.js</CommandLine>
-				<CommandLine condition="contains">.jse</CommandLine>
-				<CommandLine condition="contains">.vba</CommandLine>
-				<CommandLine condition="contains">.vbe</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=4,Alert=Suspicious or Malicious mshta exec,Risk=70" groupRelation="and">
-				<CommandLine condition="contains any">mshta vbscript:CreateObject("Wscript.Shell");mshta vbscript:Execute("Execute;mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe;javascript:a=</CommandLine>
-				<CommandLine condition="contains any">.jpg;.png;.lnk;.xls;.doc;.zip;.sct;.hta</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1059.003,Technique=Scripting,Tactic=Execution,Level=4,Alert=Possible WinNTI Malware,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">C:\Windows\Temp\hpqhvind.exe;C:\ProgramData\DRM\;Test.exe</ParentImage>
-				<Image condition="contains any">C:\ProgramData\DRM;wmplayer.exe;C:\ProgramData\DRM\CLR\CLR.EXE</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,UEBA=Registry Editor Opened by user,Risk=70" groupRelation="and">
-				<Image condition="image">regedit.exe</Image>
-				<ParentImage condition="image">explorer.exe</ParentImage>
-			</Rule>
-			<!-- Disabled for now
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Generic User Execution,Risk=1" groupRelation="and">
-				<ParentImage condition="image">explorer.exe</ParentImage>
-			</Rule>
-			-->
-			<Rule name="UEBA=Unusual Child Process,Risk=30" groupRelation="and">
-				<Image condition="is any">svchost.exe;taskhostw.exe;userinit.exe;smss.exe;csrss.exe;wininit.exe;winlogon.exe;lsass.exe;logonui.exe;services.exe</Image>
-				<Image condition="contains any">C:\windows\System32\;C:\windows\syswow64\</Image>
-				<ParentImage condition="excludes any">wininit.exe;winlogon.exe;services.exe;dwm.exe;System;smss.exe;svchost.exe</ParentImage>
-			</Rule>
-			<Rule name="UEBA=Unusual Print Spooler Child Process,Risk=30" groupRelation="and">
-				<ParentImage condition="contains any">\spoolsv.exe;\PrintIsolationHost.exe</ParentImage>
-				<Image condition="excludes any">C:\Windows\System32\spoolsv.exe;\GPLGS\gswin32c.exe;C:\Windows\System32\spool\drivers\;\bin\gswin64c.exe;C:\PROGRA~2\CUTEPD~1\;C:\Windows\EEFPrinter.exe</Image>
-				<CommandLine condition="excludes any">C:\Windows\system32\spool\DRIVERS</CommandLine>
-				<Company condition="excludes any">Brother Industries;Thomson Reuters</Company>
-			</Rule>
-			<ParentCommandLine name="Attack=T1059.001,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=4,Alert=Metasploit Detection,Risk=90" condition="contains">COMSPEC</ParentCommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">ScriptFile</CommandLine>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\7z</CommandLine><!-- exec from 7zip -->
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\Temp1_</CommandLine><!-- exec from explorer -->
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">\AppData\Local\Temp\Rar$</CommandLine><!-- exec from winrar -->
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
-			<Rule name="Attack=T1059.001,Technique=Scripting,Tactic=Execution,Level=3,Alert=Powershell Launched from users folder,Risk=60" groupRelation="and">
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-				<ParentImage condition="begin with">C:\users\</ParentImage>
-				<ParentImage condition="excludes">Microsoft VS Code\Code.exe</ParentImage>
-				<ParentImage condition="excludes">\Deployment tool extract\setupodt.exe</ParentImage>
-			</Rule>
-			<CommandLine name="Attack=T1059.001,Technique=PowerShell,Tactic=Execution,Level=4,Alert=invoke-shellcode,Risk=100" condition="contains">Shellcode</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
-			<Image name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">python.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
-			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,Level=3,Alert=JAVA DLL exec" condition="contains">-agentpath:</CommandLine>
-			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,Level=3,Alert=JAVA DLL exec" condition="contains">-agentlib:</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Browser Exploitation Detected,Risk=90" groupRelation="and">
-				<ParentImage condition="contains any">iexplore.exe;chrome.exe;firefox.exe;browser_broker.exe;vivaldi.exe;microsoftedge.exe;microsoftedgecp.exe;brave.exe;vivaldi.exe</ParentImage>
-				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
-				<ParentCommandLine condition="excludes any">apt-config</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Office Exploitation Detection,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe</ParentImage>
-				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
-				<CommandLine condition="excludes all">.cmd;-</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\system32\spool\DRIVERS\</CommandLine>
-				<CommandLine condition="excludes">PhotoViewer.dll</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Alert=Office Spawning exe within: User Home Dirs,Risk=80" groupRelation="and">
-				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe</ParentImage>
-				<Image condition="begin with">C:\Users\</Image>
-				<Image condition="end with">.exe</Image>
-				<Product condition="excludes">Zoom Video</Product>
-				<Product condition="excludes">Firefox</Product>
-				<Product condition="excludes">Microsoft Edge</Product>
-				<Product condition="excludes">Microsoft Teams</Product>
-				<Image condition="excludes">GrammarlyAddInSetupe</Image>
-				<Image condition="excludes">Teams.exe</Image>
-				<Image condition="excludes">Zoom.exe</Image>
-				<Image condition="excludes">browser_broker.exe</Image>
-				<Image condition="excludes">chrome.exe</Image>
-				<Image condition="excludes">edge.exe</Image>
-				<Image condition="excludes">firefox.exe</Image>
-				<Image condition="excludes">iexplore.exe</Image>
-				<Image condition="excludes">vivaldi.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Info=Office Spawning exe within: ProgramData,Risk=70" groupRelation="and">
-				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe</ParentImage>
-				<Image condition="begin with">C:\ProgramData\</Image>
-				<Product condition="excludes">Firefox</Product>
-				<Product condition="excludes">Microsoft Edge</Product>
-				<Product condition="excludes">Microsoft Teams</Product>
-				<Product condition="excludes">Zoom Video</Product>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Adobe Exploitation Detection,Risk=80" groupRelation="and">
-				<ParentImage condition="contains any">acrobat.exe;acrord32.exe</ParentImage>
-				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Web Server Exploitation Detected,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">apache;w3wp.exe;php-cgi.exe;nginx.exe;httpd.exe;tomcat;php.exe</ParentImage>
-				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Web Server Spawned cmd shell,Risk=100" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>				
-				<CommandLine condition="excludes any">ping 127.0.0.1</CommandLine>				
-				<CurrentDirectory condition="is">c:\windows\system32\inetsrv\</CurrentDirectory>				
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=SQL Server Exploitation Detected,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">sqlservr</ParentImage>
-				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;sh.exe;bash.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office MSHTML Exploit,Risk=100,CVE=CVE-2021-40444" groupRelation="and">
-				<ParentImage condition="contains any">winword.exe;powerpnt.exe;excel.exe</ParentImage>
-				<Image condition="is">control.exe</Image>
-				<CommandLine condition="excludes any">input.dll</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Follina msdt Exploit,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<Image condition="is">msdt.exe</Image>
-				<OriginalFileName condition="is">msdt.exe</OriginalFileName>
-				<CommandLine condition="contains all">BrowseForFile=;PCWDiagnostic</CommandLine>
-				<CommandLine condition="contains any">/af;-af</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=msdt via answer file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<Image condition="is">msdt.exe</Image>
-				<ParentImage condition="is not">pcwrun.exe</ParentImage>
-				<CommandLine condition="contains">PCWDiagnostic</CommandLine>
-				<CommandLine condition="contains any">/af;-af</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=msdt via diagcab file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<Image condition="is">msdt.exe</Image>
-				<CommandLine condition="contains any">/cab;-cab</CommandLine>
-				<CommandLine condition="contains">.diagcab</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=MSDT Executed with Suspicious Parent,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<ParentImage condition="contains any">powershell.exe;pwsh.exe;cmd.exe;mshta.exe;cscript.exe;wscript.exe;wsl.exe;rundll32.exe;regsvr32.exe</ParentImage>
-				<Image condition="is">msdt.exe</Image>
-			</Rule>
-			<ParentImage condition="image" name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Exploit - Equation Editor starts application,CVE=CVE-2017-11882">EQNEDT32.EXE</ParentImage> <!-- https://app.any.run/tasks/dfea0112-6fbe-4091-9161-1e8f25f611b0/-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=EPS Processing 0day,Risk=100,CVE=CVE-2017-0261" groupRelation="and">
-				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</ParentImage>
-				<Image condition="is">FLTLDR.EXE</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
-			<CommandLine name="Attack=T1559.002,Technique=Dynamic Data Exchange,Tactic=Execution" condition="contains any">/dde;-dde</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Native API-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=2,Alert=Scheduled Task Created,Risk=100" groupRelation="and">
-				<Image condition="image">schtasks.exe</Image>
-				<CommandLine condition="contains any">/create;-create;/change;-change</CommandLine>
-				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
-			</Rule>
-			<OriginalFileName name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=2,Alert=Scheduled Task Created,Risk=1" condition="is">taskeng.exe</OriginalFileName>
-			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=0,Desc=Schtasks task Run,Risk=60" groupRelation="and">
-				<Image condition="image">schtasks.exe</Image>
-				<CommandLine condition="contains any">/Run;-run</CommandLine>
-				<CommandLine condition="excludes">Sentinel\AutoRepair</CommandLine>
-				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,Level=2,Alert=Child process from schtasks" groupRelation="and">
-				<ParentImage condition="image">schtasks.exe</ParentImage>
-			</Rule>
-			<Image name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</Image>
-			<ParentImage name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</ParentImage>
-			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=0,Desc=Scheduled Task Started,Risk=0" groupRelation="and">
-				<ParentImage condition="image">C:\Windows\System32\svchost.exe</ParentImage>
-				<ParentCommandLine condition="contains all">netsvcs;-p;-s;Schedule</ParentCommandLine>
-				<CommandLine condition="excludes all">netsvcs;-p;-s;Schedule</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: System Services-->
-			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution,Level=0,Desc=Service Stop detected,Risk=0" groupRelation="and">
-				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
-				<CommandLine condition="contains">stop</CommandLine>
-				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution,Level=0,Desc=NET.EXE Service Start detected,Risk=30" groupRelation="and">
-				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
-				<CommandLine condition="contains">start</CommandLine>
-				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=3,Alert=Impacket Detection 1,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">wmiprvse.exe;mmc.exe;explorer.exe;services.exe</ParentImage>
-				<CommandLine condition="contains all">&#38;1;cmd.exe;\\127.0.0.1\;/Q /c</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=3,Alert=Impacket Detection 2,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">wmiprvse.exe;mmc.exe;explorer.exe;services.exe</ParentImage>
-				<CommandLine condition="contains all">&#38;1;cmd.exe;\\127.0.0.1\;-Q -c</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PowerSploit/Empire Persistence,Risk=100" groupRelation="and">
-				<CommandLine condition="contains all">schtasks;Create;ONLOGON;TN;Updater;TR;powershell</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence/Privilege Escalation,Level=2,Alert=Service added via SC,Risk=100" groupRelation="and">
-				<Image condition="image">sc.exe</Image>
-				<CommandLine condition="contains">create</CommandLine>
-				<CurrentDirectory condition="excludes any">\NIC_Emulex_Firmware\;C:\Windows\Temp\ExchangeSetup\</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence/Privilege Escalation,Level=2,Alert=Service binpath modification,Risk=100" groupRelation="and">
-				<Image condition="image">sc.exe</Image>
-				<CommandLine condition="contains all">config;binpath</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Privilege Escalation,Level=3,Alert=Shell as System Service,Risk=100" groupRelation="and">
-				<Image condition="contains any">cmd.exe;powershell.exe</Image>
-				<ParentImage condition="image">services.exe</ParentImage>
-			</Rule>
-			<CommandLine name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence,Level=2,Alert=Service added via Powershell,Risk=50" condition="contains">new-service</CommandLine>
-			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSEXESVC Child Process,Risk=100" condition="image">psexesvc.exe</ParentImage>
-			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec Execution,Risk=100" groupRelation="or">
-				<Description condition="contains">Execute processes remotely</Description>
-				<Image condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
-				<Description condition="contains">PsExec Service</Description> 
-				<Description condition="contains">PsExec Launched</Description> 
-			</Rule>
-			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=Sysinternals Initial Tool Execution,Risk=100" groupRelation="or">
-				<CommandLine condition="contains">accepteula</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec SYSTEM Execution,Risk=100" groupRelation="and">
-				<Description condition="contains">Execute processes remotely</Description>
-				<CommandLine condition="contains any">-s;/s</CommandLine>
-			</Rule>
-			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec Child Process,Risk=100" condition="image">psexec.exe</ParentImage>
-			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=2,Alert=PSKill Execution,Risk=100" condition="image">pskill.exe</ParentImage>
-			<Image name="Attack=T1035,Technique=Service Execution,Tactic=Execution,Level=2,Alert=PsKill Command" condition="contains">pskill</Image><!--Detect pskill-->
-			<Rule name="Attack=T1569.002,Technique=System Services,Tactic=Execution,Level=3,Alert=Remote Procedure Call Service Anomaly,Risk=75" groupRelation="and">
-				<ParentCommandLine condition="contains all">C:\WINDOWS\system32\svchost.exe;RPCSS</ParentCommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=AstraRoth Command Line detection" groupRelation="and">
-				<CommandLine condition="contains">&amp;&amp; type</CommandLine>
-				<CommandLine condition="contains">&gt;</CommandLine>
-				<CommandLine condition="contains">cmd.exe" /c cd</CommandLine>
-			</Rule>
-			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=3,Alert=Suspicious or Malicious Command Line events" groupRelation="and">
-				<CommandLine condition="contains any">ntdsutil;/set {default} recoveryenabled no;telnet ;-dumpcr;putty;bash.exe;pssh;shareenum;sekurlsa;reg save;reg  save;psscan;shellexec;vbscript:createobject;/output:clipboard;root\\default;root\\subscription;Wmiclass;WmiCl'+'as'+'s</CommandLine>
-			</Rule>
-			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Powershell Suspicious or Malicious events" groupRelation="or">
-				<CommandLine condition="contains any">ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy</CommandLine>
-				<ParentCommandLine condition="contains any">ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy</ParentCommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Ramnit Banker Malware,Risk=100" condition="contains">--disable-http2 --disable-quic</CommandLine>
-			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=DNSpionage Link click,Risk=100" condition="contains">/Client/Login?id=</CommandLine>
-			<ParentCommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=4,Alert=Emotet Child Process Detected" condition="contains">JABzA</ParentCommandLine>
-			<!--Suspicious/Malicious Hash Detection-->
-			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Malicious Hash Detected" groupRelation="or">
-				<Hashes condition="contains any">2f40abbb4f78e77745f0e657a19903fc953cc664;478dc5a5f934c62a9246f7d1fc275868f568bc07;37b4496e650b3994312c838435013560b3ca8571;37b4496e650b3994312c838435013560b3ca8571;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;807d86da63f0db1fc746d1f0b05bc357;849a2b0dc80aeca3d175c139efe5221c;86A4CAC227078B9C95C560C8F0370BF0;98908ce6f80ecc48628c8d2bf5b2a50c;a4b42c2c95d1f2ff12171a01c86cd64f;4abe604916c04fe3dd8b9cb3d501d3f;eac3e3ece94bc84e922ec077efb15edd;128CECC59C91C0D0574BC1075FE7CB40;88777aacd5f16599547926a4c9202862;0f49621b06f2cdaac8850c6e9581a594;17a36ac3e31f3a18936552aff2c80249;322cb39bc049aa69136925137906d855;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;3d129263f6a48647f103a04446fb0c2f;37cd353621b0f4fc6981b50071c94f01;1b60021baedc3f9201bcdb40e9b87f62;71345b139166482acaa568ac8816c7bc;5E022694C0DBD1FBBC263D608E577949;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc5733c013378fa418d13773f5bfe6f1;c579341f86f7e962719c7113943bb6e4;d326e629a90e78825645963b35e53a6a;5E022694C0DBD1FBBC263D608E577949;53841a0c6a3ff92976db08bfdf95e083;dc7e564809d6c2a2f3457c3c9b91f22b;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b;FE2CA1BE3BDA2A757036A89E54CC02DB;FE2CA1BE3BDA2A757036A89E54CC02DB</Hashes>
-			</Rule>
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=4,Alert=TajMahal APT Tool Detection,Risk=100" condition="contains any">22d142f11cf2a30ea4953e1fffb0fa7e;2317d65da4639f4246de200650a70753;27612cb03c89158225ca201721ea1aad;412956675fbc3f8c51f438c1abc100eb;daf2da52475fd8981b19ec3c321a983c;490a140093b5870a47edc29f33542fd2;51a7068640af42c3a7c1b94f1c11ab9d;533340c54bd25256873b3dca34d7f74e;684eca6b62d69ce899a3ec3bb04d0a5b;69a19abf5ba56ee07cdd3425b07cf8bf;6cfd131fef548fcd60fbcdb59317df8e;72dc98449b45a7f1ccdef27d51e31e91;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;80c37e062aa4c94697f287352acf2e9d;815f1f8a7bc1e6f94cb5c416e381a110;a43d3b31575846fa4c3992b4143a06da;08e82dc7bae524884b7dc2134942aadb;7bcd736a2394fc49f3e27b3987cce640;57314359df11ffdf476f809671ec0275;b72737b464e50aa3664321e8e001ff32;ce8ce92fb6565181572dce00d69c24f8;5985087678414143d33ffc6e8863b887;84730a6e426fbd3cf6b821c59674c8a0;d5377dc1821c935302c065ad8432c0d2;d8f1356bebda9e77f480a6a60eab36bb;92f8e3f0f1f7cc49fad797a62a169acd;9003cfaac523e94d5479dc6a10575e60;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;c1e7850da5604e081b9647b58248d7e8;99828721ac1a0e32e4582c3f615d6e57;f559c87b4a14a4be1bd84df6553aaf56;b9c208ea8115232bfd9ec2c62f32d6b8;061089d8cb0ca58e660ce2e433a689b3;0e9afd3a870906ebf34a0b66d8b07435;9c115e9a81d25f9d88e7aaa4313d9a8f;520ee02668a1c7b7c262708e12b1ba6b;7bfba2c69bed6b160261bdbf2b826401;77a745b07d9c453650dd7f683b02b3ed;3a771efb7ba2cd0df247ab570e1408b2;0969b2b399a8d4cd2d751824d0d842b4;fc53f2cd780cd3a01a4299b8445f8511;4e39620afca6f60bb30e031ddc5a4330;bfe3f6a79cad5b9c642bb56f8037c43b;3dfebce4703f30eed713d795b90538b5;9793afcea43110610757bd3b800de517;36db24006e2b492cafb75f2663f241b2;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;649ef1dd4a5411d3afcf108d57ff87af;320b2f1d9551b5d1df4fb19bd9ab253a;3d75c72144d873b3c1c4977fbafe9184;b9cf4301b7b186a75e82a04e87b30fe4;b4e67706103c3b8ee148394ebee3f268;7bfbd72441e1f2ed48fbc0f33be00f24;cdb303f61a47720c7a8c5086e6b2a743;2a6f7ec77ab6bd4297e7b15ae06e2e61;8403a28e0bffa9cc085e7b662d0d5412;3ffd2915d285ad748202469d4a04e1f5;04078ef95a70a04e95bda06cc7bec3fa;235d427f94630575a4ea4bff180ecf5d;8035a8a143765551ca7db4bc5efb5dfd;cacaa3bf3b2801956318251db5e90f3c;1aadf739782afcae6d1c3e4d1f315cbd;c3e255888211d74cc6e3fb66b69bbffb;d9e9f22988d43d73d79db6ee178d70a4;16ab79fb2fd92db0b1f38bedb2f02ed8;8da15a97eaf69ff7ee184fc446f19cf1;ffc7305cb24c1955f9625e525d58aeee;c0e72eb4c9f897410c795c1b360090ef;9ad6fa6fdedb2df8055b3d30bd6f64f1;44619a88a6cff63523163c6a4cf375dd;a571660c9cf1696a2f4689b2007a12c7;81229c1e272218eeda14892fa8425883;0ac48cfa2ff8351365e99c1d26e082ad;afcdf79be1557326c854b6e20cb900a7</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" condition="contains">a53a02b997935fd8eedcb5f7abab9b9f</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" condition="contains">e96a73c7bf33a464c510ede582318bf2</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
-			<Image name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=Emotet Execution Detected,Risk=100" condition="contains">serialfunc.exe</Image>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection" groupRelation="and">
-				<CommandLine condition="contains any">e PAA;en PAA;enc PAA;enco PAA;encode PAA;encoded PAA;encodedco PAA;encodedcom PAA;encodedcomm PAA;encodedcomma PAA;encodedcomman PAA;encodedcommand PAA;e IAA;en IAA;enc IAA;enco IAA;encode IAA;encoded IAA;encodedco IAA;encodedcom IAA;encodedcomm IAA;encodedcomma IAA;encodedcomman IAA;encodedcommand IAA;e JAB;en JAB;enc JAB;enco JAB;encode JAB;encoded JAB;encodedco JAB;encodedcom JAB;encodedcomm JAB;encodedcomma JAB;encodedcomman JAB;encodedcommand JAB;e cwBFAFQA;en cwBFAFQA;enc cwBFAFQA;enco cwBFAFQA;encode cwBFAFQA;encoded cwBFAFQA;encodedco cwBFAFQA;encodedcom cwBFAFQA;encodedcomm cwBFAFQA;encodedcomma cwBFAFQA;encodedcomman cwBFAFQA;encodedcommand cwBFAFQA;e SQBFAF;en SQBFAF;enc SQBFAF;enco SQBFAF;encode SQBFAF;encoded SQBFAF;encodedco SQBFAF;encodedcom SQBFAF;encodedcomm SQBFAF;encodedcomma SQBFAF;encodedcomman SQBFAF;encodedcommand SQBFAF;e UwBFAFQA;en UwBFAFQA;enc UwBFAFQA;enco UwBFAFQA;encode UwBFAFQA;encoded UwBFAFQA;encodedco UwBFAFQA;encodedcom UwBFAFQA;encodedcomm UwBFAFQA;encodedcomma UwBFAFQA;encodedcomman UwBFAFQA;encodedcommand UwBFAFQA;e IABpAE4AdgBPAEsAZQAt;en IABpAE4AdgBPAEsAZQAt;enc IABpAE4AdgBPAEsAZQAt;enco IABpAE4AdgBPAEsAZQAt;encode IABpAE4AdgBPAEsAZQAt;encoded IABpAE4AdgBPAEsAZQAt;encodedco IABpAE4AdgBPAEsAZQAt;encodedcom IABpAE4AdgBPAEsAZQAt;encodedcomm IABpAE4AdgBPAEsAZQAt;encodedcomma IABpAE4AdgBPAEsAZQAt;encodedcomman IABpAE4AdgBPAEsAZQAt;encodedcommand IABpAE4AdgBPAEsAZQAt;e SQBmACgAJAB;en SQBmACgAJAB;enc SQBmACgAJAB;enco SQBmACgAJAB;encode SQBmACgAJAB;encoded SQBmACgAJAB;encodedco SQBmACgAJAB;encodedcom SQBmACgAJAB;encodedcomm SQBmACgAJAB;encodedcomma SQBmACgAJAB;encodedcomman SQBmACgAJAB;encodedcommand SQBmACgAJAB;e J;en J;enc J;enco J;encode J;encoded J;encodedco J;encodedcom J;encodedcomm J;encodedcomma J;encodedcomman J;encodedcommand J;e SUVY;en SUVY;enc SUVY;enco SUVY;encode SUVY;encoded SUVY;encodedco SUVY;encodedcom SUVY;encodedcomm SUVY;encodedcomma SUVY;encodedcomman SUVY;encodedcommand SUVY;e aWV4;en aWV4;enc aWV4;enco aWV4;encode aWV4;encoded aWV4;encodedco aWV4;encodedcom aWV4;encodedcomm aWV4;encodedcomma aWV4;encodedcomman aWV4;encodedcommand aWV4;e dmFy;en dmFy;enc dmFy;enco dmFy;encode dmFy;encoded dmFy;encodedco dmFy;encodedcom dmFy;encodedcomm dmFy;encodedcomma dmFy;encodedcomman dmFy;encodedcommand dmFy;e dgBhA;en dgBhA;enc dgBhA;enco dgBhA;encode dgBhA;encoded dgBhA;encodedco dgBhA;encodedcom dgBhA;encodedcomm dgBhA;encodedcomma dgBhA;encodedcomman dgBhA;encodedcommand dgBhA;e R2V0;en R2V0;enc R2V0;enco R2V0;encode R2V0;encoded R2V0;encodedco R2V0;encodedcom R2V0;encodedcomm R2V0;encodedcomma R2V0;encodedcomman R2V0;encodedcommand R2V0;e IAAgAH;en IAAgAH;enc IAAgAH;enco IAAgAH;encode IAAgAH;encoded IAAgAH;encodedco IAAgAH;encodedcom IAAgAH;encodedcomm IAAgAH;encodedcomma IAAgAH;encodedcomman IAAgAH;encodedcommand IAAgAH;e TVq;en TVq;enc TVq;enco TVq;encode TVq;encoded TVq;encodedco TVq;encodedcom TVq;encodedcomm TVq;encodedcomma TVq;encodedcomman TVq;encodedcommand TVq;e aQBIA;en aQBIA;enc aQBIA;enco aQBIA;encode aQBIA;encoded aQBIA;encodedco aQBIA;encodedcom aQBIA;encodedcomm aQBIA;encodedcomma aQBIA;encodedcomman aQBIA;encodedcommand aQBIA;e UEs;en UEs;enc UEs;enco UEs;encode UEs;encoded UEs;encodedco UEs;encodedcom UEs;encodedcomm UEs;encodedcomma UEs;encodedcomman UEs;encodedcommand UEs;e H4s;en H4s;enc H4s;enco H4s;encode H4s;encoded H4s;encodedco H4s;encodedcom H4s;encodedcomm H4s;encodedcomma H4s;encodedcomman H4s;encodedcommand H4s;e dXNpbm;en dXNpbm;enc dXNpbm;enco dXNpbm;encode dXNpbm;encoded dXNpbm;encodedco dXNpbm;encodedcom dXNpbm;encodedcomm dXNpbm;encodedcomma dXNpbm;encodedcomman dXNpbm;encodedcommand dXNpbm;e cwBhA;en cwBhA;enc cwBhA;enco cwBhA;encode cwBhA;encoded cwBhA;encodedco cwBhA;encodedcom cwBhA;encodedcomm cwBhA;encodedcomma cwBhA;encodedcomman cwBhA;encodedcommand cwBhA;JABzA</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection 2" groupRelation="and">
-				<CommandLine condition="contains all">FromBase64String</CommandLine>
-				<CommandLine condition="contains any">JAB;SUVY;aWV4;dmFy;dgBhA;R2V0;SQBFAF;TVq;aQBIA;UEs;H4s;dXNpbm;cwBhA</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection 3" groupRelation="and">
-				<CommandLine condition="contains any">/v Word experienced;/v Excel experienced;-v Word experienced;-v Excel experienced</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection 4" groupRelation="and">
-				<CommandLine condition="contains any">JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ;QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA;kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA;IgAoACcAKgAnACkAOwAkA;IAKAAnACoAJwApADsAJA;iACgAJwAqACcAKQA7ACQA</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Obfuscated Emotet Command Line detection" groupRelation="and">
-				<CommandLine condition="contains any">e^;^en^;^nc</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Suspicious Obfuscation Character" groupRelation="and">
-				<CommandLine condition="contains">^</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Suspicious Directory Traversal" groupRelation="and">
-				<CommandLine condition="contains any">..\;\..</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Formbook detections" groupRelation="and">
-				<CommandLine condition="contains any">\cmd.exe /c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe /c del "C:\Users\*\Desktop\*.exe;\cmd.exe -c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe -c del "C:\Users\*\Desktop\*.exe</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=QBot Process Creation,Risk=100" condition="contains any">ping.exe -n 6 127.0.0.1 &#38;ping.exe /n 6 127.0.0.1 &#38; type</CommandLine>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=Powershell RAW ping,Risk=100" condition="contains">System.Net.Networkinformation.ping</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
-			<Image name="Attack=T1158,Technique=Windows Management Instrumentation,Tactic=Execution,Level=0,Desc=Mofcomp execution or persistence,Risk=50" condition="image">mofcomp.exe</Image>
-
-			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
-			<Rule name="Attack=T1098,Technique=Account Manipulation,Tactic=Credential Access/Persistence,Level=3,Alert=Account Manipulation,Risk=80" groupRelation="and">
-				<Image condition="contains any">net.exe;net1.exe;net2.exe</Image>
-				<CommandLine condition="contains any">user;group;localgroup</CommandLine>
-				<CommandLine condition="contains any">remove;delete;active;del</CommandLine>
-				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
-			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
-			<Rule name="Attack=T1098,Technique=Create Account,Tactic=Persistence,Level=3,Alert=Account Created,Risk=80" groupRelation="and">
-				<Image condition="contains any">net.exe;net1.exe;net2.exe</Image>
-				<CommandLine condition="contains">user</CommandLine>
-				<CommandLine condition="contains any">add</CommandLine>
-				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
-			</Rule>
-			<Image name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsmod,Risk=100" condition="image">dsmod.exe</Image>
-			<Image name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Level=3,Alert=Account Creation via command line,Alert=Account creation with dsadd,Risk=100" condition="image">dsadd.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion/Execution,Level=0,Alert=SilentProcessExit Execution from werfault S-Flag,Risk=75" groupRelation="and">
-				<ParentImage condition="image">WerFault.exe</ParentImage>
-				<ParentCommandLine condition="contains any">-s;/s</ParentCommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike GetSystem escalation Detected" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>
-				<CommandLine condition="contains all">echo;\pipe\;&gt;</CommandLine>
-			</Rule>
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike PSexec dll copy detected" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>
-				<CommandLine condition="contains all">/c;copy;dll;\\;admin$</CommandLine>
-			</Rule>
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike Exec DLL Detected" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">,;StartW</CommandLine>
-			</Rule>
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike Susp activity 1" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">,;update;appdata;temp;/i:</CommandLine>
-			</Rule>
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike Susp activity 2" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">,;update;appdata;temp;-i:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,Level=3,Alert=CMSTPLUA UAC Bypass Child Processes" groupRelation="and">
-				<ParentImage condition="image">dllhost.exe</ParentImage>
-				<ParentCommandLine condition="contains any">{3E5FC7F9-9A51-4367-9063-A120244FBEC7};{3E000D72-A845-4CD9-BD83-80C07C3B881F};{D2E7041B-2927-42fb-8E9F-7CE93B6DC937};{02B49784-1CA2-436C-BC08-72FA3956507D};{BEF590BE-11A6-442A-A85B-656C1081E04C}</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,Level=3,Alert=CMSTPLUA UAC Bypass" groupRelation="and">
-				<Image condition="image">dllhost.exe</Image>
-				<CommandLine condition="contains any">{3E5FC7F9-9A51-4367-9063-A120244FBEC7};{3E000D72-A845-4CD9-BD83-80C07C3B881F};{D2E7041B-2927-42fb-8E9F-7CE93B6DC937};{02B49784-1CA2-436C-BC08-72FA3956507D};{BEF590BE-11A6-442A-A85B-656C1081E04C}</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<Rule name="Attack=T1548,Technique=Abuse Elevation Control Mechanism,Tactic=Privilege Escalation,Level=3,Alert=Abused Debug priviledge by Arbitrary Parent Process,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">winlogon.exe;services.exe;lsass.exe;csrss.exe;wininit.exe;spoolsv.exe;searchindexer.exe</ParentImage>
-				<Image condition="contains any">powershell.exe;pwsh.exe;cmd.exe</Image>
-				<User condition="contains any">AUTHORI;AUTORI</User>
-				<CommandLine condition="excludes any">route ; ADD </CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism: Bypass User Account Control-->
-			<Rule name="Attack=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation,Risk=20" groupRelation="and">
-				<ParentImage condition="image">eventvwr.exe</ParentImage>
-				<Image condition="is not">c:\windows\system32\mmc.exe</Image>
-			</Rule>
-			<ParentImage name="Attack=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="image">fodhelper.exe</ParentImage>
-			<Image name="Attack=T1118,Technique=InstallUtil,Tactic=Execution,Level=0,Desc=InstallUtil" condition="image">InstallUtil.exe</Image>
-			<CommandLine name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass" condition="contains">Invoke-PsUaCme</CommandLine>
-			<CommandLine name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass" condition="contains">BypassUAC</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Powerup Command Line events" condition="contains">PowerUp</CommandLine>
-			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">computerdefaults.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">dism.exe</OriginalFileName>
-			<ParentImage name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">fodhelper.exe</ParentImage>
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<Rule name="Attack=T1088,Technique=Access Token Manipulation,Tactic=Privilege Escalation,Risk=90,Level=3,Alert=Priv Escalation to System" groupRelation="and">
-				<ParentUser condition="contains any">NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</ParentUser>
-				<User condition="contains any">NT AUTHORITY\SYSTEM;СИСТЕМА;NT-AUTORITÄT\SYSTEM;AUTORITE NT\SYSTEM</User>
-			</Rule>
-			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine> <!-- can be useful for tokens manip detection -->
-			<Image name="Attack=T1134,Technique=Access Token Manipulation,Tactic=NA,Level=2,Alert=Token Manipulation with runas.exe,Risk=70" condition="image">runas.exe</Image> 
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Execution,Level=4,Alert=Utilman Lock Screen Bypass,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">Cmd.Exe</OriginalFileName>
-				<ParentImage condition="image">winlogon.exe</ParentImage>
-				<Image condition="image">utilman.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Execution,Level=4,Alert=sethc.exe Lock Screen Bypass,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">Cmd.Exe</OriginalFileName>
-				<ParentImage condition="image">winlogon.exe</ParentImage>
-				<Image condition="image">sethc.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,Level=4,Alert=Utilman Priv Escalation" groupRelation="and">
-				<ParentImage condition="image">utilman.exe</ParentImage>
-				<Image condition="excludes any">C:\Windows\System32\ATBroker.exe;Magnify.exe;C:\Windows\System32\osk.exe</Image>
-			</Rule>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation,Level=0,Desc=SETHC Priv Escalation" condition="image">sethc.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">osk.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Magnify.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">DisplaySwitch.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Narrator.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">AtBroker.exe</ParentImage>
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Application Shimming-->
-			<Image name="Attack=T1138,Technique=Application Shimming,Tactic=Persistence/Privilege Escalation,Level=3,Alert=Application Shimming" condition="image">sdbinst.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=3,Alert=Exploiting SetupComplete.cmd,CVE=CVE-2019-1378,Risk=70" groupRelation="and">
-				<CommandLine condition="contains any">cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd;cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd</CommandLine>
-				<Image condition="excludes">C:\Windows\Setup</Image>
-				<Image condition="excludes">C:\Windows\SysWOW64</Image>
-				<Image condition="excludes">C:\Windows\System32</Image>
-				<Image condition="excludes">C:\Windows\WinSxS</Image>
-			</Rule>
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=3,Alert=IE Exploitation CVE-2019-1388,Risk=70" groupRelation="and">
-				<ParentImage condition="image">consent.exe</ParentImage>
-				<CommandLine condition="contains">http</CommandLine>
-				<Image condition="image">iexplore.exe</Image>
-				<User condition="contains">SYSTEM</User>
-			</Rule>
-			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=Dwm Exploitation" groupRelation="and">
-				<ParentImage condition="image">dwm.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=4,Alert=7zip Priv Escalation Detection,CVE=CVE-2022-29072" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>
-				<ParentImage condition="image">7zFM.exe</ParentImage>
-				<CommandLine condition="excludes any">;/c;-c</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=4,Alert=Possible InstallerFileTakeOver LPE,CVE=CVE-2021-41379" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>
-				<ParentImage condition="image">elevation_service.exe</ParentImage>
-				<IntegrityLevel condition="contains">System</IntegrityLevel>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
-			<Image condition="contains">unknown process</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\LocalState\rootfs\</Image>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\LocalState\rootfs\</ParentImage>			
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<Rule name="Attack=T1484.001,Technique=Group Policy Modification,Tactic=Defense Evasion,Level=3,Alert=Auditpol System Audit Policy Change - Should be set via group policy instead" groupRelation="and">
-				<OriginalFileName condition="contains">auditpol</OriginalFileName>
-				<CommandLine condition="contains any">/set;-set;/restore;-restore;/clear;-clear;/remove;-remove;/resourceSACL;-resourceSACL</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
-			<Rule name="Attack=T1164.001,Technique=Hidden Files and Directories,Tactic=Defense Evasion,Level=3,Alert=Hidden/SuperHidden File or Folder created" groupRelation="and">
-				<CommandLine condition="contains any">+s;+h</CommandLine>
-				<Image condition="image">attrib.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1164.001,Technique=Hidden Files and Directories,Tactic=Defense Evasion,Level=3,Alert=Powershell Hidden File or Folder created" groupRelation="and">
-				<CommandLine condition="contains all">Hidden;Attributes</CommandLine>
-				<Image condition="image">powershell.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
-			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=3,Alert=Stealth Sysmon Change Detected,Risk=100" groupRelation="and">
-				<Product condition="is">Sysinternals Sysmon</Product>
-				<CommandLine condition="contains any">/u;/c;-u;-c</CommandLine>
-				<CurrentDirectory condition="excludes">C:\ProgramdData\sysmon\</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1562.001,Technique=Disabling Security Tools,Tactic=Defense Evasion,Level=4,Alert=Windows Defender tampering,Risk=50" groupRelation="and">
-				<Image condition="image">MpCmdRun.exe</Image>
-				<CommandLine condition="contains any">Add-MpPreference;RemoveDefinitions;DisableIOAVProtection</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools:  Disable Windows Event Logging-->
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonEnte Detection,Level=4,Risk=100" groupRelation="and">
-				<Hashes condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hashes>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonQuiet Detection,Level=4,Risk=100" groupRelation="and">
-				<Hashes condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hashes>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SharpEvtMute Detection,Level=4,Risk=100" groupRelation="and">
-				<Hashes condition="contains">IMPHASH=330768a4f172e10acb6287b87289d83b</Hashes>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
-			<Image condition="image" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=T1089,Level=4,Alert=PSTools PSKill,Risk=8">PsKill.exe</Image>
-			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=T1089,Risk=100,Level=4,Alert=Disabling of Windows Defender Features" groupRelation="and">
-				<CommandLine condition="contains any">Set-MpPreference;Add-MpPreference;Remove-MpPreference;MpCmdRun.exe</CommandLine>
-				<CommandLine condition="contains any">RemoveDefinitions;RemoveDynamicSignature;DisableIOAVProtection;DisableRealTimeMonitoring;DisableBehaviorMonitoring;DisableBlockAtFirstSeen;DisableIOAVProtection;DisablePrivacyMode;DisableScriptScanning;DisableRealtimeMonitoring;DisableScanningNetworkFiles;DisableScanningMappedNetworkDrivesForFullScan;DisableRestorePoint;DisableRemovableDriveScanning;SignatureDisableUpdateOnStartupWithoutEngine;DisableIntrusionPreventionSystem;DisableScanOnRealtimeEnable;DisableArchiveScanning;DisableIntrusionPreventionSystem;DisableScriptScanning;DisableOnAccessProtection;ExclusionExtension;ExclusionPath;ExclusionProcess;ThreatDefaultAction;TamperProtection</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,Level=2,Alert=netsh ipv6 modification,Risk=40" condition="contains">interface ipv6 set</CommandLine>
-			<CommandLine name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,Level=2,Alert=netsh ipv4 modification,Risk=40" condition="contains">interface ipv4 set</CommandLine>
-			<Image name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,Level=0,Desc=Command Line task kill 2,Risk=30" condition="image">taskkill.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=3,Alert=netsh Firewall Rule Deletion,Risk=40" condition="contains">firewall delete</CommandLine> 
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=2,Alert=netsh Firewall Rule Creation,Risk=40" condition="contains">firewall add</CommandLine> 
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=4,Alert=netsh firewall disablement,Risk=40" condition="contains">firewall set opmode disable</CommandLine>
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=4,Alert=Possible Arp Spoofing attacks" condition="contains">Core Networking - Router Solicitation</CommandLine>
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=0,Desc=Windows Firewall Modifications,Risk=40" condition="contains">netsh advfirewall firewall</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
-			<Rule name="Attack=T1070.001,Technique=Clear Windows Event Logs,Tactic=Defense Evasion,Level=4,Alert=Eventlog Removal on Host,Risk=100" groupRelation="and">
-				<Image condition="image">wevtutil.exe</Image>
-				<CommandLine condition="contains"> cl </CommandLine>
-				<CommandLine condition="excludes">wevtutil im</CommandLine>
-				<CommandLine condition="excludes">wevtutil.exe im</CommandLine>
-				<CurrentDirectory condition="excludes">ClickToRun</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1562.006,Technique=Indicator Blocking,Tactic=Defense Evasion,Risk=50" groupRelation="and">
-				<OriginalFileName condition="is">fltMC.exe</OriginalFileName>
-				<CommandLine condition="contains any">detach;unload</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion,Level=4,Alert=IIS Log disablement,Risk=80" groupRelation="and">
-				<OriginalFileName condition="is">appcmd.exe</OriginalFileName>
-				<CommandLine condition="contains all">DontLog;True</CommandLine>
-				<Image condition="excludes">iisetup.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=Usagelog Env Tampering,Risk=70" groupRelation="or">
-				<CommandLine condition="contains all">set;NGenAssemblyUsageLog</CommandLine>
-				<CommandLine condition="contains all">New-ItemProperty;NGenAssemblyUsageLog</CommandLine>
-				<CommandLine condition="contains all">reg;add;dword;NGenAssemblyUsageLog</CommandLine>
-				<CommandLine condition="contains all">$env;NGenAssemblyUsageLog</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=COMPlus_ETWEnabled Env Tampering,Risk=70" groupRelation="or">
-				<CommandLine condition="contains all">set;COMPlus_ETWEnabled</CommandLine>
-				<CommandLine condition="contains all">New-ItemProperty;COMPlus_ETWEnabled</CommandLine>
-				<CommandLine condition="contains all">reg;add;dword;COMPlus_ETWEnabled</CommandLine>
-				<CommandLine condition="contains all">$env;COMPlus_ETWEnabled</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
-			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux exec,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains any">bash.exe;wsl.exe;ubuntu.exe;kali.exe</OriginalFileName>
-				<CommandLine condition="contains any">-e;/e;-u root;--exec bash;dev/tcp</CommandLine>
-			</Rule>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</ParentImage>
-
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Bash on Windows Execution,Risk=30" condition="image">bash.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Bash on windows execution,Risk=30" condition="image">bash.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Indirect Command Execution with forfiles" condition="image">forfiles.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Indirect command execution forfiles child process" condition="image">forfiles.exe</ParentImage>
-			<Image name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">.com</Image>
-			<CommandLine name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=2,Alert=Scriptrunner exec" condition="contains">-appvscript</CommandLine>
-
-			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=3,Alert=suspicious execution path,Risk=30" groupRelation="and">
-				<Image condition="contains any">C:\Users\NetworkService\;C:\Users\NetworkService\;HarddiskVolumeShadowCopy;C:\Users\Default\;C:\Users\Public;C:\Users\Guest\;\administrateur\;C:\Windows\Media\;C:\Windows\addins\;tsclient\;\htdocs\;\config\systemprofile\;C:\PerfLogs\;c:\windows\ServiceProfiles\;C:\Intel\Logs\;C:\Windows\repair\;C:\Windows\Help\;$Recycle;C:\Windows\Debug\;C:\Windows\Security\;C:\Windows\Fonts\;\wwwroot\;\Contacts;C:\Windows\vss\</Image>
-			</Rule>		
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
-			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg add hkcu\software\classes\</CommandLine>
-			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg.exe add hkcu\software\classes\</CommandLine> 
-			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\WINDOWS\system32\svchost.exe -k localService -s RemoteRegistry</ParentCommandLine>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Alternate Data Streams with Regedit" groupRelation="and">
-				<OriginalFileName condition="is">regedit.exe</OriginalFileName>
-				<CommandLine condition="contains">:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=REG Registry Deletions" groupRelation="and">
-				<Image condition="image">reg.exe</Image>
-				<CommandLine condition="contains">delete </CommandLine>
-			</Rule>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Regedit Registry Deletions" groupRelation="and">
-				<Image condition="image">regedit.exe</Image>
-				<CommandLine condition="contains any">/d;-d</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Powershell Registry Deletions" groupRelation="and">
-				<CommandLine condition="contains any">HKCU:;HKLM</CommandLine>
-				<CommandLine condition="contains">remove-item</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Powershell Registry Modifications" groupRelation="and">
-				<CommandLine condition="contains any">HKCU:;HKLM</CommandLine>
-				<CommandLine condition="contains">set-item;new-item</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
-			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Suspicious Code Page Switch,Risk=50" groupRelation="and">
-				<Image condition="image">chcp.exe</Image>
-				<CommandLine condition="contains">936</CommandLine>
-				<CommandLine condition="contains">1256</CommandLine>
-				<CommandLine condition="contains">864</CommandLine>
-				<CommandLine condition="contains">1258</CommandLine>
-				<CommandLine condition="contains">855</CommandLine>
-				<CommandLine condition="contains">866</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Encoded Command Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">-e ;-en;-enc;-enco;-encod;-encode;-encoded;-encodedc;-encodedco;-encodedcom;-encodedcomm;-encodedcomma;-encodedcomman;-encodedcommand;/e ;/en;/enc;/enco;/encod;/encode;/encoded;/encodedc;/encodedco;/encodedcom;/encodedcomm;/encodedcomma;/encodedcomman;/encodedcommand</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Hidden Command,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">-w h;-wi h;-win h;-wind h;-windo h;-window h;-windows h;-windowst h;-windowsty h;-windowstyl h;-windowstyle h;/w h;/wi h;/win h;/wind h;/windo h;/window h;/windows h;/windowst h;/windowsty h;/windowstyl h;/windowstyle h</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Execution Policy Bypass,Risk=75" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">-ex;/ex</CommandLine>
-				<CommandLine condition="contains">bypass</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Powershell non-interactive Command" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">-noni;/noni</CommandLine>
-				<CommandLine condition="excludes">Import-Module FileServerResourceManager</CommandLine>
-				<CurrentDirectory condition="excludes">C:\Program Files\LogicMonitor</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1027,Tactic=Defense Evasion,Technique=Obfuscated Files or Information,Level=4,Alert=Powershell Obfuscation Command,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">hextobin;iex;io.filestream;system.text;base64;system.io;io.file;IMAGE_SUBSYSTEM_WINDOWS_GUI;IMAGE_NT_OPTIONAL_HDR32;IMAGE_NT_OPTIONAL_HDR64;DllCharacteristicsType;GetDelegateForFunctionPointer;WriteProcessMemory;ReadProcessMemory;ImpersonateSelf;AdjustTokenPrivileges;NtCreateThreadEx;CreateRemoteThread;io.seek;iwr;-bxor;invoke-expression;remove.to.string;shellcode;System.Net.WebClient;System.Net.WebRequest;System.Net.SecurityProtocolType;unicode;-useb;msxml2.serverxmlhttp;wscript.shell;-comobject;frombase64;io.compression;system.convert;io.streamreader;io.memorystream;compression.gzipstream;text.encoding;executioncontext;text.enc;convertto-securestring;runtime.interop;verbosepreference;[[string]]::join</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Encoded Offsets,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">SUVYI;aWV4I;SQBFAFgA;aQBlA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC;UwB0AGE</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Obfuscated Suspicious or Malicious Commands,Risk=70" groupRelation="and">
-				<CommandLine condition="contains any">C^om^S^pEc;^c^o^m^S^p^E^c^;Wscript.Shell;-ComObject;MsXml2.ServerXmlHttp;Remove.ToString;System.Convert;-UseB;[Byte[];^h^t^t^p;h"t"t"p</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information with IwAjACMAd,Tactic=Defense Evasion,Level=4,Alert=Common Base 64 encoded cmds" condition="contains any">IwAjACMAd;IyM=;SUVYI;aWV4I;SQBFAFgA;aQBlAHgA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Alert=Obfuscated Hidden Powershell,Risk=70" condition="contains any">WindowStyle Hidden function;WindowStyle Hidden;windowstyle h;windowstyl h;windowsty h;windowst h;windows h;window h;windo h;wind h;win h;wi h;-w h;/w h;win hi;win hid;win hidd;win hidde;win hidden</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Command Line Obfuscation,Risk=75" condition="contains">^</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=0,Desc=Type CON Command Line Redirection" condition="contains">TYPE CON ></CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=0,Desc=Copy CON Command Line Redirection" condition="contains">copy CON ></CommandLine>
-			<CommandLine name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Common Obfuscated Commands,Risk=100" condition="contains any">FromBase64String;action=create keyvalue=;VerbosePreference.ToString;SecureString;CSharpCodeProvider;runtime.interopservices.marshal;system.globalization.numberstyles;system.reflection.assembly;hextobin;VerbosePreference.ToString;system.text.encoding;io.filestream;io.filestream;io.seekorigin;text.encoding;unicode.getstring;FromBase64;[Convert]::;System.IO.File]::ReadAllText;|iex</CommandLine>
-			<Rule name="Attack=T1105,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=CertUtil Decode,Risk=80" groupRelation="and">
-				<OriginalFileName condition="contains">certutil</OriginalFileName>
-				<CommandLine condition="contains any">decode;encode</CommandLine>
-			</Rule>
-			<!--FIX MITRE Mapping-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Ping in Hexadecimal,Risk=60" groupRelation="and">
-				<Image name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Ping in Hexadecimal" condition="image">ping.exe</Image>
-				<CommandLine condition="contains">0x</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information: Compile After Delivery-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
-				<Image condition="image">csc.exe</Image>
-				<CommandLine condition="contains any">\AppData\;\Windows\Temp\</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,Level=3,Alert=Suspicious Parent of Csc.exe,Risk=80" groupRelation="and">
-				<Image condition="image">csc.exe</Image>
-				<ParentImage condition="image">wscript.exe</ParentImage>
-				<ParentImage condition="image">cscript.exe</ParentImage>
-				<ParentImage condition="image">mshta.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,Level=3,Alert=MOFComp compilation of .Mof File,Risk=80" groupRelation="and">
-				<Image condition="image">mofcomp.exe</Image>
-				<CommandLine condition="contains">.mof</CommandLine>
-				<CurrentDirectory condition="excludes">C:\WINDOWS\Installer\MSI</CurrentDirectory>
-				<ParentImage condition="excludes">MsMpEng.exe</ParentImage>
-				<ParentImage condition="excludes">aspnet_regiis.exe</ParentImage>
-				<ParentImage condition="excludes">msiexec.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,Level=3,Alert=CSC Compilation,Risk=80" groupRelation="and">
-				<ParentImage condition="is">csc.exe</ParentImage>
-				<CommandLine condition="contains any">out:;target:library</CommandLine>
-			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft.Workflow.Compiler.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of Autochk,Risk=30" groupRelation="and">
-				<Image condition="image">autochk.exe</Image>
-				<ParentImage condition="excludes any">\smss.exe;\fontdrvhost.exe;\dwm.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of SMSS,Risk=30" groupRelation="and">
-				<Image condition="contains any">\consent.exe;\Runtimebroker.exe;\TiWorker.exe</Image>
-				<ParentImage condition="excludes">\svchost.exe</ParentImage>
-				<ParentImage condition="is not">-</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of consent/runtimebroke/tiworker,Risk=30" groupRelation="and">
-				<Image condition="contains any">\consent.exe;\Runtimebroker.exe;\TiWorker.exe</Image>
-				<ParentImage condition="excludes any">svchost.exe</ParentImage>
-				<ParentImage condition="is not">-</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of searchindexer,Risk=30" groupRelation="and">
-				<Image condition="image">SearchProtocolHost.exe</Image>
-				<ParentImage condition="excludes any">\SearchIndexer.exe;\dllhost.exe</ParentImage>
-				<ParentImage condition="is not">-</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of dllhost,Risk=30" groupRelation="and">
-				<Image condition="image">dllhost.exe</Image>
-				<ParentImage condition="excludes any">\services.exe;\svchost.exe</ParentImage>
-				<ParentImage condition="is not">-</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of smss,Risk=30" groupRelation="and">
-				<Image condition="image">smss.exe</Image>
-				<ParentImage condition="excludes">\smss.exe</ParentImage>
-				<ParentImage condition="is not">System</ParentImage>
-				<ParentImage condition="is not">-</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of csrss,Risk=30" groupRelation="and">
-				<Image condition="image">csrss.exe</Image>
-				<ParentImage condition="is not">-</ParentImage>
-				<ParentImage condition="excludes any">\smss.exe;svchost.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of wininit,Risk=30" groupRelation="and">
-				<Image condition="image">wininit.exe</Image>
-				<ParentImage condition="is not">-</ParentImage>
-				<ParentImage condition="excludes">\smss.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of winlogon,Risk=30" groupRelation="and">
-				<Image condition="image">winlogon.exe</Image>
-				<ParentImage condition="excludes">\smss.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of lsass/LsaIso,Risk=30" groupRelation="and">
-				<Image condition="contains any">\lsass.exe;LsaIso.exe</Image>
-				<ParentImage condition="excludes">\wininit.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of LogonUI,Risk=30" groupRelation="and">
-				<Image condition="image">LogonUI.exe</Image>
-				<ParentImage condition="excludes any">\wininit.exe;\winlogon.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of services,Risk=30" groupRelation="and">
-				<Image condition="image">services.exe</Image>
-				<ParentImage condition="excludes">\wininit.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of svchost,Risk=30" groupRelation="and">
-				<Image condition="image">svchost.exe</Image>
-				<ParentImage condition="is not">-</ParentImage>
-				<ParentImage condition="excludes any">\MsMpEng.exe;\services.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of spoolsv,Risk=30" groupRelation="and">
-				<Image condition="image">spoolsv.exe</Image>
-				<ParentImage condition="excludes">\services.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of taskhost,Risk=30" groupRelation="and">
-				<Image condition="image">taskhost.exe</Image>
-				<ParentImage condition="excludes any">\services.exe;\svchost.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of userinit,Risk=30" groupRelation="and">
-				<Image condition="image">userinit.exe</Image>
-				<ParentImage condition="excludes any">\dwm.exe;\winlogon.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of wmiprvse/wsmprovhost/winrshost,Risk=30" groupRelation="and">
-				<Image condition="contains any">\wmiprvse.exe;\wsmprovhost.exe;\winrshost.exe</Image>
-				<ParentImage condition="is not">-</ParentImage>
-				<ParentImage condition="excludes any">\svchost.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
-				<ParentImage condition="contains any">\SearchProtocolHost.exe;\taskhost.exe;\csrss.exe</ParentImage>
-				<Image condition="excludes any">\werfault.exe;\wermgr.exe;\WerFaultSecure.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
-				<ParentImage condition="image">autochk.exe</ParentImage>
-				<Image condition="excludes any">\chkdsk.exe;\doskey.exe;\WerFault.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of smss,Risk=30" groupRelation="and">
-				<ParentImage condition="image">smss.exe</ParentImage>
-				<Image condition="excludes any">\autochk.exe;\smss.exe;\csrss.exe;\wininit.exe;\winlogon.exe;\setupcl.exe;\WerFault.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of wermgr,Risk=30" groupRelation="and">
-				<ParentImage condition="image">wermgr.exe</ParentImage>
-				<Image condition="excludes any">\WerFaultSecure.exe;\wermgr.exe;\WerFault.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of conhost,Risk=30" groupRelation="and">
-				<ParentImage condition="image">conhost.exe</ParentImage>
-				<Image condition="excludes any">\mscorsvw.exe;\wermgr.exe;\WerFault.exe;\WerFaultSecure.exe</Image>
-			</Rule>
-			<CommandLine name="Attack=T1055,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement,Tactic=Defense Evasion,Level=4,Alert=Powershell Injection persistence bypass,Risk=50" condition="contains">System.Management.Automation</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
-			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
-			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
-			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
-				<CommandLine condition="contains all">/logfile=;/LogToConsole=false;/U</CommandLine>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
-				<CommandLine condition="contains all">-logfile=;-LogToConsole=false;-U</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.013,Technique=Mavinject,Tactic=Execution,Level=3,Alert=Mavinject Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains any">Mavinject.exe;mavinject64.exe</OriginalFileName>
-				<CommandLine condition="contains">INJECTRUNNING</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 1,Risk=100" groupRelation="and">
-				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
-				<CommandLine condition="contains all">/ni;/s</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 2,Risk=100" groupRelation="and">
-				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
-				<CommandLine condition="contains all">/ns;/s</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 3,Risk=100" groupRelation="and">
-				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
-				<CommandLine condition="contains all">-ni;-s</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 4,Risk=100" groupRelation="and">
-				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
-				<CommandLine condition="contains all">-ns;-s</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.002,Technique=Control Panel,Tactic=Execution,Level=3,Alert=Control_Rundll Detected,Risk=50" groupRelation="and">
-				<CommandLine condition="contains all">rundll32.exe;shell32.dll;_RunDLL</CommandLine>
-				<Image condition="is not">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.008,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=3,Alert=Odbcconf Signed Binary Proxy Execution,Risk=50" groupRelation="and">
-				<Image condition="image">odbcconf.exe</Image>
-				<CommandLine condition="contains any">/S /A {REGSVR;-S -A {REGSVR</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,Level=3,Alert=Script:http Detected,Risk=75" condition="contains">script:http</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,Level=3,Alert=Register-cimprovider exec,Risk=100" condition="contains">Register-cimprovider</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">Scriptrunner.exe -appvscript</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">bginfo</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">cbd</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=runscripthelper LOLBAS,Risk=40" condition="contains">runscripthelper.exe surfacecheck</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=xwizard LOLBAS,Risk=40" condition="contains">xwizard RunWizard</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=PresentationHost exec,Risk=100" condition="contains">PresentationHost</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=VBoxDrvInst.exe exec,Risk=100" condition="contains">driver executeinf</CommandLine>
-			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains any">control.exe /name;control.exe -name</CommandLine>
-			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains">Control_RunDLL</CommandLine>
-			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="image">SyncAppvPublishingServer.exe</Image>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">Scriptrunner.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">ATBroker.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">Appvlp.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">InfDefaultInstall.EXE</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">PresentationHost.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">RegisterCimProvider2.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">RegisterCimProvider.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">ScriptRunner.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">csi.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">extexport.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">msconfig.EXE</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">rasdlui.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">tttracer.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">verclsid.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">wab.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=Register-cimprovider.exe,Risk=100" condition="contains">Register-cimprovider.exe</OriginalFileName>
-			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">csi.exe</ParentCommandLine>
-			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">devtoolslauncher.exe LaunchForDeploy</ParentCommandLine>
-			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">bginfo</ParentCommandLine>
-			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">devtoolslauncher.exe</ParentImage>
-			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">wab.exe</ParentImage>
-			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">wsreset.exe</ParentImage>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: CMSTP-->
-			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion" condition="contains any">cmstp.exe /ni /s;cmstp.exe -ni -s</CommandLine>
-			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=0,Desc=cmstp" condition="contains any">cmstp /ni /s;cmstp -ni -s</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Mavinject-->
-			<Image name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,Level=3,Alert=Mavinject Process Injection" condition="image">Mavinject.exe</Image>
-			<CommandLine name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,Level=3,Alert=Mavinject Process Injection" condition="contains">INJECTRUNNING</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
-			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,Level=3,Alert=Potential rundll32.exe DllRegisterServer execution,Risk=70" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains">DllRegisterServer</CommandLine>
-				<CommandLine condition="excludes any">xapauthenticodesip.dll</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,Level=3,Alert=Suspicious Regsvr32 loading in Appdata temp" groupRelation="and">
-				<Image condition="image">regsvr32.exe</Image> 
-				<CommandLine condition="contains all">C:\Users;Appdata;Temp</CommandLine> 
-			</Rule>
-			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Defense Evasion/Execution,Level=4,Alert=Suspicious Regsvr32 loading in Public User folder" groupRelation="and">
-				<Image condition="image">regsvr32.exe</Image> 
-				<CommandLine condition="contains all">C:\Users;Public</CommandLine> 
-			</Rule>
-			<Description name="Attack=T1117,Technique=Regsvr32,Tactic=Execution" condition="contains">Microsoft(C) Register Server</Description>
-			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=SyncAppvPublishingServer Applocker Bypass" condition="image">SyncAppvPublishingServer.exe</Image>
-			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=control panel execution" condition="image">control.exe</Image>
-			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=rasautou execution" condition="image">rasautou.exe</Image>
-			<CommandLine name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,Level=4,Alert=Control Panel Execution" condition="contains any">control.exe /name;control.exe -name</CommandLine>
-			<CommandLine name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,Level=4,Alert=Control Panel Execution" condition="contains">Control_RunDLL</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
-			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=Msiexec.exe DllRegisterServer execution,Risk=70" groupRelation="and">
-				<Image condition="image">msiexec.exe</Image>
-				<CommandLine condition="contains any">/y;-y</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\DartSock.dll</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\ImageViewer2.OCX</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\SysTray.ocx</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\tdbg6.ocx</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\tdbg7.ocx</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\tdbg7.ocx</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\todg7.ocx</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\todgub7.dll</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\xarraydb.ocx</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion,Level=4,Alert=MSIExec Signed Binary Proxy Execution,Risk=70" groupRelation="and">
-				<Image condition="image">msiexec.exe</Image>
-				<CommandLine condition="contains any">/i;-i</CommandLine>
-				<CommandLine condition="contains any">http</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Rundll32-->
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Rundll32 Suspicious call by Ordinal,Risk=80" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains all">,;#</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\resources\themes\Aero\AeroLite.msstyles</CommandLine>
-				<CommandLine condition="excludes">uxtheme.dll</CommandLine>
-				<CommandLine condition="excludes">ImageView_Fullscreen</CommandLine>
-				<CommandLine condition="excludes">EDGEHTML.dll</CommandLine>
-				<CommandLine condition="excludes">PhotoViewer.dll</CommandLine>
-				<CurrentDirectory condition="excludes">\AppData\Local\WebEx\WebEx\</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=3,Alert=Rundll32 Single Threaded Apartment Switch - check for com hijacks,Risk=75" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains any">-sta;/sta</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious OpenAs_RunDLL,Risk=30" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains all">shell32.dll;OpenAs_RunDLL</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Executing Powershell,Risk=70" groupRelation="and">
-				<ParentImage condition="image">RUNDLL32.EXE</ParentImage>
-				<OriginalFileName condition="contains">powershell</OriginalFileName>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious OpenURL Commands" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains all">url.dll;OpenURL</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious FileProtocolHandler Commands" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains all">url.dll;FileProtocolHandler</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious RouteTheCall Commands" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains all">zipfldr.dll;RouteTheCall</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious Control_RunDLL Commands" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains all">Shell32.dll;Control_RunDLL</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious javascript Commands" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains">javascript:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious RegisterXLL Commands" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains">RegisterXLL</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Suspicious Rundll32 loading in Public User folder" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image> 
-				<CommandLine condition="contains all">C:\Users;Public</CommandLine>
-				<ParentCommandLine condition="excludes any">rdpinit.exe</ParentCommandLine> 
-				<ParentImage condition="excludes any">rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe</ParentImage> 
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Suspicious Rundll32 loading in Appdata Temp" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">C:\Users;Appdata;Temp</CommandLine>
-				<CommandLine condition="excludes any">ImageView_</CommandLine>
-				<ParentCommandLine condition="excludes any">rdpinit.exe</ParentCommandLine>
-				<ParentImage condition="excludes any">rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe</ParentImage>
-			</Rule>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">advpack.dll;LaunchINFSection</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">ieadvpack.dll;LaunchINFSection</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">syssetup.dll;SetupInfObjectInstallAction</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">setupapi.dll;InstallHinfSection</CommandLine>
-			<CommandLine condition="contains">InstallHinfSection</CommandLine>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">infDefaultInstall.exe</Image>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=APT28 CHOPSTICK Detection,Risk=70" condition="contains">rundll32.exe "C:\Windows\twain_64.dll"</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Shdocvw exec via rundll32,Risk=70" condition="contains all">shdocvw.dll;OpenURL</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Testing advpack exec,Risk=70" condition="contains all">advpack.dll;RegisterOCX</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass,Risk=100" condition="contains all">Zipfldr.dll;RouteTheCall</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass,Risk=100" condition="contains all">url.dll;FileProtocolHandler</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass technique FileProtocolHandler,Risk=100" condition="contains all">url.dll;FileProtocolHandler</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" condition="contains all">OpenURLA;file:</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" condition="contains all">OpenURL;file:</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MSHTA-->
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Defense Evasion,Level=4,Alert=Suspicious child processes of mshta,Risk=100" groupRelation="and">
-				<ParentImage condition="image">mshta.exe</ParentImage>
-				<Image condition="contains any">cmd.exe;powershell.exe;wscript.exe;cscript.exe;sh.exe;bash.exe;reg.exe;regsvr32.exe;bitsadmin</Image>
-			</Rule>
-			<Rule name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution,Risk=100" groupRelation="and">
-				<Image condition="image">mshta.exe</Image>
-			</Rule>
-			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution" condition="contains">RunHTMLApplication</CommandLine>
-			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution" condition="contains">mshtml</CommandLine>
-			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution" condition="contains">vbscript:CreateObject</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Odbcconf-->
-			<Image name="Attack=T1218.008,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=3,Alert=Possible driver load with odbcconf,Risk=40" condition="image">odbcconf.exe</Image>
-
-			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
-			<CommandLine name="Attack=T1216,Technique=System Script Proxy Execution,Tactic=Defense Evasion,Level=4,Alert=manage-bde.wsf exec,Risk=100" condition="contains">manage-bde.wsf</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=Powershell Calling MSBuild" groupRelation="and">
-				<ParentImage condition="contains any">powershell.exe;powershell_ise.exe</ParentImage>
-				<Image condition="image">msbuild.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild Calling RegAsm" groupRelation="and">
-				<ParentImage condition="image">msbuild.exe</ParentImage>
-				<Image condition="contains">regasm</Image>
-			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild Calling useinit" groupRelation="and">
-				<ParentImage condition="image">msbuild.exe</ParentImage>
-				<Image condition="image">userinit.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild Building from xml - Silent Trinity" groupRelation="and">
-				<ParentImage condition="image">msbuild.exe</ParentImage>
-				<ParentCommandLine condition="contains">.xml</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=RegAsm Parent process" groupRelation="and">
-				<ParentImage condition="image">regasm.exe</ParentImage>
-				<Image condition="excludes">\conhost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild building from lnk file" groupRelation="and">
-				<Image condition="image">msbuild.exe</Image>
-				<CommandLine condition="contains">.lnk</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">.csproj</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
-			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
-			<Image name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,Level=4,Alert=XSL Script Processing" condition="image">msxsl.exe</Image>
-			<ParentImage name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,Level=4,Alert=XSL Script Processing" condition="image">msxsl.exe</ParentImage>
-			<!--MITRE ATT&CK TACTIC: Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
-			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
-			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Hawkeye Keylogger Detected" condition="contains">/stext</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">keylog</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">keyscan_</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">Get-Keystrokes</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">/scomma</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<Rule name="Attack=T1040,Technique=Network Sniffing,Tactic=Credential Access/Discovery,Level=4,Alert=Network Sniffing tool Detected,Risk=100" groupRelation="and">
-				<CommandLine condition="contains">sniff</CommandLine>
-				<CommandLine condition="excludes">C:\Program Files\Adobe\</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1040,Technique=Network Sniffing,Tactic=Credential Access/Discovery,Level=4,Alert=PCAP Sniffing tool Detected,Risk=100" groupRelation="or">
-				<OriginalFileName condition="is any">tcpdump.exe;tcpdump.c;tshark.exe;tshark.c;windump.exe;windump.c;wireshark.c;wireshark.exe</OriginalFileName>
-				<CommandLine condition="contains any">windump;tshark;tcpdump;windump;wireshark</CommandLine>
-				<CommandLine condition="contains all">netsh;trace;start;capture=yes</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Access with vss shadow copy,Risk=100" groupRelation="and">
-				<Image condition="image">vssadmin.exe</Image>
-				<CommandLine condition="contains any">create;shadow</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential access with wmic shadow copy creation,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains all">shadowcopy;call;create</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential access with wmic esentutl,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains all">call;create;esentutl;vss</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Powershell shadow copy creation,Risk=100" groupRelation="and">
-				<CommandLine condition="contains all">win32_shadowcopy;create;clientaccessible</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Symlink to Shadowcopy,Risk=100" groupRelation="and">
-				<CommandLine condition="contains all">mklink;GLOBALROOT;Shadow</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Copy of NTDS.dit from vss shadow copy,Risk=100" groupRelation="or">
-				<CommandLine condition="contains all">copy;NTDS\ntds.dit</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=ntdsutil credential dumping,Risk=100" groupRelation="or">
-				<Image condition="image">ntdsutil.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Copy of SYSTEM Registry from vss shadow copy,Risk=100" groupRelation="or">
-				<CommandLine condition="contains all">copy;System32\config\SYSTEM</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Malicious Reg Save Credential Dumping,Risk=100" groupRelation="or">
-				<CommandLine condition="contains all">reg;save;HKLM</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">mimikatz;mimidrv;mimilove;mimilib;sekurlsa;lsadump;dumpcreds;privilege::;token::;logonpasswords;mimikittenz;mimiauth;::;kerberos::;misc::skeleton;privilege::debug;dpapi::cred;vault::cred;lsadump;misc::;Krbtgt;TOKEN::;invoke-mimi</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=3,Alert=Possible credential modification or disclosure with cmdkey,Risk=30" groupRelation="and">
-				<OriginalFileName condition="contains">cmdkey</OriginalFileName>
-			</Rule>
-			<OriginalFileName name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=3,Alert=Credential Dumping Command rpcping,Risk=100" condition="is">rpcping.exe</OriginalFileName>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command nltest,Risk=100" condition="contains">nltest.exe</CommandLine>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Suspicious Cred Dumping Commands,Risk=60" groupRelation="and">
-				<CommandLine condition="contains any">-ma lsass.exe;Do-Exfiltration;Powersploit;GPPPassword;gpprefdecrypt;gsecdump;hashdump;laZagne;ntds.dit;ppldump;pwdump;pwdumpx;secretsdump;/listcreds:;-listcreds:</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultCloseVault</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultEnumerateItem</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultFree</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultGetItem</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultOpenVault</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">Vaultcmd</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">vaultcli.dll</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from firefox" condition="contains">select * from moz_login</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping" condition="contains">Invoke-WinEnum</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Dumping Cached Credentials,Risk=100" condition="contains">System.Net.CredentialCache</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=VSS Shadow file Created" condition="contains">create shadow</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Dumping,Level=4,Alert=Credential Theft: netsh wlan password export in cleartext,Risk=100" condition="contains all">wlan;export;profile;key=clear</CommandLine>
-			<CommandLine name="Attack=T1003.006,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command DCsync,Risk=100" condition="contains">dcsync</CommandLine>
-			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry" condition="contains any">HKCU /f password;HKCU -f password</CommandLine>
-			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry" condition="contains any">HKLM /f password;HKLM -f password</CommandLine>
-			<Image name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command nltest,Risk=60" condition="image">nltest.exe</Image>
-			<Image name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command" condition="contains">ProcDump.exe</Image>
-			<OriginalFileName name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command" condition="contains">ProcDump</OriginalFileName>
-			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">asktgt;asktgs</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">createnetonly /program:;createnetonly -program:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">dump /service:krbtgt;dump -service:krbtgt</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">harvest /interval:;harvest -interval:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">renew /ticket:;renew -ticket:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">asreproast</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">impersonateuser:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">kerberoast</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">ptt /ticket:</CommandLine>
-			<Image name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Kerberos Ticket Disclosure with klist,Risk=70" condition="image">klist.exe</Image>
-			<Image name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=0,Desc=Kerberos Ticket Disclosure,Risk=30" condition="image">hh.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
-			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
-			<Rule name="Attack=T1552,Technique=Unsecured Credentials,Tactic=Credential Access,Level=3,Alert=Possible disclosure with IIS appcmd,Risk=100" groupRelation="and">
-				<OriginalFileName condition="is">appcmd.exe</OriginalFileName>
-				<CommandLine condition="contains all">list;text;password</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TACTIC: Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=2,Alert=User enumeration/Discovery,Risk=30" condition="image">quser.exe</Image>
-			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=2,Alert=User or Group Discovery,Risk=50" groupRelation="and">
-				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
-				<CommandLine condition="contains any">group;localgroup; user</CommandLine>
-				<CommandLine condition="excludes">/domain</CommandLine>
-				<CommandLine condition="excludes">SUService</CommandLine>
-				<CommandLine condition="excludes">\users</CommandLine>
-				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=2,Alert=Domain User or Group Discovery,Risk=50" groupRelation="and">
-				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
-				<CommandLine condition="contains any">group;localgroup; user</CommandLine>
-				<CommandLine condition="contains any">/domain</CommandLine>
-				<CommandLine condition="excludes">SUService</CommandLine>
-				<CommandLine condition="excludes">\users</CommandLine>
-				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=4,Alert=Sharphound Discovery,Risk=100" groupRelation="or">
-				<CommandLine condition="contains any">sharphound;bloodhound;azurehound;CollectionMethod;encryptzip;randomizefilenames;dumpcomputerstatus</CommandLine>
-				<Company condition="contains any">sharphound;bloodhound</Company>
-				<Description condition="contains any">sharphound;bloodhound</Description>
-				<Image condition="contains any">sharphound;bloodhound</Image>
-				<OriginalFileName condition="contains any">sharphound;bloodhound</OriginalFileName>
-				<ParentImage condition="contains any">sharphound;bloodhound</ParentImage>
-				<Product condition="contains any">sharphound;bloodhound</Product>
-			</Rule>
-			<CommandLine name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=DSclient Discovery,Risk=70" condition="contains any">dscl . list /Groups;dscl . list -Groups</CommandLine>
-			<CommandLine name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=DSclient Discovery,Risk=70" condition="contains any">dscl . list /Users;dscl . list -Users</CommandLine>
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=DSQuery.EXE Discovery,Risk=70" condition="image">dsquery.exe</Image>
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=Query.EXE Discovery,Risk=30" condition="image">query.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
-			<Image name="Attack=T1083,Technique=File and Directory Discovery,Tactic=Discovery,Level=0,Desc=directory structure disclosure,Risk=30" condition="end with">tree.com</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
-			<Rule name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,Level=3,Alert=Auditpol System/GP Audit Policy Discovery" groupRelation="and">
-				<OriginalFileName condition="contains">auditpol</OriginalFileName>
-				<CommandLine condition="contains any">/get;-get;/list;-list;/backup;-backup</CommandLine>
-			</Rule>
-			<Image name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,Level=3,Alert=Group Policy Discovery with GPResult" condition="contains any">gpresult.exe</Image>
-			<CommandLine name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,Level=3,Alert=Group Policy Discovery with Powershell" condition="contains any">get-gpo;get-gpresult;get-gpreg</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
-			<Image name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,Level=0,Desc=Process Discovery,Risk=0" condition="image">tasklist.exe</Image>
-			<Image name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,Level=3,Alert=Process Discovery,Risk=0" condition="image">qprocess.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
-			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg query</CommandLine>
-			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg.exe query</CommandLine>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
-
-			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
-			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,Level=2,Alert=Traceroute Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">tracert.exe</Image>
-			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,Level=2,Alert=Pathping Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">pathping.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Discovery: Security Software Discovery-->
-			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,Alert=Sysmon Detection with driver altitude " groupRelation="or">
-				<CommandLine condition="contains all">find;385201</CommandLine>
-				<CommandLine condition="contains all">select-string;385201</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,Alert=Antivirus/edr/siem Discovery" groupRelation="or">
-				<CommandLine condition="contains all">find;virus</CommandLine>
-				<CommandLine condition="contains all">select-string;virus</CommandLine>
-				<CommandLine condition="contains all">process;Description;virus</CommandLine>
-				<CommandLine condition="contains all">find;cb</CommandLine>
-				<CommandLine condition="contains all">select-string;cb</CommandLine>
-				<CommandLine condition="contains all">process;Description;cb</CommandLine>
-				<CommandLine condition="contains all">find;defender</CommandLine>
-				<CommandLine condition="contains all">select-string;defender</CommandLine>
-				<CommandLine condition="contains all">process;Description;defender</CommandLine>
-				<CommandLine condition="contains all">find;crowdstrike</CommandLine>
-				<CommandLine condition="contains all">select-string;crowdstrike</CommandLine>
-				<CommandLine condition="contains all">process;Description;crowdstrike</CommandLine>
-				<CommandLine condition="contains all">find;sentinel</CommandLine>
-				<CommandLine condition="contains all">select-string;sentinel</CommandLine>
-				<CommandLine condition="contains all">process;Description;sentinel</CommandLine>
-				<CommandLine condition="contains all">find;nessusd</CommandLine>
-				<CommandLine condition="contains all">select-string;nessusd</CommandLine>
-				<CommandLine condition="contains all">process;Description;nessusd</CommandLine>
-				<CommandLine condition="contains all">find;td-agent</CommandLine>
-				<CommandLine condition="contains all">select-string;td-agent</CommandLine>
-				<CommandLine condition="contains all">process;Description;td-agent</CommandLine>
-				<CommandLine condition="contains all">find;cbagentd</CommandLine>
-				<CommandLine condition="contains all">select-string;cbagentd</CommandLine>
-				<CommandLine condition="contains all">process;Description;cbagentd</CommandLine>
-				<CommandLine condition="contains all">find;sysmon</CommandLine>
-				<CommandLine condition="contains all">select-string;sysmon</CommandLine>
-				<CommandLine condition="contains all">process;Description;sysmon</CommandLine>
-				<CommandLine condition="contains all">find;winlogbeat</CommandLine>
-				<CommandLine condition="contains all">select-string;winlogbeat</CommandLine>
-				<CommandLine condition="contains all">process;Description;winlogbeat</CommandLine>
-				<CommandLine condition="contains all">find;winlogbeat</CommandLine>
-				<CommandLine condition="contains all">select-string;winlogbeat</CommandLine>
-				<CommandLine condition="contains all">process;Description;winlogbeat</CommandLine>
-				<CommandLine condition="contains all">find;csfalcon</CommandLine>
-				<CommandLine condition="contains all">select-string;csfalcon</CommandLine>
-				<CommandLine condition="contains all">process;Description;csfalcon</CommandLine>
-				<CommandLine condition="contains all">find;splunk</CommandLine>
-				<CommandLine condition="contains all">select-string;splunk</CommandLine>
-				<CommandLine condition="contains all">process;Description;splunk</CommandLine>
-				<CommandLine condition="contains all">find;sidecar</CommandLine>
-				<CommandLine condition="contains all">select-string;sidecar</CommandLine>
-				<CommandLine condition="contains all">process;Description;sidecar</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" groupRelation="or">
-				<OriginalFileName name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" condition="is">fltMC.exe</OriginalFileName>
-				<CommandLine name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" condition="contains">misc::mflt</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,Level=3,Alert=AV Product detection via WMI,Risk=30" condition="contains">AntiVirusProduct</CommandLine>
-			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,Level=3,Alert=Security Settings via WMI,Risk=30" condition="contains">root\SecurityCenter2</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
-			<Image name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,Level=2,Alert=System Information Discovery,Risk=30" condition="image">sysinfo.exe</Image>
-			<CommandLine name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,Level=2,Alert=System Information Discovery,Risk=30" condition="image">systeminfo</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
-			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=Network Connection Discovery with netsh,Risk=60" groupRelation="and">
-				<Image condition="image">netsh.exe</Image>
-				<CommandLine condition="contains any">get;list;show</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=Network Connection Changes with netsh,Risk=60" groupRelation="and">
-				<Image condition="image">netsh.exe</Image>
-				<CommandLine condition="excludes any">get;list;show</CommandLine>
-			</Rule>
-			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=ipconfig discovery,Risk=20" condition="image">ipconfig.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
-			<Image name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=0,Desc=System Network Connections Discovery,Risk=0" condition="image">netstat.exe</Image>
-			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp -a</CommandLine> 
-			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp.exe -a</CommandLine> 
-			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp  -a</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
-			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=Account Discovery,Risk=50" groupRelation="and">
-				<Image condition="contains any">whoami.exe;whoami1.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=3,Alert=WMIC Account Discovery,Risk=30" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains all">get;useraccount</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Level=0,Desc=Network Connection modifications with netsh,Risk=40" groupRelation="and">
-				<Image condition="image">netsh.exe</Image>
-				<CommandLine condition="contains any">add;del;set</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=NBTStat DNS Lookup,Risk=30" groupRelation="and">
-				<CommandLine condition="contains">nbtstat</CommandLine> 
-				<CommandLine condition="excludes">nessus</CommandLine> 
-			</Rule>
-			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=route.exe discovery,Risk=60" groupRelation="and">
-				<Image condition="image">route.exe</Image>
-				<CommandLine condition="contains">print</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=Route Modification,Risk=40" groupRelation="and">
-				<Image condition="image">route.exe</Image>
-				<CommandLine condition="contains any">ADD;DEL;CHANGE;-f</CommandLine>
-			</Rule>
-			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=User enumeration with qwinsta" condition="image">qwinsta.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">rwinsta.exe</Image>
-			
-			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-
-			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ParentImage condition="contains">Microsoft Office\root\Office</ParentImage>
-				<Image condition="excludes">Microsoft Office\root\Office</Image>
-				<ParentCommandLine condition="contains all">automation;Embedding</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.002,Tactic=Lateral Movement,Technique=SMB/Windows Admin Shares,Level=3,Alert=Command Ran over Admin Share" groupRelation="and">
-				<CommandLine condition="contains">admin$</CommandLine>
-				<CommandLine condition="excludes any">davclnt.dll</CommandLine>
-				<ParentCommandLine condition="excludes any">WebClientGroup</ParentCommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking: RDP Hijacking-->
-			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,Level=4,Alert=Remote Desktop Shadow Alert,Risk=100" condition="contains any">/shadow;-shadow</CommandLine>
-			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,Level=4,Alert=Remote Desktop Shadow with no Consent alert" condition="contains">noConsentPrompt</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
-			<Rule name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,Level=4,Alert=RDP Hijack Detected" groupRelation="and">
-				<ParentImage name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,Level=4,Alert=RDP Hijack Detected,Risk=100" condition="image">tscon.exe</ParentImage>
-				<CommandLine condition="contains">dest:rdp-tcp:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=4,Alert=Powershell Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=4,Alert=Emotet Executed via WMI,Risk=100" groupRelation="and">
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-				<Image condition="contains">\Users\</Image>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Network Detective System Scan Detected,Risk=100" groupRelation="and">
-				<Image condition="contains">NetworkDetective</Image>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Remote Tenable Malware Scan Detected,Risk=100" groupRelation="and">
-				<Image condition="image">sc.exe</Image>
-				<CommandLine condition="contains">tenable</CommandLine>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=CMD.exe Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-				<CommandLine condition="excludes any">do_vbsUpload;Spiceworks</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=regsvr32.exe Executed via WMI,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">regsvr32.exe</OriginalFileName>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=CMD Executed via WMI,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">cmd.exe</OriginalFileName>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=4,Alert=Powershell Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=RSAT Tool Launch,Risk=100" groupRelation="and">
-				<CommandLine condition="contains">dsa.msc</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=HyperV Remote Management Tool Launch,Risk=100" groupRelation="and">
-				<CommandLine condition="contains">virtmgmt.msc</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Potential Malicious Remote WMI Execution Detected,Risk=100" groupRelation="and">
-				<ParentImage condition="image">wmiprvse.exe</ParentImage>
-				<Image condition="excludes">CompMgmtLauncher.exe</Image>
-				<Image condition="excludes">DismHost.exe</Image>
-				<Image condition="excludes">Microsoft.NET\Framework</Image>
-				<Image condition="excludes">NetEvtFwdr.exe</Image>
-				<Image condition="excludes">ServerManager.exe</Image>
-				<Image condition="excludes">WerFault.exe</Image>
-				<Image condition="excludes">chcp.com</Image>
-				<Image condition="excludes">g2mupdate.exe</Image>
-				<Image condition="excludes">slack.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,AlertSuspicious Processes Spawned by WinRM,Risk=100" groupRelation="and">
-				<ParentImage condition="image">wsmprovhost.exe</ParentImage>
-				<Image condition="image">cmd.exe</Image>
-				<Image condition="image">sh.exe</Image>
-				<Image condition="image">bash.exe</Image>
-				<Image condition="image">wsl.exe</Image>
-				<Image condition="image">powershell.exe</Image>
-				<Image condition="image">powershell_ise.exe</Image>
-				<Image condition="image">schtasks.exe</Image>
-				<Image condition="image">at.exe</Image>
-				<Image condition="image">certutil.exe</Image>
-				<Image condition="image">mshta.exe</Image>
-				<Image condition="image">whoami.exe</Image>
-				<Image condition="image">ping.exe</Image>
-				<Image condition="image">ping.exe</Image>
-				<Image condition="image">bitsadmin.exe</Image>
-			</Rule>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Windows Remote Management Execution" condition="end with">winrm.cmd</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrs.exe</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrshost.exe</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=2,Alert=Waitfor.exe Execution bypass" condition="image">waitfor.exe</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</Image>
-			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="end with">winrshost.exe</ParentImage>
-			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</ParentImage>
-			<Rule name="Attack=T1021.006,Technique=Remote WMIC/Execution,Tactic=Lateral Movement,Level=4,Alert=Potential Malicious Document Execution,Risk=90" groupRelation="and">
-				<ParentImage condition="image">wmiprvse.exe</ParentImage>
-				<Image condition="image">mshta.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Secure Shell Execution,Risk=80" groupRelation="and">
-				<Image condition="contains any">ssh.exe;putty.exe;kitty.exe;kitty_portable.exe</Image><!-- SSH -->
-			</Rule>
-			<Product name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Putty utility detected,Risk=60">PuTTY suite</Product>
-			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Secure Shell FTP Execution,Risk=80" groupRelation="and">
-				<Image condition="contains any">sftp;psftp</Image><!-- SSH -->
-			</Rule>
-			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Possible SMBExec via Metasploit,Risk=100" groupRelation="and">
-				<CommandLine condition="is">rundll32.exe</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Trickbot,Risk=100" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">..\;,</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Trickbot 2,Risk=100" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">,StartW</CommandLine>
-			</Rule>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Sysinternals PSService" condition="contains">psservice</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Sysinternals PsPasswd" condition="contains">PsPasswd</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">mstsc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
-			<CommandLine name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=IIS powershellcustomhost exec" condition="contains">powershellcustomhost</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Remote Services: Distributed Component Object Model-->
-			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement" groupRelation="and">
-				<ParentCommandLine condition="contains">-Embedding</ParentCommandLine>
-				<ParentImage condition="is">c:\windows\system32\mmc.exe</ParentImage>
-			</Rule>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=4,Alert=CrackmapExec - Malicious Command Line events,Tactic=Privilege Escalation" condition="contains all">--execm;atexec</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Background Intelligent Transfer Control Class 1.0" condition="contains">{4991d34b-80a1-4291-83b6-3328366b9097}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Excel.Application" condition="contains">{00020812-0000-0000-C000-000000000046}</CommandLine> 	  
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: HTML Application" condition="contains">{40AEEAB6-8FDA-41e3-9A5F-8350D4CFCA91}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: MMC20.APPLICATION" condition="contains">{7e0423cd-1119-0928-900c-e6d4a52a0715}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Outlook.Application" condition="contains">{0006F04A-0000-0000-C000-000000000046}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Powerpoint.Application" condition="contains">{048EB43E-2059-422F-95E0-557DA96038AF}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Shell.Application" condition="contains">{13709620-C279-11CE-A49E-444553540000}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: ShellBrowserWindow" condition="contains">{c08afd90-f2a1-11d1-8455-00a0c91f3880}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: ShellWindows" condition="contains">9BA05972-F6A8-11CF-A442-00A0C90A8F39</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Visio.Application" condition="contains">{00021A20-0000-0000-C000-000000000046}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: WScript.Shell" condition="contains">{72C24DD5-D70A-438B-8A42-98424B88AFB8}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Word.Application" condition="contains">{00020906-0000-0000-C000-000000000046}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Execution - Suspicious Cmdline - JScript Engine CLSID">{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Execution - Unusual Scripting Engine in use - chakra.dll">{1b7cd997-e5ff-4932-a7a6-2a9e636da385}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Execution - Unusual Scripting Engine in use - jscript9.dll">{16d51579-a30b-4c8b-a276-0ff4dc41e755}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" condition="contains any">rundll32.exe -sta;rundll32.exe /sta;rundll32 -sta;rundll32 /sta</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" condition="contains all">shell32.dll;SHCreateLocalServerRunDll</CommandLine>
-			<ParentCommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM Launch" condition="contains any">-k DcomLaunch;/k DcomLaunch</ParentCommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-
-			<!--MITRE ATT&CK TACTIC: Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
-			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,Level=4,Alert=Dark Halo Protected zip file creation,Risk=100" groupRelation="and">
-				<Image condition="image">7z.exe</Image>
-				<CommandLine condition="contains any">a -mx9 -r0 -p;a -v500m -mx9 -r0 -p</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
-			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">WindowsAudioDevice-Powershell-Cmdlet</CommandLine>
-			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">SoundRecorder.exe</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
-			<Image name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,Level=3,Alert=Data injected into clipboard,Risk=30" condition="is">clip.exe</Image>
-			<CommandLine name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,Level=3,Alert=Data pulled from clipboard,Risk=40" condition="contains">get-clipboard</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
-			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
-			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Possible Email Collection/Exfiltration,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">New-MailboxExportRequest</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">screencapture</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.drawing.Imaging</CommandLine>			
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.drawing.bitmap</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.windows.forms.screen</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
-			<!--MITRE ATT&CK TACTIC: Command and Control-->
-			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=base64 encoded URL https or http offset,Risk=80" groupRelation="and">
-				<CommandLine condition="contains any">odHRwczovL;aHR0cDovL;h0dHA6Ly;odHRwOi8v;aHR0cHM6Ly;h0dHBzOi8v</CommandLine>
-				<Image condition="excludes any">ie_to_edge_stub.exe;chrome.exe;firefox.exe;iexplore.exe;brave.exe;vivaldi.exe;msedge.exe;webex;teams.exe;goto opener.exe;lynx.exe;\Webex\webexAppLauncherLatest.exe;\WebEx\webexAppLauncher.exe;\WebEx\Applications\webexAppLauncher.exe;WebEx\webex.exe</Image>
-				<CommandLine condition="excludes any">wbx:;/SITE_TOKEN=;msteams:;PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSI</CommandLine>
-				<OriginalFileName condition="excludes any">msedgeupdate.dll</OriginalFileName>
-			</Rule>
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=Double Base64 encoded executable,Risk=90" groupRelation="and">
-				<CommandLine condition="contains any">VFZvQUFBQ;RWb0FBQU;UVm9BQUFB;VFZxQUFBR;RWcUFBQU;UVnFBQUFF;VFZwUUFBS;RWcFFBQU;UVnBRQUFJ;VFZxUUFBT;RWcVFBQU;UVnFRQUFN;VFZwVEFRR;RWcFRBUU;UVnBUQVFF</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=base64 encoded powershell" groupRelation="and">
-				<Image condition="image">powershell.exe</Image>
-				<CommandLine condition="contains any">AAAAYInlM;OiCAAAAYInlM;OiJAAAAYInlM;RwBlAHQAL;WwBOAGUAdAAuAFM;W05ldC5TZXJ2aWNl</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=Cyrillic Letter obfuscation,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">Г;И;К;П;д;и;к;л;л;н;н;о;ф;ե;թ;յ;ն;ն;ն;ն;տ;ւ;ք</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
-			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
-			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Rule name="Attack=T1105,Technique=Remote File Copy,Tactic=Command and Control,Level=4,Alert=Certutil file transfer,Risk=100" groupRelation="and">
-				<Image condition="image">certutil.exe</Image>
-				<CommandLine condition="contains all">urlcache;split;f</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=Command Line file transfer,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">DownloadFile;DownloadString;Net.WebClient;System.Net.WebRequest;System.Net.SecurityProtocolType;Invoke-Expression;Invoke-WebRequest</CommandLine>
-				<Image condition="contains any">powershell.exe;cmd.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=BitsAdmin File Transfers,Risk=70" groupRelation="and">
-				<OriginalFileName condition="is">bitsadmin.exe</OriginalFileName>
-				<CommandLine condition="contains any">CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME</CommandLine>
-				<CommandLine condition="excludes all">util;setieproxy;localsystem;AUTODETECT</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=BitsAdmin File Transfers 2,Risk=70" groupRelation="and">
-				<Description condition="contains">BITS administration utility</Description><!-- to detect renamed ones -->
-				<CommandLine condition="contains any">CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1105,Tactic=Command And Control,Technique=Ingress Tool Transfer,Level=4,Alert=Linux Ingress transfer tools on Windows,Risk=30" groupRelation="and">
-				<Image condition="contains any">\curl.exe;\wget.exe;\www.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1105,Tactic=Command And Control,Technique=Ingress Tool Transfer,Level=4,Alert=Linux Ingress transfer tools on Windows,Risk=30" groupRelation="and">
-				<Image condition="contains any">\curl.exe;\wget.exe;\www.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Certutil file download 1,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">certutil</OriginalFileName>
-				<CommandLine condition="contains all">split;f</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Certutil file download 2,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">certutil</OriginalFileName>
-				<CommandLine condition="contains any">verifyctl;URL</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=BitsAdmin File Transfers,Risk=70" condition="image">start-bitstransfer</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand.exe \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" condition="contains">ieexec http</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" condition="contains">ieexec.exe http</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Ingress Tool Transfer with Powercat,Risk=100" condition="contains">powercat</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" condition="contains any">esentutl /y \\;esentutl -y \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" condition="contains any">esentutl.exe /y \\;esentutl.exe -y \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" condition="contains">extrac32 \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" condition="contains">extrac32.exe \\</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
-			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
-			<CommandLine name="Attack=T1090,Technique=Connection Proxy,Tactic=Command and Control,Level=4,Alert=NetSH PortProxy,Risk=70" condition="contains">portproxy</CommandLine>
-			<Image name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Command and Control,Level=4,Alert=Tor Detected,Risk=100" condition="image">tor.exe</Image><!-- Tor-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
-			<Image name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Unattended Session" condition="image">TeamViewer_Desktop.exe</Image>
-			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=4,Alert=PSExec Command,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains any">psexec</OriginalFileName>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
-
-			<!--MITRE ATT&CK TACTIC: Exfiltration-->
-			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Exfiltration,Level=0,Desc=SCP Data exfiltration detected,Risk=100" groupRelation="and">
-				<Image condition="contains any">winscp.exe;winscp.com;scp.exe;pscp</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
-			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,Level=0,Desc=Data exfiltration Tool detected 3,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">bitch.exe;bitch.bat;bitch_lasagna.exe;Admin Cracker.exe;BulletsPassView.exe;ChromePass.exe;Dialupass.exe;LSASecretsView.exe;OpenedFilesView.exe;OperaPassView.exe;PasswordFox.exe;ProduKey.exe;RouterPassView.exe;USBDeview.exe;USBStealer.exe;VNCPassView.exe;WebBrowserPassView.exe;WirelessKeyView.exe;WirelessKeyView.exe;empv.exe;netpass.exe;pspv.exe;usbdll.exe;rdpv.exe;WirelessKeyView.exe;lasagna.exe;all -vvv &gt;&gt;;rsync -r</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,Level=0,Desc=CredsLeaker exfiltration tool detected,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">CredsLeaker;Windows.Security.Credentials.UI.CredentialPicker;function Leaker;function Await</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,Level=0,Desc=merlin CnC exfiltration detected 4,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">.exe -url https://;dll,Run https://;Invoke-Merlin;-m SimpleHTTPServer;/m SimpleHTTPServer</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=DNS Exfil detected,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">-q=txt;/q=txt</CommandLine>
-				<Image condition="image">nslookup.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1567.002,Technique=Exfiltration to Cloud Storage,Tactic=Exfiltration,Level=4,Alert=Rclone detected,Risk=100" groupRelation="or">
-				<OriginalFileName condition="contains any">rclone</OriginalFileName>
-				<Description condition="contains any">Rsync for cloud storage</Description>
-				<Product condition="contains any">rclone</Product>
-				<Company condition="contains any">rclone</Company>
-				<Image condition="contains any">\rclone</Image>
-			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=S3browser detected,Risk=100" groupRelation="or">
-				<OriginalFileName condition="contains any">s3browser</OriginalFileName>
-				<Description condition="contains any">s3browser</Description>
-				<Product condition="contains any">s3browser</Product>
-				<Image condition="contains any">s3browser</Image>
-			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=FTP exfiltration detected,Risk=100" groupRelation="or">
-				<CommandLine condition="contains any">add-ftp;.UploadFile(</CommandLine>
-				<Image condition="contains any">ftp.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1048,Tactic=Exfiltration,Technique=Exfiltration to Cloud Storage,Level=0,Desc=Webdav Share Mounted" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">davclnt.dll;DavSetCookie</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
-
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
-
-			<!--MITRE ATT&CK TACTIC: Impact-->
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Possible Ransomware Command Detected,Risk=100" groupRelation="and">
-				<Image condition="image">bcdedit.exe</Image>
-				<CommandLine condition="contains">safeboot</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Possible Ransomware Command Detected,Risk=100" groupRelation="and">
-				<Image condition="image">bootcfg.exe</Image>
-				<CommandLine condition="contains">safeboot</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Possible Ransomware Virtual Machine,Risk=60" groupRelation="and">
-				<CommandLine condition="contains any">-startvm;vrun.exe -vm</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with vssadmin Detected,Risk=100" groupRelation="and">
-				<Image condition="image">vssadmin.exe</Image>
-				<CommandLine condition="contains any">delete;resize</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wmic shadowcopy delete Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains all">shadowcopy;delete</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wbadmin.exe</OriginalFileName>
-				<CommandLine condition="contains all">SYSTEMSTATEBACKUP;delete</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wmic shadowstorage Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains">wmic shadowstorage SET MaxSpace=</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Destructive WMIC Commands Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains any">cleareventlog;call disable;nteventlog where filename</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Alert=Data Destruction with diskpart" groupRelation="and">
-				<OriginalFileName condition="contains">diskpart.exe</OriginalFileName>
-				<CommandLine condition="contains any">format;clean;delete;remove</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Alert=Data Destruction with manage-bde.exe" groupRelation="and">
-				<OriginalFileName condition="contains">manage-bde.exe</OriginalFileName>
-				<CommandLine condition="contains any">changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Alert=Data Destruction with manage-bde.wsf" groupRelation="and">
-				<CommandLine condition="contains">manage-bde.wsf</CommandLine>
-				<CommandLine condition="contains any">changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Data Destruction with format" condition="begin with">format </CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Data Destruction with format" condition="begin with">format </CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" condition="contains">bootstatuspolicy ignoreallfailures</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" condition="contains">recoveryenabled No</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with get-wmiobject Detected,Risk=100" condition="contains">Win32_Shadowcopy</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with sdelete Detected,Risk=100" condition="contains">sdelete</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">delete catalog</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">wbadmin delete catalog</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Desc=Data Destruction with erase Detected,Risk=100" condition="contains">erase</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">-nw -exec=</CommandLine><!-- vshadow -->
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">-p -nw</CommandLine><!-- vshadow -->
-			<Image name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with shred Detected,Risk=100" condition="contains">shred</Image>
-			<ParentImage name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Diskshadow Execution,Risk=70" condition="contains">diskshadow</ParentImage>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Command Line File Deletion,Risk=100" groupRelation="or">
-				<CommandLine condition="contains all"> del ; /f </CommandLine>
-				<CommandLine condition="contains all"> del ; -f </CommandLine>
-				<CommandLine condition="contains all"> rmdir ; /s ; /q </CommandLine>
-				<CommandLine condition="contains all"> rmdir ; -s ; -q </CommandLine>
-				<CommandLine condition="contains all"> rd ; /s ; /q </CommandLine>
-				<CommandLine condition="contains all"> rd ; -s ; -q </CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
-			<CommandLine name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=3,Alert=Potential Ransomware indicator" condition="contains">usn deletejournal</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
-			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
-			<Rule name="Attack=T1107,Technique=File Deletion,Tactic=Defense Evasion,Level=3,Alert=FSUtil USN Journal Deletion,Risk=60" groupRelation="and">
-				<Image condition="image">fsutil.exe</Image>
-				<CommandLine condition="contains">deletejournal</CommandLine>
-				<CommandLine condition="contains">usn</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
-			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
-			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
-			<!--Malicious Keywords Credits: Sean Metcalf (source), Florian Roth (rule)-->
-			<CommandLine name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,Level=4,Alert=Malicious Keywords from Exploitation Frameworks" condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
-			<!--Crypto Currency Miner Detections-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
-				<CommandLine condition="contains any">ahashpool;blazepool;blockmasters;blockmasterscoins;ccminer;cgminer;coinhive;hashrefinery;minergate;miningpoolhubcoins;nicehash;poolname;poolpassword;poolurl;rainbowminer;sgminer;stratum+tcp;xmrMiner;xmrig;yiimp;zergpool;zergpoolcoins;zpool</CommandLine>
-				<Description condition="contains any">CPU miner;GPU miner;Lime Miner;XMRig CPU miner; miner</Description>
-			</Rule>
-			<!--Malware Hashes-->
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst hashes,Risk=100" groupRelation="and">
-				<Hashes condition="contains any">b91ce2fa41029f6955bff20079468448;02af7cec58b9a5da1c542b5a32151ba1;2c4a910a1299cdae2a4e55988a2f102e;846e27a652a5e1bfbd0ddd38a16dc865;4f2eb62fa529c0283b28d05ddd311fae;56ceb6d0011d87b6e4d7023d7ef85676</Hashes>
-			</Rule>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
-			<Hashes name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=4,Alert=Generic APT Hash Detection,Risk=100" condition="contains any">4a069c1abe5aca148d5a8fdabc26751e;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;a4b42c2c95d1f2ff12171a01c86cd64f;98908ce6f80ecc48628c8d2bf5b2a50c;849a2b0dc80aeca3d175c139efe5221c;807d86da63f0db1fc746d1f0b05bc357;322cb39bc049aa69136925137906d855;86A4CAC227078B9C95C560C8F0370BF0;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;eac3e3ece94bc84e922ec077efb15edd;b4abe604916c04fe3dd8b9cb3d501d3f;88777aacd5f16599547926a4c9202862;128CECC59C91C0D0574BC1075FE7CB40;17a36ac3e31f3a18936552aff2c80249;0f49621b06f2cdaac8850c6e9581a594;3d129263f6a48647f103a04446fb0c2f;71345b139166482acaa568ac8816c7bc;1b60021baedc3f9201bcdb40e9b87f62;5E022694C0DBD1FBBC263D608E577949;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;37cd353621b0f4fc6981b50071c94f01;daf2da52475fd8981b19ec3c321a983c;afcdf79be1557326c854b6e20cb900a7;2f40abbb4f78e77745f0e657a19903fc953cc664;37b4496e650b3994312c838435013560b3ca8571;478dc5a5f934c62a9246f7d1fc275868f568bc07;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;0ac48cfa2ff8351365e99c1d26e082ad;0e9afd3a870906ebf34a0b66d8b07435;1aadf739782afcae6d1c3e4d1f315cbd;2a6f7ec77ab6bd4297e7b15ae06e2e61;3a771efb7ba2cd0df247ab570e1408b2;3d75c72144d873b3c1c4977fbafe9184;3dfebce4703f30eed713d795b90538b5;3ffd2915d285ad748202469d4a04e1f5;4e39620afca6f60bb30e031ddc5a4330;6cfd131fef548fcd60fbcdb59317df8e;7bcd736a2394fc49f3e27b3987cce640;7bfba2c69bed6b160261bdbf2b826401;7bfbd72441e1f2ed48fbc0f33be00f24;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;08e82dc7bae524884b7dc2134942aadb;8da15a97eaf69ff7ee184fc446f19cf1;9ad6fa6fdedb2df8055b3d30bd6f64f1;9c115e9a81d25f9d88e7aaa4313d9a8f;16ab79fb2fd92db0b1f38bedb2f02ed8;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;22d142f11cf2a30ea4953e1fffb0fa7e;36db24006e2b492cafb75f2663f241b2;51a7068640af42c3a7c1b94f1c11ab9d;69a19abf5ba56ee07cdd3425b07cf8bf;72dc98449b45a7f1ccdef27d51e31e91;77a745b07d9c453650dd7f683b02b3ed;80c37e062aa4c94697f287352acf2e9d;92f8e3f0f1f7cc49fad797a62a169acd;235d427f94630575a4ea4bff180ecf5d;320b2f1d9551b5d1df4fb19bd9ab253a;490a140093b5870a47edc29f33542fd2;520ee02668a1c7b7c262708e12b1ba6b;649ef1dd4a5411d3afcf108d57ff87af;684eca6b62d69ce899a3ec3bb04d0a5b;815f1f8a7bc1e6f94cb5c416e381a110;0969b2b399a8d4cd2d751824d0d842b4;2317d65da4639f4246de200650a70753;04078ef95a70a04e95bda06cc7bec3fa;8035a8a143765551ca7db4bc5efb5dfd;8403a28e0bffa9cc085e7b662d0d5412;9003cfaac523e94d5479dc6a10575e60;9793afcea43110610757bd3b800de517;27612cb03c89158225ca201721ea1aad;44619a88a6cff63523163c6a4cf375dd;061089d8cb0ca58e660ce2e433a689b3;81229c1e272218eeda14892fa8425883;84730a6e426fbd3cf6b821c59674c8a0;533340c54bd25256873b3dca34d7f74e;57314359df11ffdf476f809671ec0275;99828721ac1a0e32e4582c3f615d6e57;412956675fbc3f8c51f438c1abc100eb;5985087678414143d33ffc6e8863b887;a43d3b31575846fa4c3992b4143a06da;a571660c9cf1696a2f4689b2007a12c7;b4e67706103c3b8ee148394ebee3f268;b9c208ea8115232bfd9ec2c62f32d6b8;b9cf4301b7b186a75e82a04e87b30fe4;b72737b464e50aa3664321e8e001ff32;bfe3f6a79cad5b9c642bb56f8037c43b;c0e72eb4c9f897410c795c1b360090ef;c1e7850da5604e081b9647b58248d7e8;c3e255888211d74cc6e3fb66b69bbffb;cacaa3bf3b2801956318251db5e90f3c;cdb303f61a47720c7a8c5086e6b2a743;ce8ce92fb6565181572dce00d69c24f8;d8f1356bebda9e77f480a6a60eab36bb;d9e9f22988d43d73d79db6ee178d70a4;d5377dc1821c935302c065ad8432c0d2;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;f559c87b4a14a4be1bd84df6553aaf56;fc53f2cd780cd3a01a4299b8445f8511;ffc7305cb24c1955f9625e525d58aeee</Hashes>
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=4,Alert=Windows Credential Editor Detection,Risk=70" condition="contains any">e96a73c7bf33a464c510ede582318bf2;a53a02b997935fd8eedcb5f7abab9b9f</Hashes>
-			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Ransomware Hash Detection,Risk=100" condition="contains any">d326e629a90e78825645963b35e53a6a;c579341f86f7e962719c7113943bb6e4;dc5733c013378fa418d13773f5bfe6f1;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc7e564809d6c2a2f3457c3c9b91f22b;FE2CA1BE3BDA2A757036A89E54CC02DB;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b</Hashes>
-			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Ursniff Bank Malware,Risk=100" condition="contains">53841a0c6a3ff92976db08bfdf95e083</Hashes>
-			<!--UEBA Activities-->
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Zoom: passwordless meeting Start,Risk=30" groupRelation="and">
-				<CommandLine condition="contains">zoommtg</CommandLine>
-				<CommandLine condition="excludes">pwd=</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Zoom: Video and Audio Session Start" groupRelation="and">
-				<CommandLine condition="contains">zoommtg</CommandLine>
-				<CommandLine condition="contains">zc=0</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Zoom: Screen Share,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">zoommtg</CommandLine>
-				<CommandLine condition="contains">zc=1</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Microsoft Teams URL clicked" groupRelation="and">
-				<CommandLine condition="contains">msteams:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Webex URL clicked" groupRelation="and">
-				<CommandLine condition="contains">wbx:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Executed files within Downloads,Risk=30" groupRelation="and">
-				<Image condition="contains">C:\Users\</Image>
-				<Image condition="contains">\Downloads\</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Executed files on Desktop,Risk=10" groupRelation="and">
-				<Image condition="contains">C:\Users\</Image>
-				<Image condition="contains">\Desktop\</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Linux tools installed on windows,Risk=30" groupRelation="and">
-				<Image condition="contains any">\awk.exe;\sed.exe</Image>
-			</Rule>
-			<CommandLine condition="contains">listena</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=LOLBins" condition="contains any">-s -n -u -i:http:</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=LOLBins" condition="contains any">/s /n /u /i:http:</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">assoc </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">del </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">expand </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">md </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">move </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">rd </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">ren </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">set </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">setx </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="contains any">bginfo.bgi /popup /nolicprompt;bginfo.bgi -popup -nolicprompt</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="image">find.exe</CommandLine>
-			<CommandLine name="Attack=T1595,Technique=Hacking,Tactic=Execution,Level=3,Alert=FireEye/Fin6 Hacking tools" condition="contains">grabff</CommandLine>
-			<CommandLine name="Attack=T1595,Technique=Hacking,Tactic=Execution,Level=3,Alert=FireEye/Fin6 Hacking tools" condition="contains">routerscan</CommandLine>
-			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=3,Alert=Hacking with python,Risk=70" condition="contains">pythonEngine.Execute</CommandLine>
-			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=4,Alert=Hacking with session hijacking,Risk=100" condition="contains">sesshijack</CommandLine>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=File Protocol Handler Execution" condition="contains">file://</CommandLine>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">HTML Application host</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Manager Profile Installer</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft Application Virtualization Injector</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Application Compatibility Database Installer</Description>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">popd.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">pushd.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">subst.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=detect aliases" condition="image">doskey.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=detect cls in batch scripts" condition="image">cls.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=UNC\Device Launches - Image begins with \,Risk=10" condition="begin with">\</Image> 
-			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\system32\svchost.exe -k iissvcs</ParentCommandLine>
-			<ParentImage name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=UNC\Device Launches - Parent Image begins with \,Risk=10" condition="begin with">\</ParentImage> 
-			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Acrobat" condition="image">acrobat.exe</ParentImage>
-			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Adobe Reader" condition="image">acrord32.exe</ParentImage>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">java.exe</ParentImage>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">javaw.exe</ParentImage>
-			<!--Detect Output Redirection-->
-			<!-- Disabled for now: Reason: Overrides other detections, waiting on Sysmon multiple rule firing
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">2></CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">&gt;</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">&lt;</CommandLine>
-			-->
-			<!--Detect Multiple Commands-->
-			<Rule  name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
-			</Rule>
-			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Permission Modifications with icacls or cacls" condition="contains">cacls</Image>
-			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Ownership Permission Modifications with takeown" condition="contains">takeown</Image>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
-			<Rule  name="Attack=None,Technique=None,Tactic=None,Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
-				<CommandLine condition="contains">\pipe\</CommandLine>
-				<CommandLine condition="excludes">&gt;</CommandLine> <!--Excludes piping to pipe for cobalt strike detection-->
-			</Rule>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\\tsclient</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">%PROCESSOR_ARCHITECTURE%</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">sysnative</CommandLine>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">AutoIt</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft Filter Loader</Description> 
-			<Image name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=interactive command to slow output" condition="is">more.com</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">:\Windows\Microsoft.NET\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">acrord32.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">gpupdate.exe</Image>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
-			<!-- Log other command line events, this sometimes conflicts with rules, add to exclusions as necessary-->
-			<!-- <ParentCommandLine name="Information=Uncategorized Events" condition="contains any">/;\;-;unknown;</ParentCommandLine>-->
-		</ProcessCreate>
-	</RuleGroup>
-	<RuleGroup name="RG=Process Create Exclude Group" groupRelation="or">
-		<ProcessCreate onmatch="exclude">
-			<Rule name="exclude werfault from wmi" groupRelation="and">
-				<Image condition="image">C:\Windows\System32\WerFault.exe</Image>
-				<ParentImage condition="image">C:\Windows\System32\wbem\WmiPrvSE.exe</ParentImage>
-			</Rule>
-		</ProcessCreate>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
-	<RuleGroup name="RG=FileCreateTime Include Group" groupRelation="or">
-		<FileCreateTime onmatch="include">
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="begin with">C:\Users</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="begin with">C:\ProgramData</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\Temp\</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\tmp\</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\drivers\</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\Download</Image>
-		</FileCreateTime>
-	</RuleGroup>
-	<RuleGroup name="RG=FileCreateTime Exclude Group" groupRelation="or">
-		<FileCreateTime onmatch="exclude">
-			<Image condition="image">C:\Windows\system32\backgroundTaskHost.exe</Image>
-			<Image condition="image">TrustedInstaller.exe</Image>
-			<Image condition="image">OneDrive.exe</Image>
-			<Image condition="image">vivaldi.exe</Image>
-			<Image condition="image">chrome.exe</Image>
-			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image>
-			<Image condition="contains">setup</Image>
-			<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image>
-			<Image condition="end with">\AppData\Local\Microsoft\Edge SxS\Application\msedge.exe</Image>
-		</FileCreateTime>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
-	<RuleGroup name="RG=NetworkConnect Include Group" groupRelation="or">
-		<NetworkConnect onmatch="include">
-			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
-			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Census Network Connection,Risk=40" condition="contains">census</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=ResearchScan Network Connection,Risk=70" condition="contains">researchscan</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Scanhub Network Connection,Risk=70" condition="contains">scanhub</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Shadow Network Connection,Risk=50" condition="contains">shadow</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Shodan Network Connection,Risk=50" condition="contains">shodan</DestinationHostname>
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
-
-			<!--MITRE ATT&CK TACTIC: Resource Development-->
-			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
-
-			<!--MITRE ATT&CK TACTIC: Initial Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
-			
-			<!--MITRE ATT&CK TACTIC: Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
-			<Rule name="Attack=T1059,Technique=Visual Basic,Tactic=Execution,Level=4,Alert=WSCRIPT Network connection,Risk=80" groupRelation="and">
-				<Image condition="image">wscript.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
-			<!--MITRE ATT&CK TECHNIQUE: Native API-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<Image name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,Level=4,Alert=AT.EXE Task Scheduler Network Connection,Risk=30" condition="image">at.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,Level=4,Alert=SCHTasks.exe Task Scheduler Network Connection,Risk=30" condition="image">schtasks.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: System Services-->
-			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
-
-			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
-			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
-
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
-			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Temp file location network connection,Risk=30" groupRelation="and">
-				<Image condition="contains">\temp\</Image> <!--Network Connection in Temp Directories-->
-				<DestinationIp condition="excludes any">127.0.0.1</DestinationIp>		
-			</Rule>
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from wwwroot folder: Possible webshell,Risk=100" groupRelation="and">
-				<Image condition="contains">\wwwroot\</Image>
-			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from Windows\repair Folder,Risk=70" condition="begin with">C:\Windows\repair\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from htdocs folder,Risk=70" condition="contains">\htdocs\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from systemprofile Folder,Risk=30" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from Intel logs,Risk=100" condition="begin with">C:\Intel\Logs\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from Windows\Addins Folder,Risk=70" condition="begin with">C:\Windows\addins\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from Windows\security Folder,Risk=100" condition="begin with">C:\Windows\security\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from windows help folder,Risk=70" condition="begin with">C:\Windows\Help\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection in Recycle Bin,Level=4,Alert=Suspicious network connection from Recycle bin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection in Windows Debug folder,Risk=100" condition="begin with">C:\Windows\Debug\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection in Windows Font folder,Risk=100" condition="begin with">C:\Windows\Fonts\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Perflogs unusual network connection,Risk=70" condition="begin with">C:\PerfLogs\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Unusual network connection from Recycle bin,Risk=100" condition="contains">:\$Recycle.bin\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network Connection from Default User folder,Risk=30" condition="contains">:\Users\Default\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network Connection from NetworkService User folder,Risk=30" condition="begin with">C:\Users\NetworkService\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network connection from Public User folder,Risk=30" condition="begin with">C:\Users\Public\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network connection within Media Folder,Risk=30" condition="begin with">C:\Windows\Media\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Windows\IME\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\ProgramData</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
-			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
-			<Rule name="Attack=T1027.004,Tactic=Defense Evasion,Technique=Compile After Delivery,Level=4,Alert=CSC Network Conections" groupRelation="and">
-				<Image condition="image">CSC.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
-			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
-			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
-			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
-			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=0,Desc=infDefaultInstall Network Connection" condition="image">infDefaultInstall.exe</Image>
-			<Image name="Attack=T1218,Technique=Control Panel,Tactic=Defense Evasion,Level=0,Desc=Control Panel network connection" condition="image">SyncAppvPublishingServer.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Installutil-->
-			<Image name="Attack=T1218.004,Technique=InstallUtil,Tactic=Defense Evasion,Level=4,Alert=InstallUtil network connection" condition="image">InstallUtil.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Msiexec-->
-			<Image name="Attack=T1218.007,Technique=MSIExec,Tactic=Defense Evasion,Level=4,Alert=MSIExec Network connection,Risk=70" condition="image">msiexec.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvcs/regasm-->
-			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=4,Alert=RegAsm shellcode C2 connection" groupRelation="and">
-				<Image condition="contains any">regasm.exe;regsvcs.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Mavinject-->
-			<Image name="Attack=T1218.013,Technique=Signed Binary Proxy Execution: Mavinject,Tactic=Execution,Level=4,Alert=Mavinject detected,Risk=80" condition="image">Mavinject.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
-			<Rule name="Attack=T1127,Tactic=Defense Evasion,Technique=Signed Binary Proxy Execution,Level=4,Alert=MSBuild Network Conections" groupRelation="and">
-				<Image condition="image">msbuild.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
-			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
-
-			<!--MITRE ATT&CK TACTIC: Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
-			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
-			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
-			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
-
-			<!--MITRE ATT&CK TACTIC: Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
-			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
-			<Image name="Attack=T1482,Technique=Domain Trust Discovery,Tactic=Discovery,Level=0,Desc=DSQuery network connection" condition="image">dsquery.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
-			<Image name="Attack=T1518,Technique=Software Discovery,Tactic=Discovery,Level=0,Desc=DriverQuery Network Connection" condition="image">driverquery.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
-			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=4,Alert=NBTSTAT Query,Risk=30" condition="contains">nbtstat</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
-			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net.exe</Image>
-			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net1.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
-			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=QWinsta User enumeration,Risk=30" condition="image">qwinsta.exe</Image>
-			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=3,Alert=RWinsta Forced User Logoff,Risk=30" condition="image">rwinsta.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-
-			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
-			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Suspicious RDP Connection 3389,Risk=70" groupRelation="and">
-				<Initiated>true</Initiated>
-				<DestinationPort condition="is">3389</DestinationPort>
-				<Image condition="excludes">AutomationManager.ScriptRunner64.exe</Image>
-				<Image condition="excludes">C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe</Image>
-				<Image condition="excludes">C:\Program Files\VMware\VMware Remote Console\vmrc.exe</Image>
-				<Image condition="excludes">C:\Program Files\WindowsApps\Microsoft.RemoteDesktop_</Image>
-				<Image condition="excludes">CtxLicUsageRecorder.exe</Image>
-				<Image condition="excludes">FSAssessment.exe</Image>
-				<Image condition="excludes">FSDiscovery.exe</Image>
-				<Image condition="excludes">MobaRTE.exe</Image>
-				<Image condition="excludes">RDCMan.exe</Image>
-				<Image condition="excludes">RSSensor.exe</Image>
-				<Image condition="excludes">RTS2App.exe</Image>
-				<Image condition="excludes">RTSApp.exe</Image>
-				<Image condition="excludes">RemoteDesktopManager64.exe</Image>
-				<Image condition="excludes">RemoteDesktopManager.exe</Image>
-				<Image condition="excludes">RemoteDesktopManagerFree.exe</Image>
-				<Image condition="excludes">Terminals.exe</Image>
-				<Image condition="excludes">chrome.exe</Image>
-				<Image condition="excludes">mRemote.exe</Image>
-				<Image condition="excludes">mRemoteNG.exe</Image>
-				<Image condition="excludes">mstsc.exe</Image>
-				<Image condition="excludes">spiceworks-finder.exe</Image>
-				<Image condition="excludes">svchost.exe</Image>
-				<Image condition="excludes">thor64.exe</Image>
-				<Image condition="excludes">thor.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Suspicious RDP Connection 3391,Risk=70" groupRelation="and">
-				<Initiated>true</Initiated>
-				<DestinationPort condition="is">3391</DestinationPort>
-				<Image condition="excludes">AutomationManager.ScriptRunner64.exe</Image>
-				<Image condition="excludes">C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe</Image>
-				<Image condition="excludes">C:\Program Files\VMware\VMware Remote Console\vmrc.exe</Image>
-				<Image condition="excludes">C:\Program Files\WindowsApps\Microsoft.RemoteDesktop_</Image>
-				<Image condition="excludes">CtxLicUsageRecorder.exe</Image>
-				<Image condition="excludes">FSAssessment.exe</Image>
-				<Image condition="excludes">FSDiscovery.exe</Image>
-				<Image condition="excludes">MobaRTE.exe</Image>
-				<Image condition="excludes">RDCMan.exe</Image>
-				<Image condition="excludes">RSSensor.exe</Image>
-				<Image condition="excludes">RTS2App.exe</Image>
-				<Image condition="excludes">RTSApp.exe</Image>
-				<Image condition="excludes">RemoteDesktopManager64.exe</Image>
-				<Image condition="excludes">RemoteDesktopManager.exe</Image>
-				<Image condition="excludes">RemoteDesktopManagerFree.exe</Image>
-				<Image condition="excludes">Terminals.exe</Image>
-				<Image condition="excludes">chrome.exe</Image>
-				<Image condition="excludes">mRemote.exe</Image>
-				<Image condition="excludes">mRemoteNG.exe</Image>
-				<Image condition="excludes">mstsc.exe</Image>
-				<Image condition="excludes">spiceworks-finder.exe</Image>
-				<Image condition="excludes">svchost.exe</Image>
-				<Image condition="excludes">thor64.exe</Image>
-				<Image condition="excludes">thor.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Localhost RDP Tunneling Detection,Risk=70" groupRelation="and">
-				<Initiated>true</Initiated>
-				<DestinationPort condition="is">3389</DestinationPort>
-				<DestinationIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</DestinationIp>
-			</Rule>
-			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Link-Local RDP Tunnel Detection,Risk=70" groupRelation="and">
-				<Initiated>true</Initiated>
-				<DestinationPort condition="is">3389</DestinationPort>
-				<DestinationIp condition="begin with">fe80:0</DestinationIp>
-			</Rule>
-			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=SSH Connection with Putty,Risk=80" groupRelation="and">
-				<Image condition="contains any">putty.exe;kitty.exe;kitty_portable.exe</Image><!-- SSH -->
-			</Rule>
-			<Rule name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Windows Remote Management connection,Risk=0" groupRelation="and">
-				<Image condition="image">wsmprovhost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=PSFTP Connection,Risk=70" groupRelation="and">
-				<Image condition="image">psftp.exe</Image><!-- SFTP -->
-			</Rule>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote Registry via command line,Risk=30" condition="image">reg.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote Registry via command line,Risk=80" condition="contains">psshutdown</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote password change with PSPasswd,Risk=80" condition="contains">PsPasswd</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote querying of services,Risk=80" condition="contains">psservice</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=SSH Connection with ssh.exe,Risk=30" condition="image">ssh.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Sysinternals PSEXE Tools,Risk=100" condition="contains">psexe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=TSFTP Connection,Risk=70" condition="image">tftp.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Telnet Connection,Risk=30" condition="image">telnet.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=MSTSC Remote Desktop Connection" condition="image">mstsc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Remote WMIC commands,Risk=30" condition="image">wmic.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=SC.exe Network Connection" condition="image">sc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Sysinternals PSKILL Tools,Risk=80" condition="contains">pskill</Image>
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=0,Desc=DSQuery network connection" condition="image">dsquery.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=3,Alert=Automated SSH Connection with Putty PLink,Risk=30" condition="image">plink.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=VNC" condition="image">vnc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=VNC Viewer" condition="image">vncviewer.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=VNC Service" condition="image">vncservice.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement" condition="image">omniinet.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement" condition="image">hpsmhd.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-
-			<!--MITRE ATT&CK TACTIC: Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
-			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
-			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
-
-			<!--MITRE ATT&CK TACTIC: Command and Control-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<DestinationPort condition="is">50050</DestinationPort>
-				<Initiated>true</Initiated>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<DestinationPort condition="is">25</DestinationPort>
-				<Image condition="excludes any">\Bin\EdgeTransport.exe;Bin\MSExchangeFrontendTransport.exe</Image>
-				<Initiated>true</Initiated>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
-			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
-			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Rule name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Powershell Network Connection,Risk=30" groupRelation="and">
-				<Image condition="image">powershell.exe</Image>
-				<DestinationIp condition="excludes any">0:0:0:0:0:0:0:;127.0.0.1</DestinationIp>
-			</Rule>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=3,Alert=MSHTA Network Connection,Risk=100" condition="image">mshta.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=CMD Prompt network Connection,Risk=20" condition="image">cmd.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Certutil Connecting to network,Risk=20" condition="image">certutil.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Bitsadmin Connecting to network,Risk=20" condition="image">certutil.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Notepad Network Connection" condition="image">notepad.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=RegSVCS Network Connection,Risk=30" condition="image">regsvcs.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=RegSVR32 Network Connection,Risk=30" condition="image">regsvr32.exe</Image> 
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=RunDLL32 Network Connection,Risk=30" condition="image">rundll32.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
-			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy: Multi-hop Proxy-->
-			<Image name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=3,Alert=Tor Connection" condition="image">tor.exe</Image>
-			<DestinationHostname name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=3,Alert=Tor2Web,Risk=100" condition="contains any">hiddenservice.net;onion.city;onion.direct;onion.direct;onion.link;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org;onion.to</DestinationHostname>
-			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
-
-			<!--MITRE ATT&CK TACTIC: Exfiltration-->
-			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
-			<!-- DNS Over HTTPS-->
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=DNS Over HTTPS" condition="contains any">dns.google;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;doh.opendns.com;.quad9.net;dns.cleanbrowsing.org;dns-family.adguard.com;dns.adguard.com;.233py.com;dnscrypt;dnscrypt-cert.oszx.co;dns.oszx.co;doh.dns.sb;doh.defaultroutes.de;doh.tiarap.org;doh.tiar.app;doh.captnemo.in;.aaflalo.me;doh.appliedprivacy.net;doh.dnswarden.com;commons.host;dns.twnic.tw;ibuki.cgnat.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;.seby.io;rdns.faelix.net;doh.li;.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk;adblock.mydns.network;ibksturm.synology.me;jcdns.fun</DestinationHostname>
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=privatlab.com Cloud Exfiltration" condition="contains all">privatlab.com</DestinationHostname>
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=3,Alert=Mega.co.nz Cloud Exfiltration" condition="contains any">mega.nz;mega.co.nz</DestinationHostname>
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=3,Alert=PCloud Cloud storage Exfiltration" condition="contains any">.pcloud.com</DestinationHostname>
-			<!--MITRE ATT&CK TACTIC: Impact-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
-			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
-			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
-			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
-			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
-			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
-			<!--UEBA Rules-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
-				<DestinationPort condition="is not">3389</DestinationPort>
-				<DestinationPort condition="is not">22</DestinationPort>
-				<DestinationPort condition="is not">21</DestinationPort>
-				<DestinationPort condition="is not">5985</DestinationPort>
-				<Initiated>false</Initiated>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
-				<Initiated>true</Initiated>
-				<SourcePort condition="is not">135</SourcePort>
-				<SourcePort condition="is not">445</SourcePort>
-				<DestinationPort condition="is not">5985</DestinationPort>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="is not">System</Image>
-				<Image condition="excludes">svchost.exe</Image>
-				<DestinationPort condition="is">445</DestinationPort>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="is not">System</Image>
-				<Image condition="excludes any">svchost.exe;lsass.exe</Image>
-				<DestinationPort condition="is">389</DestinationPort>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">C:\Windows\System32\lsass.exe</Image>
-				<DestinationPort condition="is">389</DestinationPort>
-				<DestinationIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</DestinationIp>
-				<SourceHostname condition="excludes any">EXCH</SourceHostname>
-				<SourceIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</SourceIp>
-				<Initiated>false</Initiated>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Notepad connecting to the internet" groupRelation="and">
-				<Image condition="image">notepad.exe</Image>
-				<DestinationIp condition="excludes">127.0.0.1</DestinationIp>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
-				<DestinationPort condition="is not">80</DestinationPort>
-				<DestinationPort condition="is not">443</DestinationPort>
-				<Initiated>true</Initiated>
-			</Rule>
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">github</DestinationHostname> 
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">githubusercontent.com</DestinationHostname>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
-				<DestinationPort condition="is">80</DestinationPort>
-				<Initiated>true</Initiated>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
-				<DestinationPort condition="is">443</DestinationPort>
-				<Initiated>true</Initiated>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">apache.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">java.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">\php-cgi.exe;\php.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains">setup</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains">tomcat</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains">unins</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains">unknown process</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains">explorer.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">inetinfo.exe</Image>
-			</Rule>
-			<!--3rd Party tools-->
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">netcat.exe;nc.exe;nc64.exe;ncat.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">procdump</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">psexe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">vnc;vncs;vncv</Image>
-			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
-				<Image condition="contains any">rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe;advanced_port_scanner.exe;rcpping.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe</Image>
-			</Rule>
-			<!--Destination Ports to Monitor-->
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">0</DestinationPort>
-			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5985</DestinationPort>
-			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5986</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1293</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1701</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1194</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">3540</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">3389</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">22</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1080</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">3128</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">8080</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1723</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">23</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">4500</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">9001</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">9030</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">5900</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">5800</DestinationPort>
-			<!--Source Ports to Monitor-->
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">0</SourcePort>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
-				<DestinationPort condition="is">443</DestinationPort>
-				<Initiated>true</Initiated>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
-				<DestinationPort condition="is">80</DestinationPort>
-				<Initiated>true</Initiated>
-			</Rule>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">80</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">443</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">636</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">5900</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">443</SourcePort>
-			<!--Suspicious network connections-->
-			<DestinationHostname name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=4,Alert=Dynamic DNS Connection" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</DestinationHostname>
-		</NetworkConnect>
-	</RuleGroup>
-	<RuleGroup name="RG=NetworkConnect Exclude Group" groupRelation="or">
-		<NetworkConnect onmatch="exclude">
-			<Protocol condition="contains">udp</Protocol>
-			<!--Exclude Inter-process coms over localhost, may be dangerous at expense for noise reduction -->
-			<Rule name="exclude interprocess communications with localhost" groupRelation="and">
-				<Image condition="contains any">System;svchost.exe;oracle.exe;apache.exe;java.exe;php-cgi.exe;w3wp.exe;httpd;ServerManager.exe;unknown process;sql;wscript;cscript;schtasks;at.exe;reg.exe;C:\Windows\System32\find.exe</Image>
-				<SourceIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</SourceIp>
-				<DestinationIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</DestinationIp>
-			</Rule>
-			<!--SECTION: Custom -->
-			<Rule name="exclude dest ldap port 88" groupRelation="and">
-				<Image condition="image">C:\Windows\System32\lsass.exe</Image>
-				<DestinationPort condition="is">88</DestinationPort>
-			</Rule>
-			<!--Disable Monitoring of Protocols-->
-			<DestinationPortName condition="is">epmap</DestinationPortName>
-			<DestinationPortName condition="is">llmnr</DestinationPortName>
-			<DestinationPortName condition="is">microsoft-ds</DestinationPortName>
-			<DestinationPortName condition="is">netbios-dgm</DestinationPortName>
-			<DestinationPortName condition="is">ntp</DestinationPortName>
-			<DestinationPortName condition="is">ssdp</DestinationPortName>
-			<SourcePortName condition="is">epmap</SourcePortName>
-			<SourcePortName condition="is">llmnr</SourcePortName>
-			<SourcePortName condition="is">microsoft-ds</SourcePortName>
-			<SourcePortName condition="is">netbios-dgm</SourcePortName>
-			<SourcePortName condition="is">ntp</SourcePortName>
-			<SourcePortName condition="is">ssdp</SourcePortName>
-			<!--Disable Monitoring on Ports-->
-			<DestinationPort condition="is">53</DestinationPort>   <!--DNS Lookups-->
-			<DestinationPort condition="is">67</DestinationPort>  <!--Bootp Lookups-->
-			<DestinationPort condition="is">68</DestinationPort>  <!--Bootp Lookups-->
-			<DestinationPort condition="is">1434</DestinationPort>  <!--SQL spam.-->
-			<DestinationPort condition="is">1812</DestinationPort> <!--Radius-->
-			<DestinationPort condition="is">3544</DestinationPort> <!--Teredo-->
-			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
-			<DestinationPort condition="is">5228</DestinationPort> <!--Google Chrome Safe Search checks-->
-			<DestinationPort condition="is">5353</DestinationPort> <!--Bonjour/Avahi Discovery-->
-			<DestinationPort condition="is">5357</DestinationPort> <!--WSD API noise-->
-			<DestinationPort condition="is">5989</DestinationPort>  <!--Vcenter Secure server for CIM.-->
-			<DestinationPort condition="is">6007</DestinationPort>  <!--Exchange WMI Spam-->
-			<DestinationPort condition="is">49154</DestinationPort>  <!--DFRS/ADFS Replication spam-->
-			<DestinationPort condition="is">49209</DestinationPort>  <!--DFRS/ADFS Replication spam-->
-			<DestinationPort condition="is">52176</DestinationPort>  <!--DFRS/ADFS Replication spam-->
-			<DestinationPort condition="is">59241</DestinationPort>  <!--DFRS/ADFS Replication spam-->
-			<SourcePort condition="is">53</SourcePort>  <!--DNS Lookups-->
-			<SourcePort condition="is">67</SourcePort>  <!--Bootp Lookups-->
-			<SourcePort condition="is">68</SourcePort>  <!--Bootp Lookups-->
-			<SourcePort condition="is">1812</SourcePort> <!--Radius-->
-			<SourcePort condition="is">3702</SourcePort> <!--Windows: WS-Discovery noise-->
-			<SourcePort condition="is">6007</SourcePort>  <!--Exchange WMI Spam-->
-			<SourcePort condition="is">49154</SourcePort>  <!--DFRS/ADFS Replication spam-->
-			<SourcePort condition="is">49209</SourcePort>  <!--DFRS/ADFS Replication spam-->
-			<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
-			<SourcePort condition="is">52176</SourcePort>  <!--DFRS/ADFS Replication spam-->
-			<SourcePort condition="is">59241</SourcePort>  <!--DFRS/ADFS Replication spam-->
-			<!--SECTION: Microsoft -->
-			<DestinationHostname condition="end with">.bing.com</DestinationHostname>
-			<DestinationHostname condition="end with">.cloudapp.net</DestinationHostname>
-			<DestinationHostname condition="end with">.lync.com</DestinationHostname>
-			<DestinationHostname condition="end with">.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">.outlook.com</DestinationHostname>
-			<DestinationHostname condition="end with">.search.msn.com</DestinationHostname>
-			<DestinationHostname condition="end with">.wns.windows.com</DestinationHostname>
-			<DestinationHostname condition="end with">aps.windows.com</DestinationHostname>
-			<DestinationHostname condition="end with">arc.msn.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">arc.msn.com</DestinationHostname>
-			<DestinationHostname condition="end with">atson.telemetry.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">au.download.windowsupdate.com</DestinationHostname>
-			<DestinationHostname condition="end with">b.akamaiedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">bingforbusiness.com</DestinationHostname>
-			<DestinationHostname condition="end with">client-office365-tas.msedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">config.edge.skype.com</DestinationHostname>
-			<DestinationHostname condition="end with">csp.digicert.com</DestinationHostname>
-			<DestinationHostname condition="end with">ctldl.windowsupdate.com</DestinationHostname>
-			<DestinationHostname condition="end with">cy2.licensing.md.mp.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">cy2.settings.data.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">displaycatalog.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">download.windowsupdate.com</DestinationHostname>
-			<DestinationHostname condition="end with">e-msedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">e3.delivery.dsp.mp.microsoft.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">emdl.ws.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">ettings-win.data.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">fe2.update.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">fe3.delivery.dsp.mp.microsoft.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">fe3.delivery.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">g.akamaiedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">g.live.com</DestinationHostname>
-			<DestinationHostname condition="end with">g.msn.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">geo-prod.do.dsp.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">geo-prod.dodsp.mp.microsoft.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">ile-service.weather.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">ip5.afdorigin-prod-am02.afdogw.com</DestinationHostname>
-			<DestinationHostname condition="end with">ipv4.login.msa.akadns6.net</DestinationHostname>
-			<DestinationHostname condition="end with">licensing.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">m3p.wns.notify.windows.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">modern.watson.data.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">msedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">msn.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">msn.com</DestinationHostname>
-			<DestinationHostname condition="end with">ocation-inference-westus.cloudapp.net</DestinationHostname>
-			<DestinationHostname condition="end with">ocos-office365-s2s.msedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">ocsp.digicert.com</DestinationHostname>
-			<DestinationHostname condition="end with">odern.watson.data.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">oneclient.sfx.ms</DestinationHostname>
-			<DestinationHostname condition="end with">pv4.login.msa.akadns6.net</DestinationHostname>
-			<DestinationHostname condition="end with">query.prod.cms.rt.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">ris.api.iris.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">ris.api.iris.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">s-msedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">settings.data.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">sfe.trafficshaping.dsp.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">sls.update.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">storecatalogrevocation.storequality.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">storeedgefd.dsx.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">telecommand.telemetry.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">tile-service.weather.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">tlu.dl.delivery.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">tsfe.trafficshaping.dsp.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">vip5.afdorigin-prod-am02.afdogw.com</DestinationHostname>
-			<DestinationHostname condition="end with">vip5.afdorigin-prod-ch02.afdogw.com</DestinationHostname>
-			<DestinationHostname condition="end with">virtualearth.net</DestinationHostname>
-			<DestinationHostname condition="end with">windows.net</DestinationHostname>
-			<DestinationHostname condition="end with">windowsupdate.com</DestinationHostname>
-			<DestinationHostname condition="end with">y2.displaycatalog.md.mp.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">y2.licensing.md.mp.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">y2.settings.data.microsoft.com.akadns.net</DestinationHostname>
-			<Image condition="image">EdgeTransport.exe</Image>
-			<Image condition="image">MSExchangeDelivery.exe</Image>
-			<Image condition="image">MSExchangeFrontendTransport.exe</Image>
-			<Image condition="image">MSExchangeHMWorker.exe</Image>
-			<Image condition="image">MSExchangeSubmission.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">\</Image>
-		</NetworkConnect>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->
-
-		<!--DATA: UtcTime, State, Version, SchemaVersion-->
-		<!--Cannot be filtered.-->
-
-	<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
-		<!--COMMENT:	Useful data in building infection timelines.-->
-		<RuleGroup name="RG=ProcessTerminate Include Group" groupRelation="or">
-		<ProcessTerminate onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="begin with">C:\Windows\</Image>
-				<Image condition="excludes">\System32\;Syswow64;sysmon.exe;sysmon64.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="begin with">C:\Windows\system32\</Image>
-				<Image condition="excludes">config\systemprofile\</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">A:\;B:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;L:\;M:\;N:\;O:\;P:\;Q:\;R:\;S:\;T:\;U:\;V:\;W:\;X:\;Y:\;Z:\;AA:\;BB:\;CC:\;DD:\;EE:\;FF:\;GG:\;HH:\;II:\;JJ:\;KK:\;LL:\;MM:\;NN:\;OO:\;PP:\;QQ:\;RR:\;SS:\;TT:\;UU:\;VV:\;WW:\;XX:\;YY;ZZ:\</Image>
-				<Image condition="excludes">:\PROGRA~</Image>
-				<Image condition="excludes">:\Program Files</Image>
-				<Image condition="excludes">:\Program Files</Image>
-				<Image condition="excludes">:\Program Files</Image>
-				<Image condition="excludes">:\ProgramData\</Image>
-				<Image condition="excludes">:\Users\</Image>
-				<Image condition="excludes">:\Windows\</Image>
-				<Image condition="excludes">:\inetpub\</Image>
-				<Image condition="excludes">:\$SysReset</Image>
-				<Image condition="excludes">:\$WinREAgent</Image>
-				<Image condition="excludes">:\inetpub\</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="begin with">\</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="begin with">C:\Users\</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="begin with">C:\ProgramData\</Image>
-				<Image condition="excludes any">C:\ProgramData\sysmon\sysmon64.exe;C:\ProgramData\sysmon\sysmon.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">C:\Program Files;C:\PROGRA~</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="begin with">C:\inetpub\</Image>
-			</Rule>
-		<!-- Useful data in building infection timelines.-->
-			<Image name="Attack=T1036,Tactic=Masquerading,Technique=Defense Evasion,Level=4,Alert=Process Termination in Recyclebin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
-			<Image name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=0,Desc=Process Terminate: Killing of Log Shippers" condition="contains any">packetbeat.exe;metricbeat.exe;filebeat.exe;winlogbeat.exe;o365beat.exe;graylog-sidecar.exe;graylog-collector-sidecar.exe;splunkd.exe;splunk.exe;syslogng.exe;syslog-ng.exe;nxlog-processor.exe;snarecore.exe;fluentd;td-agent</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\sysWOW64\config\systemprofile\</Image>
-			<Image condition="contains">\Temp\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">C:\Users\</Image>
-		</ProcessTerminate>
-	</RuleGroup>
-	<RuleGroup name="RG=ProcessTerminate Exclude Group" groupRelation="or">
-			<ProcessTerminate onmatch="exclude">
-			<Image condition="end with">Microsoft\Teams\current\Teams.exe</Image>
-			<Image condition="end with">\git.exe</Image>
-			<Image condition="end with">Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Image>
-			<Image condition="begin with">C:\ProgramData\Lenovo\ImController\</Image>
-		</ProcessTerminate>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
-	<RuleGroup name="RG=DriverLoad Include Group" groupRelation="or">
-		<DriverLoad onmatch="include">
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst driver hashes,Risk=100" groupRelation="and">
-				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Vulnerable Dell Drivers Detected,Risk=100" groupRelation="and">
-				<Hashes condition="contains any">0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5;c948ae14761095e4d76b55d9de86412258be7afd;c996d7971c49252c582171d9380360f2;ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1;10b30bdee43b3a2ec4aa63375577ade650269d25;d2fd132ab7bbc6bbb87a84f026fa0244</Hashes><!-- exclude non executable files -->
-			</Rule>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=DumpExt.dll driver loaded,Risk=100" condition="contains">DumpExt.dll</ImageLoaded>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=Mimikatz driver loaded,Risk=100" condition="contains">mimidrv</ImageLoaded>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=PWDump6 driver loaded,Risk=100" condition="contains">lsremora</ImageLoaded>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=wceaux.dll driver loaded,Risk=100" condition="contains">wceaux.dll</ImageLoaded>
-			<ImageLoaded name="Attack=T1040,Tactic=Discovery,Technique=Network Sniffing,Level=4,Alert=NPCap packet capture driver loaded,Risk=100" condition="contains">npcap</ImageLoaded>
-			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Temp</ImageLoaded>
-			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">:\Users</ImageLoaded>
-			<Signature name="Attack=T1019,Technique=System Firmware,Tactic=Persistence,Level=4,Alert=UEFI Rootkit detection,Risk=100" condition="contains">ChongKim Chan</Signature>
-			<SignatureStatus condition="contains">?</SignatureStatus>
-			<SignatureStatus condition="contains">Revoked</SignatureStatus>
-			<SignatureStatus condition="contains">Unavailable</SignatureStatus>
-			<SignatureStatus condition="contains">Valid</SignatureStatus>
-			<Signed name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">false</Signed>
-		</DriverLoad>
-	</RuleGroup>
-	<RuleGroup name="RG=DriverLoad Exclude Group" groupRelation="or">
-		<DriverLoad onmatch="exclude">
-		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
-				about what you exclude from monitoring. Low event volume, little incentive to exclude.-->
-		</DriverLoad>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
-		<!--COMMENT:	Can cause high system load, disabled by default.-->
-		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
-	<RuleGroup name="RG=Image Load Includes" groupRelation="or">
-		<ImageLoad onmatch="include">
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=MSDT Loading diagnostic library: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<Image condition="is">msdt.exe</Image>
-				<ImageLoaded condition="contains">sdiageng.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wshom.ocx</ImageLoaded>
-				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="image">ntkrnlmp.exe</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,CVE=CVE-2021-1675,Level=0,Desc=Printer Expoit,Risk=100" groupRelation="and">
-				<ImageLoaded condition="contains any">\spool\drivers\x64\3\;\spool\drivers\W32X86\3\;\spool\drivers\IA64\3\</ImageLoaded>
-				<Image condition="contains any">spoolsv.exe;printisolationhost.exe</Image>
-				<SignatureStatus condition="excludes">Valid</SignatureStatus>
-				<Company condition="excludes any">Brother Industries;Canon;Sharp;Microsoft Corporation;DYMO;Euro Plus d.o.o;HP Inc;Hewlett-Packard</Company>
-			</Rule>
-			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=0,Desc=DLL Image Load by System in Suspicious Locations" groupRelation="and">
-				<Image condition="begin with">C:\Windows\</Image>
-				<ImageLoaded condition="contains any">\Users\Public\;\Desktop\;\Downloads\;\AppData\Local\Temp\;\PerfLogs\;$Recycle;\Fonts\</ImageLoaded>
-				<ImageLoaded condition="excludes any">\Program Files</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">EQNEDT32.EXE</Image>
-				<ImageLoaded condition="contains">EQNEDT32.EXE</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=Windows Active Directory Services DLL Loading in Susicious Directories,Risk=100" groupRelation="and">
-				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
-				<Image condition="contains any">C:\Users;\Temp\;\ProgramData\</Image>
-			</Rule>
-			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=Windows Active Directory Services DLL Loading by Suspicious Process,Risk=100" groupRelation="and">
-				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
-				<Image condition="contains any">wscript.exe;cscript.exe;powershell.exe;rundll32.exe;msbuild.exe;msiexec.exe;csc.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wshom.ocx</ImageLoaded>
-				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll;fastprox.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">wscript.exe;cscript.exe</Image>
-				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">wmiprvse.exe</Image>
-				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">powershell.exe</Image>
-				<ImageLoaded condition="is">msi.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains">powershell</Image>
-				<ImageLoaded condition="is">amsi.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="excludes">powershell</Image>
-				<ImageLoaded condition="is">amsi.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="is">clr.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="contains all">clr.dll;System.Management.ni.dll;Microsoft.Build.Utilities</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">wscript.exe;cscript.exe</Image>
-				<ImageLoaded condition="contains all">msxml;wshom.ocx</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">wscript.exe;cscript.exe</Image>
-				<ImageLoaded condition="contains all">winhttp.dll;mswsock.dll;IPHLPAPI.DLL</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">installutil.exe</Image>
-				<ImageLoaded condition="contains all">CustomMarshalers.dll;CustomMarshalers.ni.dll;System.Management.ni.dll;WMINet_Utils.dll;mswsock.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="end with">System.Management.Automation.ni.dll</ImageLoaded>
-				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="end with">System.Management.Automation.dll</ImageLoaded>
-				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
-				<ImageLoaded condition="excludes any">Lenovo.Vantage.AddinHost;\Microsoft.Sara.exe;C:\Program Files\CONEXANT</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded>
-				<Image condition="excludes any">\svchost.exe;\GameBar.exe;C:\Program Files\WindowsApps;\Microsoft\Teams\current\Teams.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="begin with">\\</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="contains">\Microsoft\Word\Startup\</ImageLoaded>
-				<ImageLoaded condition="end with">.wll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="contains">\Microsoft\Excel\Startup\</ImageLoaded>
-				<ImageLoaded condition="end with">.xll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="contains">\Microsoft\Addins\</ImageLoaded>
-				<ImageLoaded condition="contains any">.xla</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Defense Evasion,Level=4,Alert=Ransomware detected tor library,Risk=100" groupRelation="and">
-				<ImageLoaded condition="contains">tor-lib.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Cred Dumping,Risk=90" groupRelation="and">
-				<ImageLoaded condition="is any">C:\Windows\System32\WinSCard.dll;C:\Windows\System32\cryptdll.dll;C:\Windows\System32\hid.dll;C:\Windows\System32\samlib.dll;C:\Windows\System32\vaultcli.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Mimikatz Cred Dumping,Risk=100" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<ImageLoaded condition="contains all">vaultcli.dll;wlanapi.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">combase.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">cryptdll.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">imm32.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">logoncli.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">netapi32.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">ntasn1.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">ntdsapi.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">samlib.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">shcore.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">srvcli.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="contains all">odbc32.dll;winhttp.dll;netapi32.dll;SHLWAPI.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">C:\Windows\Explorer.EXE</Image>
-				<ImageLoaded condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="begin with">C:\ProgramData\</Image>
-				<ImageLoaded condition="begin with">C:\ProgramData\</ImageLoaded>
-				<ImageLoaded condition="end with">.exe</ImageLoaded>
-				<Company condition="excludes">Adobe</Company>
-				<Image condition="excludes">C:\ProgramData\Lenovo\</Image>
-				<ImageLoaded condition="excludes">C:\ProgramData\Microsoft\Windows Defender\</ImageLoaded>
-				<ImageLoaded condition="excludes">C:\ProgramData\sysmon\sysmon64.exe</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="contains any">C:\Users\Default\;C:\Users\Public\</ImageLoaded>
-				<ImageLoaded condition="end with">.exe</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst image hashes,Risk=100" groupRelation="and">
-				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
-				<Signed condition="is">false</Signed>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<SignatureStatus condition="is">Revoked</SignatureStatus>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<SignatureStatus condition="is">Expired</SignatureStatus>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=HTA Exec with IE JS Engine AMSI Bypass" groupRelation="and">
-				<ImageLoaded condition="end with">jscript9.dll</ImageLoaded>
-				<Image condition="image">mshta.exe</Image>
-			</Rule>
-			<ImageLoaded condition="end with">scrobj.dll</ImageLoaded>
-			<ImageLoaded condition="end with">crypt0.dll</ImageLoaded>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Wireless Credential Dumping" groupRelation="and">
-				<ImageLoaded condition="end with">C:\Windows\System32\wlanapi.dll</ImageLoaded>
-				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe</Image>
-				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe</Image>
-				<Image condition="excludes">C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience</Image>
-				<Image condition="excludes">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
-				<Image condition="excludes">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\AppHostRegistrationVerifier.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\CompatTelRunner.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\DeviceCensus.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\DriverStore\FileRepository\</Image>
-				<Image condition="excludes">C:\Windows\System32\LogonUI.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\MoNotificationUx.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\SystemSettingsBroker.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\dxgiadaptercache.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\netsh.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\wlanext.exe</Image>
-				<Image condition="excludes">C:\Windows\UUS\amd64\MoUsoCoreWorker.exe</Image>
-				<Image condition="excludes">C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_</Image>
-				<Image condition="excludes">C:\Windows\explorer.exe</Image>
-			</Rule>
-			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
-		</ImageLoad>
-	</RuleGroup>
-	<RuleGroup name="RG=Image Load Excludes" groupRelation="or">
-		<ImageLoad onmatch="exclude">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains">\Microsoft Office\</Image>
-				<ImageLoaded condition="end with">\mscorlib.ni.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains">\Microsoft Office\</Image>
-				<ImageLoaded condition="end with">\sppc.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
-				<Signed condition="is">true</Signed>
-			</Rule>
-			<!--Universal Exclusions: Be Careful-->
-			<Company condition="contains">Fortinet</Company>
-			<Company condition="contains">Lenovo</Company>
-			<Company condition="contains">Sophos</Company>
-			<Image condition="end with">mscorsvw.exe</Image>
-			<Image condition="image">C:\Program Files (x86)\Microsoft Office\root\Office15\officebackgroundtaskhandler.exe</Image>
-			<Image condition="image">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
-			<Image condition="image">C:\Program Files\Microsoft Office\root\Office15\officebackgroundtaskhandler.exe</Image>
-			<Image condition="image">C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
-			<Image condition="image">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
-			<Image condition="image">C:\Windows\System32\InstallAgentUserBroker.exe</Image>
-			<Image condition="image">C:\Windows\System32\RuntimeBroker.exe</Image>
-			<Image condition="image">C:\Windows\System32\SearchIndexer.exe</Image>
-			<Image condition="image">C:\Windows\System32\SettingSyncHost.exe</Image>
-			<Image condition="image">C:\Windows\System32\backgroundTaskHost.exe</Image>
-			<Image condition="image">C:\Windows\System32\sppsvc.exe</Image>
-			<Image condition="image">C:\Windows\System32\taskhost.exe</Image>
-			<Image condition="image">C:\Windows\System32\taskhostw.exe</Image>
-			<Image condition="image">C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe</Image>
-			<Image condition="image">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
-			<Image condition="image">HxTsr.exe</Image>
-			<Image condition="image">SearchUI.exe</Image>
-			<ImageLoaded condition="contains">C:\Program Files (x86)\Common Files\BIExcelFunctions1.1\32bit\Sage.</ImageLoaded>
-			<ImageLoaded condition="contains">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Pfx.</ImageLoaded>
-			<ImageLoaded condition="is">C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Adist64.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Program Files (x86)\Microsoft Office\Office15\Library\Analysis\ANALYS32.XLL</ImageLoaded>
-			<ImageLoaded condition="is">C:\Program Files (x86)\Microsoft Office\Office16\Library\Analysis\ANALYS32.XLL</ImageLoaded>
-			<ImageLoaded condition="is">C:\Program Files\Microsoft Office\Office15\Library\Analysis\ANALYS32.XLL</ImageLoaded>
-			<ImageLoaded condition="is">C:\Program Files\Microsoft Office\Office16\Library\Analysis\ANALYS32.XLL</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\SysWOW64\sppc.dll</ImageLoaded>
-			<ImageLoaded condition="is">Microsoft.Office.Interop.VisOcx.dll</ImageLoaded>
-			<ImageLoaded condition="is">Microsoft.Office.Interop.Word.dll</ImageLoaded>
-			<ImageLoaded condition="is">Microsoft.Vbe.Interop.dll</ImageLoaded>
-			<ImageLoaded condition="is">OFFICE.DLL</ImageLoaded>
-		</ImageLoad>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
-	<RuleGroup name="RG=CreateRemoteThread Include Group" groupRelation="or">
-		<CreateRemoteThread onmatch="include">
-			<!--Custom Rules-->
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from lsass,Risk=100" groupRelation="and">
-				<StartAddress condition="is">0x001A0000</StartAddress>
-				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privledge Escalation,Level=4,Alert=CreateRemoteThread with msiexec,Risk=100" groupRelation="and">
-				<SourceImage condition="contains any">msiexec.exe</SourceImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=Remote Thread Injection Targetting Web Browser,Risk=70" groupRelation="and">
-				<TargetImage condition="contains any">chrome.exe;firefox.exe;edge.exe;browser_broker.exe;iexplore.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=0,Desc=LSASS Credential dumping,Risk=70" groupRelation="and">
-				<StartAddress condition="is">0x001A0000</StartAddress>
-				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=0,Desc=Rundll32 LSASS Credential dumping,Risk=70" groupRelation="and">
-				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
-				<SourceImage condition="image">c:\windows\system32\rundll32.exe</SourceImage>
-			</Rule>
-			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,Level=4,Alert=Remote Thread Process debugging detected,Risk=30" groupRelation="and">
-				<StartFunction condition="contains">DbgUiRemoteBreakin</StartFunction>
-				<TargetImage condition="excludes">nacl64.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,Level=0,Desc=Remote Query Debug info,Risk=30" groupRelation="and">
-				<StartFunction condition="contains">QueryProcessDebugInformationRemote</StartFunction>
-				<TargetImage condition="excludes">nacl64.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,Tactic=Defense Evasion,Level=0,Desc=Query Debug info 2,Risk=30" groupRelation="and">
-				<StartFunction condition="contains">isdebuggerpresent</StartFunction>
-				<TargetImage condition="excludes">nacl64.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1546.012,Technique=Process Debugging Detected,Tactic=Defense Evasion,Level=3,Alert=Process Debug of active Process,Risk=30" groupRelation="and">
-				<StartFunction condition="contains">DebugActiveProcess</StartFunction>
-				<TargetImage condition="excludes">nacl64.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1055.001,Technique=Process Injection: Dynamic-link Library Injection,Tactic=Defense Evasion,Level=3,Alert=LoadLibrary DLL Injection,Risk=70" groupRelation="and">
-				<StartFunction condition="contains">LoadLibrary</StartFunction>
-				<SourceImage condition="excludes">C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe</SourceImage>
-				<SourceImage condition="excludes">C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe</SourceImage>
-				<SourceImage condition="excludes">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</SourceImage>
-				<SourceImage condition="excludes">C:\Windows\System32\DriverStore\FileRepository\</SourceImage>
-				<SourceImage condition="excludes">C:\Windows\System32\igfxEM.exe</SourceImage>
-				<SourceImage condition="excludes">C:\Windows\System32\igfxHK.exe</SourceImage>
-				<SourceImage condition="excludes">Enterprise\Common7\IDE\devenv.exe</SourceImage>
-				<TargetImage condition="excludes">C:\Program Files (x86)\ASUS\ROG Live Service\FileOperator.exe</TargetImage>
-				<SourceImage condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</SourceImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=CreateFileMapping,Risk=70" groupRelation="and">
-				<StartFunction condition="contains any">CreateFileMapping;MapViewOfFile</StartFunction>
-			</Rule>			
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=LdrLoadDll DLL Injection,Risk=70" groupRelation="and">
-				<StartFunction condition="contains any">LdrLoadDll</StartFunction>
-			</Rule>
-			<Rule name="Attack=T1106,Technique=Native API,Tactic=Execution,Level=0,Desc=Crypt API Usage" groupRelation="and">
-				<StartFunction condition="contains any">CryptAcquireContextA;CryptDecodeObjectEx;CryptImportPublicKeyInfo;CryptEncrypt;CryptGenKey;CryptDecrypt;CryptStringToBinary;CryptBinaryToString;CryptImportKey</StartFunction>
-			</Rule>
-			<Rule name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,Level=0,Desc=Clipboard Usage Detected" groupRelation="and">
-				<SourceImage condition="image">c:\windows\system32\csrss.exe</SourceImage>
-				<StartFunction condition="contains">CrtlRoutine</StartFunction>
-			</Rule>
-			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Detected 1,Risk=100" condition="end with">0B80</StartAddress>
-			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Detected 2,Risk=100" condition="end with">0C7C</StartAddress>
-			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Detected 3,Risk=100" condition="end with">0C88</StartAddress>
-			<TargetImage name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=Remote Desktop injection,Risk=30" condition="image">c:\windows\system32\mstsc.exe</TargetImage>
-			<Rule name="Alert=Potentially Detect EtwEventWrite Tampering with remote threads" groupRelation="and">
-				<StartModule condition="is">C:\WINDOWS\SYSTEM32\ntdll.dll</StartModule>
-				<StartFunction condition="contains">EtwEventWrite</StartFunction>
-			</Rule>
-		</CreateRemoteThread>
-	</RuleGroup>
-	<RuleGroup name="RG=CreateRemoteThread Exclude Group" groupRelation="or">
-		<CreateRemoteThread onmatch="exclude">
-			<!--COMMENT: Exclude mostly-safe sources and log anything else.-->
-			<SourceImage condition="image">C:\Windows\SysWOW64\wbem\WmiPrvSE.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\system32\audiodg.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\system32\services.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\system32\svchost.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\system32\wininit.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\system32\winlogon.exe</SourceImage>
-		</CreateRemoteThread>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
-	<RuleGroup name="RG=RawAccessRead Include Group" groupRelation="or">
-		<RawAccessRead onmatch="include">
-		</RawAccessRead>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
-	<RuleGroup name="RG=ProcessAccess Include Group" groupRelation="or">
-		<ProcessAccess onmatch="include">
-			<!--Custom Rules-->
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CSShellExecute_ExecuteAssoc,Risk=30" groupRelation="and">
-				<CallTrace condition="contains">C:\Windows\System32\SHELL32.dll+9b5bd</CallTrace>
-				<TargetImage condition="excludes">\LocalBridge.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSHellExec,Risk=50" groupRelation="and">
-				<CallTrace condition="contains any">C:\Windows\System32\wshom.ocx+c8a0;C:\Windows\System32\wshom.ocx+c39d</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Tactic=Execution,Level=0,Desc=CWbemProviderGlueExecMethodAsync,Risk=50" groupRelation="and">
-				<CallTrace condition="contains">C:\Windows\SYSTEM32\framedynos.dll+2cb3e</CallTrace>
-				<TargetImage condition="excludes any">C:\Windows\system32\SgrmBroker.exe;C:\Windows\system32\SecurityHealthService.exe;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Windows\system32\services.exe;C:\Windows\system32\wininit.exe;C:\Windows\system32\sppsvc.exe;C:\Windows\System32\smss.exe;C:\Windows\system32\csrss.exe;C:\Windows\System32\svchost.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Tactic=Execution,Level=0,Desc=ProviderExecMethod 1,Risk=60" groupRelation="and">
-				<CallTrace condition="contains">C:\Windows\SYSTEM32\framedynos.dll+2b496</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=MiniDumpWriteDump,Risk=50" groupRelation="and">
-				<CallTrace condition="contains">C:\Windows\SYSTEM32\dbgcore.DLL+6cfb</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=PssCaptureSnapShot,Risk=50" groupRelation="and">
-				<CallTrace condition="contains">C:\Windows\System32\KernelBase.dll+de67e</CallTrace>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<CallTrace condition="contains">ntdll.dll+a0044</CallTrace>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<CallTrace condition="contains any">clr.dll+6c23;clr.dll+6b38</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 1,Risk=30" groupRelation="and">
-				<CallTrace condition="contains all">C:\Windows\\SYSTEM32\ntdll.dll+;|C:\Windows\System32\KERNELBASE.dll+;|UNKNOWN(</CallTrace>
-				<CallTrace condition="end with">)</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 2,Risk=30" groupRelation="and">
-				<CallTrace condition="contains all">"UNKNOWN(;)|UNKNOWN(</CallTrace>
-				<CallTrace condition="end with">)</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 3,Risk=30" groupRelation="and">
-				<CallTrace condition="contains all">"UNKNOWN</CallTrace>
-				<GrantedAccess condition="contains any">0x1F0FFF;0x1F1FFF;0x143A;0x1410;0x1010;0x1F2FFF;0x1F3FFF;0x1FFFFF</GrantedAccess>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=Office Macro Injection Detected,Risk=100" groupRelation="and">
-				<SourceImage condition="contains all">C:\Program Files;\Microsoft Office\Root\Office</SourceImage>
-				<CallTrace condition="contains">\Microsoft Shared\VBA</CallTrace>
-				<TargetImage condition="excludes">C:\Program Files (x86)\Intuit\</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Credential Access,Risk=70" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<GrantedAccess>0x1FFFFF</GrantedAccess>
-				<CallTrace condition="contains">UNKNOWN</CallTrace>
-				<CallTrace condition="excludes">WmiPerfClass.dll</CallTrace>
-				<SourceImage condition="excludes any">C:\Windows\sysWOW64\wbem\wmiprvse.exe;C:\Windows\system32\wbem\wmiprvse.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe;WmiPerfClass.dll;C:\Program Files (x86)\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files (x86)\Common Files\Adobe</SourceImage>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Mimikatz through Windows Remote Management,Risk=100" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<SourceImage condition="image">C:\Windows\system32\wsmprovhost.exe</SourceImage>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS process access by LaZagne,Risk=100" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<GrantedAccess>0x1FFFFF</GrantedAccess>
-				<CallTrace condition="contains all">python27.dll;_ctypes.pyd;KERNELBASE.dll;ntdll.dll</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS process access by Mimikatz,Risk=100" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<CallTrace condition="begin with">C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\system32\KERNELBASE.dll+8185</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Cobalt Strike Monitor,Risk=70" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
-				<CallTrace condition="end with">)</CallTrace>
-				<CallTrace condition="contains all">|C:\WINDOWS\System32\KERNELBASE.dll+;|UNKNOWN(</CallTrace>
-				<CallTrace condition="excludes any">wow64.dll;)|C;Exchange.Diagnostics;Microsoft.Exchange</CallTrace>
-				<SourceImage condition="excludes any">C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe;c:\windows\system32\inetsrv\w3wp.exe;MSExchangeHMHost.exe;C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Rubeus Mimikatz Like Detection,Risk=70" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\winlogon.exe</TargetImage>
-				<GrantedAccess>0x1F3FFF</GrantedAccess>
-				<CallTrace condition="contains any">C:\Windows\Microsoft.NET;UNKNOWN</CallTrace>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<SourceImage condition="end with">.exe</SourceImage>
-				<TargetImage condition="contains any">C:\Windows\sysmon64.exe;C:\Windows\sysmon64.exe</TargetImage>
-				<GrantedAccess>0x1C00</GrantedAccess>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access,Risk=20" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<GrantedAccess>0x1F1FFF</GrantedAccess>
-				<CallTrace condition="contains">UNKNOWN</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access 2,Risk=20" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<GrantedAccess>0x1010</GrantedAccess>
-				<CallTrace condition="contains">UNKNOWN</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access 3,Risk=20" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<GrantedAccess>0x143A</GrantedAccess>
-				<CallTrace condition="contains">UNKNOWN</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=LSASS Memory Dump,Risk=100" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<GrantedAccess>0x1fffff</GrantedAccess>
-				<CallTrace condition="contains any">dbghelp.dll;dbgcore.dll</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Process access with dbghelp,Risk=30" groupRelation="and">
-				<CallTrace condition="contains any">dbghelp.dll;dbgcore.dll</CallTrace>
-				<TargetImage condition="excludes">C:\Windows\system32\lsass.exe</TargetImage>
-				<SourceImage condition="excludes">C:\wfx32\</SourceImage>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<SourceImage condition="image">powershell.exe</SourceImage>
-				<TargetImage condition="excludes any">C:\Programdata\sysmon\sysmon64.exe;C:\Programdata\sysmon\sysmon.exe;C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe;\dismhost.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<CallTrace condition="contains">getasynckeystate</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=CMSTP UAC Bypass" groupRelation="and">
-				<CallTrace condition="contains">cmlua.dll</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1086,Technique=PowerShell,Tactic=Execution,Level=3,Alert=Powershell without Powershell,Risk=30" groupRelation="and">
-				<CallTrace condition="contains">System.Management.Automation</CallTrace>
-				<CallTrace condition="excludes">C:\ProgramData\Microsoft\Windows Defender\platform\</CallTrace>
-				<CallTrace condition="excludes">ctiuser.dll</CallTrace>
-				<SourceImage condition="is not">C:\Program Files\Citrix\ConfigSync\ConfigSyncRun.exe</SourceImage>
-				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V14\bin\ExSetupUI.exe</SourceImage>
-				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetupUI.exe</SourceImage>
-				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V16\bin\ExSetupUI.exe</SourceImage>
-				<SourceImage condition="is not">C:\Windows\SysWOW64\sdiagnhost.exe</SourceImage>
-				<SourceImage condition="is not">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</SourceImage>
-				<SourceImage condition="is not">C:\Windows\Temp\ExchangeSetup\ExSetupUI.exe</SourceImage>
-				<SourceImage condition="is not">C:\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe</SourceImage>
-				<TargetImage condition="is not">C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe</TargetImage>
-				<TargetImage condition="is not">C:\Windows\system32\HOSTNAME.EXE</TargetImage>
-				<TargetImage condition="is not">C:\Windows\system32\ROUTE.exe</TargetImage>
-				<TargetImage condition="is not">C:\Windows\system32\query.exe</TargetImage>
-				<TargetImage condition="is not">MsMpEng.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=3,Alert=Kaodic credential access detected,Risk=100" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<CallTrace condition="contains">comsvcs.dll</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=Office Macro Execution VBE7,Risk=80" groupRelation="and">
-				<CallTrace condition="contains any">VBE7.dll;VBEUI.DLL;VBE7INTL.DLL</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=Office Macro Execution VBE6,Risk=80" groupRelation="and">
-				<CallTrace condition="contains any">VBE6.dll;VBEUI.DLL;VBE6INTL.DLL</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=verclsid Office Execution,Risk=80" groupRelation="and">
-				<SourceImage condition="contains">Office</SourceImage>
-				<TargetImage condition="contains">verclsid.exe</TargetImage>
-				<CallTrace condition="contains any">VBE7.dll;VBEUI.DLL;VBE7INTL.DLL</CallTrace>
-				<CallTrace condition="contains any">|UNKNOWN(</CallTrace>
-				<GrantedAccess condition="contains">0x1FFFFF</GrantedAccess>
-			</Rule>
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CreateProcessW,Risk=70" groupRelation="and">
-				<SourceImage condition="contains">C:\Program Files\Microsoft Office\Root\Office</SourceImage>
-				<CallTrace condition="contains">C:\Windows\System32\KERNELBASE.dll+76516</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CSShellExecute_DoExecute,Risk=30" groupRelation="and">
-				<CallTrace condition="contains" >C:\Windows\System32\SHELL32.dll+ae3b9</CallTrace>
-				<TargetImage condition="excludes">C:\WINDOWS\system32\sihost.exe</TargetImage>
-				<TargetImage condition="excludes">C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub</TargetImage>
-			</Rule>
-			<CallTrace name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
-				<CallTrace condition="contains">|UNKNOWN(</CallTrace>
-				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
-				<CallTrace condition="contains">|C:\WINDOWS\System32\KERNELBASE.dll+</CallTrace>
-				<CallTrace condition="end with">)</CallTrace>
-				<GrantedAccess condition="contains any">0x1028;0x1fffff</GrantedAccess>
-				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git\</SourceImage>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=Potential MalDoc Behavior" groupRelation="and">
-				<SourceImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</SourceImage>
-				<CallTrace condition="contains all">:\Windows\Microsoft.NET\Framework64\v2.;UNKNOWN</CallTrace>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Potential Metasploit Process Migration" groupRelation="and">
-				<CallTrace condition="contains">UNKNOWN</CallTrace>
-				<GrantedAccess condition="contains">0x147a</GrantedAccess>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonEnte Detection,Level=4,Risk=100" groupRelation="and">
-				<TargetImage condition="contains any">C:\Windows\Sysmon64.exe;C:\Windows\Sysmon.exe</TargetImage>
-				<SourceImage condition="is not">C:\WINDOWS\system32\wbem\wmiprvse.exe</SourceImage>
-				<SourceImage condition="is not">C:\Program Files (x86)\ASUS\Update\AsusUpdate.exe</SourceImage>
-				<SourceImage condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe;C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe;C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</SourceImage>
-				<GrantedAccess condition="contains">0x1400</GrantedAccess>
-			</Rule>
-			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE: possible memory injection -->
-			<GrantedAccess name="Attack=T1093,Technique=Process Hollowing,Tactic=Defense Evasion,Level=4,Alert=Process Hollowing Detected,Risk=100">0x0800</GrantedAccess>
-			<!-- PROCESS_SUSPEND_RESUME -->
-			<GrantedAccess name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator">0x0810</GrantedAccess>
-			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
-			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=Possible Memory Dump,Risk=70">0x0820</GrantedAccess>
-			<!-- PROCESS_SUSPEND_RESUME -->
-			<GrantedAccess name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=70">0x810</GrantedAccess>
-			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
-			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Risk=70">0x820</GrantedAccess>
-			<SourceImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">cscript.exe</SourceImage>
-			<SourceImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">wscript.exe</SourceImage>
-			<SourceImage condition="end with">jjs.exe</SourceImage>
-			<CallTrace name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">dump</CallTrace>
-			<CallTrace name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">mimikatz</CallTrace>
-			<CallTrace name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CorperfmontExt.dll</CallTrace>
-		</ProcessAccess>
-	</RuleGroup>
-	<RuleGroup name="RG=ProcessAccess Exclude Group" groupRelation="or">
-		<ProcessAccess onmatch="exclude">
-			<Rule name="wmi accessing lsass" groupRelation="and">
-				<SourceImage condition="image">wmiprvse.exe</SourceImage>
-				<TargetImage condition="image">lsass.exe</TargetImage>
-			</Rule>
-			<Rule name="lsass accessing winlogon" groupRelation="and">
-				<SourceImage condition="image">lsass.exe</SourceImage>
-				<TargetImage condition="image">winlogon.exe</TargetImage>
-			</Rule>
-			<!-- These binaries appear to access lsass legitimately -->
-			<Rule name="legitimate lsass access" groupRelation="and">
-				<TargetImage condition="contains">lsass.exe</TargetImage>
-				<SourceImage condition="excludes any">C:\Windows\system32\w32tm.exe;C:\Windows\System32\ping.exe;C:\Windows\System32\net.exe;C:\Windows\System32\net1.exe;C:\Windows\SYSTEM32\HOSTNAME.EXE;C:\Programdata\sysmon\sysmon.exe;C:\Programdata\sysmon\sysmon64.exe;C:\Program Files\Windows Defender\MsMpEng.exe;C:\Program Files (x86)\BeAnywhere Support Express\;C:\Program Files (x86)\CheckPoint\;C:\Program Files (x86)\Common Files\Intuit\QuickBooks\;C:\Program Files (x86)\Fortinet\;C:\Program Files (x86)\Trend Micro\;C:\Program Files\Adobe\Adobe Creative Cloud Experience\;C:\Program Files\CheckPoint\;C:\Program Files\Fortinet\;C:\Program Files\Realtek;C:\Program Files\Trend Micro\;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Program Files (x86)\Lenovo\;snmpd.exe;taskmgr;:\Windows\System32\smss.exe;:\Windows\system32\wininit.exe;\Bin\FMS.exe; <!-- Exchange Process -->\EMET_GUI.exe;\EMET_Service.exe;\Google\Update\GoogleUpdate.exe;\RAAGTAPP.EXE;\controls\cef\ConnectWise.exe;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe;C:\Program Files\Hewlett-Packard\AMS\service\hpqams.exe;C:\Program Files\Intel\SUR\WILLAMETTE\ESRV\esrv_svc.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files\Windows Defender\MsMpEng.exe;C:\WINDOWS\system32\WerFault.exe;C:\WINDOWS\system32\taskkill.exe;C:\Windows\SysWOW64\WerFault.exe;C:\Windows\System32\snmp.exe;C:\Windows\system32\msiexec.exe;C:\Windows\system32\spoolsv.exe;C:\Windows\system32\svchost.exe</SourceImage>
-			</Rule>
-			<!-- These binaries get or access processes running .NET -->
-			<SourceImage condition="end with">:\Windows\system32\sppsvc.exe</SourceImage>
-			<SourceImage condition="end with">:\Windows\system32\sdiagnhost.exe</SourceImage>
-			<!-- In testing a common false-positive is memory space that DLLS would be expected to mapped to. -->
-			<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\ntdll.dll</CallTrace>  
-				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\win32u.dll</CallTrace>
-				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\wow64win.dll</CallTrace>
-			</Rule>
-		</ProcessAccess>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
-		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
-	<RuleGroup name="RG=FileCreate Include Group" groupRelation="or">
-		<FileCreate onmatch="include">
-			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
-			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<TargetFilename name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,Level=4,Alert=Nessus Temp Files Created,Risk=100" condition="contains">\TEMP\nessus_</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
-
-			<!--MITRE ATT&CK TACTIC: Resource Development-->
-			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
-
-			<!--MITRE ATT&CK TACTIC: Initial Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds sunburst suspicious file writes,Risk=100" groupRelation="and">
-				<Image condition="contains any">solarwinds.businesslayerhost</Image>
-				<TargetFilename condition="contains any">.exe;.dll;.ps1;.mz;.jpg;.png</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds sunburst malware dll,Risk=100" groupRelation="and">
-				<TargetFilename condition="is">C:\WINDOWS\SysWOW64\netsetupsvc.dll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Dark Halo Software location,Risk=100" groupRelation="and">
-				<TargetFilename condition="begin with">C:\Windows\SoftwareDistribution</TargetFilename>
-				<TargetFilename name="Defender AntiMalware Delta Patch" condition="excludes all">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_;.exe</TargetFilename>
-				<TargetFilename condition="end with">.exe</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=0,Desc=MSBuild Source Files created" groupRelation="or">
-				<TargetFilename condition="end with">proj</TargetFilename>
-				<TargetFilename condition="end with">.targets</TargetFilename>
-				<TargetFilename condition="end with">.build</TargetFilename>
-				<TargetFilename condition="end with">.props</TargetFilename>
-				<TargetFilename condition="end with">.tasks</TargetFilename>
-				<TargetFilename condition="end with">.sln</TargetFilename>
-				<TargetFilename condition="end with">.cs</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
-			
-			<!--MITRE ATT&CK TACTIC: Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch File scripting: Batch scripts" condition="end with">.bat</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch scripting: Legacy btm Extension" condition="end with">.btm</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch scripting: Legacy cmd Extension" condition="end with">.cmd</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch scripting: Legacy com Extension" condition="end with">.com</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CMDLine File Created" condition="end with">.cmdline</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch File Created" condition="end with">.bas</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=BIN file created" condition="end with">.bin</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WS Scripting" condition="end with">.ws</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSC Scripting" condition="end with">.wsc</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSF Scripting" condition="end with">.wsf</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSH Scripting" condition="end with">.wsh</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=PIF Scripting" condition="end with">.pif</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: MSHTA-->
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=MSHTA Scripting" condition="end with">.hta</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=IronPython,Risk=90" condition="contains">IronPython</TargetFilename>
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=Python" condition="end with">.py</TargetFilename>
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=Python" condition="end with">.pyc</TargetFilename>
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=Python" condition="end with">.pyd</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
-			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=2,Alert=Powershell file types,Risk=100" groupRelation="or">
-				<TargetFilename condition="end with">.cdxml</TargetFilename>
-				<TargetFilename condition="end with">.ps1</TargetFilename>
-				<TargetFilename condition="end with">.ps1xml</TargetFilename>
-				<TargetFilename condition="end with">.psc1</TargetFilename>
-				<TargetFilename condition="end with">.psd1</TargetFilename>
-				<TargetFilename condition="end with">.psm1</TargetFilename>
-				<TargetFilename condition="end with">.pssc</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=2,Alert=Powershell file creations,Risk=10" groupRelation="and">
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-			</Rule>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Powershell directory modifications" condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Powershell directory modifications" condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Persistence: PowerShell default profile" condition="begin with">c:\Windows\System32\WindowsPowerShell\v1.0\profile</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Persistence: PowerShell default profile" condition="begin with">c:\Windows\Syswow64\WindowsPowerShell\v1.0\profile</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\powershell.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Powershell Console History" condition="end with">PSReadLine\ConsoleHost_history.txt</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=vbs script created" condition="end with">.vbs</TargetFilename>
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=Java JRE Timestamp usage for DFIR" condition="contains">.oracle_jre_usage\</TargetFilename>
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=JavaScript" condition="end with">.js</TargetFilename>
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=JavaScript" condition="end with">.jse</TargetFilename>
-			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,Level=0,Desc=VisualBasicScripting" condition="end with">.vb</TargetFilename>
-			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,Level=0,Desc=VisualBasicScripting" condition="end with">.vbe</TargetFilename>
-			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,Level=0,Desc=VisualBasicScripting" condition="end with">.vbsript</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=CVE-2019-1315,Risk=70" groupRelation="and">
-				<TargetFilename condition="end with">Report.wer.tmp</TargetFilename>
-				<TargetFilename condition="excludes">\WER\</TargetFilename>
-				<Image condition="image">C:\Windows\system32\wermgr.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=Office App Creating Exe File,Risk=70" groupRelation="and">
-				<Image condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe</Image>
-				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="begin with">C:\Users</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=Office App Creating DLL File,Risk=70" groupRelation="and">
-				<Image condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe</Image>
-				<TargetFilename condition="end with">.dll</TargetFilename>
-				<TargetFilename condition="begin with">C:\Users</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
-			<!--MITRE ATT&CK TECHNIQUE: Native API-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: System Services-->
-			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: User Execution: Malicious File-->
-			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Generic Ransomware Detection" groupRelation="and">
-				<TargetFilename condition="contains any">!!!-WARNING-!!!.html;!!!-WARNING-!!!.txt;!!! HOW TO DECRYPT FILES !!!;!!!README!!!;!!!READ_TO_UNLOCK!!!.TXT;!!!_READ_ME_;!Recovery_;!Where_are_my_files!.html;!_HOW_TO_RESTORE_;!_RECOVERY_HELP_!.txt;!recover!;# DECRYPT MY FILES #.html;# DECRYPT MY FILES #.txt;# DECRYPT MY FILES #.vbs;# SATAN CRYPTOR #;+recover+;.8lock8;.31392E30362E32303136_;.ABCDEF;.CIop;.CR1;.CRAB;.CRYPTOSHIELD;.Cl0p;.Contact_Here_To_Recover_Your_Files.txt;.CryptoTorLocker2015!;.HERMES;.HakunaMatata;.How_To_Decrypt.txt;.How_To_Get_Back.txt;.KEYZ.KEYH0LES;.L0CKED;.LOL!;.MATRIX;.OMG!;.R.i.P;.RMCM1;.RSplited;.SUPERCRYPT;.SecureCrypted;.TheTrumpLocker;.VBRANSOM;.VforVendetta;.Where_my_files.txt;.XBTL;._AiraCropEncrypted!;.airacropencrypted!;.areyoulovemyrans;.berkshire;.bitpy;.bitx;.blocatto;.bomber;.braincrypt;.breakingbad;.breeding123;.cerber;.cifgksaffsfyghd;.country82000;.crypt;.crypted;.crypton;.cryptotorlocker;.decrypt2017;.deria;.dglnl;.disposed2017;.doomed;.encrypted.locked;.encrypted;.encryptedyourfiles;.enjey;.evillock;.filegofprencrp;.fileiscryptedhard;.firecrypt;.fuckyourdata;.gangbang;.gefickt;.googl;.happydayzz;.hceem;.helpdecrypt;.helpmeencedfiles;.hnumkhotep;.hydracrypt_ID;.iaufkakfhsaraf;.info.txt;.jimm;.kharma;.killedXXX;.lambda_l0cked;.letmetrydecfiles;.locked;.locker16;.loveransisgood;.lovewindows;.magic_software_syndicate;.mention9823;.moments2900;.myrandsext2017;.newlock;.no_more_ransom;.nochance;.noproblemwedecfiles;.notfoundrans;.ohwqg;.one-we_can-help_you;.oops;.osiris;.otherinformation;.paytounlock;.powerfulldecrypt;.powned;.pr0lock;.prolock;.prosperous666;.pwnd;.ransom;.readme2unlock;.righ;.roger;.ryk;.satan;.savethequeen;.sigaint.org;.skjdthghh;.skynet;.snatch;.stubbin;.supported2017;.suppose666;.theworldisyours;.txd0t;.warn_wallet;.weapologize;.weareyourfriends;.weencedufiles;.wowreadfordecryp;.wowwhereismyfiles;.wvtr0;.yourransom;.zzzzz ;.{CRYPTENDBLACKDC};-DECRYPT.txt;000-IF-YOU-WANT-DEC-FILES;000-No-PROBLEM-WE-DEC-FILES;000-PLEASE-READ-WE-HELP;001-READ-FOR-DECRYPT-FILES;1025-7152.exe;:\windows\update_collector.exe;==READ==THIS==PLEASE==;@cock.li;@countermail.com;@firemail.cc;@india.com;@mail.ru;@ukr.net;ASSISTANCE_IN_RECOVERY;ATTENTION!!!.txt;ATTENTION.url;Aescrypt.exe;AllFilesAreLocked;BTC_DECRYPT_FILES;BUYUNLOCKCODE.txt;BUYUNLOCKCODE;BitCryptorFileList.txt;C:\ProgramData\dtb.dat;C:\Programdata\WinMgr;C:\Programdata\clean.bat;C:\Programdata\run.bat;C:\Windows\svchost.exe;CEBER3;CHECK-IT-HELP-FILES;COME_RIPRISTINARE_I_FILE.;COMO_ABRIR_ARQUIVOS.txt;COMO_RESTAURAR_ARCHIVOS;Coin.Locker.txt;Comment débloquer mes fichiers.txt;Como descriptografar seus arquivos.txt;Corona-virus-Map;Corona.bat;Corona.sfx;CryptoRansomware;Crytp0l0cker;Cyber SpLiTTer Vbs.exe;Cyborg_DECRYPT;DALE_FILES.TXT;DECRYPT-FILES;DECRYPTION INSTRUCTIONS.;DECRYPTION_HOWTO.Notepad;DECRYPT_INFORMATION;DECRYPT_INSTRUCTION.HTML;DECRYPT_INSTRUCTION.URL;DECRYPT_INSTRUCTIONS.html;DECRYPT_INSTRUCTIONS;DECRYPT_ReadMe1.TXT;DECRYPT_Readme.TXT.ReadMe;DECRYPT_YOUR_FILES;DESIFROVANI_POKYNY.html;Decrypt All Files;DecryptAllFiles;DecryptFile;Decrypt_readme.txt;DesktopOsiris;ENTSCHLUSSELN_HINWEISE.html;EdgeLocker;FILESAREGONE.txt;FILES_BACK.txt;File Decrypt Help.html;GJENOPPRETTING_AV_FILER;GetYouFiles.txt;HAPPEN-ENCED-FILES;HELLOTHERE.TXT;HELP-ME-ENCED-FILES;HELPDECRYPT_YOUR_FILES.HTML;HELP_DECRYPT.HTML;HELP_DECRYPT.PNG;HELP_DECRYPT.URL;HELP_DECRYPT.lnk;HELP_ME_PLEASE.txt;HELP_RESTORE_FILES_;HELP_TO_SAVE_FILES.bmp;HELP_TO_SAVE_FILES;HELP_YOURFILES.HTML;HELP_YOUR_FILES.PNG;HELP_YOUR_FILES.html;HELP_YOUR_FILES;HOW-TO-DECRYPT-FILES.HTML;HOW-TO-RESTORE-FILES;HOW TO BACK YOUR FILES;HOW TO DECRYPT FILES.HTML;HOW TO DECRYPT FILES.txt;HOW TO RECOVER;HOWTO_RECOVER_FILES_;HOWTO_RESTORE_FILES;HOWTO_RESTORE_FILES_;HOW_DECRYPT.HTML;HOW_DECRYPT.TXT;HOW_DECRYPT.URL;HOW_OPEN_FILES;HOW_TO_DECRYPT.HTML;HOW_TO_DECRYPT_;HOW_TO_PAY_THE_RANSOM;HOW_TO_RESTORE_FILES.html;HOW_TO_RESTORE_FILES;HOW_TO_RESTORE_YOUR_DATA;HOW_TO_UNLOCK_FILES_README_;HWID Lock.exe;Hacked_Read_me_to_decrypt_files.html;Help Decrypt.html;How decrypt files.hta;How to decrypt LeChiffre files.html;How to decrypt your data.txt;HowDecrypt.gif;HowDecrypt.txt;How_to_decrypt_your_files.jpg;How_to_restore_files.hta;HowtoRestore_File;HowtoRestore_Files;Howto_RESTORE_FILES.html;Howto_Restore_FILES.TXT;IAMREADYTOPAY.TXT;IF-YOU-WANT-DEC-FILES;IF_WANT_FILES_BACK_PLS_READ.html;IHAVEYOURSECRET.KEY;IMPORTANT READ ME.txt;IMPORTANT.README;INSTALL_TOR.URL;INSTRUCCIONES;INSTRUCCIONES_DESCIFRADO.html;INSTRUCTION RESTORE FILE;INSTRUCTIONS_DE_DECRYPTAGE.html;INSTUCCIONES_DESCRIFRADO;ISTRUZIONI_DECRITTAZIONE.html;Important!.txt;Instructionaga.txt;KryptoLocker_README.txt;LEER_INMEDIATAMENTE;LET-ME-TRY-DEC-FILES;Locked-by-Mafia;MENSAGEM.txt;MERRY_I_LOVE_YOU_BRUCE.hta;No-PROBLEM-WE-DEC-FILES;OKSOWATHAPPENDTOYOURFILES.TXT;ONTSLEUTELINGS_INSTRUCTIES.html;OSIRIS-;PAYLOADBIN;PINGY@INDIA.COM;PLEASE-READ-WE-HELP.;PLEASE-READIT-IF_YOU-WANT.html;PLEASE-READIT-IF_YOU-WANT;PLEASE-README-AFFECTED-FILES;PLS-DEC-MY-FILES;PURELOCKER;Payment_Instructions.jpg;Please Read Me!!!;READ-FOR-DECCCC-FILESSS;READ-FOR-DECRYPT-FILES;READ-READ-READ;READ IF YOU WANT YOUR FILES BACK.html;READ ME FOR DECRYPT.txt;README HOW TO DECRYPT YOUR FILES.HTML;README!!!;README_DECRYPT_HYDRA_ID_;README_DECRYPT_HYRDA_ID_;README_DECRYPT_UMBRE_ID_;README_DONT_DELETE;README_HOW_TO_UNLOCK.HTML;README_HOW_TO_UNLOCK.TXT;README_RECOVER_FILES_;README_TO_RECURE_YOUR_FILES;READTHISNOW!!!.txt;READ_IT.txt;READ_ME_!.txt;READ_ME_TO_DECRYPT_YOU_INFORMA;READ_THIS_TO_DECRYPT.html;RECOVER-FILES;RECOVERY_FILE.;RECOVERY_FILES.TXT;RECOVER_MY_FILE;RESTORE_CORUPTED_FILES;RESTORE_FILES_;RETURN FILES.txt;RETURN YOUR FILES;RETURNFILES_.txt;RETURN_FILES.txt;RETURN_FILES_.txt;Rans0m_N0te_Read_ME;Read Me (How Decrypt) !!!!.txt;ReadDecryptFilesHere;Read_this_file.txt;Receipt.exe;RecoveryManual.html;Recovery_File_;Recovery_file_;Rooster865qq;SECRET.KEY;SECRETIDHERE.KEY;SHTODELATVAM.txt;SIFRE_COZME_TALIMATI.html;SORRY-FOR-FILES;Survey Locker.exe;TRY-READ-ME-TO-DEC;Temp\satan\satan;ThxForYurTyme;UNLOCK_FILES_INSTRUCTIONS.html;UNLOCK_FILES_INSTRUCTIONS.txt;UnblockFiles.vbs;VIP72.exe;Vape Launcher.exe;WANT_FILES_BACK;WE-MUST-DEC-FILES;WHERE-YOUR-FILES;WORMKILLER@INDIA.COM.XTBL;What happen to my files.txt;Whereisyourfiles;WindowsApplication1.exe;YOUGOTHACKED.TXT;YOUR_FILES.txt;YOUR_FILES.url;YOUR_FILES_ARE_DEAD;YOUR_FILES_ARE_ENCRYPTED.HTML;YOUR_FILES_ARE_ENCRYPTED.TXT;YOUR_FILES_ARE_LOCKED.txt;Your files are locked !!!!.txt;Your files are locked !!!.txt;Your files are locked !!.txt;Your files are locked !.txt;Your files encrypted by our friends !!! txt;Your files encrypted by our friends !!!.txt;[KASISKI];_Adatok_visszaallitasahoz_utasitasok;_DECRYPT_ASSISTANCE_;_DECRYPT_INFO_;_DECRYPT_INFO_szesnl;_DEC_FILES.;_FILES_WERE_ENCRYPTED_@.TXT;_HELP_HELP_HELP_;_HELP_Recover_Files_;_HELP_instructions.bmp;_HELP_instructions.txt;_HOWDO_text.bmp;_HOWDO_text.html;_HOW_TO_Decrypt;_H_e_l_p_RECOVER_INSTRUCTIONS+;_H_e_l_p_RECOVER_INSTRUCTIONS;_Locky_recover;_Locky_recover_instructions.bmp;_Locky_recover_instructions.txt;_README.hta;_README.jpg;_READ_ME!;_RECOVER_INSTRUCTIONS;_ReCoVeRy_+;_USE_TO_FIX_;_WHAT_is.html;_help_instruct;_how_recover.txt;_how_recover;_how_recover_;_recover_;_secret_code.txt;_steaveiwalker@india.com_;aeroware;confirmation.key;contains(to_string($message.file_created), "howrecover+;crjoker.html;cryptinfo.txt;cryptolocker.;cryptopp;de_crypt_readme.;de_crypt_readme.bmp;de_crypt_readme.html;de_crypt_readme.txt;decipher_ne;decrypt-instruct;decrypt explanations.;decrypt my file;decrypt your file;decrypt_Globe;decrypt_instruct;decrypted_files.dat;decryptional;decryptmyfiles;decypt_your_files.html;default32643264.bmp;default432643264.jpg;email-salazar_slytherin10;enc_files.txt;encryptor_raas_readme_liesmich;enigma.hta;enigma_encr.txt;exit.hhr.obleep;fattura_;file0locked;files_are_encrypted.;-filesencrypted;firemail.cc;firstransomware.exe;gmx.de;hacks.at.sigaint.org;help-file-decrypt.enc;help_decrypt;help_file_;help_instructions.;help_my_files;help_recover;help_recover_instructions;help_restore;help_restore_files;help_your_file;helpmeencedfiles;how to decrypt aes files.lnk;how to decrypt;how to get data.txt;how_decrypt.gif;how_recover;how_to_decrypt;how_to_recover;howrecover+ recoveryfile_;howrecover+;howto_recover_file;howto_restore;howtodecrypt;howtodecryptaesfiles.txt;inbox.ru;info@kraken.cc_worldcza@email.cz;install_tor;iran.ir;last_chance.txt;maestro@pizzacrypts.info;maxcrypt.bmp;only-we_can-help_you;openforyou@india.com;opensourcemail.org;padcrypt;paycrypt.bmp;popcorn_time.exe;powerfulldecrypt;protonmail.ch;qbmail.biz;randomname;readme_decrypt;readme_for_decrypt;readme_liesmich_encryptor_raas;recover_file;recover_file_;recover_instruction;recoverfile;recoverfile_;recovery+;recovery_file.txt;recovery_key.txt;recoveryfile;recover}-;restore_files.txt;restorefiles;restorefiles_;ryukreadme.html;tuta.io;tutanota.com;tutanota.de;unCrypte;vault.hta;vault.key;vault.txt;want your files back.;warning-!!;wie_zum_Wiederherstellen_von_Dateien.txt;wowreadfordecryp;wowwhereismyfiles;zXz.html;zycrypt.;zzzzzzzzzzzzzzzzzyyy</TargetFilename>
-			</Rule>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="contains">crackmapexec</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._AES.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._DES.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Hash._SHA256.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Random.OSRNG.winrandom.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Util.strxor.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\crackmapexec.exe.manifest</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\greenlet.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=KeeFarce.exe default injected DLL name,Risk=100" condition="end with">BootStrapDLL.dll</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=MegaCortex Ransomware,Risk=100" condition="begin with">C:\windows\temp\wininit.exe</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Mimikatz Files" condition="contains any">lazycat;powerkatz;mimikatz;mimidrv;mimilove;mimilib;mimikittenz;mimiauth;invoke-mimi</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=RDP Wrapper,Risk=100" condition="end with">rdpwrap.dll</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=winspool.drv dropped" condition="end with">winspool.drv</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
-			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
-			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
-			<Image name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="begin with">C:\WINDOWS\system32\wbem\scrcons.exe</Image>
-			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<TargetFilename name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,Level=3,Alert=Autorun Folder Entries" condition="contains">\Programs\Startup\</TargetFilename>
-			<TargetFilename name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,Level=3,Alert=Autorun Folder Entries" condition="contains">\Startup\</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
-			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Office Application Startup modification" condition="contains">\Word\STARTUP\</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Office Application Startup modification" condition="contains">\Microsoft\Templates\</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Office Application Startup modification" condition="contains">\Excel\XLSTART\</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence" condition="end with">.dotm</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence" condition="end with">.XLSB</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
-			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=3,Alert=HAFNIUM APT: IIS Creating ASPX files outside of wwwwroot,Risk=80" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-				<TargetFilename condition="end with">.aspx</TargetFilename>
-				<TargetFilename condition="excludes">\wwwroot\aspnet_client\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=HAFNIUM APT: IIS Creating PHP files,Risk=80" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-				<TargetFilename condition="end with">.php</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=HAFNIUM APT: IIS Creating AAA files,Risk=80" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-				<TargetFilename condition="end with">.aaa</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=3,Alert=HAFNIUM Web Shells Dropped,Risk=100" groupRelation="and">
-				<TargetFilename condition="contains any">\wwwroot\aspnet_client\</TargetFilename>
-				<TargetFilename condition="contains any">.aspx;.php</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=Files dropped in wwwroot directory,Risk=40" groupRelation="and">
-				<TargetFilename condition="contains any">\wwwroot\</TargetFilename>
-				<TargetFilename condition="excludes any">\wwwroot\aspnet_client\;jpg</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=ASP Files dropped outside wwwroot directory" groupRelation="and">
-				<TargetFilename condition="end with">.asp</TargetFilename>
-				<TargetFilename condition="excludes any">\wwwroot\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=ASPX Files dropped outside wwwroot directory" groupRelation="and">
-				<TargetFilename condition="end with">.aspx</TargetFilename>
-				<TargetFilename condition="excludes any">\wwwroot\</TargetFilename>
-			</Rule>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ecp\auth\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\oab\auth\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">ClientAccess\Owa\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\owa\auth\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">httpproxy\rpc\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">ClientAccess\ecp\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\htdocs\</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=Printer Exploitation Detected,Risk=20" groupRelation="and">
-				<TargetFilename condition="end with">.SPL</TargetFilename>
-				<Image condition="excludes any">spoolsv.exe;printfilterpipelinesvc.exe;printisolationhost.exe;splwow64.exe;msiexec.exe;poqexec.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=Printer Spooler Created exe file,Risk=40" groupRelation="and">
-				<Image condition="image">spoolsv.exe</Image>
-				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="excludes">C\:\Windows\System32\spool\;C\:\Windows\Temp\;C\:\Users\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=InstallerFileTakeOver,Risk=80,CVE=CVE-2021-41379" groupRelation="and">
-				<Image condition="image">msiexec.exe</Image>
-				<TargetFilename condition="contains">\Microsoft\Edge\Application</TargetFilename>
-				<TargetFilename condition="end with">elevation_service.exe</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
-			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\LocalState\rootfs\</TargetFilename>
-
-			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="or">
-				<TargetFilename condition="begin with">C:\PerfLogs\</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Temp\</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Users\Default\</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename> 
-				<TargetFilename condition="contains">\AppData\Temp\</TargetFilename>
-				<Image condition="excludes">C:\WINDOWS\system32\dxgiadaptercache.exe</Image>
-			</Rule>
-			<TargetFilename condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
-			<Image condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Files Created from">$Recycle.Bin</Image>
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Files Created within System Profile" groupRelation="and">
-				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
-				<TargetFilename condition="contains">\config\systemprofile\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Files Created from System Profile executable" groupRelation="and">
-				<Image condition="begin with">C:\Windows\</Image>
-				<Image condition="contains">\config\systemprofile\</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
-			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
-			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
-			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
-			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Compiled HTML File-->
-			<TargetFilename name="Attack=T1223,Technique=Compiled HTML File,Tactic=Defense Evasion" condition="end with">.chm</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
-			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
-			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion" condition="end with">proj</TargetFilename>
-			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion" condition="end with">.sln</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
-			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
-
-			<!--MITRE ATT&CK TACTIC: Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
-			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
-			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
-			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
-
-			<!--MITRE ATT&CK TACTIC: Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
-			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-
-			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
-			<Rule name="Attack=T1203,Technique=Exploitation of Remote Services,Tactic=Lateral Movement,Level=4,Alert=Exchange Exploitation UM Service File Creation,Risk=80,CVE=CVE-2021-26858" groupRelation="and">
-				<Image condition="contains any">UMWorkerProcess.exe;UMService.exe</Image>
-				<TargetFilename condition="contains any">.</TargetFilename>
-				<TargetFilename condition="excludes any">.log;.cfg;.txt;cleanup;.HealthCheck;\wp.active;.db</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-
-			<!--MITRE ATT&CK TACTIC: Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.7z</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.7zip</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.arj</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.s7z</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=.A Archive" condition="end with">.a</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ACE Archive" condition="end with">.ace</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=AR Archive" condition="end with">.ar</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ARC Archive" condition="end with">.arc</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=BIN" condition="end with">.bin</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=CAB Archive" condition="end with">.cab</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=Game PAK Archive" condition="end with">.pak</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=Gzip Archive" condition="end with">.gz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=IMG Archive" condition="end with">.img</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ISO Archive" condition="end with">.iso</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=LZM Archive" condition="end with">.lzm</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=LZMA Archive" condition="end with">.lzma</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Temp\Rar$</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=RAR Archive" condition="end with">.rar</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">RarSFX</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=SFX Archive" condition="end with">.sfx</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=SZ Archive" condition="end with">.sz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=TAR Archive" condition="end with">.tar</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=TAR.GZ Archive" condition="end with">.tar.gz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=XZ Archive" condition="end with">.xz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ZIP Archive" condition="end with">.zip</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
-			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .OST Created,Risk=30" condition="end with">.ost</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.eml</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.msg</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.pst</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
-
-			<!--MITRE ATT&CK TACTIC: Command and Control-->
-			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=Cyrillic Letter obfuscation,Risk=100" groupRelation="and">
-				<TargetFilename condition="contains any">Г;И;К;П;д;и;к;л;л;н;н;о;ф;ե;թ;յ;ն;ն;ն;ն;տ;ւ;ք</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
-			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
-			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created by Teamviewer" condition="is">Teamviewer.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">rundll32.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created with Remote Desktop Client" condition="is">mstsc.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">cmd.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">ipy.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">WScript.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with cscript.exe,Risk=30" condition="is">cscript.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with mshta.exe,Risk=100" condition="is">mshta.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with python.exe,Risk=30" condition="is">python.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with wmic.exe,Risk=30" condition="is">wmic.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
-			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy: Multi-hop Proxy-->
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Hidden Service,Risk=100" condition="contains">HiddenService</TargetFilename>
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Files,Risk=100" condition="end with">torrc</TargetFilename> 
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Files,Risk=100" condition="contains">\tor.exe</TargetFilename> 
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Files,Risk=100" condition="contains">tor-gencert</TargetFilename> 
-			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
-
-			<!--MITRE ATT&CK TACTIC: Exfiltration-->
-
-			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Possible rclone Exfiltration,Risk=30" condition="contains">rclone</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Possible s3browser Exfiltration,Risk=30" condition="contains">s3browser</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Browser Credential exfiltration,Risk=30" condition="contains">grabff.exe</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Browser Credential exfiltration,Risk=30" condition="contains">grabff.exe</TargetFilename>
-			<!--MITRE ATT&CK TACTIC: Impact-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Snatch Ransomware Detected,Risk=100" groupRelation="and">
-				<TargetFilename condition="contains all">RESTORE_;_FILES.txt</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Snatch2 Ransomware Detected,Risk=100" groupRelation="and">
-				<TargetFilename condition="contains all">DECRYPT_;_FILES.txt</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Nanocore Detected,Risk=100" groupRelation="and">
-				<TargetFilename condition="contains any">\run.dat;\task.dat;\storage.dat</TargetFilename>
-				<TargetFilename condition="contains">AppData</TargetFilename>
-				<TargetFilename condition="excludes any">Symantec</TargetFilename>
-				<TargetFilename condition="excludes any">BlueJeans</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=RagnarLocker Virtualbox files: susceptible to FP,Risk=40" groupRelation="and">
-				<TargetFilename condition="contains any">VBoxRT.dll;VboxC.dll</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
-			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
-			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
-			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
-			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
-			<!--UEBA Detections-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
-				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.dll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="contains any">MSForms.exd</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename> 
-				<TargetFilename condition="begin with">C:\windows\system32\</TargetFilename> 
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename> 
-				<TargetFilename condition="begin with">C:\windows\</TargetFilename> 
-				<TargetFilename condition="excludes">\system32\</TargetFilename> 
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
-				<TargetFilename condition="excludes">C:\windows\</TargetFilename> 
-				<TargetFilename condition="excludes">C:\Users\</TargetFilename> 
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Users\</TargetFilename> 
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="contains">\Microsoft\Word\Startup\</TargetFilename>
-				<TargetFilename condition="end with">.wll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="begin with">C:\windows\system32\CodeIntegrity\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="contains">\Microsoft\Excel\Startup\</TargetFilename>
-				<TargetFilename condition="end with">.xll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">\Microsoft\Outlook\VbaProject.OTM</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="contains">\Microsoft\Addins\</TargetFilename>
-				<TargetFilename condition="contains any">.xla</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.vsto</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.bat</TargetFilename>
-				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
-				<Image condition="excludes any">C:\ProgramData\Lenovo\SystemUpdate\sessionSE\</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.dll</TargetFilename>
-				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.sys</TargetFilename>
-				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
-				<TargetFilename condition="excludes any">C:\Windows\System32\;C:\windows\syswow64\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="begin with">C:\Windows\SysWow64\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.theme</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="contains">\Packages\oice_</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">VirtualboxVM.exe</Image>
-			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">notepad++.exe</Image>
-			<TargetFilename name="Attack=T1023,Technique=Shortcut Modification,Tactic=Persistence,Level=4,Alert=Potential LNK Malware File Downloaded">.lnk:Zone.Identifier</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\cscript.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\mshta.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\msiexec.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\regsvr32.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\rundll32.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\svchost.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wmic.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wscript.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\regsvr32.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Winrm Host Process" condition="end with">\UsageLogs\wsmprovhost.exe.log</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Link">.lnk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=URL">.url</TargetFilename>
-			<!--Drivers dropped-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sys</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.inf</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\System32\Drivers</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Drivers\</TargetFilename>
-			<TargetFilename condition="end with">.drv</TargetFilename> 
-			<!--Microsoft Office File Monitoring-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlam</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlsm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xla</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xll</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xls</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlsb</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlsx</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlt</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xltm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlw</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Microsoft\Templates\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.eml</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.msg</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.potm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sldm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Microsoft\Office\Recent</TargetFilename>
-			<TargetFilename name="Forensic=Recent Office History" condition="contains">oleObject</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Downloads\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Content.Outlook\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.docb</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.wbk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ped</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.dot</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.dotx</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.doc</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.docm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.docx</TargetFilename>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
-				<TargetFilename condition="end with">.accdb</TargetFilename>
-				<TargetFilename condition="end with">.accde</TargetFilename>
-				<TargetFilename condition="end with">.accdr</TargetFilename>
-				<TargetFilename condition="end with">.accdt</TargetFilename>
-				<TargetFilename condition="end with">.mdb</TargetFilename>
-				<TargetFilename condition="end with">.mde</TargetFilename>
-				<TargetFilename condition="end with">.msc</TargetFilename>
-				<TargetFilename condition="end with">.mst</TargetFilename>
-				<TargetFilename condition="end with">.potx</TargetFilename>
-				<TargetFilename condition="end with">.ppam</TargetFilename>
-				<TargetFilename condition="end with">.ppsm</TargetFilename>
-				<TargetFilename condition="end with">.ppsx</TargetFilename>
-				<TargetFilename condition="end with">.ppt</TargetFilename>
-				<TargetFilename condition="end with">.pptm</TargetFilename>
-				<TargetFilename condition="end with">.pptx</TargetFilename>
-				<TargetFilename condition="end with">.pub</TargetFilename>
-				<TargetFilename condition="end with">.sldm</TargetFilename>
-				<TargetFilename condition="end with">.sldx</TargetFilename>
-				<TargetFilename condition="end with">.xls</TargetFilename>
-				<TargetFilename condition="end with">.xps</TargetFilename>
-			</Rule>
-			<!--SECTION: Certificates -->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
-				<TargetFilename condition="end with">.pem</TargetFilename>
-				<TargetFilename condition="end with">.crt</TargetFilename>
-				<TargetFilename condition="end with">.ca-bundle</TargetFilename>
-				<TargetFilename condition="end with">.cer</TargetFilename>
-				<TargetFilename condition="end with">.csr</TargetFilename>
-				<TargetFilename condition="end with">.der</TargetFilename>
-				<TargetFilename condition="end with">.p7b</TargetFilename>
-				<TargetFilename condition="end with">.p7r</TargetFilename>
-				<TargetFilename condition="end with">.p7s</TargetFilename>
-				<TargetFilename condition="end with">.pfx</TargetFilename>
-				<TargetFilename condition="end with">.sto</TargetFilename>
-				<TargetFilename condition="end with">.p12</TargetFilename>
-				<TargetFilename condition="end with">.crl</TargetFilename>
-				<TargetFilename condition="end with">.sst</TargetFilename>
-				<TargetFilename condition="end with">.key</TargetFilename>
-			</Rule>
-			<!-- side loading -->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
-				<TargetFilename condition="end with">.hlp</TargetFilename>
-				<TargetFilename condition="end with">ACLUI.DLL.UI</TargetFilename>
-				<TargetFilename condition="end with">ACLUI.DLL</TargetFilename>
-				<TargetFilename condition="end with">AFLogVw.exe</TargetFilename>
-				<TargetFilename condition="end with">AShld.exe</TargetFilename>
-				<TargetFilename condition="end with">AShldRes.DLL.asr</TargetFilename>
-				<TargetFilename condition="end with">AShldRes.DLL</TargetFilename>
-				<TargetFilename condition="end with">AhnI2.dll</TargetFilename>
-				<TargetFilename condition="end with">CamMute.exe</TargetFilename>
-				<TargetFilename condition="end with">CommFunc.dll</TargetFilename>
-				<TargetFilename condition="end with">CommFunc.jax</TargetFilename>
-				<TargetFilename condition="end with">DESqmWrapper.dll</TargetFilename>
-				<TargetFilename condition="end with">DESqmWrapper.wrapper</TargetFilename>
-				<TargetFilename condition="end with">FSPMAPI.dll.fsp</TargetFilename>
-				<TargetFilename condition="end with">FSPMAPI.dll</TargetFilename>
-				<TargetFilename condition="end with">Gadget.exe</TargetFilename>
-				<TargetFilename condition="end with">LoLTWLauncher.exe</TargetFilename>
-				<TargetFilename condition="end with">Mc.exe</TargetFilename>
-				<TargetFilename condition="end with">McUtil.dll.ping</TargetFilename>
-				<TargetFilename condition="end with">McUtil.dll.url</TargetFilename>
-				<TargetFilename condition="end with">McUtil.dll</TargetFilename>
-				<TargetFilename condition="end with">MpSvc.dll</TargetFilename>
-				<TargetFilename condition="end with">MsMpEng.exe</TargetFilename>
-				<TargetFilename condition="end with">NtUserEx.dat</TargetFilename>
-				<TargetFilename condition="end with">NtUserEx.dat</TargetFilename>
-				<TargetFilename condition="end with">NtUserEx.dll</TargetFilename>
-				<TargetFilename condition="end with">NtUserEx.dll</TargetFilename>
-				<TargetFilename condition="end with">NvSmart.exe</TargetFilename>
-				<TargetFilename condition="end with">NvSmartMax.dll</TargetFilename>
-				<TargetFilename condition="end with">NvSmartMax.dll</TargetFilename>
-				<TargetFilename condition="end with">NvSmartMaxapp.dll</TargetFilename>
-				<TargetFilename condition="end with">OInfo11.ISO</TargetFilename>
-				<TargetFilename condition="end with">OInfo11.ocx</TargetFilename>
-				<TargetFilename condition="end with">OInfoP11.exe</TargetFilename>
-				<TargetFilename condition="end with">OleView.exe</TargetFilename>
-				<TargetFilename condition="end with">OleView.exe</TargetFilename>
-				<TargetFilename condition="end with">POETWLauncher.exe</TargetFilename>
-				<TargetFilename condition="end with">RasTls.dll.config</TargetFilename>
-				<TargetFilename condition="end with">RasTls.dll.msc</TargetFilename>
-				<TargetFilename condition="end with">RasTls.dll</TargetFilename>
-				<TargetFilename condition="end with">RasTls.exe</TargetFilename>
-				<TargetFilename condition="end with">RunHelp.exe</TargetFilename>
-				<TargetFilename condition="end with">Sidebar.dll.doc</TargetFilename>
-				<TargetFilename condition="end with">Sidebar.dll</TargetFilename>
-				<TargetFilename condition="end with">Ushata.dll</TargetFilename>
-				<TargetFilename condition="end with">Ushata.exe</TargetFilename>
-				<TargetFilename condition="end with">Ushata.fox</TargetFilename>
-				<TargetFilename condition="end with">VeetlePlayer.exe</TargetFilename>
-				<TargetFilename condition="end with">boot.ldr</TargetFilename>
-				<TargetFilename condition="end with">chrome_frame_helper.dll.rom</TargetFilename>
-				<TargetFilename condition="end with">chrome_frame_helper.dll</TargetFilename>
-				<TargetFilename condition="end with">chrome_frame_helper.exe</TargetFilename>
-				<TargetFilename condition="end with">dvcemumanager.exe</TargetFilename>
-				<TargetFilename condition="end with">fsguidll.exe</TargetFilename>
-				<TargetFilename condition="end with">fslapi.dll.gui</TargetFilename>
-				<TargetFilename condition="end with">fslapi.dll</TargetFilename>
-				<TargetFilename condition="end with">fsstm.exe</TargetFilename>
-				<TargetFilename condition="end with">hccutils.dll.res</TargetFilename>
-				<TargetFilename condition="end with">hccutils.dll</TargetFilename>
-				<TargetFilename condition="end with">hha.dll.bak</TargetFilename>
-				<TargetFilename condition="end with">hha.dll</TargetFilename>
-				<TargetFilename condition="end with">hhc.exe</TargetFilename>
-				<TargetFilename condition="end with">hkcmd.exe</TargetFilename>
-				<TargetFilename condition="end with">iviewers.dll</TargetFilename>
-				<TargetFilename condition="end with">jli.dll</TargetFilename>
-				<TargetFilename condition="end with">libvlc.dll</TargetFilename>
-				<TargetFilename condition="end with">mPclient.dll</TargetFilename>
-				<TargetFilename condition="end with">mcf.ep</TargetFilename>
-				<TargetFilename condition="end with">mcf.exe</TargetFilename>
-				<TargetFilename condition="end with">mcupdui.exe</TargetFilename>
-				<TargetFilename condition="end with">mcut.exe</TargetFilename>
-				<TargetFilename condition="end with">mcutil.dll.bbc</TargetFilename>
-				<TargetFilename condition="end with">mcvsmap.exe</TargetFilename>
-				<TargetFilename condition="end with">msi.dll.dat</TargetFilename>
-				<TargetFilename condition="end with">msi.dll</TargetFilename>
-				<TargetFilename condition="end with">msseces.asm</TargetFilename>
-				<TargetFilename condition="end with">msseces.exe</TargetFilename>
-				<TargetFilename condition="end with">mtcReport.ktc</TargetFilename>
-				<TargetFilename condition="end with">rc.dll</TargetFilename>
-				<TargetFilename condition="end with">rc.exe</TargetFilename>
-				<TargetFilename condition="end with">rc.hlp</TargetFilename>
-				<TargetFilename condition="end with">sep_NE.exe</TargetFilename>
-				<TargetFilename condition="end with">sep_NE.slf</TargetFilename>
-				<TargetFilename condition="end with">tplcdclr.exe</TargetFilename>
-				<TargetFilename condition="end with">winmm.dll</TargetFilename>
-				<TargetFilename condition="end with">wts.chm</TargetFilename>
-				<TargetFilename condition="end with">credwiz.exe</TargetFilename>
-			</Rule>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">ssMUIDLL.dll</TargetFilename>
-			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">aepic.dll</TargetFilename>
-			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">ftllib.dll</TargetFilename>
-			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">userenv.dll</TargetFilename>
-			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP Bitmap Cache" condition="contains">\Terminal Server Client\Cache\</TargetFilename>
-			<TargetFilename name="Attack=T1204,Technique=User Execution,Tactic=Execution,Forensic=Windows Prefetch Exec History" condition="begin with">C:\Windows\Prefetch</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">\\tsclient</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\</TargetFilename>
-			<TargetFilename name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=4,Alert=SharpDump bin,Risk=100" condition="end with">\Temp\debug.bin</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Temp\7z</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.chm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.cpl</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">.mht</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.crx</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.appref-ms</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.gadget</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.JSE</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.exe</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.scf</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Exchange Server\ClientAccess\Owa\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">\Device\HarddiskVolumeShadowCopy</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">.zip\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.FON</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.FOT</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.iqy</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ico</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.isp</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.msc</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.manifest</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">MEMORY.dmp</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.msi</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.cs</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.customDestinations-ms</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\Minidump</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.PAF</TargetFilename>
-			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP Bitmap Cache" condition="end with">.bmc</TargetFilename>
-			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP" condition="end with">.rdp</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.rtf</TargetFilename> 
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.reg</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SHS</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.slk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SCR</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.set</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SettingContent-ms</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SHD</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SPL</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.scr</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">HammerDrillStatus.dll</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft\Windows\WER\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ICL</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sdb</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SCT</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SHB</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Temp\Temp1_</TargetFilename>
-			<!--Uncategorized-->
-			<TargetFilename condition="contains all">\Microsoft\;CLR_v;\UsageLogs\</TargetFilename>
-			<TargetFilename condition="end with">.ade</TargetFilename>
-			<TargetFilename condition="end with">.adp</TargetFilename>
-			<TargetFilename condition="end with">.application</TargetFilename>
-			<TargetFilename condition="end with">.appref-ms</TargetFilename>
-			<TargetFilename condition="end with">.asc</TargetFilename>
-			<TargetFilename condition="end with">.bmf</TargetFilename>
-			<TargetFilename condition="end with">.cer</TargetFilename>
-			<TargetFilename condition="end with">.dmp</TargetFilename>
-			<TargetFilename condition="end with">.gpg</TargetFilename>
-			<TargetFilename condition="end with">.htm</TargetFilename>
-			<TargetFilename condition="end with">.html</TargetFilename>
-			<TargetFilename condition="end with">.json</TargetFilename>
-			<TargetFilename condition="end with">.jsp</TargetFilename>
-			<TargetFilename condition="end with">.key</TargetFilename>
-			<TargetFilename condition="end with">.mof</TargetFilename>
-			<TargetFilename condition="end with">.ocx</TargetFilename>
-			<TargetFilename condition="end with">.p7b</TargetFilename>
-			<TargetFilename condition="end with">.p12</TargetFilename>
-			<TargetFilename condition="end with">.pem</TargetFilename>
-			<TargetFilename condition="end with">.pfx</TargetFilename>
-			<TargetFilename condition="end with">.pgp</TargetFilename>
-			<TargetFilename condition="end with">.php</TargetFilename>
-			<TargetFilename condition="end with">.ppk</TargetFilename>
-			<TargetFilename condition="end with">.war</TargetFilename>
-			<TargetFilename condition="end with">.xml</TargetFilename>
-		</FileCreate>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
-	<RuleGroup name="RG=RegistryEvent Include Group" groupRelation="or">
-		<RegistryEvent onmatch="include">
-			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
-			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
-
-			<!--MITRE ATT&CK TACTIC: Resource Development-->
-			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
-
-			<!--MITRE ATT&CK TACTIC: Initial Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<Rule name="Forensic=RDP Connection History Tracking" groupRelation="and">
-				<TargetObject condition="contains">\Software\Microsoft\Terminal Server Client</TargetObject>
-				<TargetObject condition="excludes">DefaultPrinter</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">MountedDevices</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Mountpoints2</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Active Setup\Installed Components</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\</TargetObject>
-				<TargetObject condition="end with">LoggedOnUser</TargetObject>
-			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">LastLoggedOnUser</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">LastLoggedOnProvider</TargetObject>
-			<!--MITRE ATT&CK TACTIC: Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
-			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Suspicious Set Value of MSDT in Registry: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<TargetObject condition="begin with">HKCR\ms-msdt\</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Scripted Diagnostics Turn Off Check Enabled: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
-			<!--MITRE ATT&CK TECHNIQUE: Native API-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: System Services-->
-			<Rule name="Attack=T1543.003,Tactic=Persistence,Technique=Create Windows Service,Level=3,Alert=New SVCHost service,Risk=70" groupRelation="and">
-				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost</TargetObject>
-				<TargetObject condition="excludes">\print\</TargetObject>
-				<TargetObject condition="excludes">\AzureAttestService\CoInitializeSecurityParam</TargetObject>
-				<Image condition="excludes">C:\$WINDOWS.~BT\</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=VBA Project Object Model Macro Settings,Risk=30" groupRelation="and">
-				<TargetObject condition="end with">\AccessVBOM</TargetObject>
-				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=VBA Project VBA Warnings Macro Setting Change,Risk=40" groupRelation="and">
-				<TargetObject condition="end with">Security\VBAWarnings</TargetObject>
-				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=VBA Project VBA Warnings Macro Setting Change,Risk=40" groupRelation="and">
-				<TargetObject condition="end with">Security\VBAWarnings</TargetObject>
-				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Potential Office Macro Execution Detected" groupRelation="and">
-				<Image condition="contains any">EXCEL.exe;WINWORD.exe</Image>
-				<TargetObject condition="contains any">{8BD21D32-EC42-11CE-9E0D-00AA006002F3};{5B9D8FC8-4A71-101B-97A6-00000B65C08B}</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: User Execution: Malicious File-->
-			<Rule name="Attack=T0000,Level=4,Alert=NJRAT Detection,Risk=100" groupRelation="and">
-				<TargetObject condition="is">HKCU\di</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">HKCU\�</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\AMSI\Providers\</TargetObject>
-				<TargetObject condition="begin with">hklm\software\microsoft\windows script\settings\amsienable</TargetObject>
-				<TargetObject condition="begin with">hkcu\software\microsoft\windows script\settings\amsienable</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
-
-			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">Google\Chrome\Extensions</TargetObject>
-				<TargetObject condition="end with">update_url</TargetObject>
-				<EventType condition="is">SetValue</EventType>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">ForcePasswordReset</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
-				<TargetObject condition="end with">Last Password Change</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
-				<TargetObject condition="end with">Account Expiration</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
-				<TargetObject condition="end with">Last Failed Logon</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\0000022B\</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<TargetObject name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Alert=Process Injection: injecting a 64-bit DLL into a 32-bit process" condition="contains">SOFTWARE\Microsoft\Wow64\x86\</TargetObject> <!-- http://www.hexacorn.com/blog/2019/07/11/beyond-good-ol-run-key-part-108-2/ -->
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Reg Keys,Risk=70" groupRelation="and">
-				<EventType condition="is">SetValue</EventType>
-				<TargetObject condition="contains">\CurrentVersion\Run\</TargetObject>
-				<Image condition="excludes">Add_exclusions_here</Image>
-			</Rule>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Microsoft\System\Scripts</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Windows\System\Scripts</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Command Line parameters" condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=1,Desc=Service Start Mode Changed to: Boot" groupRelation="and">
-				<TargetObject condition="end with">\Start</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=1,Desc=Service Start Mode Changed to: System" groupRelation="and">
-				<TargetObject condition="end with">\Start</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details>
-			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=1,Desc=Service Start Mode Changed to: Automatic" groupRelation="and">
-				<TargetObject condition="end with">\Start</TargetObject>
-				<Details condition="contains">DWORD (0x00000002)</Details>
-			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: Manual" groupRelation="and">
-				<TargetObject condition="end with">\Start</TargetObject>
-				<Details condition="contains">DWORD (0x00000003)</Details>
-			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: Disabled" groupRelation="and">
-				<TargetObject condition="end with">\Start</TargetObject>
-				<Details condition="contains">DWORD (0x00000004)</Details>
-			</Rule>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Services and autoruns imagepath" condition="end with">\ImagePath</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Windows Service DLL changes" condition="end with">\ServiceDll</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Manifest pointing to service's DLL" condition="end with">\ServiceManifest</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hkcu\software\microsoft\windows nt\currentversion\windows\run\</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\common startup</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\startup</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hklm\software\microsoft\command processor\autorun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="contains all">hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="contains">Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Print Processors-->
-			<TargetObject name="Attack=T1013,Technique=Port Monitors,Tactic=Persistence/Privilege Escalation" condition="contains">\Print\Monitors</TargetObject>
-			<!--<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Printers\Connections</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Print\Environments\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Servers\Printers\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Print\V4 Connections</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CurrentVersion\PrinterPorts</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">SWD\PRINTENUM</TargetObject>-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
-			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
-			<Rule name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Level=0,Desc=New user created,Risk=40" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
-				<TargetObject condition="excludes">$</TargetObject>
-				<EventType condition="is">CreateKey</EventType>
-			</Rule>
-			<Rule name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Level=0,Desc=Hidden New user created,Risk=40" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
-				<TargetObject condition="contains">$</TargetObject>
-				<EventType condition="is">CreateKey</EventType>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=Sysmon Manifest change detected,Risk=30" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}</TargetObject>
-				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
-				<Image condition="excludes">C:\Programdata\sysmon\sysmon64.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor Endpoint Protocol Handlers" groupRelation="and">
-				<TargetObject condition="begin with">HKCR\</TargetObject>
-				<TargetObject condition="end with">(Default)</TargetObject>
-				<TargetObject condition="excludes">\shell\open\command\(Default)</TargetObject>
-				<Details condition="begin with">URL:</Details>
-			</Rule>
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor User Protocol Handlers" groupRelation="and">
-				<TargetObject condition="begin with">HKCU\Software\Classes\</TargetObject>
-				<TargetObject condition="end with">(Default)</TargetObject>
-				<TargetObject condition="excludes">\shell\open\command\(Default)</TargetObject>
-				<Details condition="begin with">URL:</Details>
-			</Rule>
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor Endpoint File Associations" groupRelation="and">
-				<TargetObject condition="begin with">HKCR\</TargetObject>
-				<TargetObject condition="end with">\shell\open\command\(Default)</TargetObject>
-				<Details condition="contains">%1</Details>
-			</Rule>
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor User Default File Associations" groupRelation="and">
-				<TargetObject condition="begin with">HKCU\Software\Classes\</TargetObject>
-				<TargetObject condition="end with">\shell\open\command\(Default)</TargetObject>
-				<Details condition="contains">%1</Details>
-			</Rule>
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor COM Hijacking" groupRelation="and">
-				<TargetObject condition="end with">\shell\open\command\DelegateExecute</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Accessibility Features-->
-			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,Level=3,Alert=Utilman Priv Escalation,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,Level=3,Alert=sethc.exe Priv Escalation,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Session Manager\KnownDlls</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Outlook Addins" groupRelation="and">
-				<TargetObject condition="contains">Outlook\Addins</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Word Addins" groupRelation="and">
-				<TargetObject condition="contains">Word\Addins</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Excel Addins" groupRelation="and">
-				<TargetObject condition="contains">Excel\Addins</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Powerpoint Addins" groupRelation="and">
-				<TargetObject condition="contains">Powerpoint\Addins</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft VSTO Inclusions" groupRelation="and">
-				<TargetObject condition="contains">Software\Microsoft\VSTO\Security\Inclusion\</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft VSTO Solution Metadata" groupRelation="and">
-				<TargetObject condition="contains">Software\Microsoft\VSTO\SolutionMetadata\</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,Level=0,Desc=CMSTPLUA UAC Bypass" groupRelation="and">
-				<TargetObject condition="contains any">cmmgr32.exe</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="contains">UserInitMprLogonScript</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=BootVerificationProgram Autorun" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Security Support Provider-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<!--Microsoft:Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
-			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,Level=3,Alert=Suspicious Com Object Hijacking Locations,Risk=30" groupRelation="and">
-				<TargetObject condition="contains any">\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)</TargetObject>
-				<Details condition="contains any">C:\Users\Public\;$Recyclebin;\temp\;\Desktop\;\Downloads\;\Content.Outlook\;\Microsoft\Office\</Details>
-				<Details condition="excludes">C:\WINDOWS\SYSTEM32\UpdateDeploy.dll</Details>
-			</Rule>
-			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,Level=1,Desc=Com Object Hijacking Locations,Risk=30" groupRelation="and">
-				<TargetObject condition="contains any">\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)</TargetObject>
-				<Details condition="excludes">C:\WINDOWS\SYSTEM32\UpdateDeploy.dll</Details>
-			</Rule>
-			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,Level=1,Desc=TreatAs/ProgID Friendly Name Com Hijacking Evasion - check for following rundll32 -sta,Risk=30" groupRelation="and">
-				<TargetObject condition="contains any">\ProgID\(Default);\TreatAs\(Default)</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Image File Execution Options Injection-->
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,Level=1,Alert=Image File Execution Options,Risk=30" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject>
-				<TargetObject condition="contains any">Debugger;ReportingMode;MonitorProcess</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,Level=0,Alert=SilentProcessExit Globalflag Set,Risk=75" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject>
-				<TargetObject condition="contains">GlobalFlag</TargetObject>
-				<Details condition="contains">DWORD (0x00000200)</Details> <!--SilentProcessExit Dword Value-->
-			</Rule>
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Alert=SilentProcessExit Process Execution entry,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</TargetObject>
-				<TargetObject condition="contains">MonitorProcess</TargetObject> <!--SilentProcessExit Monitor Process from werfault-->
-			</Rule>
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Alert=SilentProcessExit Reporting Mode Enabled - Check for Child processes of werfault.exe,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</TargetObject>
-				<TargetObject condition="contains">ReportingMode</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details> <!--SilentProcessExit Reporting Mode Enabled-->
-			</Rule>
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Alert=SilentProcessExit Process Added,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit</TargetObject>
-				<EventType condition="is">CreateKey</EventType>
-			</Rule>
-			<Rule name="Attack=T1546,Technique=Event Triggered Execution,Tactic=Persistence,Level=3,Alert=Monitor Runtime Exeption Handler execution on crash,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules\</TargetObject>
-				<Image condition="excludes all">C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{;}\EDGEMITMP_;.tmp\setup.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,Level=3,Alert=New Scheduled Task Created,Risk=80" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
-				<TargetObject condition="end with">SD</TargetObject>
-				<TargetObject condition="excludes any">Microsoft\Windows\UpdateOrchestrator</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
-				<TargetObject condition="end with">ID</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
-				<TargetObject condition="end with">Author</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
-				<TargetObject condition="end with">Path</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
-				<TargetObject condition="end with">Date</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
-			<Rule name="Attack=T0000,Technique=Environment Value Modification,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=Environment Value Modification" groupRelation="and">
-				<EventType condition="is">SetValue</EventType>
-				<TargetObject condition="contains">\Environment\</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism: Bypass User Account Control-->
-			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,Level=4,Alert=UAC Disablement Detected" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,Level=4,Alert=ConsentPromptBehaviorAdmin Disablement Detected" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,Level=4,Alert=PromptOnSecureDesktop Disablement Detected" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
-			<TargetObject name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe</TargetObject>
-			<TargetObject name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">exefile\shell\runas\command\isolatedCommand</TargetObject>			
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Hidden</TargetObject>
-			<Rule name="Attack=T1564.002,Technique=Hide Artifacts: Hidden Users,Tactic=Defense Evasion,Level=4,Alert=User Account Hidden From Logon Screen,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\</TargetObject>
-				<TargetObject condition="end with">$</TargetObject>
- 				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
-			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=4,Alert=Stealth Sysmon Change Detected,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters</TargetObject>
-				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
-				<Image condition="excludes">C:\Programdata\sysmon\sysmon64.exe</Image>
-				<!--Customize: Add your configuration dir above-->
-			</Rule>
-			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Modification to System Exploit Protection,Risk=30" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel</TargetObject>
-				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
-			</Rule>
-			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Modification to Per-Process Exploit Protection,Risk=30" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
-				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
-				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmcompute.exe\0\MitigationOptions</TargetObject>
-				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmwp.exe\0\MitigationOptions</TargetObject>
-				<Image condition="excludes">msiexec.exe</Image>
-				<Image condition="excludes">TiWorker.exe</Image>
-			</Rule>
-			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Modification to WOW64 Per-Process Exploit Protection Mitigation Options,Risk=30" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
-				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
-				<Image condition="excludes">C:\Program Files\Microsoft Office 15\root\integration\integrator.exe</Image>
-				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acro</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="end with">DisableTaskMgr</TargetObject>
-				<Image condition="excludes">C:\WINDOWS\system32\svchost.exe</Image>
-				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,Level=4,Alert=Driver Altitude Change Detected - Causes Driver load failure on boot" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\</TargetObject>
-				<TargetObject condition="contains all">\Instances\;Altitude</TargetObject>
-				<TargetObject condition="is not">HKLM\System\CurrentControlSet\Services\CldFlt\Instances\CldFlt\Altitude</TargetObject>
-				<EventType condition="is">SetValue</EventType>
-			</Rule>
-			<!--Detect Malware & Unauthorized Changes to Outlook, Excel, Powerpoint, and Access Security to enable execution of scripts/Macros -->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=All Office Macros Enabled!,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">\Security\Level</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=1,Desc=Notifications for all macros,Risk=50" groupRelation="and">
-				<TargetObject condition="contains">\Security\Level</TargetObject>
-				<Details condition="contains">DWORD (0x00000002)</Details>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=Notifications for digitally signed macros - all other macros disabled,Risk=0" groupRelation="and">
-				<TargetObject condition="contains">\Security\Level</TargetObject>
-				<Details condition="contains">DWORD (0x00000003)</Details>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=All Office Macros Disabled without notification,Risk=0" groupRelation="and">
-				<TargetObject condition="contains">\Security\Level</TargetObject>
-				<Details condition="contains">DWORD (0x00000004)</Details>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">\Outlook\Security</TargetObject>
-				<!--Allow Outlook Details rules to fire-->
-				<TargetObject condition="excludes">\Security\Level</TargetObject>
-			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Word\Security</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Excel\Security</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Security\Level1Remove</TargetObject>
-			<!--Detect if Microsoft Security Center is Disabled or Enabled-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\HideSCAHealth</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
-			<!--Detect if Windows Defender is Disabled-->
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPSessionInterval</TargetObject>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SystemRestorePointCreationFrequency</TargetObject>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Detected disablement of machine password,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable Windows Event Logging-->
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Windows Event Log Source,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
-				<TargetObject condition="end with">\Enabled</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
-				<TargetObject condition="end with">\Enabled</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
-				<TargetObject condition="excludes">\Enabled</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging</TargetObject>
-				<TargetObject condition="end with">\EnableScriptBlockLogging</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging</TargetObject>
-				<TargetObject condition="end with">\EnableScriptBlockLogging</TargetObject>
-				<EventType condition="is any">DeleteKey;DeleteValue</EventType>
-			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of cmdline Event Logging,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">hklm\software\microsoft\windows\currentversion\policies\system\audit</TargetObject>
-				<TargetObject condition="end with">\ProcessCreationIncludeCmdLine_Enabled</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of cmdline Event Logging,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">hklm\software\microsoft\windows\currentversion\policies\system\audit</TargetObject>
-				<TargetObject condition="end with">\ProcessCreationIncludeCmdLine_Enabled</TargetObject>
-				<EventType condition="is any">DeleteKey;DeleteValue</EventType>
-			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Eventlog Security Descriptor Modification,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\Eventlog</TargetObject>
-				<TargetObject condition="end with">\CustomSD</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=0,Desc=Eventlog Size Modification,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\Eventlog</TargetObject>
-				<TargetObject condition="end with">\MaxSize</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">globallyopenports</TargetObject>
-			</Rule>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Monitor Firewall Enablement or Disablement" condition="end with">EnableFirewall</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
-
-			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=ETWEnabled Env Tampering,Risk=70" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\.NETFramework\ETWEnabled</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=Usagelog Tampering,Risk=70" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\.NETFramework\NGenAssemblyUsageLog</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=Usagelog Env Tampering,Risk=70" groupRelation="and">
-				<EventType condition="is">SetValue</EventType>
-				<TargetObject condition="contains">\Environment\NGenAssemblyUsageLog</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=COMPlus_ETWEnabled Env Tampering,Risk=70" groupRelation="and">
-				<EventType condition="is">SetValue</EventType>
-				<TargetObject condition="contains">\Environment\COMPlus_ETWEnabled</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
-			<Rule name="Forensic=Regedit history Detection,Risk=30" groupRelation="and">
-				<TargetObject condition="end with">\LastKey</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">SymbolicLinkValue</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer</TargetObject>
-				<Image condition="contains any">\AppData\;\ProgramData\;\Temp\;C:\users</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">&#x202e;</TargetObject>
-			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg</TargetObject>
-
-			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains any">\Software\Policies\Microsoft\SystemCertificates\;\SOFTWARE\Microsoft\EnterpriseCertificates\;HKLM\SOFTWARE\Microsoft\SystemCertificates\;HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
-				<EventType condition="is not">CreateKey</EventType>
-				<Image condition="excludes">C:\WINDOWS\Sysmon64.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\Sysmon.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\system32\certsrv.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\system32\CompatTelRunner.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\system32\svchost.exe</Image>
-				<Image condition="excludes">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
-				<Image condition="excludes">C:\Windows\system32\SearchProtocolHost.exe</Image>
-				<Image condition="excludes">C:\Windows\system32\taskhost.exe</Image>
-				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\System32\DriverStore\FileRepository\asus</Image>
-				<Image condition="excludes">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image>
-				<Image condition="excludes">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</Image>
-				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe</Image>
-			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">fDenyTSConnections</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Terminal Server\WinStations\RDP-Tcp</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">RDP-tcp\PortNumber</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
-			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">&#xfffd;</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains any">Й;ќ;Л;я;К</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
-			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
-			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
-			<TargetObject name="Attack=T1109,Technique=Component Firmware,Tactic=Defense Escalation/Persistence,Level=0,Desc=Detect ACPI Rootkits" condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject> <!--Detect ACPI Rootkits -->
-			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
-			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
-			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
-
-			<!--MITRE ATT&CK TACTIC: Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
-			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
-			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
-			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
-			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials: Credentials in Registry-->
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Account Name</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Display Name</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Email</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP User</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP User</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\MAPI Provider</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 User</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP User</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Desc=Credentials in Registry,Level=0,Desc=Credentials in Registry: Domain" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Desc=Credentials in Registry,Level=0,Desc=Credentials in Registry: Username" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 1,Risk=70" condition="contains">SecurityPasswordAES</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 2,Risk=70" condition="contains">OptionsPasswordAES</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 3,Risk=70" condition="contains">SecurityPasswordExported</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 4,Risk=70" condition="contains">PermanentPassword</TargetObject>
-			<!--MITRE ATT&CK TACTIC: Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
-			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-
-			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
-
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-
-			<!--MITRE ATT&CK TACTIC: Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
-			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
-			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
-
-			<!--MITRE ATT&CK TACTIC: Command and Control-->
-			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
-			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
-			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\GitForWindows</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
-			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
-
-			<!--MITRE ATT&CK TACTIC: Exfiltration-->
-
-			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
-			<!--MITRE ATT&CK TACTIC: Impact-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
-			<Rule name="Attack=T1531,Technique=Account Access Removal,Tactic=Impact,Level=1,Desc=User Account Deleted" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
-				<EventType condition="is">DeleteKey</EventType>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
-			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
-			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
-			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
-			<Rule name="Attack=T1485,Technique=Inhibit System Recovery,Tactic=Impact,Level=0,Desc=VSS Disablement Detection,Risk=70" groupRelation="and">
-				<TargetObject condition="contains">\Services\VSS\Diag\(Default)</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
-			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
-			<!-- UEBA/Uncategorized Detections-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters</TargetObject>
-			</Rule>
-			<Rule name="Forensic=Regedit history Detection,Risk=30" groupRelation="and">
-				<TargetObject condition="end with">\LastKey</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="end with">\WinStationsDisabled</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="end with">\TSServerDrainMode</TargetObject>
-			</Rule>
-			<Rule name="Forensic=IE history Detection" groupRelation="and">
-				<TargetObject condition="end with">\TypedURLs</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\disabledcomponents</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Linkage\Bind</TargetObject>
-				<Details condition="excludes">Binary Data</Details>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">services\http\parameters\urlaclinf</TargetObject>
-			</Rule>
-			<Rule name="Forensic=Adobe Recent File List History" groupRelation="and">
-				<TargetObject condition="contains">cRecentFiles\c1\</TargetObject>
-				<TargetObject condition="end with">tDIText</TargetObject>
-			</Rule>
-			<Rule name="Forensic=Office History MRU" groupRelation="and">
-				<TargetObject condition="end with">\File MRU\Item 1</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHash</TargetObject>
-			</Rule>
-			<!--Common Malware Persistence locations-->
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Windows\Load</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Windows\Run</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Winlogon\Shell</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Winlogon\System</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			<TargetObject name="Attack=T1562.006,Technique=Impair Defenses: Indicator Blocking,Tactic=Defense Evasion,Level=0,Desc=ETW Tampering,Risk=70" condition="end with">SOFTWARE\Microsoft\.NETFramework\ETWEnabled</TargetObject>
-			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=2,Alert=AutoRun Keys,Risk=70" condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Policies\System\Shell</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">PreferenceMACs\Default\extensions.settings</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CurrentVersion\URL</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\CurrentVersion\Font Drivers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Active Setup\Installed Components</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">NullSessionShares</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">NullSessionPipes</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">PasswordExpiryNotification</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">SafeBoot\AlternateShell</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Desktop\Scrnsave.exe</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DisplayVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\ModifyPath</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Microsoft\Windows\CurrentVersion\Uninstall\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\UninstallString</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
-			<!--CLSID launch commands and file association changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Explorer\FileExts\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
-			<TargetObject name="Forensic=User SID History for Forensics" condition="end with">\ProfileImagePath</TargetObject><!--Lets Get SID History and other info for Forensics, this is created on logon-->
-			<!--Windows shell hijack-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Hidden</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\HideFileExt</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SharedTaskScheduler</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ColumnHandlers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\CopyHookHandlers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ExtShellFolderViews</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\PropertySheetHandlers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ShellServiceObjects</TargetObject>
-			<!--AppPaths hijacking-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<!--Terminal service boobytraps-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
-			<!--Group Policy interity-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
-			<!--Winsock and Winsock2-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DisableSecuritySettingsCheck</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">SavedLegacySettings</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">EnableConsoleTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">EnableFileTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<!--Credential providers-->
-			<TargetObject name="Attack=T1177,Tactic=Execution/Persistence,Technique=LSASS Driver,Level=3,Alert=Detection of Modification of LSASS Protection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
-			<!--Networking-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
-			<TargetObject name="Forensic=Monitor Network History" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
-			<!--DLLs that get injected into every process launch-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
-			<!--Office-->
-			<!--Microsoft Office-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Office Test\</TargetObject> <!-- [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
-			<!--Removed addins on 11/13/2018 due to high count-->
-			<!--IE-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
-			<!--Magic registry keys-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
-			<!--Infection artifacts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and component installations-->
-			<!--Windows internals integrity monitoring-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">TamperProtection</TargetObject> <!--Microsoft:Defender: Detect changes to Defender TamperProtection -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
-			<!--Group Policy Scripts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
-			<!--Detect Network History-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Nameserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DefaultGateway</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">}\Category</TargetObject><!--Networking: Detect Network type change-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Trusted Documents\TrustRecords</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Software\Microsoft\VBA\7.1\Common</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Software\Microsoft\VBA\7.1\Trusted</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Security\DontTrustInstalledFiles</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Security\Trusted Locations</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Security\ProtectedView\DisableInternetFilesInPV</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Security\ProtectedView\DisableAttachmentsInPV</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Security\ProtectedView\DisableUnsafeLocationsInPV</TargetObject>
-			<TargetObject name="Forensic=WinRAR History" condition="contains">Software\WinRAR\ArcHistory</TargetObject>
-			<TargetObject name="Forensic=Winzip History" condition="contains">WinZip\mru\</TargetObject>
-			<TargetObject name="Forensic=Misc Recent File List History" condition="contains">Recent File List</TargetObject>
-			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Inbox</TargetObject>
-			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\Today\UserDefinedUrl</TargetObject>
-			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Calendar Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Calendar</TargetObject>
-			<TargetObject name="Forensic=Office History" condition="contains">\Place MRU</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\LinkDate</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DriverVerVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DriverVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\LowerCaseLongPath</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Publisher</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Compatibility Assistant\Store\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\BinProductVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Root\InventoryApplicationShortcut\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Root\InventoryDriverBinary\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Root\InventoryDeviceContainer\</TargetObject>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">Root\InventoryApplication\</TargetObject>
-				<TargetObject condition="contains any">ProgramID;Name;Version;Publisher;Language;InstallDate;Source;RootDirPath;HiddenArp;UninstallString;RegistryKeyPath;UserSID;sha256</TargetObject>
-			</Rule>			
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">Root\InventoryApplicationFile\</TargetObject>
-				<TargetObject condition="contains any">ProgramId;FileId;LowerCaseLongPath;Name;OriginalFileName;Publisher;Version;binfileversion;LinkDate;Size;Language;USN;IsPeFile;IsOsComponent;sha256;AppxPackageFullName</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">Root\InventoryApplicationAppV\</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains any">Root\InventoryMiscellaneousOfficeAddIn;Root\InventoryMiscellaneousOfficeIdentifiers;Root\InventoryMiscellaneousOfficeIESettings;Root\InventoryMiscellaneousOfficeInsights;Root\InventoryMiscellaneousOfficeProducts;Root\InventoryMiscellaneousOfficeSettings;Root\InventoryMiscellaneousOfficeVBA;Root\InventoryMiscellaneousOfficeVBARuleViolations</TargetObject>
-			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Explorer\MountPoints2</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices</TargetObject>
-			<Rule name="Attack=T1489,Technique=Service Stop,Tactic=Impact,Level=1,Desc=Service Set for Deletion" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\DeleteFlag</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details>
-			</Rule>
-			<!--Detect User Activity-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\bluetooth</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\contacts</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\hunmanInterfaceDevice</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\location</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\microphone</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\usb\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\webcam</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">LastVisitedMRU</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
-			<TargetObject name="Forensic=Run MRU" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
-			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=4,Alert=Safeboot Service Added" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject> <!--Mitre T1198-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject><!--Mitre T1198-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> 
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\FriendlyName</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
-			<!--Windows application compatibility shims-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
-			<!-- NOTICE: Detect New USB Network Devices: Poison Tap: Creates lots of noise, disabled for now-->
-			<Rule name="Alert=Detect PoisonTap,FP=2,Comment=May be noisy" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
-				<Details condition="contains any">ndis;rndis</Details>
-			</Rule>
-			<TargetObject name="Attack=T1090,Technique=Connection Proxy,Tactic=Defense Evasion,Level=0,Desc=NetSH PortProxy Detected" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4</TargetObject>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Alert=Possible Ursniff Malware Detected,FP=1" groupRelation="and">
-				<TargetObject condition="contains">\Software\AppDataLow\Software\Microsoft\</TargetObject>
-				<Details condition="contains any">.exe;.dll;powershell;wmic</Details>
-			</Rule>
-			<TargetObject name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=4,Alert=Office Persistence Location,Risk=70" condition="end with">Software\Microsoft\Office test\Special\Perf</TargetObject>
-			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\CurrentControlSet\Services\NTDS\LsaDbExtPt</TargetObject>
-			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\Services\NTDS\DirectoryServiceExtPt</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=GoToMyPC File Transfer History,Risk=70" condition="contains">GoToMyPc\FileTransfer\history</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=GoToMyPC Guest Invite,Risk=70" condition="contains">GoToMyPc\GuestInvite</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=LogMeIn File Transfer Recipient" condition="contains">Filesharing</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=LogMeIn Guest Recipient" condition="contains">DesktopSharing</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=Teamviewer LogIncomingConnections Registry Key modification" condition="contains">LogIncomingConnections</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=Teamviewer LogOutgoingConnection Registry Key modification" condition="contains">LogOutgoingConnections</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=Teamviewer Password Registry Key date" condition="contains">PermanentPasswordDate</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=4,Alert=Teamviewer adminrights Key modification,Risk=70" condition="contains">Security_Adminrights</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=3,Alert=VNC Incoming Connection History,Risk=70" condition="contains">vncviewer\MRU</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Autostart Key modification" condition="contains">Autostart_GUI</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Meeting Username Registry Key modification" condition="end with">Meeting_UserName</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Persistence Login Name" condition="end with">BuddyLoginName</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Persistence Token ID modification" condition="end with">BuddyLoginTokenID</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer persistence Key modification" condition="contains">Always_Online</TargetObject>
-			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Potential Ransomware Indicator: EnableLinkedConnections Registry key,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\CurrentVersion\Policies\System\EnableLinkedConnections</TargetObject>
-			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Potential Ransomware Indicator: REvil Sodinokibi Sodin Ransomware,Risk=100" condition="contains">Software\recfg</TargetObject>
-			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Preload\</TargetObject>
-			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Substitutes\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\</TargetObject> 
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Client\Enabled</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Server\Enabled</TargetObject>
-			<TargetObject name="Forensic=Kitty Sessions,Risk=30" condition="contains">Kitty\Sessions</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
-			<TargetObject name="Forensic=Putty Sessions,Risk=30" condition="contains">PuTTY\Sessions</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Terminal Server Client\Servers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">WinSCP 2\Sessions</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">WinSCP 2\Sessions</TargetObject>
-		</RegistryEvent>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
-	<!--EVENT 15: "File stream created"-->
-	<RuleGroup name="RG=ADS Include Group" groupRelation="or">
-		<FileCreateStreamHash onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
-				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.vbs;.hta</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=HTML_Smuggling,Risk=50" groupRelation="and">
-				<TargetFilename condition="end with">:Zone.Identifier</TargetFilename>
-				<Contents condition="contains any">blob:;about:internet</Contents>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=FireEye sunburst file hashes,Risk=100" groupRelation="and">
-				<Hash condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hash><!-- exclude non executable files -->
-			</Rule>
-			<Rule name="Attack=T1096,Technique=Alternate Data Streams,Tactic=Defense Evasion,Level=0,Desc=Alternate Data Streams,Risk=10" groupRelation="and">
-				<TargetFilename condition="contains any">Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonEnte Detection,Level=4,Risk=100" groupRelation="and">
-				<Hash condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hash>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonQuiet Detection,Level=4,Risk=100" groupRelation="and">
-				<Hash condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hash>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SharpEvtMute Detection,Level=4,Risk=100" groupRelation="and">
-				<Hash condition="contains">IMPHASH=330768a4f172e10acb6287b87289d83b</Hash>
-			</Rule>
-		</FileCreateStreamHash>
-	</RuleGroup>
-	<RuleGroup name="RG=ADS Exclude Group" groupRelation="or">
-		<FileCreateStreamHash onmatch="exclude">
-			<Hash condition="contains">IMPHASH=00000000000000000000000000000000</Hash>
-			<TargetFilename condition="contains">AppData\Local\Microsoft\Windows\AppCache\</TargetFilename>
-			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\</TargetFilename>
-			<TargetFilename condition="contains">\Microsoft\Windows\Temporary Internet Files\Content.IE5</TargetFilename> 
-			<TargetFilename condition="contains">\Mozilla\Firefox\Profiles\</TargetFilename>
-			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename>
-			<TargetFilename condition="end with">Microsoft\Windows\Start Menu\Programs\Startup</TargetFilename>
-		</FileCreateStreamHash>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
-	<!--EVENT 16: "Sysmon config state changed"-->
-	<!--COMMENT:	This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16-->
-	<!--DATA: RuleName, UtcTime, Configuration, ConfigurationFileHash-->
-	<!--Cannot be filtered.-->
-
-	<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent]-->
-	<!--EVENT 17: "Pipe Created"-->
-	<!--EVENT 18: "Pipe Connected"-->
-	<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
-	<RuleGroup name="RG=PipeEvent Include Group" groupRelation="or">
-		<PipeEvent onmatch="include">
-			<Rule name="Attack=T1071,Technique=Application Layer Protocol,Tactic=Command and Control,Level=4,Alert=Cobalt Strike named pipe detected,Risk=100" groupRelation="and">
-				<PipeName condition="contains any">msagent_;\MSSE-;postex;\status_</PipeName>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=NA,Level=4,Alert=Turla Advanced Persistent Threat Named Pipe Detection,Risk=100" groupRelation="and">
-				<PipeName condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
-			</Rule>
-			<Rule name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,Level=4,Alert=lateral movement: psexec named pipe detected" groupRelation="or">
-				<PipeName condition="contains">\PSEXESVC</PipeName>
-				<PipeName condition="end with">-stdin</PipeName>
-				<PipeName condition="end with">-stdout</PipeName>
-			</Rule>
-			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=MS-SCMR Execution" groupRelation="or">
-				<PipeName condition="contains">\svcctl</PipeName>
-			</Rule>
-			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=NTSVCS Execution" groupRelation="or">
-				<PipeName condition="contains">\ntsvcs</PipeName>
-			</Rule>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=9f81f59bc58452127884ce513865ed20 Named Pipe Detection,Risk=100" condition="contains">\9f81f59bc58452127884ce513865ed20</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=46a676ab7f179e511e30dd2dc41bd388 Named Pipe Detection,Risk=100" condition="contains">\46a676ab7f179e511e30dd2dc41bd388</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Kekeo Named Pipe Detection,Risk=100" condition="contains">tssmp_endpoint</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=NamePipe_MoreWindows Named Pipe Detection,Risk=100,Risk=100" condition="contains">\NamePipe_MoreWindows</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=WCEServicePipe detected,Risk=100" condition="contains">\WCEServicePipe</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=ahexec Named Pipe Detection,Risk=100" condition="contains">\ahexec</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=cachedump detected,Risk=100" condition="contains">\cachedumppipe</PipeName><!-- Credits @9f81f59bc58452127884ce513865ed20Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=csexec Named Pipe Detection,Risk=100" condition="contains">\csexec</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=e710f28d59aa529d6792ca6ff0ca1b34 Named Pipe Detection,Risk=100" condition="contains">\e710f28d59aa529d6792ca6ff0ca1b34</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_dg2 Named Pipe Detection,Risk=100" condition="contains">\isapi_dg</PipeName><!-- Credits @Cyb3rops & @olafhartong-->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100" condition="contains">\isapi_http</PipeName><!-- Credits @Cyb3rops & @olafhartong-->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100" condition="contains">\isapi_http</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=lsadump detected,Risk=100" condition="contains">\lsadump</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=lsassw Named Pipe Detectio,Risk=10" condition="contains">\lsassw</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=paexec Named Pipe Detection,Risk=100" condition="contains">\paexec</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=pcheap_reuse Named Pipe Detection" condition="contains">\pcheap_reuse</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Covanant C2 Named Pipe Detection" condition="contains">\gruntsvc</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=remcom Named Pipe Detection,Risk=100" condition="contains">\remcom</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=rpchlp_3 Named Pipe Detection,Risk=100" condition="contains">\rpchlp_3</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=sdlrpc Named Pipe Detection,Risk=100" condition="contains">\sdlrpc</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=winsession Named Pipe Detection,Risk=100" condition="contains">\winsession</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,Alert=lateral movement -meterpreter named pipe detected,Risk=100" condition="contains">msf-pipe</PipeName>
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\atsvc</PipeName> <!-- useful for lm or exec over atsvc namedpipe -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 1" condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\DserNamedPipe;\mypipe-;\windows.update.manager;\ntsvcs_;scerpc_;\demoagent;\PGMessagePipe;\MsFTeWds;\f4c3;\fullduplex_;\msrpc_;\f53f;\rpc_;\spoolss_;\win_svc;\SearchTextHarvester</PipeName>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=EFSPotato Named Pipe Detection" groupRelation="and">
-				<PipeName condition="contains any">\pipe\</PipeName>
-				<PipeName condition="excludes">CtxSharefilepipe0</PipeName>
-			</Rule>
-			<!-- Noisy
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\srvsvc</PipeName>
-			-->
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\winreg</PipeName> <!-- useful for lateral movement and users enumeration, psloggedon use this technique -->
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Anonymous Pipe</PipeName><!--Include Everything else to mark above rules-->
-			<!--Include Everything else to mark above rules-->
-			<!-- Disabled for now
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\</PipeName>
-			-->
-		</PipeEvent>
-	</RuleGroup>
-	<RuleGroup name="RG=PipeEvent Exclude Group" groupRelation="or">
-		<PipeEvent onmatch="exclude">
-		<EventType name="Exclude ConnectPipe for noise reduction" condition="is">ConnectPipe</EventType>
-		<!--COMMENT: Exclude known-good pipe users-->
-				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
-				<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
-			<!--SECTION: Microsoft-->
-			<PipeName condition="contains">lsass</PipeName>
-			<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
-			<PipeName condition="is">\spoolss</PipeName>
-			<Image condition="image">C:\Windows\system32\wbem\wmiprvse.exe</Image> <!-- Rediculous amount of spam, likely spikes cpu if logged -->
-			<Image condition="image">C:\Windows\System32\LxRun.exe</Image> <!--WSL-->
-			<Image condition="image">C:\Windows\System32\SearchIndexer.exe</Image>
-			<Image condition="image">C:\Windows\System32\smss.exe</Image>
-			<Image condition="image">C:\Windows\System32\spoolsv.exe</Image>
-			<Image condition="image">C:\Windows\System32\wininit.exe</Image>
-			<Image condition="image">C:\Windows\system32\DFSRs.exe</Image>
-			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
-			<Rule name="ngen excludes" groupRelation="and">
-				<Image condition="begin with">C:\Windows\Microsoft.NET\Framework</Image>
-				<Image condition="end with">\ngen.exe</Image>
-			</Rule>
-			<Rule name="ShellExperienceHost excludes" groupRelation="and">
-				<Image condition="begin with">C:\Windows\SystemApps\ShellExperienceHost_</Image>
-				<Image condition="end with">\ShellExperienceHost.exe</Image>
-			</Rule>
-			<Image condition="image">C:\Windows\system32\SearchProtocolHost.exe</Image>
-			<Image condition="image">\System</Image>
-			<PipeName condition="contains">ProtectedPrefix\LocalService\FTHPIPE</PipeName>
-			<!--SECTION: Microsoft Exchange Server -->
-			<Image condition="contains">Exchange Server</Image>
-			<!--SECTION: Microsoft IIS -->
-			<Image condition="image">C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE</Image>
-			<Image condition="image">C:\Windows\syswow64\snmp.exe</Image>
-			<Image condition="image">c:\windows\system32\inetsrv\w3wp.exe</Image>
-			<PipeName condition="begin with">\M.E.C.Core.WinRMDataCommunicator.NamedPipe.</PipeName>
-			<!--SECTION: Microsoft DNS Server -->
-			<Image condition="image">C:\Windows\system32\dns.exe</Image>
-			<!--SECTION: Microsoft SQL Server -->
-			<PipeName condition="is">\sql\query</PipeName>
-			<Image condition="image">C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe</Image>
-			<PipeName condition="contains">\TDLN-</PipeName>
-			<PipeName condition="contains">vmware-</PipeName>
-			<PipeName condition="is">\InitShutdown</PipeName>
-			<PipeName condition="is">\MsFteWds</PipeName>
-			<PipeName condition="is">\W32TIME_ALT</PipeName>
-			<PipeName condition="is">\WiFiNetworkManagerTask</PipeName>
-			<PipeName condition="is">\Winsock2CatelogChangeListener</PipeName>
-			<PipeName condition="is">\browser</PipeName>
-			<PipeName condition="is">\epmapper</PipeName>
-			<PipeName condition="is">\eventlog</PipeName>
-			<PipeName condition="is">\scerpc</PipeName>
-			<PipeName condition="is">\wkssvc</PipeName>
-			<PipeName condition="is">\ntapvsrq</PipeName>
-			<PipeName condition="contains">Anonymous Pipe</PipeName>
-		</PipeEvent>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
-	<!--EVENT 19: "WmiEventFilter activity detected"-->
-	<!--EVENT 20: "WmiEventConsumer activity detected"-->
-	<!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->
-	<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
-	<RuleGroup name="RG=WmiEvent Include Group" groupRelation="or">
-		<WmiEvent onmatch="include">
-			<Operation name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="is">Created</Operation>
-		</WmiEvent>
-	</RuleGroup>
-	<!-- SYSMON EVENT ID 22 : DNS Queries-->
-	<RuleGroup name="RG=DNS Query Includes" groupRelation="or">
-		<DnsQuery onmatch="include">
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=Powershell TXT Record exfiltration" groupRelation="and">
-				<QueryResults condition="contains any">type: 16;type:  16</QueryResults>
-				<Image condition="image">powershell.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Powershell,Tactic=Execution,Level=4,Alert=Powershell Connection to github" groupRelation="and">
-				<QueryName condition="contains">github</QueryName>
-				<Image condition="image">powershell.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">powershell;cscript.exe;wscript.exe;mshta.exe;bitsadmin.exe;\cmd.exe</Image>
-				<QueryName condition="contains">.</QueryName>
-			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=Dropbox Cloud Exfiltration" groupRelation="and">
-				<QueryName condition="end with">dropboxapi.com</QueryName>
-				<Image condition="excludes any">\Dropbox\Client\Dropbox.exe;\Dropbox\bin\Dropbox.exe;\Oracle\Java\</Image>
-			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=OneDrive Cloud Exfiltration" groupRelation="and">
-				<QueryName condition="contains">1drv</QueryName>
-				<Image condition="excludes any">\AppData\Local\Microsoft\OneDrive\OneDrive.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;\Internet Explorer\iexplore.exe;C:\Windows\System32\AppHostRegistrationVerifier.exe;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe;C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe;C:\Program Files\Mozilla Firefox\firefox.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=Box.com Cloud Exfiltration" groupRelation="and">
-				<QueryName condition="contains all">.box.com;upload</QueryName>
-			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=Mega.co.nz Cloud Exfiltration" groupRelation="and">
-				<QueryName condition="contains any">mega.nz;mega.co.nz</QueryName>
-			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=Privatlab Cloud Exfiltration" groupRelation="and">
-				<QueryName condition="contains any">privatlab.com</QueryName>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst domains,Risk=100" groupRelation="or">
-				<QueryName condition="contains any">thedoccloud.com;deftsecurity.com;websitetheme.com;highdatabase.com;incomeupdate.com;zupertech.com;panhardware.com;databasegalore.com;avsvmcloud.com;freescanonline.com</QueryName>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
-				<QueryName condition="contains any">tiktok;parler.com;gab.com;mewe.com;4chan;8chan;facebook;fbcdn;twitter;instagram;snapchat</QueryName>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
-				<QueryName condition="contains any">efnet;undernet;freenode;ircnet;.rizon;quakenet;oftc.net;dalnet</QueryName>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<QueryName condition="contains any">.slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com</QueryName>
-			</Rule>
-			<!--Crypto Currency Mining pools-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=10"  groupRelation="or">
-				<QueryName condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.nimpool.io;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool;analytics.blue;estream.to</QueryName>
-			</Rule>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">graph.microsoft.com</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">dl.dropboxusercontent.com</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">api.onedrive.com</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">zoom.us</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">teamviewer</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Screenconnect</QueryName>
-			<!--Public Port Scan Detection-->
-			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery" condition="contains">census</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=ResearchScan DNS Query" condition="contains">researchscan</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=ScanHub DNS Query" condition="contains">scanhub</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=Shadow DNS Query,Risk=20" condition="contains">shadow</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=Shodan.IO DNS Query,Risk=20" condition="contains">shodan</QueryName>
-			<!--Domain TLD's to log-->
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.download</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.kp</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.su</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ss</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xn</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sy</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ve</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xxx</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.cn</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.click</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.club</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ir</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ru</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.host</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.icu</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pw</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.website</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ninja</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.rocks</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.top</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ua</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xyz</QueryName>
-			<!--Malware Domains-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<QueryName condition="contains any">kuternull.com;rimrun.com;0ffice36o;asushotfix;infestexe;rahasn.webhop.org;rahasn.akamake.net;rahasn.homewealth.biz;winodwsupdates;israirairlines</QueryName>
-			</Rule>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">githubusercontent.com;github.com</QueryName> 
-			<!--Common Suspicious destinations-->
-			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=0,Desc=Malware IP Check,Risk=30" condition="contains any">api.ipify.org;whatismyipaddress.com;edns.ip-api.com;checkip.dyndns.org;icanhazip.com;ifconfig.me;ifconfig.co;ipaddress.com;ipecho.net;ident.me;api.ip.sb;www.myexternalip.com;ip.anysrc.net;wtfismyip.com;myexternalip.com;ipecho.net;checkip.amazonaws.com;goo.gl;git.io;bit.ly;ow.ly;ip-api.com</QueryName> <!--Malware uses to get external IP address-->
-			<!-- Malicious/Suspicious hosting domains-->
-			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=4,Alert=Common Malware Hosting Domain: Tiny-share.com,Risk=30" condition="contains any">tiny-share.com;paste.ee;pastebin.com</QueryName>
-			<!--Dynamic DNS Lookups-->
-			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=3,Alert=Dynamic DNS Query" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</QueryName>
-			<QueryName name="Attack=T1188,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=4,Alert=Tor2Web,Risk=100" condition="contains any">darknet.to;hiddenservice.net;onion.cab;onion.city;onion.direct;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org</QueryName>
-			<QueryName name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=DNS Over HTTPS Detected" condition="contains any">adblock.mydns.network;ibksturm.synology.me;jcdns.fun;ibuki.cgnat.net;dns.twnic.tw;commons.host;doh.dnswarden.com;dns-nyc.aaflalo.me;dns.aaflalo.me;doh.appliedprivacy.net;doh.captnemo.in;doh.tiar.app;doh.tiarap.org;doh.defaultroutes.de;doh.dns.sb;dns.oszx.co;2.dnscrypt-cert.oszx.co;dnscrypt;edns.233py.com;hk-dns.233py.com;hk2dns.233py.com;hkdns.233py.com;hkdns.233py.com;ndns.233py.com;sdns.233py.com;wdns.233py.com;pastebin.com;dns.adguard.com;dns-family.adguard.com;security-filter-dns.cleanbrowsing.org;family-filter-dns.cleanbrowsing.org;adult-filter-dns.cleanbrowsing.org;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;dns.google;doh.opendns.com;dns.quad9.net;dns9.quad9.net;dns10.quad9.net;dns11.quad9.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;doh-ch.blahdns.com;doh-de.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;doh-2.seby.io;doh.seby.io;rdns.faelix.net;doh.li;doh.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">gc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_kerberos._tcp.dc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_kerberos._udp.dc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">wpad</QueryName>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
-				<QueryName condition="begin with">_ldap.</QueryName>
-				<Image condition="excludes">C:\Windows\</Image>
-				<Image condition="excludes">unknown process</Image>
-				<Image condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</Image>
-			</Rule>
-			<!--
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  28</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  5</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  15</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  2</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  12</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  6</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  99</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  33</QueryResults>
-			-->
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
-		</DnsQuery>
-	</RuleGroup>
-	<RuleGroup name="RG=DNS Query Excludes" groupRelation="or">
-		<DnsQuery onmatch="exclude">
-			<!-- Image Exclusions -->
-			<Image condition="begin with">C:\Program Files (x86)\Admin Arsenal\</Image>
-			<Image condition="begin with">C:\Program Files (x86)\CheckPoint\</Image>
-			<Image condition="begin with">C:\Program Files (x86)\Fortinet\</Image>
-			<Image condition="begin with">C:\Program Files (x86)\OpenDNS\OpenDNS Connector</Image>
-			<Image condition="begin with">C:\Program Files (x86)\Razer\Razer Services\</Image>
-			<Image condition="begin with">C:\Program Files (x86)\Trend Micro\</Image>
-			<Image condition="begin with">C:\Program Files (x86)\VMware</Image>
-			<Image condition="begin with">C:\Program Files (x86)\Veeam\</Image>
-			<Image condition="begin with">C:\Program Files\CheckPoint\</Image>
-			<Image condition="begin with">C:\Program Files\Trend Micro\</Image>
-			<Image condition="end with">Slack.exe</Image>
-			<Image condition="end with">\controls\cef\ConnectWise.exe</Image>
-			<Image condition="end with">git-remote-https.exe</Image>
-			<Image condition="image">C:\Program Files (x86)\Enpass\Enpass.exe</Image>
-			<Image condition="image">C:\Program Files (x86)\Fiserv\Vision\VisionGUI.NET.exe</Image>
-			<Image condition="image">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image>
-			<Image condition="image">C:\Program Files (x86)\Lenovo\System Update\Tvsukernel.exe</Image>
-			<Image condition="image">C:\Program Files\VMware\vCenter Server\jre\bin\java.exe</Image>
-			<Image condition="image">C:\Program Files\VMware\vCenter Server\python\python.exe</Image>
-			<Image condition="image">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
-			<Image condition="image">C:\Windows\System32\dsregcmd.exe</Image>
-			<Image condition="image">C:\Windows\sysmon64.exe</Image>
-			<Image condition="image">C:\Windows\sysmon.exe</Image>
-			<QueryName condition="begin with">brave-sync.s3.dualstack.</QueryName>
-			<QueryName condition="end with">.salesforceliveagent.com</QueryName>
-			<QueryName condition="is">ads-serve.brave.com</QueryName>
-			<!--Network noise-->
-			<QueryName condition="end with">.msftncsi.com</QueryName> <!--Microsoft proxy detection | Microsoft default exclusion-->
-			<QueryName condition="is">..localmachine</QueryName>
-			<!--Microsoft-->
-			<QueryName condition="end with">-pushp.svc.ms</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
-			<QueryName condition="end with">.b-msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
-			<QueryName condition="end with">.bing.com</QueryName> <!-- Microsoft | Microsoft default exclusion -->
-			<QueryName condition="end with">.hotmail.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.live.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.live.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.microsoft.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.microsoftonline.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.microsoftstore.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.ms-acdc.office.com</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
-			<QueryName condition="end with">.msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
-			<QueryName condition="end with">.msn.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.msocdn.com</QueryName> <!--Microsoft-->
-			<QueryName condition="end with">.s-microsoft.com</QueryName> <!--Microsoft-->
-			<QueryName condition="end with">.skype.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.skype.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.windows.com</QueryName> <!--Microsoft-->
-			<QueryName condition="end with">.windows.net.nsatc.net</QueryName> <!--Microsoft-->
-			<QueryName condition="end with">.windowsupdate.com</QueryName> <!--Microsoft-->
-			<QueryName condition="end with">.xboxlive.com</QueryName> <!--Microsoft-->
-			<QueryName condition="is">login.windows.net</QueryName> <!--Microsoft-->
-			<!--Microsoft:Office365/AzureAD-->
-			<QueryName condition="end with">.activedirectory.windowsazure.com</QueryName> <!--Microsoft: AzureAD-->
-			<QueryName condition="end with">.msauth.net</QueryName>
-			<QueryName condition="end with">.msftauth.net</QueryName>
-			<QueryName condition="end with">.opinsights.azure.com</QueryName> <!--Microsoft: AzureAD/InTune client event monitoring-->
-			<QueryName condition="is">management.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
-			<QueryName condition="is">outlook.office365.com</QueryName> <!--Microsoft: Protected by HSTS-->
-			<QueryName condition="is">portal.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
-			<!--3rd-party applications-->
-			<QueryName condition="end with">.mozaws.net</QueryName> <!--Mozilla-->
-			<QueryName condition="end with">.mozilla.com</QueryName> <!--Mozilla-->
-			<QueryName condition="end with">.mozilla.net</QueryName> <!--Mozilla-->
-			<QueryName condition="end with">.mozilla.org</QueryName> <!--Mozilla-->
-			<QueryName condition="end with">.spotify.com</QueryName> <!--Spotify-->
-			<QueryName condition="end with">.spotify.map.fastly.net</QueryName> <!--Spotify-->
-			<QueryName condition="end with">googleapis.com</QueryName> <!--Google-->
-			<QueryName condition="is">clients1.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">clients2.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">clients3.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">clients4.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">clients5.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">clients6.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">cloudsearch.googleapis.com</QueryName> <!--Google-->
-			<QueryName condition="is">id.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">safebrowsing.googleapis.com</QueryName> <!--Google-->
-			<QueryName condition="is">www.googleapis.com</QueryName> <!--Google-->
-			<!--Goodlist CDN-->
-			<QueryName condition="end with">.akadns.net</QueryName> <!--AkamaiCDN, extensively used by Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.netflix.com</QueryName>
-			<QueryName condition="end with">.typekit.net</QueryName> <!--Adobe fonts-->
-			<QueryName condition="end with">aspnetcdn.com</QueryName> <!--Microsoft [ https://docs.microsoft.com/en-us/aspnet/ajax/cdn/overview ]-->
-			<QueryName condition="is">ajax.googleapis.com</QueryName>
-			<QueryName condition="is">cdnjs.cloudflare.com</QueryName>
-			<QueryName condition="is">cdnjs.cloudflare.com</QueryName> <!--Cloudflare: Hosts popular javascript libraries-->
-			<QueryName condition="is">fonts.googleapis.com</QueryName> <!--Google fonts-->
-			<!--Personal-->
-			<QueryName condition="end with">.steamcontent.com</QueryName> <!--If you seriously host malware C2 in game binaries in Steam, I give up-->
-			<!--Web resources-->
-			<QueryName condition="end with">.disqus.com</QueryName> <!--Microsoft default exclusion-->
-			<QueryName condition="end with">.fontawesome.com</QueryName>
-			<QueryName condition="is">disqus.com</QueryName> <!--Microsoft default exclusion-->
-			<!--Ads-->
-			<QueryName condition="end with">.1rx.io</QueryName> <!--Ads-->
-			<QueryName condition="end with">.2mdn.net</QueryName> <!--Ads: Google | Microsoft default exclusion-->
-			<QueryName condition="end with">.adadvisor.net</QueryName> <!--Ads: Neustar [ https://better.fyi/trackers/adadvisor.net/ ] -->
-			<QueryName condition="end with">.adap.tv</QueryName> <!--Ads:AOL | Microsoft default exclusion [ https://www.crunchbase.com/organization/adap-tv ] -->
-			<QueryName condition="end with">.addthis.com</QueryName> <!--Ads:Oracle | Microsoft default exclusion [ https://en.wikipedia.org/wiki/AddThis ] -->
-			<QueryName condition="end with">.adform.net</QueryName> <!--Ads-->
-			<QueryName condition="end with">.adnxs.com</QueryName> <!--Ads: AppNexus | Microsoft default exclusion-->
-			<QueryName condition="end with">.adroll.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.adrta.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.adsafeprotected.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.adsrvr.org</QueryName> <!--Ads-->
-			<QueryName condition="end with">.advertising.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.analytics.yahoo.com</QueryName> <!--Ads:Yahoo-->
-			<QueryName condition="end with">.aol.com</QueryName> <!--Ads | Microsoft default exclusion -->
-			<QueryName condition="end with">.betrad.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.bidswitch.net</QueryName> <!--Ads-->
-			<QueryName condition="end with">.casalemedia.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.chartbeat.net</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/chartbeat.com/ ]-->
-			<QueryName condition="end with">.cnn.com</QueryName> <!-- Microsoft default exclusion-->
-			<QueryName condition="end with">.convertro.com</QueryName> <!--Ads:Verizon-->
-			<QueryName condition="end with">.criteo.com</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
-			<QueryName condition="end with">.criteo.net</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
-			<QueryName condition="end with">.crwdcntrl.net</QueryName> <!--Ads: Lotame [ https://better.fyi/trackers/crwdcntrl.net/ ] -->
-			<QueryName condition="end with">.demdex.net</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.domdex.com</QueryName> 
-			<QueryName condition="end with">.dotomi.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.doubleclick.net</QueryName> <!--Ads:Conversant | Microsoft default exclusion [ https://www.crunchbase.com/organization/dotomi ] -->
-			<QueryName condition="end with">.doubleverify.com</QueryName> <!--Ads: Google-->
-			<QueryName condition="end with">.emxdgt.com</QueryName> <!--Ads: EMX-->
-			<QueryName condition="end with">.exelator.com</QueryName> <!--Ads:Nielson Marketing Cloud-->
-			<QueryName condition="end with">.google-analytics.com</QueryName> <!--Ads:Google | Microsoft default exclusion-->
-			<QueryName condition="end with">.googleadservices.com</QueryName> <!--Google-->
-			<QueryName condition="end with">.googlesyndication.com</QueryName> <!--Ads:Google, sometimes called during malicious ads, but not directly responsible | Microsoft default exclusion [ https://www.hackread.com/wp-content/uploads/2018/06/Bitdefender-Whitepaper-Zacinlo.pdf ]-->
-			<QueryName condition="end with">.googletagmanager.com</QueryName> <!--Google-->
-			<QueryName condition="end with">.googlevideo.com</QueryName> <!--Google | Microsoft default exclusion-->
-			<QueryName condition="end with">.gstatic.com</QueryName> <!--Google | Microsoft default exclusion-->
-			<QueryName condition="end with">.gvt1.com</QueryName> <!--Google-->
-			<QueryName condition="end with">.gvt2.com</QueryName> <!--Google-->
-			<QueryName condition="end with">.ib-ibi.com</QueryName> <!--Ads: Offerpath [ https://better.fyi/trackers/ib-ibi.com/ ] -->
-			<QueryName condition="end with">.jivox.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.mathtag.com</QueryName> <!--Microsoft default exclusion-->
-			<QueryName condition="end with">.moatads.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.moatpixel.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.mookie1.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.myvisualiq.net</QueryName> <!--Ads-->
-			<QueryName condition="end with">.netmng.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.openx.net</QueryName> <!--Ads-->
-			<QueryName condition="end with">.optimizely.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.outbrain.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.pardot.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.phx.gbl</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.pinterest.com</QueryName> <!--Pinerest-->
-			<QueryName condition="end with">.pubmatic.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.quantcount.com</QueryName>
-			<QueryName condition="end with">.quantserve.com</QueryName>
-			<QueryName condition="end with">.revsci.net</QueryName> <!--Ads:Omniture | Microsoft default exclusion-->
-			<QueryName condition="end with">.rfihub.net</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.rlcdn.com</QueryName> <!--Ads: Rapleaf [ https://better.fyi/trackers/rlcdn.com/ ] -->
-			<QueryName condition="end with">.rubiconproject.com</QueryName> <!--Ads: Rubicon Project | Microsoft default exclusion [ https://better.fyi/trackers/rubiconproject.com/ ] -->
-			<QueryName condition="end with">.scdn.co</QueryName> <!--Spotify-->
-			<QueryName condition="end with">.scorecardresearch.com</QueryName> <!--Ads: Comscore | Microsoft default exclusion-->
-			<QueryName condition="end with">.serving-sys.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.sharethrough.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.simpli.fi</QueryName>
-			<QueryName condition="end with">.sitescout.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.smartadserver.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.snapads.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.spotxchange.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.taboola.com</QueryName> <!--Ads:Taboola-->
-			<QueryName condition="end with">.taboola.map.fastly.net</QueryName> <!--Ads:Taboola-->
-			<QueryName condition="end with">.tapad.com</QueryName>
-			<QueryName condition="end with">.tidaltv.com</QueryName> <!--Ads: Videology [ https://better.fyi/trackers/tidaltv.com/ ] -->
-			<QueryName condition="end with">.trafficmanager.net</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.tremorhub.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.tribalfusion.com</QueryName> <!--Ads: Exponential [ https://better.fyi/trackers/tribalfusion.com/ ] -->
-			<QueryName condition="end with">.turn.com</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/turn.com/ ] -->
-			<QueryName condition="end with">.twimg.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.tynt.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.w55c.net</QueryName> <!--Ads:dataxu-->
-			<QueryName condition="end with">.ytimg.com</QueryName> <!--Google-->
-			<QueryName condition="end with">.zorosrv.com</QueryName> <!--Ads:Taboola-->
-			<QueryName condition="end with">ads.yahoo.com</QueryName> <!--Ads: Yahoo-->
-			<QueryName condition="is">1rx.io</QueryName>
-			<QueryName condition="is">adservice.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">ampcid.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">clientservices.googleapis.com</QueryName> <!--Google-->
-			<QueryName condition="is">d29x207vrinatv.cloudfront.net</QueryName> <!--Amazon-developed applications-->
-			<QueryName condition="is">googleadapis.l.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">imasdk.googleapis.com</QueryName> <!--Google [ https://developers.google.com/interactive-media-ads/docs/sdks/html5/ ] -->
-			<QueryName condition="is">l.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">ml314.com</QueryName> <!--Ads-->
-			<QueryName condition="is">mtalk.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">update.googleapis.com</QueryName> <!--Google-->
-			<QueryName condition="is">www.googletagservices.com</QueryName>
-			<!--SocialNet-->
-			<QueryName condition="end with">.pscp.tv</QueryName> <!--Twitter:Periscope-->
-			<!--OSCP/CRL Common-->
-			<QueryName condition="contains">adsniper.ru</QueryName>
-			<QueryName condition="contains">cdnvideo.ru</QueryName>
-			<QueryName condition="contains">chat.minergate.com</QueryName>
-			<QueryName condition="contains">cwsa.minergate.com</QueryName>
-			<QueryName condition="contains">forum.minergate.com</QueryName>
-			<QueryName condition="contains">leadlab.click</QueryName>
-			<QueryName condition="contains">mc.yandex.ru</QueryName>
-			<QueryName condition="contains">pool.ntp.org</QueryName>
-			<QueryName condition="contains">vmg.host</QueryName>
-			<QueryName condition="contains">yandex.ru</QueryName>
-			<QueryName condition="end with">.adobe.com</QueryName>
-			<QueryName condition="end with">.autodesk.com</QueryName>
-			<QueryName condition="end with">.avast.com</QueryName>
-			<QueryName condition="end with">.avcdn.net</QueryName>
-			<QueryName condition="end with">.cdn.bitdefender.net</QueryName>
-			<QueryName condition="end with">.digicert.com</QueryName>
-			<QueryName condition="end with">.eset.com</QueryName>
-			<QueryName condition="end with">.globalsign.com</QueryName>
-			<QueryName condition="end with">.globalsign.net</QueryName>
-			<QueryName condition="end with">.intuit.com</QueryName>
-			<QueryName condition="end with">.java.com</QueryName>
-			<QueryName condition="end with">.macromedia.com</QueryName>
-			<QueryName condition="end with">.oracle.com</QueryName>
-			<QueryName condition="end with">.quickbooks.com</QueryName>
-			<QueryName condition="end with">.usertrust.com</QueryName>
-			<QueryName condition="end with">amazontrust.com</QueryName>
-			<QueryName condition="end with">ocsp.identrust.com</QueryName>
-			<QueryName condition="end with">pki.goog</QueryName>
-			<QueryName condition="is">ads.playground.xyz</QueryName>
-			<QueryName condition="is">citrixupdates.cloud.com</QueryName>
-			<QueryName condition="is">forticlient.fortinet.net</QueryName>
-			<QueryName condition="is">mft10.onbaseonline.com</QueryName>
-			<QueryName condition="is">msocsp.com</QueryName> <!--Microsoft:OCSP-->
-			<QueryName condition="is">ocsp.comodoca.com</QueryName>
-			<QueryName condition="is">ocsp.cybertrust.ne.jp</QueryName>
-			<QueryName condition="is">ocsp.entrust.net</QueryName>
-			<QueryName condition="is">ocsp.entrust.net</QueryName>
-			<QueryName condition="is">ocsp.godaddy.com</QueryName>
-			<QueryName condition="is">ocsp.int-x3.letsencrypt.org</QueryName>
-			<QueryName condition="is">ocsp.intel.com</QueryName>
-			<QueryName condition="is">ocsp.msocsp.com</QueryName> <!--Microsoft:OCSP-->
-			<QueryName condition="is">ocsp.quovadisglobal.com</QueryName>
-			<QueryName condition="is">ocsp.quovadisoffshore.com</QueryName>
-			<QueryName condition="is">ocsp.sectigo.com</QueryName>
-			<QueryName condition="is">ocsp.starfieldtech.com</QueryName>
-			<QueryName condition="is">ocsp.thawte.com</QueryName>
-			<QueryName condition="is">ocsp.trustwave.com</QueryName>
-			<QueryName condition="is">ocsp.verisign.com</QueryName>
-			<QueryName condition="is">pki-goog.l.google.com</QueryName>
-			<QueryName condition="is">pki.intel.com</QueryName>
-			<QueryName condition="is">scrootca1.ocsp.secomtrust.net</QueryName>
-			<QueryName condition="is">scrootca2.ocsp.secomtrust.net</QueryName>
-			<QueryName condition="is">stats.anchor.host</QueryName>
-			<QueryName condition="is">status.rapidssl.com</QueryName>
-			<QueryName condition="is">status.thawte.com</QueryName>
-			<QueryName condition="is">ts-ocsp.ws.symantec.com</QueryName>
-			<QueryName condition="is">upgrade.bitdefender.com</QueryName>
-		</DnsQuery>
-	</RuleGroup>
-	<!-- SYSMON EVENT ID 23 : File Delete and overwrite events which saves a copy to the archivedir: Includes -->
-	<!-- Default set to disabled due to disk space implications, enable with care!-->
-	<RuleGroup groupRelation="or">
-	  <FileDelete onmatch="include" />
-	</RuleGroup>
-	<!-- SYSMON EVENT ID 24 : Clipboard change events, only captures text, not files: Includes -->
-	<!-- Default set to disabled due to privacy implications and potential data you leave for attackers, enable with care!-->
-	<RuleGroup groupRelation="or">
-	  <ClipboardChange onmatch="include" />
-	</RuleGroup>
-	<!--SYSMON EVENT ID 25 : Process tampering events-->
-	<RuleGroup name="RG=Process Tampering Includes" groupRelation="or">
-		<ProcessTampering onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">.;&gt;;unknown;anonymous</Image>
-				<Image condition="excludes">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
-				<Image condition="excludes">C:\Program Files (x86)\Symantec\</Image>
-				<Image condition="excludes">C:\Program Files\Google\Chrome\Application\chrome.exe</Image>
-				<Image condition="excludes">C:\Program Files\Symantec\</Image>
-			</Rule>
-		</ProcessTampering>
-	</RuleGroup>
-	<RuleGroup name="RG=Process Tampering Excludes" groupRelation="or">
-		<ProcessTampering onmatch="exclude">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">\BHO\ie_to_edge_stub.exe;\Microsoft\Teams\;\Vivaldi\Application\;Google\Chrome\;Google\Update;BraveSoftware\Brave-Browser\;Edge\Application\;EdgeUpdate\Install\;Program Files\SmartGit\</Image>
-			</Rule>
-		</ProcessTampering>
-	</RuleGroup>
-	<!-- SYSMON EVENT ID 26 : File Delete and overwrite events, does NOT save the file: Includes -->
-	<RuleGroup groupRelation="or">
-		<FileDeleteDetected onmatch="include">
-		</FileDeleteDetected>
-	</RuleGroup>
-	<RuleGroup groupRelation="or">
-		<FileDeleteDetected onmatch="exclude">
-			<Image condition="contains all">\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
-			<User condition="contains any">NETWORK SERVICE; LOCAL SERVICE</User>
-		</FileDeleteDetected>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 27 : FILE BLOCK [FileBlockExecutable]-->
-	<RuleGroup name="RG=ImageBlock Include Group" groupRelation="or">
-		<FileBlockExecutable onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">OUTLOOK.exe;WINWORD.exe;EXCEL.EXE;powerpnt.exe;msaccess.exe;mspub.exe;eqnedt32.exe;visio.exe;wordpad.exe;wordview.exe;msohtmed.exe;lync.exe;teams.exe</Image>
-				<TargetFilename condition="excludes any">:\Program Files\Microsoft Office\;:\Program Files (x86)\Microsoft Office\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">w3wp.exe;tomcat;apache;nginx;httpd</Image>
-				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">powershell.exel;powershell_ise.exe</Image>
-				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="contains any">.pdf;.doc;.xls;.doc;.ppt;.txt;.rtf;.htm;.iso;.zip;.rar;.7z</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
-				<Image condition="contains any">psexesvc</Image>
-				<Image condition="contains any">psexec</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
-				<Image condition="is">wmiprvse.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
-				<TargetFilename condition="excludes any">amdsfhdcd.bin</TargetFilename>
-				<Image condition="excludes any">intuit</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">AcroRd32.exe;notepad.exe;mshta.exe;hh.exe;certutil.exe;certoc.exe;certreq.exe;desktopimgdownldr.exe;esentutl.exe;finger.exe;presentationhost.exe;cscript.exe;wscript.exe;mspaint.exe;RdrCEF.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1311,Technique=User Execution: Malicious File,Tactic=Execution,Level=4,Alert=Malicious File Detection,Author=Florian Roth" groupRelation="or">
-				<Hashes condition="contains">IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932</Hashes> <!-- PetitPotam -->
-				<Hashes condition="contains">IMPHASH=3A19059BD7688CB88E70005F18EFC439</Hashes> <!-- PetitPotam -->
-				<Hashes condition="contains">IMPHASH=bf6223a49e45d99094406777eb6004ba</Hashes> <!-- PetitPotam -->
-				<Hashes condition="contains">IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=4C1B52A19748428E51B14C278D0F58E3</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=672B13F4A0B6F27D29065123FE882DFC</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=9528A0E91E28FBB88AD433FEABCA2456</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=D21BBC50DCC169D7B4D0F01962793154</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1</Hashes> <!-- JuicyPotato  -->
-				<Hashes condition="contains">IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC</Hashes> <!-- JuicyPotato  -->
-				<Hashes condition="contains">IMPHASH=6118619783FC175BC7EBECFF0769B46E</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=563233BFA169ACC7892451F71AD5850A</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=87575CB7A0E0700EB37F2E3668671A08</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=13F08707F759AF6003837A150A371BA1</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=1781F06048A7E58B323F0B9259BE798B</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=713C29B396B907ED71A72482759ED757</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=8B114550386E31895DFAB371E741123D</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793</Hashes> <!-- PwDumpX -->
-				<Hashes condition="contains">IMPHASH=9D68781980370E00E0BD939EE5E6C141</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=B18A1401FF8F444056D29450FBC0A6CE</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=CB567F9498452721D77A451374955F5F</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=730073214094CD328547BF1F72289752</Hashes> <!-- Htran -->
-				<Hashes condition="contains">IMPHASH=17B461A082950FC6332228572138B80C</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=819B19D53CA6736448F9325A85736792</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74</Hashes> <!-- PPLDump -->
-				<Hashes condition="contains">IMPHASH=0588081AB0E63BA785938467E1B10CCA</Hashes> <!-- PPLDump -->
-				<Hashes condition="contains">IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=4DA924CF622D039D58BCE71CDF05D242</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=E7A3A5C377E2D29324093377D7DB1C66</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=E6F9D5152DA699934B30DAAB206471F6</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=3AD59991CCF1D67339B319B15A41B35D</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=FFDD59E0318B85A3E480874D9796D872</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=0CF479628D7CC1EA25EC7998A92F5051</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=D6D0F80386E1380D05CB78E871BC72B1</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=38D9E015591BBFD4929E0D0F47FA0055</Hashes> <!-- HandleKatz -->
-				<Hashes condition="contains">IMPHASH=0E2216679CA6E1094D63322E3412D650</Hashes> <!-- HandleKatz -->
-				<Hashes condition="contains">IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=11083E75553BAAE21DC89CE8F9A195E4</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F</Hashes> <!-- CreateMiniDump -->
-				<Hashes condition="contains">IMPHASH=767637C23BB42CD5D7397CF58B0BE688</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=14C4E4C72BA075E9069EE67F39188AD8</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=7D010C6BB6A3726F327F7E239166D127</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=89159BA4DD04E4CE5559F132A9964EB3</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=5834ED4291BDEB928270428EBBAF7604</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=3DE09703C8E79ED2CA3F01074719906B</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F</Hashes> <!-- WCE -->
-				<Hashes condition="contains">IMPHASH=E96A73C7BF33A464C510EDE582318BF2</Hashes> <!-- WCE -->
-				<Hashes condition="contains">IMPHASH=32089B8851BBF8BC2D014E9F37288C83</Hashes> <!-- Sliver Stagers -->
-				<Hashes condition="contains">IMPHASH=09D278F9DE118EF09163C6140255C690</Hashes> <!-- Dumpert -->
-				<Hashes condition="contains">IMPHASH=03866661686829D806989E2FC5A72606</Hashes> <!-- Dumpert -->
-				<Hashes condition="contains">IMPHASH=E57401FBDADCD4571FF385AB82BD5D6D</Hashes> <!-- Dumpert -->
-				<Hashes condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hashes> <!-- SysmonEnte -->
-				<Hashes condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hashes> <!-- SysmonQuiet -->
-				<Hashes condition="contains">IMPHASH=330768A4F172E10ACB6287B87289D83B</Hashes> <!-- ShaprEvtMute Hook -->
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Tools that tamper with Sysmon,Author=Florian Roth" groupRelation="and">
-				<TargetFilename condition="contains any">\EntenLoader.exe;\SysmonQuiet.exe;\SharpEvtMute.exe;\EvtMuteHook.dll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Desc=Lolbins dropping binaries,Author=Florian Roth" groupRelation="or">
-				<Image condition="image">certutil.exe</Image>
-				<Image condition="image">certoc.exe</Image>
-				<Image condition="image">CertReq.exe</Image>
-				<!-- <Image condition="image">bitsadmin.exe</Image> (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env) -->
-				<Image condition="image">Desktopimgdownldr.exe</Image>
-				<Image condition="image">esentutl.exe</Image>
-				<!-- <Image condition="image">expand.exe</Image> (depends on the environment; comment in if you're sure that expand doesn't do that in your env) -->
-				<Image condition="image">finger.exe</Image>
-				<Image condition="image">presentationhost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Desc=Suspicious Bitsadmin Usage from Non System accounts,Author=@ionstorm" groupRelation="and">
-				<Image condition="image">bitsadmin.exe</Image>
-				<TargetFilename condition="excludes any">C:\Windows;$WINDOWS.;\SoftwareDistribution\</TargetFilename>
-				<User condition="is not">System</User>
-				<User condition="excludes any">TrustedInstaller;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</User>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Tools that tamper with Sysmon,Author=Florian Roth" groupRelation="and">
-				<TargetFilename condition="contains any">\EntenLoader.exe;\SysmonQuiet.exe;\SharpEvtMute.exe;\EvtMuteHook.dll</TargetFilename>
-			</Rule>
-		</FileBlockExecutable>
-	</RuleGroup>
-	</EventFiltering>
-</Sysmon>
\ No newline at end of file

From 42fcf2af39cbe82b374a87b9e76422634b30c2f0 Mon Sep 17 00:00:00 2001
From: cyberkryption <cyberkryption@gmail.com>
Date: Sun, 25 Sep 2022 15:37:26 +0100
Subject: [PATCH 366/471] Delete sysmonconfig-cyberkryption.xml

---
 sysmonconfig-cyberkryption.xml | 6208 --------------------------------
 1 file changed, 6208 deletions(-)
 delete mode 100644 sysmonconfig-cyberkryption.xml

diff --git a/sysmonconfig-cyberkryption.xml b/sysmonconfig-cyberkryption.xml
deleted file mode 100644
index 0e7633fa..00000000
--- a/sysmonconfig-cyberkryption.xml
+++ /dev/null
@@ -1,6208 +0,0 @@
-<!--
-	   ____                           ___ ________________    _______ __
-	  / __/_ _____ __ _  ___  ___    / _ /_  __/_  __/ __/___/ ___/ //_/
-	 _\ \/ // (_-</  ' \/ _ \/ _ \  / __ |/ /   / /  > _/_ _/ /__/ ,<   
-	/___/\_, /___/_/_/_/\___/_//_/ /_/ |_/_/   /_/  |_____/ \___/_/|_|  
-		/___/                                                           
-	author:	ionstorm
-	project:	https://github.com/ion-storm/sysmon-config
-	license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
-	Methodology: Detect the Most Techniques per Data source in MITRE ATT&CK.
-				 Provide Visibility into Forensic Artifact Events for UEBA.
-				 Detect Exploitation events with wide CVE Coverage.
-				 Risk Scoring of CVE, UEBA, Forensic, MITRE ATT&CK Events.
-				 
-				 Primary Tags:
-				 Attack: Mitre ATT&CK Identifier
-				 Technique: Mitre ATT&CK Technique
-				 Tactic: Mitre ATT&CK Tactic
-				 Alert: Alert Text for SIEM/XDR
-				 Info: Informational Alert Text
-				 Level: The level field contains one of five string values. It describes the criticality of a triggered rule. 
-				 While low and medium level events have an informative character, events with high and critical level should 
-				 lead to immediate reviews by security analysts.
-				 Desc: Description of non-alerting UEBA/Behavioral Based Rules
-				 Forensic: Forensic Artifacts
-				 CVE: CVE Vulnerability Identification
-				 FP: False Positive Rate
-				 Author: Author of rule
-				 
-				 Additional Tag Details:
-				 Rapid Response Tags: (for EDR/XDR/SIEM Response & Automation)
-				 kp=y 	Kill process with child processes
-				 kpp=y 	Kill Parent Processes & all Child Processes
-				 kc=y    Kill network connections
-				 ki=y    Kill Injected Thread
-				 sd=y 	Shutdown System
-				 fw=y	Add Windows Firewall Rule to block inbound/outbound network connectivity from process
-				 yara=y  Yara Scan file
-				 ydel=y  Delete on Yara Detection
-				 rf=y    Restore Deleted File
-				 nr=y 	Null route ip
-				 iso=y Isolate Host
-				 SD=y Service Desk Ticket
-				 SOC=y SOC Ticket Creation
-				 
-				 Risk Score ratings: (Risk=??)
-				 Low Risk: 1-39
-				 Medium Risk: 40-69
-				 High Risk: 70-89
-				 Critical Risk: 90-100
-				 
-				 Levels: (from Sigma)
-				 (0) informational: Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered 
-				 by such rules because it is expected that a huge amount of events will match these rules.
-				 (1) low: Notable event but rarely an incident. Low rated events can be relevant in high numbers or combination with others. 
-				 Immediate reaction shouldn't be necessary, but a regular review is recommended.
-				 (2) medium: Relevant event that should be reviewed manually on a more frequent basis.
-				 (3) high: Relevant event that should trigger an internal alert and requires a prompt review.
-				 (4) critical: Highly relevant event that indicates an incident. Critical events should be reviewed immediately.
-				 
-				 False Positive Rates: (FP=?)
-				 (0) Zero False Positives rate
-				 (1) Some False Positives rate
-				 (2) Medium False Positive rate
-				 (3) High False Positive rate
-				 
-				 Properly Escape in XML:
-				 < &lt;
-				 > &gt;
-				 " &quot;
-				 ' &apos;
-				 & &amp;
-				 
-				 Other Notes:
-				 The Rulename field has a hard limit of 255 characters, make the best of the size available, shorten tags and descriptions as needed.
-				 Add exclusions in line enclosed within a Compound rule rather than a global exclusion list.
--->
-<Sysmon schemaversion="4.82">
-	<HashAlgorithms>md5,sha256,imphash</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
-	<CheckRevocation/>
-	<EventFiltering>
-	<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
-	<RuleGroup name="RG=ProcessCreate Include Group" groupRelation="or">
-		<ProcessCreate onmatch="include">
-			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
-			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,Level=3,Alert=Nessus Scan Detected,Risk=100" groupRelation="or">
-				<ParentCommandLine condition="contains any">TEMP\nessus_;nessus_task_list</ParentCommandLine>
-				<CommandLine condition="contains any">TEMP\nessus_;nessus_task_list</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
-				<CommandLine condition="contains any">rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe</CommandLine>
-				<OriginalFileName condition="is any">advanced_port_scanner.exe;rcpping.exe;nc.exe;nc64.exe;netcat.exe;ncat.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe</OriginalFileName>
-				<Product condition="contains any">Network Scanner;Advanced IP Scanner</Product>
-			</Rule>
-			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=4,Alert=ADFind.exe Discovery,Risk=100" groupRelation="or">
-				<OriginalFileName condition="contains">adfind</OriginalFileName>
-				<Product condition="contains">adfind</Product>
-				<CommandLine condition="contains any">-gcb -sc;/gcb /sc;-f (objectcategory=;/f (objectcategory=;trustdmp</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
-
-			<!--MITRE ATT&CK TACTIC: Resource Development-->
-			<Rule name="Attack=T1587,Technique=Develop Capabilities,Tactic=Resource Development,Alert=PurpleSharp Indicator,Risk=40" groupRelation="or">
-				<CommandLine condition="contains any">PurpleSharp;xyz123456</CommandLine> 
-				<OriginalFileName condition="contains any">PurpleSharp</OriginalFileName> 
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
-			<CommandLine name="Attack=T1584.002,Technique=Compromise Infrastructure: DNS Server,Tactic=Resource Development,Level=4,Alert=DNSCMD DLL exec" condition="contains">/serverlevelplugindll</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
-			<Rule name="Attack=T1587.003,Technique=Develop Capabilities: Digital Certificates,Tactic=Resource Development,Alert=netsh adding SSL Certificate,Risk=40" groupRelation="and">
-				<CommandLine condition="contains all">add;sslcert;http</CommandLine> 
-			</Rule>
-			<CommandLine name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Level=3,Alert=netsh removing SSL Certificate,Risk=40" condition="contains">http del sslcert</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
-
-			<!--MITRE ATT&CK TACTIC: Initial Access-->
-			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Executed files within Outlook Attachments,Risk=30" groupRelation="and">
-				<Image condition="contains">C:\Users\</Image>
-				<Image condition="contains">Content.Outlook</Image>
-			</Rule>
-			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Arbitrary Shell Command Execution Via Settingcontent-Ms,Risk=30" groupRelation="and">
-				<CommandLine condition="contains">.SettingContent-ms</CommandLine>
-				<CommandLine condition="excludes">immersivecontrolpanel</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Double File Extension,Risk=100" groupRelation="or">
-				<Image condition="end with">.doc.exe</Image>
-				<Image condition="end with">.docx.exe</Image>
-				<Image condition="end with">.docx.exe</Image>
-				<Image condition="end with">.xls.exe</Image>
-				<Image condition="end with">.xlsx.exe</Image>
-				<Image condition="end with">.ppt.exe</Image>
-				<Image condition="end with">.pptx.exe</Image>
-				<Image condition="end with">.rtf.exe</Image>
-				<Image condition="end with">.pdf.exe</Image>
-				<Image condition="end with">.txt.exe</Image>
-				<Image condition="end with">      .exe</Image>
-				<Image condition="end with">______.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Suspicious HWP Sub Processes,Risk=70" groupRelation="and">
-				<ParentImage condition="image">Hwp.exe</ParentImage>
-				<Image condition="image">gbb.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,CVE=CVE-2020-1350,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
-				<ParentCommandLine condition="contains all">svchost.exe;termsvcs</ParentCommandLine>
-				<Image condition="excludes any">rdpclip.exe;csrss.exe;wininit.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,CVE=CVE-2020-1350,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
-				<ParentImage condition="image">dns.exe</ParentImage>
-				<Image condition="excludes any">werfault.exe;conhost.exe;dnscmd.exe;dns.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1190,Tactic=Initial Access,Technique=Exploit Public-Facing Application,CVE=CVE-2019-0708,Level=4,Alert=Terminal Service Process Spawn,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">UMWorkerProcess.exe;UMService.exe</ParentImage>
-				<CommandLine condition="excludes any">perfenabled</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1190,Tactic=Initial Access,Technique=Exploit Public-Facing Application,CVE=CVE-2021-26857,Level=4,Alert=HAFNIUM APT Exchange UMS Process,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">UMWorkerProcess.exe;UMService.exe</ParentImage>
-				<CommandLine condition="excludes any">perfenabled</CommandLine>
-				<Image condition="excludes any">wemgr.exe;werfault.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=wwwroot Web Server Exploitation Detected,Risk=100" groupRelation="and">
-				<Image condition="contains any">\wwwroot\</Image>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Atlassian Confluence Remote Exploit,Risk=100,CVE=CVE-2021-26084" groupRelation="and">
-				<ParentImage condition="end with">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
-				<CommandLine condition="contains any">cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Generic Java Webapp Remote Exploit,Risk=100" groupRelation="and">
-				<ParentImage condition="image">\jre\bin\java.exe</ParentImage>
-				<Image condition="contains any">cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe</Image>
-				<!--Allow Confluence Rule to fire-->
-				<ParentImage condition="excludes">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Generic Java keytool Exploit,Risk=100" groupRelation="and">
-				<ParentImage condition="image">keytool.exe</ParentImage>
-				<Image condition="contains any">cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Apache Spark Exploit,CVE=CVE-2022-33891,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">bash.exe;cmd.exe;powershell.exe;pwsh.exe</ParentImage>
-				<CommandLine condition="contains any">id -Gn `;id /Gn `;id -Gn ';id /Gn '</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<Rule name="Attack=T1133,Technique=External Remote Services,Tactic=Initial Access,Level=2,Alert=Screenconnect Remote Access,Risk=50" groupRelation="and">
-				<CommandLine condition="contains all">e=Access&amp;;y=Guest&amp;;&amp;p=;&amp;c=;&amp;k=</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
-			
-			<!--MITRE ATT&CK TACTIC: Execution-->
-			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,Level=3,Alert=WMI Execution Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains all">process;call;create</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,Level=3,Alert=Suspicious WMIC Commands,Risk=30" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains any">call set priority;call terminate;product get name;bios, get serialNumber;BIOS GET SERIALNUMBER;onboarddevice get;useraccount where name;useraccount get;path win32_networkadapter where index=;process list;useraccount get /ALL;useraccount list;qfe get description,installedOn /format:csv;process get caption,executablepath,commandline;service get name,displayname,pathname,startmode;share list;win32_share</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
-			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=Suspicious Console Host Execution Locations,Risk=30" groupRelation="and">
-				<ParentImage condition="contains any">C:\Users\;$Recycle;\Temp\;\Downloads\</ParentImage>
-				<CommandLine condition="is">\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1</CommandLine>
-				<Image condition="image">conhost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=Suspicious Console Host Parents,Risk=30" groupRelation="and">
-				<ParentImage condition="contains any">svchost.exe;lsass.exe;services.exe;smss.exe;winlogon.exe;explorer.exe;dllhost.exe;rundll32.exe;regsvr32.exe;userinit.exe;winit.exe;spoolsv.exe;wermgr.exe;csrss.exe;ctfmon.exe;werfault.exe</ParentImage>
-				<Image condition="image">conhost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=Suspicious Console Host children,Risk=30" groupRelation="and">
-				<ParentImage condition="image">conhost.exe</ParentImage>
-				<Image condition="excludes any">:\Windows\splwow64.exe;:\Windows\System32\WerFault.exe;:\Windows\System32\conhost.exe</Image>
-			</Rule>
-			<!-- Disabled for now
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,UEBA=Execution Command Line tools by user,Risk=45" groupRelation="and">
-				<Image condition="contains any">\cmd.exe;WindowsTerminal;powershell</Image>
-				<ParentImage condition="image">explorer.exe</ParentImage>
-			</Rule>
-			-->
-			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,UEBA=Powershell as cmd.exe child process,Risk=39" groupRelation="and">
-				<ParentImage condition="image">cmd.exe</ParentImage>
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-				<CommandLine condition="excludes">Get-ItemProperty HKLM:\software\wow6432node\microsoft\windows\currentversion\uninstall\</CommandLine>
-				<CommandLine condition="excludes">mysql server</CommandLine>
-				<CommandLine condition="excludes">select-object displayversion,displayname</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,Level=3,Alert=Powershell ran from Scripting Utilities,Risk=50" groupRelation="and">
-				<ParentImage condition="contains any">cscript.exe;wscript.exe</ParentImage>
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,Level=3,Alert=Powershell ran from cscript or wscript,Risk=50" groupRelation="and">
-				<ParentImage condition="contains any">cscript.exe;wscript.exe</ParentImage>
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=4,Alert=Powershell Launched from mshta,Risk=100" groupRelation="and">
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-				<ParentImage condition="image">mshta.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Visual Basic,Tactic=Execution,UEBA=Suspicious WSCRIPT Command Line,Risk=50" groupRelation="and">
-				<Image condition="contains any">wscript.exe;cscript.exe</Image>
-				<CommandLine condition="excludes any">IEX;Net.WebClient;ospp.vbs;powershell;slmgr.vbs;spiceworks_upload</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=2,Alert=Suspicious wscript commands,Risk=60" groupRelation="and">
-				<Image condition="image">wscript.exe</Image>
-				<CommandLine condition="contains">.jse</CommandLine>
-				<CommandLine condition="contains">.js</CommandLine>
-				<CommandLine condition="contains">.vba</CommandLine>
-				<CommandLine condition="contains">.vbe</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=2,Alert=cscript execution,Risk=60" groupRelation="and">
-				<Image condition="image">cscript.exe</Image>
-				<CommandLine condition="contains">.js</CommandLine>
-				<CommandLine condition="contains">.jse</CommandLine>
-				<CommandLine condition="contains">.vba</CommandLine>
-				<CommandLine condition="contains">.vbe</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=4,Alert=Suspicious or Malicious mshta exec,Risk=70" groupRelation="and">
-				<CommandLine condition="contains any">mshta vbscript:CreateObject("Wscript.Shell");mshta vbscript:Execute("Execute;mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe;javascript:a=</CommandLine>
-				<CommandLine condition="contains any">.jpg;.png;.lnk;.xls;.doc;.zip;.sct;.hta</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1059.003,Technique=Scripting,Tactic=Execution,Level=4,Alert=Possible WinNTI Malware,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">C:\Windows\Temp\hpqhvind.exe;C:\ProgramData\DRM\;Test.exe</ParentImage>
-				<Image condition="contains any">C:\ProgramData\DRM;wmplayer.exe;C:\ProgramData\DRM\CLR\CLR.EXE</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,UEBA=Registry Editor Opened by user,Risk=70" groupRelation="and">
-				<Image condition="image">regedit.exe</Image>
-				<ParentImage condition="image">explorer.exe</ParentImage>
-			</Rule>
-			<!-- Disabled for now
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Generic User Execution,Risk=1" groupRelation="and">
-				<ParentImage condition="image">explorer.exe</ParentImage>
-			</Rule>
-			-->
-			<Rule name="UEBA=Unusual Child Process,Risk=30" groupRelation="and">
-				<Image condition="is any">svchost.exe;taskhostw.exe;userinit.exe;smss.exe;csrss.exe;wininit.exe;winlogon.exe;lsass.exe;logonui.exe;services.exe</Image>
-				<Image condition="contains any">C:\windows\System32\;C:\windows\syswow64\</Image>
-				<ParentImage condition="excludes any">wininit.exe;winlogon.exe;services.exe;dwm.exe;System;smss.exe;svchost.exe</ParentImage>
-			</Rule>
-			<Rule name="UEBA=Unusual Print Spooler Child Process,Risk=30" groupRelation="and">
-				<ParentImage condition="contains any">\spoolsv.exe;\PrintIsolationHost.exe</ParentImage>
-				<Image condition="excludes any">C:\Windows\System32\spoolsv.exe;\GPLGS\gswin32c.exe;C:\Windows\System32\spool\drivers\;\bin\gswin64c.exe;C:\PROGRA~2\CUTEPD~1\;C:\Windows\EEFPrinter.exe</Image>
-				<CommandLine condition="excludes any">C:\Windows\system32\spool\DRIVERS</CommandLine>
-				<Company condition="excludes any">Brother Industries;Thomson Reuters</Company>
-			</Rule>
-			<ParentCommandLine name="Attack=T1059.001,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=4,Alert=Metasploit Detection,Risk=90" condition="contains">COMSPEC</ParentCommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">ScriptFile</CommandLine>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\7z</CommandLine><!-- exec from 7zip -->
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\Temp1_</CommandLine><!-- exec from explorer -->
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">\AppData\Local\Temp\Rar$</CommandLine><!-- exec from winrar -->
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
-			<Rule name="Attack=T1059.001,Technique=Scripting,Tactic=Execution,Level=3,Alert=Powershell Launched from users folder,Risk=60" groupRelation="and">
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-				<ParentImage condition="begin with">C:\users\</ParentImage>
-				<ParentImage condition="excludes">Microsoft VS Code\Code.exe</ParentImage>
-				<ParentImage condition="excludes">\Deployment tool extract\setupodt.exe</ParentImage>
-			</Rule>
-			<CommandLine name="Attack=T1059.001,Technique=PowerShell,Tactic=Execution,Level=4,Alert=invoke-shellcode,Risk=100" condition="contains">Shellcode</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
-			<Image name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">python.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
-			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,Level=3,Alert=JAVA DLL exec" condition="contains">-agentpath:</CommandLine>
-			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,Level=3,Alert=JAVA DLL exec" condition="contains">-agentlib:</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Browser Exploitation Detected,Risk=90" groupRelation="and">
-				<ParentImage condition="contains any">iexplore.exe;chrome.exe;firefox.exe;browser_broker.exe;vivaldi.exe;microsoftedge.exe;microsoftedgecp.exe;brave.exe;vivaldi.exe</ParentImage>
-				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
-				<ParentCommandLine condition="excludes any">apt-config</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Office Exploitation Detection,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe</ParentImage>
-				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
-				<CommandLine condition="excludes all">.cmd;-</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\system32\spool\DRIVERS\</CommandLine>
-				<CommandLine condition="excludes">PhotoViewer.dll</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Alert=Office Spawning exe within: User Home Dirs,Risk=80" groupRelation="and">
-				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe</ParentImage>
-				<Image condition="begin with">C:\Users\</Image>
-				<Image condition="end with">.exe</Image>
-				<Product condition="excludes">Zoom Video</Product>
-				<Product condition="excludes">Firefox</Product>
-				<Product condition="excludes">Microsoft Edge</Product>
-				<Product condition="excludes">Microsoft Teams</Product>
-				<Image condition="excludes">GrammarlyAddInSetupe</Image>
-				<Image condition="excludes">Teams.exe</Image>
-				<Image condition="excludes">Zoom.exe</Image>
-				<Image condition="excludes">browser_broker.exe</Image>
-				<Image condition="excludes">chrome.exe</Image>
-				<Image condition="excludes">edge.exe</Image>
-				<Image condition="excludes">firefox.exe</Image>
-				<Image condition="excludes">iexplore.exe</Image>
-				<Image condition="excludes">vivaldi.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Info=Office Spawning exe within: ProgramData,Risk=70" groupRelation="and">
-				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe</ParentImage>
-				<Image condition="begin with">C:\ProgramData\</Image>
-				<Product condition="excludes">Firefox</Product>
-				<Product condition="excludes">Microsoft Edge</Product>
-				<Product condition="excludes">Microsoft Teams</Product>
-				<Product condition="excludes">Zoom Video</Product>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Adobe Exploitation Detection,Risk=80" groupRelation="and">
-				<ParentImage condition="contains any">acrobat.exe;acrord32.exe</ParentImage>
-				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Web Server Exploitation Detected,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">apache;w3wp.exe;php-cgi.exe;nginx.exe;httpd.exe;tomcat;php.exe</ParentImage>
-				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Web Server Spawned cmd shell,Risk=100" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>				
-				<CommandLine condition="excludes any">ping 127.0.0.1</CommandLine>				
-				<CurrentDirectory condition="is">c:\windows\system32\inetsrv\</CurrentDirectory>				
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=SQL Server Exploitation Detected,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">sqlservr</ParentImage>
-				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;sh.exe;bash.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office MSHTML Exploit,Risk=100,CVE=CVE-2021-40444" groupRelation="and">
-				<ParentImage condition="contains any">winword.exe;powerpnt.exe;excel.exe</ParentImage>
-				<Image condition="is">control.exe</Image>
-				<CommandLine condition="excludes any">input.dll</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Follina msdt Exploit,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<Image condition="is">msdt.exe</Image>
-				<OriginalFileName condition="is">msdt.exe</OriginalFileName>
-				<CommandLine condition="contains all">BrowseForFile=;PCWDiagnostic</CommandLine>
-				<CommandLine condition="contains any">/af;-af</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=msdt via answer file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<Image condition="is">msdt.exe</Image>
-				<ParentImage condition="is not">pcwrun.exe</ParentImage>
-				<CommandLine condition="contains">PCWDiagnostic</CommandLine>
-				<CommandLine condition="contains any">/af;-af</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=msdt via diagcab file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<Image condition="is">msdt.exe</Image>
-				<CommandLine condition="contains any">/cab;-cab</CommandLine>
-				<CommandLine condition="contains">.diagcab</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=MSDT Executed with Suspicious Parent,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<ParentImage condition="contains any">powershell.exe;pwsh.exe;cmd.exe;mshta.exe;cscript.exe;wscript.exe;wsl.exe;rundll32.exe;regsvr32.exe</ParentImage>
-				<Image condition="is">msdt.exe</Image>
-			</Rule>
-			<ParentImage condition="image" name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Exploit - Equation Editor starts application,CVE=CVE-2017-11882">EQNEDT32.EXE</ParentImage> <!-- https://app.any.run/tasks/dfea0112-6fbe-4091-9161-1e8f25f611b0/-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=EPS Processing 0day,Risk=100,CVE=CVE-2017-0261" groupRelation="and">
-				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</ParentImage>
-				<Image condition="is">FLTLDR.EXE</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
-			<CommandLine name="Attack=T1559.002,Technique=Dynamic Data Exchange,Tactic=Execution" condition="contains any">/dde;-dde</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Native API-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=2,Alert=Scheduled Task Created,Risk=100" groupRelation="and">
-				<Image condition="image">schtasks.exe</Image>
-				<CommandLine condition="contains any">/create;-create;/change;-change</CommandLine>
-				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
-			</Rule>
-			<OriginalFileName name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=2,Alert=Scheduled Task Created,Risk=1" condition="is">taskeng.exe</OriginalFileName>
-			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=0,Desc=Schtasks task Run,Risk=60" groupRelation="and">
-				<Image condition="image">schtasks.exe</Image>
-				<CommandLine condition="contains any">/Run;-run</CommandLine>
-				<CommandLine condition="excludes">Sentinel\AutoRepair</CommandLine>
-				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,Level=2,Alert=Child process from schtasks" groupRelation="and">
-				<ParentImage condition="image">schtasks.exe</ParentImage>
-			</Rule>
-			<Image name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</Image>
-			<ParentImage name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</ParentImage>
-			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=0,Desc=Scheduled Task Started,Risk=0" groupRelation="and">
-				<ParentImage condition="image">C:\Windows\System32\svchost.exe</ParentImage>
-				<ParentCommandLine condition="contains all">netsvcs;-p;-s;Schedule</ParentCommandLine>
-				<CommandLine condition="excludes all">netsvcs;-p;-s;Schedule</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: System Services-->
-			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution,Level=0,Desc=Service Stop detected,Risk=0" groupRelation="and">
-				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
-				<CommandLine condition="contains">stop</CommandLine>
-				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution,Level=0,Desc=NET.EXE Service Start detected,Risk=30" groupRelation="and">
-				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
-				<CommandLine condition="contains">start</CommandLine>
-				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=3,Alert=Impacket Detection 1,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">wmiprvse.exe;mmc.exe;explorer.exe;services.exe</ParentImage>
-				<CommandLine condition="contains all">&#38;1;cmd.exe;\\127.0.0.1\;/Q /c</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=3,Alert=Impacket Detection 2,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">wmiprvse.exe;mmc.exe;explorer.exe;services.exe</ParentImage>
-				<CommandLine condition="contains all">&#38;1;cmd.exe;\\127.0.0.1\;-Q -c</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PowerSploit/Empire Persistence,Risk=100" groupRelation="and">
-				<CommandLine condition="contains all">schtasks;Create;ONLOGON;TN;Updater;TR;powershell</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence/Privilege Escalation,Level=2,Alert=Service added via SC,Risk=100" groupRelation="and">
-				<Image condition="image">sc.exe</Image>
-				<CommandLine condition="contains">create</CommandLine>
-				<CurrentDirectory condition="excludes any">\NIC_Emulex_Firmware\;C:\Windows\Temp\ExchangeSetup\</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence/Privilege Escalation,Level=2,Alert=Service binpath modification,Risk=100" groupRelation="and">
-				<Image condition="image">sc.exe</Image>
-				<CommandLine condition="contains all">config;binpath</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Privilege Escalation,Level=3,Alert=Shell as System Service,Risk=100" groupRelation="and">
-				<Image condition="contains any">cmd.exe;powershell.exe</Image>
-				<ParentImage condition="image">services.exe</ParentImage>
-			</Rule>
-			<CommandLine name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence,Level=2,Alert=Service added via Powershell,Risk=50" condition="contains">new-service</CommandLine>
-			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSEXESVC Child Process,Risk=100" condition="image">psexesvc.exe</ParentImage>
-			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec Execution,Risk=100" groupRelation="or">
-				<Description condition="contains">Execute processes remotely</Description>
-				<Image condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
-				<Description condition="contains">PsExec Service</Description> 
-				<Description condition="contains">PsExec Launched</Description> 
-			</Rule>
-			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=Sysinternals Initial Tool Execution,Risk=100" groupRelation="or">
-				<CommandLine condition="contains">accepteula</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec SYSTEM Execution,Risk=100" groupRelation="and">
-				<Description condition="contains">Execute processes remotely</Description>
-				<CommandLine condition="contains any">-s;/s</CommandLine>
-			</Rule>
-			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec Child Process,Risk=100" condition="image">psexec.exe</ParentImage>
-			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=2,Alert=PSKill Execution,Risk=100" condition="image">pskill.exe</ParentImage>
-			<Image name="Attack=T1035,Technique=Service Execution,Tactic=Execution,Level=2,Alert=PsKill Command" condition="contains">pskill</Image><!--Detect pskill-->
-			<Rule name="Attack=T1569.002,Technique=System Services,Tactic=Execution,Level=3,Alert=Remote Procedure Call Service Anomaly,Risk=75" groupRelation="and">
-				<ParentCommandLine condition="contains all">C:\WINDOWS\system32\svchost.exe;RPCSS</ParentCommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=AstraRoth Command Line detection" groupRelation="and">
-				<CommandLine condition="contains">&amp;&amp; type</CommandLine>
-				<CommandLine condition="contains">&gt;</CommandLine>
-				<CommandLine condition="contains">cmd.exe" /c cd</CommandLine>
-			</Rule>
-			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=3,Alert=Suspicious or Malicious Command Line events" groupRelation="and">
-				<CommandLine condition="contains any">ntdsutil;/set {default} recoveryenabled no;telnet ;-dumpcr;putty;bash.exe;pssh;shareenum;sekurlsa;reg save;reg  save;psscan;shellexec;vbscript:createobject;/output:clipboard;root\\default;root\\subscription;Wmiclass;WmiCl'+'as'+'s</CommandLine>
-			</Rule>
-			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Powershell Suspicious or Malicious events" groupRelation="or">
-				<CommandLine condition="contains any">ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy</CommandLine>
-				<ParentCommandLine condition="contains any">ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy</ParentCommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Ramnit Banker Malware,Risk=100" condition="contains">--disable-http2 --disable-quic</CommandLine>
-			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=DNSpionage Link click,Risk=100" condition="contains">/Client/Login?id=</CommandLine>
-			<ParentCommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=4,Alert=Emotet Child Process Detected" condition="contains">JABzA</ParentCommandLine>
-			<!--Suspicious/Malicious Hash Detection-->
-			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Malicious Hash Detected" groupRelation="or">
-				<Hashes condition="contains any">2f40abbb4f78e77745f0e657a19903fc953cc664;478dc5a5f934c62a9246f7d1fc275868f568bc07;37b4496e650b3994312c838435013560b3ca8571;37b4496e650b3994312c838435013560b3ca8571;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;807d86da63f0db1fc746d1f0b05bc357;849a2b0dc80aeca3d175c139efe5221c;86A4CAC227078B9C95C560C8F0370BF0;98908ce6f80ecc48628c8d2bf5b2a50c;a4b42c2c95d1f2ff12171a01c86cd64f;4abe604916c04fe3dd8b9cb3d501d3f;eac3e3ece94bc84e922ec077efb15edd;128CECC59C91C0D0574BC1075FE7CB40;88777aacd5f16599547926a4c9202862;0f49621b06f2cdaac8850c6e9581a594;17a36ac3e31f3a18936552aff2c80249;322cb39bc049aa69136925137906d855;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;3d129263f6a48647f103a04446fb0c2f;37cd353621b0f4fc6981b50071c94f01;1b60021baedc3f9201bcdb40e9b87f62;71345b139166482acaa568ac8816c7bc;5E022694C0DBD1FBBC263D608E577949;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc5733c013378fa418d13773f5bfe6f1;c579341f86f7e962719c7113943bb6e4;d326e629a90e78825645963b35e53a6a;5E022694C0DBD1FBBC263D608E577949;53841a0c6a3ff92976db08bfdf95e083;dc7e564809d6c2a2f3457c3c9b91f22b;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b;FE2CA1BE3BDA2A757036A89E54CC02DB;FE2CA1BE3BDA2A757036A89E54CC02DB</Hashes>
-			</Rule>
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=4,Alert=TajMahal APT Tool Detection,Risk=100" condition="contains any">22d142f11cf2a30ea4953e1fffb0fa7e;2317d65da4639f4246de200650a70753;27612cb03c89158225ca201721ea1aad;412956675fbc3f8c51f438c1abc100eb;daf2da52475fd8981b19ec3c321a983c;490a140093b5870a47edc29f33542fd2;51a7068640af42c3a7c1b94f1c11ab9d;533340c54bd25256873b3dca34d7f74e;684eca6b62d69ce899a3ec3bb04d0a5b;69a19abf5ba56ee07cdd3425b07cf8bf;6cfd131fef548fcd60fbcdb59317df8e;72dc98449b45a7f1ccdef27d51e31e91;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;80c37e062aa4c94697f287352acf2e9d;815f1f8a7bc1e6f94cb5c416e381a110;a43d3b31575846fa4c3992b4143a06da;08e82dc7bae524884b7dc2134942aadb;7bcd736a2394fc49f3e27b3987cce640;57314359df11ffdf476f809671ec0275;b72737b464e50aa3664321e8e001ff32;ce8ce92fb6565181572dce00d69c24f8;5985087678414143d33ffc6e8863b887;84730a6e426fbd3cf6b821c59674c8a0;d5377dc1821c935302c065ad8432c0d2;d8f1356bebda9e77f480a6a60eab36bb;92f8e3f0f1f7cc49fad797a62a169acd;9003cfaac523e94d5479dc6a10575e60;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;c1e7850da5604e081b9647b58248d7e8;99828721ac1a0e32e4582c3f615d6e57;f559c87b4a14a4be1bd84df6553aaf56;b9c208ea8115232bfd9ec2c62f32d6b8;061089d8cb0ca58e660ce2e433a689b3;0e9afd3a870906ebf34a0b66d8b07435;9c115e9a81d25f9d88e7aaa4313d9a8f;520ee02668a1c7b7c262708e12b1ba6b;7bfba2c69bed6b160261bdbf2b826401;77a745b07d9c453650dd7f683b02b3ed;3a771efb7ba2cd0df247ab570e1408b2;0969b2b399a8d4cd2d751824d0d842b4;fc53f2cd780cd3a01a4299b8445f8511;4e39620afca6f60bb30e031ddc5a4330;bfe3f6a79cad5b9c642bb56f8037c43b;3dfebce4703f30eed713d795b90538b5;9793afcea43110610757bd3b800de517;36db24006e2b492cafb75f2663f241b2;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;649ef1dd4a5411d3afcf108d57ff87af;320b2f1d9551b5d1df4fb19bd9ab253a;3d75c72144d873b3c1c4977fbafe9184;b9cf4301b7b186a75e82a04e87b30fe4;b4e67706103c3b8ee148394ebee3f268;7bfbd72441e1f2ed48fbc0f33be00f24;cdb303f61a47720c7a8c5086e6b2a743;2a6f7ec77ab6bd4297e7b15ae06e2e61;8403a28e0bffa9cc085e7b662d0d5412;3ffd2915d285ad748202469d4a04e1f5;04078ef95a70a04e95bda06cc7bec3fa;235d427f94630575a4ea4bff180ecf5d;8035a8a143765551ca7db4bc5efb5dfd;cacaa3bf3b2801956318251db5e90f3c;1aadf739782afcae6d1c3e4d1f315cbd;c3e255888211d74cc6e3fb66b69bbffb;d9e9f22988d43d73d79db6ee178d70a4;16ab79fb2fd92db0b1f38bedb2f02ed8;8da15a97eaf69ff7ee184fc446f19cf1;ffc7305cb24c1955f9625e525d58aeee;c0e72eb4c9f897410c795c1b360090ef;9ad6fa6fdedb2df8055b3d30bd6f64f1;44619a88a6cff63523163c6a4cf375dd;a571660c9cf1696a2f4689b2007a12c7;81229c1e272218eeda14892fa8425883;0ac48cfa2ff8351365e99c1d26e082ad;afcdf79be1557326c854b6e20cb900a7</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" condition="contains">a53a02b997935fd8eedcb5f7abab9b9f</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" condition="contains">e96a73c7bf33a464c510ede582318bf2</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
-			<Image name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=Emotet Execution Detected,Risk=100" condition="contains">serialfunc.exe</Image>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection" groupRelation="and">
-				<CommandLine condition="contains any">e PAA;en PAA;enc PAA;enco PAA;encode PAA;encoded PAA;encodedco PAA;encodedcom PAA;encodedcomm PAA;encodedcomma PAA;encodedcomman PAA;encodedcommand PAA;e IAA;en IAA;enc IAA;enco IAA;encode IAA;encoded IAA;encodedco IAA;encodedcom IAA;encodedcomm IAA;encodedcomma IAA;encodedcomman IAA;encodedcommand IAA;e JAB;en JAB;enc JAB;enco JAB;encode JAB;encoded JAB;encodedco JAB;encodedcom JAB;encodedcomm JAB;encodedcomma JAB;encodedcomman JAB;encodedcommand JAB;e cwBFAFQA;en cwBFAFQA;enc cwBFAFQA;enco cwBFAFQA;encode cwBFAFQA;encoded cwBFAFQA;encodedco cwBFAFQA;encodedcom cwBFAFQA;encodedcomm cwBFAFQA;encodedcomma cwBFAFQA;encodedcomman cwBFAFQA;encodedcommand cwBFAFQA;e SQBFAF;en SQBFAF;enc SQBFAF;enco SQBFAF;encode SQBFAF;encoded SQBFAF;encodedco SQBFAF;encodedcom SQBFAF;encodedcomm SQBFAF;encodedcomma SQBFAF;encodedcomman SQBFAF;encodedcommand SQBFAF;e UwBFAFQA;en UwBFAFQA;enc UwBFAFQA;enco UwBFAFQA;encode UwBFAFQA;encoded UwBFAFQA;encodedco UwBFAFQA;encodedcom UwBFAFQA;encodedcomm UwBFAFQA;encodedcomma UwBFAFQA;encodedcomman UwBFAFQA;encodedcommand UwBFAFQA;e IABpAE4AdgBPAEsAZQAt;en IABpAE4AdgBPAEsAZQAt;enc IABpAE4AdgBPAEsAZQAt;enco IABpAE4AdgBPAEsAZQAt;encode IABpAE4AdgBPAEsAZQAt;encoded IABpAE4AdgBPAEsAZQAt;encodedco IABpAE4AdgBPAEsAZQAt;encodedcom IABpAE4AdgBPAEsAZQAt;encodedcomm IABpAE4AdgBPAEsAZQAt;encodedcomma IABpAE4AdgBPAEsAZQAt;encodedcomman IABpAE4AdgBPAEsAZQAt;encodedcommand IABpAE4AdgBPAEsAZQAt;e SQBmACgAJAB;en SQBmACgAJAB;enc SQBmACgAJAB;enco SQBmACgAJAB;encode SQBmACgAJAB;encoded SQBmACgAJAB;encodedco SQBmACgAJAB;encodedcom SQBmACgAJAB;encodedcomm SQBmACgAJAB;encodedcomma SQBmACgAJAB;encodedcomman SQBmACgAJAB;encodedcommand SQBmACgAJAB;e J;en J;enc J;enco J;encode J;encoded J;encodedco J;encodedcom J;encodedcomm J;encodedcomma J;encodedcomman J;encodedcommand J;e SUVY;en SUVY;enc SUVY;enco SUVY;encode SUVY;encoded SUVY;encodedco SUVY;encodedcom SUVY;encodedcomm SUVY;encodedcomma SUVY;encodedcomman SUVY;encodedcommand SUVY;e aWV4;en aWV4;enc aWV4;enco aWV4;encode aWV4;encoded aWV4;encodedco aWV4;encodedcom aWV4;encodedcomm aWV4;encodedcomma aWV4;encodedcomman aWV4;encodedcommand aWV4;e dmFy;en dmFy;enc dmFy;enco dmFy;encode dmFy;encoded dmFy;encodedco dmFy;encodedcom dmFy;encodedcomm dmFy;encodedcomma dmFy;encodedcomman dmFy;encodedcommand dmFy;e dgBhA;en dgBhA;enc dgBhA;enco dgBhA;encode dgBhA;encoded dgBhA;encodedco dgBhA;encodedcom dgBhA;encodedcomm dgBhA;encodedcomma dgBhA;encodedcomman dgBhA;encodedcommand dgBhA;e R2V0;en R2V0;enc R2V0;enco R2V0;encode R2V0;encoded R2V0;encodedco R2V0;encodedcom R2V0;encodedcomm R2V0;encodedcomma R2V0;encodedcomman R2V0;encodedcommand R2V0;e IAAgAH;en IAAgAH;enc IAAgAH;enco IAAgAH;encode IAAgAH;encoded IAAgAH;encodedco IAAgAH;encodedcom IAAgAH;encodedcomm IAAgAH;encodedcomma IAAgAH;encodedcomman IAAgAH;encodedcommand IAAgAH;e TVq;en TVq;enc TVq;enco TVq;encode TVq;encoded TVq;encodedco TVq;encodedcom TVq;encodedcomm TVq;encodedcomma TVq;encodedcomman TVq;encodedcommand TVq;e aQBIA;en aQBIA;enc aQBIA;enco aQBIA;encode aQBIA;encoded aQBIA;encodedco aQBIA;encodedcom aQBIA;encodedcomm aQBIA;encodedcomma aQBIA;encodedcomman aQBIA;encodedcommand aQBIA;e UEs;en UEs;enc UEs;enco UEs;encode UEs;encoded UEs;encodedco UEs;encodedcom UEs;encodedcomm UEs;encodedcomma UEs;encodedcomman UEs;encodedcommand UEs;e H4s;en H4s;enc H4s;enco H4s;encode H4s;encoded H4s;encodedco H4s;encodedcom H4s;encodedcomm H4s;encodedcomma H4s;encodedcomman H4s;encodedcommand H4s;e dXNpbm;en dXNpbm;enc dXNpbm;enco dXNpbm;encode dXNpbm;encoded dXNpbm;encodedco dXNpbm;encodedcom dXNpbm;encodedcomm dXNpbm;encodedcomma dXNpbm;encodedcomman dXNpbm;encodedcommand dXNpbm;e cwBhA;en cwBhA;enc cwBhA;enco cwBhA;encode cwBhA;encoded cwBhA;encodedco cwBhA;encodedcom cwBhA;encodedcomm cwBhA;encodedcomma cwBhA;encodedcomman cwBhA;encodedcommand cwBhA;JABzA</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection 2" groupRelation="and">
-				<CommandLine condition="contains all">FromBase64String</CommandLine>
-				<CommandLine condition="contains any">JAB;SUVY;aWV4;dmFy;dgBhA;R2V0;SQBFAF;TVq;aQBIA;UEs;H4s;dXNpbm;cwBhA</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection 3" groupRelation="and">
-				<CommandLine condition="contains any">/v Word experienced;/v Excel experienced;-v Word experienced;-v Excel experienced</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection 4" groupRelation="and">
-				<CommandLine condition="contains any">JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ;QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA;kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA;IgAoACcAKgAnACkAOwAkA;IAKAAnACoAJwApADsAJA;iACgAJwAqACcAKQA7ACQA</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Obfuscated Emotet Command Line detection" groupRelation="and">
-				<CommandLine condition="contains any">e^;^en^;^nc</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Suspicious Obfuscation Character" groupRelation="and">
-				<CommandLine condition="contains">^</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Suspicious Directory Traversal" groupRelation="and">
-				<CommandLine condition="contains any">..\;\..</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Formbook detections" groupRelation="and">
-				<CommandLine condition="contains any">\cmd.exe /c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe /c del "C:\Users\*\Desktop\*.exe;\cmd.exe -c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe -c del "C:\Users\*\Desktop\*.exe</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=QBot Process Creation,Risk=100" condition="contains any">ping.exe -n 6 127.0.0.1 &#38;ping.exe /n 6 127.0.0.1 &#38; type</CommandLine>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=Powershell RAW ping,Risk=100" condition="contains">System.Net.Networkinformation.ping</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
-			<Image name="Attack=T1158,Technique=Windows Management Instrumentation,Tactic=Execution,Level=0,Desc=Mofcomp execution or persistence,Risk=50" condition="image">mofcomp.exe</Image>
-
-			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
-			<Rule name="Attack=T1098,Technique=Account Manipulation,Tactic=Credential Access/Persistence,Level=3,Alert=Account Manipulation,Risk=80" groupRelation="and">
-				<Image condition="contains any">net.exe;net1.exe;net2.exe</Image>
-				<CommandLine condition="contains any">user;group;localgroup</CommandLine>
-				<CommandLine condition="contains any">remove;delete;active;del</CommandLine>
-				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
-			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
-			<Rule name="Attack=T1098,Technique=Create Account,Tactic=Persistence,Level=3,Alert=Account Created,Risk=80" groupRelation="and">
-				<Image condition="contains any">net.exe;net1.exe;net2.exe</Image>
-				<CommandLine condition="contains">user</CommandLine>
-				<CommandLine condition="contains any">add</CommandLine>
-				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
-			</Rule>
-			<Image name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsmod,Risk=100" condition="image">dsmod.exe</Image>
-			<Image name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Level=3,Alert=Account Creation via command line,Alert=Account creation with dsadd,Risk=100" condition="image">dsadd.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion/Execution,Level=0,Alert=SilentProcessExit Execution from werfault S-Flag,Risk=75" groupRelation="and">
-				<ParentImage condition="image">WerFault.exe</ParentImage>
-				<ParentCommandLine condition="contains any">-s;/s</ParentCommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike GetSystem escalation Detected" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>
-				<CommandLine condition="contains all">echo;\pipe\;&gt;</CommandLine>
-			</Rule>
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike PSexec dll copy detected" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>
-				<CommandLine condition="contains all">/c;copy;dll;\\;admin$</CommandLine>
-			</Rule>
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike Exec DLL Detected" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">,;StartW</CommandLine>
-			</Rule>
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike Susp activity 1" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">,;update;appdata;temp;/i:</CommandLine>
-			</Rule>
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike Susp activity 2" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">,;update;appdata;temp;-i:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,Level=3,Alert=CMSTPLUA UAC Bypass Child Processes" groupRelation="and">
-				<ParentImage condition="image">dllhost.exe</ParentImage>
-				<ParentCommandLine condition="contains any">{3E5FC7F9-9A51-4367-9063-A120244FBEC7};{3E000D72-A845-4CD9-BD83-80C07C3B881F};{D2E7041B-2927-42fb-8E9F-7CE93B6DC937};{02B49784-1CA2-436C-BC08-72FA3956507D};{BEF590BE-11A6-442A-A85B-656C1081E04C}</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,Level=3,Alert=CMSTPLUA UAC Bypass" groupRelation="and">
-				<Image condition="image">dllhost.exe</Image>
-				<CommandLine condition="contains any">{3E5FC7F9-9A51-4367-9063-A120244FBEC7};{3E000D72-A845-4CD9-BD83-80C07C3B881F};{D2E7041B-2927-42fb-8E9F-7CE93B6DC937};{02B49784-1CA2-436C-BC08-72FA3956507D};{BEF590BE-11A6-442A-A85B-656C1081E04C}</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<Rule name="Attack=T1548,Technique=Abuse Elevation Control Mechanism,Tactic=Privilege Escalation,Level=3,Alert=Abused Debug priviledge by Arbitrary Parent Process,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">winlogon.exe;services.exe;lsass.exe;csrss.exe;wininit.exe;spoolsv.exe;searchindexer.exe</ParentImage>
-				<Image condition="contains any">powershell.exe;pwsh.exe;cmd.exe</Image>
-				<User condition="contains any">AUTHORI;AUTORI</User>
-				<CommandLine condition="excludes any">route ; ADD </CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism: Bypass User Account Control-->
-			<Rule name="Attack=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation,Risk=20" groupRelation="and">
-				<ParentImage condition="image">eventvwr.exe</ParentImage>
-				<Image condition="is not">c:\windows\system32\mmc.exe</Image>
-			</Rule>
-			<ParentImage name="Attack=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="image">fodhelper.exe</ParentImage>
-			<Image name="Attack=T1118,Technique=InstallUtil,Tactic=Execution,Level=0,Desc=InstallUtil" condition="image">InstallUtil.exe</Image>
-			<CommandLine name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass" condition="contains">Invoke-PsUaCme</CommandLine>
-			<CommandLine name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass" condition="contains">BypassUAC</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Powerup Command Line events" condition="contains">PowerUp</CommandLine>
-			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">computerdefaults.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">dism.exe</OriginalFileName>
-			<ParentImage name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">fodhelper.exe</ParentImage>
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<Rule name="Attack=T1088,Technique=Access Token Manipulation,Tactic=Privilege Escalation,Risk=90,Level=3,Alert=Priv Escalation to System" groupRelation="and">
-				<ParentUser condition="contains any">NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</ParentUser>
-				<User condition="contains any">NT AUTHORITY\SYSTEM;СИСТЕМА;NT-AUTORITÄT\SYSTEM;AUTORITE NT\SYSTEM</User>
-			</Rule>
-			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine> <!-- can be useful for tokens manip detection -->
-			<Image name="Attack=T1134,Technique=Access Token Manipulation,Tactic=NA,Level=2,Alert=Token Manipulation with runas.exe,Risk=70" condition="image">runas.exe</Image> 
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Execution,Level=4,Alert=Utilman Lock Screen Bypass,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">Cmd.Exe</OriginalFileName>
-				<ParentImage condition="image">winlogon.exe</ParentImage>
-				<Image condition="image">utilman.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Execution,Level=4,Alert=sethc.exe Lock Screen Bypass,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">Cmd.Exe</OriginalFileName>
-				<ParentImage condition="image">winlogon.exe</ParentImage>
-				<Image condition="image">sethc.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,Level=4,Alert=Utilman Priv Escalation" groupRelation="and">
-				<ParentImage condition="image">utilman.exe</ParentImage>
-				<Image condition="excludes any">C:\Windows\System32\ATBroker.exe;Magnify.exe;C:\Windows\System32\osk.exe</Image>
-			</Rule>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation,Level=0,Desc=SETHC Priv Escalation" condition="image">sethc.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">osk.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Magnify.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">DisplaySwitch.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Narrator.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">AtBroker.exe</ParentImage>
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Application Shimming-->
-			<Image name="Attack=T1138,Technique=Application Shimming,Tactic=Persistence/Privilege Escalation,Level=3,Alert=Application Shimming" condition="image">sdbinst.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=3,Alert=Exploiting SetupComplete.cmd,CVE=CVE-2019-1378,Risk=70" groupRelation="and">
-				<CommandLine condition="contains any">cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd;cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd</CommandLine>
-				<Image condition="excludes">C:\Windows\Setup</Image>
-				<Image condition="excludes">C:\Windows\SysWOW64</Image>
-				<Image condition="excludes">C:\Windows\System32</Image>
-				<Image condition="excludes">C:\Windows\WinSxS</Image>
-			</Rule>
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=3,Alert=IE Exploitation CVE-2019-1388,Risk=70" groupRelation="and">
-				<ParentImage condition="image">consent.exe</ParentImage>
-				<CommandLine condition="contains">http</CommandLine>
-				<Image condition="image">iexplore.exe</Image>
-				<User condition="contains">SYSTEM</User>
-			</Rule>
-			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=Dwm Exploitation" groupRelation="and">
-				<ParentImage condition="image">dwm.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=4,Alert=7zip Priv Escalation Detection,CVE=CVE-2022-29072" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>
-				<ParentImage condition="image">7zFM.exe</ParentImage>
-				<CommandLine condition="excludes any">;/c;-c</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=4,Alert=Possible InstallerFileTakeOver LPE,CVE=CVE-2021-41379" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>
-				<ParentImage condition="image">elevation_service.exe</ParentImage>
-				<IntegrityLevel condition="contains">System</IntegrityLevel>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
-			<Image condition="contains">unknown process</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\LocalState\rootfs\</Image>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\LocalState\rootfs\</ParentImage>			
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<Rule name="Attack=T1484.001,Technique=Group Policy Modification,Tactic=Defense Evasion,Level=3,Alert=Auditpol System Audit Policy Change - Should be set via group policy instead" groupRelation="and">
-				<OriginalFileName condition="contains">auditpol</OriginalFileName>
-				<CommandLine condition="contains any">/set;-set;/restore;-restore;/clear;-clear;/remove;-remove;/resourceSACL;-resourceSACL</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
-			<Rule name="Attack=T1164.001,Technique=Hidden Files and Directories,Tactic=Defense Evasion,Level=3,Alert=Hidden/SuperHidden File or Folder created" groupRelation="and">
-				<CommandLine condition="contains any">+s;+h</CommandLine>
-				<Image condition="image">attrib.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1164.001,Technique=Hidden Files and Directories,Tactic=Defense Evasion,Level=3,Alert=Powershell Hidden File or Folder created" groupRelation="and">
-				<CommandLine condition="contains all">Hidden;Attributes</CommandLine>
-				<Image condition="image">powershell.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
-			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=3,Alert=Stealth Sysmon Change Detected,Risk=100" groupRelation="and">
-				<Product condition="is">Sysinternals Sysmon</Product>
-				<CommandLine condition="contains any">/u;/c;-u;-c</CommandLine>
-				<CurrentDirectory condition="excludes">C:\ProgramdData\sysmon\</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1562.001,Technique=Disabling Security Tools,Tactic=Defense Evasion,Level=4,Alert=Windows Defender tampering,Risk=50" groupRelation="and">
-				<Image condition="image">MpCmdRun.exe</Image>
-				<CommandLine condition="contains any">Add-MpPreference;RemoveDefinitions;DisableIOAVProtection</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools:  Disable Windows Event Logging-->
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonEnte Detection,Level=4,Risk=100" groupRelation="and">
-				<Hashes condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hashes>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonQuiet Detection,Level=4,Risk=100" groupRelation="and">
-				<Hashes condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hashes>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SharpEvtMute Detection,Level=4,Risk=100" groupRelation="and">
-				<Hashes condition="contains">IMPHASH=330768a4f172e10acb6287b87289d83b</Hashes>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
-			<Image condition="image" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=T1089,Level=4,Alert=PSTools PSKill,Risk=8">PsKill.exe</Image>
-			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=T1089,Risk=100,Level=4,Alert=Disabling of Windows Defender Features" groupRelation="and">
-				<CommandLine condition="contains any">Set-MpPreference;Add-MpPreference;Remove-MpPreference;MpCmdRun.exe</CommandLine>
-				<CommandLine condition="contains any">RemoveDefinitions;RemoveDynamicSignature;DisableIOAVProtection;DisableRealTimeMonitoring;DisableBehaviorMonitoring;DisableBlockAtFirstSeen;DisableIOAVProtection;DisablePrivacyMode;DisableScriptScanning;DisableRealtimeMonitoring;DisableScanningNetworkFiles;DisableScanningMappedNetworkDrivesForFullScan;DisableRestorePoint;DisableRemovableDriveScanning;SignatureDisableUpdateOnStartupWithoutEngine;DisableIntrusionPreventionSystem;DisableScanOnRealtimeEnable;DisableArchiveScanning;DisableIntrusionPreventionSystem;DisableScriptScanning;DisableOnAccessProtection;ExclusionExtension;ExclusionPath;ExclusionProcess;ThreatDefaultAction;TamperProtection</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,Level=2,Alert=netsh ipv6 modification,Risk=40" condition="contains">interface ipv6 set</CommandLine>
-			<CommandLine name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,Level=2,Alert=netsh ipv4 modification,Risk=40" condition="contains">interface ipv4 set</CommandLine>
-			<Image name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,Level=0,Desc=Command Line task kill 2,Risk=30" condition="image">taskkill.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=3,Alert=netsh Firewall Rule Deletion,Risk=40" condition="contains">firewall delete</CommandLine> 
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=2,Alert=netsh Firewall Rule Creation,Risk=40" condition="contains">firewall add</CommandLine> 
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=4,Alert=netsh firewall disablement,Risk=40" condition="contains">firewall set opmode disable</CommandLine>
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=4,Alert=Possible Arp Spoofing attacks" condition="contains">Core Networking - Router Solicitation</CommandLine>
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=0,Desc=Windows Firewall Modifications,Risk=40" condition="contains">netsh advfirewall firewall</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
-			<Rule name="Attack=T1070.001,Technique=Clear Windows Event Logs,Tactic=Defense Evasion,Level=4,Alert=Eventlog Removal on Host,Risk=100" groupRelation="and">
-				<Image condition="image">wevtutil.exe</Image>
-				<CommandLine condition="contains"> cl </CommandLine>
-				<CommandLine condition="excludes">wevtutil im</CommandLine>
-				<CommandLine condition="excludes">wevtutil.exe im</CommandLine>
-				<CurrentDirectory condition="excludes">ClickToRun</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1562.006,Technique=Indicator Blocking,Tactic=Defense Evasion,Risk=50" groupRelation="and">
-				<OriginalFileName condition="is">fltMC.exe</OriginalFileName>
-				<CommandLine condition="contains any">detach;unload</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion,Level=4,Alert=IIS Log disablement,Risk=80" groupRelation="and">
-				<OriginalFileName condition="is">appcmd.exe</OriginalFileName>
-				<CommandLine condition="contains all">DontLog;True</CommandLine>
-				<Image condition="excludes">iisetup.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=Usagelog Env Tampering,Risk=70" groupRelation="or">
-				<CommandLine condition="contains all">set;NGenAssemblyUsageLog</CommandLine>
-				<CommandLine condition="contains all">New-ItemProperty;NGenAssemblyUsageLog</CommandLine>
-				<CommandLine condition="contains all">reg;add;dword;NGenAssemblyUsageLog</CommandLine>
-				<CommandLine condition="contains all">$env;NGenAssemblyUsageLog</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=COMPlus_ETWEnabled Env Tampering,Risk=70" groupRelation="or">
-				<CommandLine condition="contains all">set;COMPlus_ETWEnabled</CommandLine>
-				<CommandLine condition="contains all">New-ItemProperty;COMPlus_ETWEnabled</CommandLine>
-				<CommandLine condition="contains all">reg;add;dword;COMPlus_ETWEnabled</CommandLine>
-				<CommandLine condition="contains all">$env;COMPlus_ETWEnabled</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
-			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux exec,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains any">bash.exe;wsl.exe;ubuntu.exe;kali.exe</OriginalFileName>
-				<CommandLine condition="contains any">-e;/e;-u root;--exec bash;dev/tcp</CommandLine>
-			</Rule>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</ParentImage>
-
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Bash on Windows Execution,Risk=30" condition="image">bash.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Bash on windows execution,Risk=30" condition="image">bash.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Indirect Command Execution with forfiles" condition="image">forfiles.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Indirect command execution forfiles child process" condition="image">forfiles.exe</ParentImage>
-			<Image name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">.com</Image>
-			<CommandLine name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=2,Alert=Scriptrunner exec" condition="contains">-appvscript</CommandLine>
-
-			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=3,Alert=suspicious execution path,Risk=30" groupRelation="and">
-				<Image condition="contains any">C:\Users\NetworkService\;C:\Users\NetworkService\;HarddiskVolumeShadowCopy;C:\Users\Default\;C:\Users\Public;C:\Users\Guest\;\administrateur\;C:\Windows\Media\;C:\Windows\addins\;tsclient\;\htdocs\;\config\systemprofile\;C:\PerfLogs\;c:\windows\ServiceProfiles\;C:\Intel\Logs\;C:\Windows\repair\;C:\Windows\Help\;$Recycle;C:\Windows\Debug\;C:\Windows\Security\;C:\Windows\Fonts\;\wwwroot\;\Contacts;C:\Windows\vss\</Image>
-			</Rule>		
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
-			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg add hkcu\software\classes\</CommandLine>
-			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg.exe add hkcu\software\classes\</CommandLine> 
-			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\WINDOWS\system32\svchost.exe -k localService -s RemoteRegistry</ParentCommandLine>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Alternate Data Streams with Regedit" groupRelation="and">
-				<OriginalFileName condition="is">regedit.exe</OriginalFileName>
-				<CommandLine condition="contains">:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=REG Registry Deletions" groupRelation="and">
-				<Image condition="image">reg.exe</Image>
-				<CommandLine condition="contains">delete </CommandLine>
-			</Rule>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Regedit Registry Deletions" groupRelation="and">
-				<Image condition="image">regedit.exe</Image>
-				<CommandLine condition="contains any">/d;-d</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Powershell Registry Deletions" groupRelation="and">
-				<CommandLine condition="contains any">HKCU:;HKLM</CommandLine>
-				<CommandLine condition="contains">remove-item</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Powershell Registry Modifications" groupRelation="and">
-				<CommandLine condition="contains any">HKCU:;HKLM</CommandLine>
-				<CommandLine condition="contains">set-item;new-item</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
-			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Suspicious Code Page Switch,Risk=50" groupRelation="and">
-				<Image condition="image">chcp.exe</Image>
-				<CommandLine condition="contains">936</CommandLine>
-				<CommandLine condition="contains">1256</CommandLine>
-				<CommandLine condition="contains">864</CommandLine>
-				<CommandLine condition="contains">1258</CommandLine>
-				<CommandLine condition="contains">855</CommandLine>
-				<CommandLine condition="contains">866</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Encoded Command Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">-e ;-en;-enc;-enco;-encod;-encode;-encoded;-encodedc;-encodedco;-encodedcom;-encodedcomm;-encodedcomma;-encodedcomman;-encodedcommand;/e ;/en;/enc;/enco;/encod;/encode;/encoded;/encodedc;/encodedco;/encodedcom;/encodedcomm;/encodedcomma;/encodedcomman;/encodedcommand</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Hidden Command,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">-w h;-wi h;-win h;-wind h;-windo h;-window h;-windows h;-windowst h;-windowsty h;-windowstyl h;-windowstyle h;/w h;/wi h;/win h;/wind h;/windo h;/window h;/windows h;/windowst h;/windowsty h;/windowstyl h;/windowstyle h</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Execution Policy Bypass,Risk=75" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">-ex;/ex</CommandLine>
-				<CommandLine condition="contains">bypass</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Powershell non-interactive Command" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">-noni;/noni</CommandLine>
-				<CommandLine condition="excludes">Import-Module FileServerResourceManager</CommandLine>
-				<CurrentDirectory condition="excludes">C:\Program Files\LogicMonitor</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1027,Tactic=Defense Evasion,Technique=Obfuscated Files or Information,Level=4,Alert=Powershell Obfuscation Command,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">hextobin;iex;io.filestream;system.text;base64;system.io;io.file;IMAGE_SUBSYSTEM_WINDOWS_GUI;IMAGE_NT_OPTIONAL_HDR32;IMAGE_NT_OPTIONAL_HDR64;DllCharacteristicsType;GetDelegateForFunctionPointer;WriteProcessMemory;ReadProcessMemory;ImpersonateSelf;AdjustTokenPrivileges;NtCreateThreadEx;CreateRemoteThread;io.seek;iwr;-bxor;invoke-expression;remove.to.string;shellcode;System.Net.WebClient;System.Net.WebRequest;System.Net.SecurityProtocolType;unicode;-useb;msxml2.serverxmlhttp;wscript.shell;-comobject;frombase64;io.compression;system.convert;io.streamreader;io.memorystream;compression.gzipstream;text.encoding;executioncontext;text.enc;convertto-securestring;runtime.interop;verbosepreference;[[string]]::join</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Encoded Offsets,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">SUVYI;aWV4I;SQBFAFgA;aQBlA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC;UwB0AGE</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Obfuscated Suspicious or Malicious Commands,Risk=70" groupRelation="and">
-				<CommandLine condition="contains any">C^om^S^pEc;^c^o^m^S^p^E^c^;Wscript.Shell;-ComObject;MsXml2.ServerXmlHttp;Remove.ToString;System.Convert;-UseB;[Byte[];^h^t^t^p;h"t"t"p</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information with IwAjACMAd,Tactic=Defense Evasion,Level=4,Alert=Common Base 64 encoded cmds" condition="contains any">IwAjACMAd;IyM=;SUVYI;aWV4I;SQBFAFgA;aQBlAHgA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Alert=Obfuscated Hidden Powershell,Risk=70" condition="contains any">WindowStyle Hidden function;WindowStyle Hidden;windowstyle h;windowstyl h;windowsty h;windowst h;windows h;window h;windo h;wind h;win h;wi h;-w h;/w h;win hi;win hid;win hidd;win hidde;win hidden</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Command Line Obfuscation,Risk=75" condition="contains">^</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=0,Desc=Type CON Command Line Redirection" condition="contains">TYPE CON ></CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=0,Desc=Copy CON Command Line Redirection" condition="contains">copy CON ></CommandLine>
-			<CommandLine name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Common Obfuscated Commands,Risk=100" condition="contains any">FromBase64String;action=create keyvalue=;VerbosePreference.ToString;SecureString;CSharpCodeProvider;runtime.interopservices.marshal;system.globalization.numberstyles;system.reflection.assembly;hextobin;VerbosePreference.ToString;system.text.encoding;io.filestream;io.filestream;io.seekorigin;text.encoding;unicode.getstring;FromBase64;[Convert]::;System.IO.File]::ReadAllText;|iex</CommandLine>
-			<Rule name="Attack=T1105,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=CertUtil Decode,Risk=80" groupRelation="and">
-				<OriginalFileName condition="contains">certutil</OriginalFileName>
-				<CommandLine condition="contains any">decode;encode</CommandLine>
-			</Rule>
-			<!--FIX MITRE Mapping-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Ping in Hexadecimal,Risk=60" groupRelation="and">
-				<Image name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Ping in Hexadecimal" condition="image">ping.exe</Image>
-				<CommandLine condition="contains">0x</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information: Compile After Delivery-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
-				<Image condition="image">csc.exe</Image>
-				<CommandLine condition="contains any">\AppData\;\Windows\Temp\</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,Level=3,Alert=Suspicious Parent of Csc.exe,Risk=80" groupRelation="and">
-				<Image condition="image">csc.exe</Image>
-				<ParentImage condition="image">wscript.exe</ParentImage>
-				<ParentImage condition="image">cscript.exe</ParentImage>
-				<ParentImage condition="image">mshta.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,Level=3,Alert=MOFComp compilation of .Mof File,Risk=80" groupRelation="and">
-				<Image condition="image">mofcomp.exe</Image>
-				<CommandLine condition="contains">.mof</CommandLine>
-				<CurrentDirectory condition="excludes">C:\WINDOWS\Installer\MSI</CurrentDirectory>
-				<ParentImage condition="excludes">MsMpEng.exe</ParentImage>
-				<ParentImage condition="excludes">aspnet_regiis.exe</ParentImage>
-				<ParentImage condition="excludes">msiexec.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,Level=3,Alert=CSC Compilation,Risk=80" groupRelation="and">
-				<ParentImage condition="is">csc.exe</ParentImage>
-				<CommandLine condition="contains any">out:;target:library</CommandLine>
-			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft.Workflow.Compiler.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of Autochk,Risk=30" groupRelation="and">
-				<Image condition="image">autochk.exe</Image>
-				<ParentImage condition="excludes any">\smss.exe;\fontdrvhost.exe;\dwm.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of SMSS,Risk=30" groupRelation="and">
-				<Image condition="contains any">\consent.exe;\Runtimebroker.exe;\TiWorker.exe</Image>
-				<ParentImage condition="excludes">\svchost.exe</ParentImage>
-				<ParentImage condition="is not">-</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of consent/runtimebroke/tiworker,Risk=30" groupRelation="and">
-				<Image condition="contains any">\consent.exe;\Runtimebroker.exe;\TiWorker.exe</Image>
-				<ParentImage condition="excludes any">svchost.exe</ParentImage>
-				<ParentImage condition="is not">-</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of searchindexer,Risk=30" groupRelation="and">
-				<Image condition="image">SearchProtocolHost.exe</Image>
-				<ParentImage condition="excludes any">\SearchIndexer.exe;\dllhost.exe</ParentImage>
-				<ParentImage condition="is not">-</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of dllhost,Risk=30" groupRelation="and">
-				<Image condition="image">dllhost.exe</Image>
-				<ParentImage condition="excludes any">\services.exe;\svchost.exe</ParentImage>
-				<ParentImage condition="is not">-</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of smss,Risk=30" groupRelation="and">
-				<Image condition="image">smss.exe</Image>
-				<ParentImage condition="excludes">\smss.exe</ParentImage>
-				<ParentImage condition="is not">System</ParentImage>
-				<ParentImage condition="is not">-</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of csrss,Risk=30" groupRelation="and">
-				<Image condition="image">csrss.exe</Image>
-				<ParentImage condition="is not">-</ParentImage>
-				<ParentImage condition="excludes any">\smss.exe;svchost.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of wininit,Risk=30" groupRelation="and">
-				<Image condition="image">wininit.exe</Image>
-				<ParentImage condition="is not">-</ParentImage>
-				<ParentImage condition="excludes">\smss.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of winlogon,Risk=30" groupRelation="and">
-				<Image condition="image">winlogon.exe</Image>
-				<ParentImage condition="excludes">\smss.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of lsass/LsaIso,Risk=30" groupRelation="and">
-				<Image condition="contains any">\lsass.exe;LsaIso.exe</Image>
-				<ParentImage condition="excludes">\wininit.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of LogonUI,Risk=30" groupRelation="and">
-				<Image condition="image">LogonUI.exe</Image>
-				<ParentImage condition="excludes any">\wininit.exe;\winlogon.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of services,Risk=30" groupRelation="and">
-				<Image condition="image">services.exe</Image>
-				<ParentImage condition="excludes">\wininit.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of svchost,Risk=30" groupRelation="and">
-				<Image condition="image">svchost.exe</Image>
-				<ParentImage condition="is not">-</ParentImage>
-				<ParentImage condition="excludes any">\MsMpEng.exe;\services.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of spoolsv,Risk=30" groupRelation="and">
-				<Image condition="image">spoolsv.exe</Image>
-				<ParentImage condition="excludes">\services.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of taskhost,Risk=30" groupRelation="and">
-				<Image condition="image">taskhost.exe</Image>
-				<ParentImage condition="excludes any">\services.exe;\svchost.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of userinit,Risk=30" groupRelation="and">
-				<Image condition="image">userinit.exe</Image>
-				<ParentImage condition="excludes any">\dwm.exe;\winlogon.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of wmiprvse/wsmprovhost/winrshost,Risk=30" groupRelation="and">
-				<Image condition="contains any">\wmiprvse.exe;\wsmprovhost.exe;\winrshost.exe</Image>
-				<ParentImage condition="is not">-</ParentImage>
-				<ParentImage condition="excludes any">\svchost.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
-				<ParentImage condition="contains any">\SearchProtocolHost.exe;\taskhost.exe;\csrss.exe</ParentImage>
-				<Image condition="excludes any">\werfault.exe;\wermgr.exe;\WerFaultSecure.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
-				<ParentImage condition="image">autochk.exe</ParentImage>
-				<Image condition="excludes any">\chkdsk.exe;\doskey.exe;\WerFault.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of smss,Risk=30" groupRelation="and">
-				<ParentImage condition="image">smss.exe</ParentImage>
-				<Image condition="excludes any">\autochk.exe;\smss.exe;\csrss.exe;\wininit.exe;\winlogon.exe;\setupcl.exe;\WerFault.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of wermgr,Risk=30" groupRelation="and">
-				<ParentImage condition="image">wermgr.exe</ParentImage>
-				<Image condition="excludes any">\WerFaultSecure.exe;\wermgr.exe;\WerFault.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of conhost,Risk=30" groupRelation="and">
-				<ParentImage condition="image">conhost.exe</ParentImage>
-				<Image condition="excludes any">\mscorsvw.exe;\wermgr.exe;\WerFault.exe;\WerFaultSecure.exe</Image>
-			</Rule>
-			<CommandLine name="Attack=T1055,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement,Tactic=Defense Evasion,Level=4,Alert=Powershell Injection persistence bypass,Risk=50" condition="contains">System.Management.Automation</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
-			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
-			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
-			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
-				<CommandLine condition="contains all">/logfile=;/LogToConsole=false;/U</CommandLine>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
-				<CommandLine condition="contains all">-logfile=;-LogToConsole=false;-U</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.013,Technique=Mavinject,Tactic=Execution,Level=3,Alert=Mavinject Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains any">Mavinject.exe;mavinject64.exe</OriginalFileName>
-				<CommandLine condition="contains">INJECTRUNNING</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 1,Risk=100" groupRelation="and">
-				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
-				<CommandLine condition="contains all">/ni;/s</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 2,Risk=100" groupRelation="and">
-				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
-				<CommandLine condition="contains all">/ns;/s</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 3,Risk=100" groupRelation="and">
-				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
-				<CommandLine condition="contains all">-ni;-s</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 4,Risk=100" groupRelation="and">
-				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
-				<CommandLine condition="contains all">-ns;-s</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.002,Technique=Control Panel,Tactic=Execution,Level=3,Alert=Control_Rundll Detected,Risk=50" groupRelation="and">
-				<CommandLine condition="contains all">rundll32.exe;shell32.dll;_RunDLL</CommandLine>
-				<Image condition="is not">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.008,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=3,Alert=Odbcconf Signed Binary Proxy Execution,Risk=50" groupRelation="and">
-				<Image condition="image">odbcconf.exe</Image>
-				<CommandLine condition="contains any">/S /A {REGSVR;-S -A {REGSVR</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,Level=3,Alert=Script:http Detected,Risk=75" condition="contains">script:http</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,Level=3,Alert=Register-cimprovider exec,Risk=100" condition="contains">Register-cimprovider</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">Scriptrunner.exe -appvscript</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">bginfo</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">cbd</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=runscripthelper LOLBAS,Risk=40" condition="contains">runscripthelper.exe surfacecheck</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=xwizard LOLBAS,Risk=40" condition="contains">xwizard RunWizard</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=PresentationHost exec,Risk=100" condition="contains">PresentationHost</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=VBoxDrvInst.exe exec,Risk=100" condition="contains">driver executeinf</CommandLine>
-			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains any">control.exe /name;control.exe -name</CommandLine>
-			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains">Control_RunDLL</CommandLine>
-			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="image">SyncAppvPublishingServer.exe</Image>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">Scriptrunner.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">ATBroker.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">Appvlp.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">InfDefaultInstall.EXE</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">PresentationHost.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">RegisterCimProvider2.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">RegisterCimProvider.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">ScriptRunner.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">csi.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">extexport.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">msconfig.EXE</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">rasdlui.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">tttracer.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">verclsid.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">wab.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=Register-cimprovider.exe,Risk=100" condition="contains">Register-cimprovider.exe</OriginalFileName>
-			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">csi.exe</ParentCommandLine>
-			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">devtoolslauncher.exe LaunchForDeploy</ParentCommandLine>
-			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">bginfo</ParentCommandLine>
-			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">devtoolslauncher.exe</ParentImage>
-			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">wab.exe</ParentImage>
-			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">wsreset.exe</ParentImage>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: CMSTP-->
-			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion" condition="contains any">cmstp.exe /ni /s;cmstp.exe -ni -s</CommandLine>
-			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=0,Desc=cmstp" condition="contains any">cmstp /ni /s;cmstp -ni -s</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Mavinject-->
-			<Image name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,Level=3,Alert=Mavinject Process Injection" condition="image">Mavinject.exe</Image>
-			<CommandLine name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,Level=3,Alert=Mavinject Process Injection" condition="contains">INJECTRUNNING</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
-			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,Level=3,Alert=Potential rundll32.exe DllRegisterServer execution,Risk=70" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains">DllRegisterServer</CommandLine>
-				<CommandLine condition="excludes any">xapauthenticodesip.dll</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,Level=3,Alert=Suspicious Regsvr32 loading in Appdata temp" groupRelation="and">
-				<Image condition="image">regsvr32.exe</Image> 
-				<CommandLine condition="contains all">C:\Users;Appdata;Temp</CommandLine> 
-			</Rule>
-			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Defense Evasion/Execution,Level=4,Alert=Suspicious Regsvr32 loading in Public User folder" groupRelation="and">
-				<Image condition="image">regsvr32.exe</Image> 
-				<CommandLine condition="contains all">C:\Users;Public</CommandLine> 
-			</Rule>
-			<Description name="Attack=T1117,Technique=Regsvr32,Tactic=Execution" condition="contains">Microsoft(C) Register Server</Description>
-			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=SyncAppvPublishingServer Applocker Bypass" condition="image">SyncAppvPublishingServer.exe</Image>
-			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=control panel execution" condition="image">control.exe</Image>
-			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=rasautou execution" condition="image">rasautou.exe</Image>
-			<CommandLine name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,Level=4,Alert=Control Panel Execution" condition="contains any">control.exe /name;control.exe -name</CommandLine>
-			<CommandLine name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,Level=4,Alert=Control Panel Execution" condition="contains">Control_RunDLL</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
-			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=Msiexec.exe DllRegisterServer execution,Risk=70" groupRelation="and">
-				<Image condition="image">msiexec.exe</Image>
-				<CommandLine condition="contains any">/y;-y</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\DartSock.dll</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\ImageViewer2.OCX</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\SysTray.ocx</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\tdbg6.ocx</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\tdbg7.ocx</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\tdbg7.ocx</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\todg7.ocx</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\todgub7.dll</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\xarraydb.ocx</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion,Level=4,Alert=MSIExec Signed Binary Proxy Execution,Risk=70" groupRelation="and">
-				<Image condition="image">msiexec.exe</Image>
-				<CommandLine condition="contains any">/i;-i</CommandLine>
-				<CommandLine condition="contains any">http</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Rundll32-->
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Rundll32 Suspicious call by Ordinal,Risk=80" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains all">,;#</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\resources\themes\Aero\AeroLite.msstyles</CommandLine>
-				<CommandLine condition="excludes">uxtheme.dll</CommandLine>
-				<CommandLine condition="excludes">ImageView_Fullscreen</CommandLine>
-				<CommandLine condition="excludes">EDGEHTML.dll</CommandLine>
-				<CommandLine condition="excludes">PhotoViewer.dll</CommandLine>
-				<CurrentDirectory condition="excludes">\AppData\Local\WebEx\WebEx\</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=3,Alert=Rundll32 Single Threaded Apartment Switch - check for com hijacks,Risk=75" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains any">-sta;/sta</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious OpenAs_RunDLL,Risk=30" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains all">shell32.dll;OpenAs_RunDLL</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Executing Powershell,Risk=70" groupRelation="and">
-				<ParentImage condition="image">RUNDLL32.EXE</ParentImage>
-				<OriginalFileName condition="contains">powershell</OriginalFileName>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious OpenURL Commands" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains all">url.dll;OpenURL</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious FileProtocolHandler Commands" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains all">url.dll;FileProtocolHandler</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious RouteTheCall Commands" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains all">zipfldr.dll;RouteTheCall</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious Control_RunDLL Commands" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains all">Shell32.dll;Control_RunDLL</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious javascript Commands" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains">javascript:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious RegisterXLL Commands" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains">RegisterXLL</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Suspicious Rundll32 loading in Public User folder" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image> 
-				<CommandLine condition="contains all">C:\Users;Public</CommandLine>
-				<ParentCommandLine condition="excludes any">rdpinit.exe</ParentCommandLine> 
-				<ParentImage condition="excludes any">rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe</ParentImage> 
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Suspicious Rundll32 loading in Appdata Temp" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">C:\Users;Appdata;Temp</CommandLine>
-				<CommandLine condition="excludes any">ImageView_</CommandLine>
-				<ParentCommandLine condition="excludes any">rdpinit.exe</ParentCommandLine>
-				<ParentImage condition="excludes any">rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe</ParentImage>
-			</Rule>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">advpack.dll;LaunchINFSection</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">ieadvpack.dll;LaunchINFSection</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">syssetup.dll;SetupInfObjectInstallAction</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">setupapi.dll;InstallHinfSection</CommandLine>
-			<CommandLine condition="contains">InstallHinfSection</CommandLine>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">infDefaultInstall.exe</Image>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=APT28 CHOPSTICK Detection,Risk=70" condition="contains">rundll32.exe "C:\Windows\twain_64.dll"</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Shdocvw exec via rundll32,Risk=70" condition="contains all">shdocvw.dll;OpenURL</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Testing advpack exec,Risk=70" condition="contains all">advpack.dll;RegisterOCX</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass,Risk=100" condition="contains all">Zipfldr.dll;RouteTheCall</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass,Risk=100" condition="contains all">url.dll;FileProtocolHandler</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass technique FileProtocolHandler,Risk=100" condition="contains all">url.dll;FileProtocolHandler</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" condition="contains all">OpenURLA;file:</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" condition="contains all">OpenURL;file:</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MSHTA-->
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Defense Evasion,Level=4,Alert=Suspicious child processes of mshta,Risk=100" groupRelation="and">
-				<ParentImage condition="image">mshta.exe</ParentImage>
-				<Image condition="contains any">cmd.exe;powershell.exe;wscript.exe;cscript.exe;sh.exe;bash.exe;reg.exe;regsvr32.exe;bitsadmin</Image>
-			</Rule>
-			<Rule name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution,Risk=100" groupRelation="and">
-				<Image condition="image">mshta.exe</Image>
-			</Rule>
-			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution" condition="contains">RunHTMLApplication</CommandLine>
-			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution" condition="contains">mshtml</CommandLine>
-			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution" condition="contains">vbscript:CreateObject</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Odbcconf-->
-			<Image name="Attack=T1218.008,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=3,Alert=Possible driver load with odbcconf,Risk=40" condition="image">odbcconf.exe</Image>
-
-			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
-			<CommandLine name="Attack=T1216,Technique=System Script Proxy Execution,Tactic=Defense Evasion,Level=4,Alert=manage-bde.wsf exec,Risk=100" condition="contains">manage-bde.wsf</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=Powershell Calling MSBuild" groupRelation="and">
-				<ParentImage condition="contains any">powershell.exe;powershell_ise.exe</ParentImage>
-				<Image condition="image">msbuild.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild Calling RegAsm" groupRelation="and">
-				<ParentImage condition="image">msbuild.exe</ParentImage>
-				<Image condition="contains">regasm</Image>
-			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild Calling useinit" groupRelation="and">
-				<ParentImage condition="image">msbuild.exe</ParentImage>
-				<Image condition="image">userinit.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild Building from xml - Silent Trinity" groupRelation="and">
-				<ParentImage condition="image">msbuild.exe</ParentImage>
-				<ParentCommandLine condition="contains">.xml</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=RegAsm Parent process" groupRelation="and">
-				<ParentImage condition="image">regasm.exe</ParentImage>
-				<Image condition="excludes">\conhost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild building from lnk file" groupRelation="and">
-				<Image condition="image">msbuild.exe</Image>
-				<CommandLine condition="contains">.lnk</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">.csproj</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
-			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
-			<Image name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,Level=4,Alert=XSL Script Processing" condition="image">msxsl.exe</Image>
-			<ParentImage name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,Level=4,Alert=XSL Script Processing" condition="image">msxsl.exe</ParentImage>
-			<!--MITRE ATT&CK TACTIC: Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
-			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
-			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Hawkeye Keylogger Detected" condition="contains">/stext</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">keylog</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">keyscan_</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">Get-Keystrokes</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">/scomma</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<Rule name="Attack=T1040,Technique=Network Sniffing,Tactic=Credential Access/Discovery,Level=4,Alert=Network Sniffing tool Detected,Risk=100" groupRelation="and">
-				<CommandLine condition="contains">sniff</CommandLine>
-				<CommandLine condition="excludes">C:\Program Files\Adobe\</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1040,Technique=Network Sniffing,Tactic=Credential Access/Discovery,Level=4,Alert=PCAP Sniffing tool Detected,Risk=100" groupRelation="or">
-				<OriginalFileName condition="is any">tcpdump.exe;tcpdump.c;tshark.exe;tshark.c;windump.exe;windump.c;wireshark.c;wireshark.exe</OriginalFileName>
-				<CommandLine condition="contains any">windump;tshark;tcpdump;windump;wireshark</CommandLine>
-				<CommandLine condition="contains all">netsh;trace;start;capture=yes</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Access with vss shadow copy,Risk=100" groupRelation="and">
-				<Image condition="image">vssadmin.exe</Image>
-				<CommandLine condition="contains any">create;shadow</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential access with wmic shadow copy creation,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains all">shadowcopy;call;create</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential access with wmic esentutl,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains all">call;create;esentutl;vss</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Powershell shadow copy creation,Risk=100" groupRelation="and">
-				<CommandLine condition="contains all">win32_shadowcopy;create;clientaccessible</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Symlink to Shadowcopy,Risk=100" groupRelation="and">
-				<CommandLine condition="contains all">mklink;GLOBALROOT;Shadow</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Copy of NTDS.dit from vss shadow copy,Risk=100" groupRelation="or">
-				<CommandLine condition="contains all">copy;NTDS\ntds.dit</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=ntdsutil credential dumping,Risk=100" groupRelation="or">
-				<Image condition="image">ntdsutil.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Copy of SYSTEM Registry from vss shadow copy,Risk=100" groupRelation="or">
-				<CommandLine condition="contains all">copy;System32\config\SYSTEM</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Malicious Reg Save Credential Dumping,Risk=100" groupRelation="or">
-				<CommandLine condition="contains all">reg;save;HKLM</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">mimikatz;mimidrv;mimilove;mimilib;sekurlsa;lsadump;dumpcreds;privilege::;token::;logonpasswords;mimikittenz;mimiauth;::;kerberos::;misc::skeleton;privilege::debug;dpapi::cred;vault::cred;lsadump;misc::;Krbtgt;TOKEN::;invoke-mimi</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=3,Alert=Possible credential modification or disclosure with cmdkey,Risk=30" groupRelation="and">
-				<OriginalFileName condition="contains">cmdkey</OriginalFileName>
-			</Rule>
-			<OriginalFileName name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=3,Alert=Credential Dumping Command rpcping,Risk=100" condition="is">rpcping.exe</OriginalFileName>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command nltest,Risk=100" condition="contains">nltest.exe</CommandLine>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Suspicious Cred Dumping Commands,Risk=60" groupRelation="and">
-				<CommandLine condition="contains any">-ma lsass.exe;Do-Exfiltration;Powersploit;GPPPassword;gpprefdecrypt;gsecdump;hashdump;laZagne;ntds.dit;ppldump;pwdump;pwdumpx;secretsdump;/listcreds:;-listcreds:</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultCloseVault</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultEnumerateItem</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultFree</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultGetItem</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultOpenVault</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">Vaultcmd</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">vaultcli.dll</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from firefox" condition="contains">select * from moz_login</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping" condition="contains">Invoke-WinEnum</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Dumping Cached Credentials,Risk=100" condition="contains">System.Net.CredentialCache</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=VSS Shadow file Created" condition="contains">create shadow</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Dumping,Level=4,Alert=Credential Theft: netsh wlan password export in cleartext,Risk=100" condition="contains all">wlan;export;profile;key=clear</CommandLine>
-			<CommandLine name="Attack=T1003.006,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command DCsync,Risk=100" condition="contains">dcsync</CommandLine>
-			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry" condition="contains any">HKCU /f password;HKCU -f password</CommandLine>
-			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry" condition="contains any">HKLM /f password;HKLM -f password</CommandLine>
-			<Image name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command nltest,Risk=60" condition="image">nltest.exe</Image>
-			<Image name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command" condition="contains">ProcDump.exe</Image>
-			<OriginalFileName name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command" condition="contains">ProcDump</OriginalFileName>
-			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">asktgt;asktgs</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">createnetonly /program:;createnetonly -program:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">dump /service:krbtgt;dump -service:krbtgt</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">harvest /interval:;harvest -interval:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">renew /ticket:;renew -ticket:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">asreproast</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">impersonateuser:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">kerberoast</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">ptt /ticket:</CommandLine>
-			<Image name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Kerberos Ticket Disclosure with klist,Risk=70" condition="image">klist.exe</Image>
-			<Image name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=0,Desc=Kerberos Ticket Disclosure,Risk=30" condition="image">hh.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
-			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
-			<Rule name="Attack=T1552,Technique=Unsecured Credentials,Tactic=Credential Access,Level=3,Alert=Possible disclosure with IIS appcmd,Risk=100" groupRelation="and">
-				<OriginalFileName condition="is">appcmd.exe</OriginalFileName>
-				<CommandLine condition="contains all">list;text;password</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TACTIC: Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=2,Alert=User enumeration/Discovery,Risk=30" condition="image">quser.exe</Image>
-			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=2,Alert=User or Group Discovery,Risk=50" groupRelation="and">
-				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
-				<CommandLine condition="contains any">group;localgroup; user</CommandLine>
-				<CommandLine condition="excludes">/domain</CommandLine>
-				<CommandLine condition="excludes">SUService</CommandLine>
-				<CommandLine condition="excludes">\users</CommandLine>
-				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=2,Alert=Domain User or Group Discovery,Risk=50" groupRelation="and">
-				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
-				<CommandLine condition="contains any">group;localgroup; user</CommandLine>
-				<CommandLine condition="contains any">/domain</CommandLine>
-				<CommandLine condition="excludes">SUService</CommandLine>
-				<CommandLine condition="excludes">\users</CommandLine>
-				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=4,Alert=Sharphound Discovery,Risk=100" groupRelation="or">
-				<CommandLine condition="contains any">sharphound;bloodhound;azurehound;CollectionMethod;encryptzip;randomizefilenames;dumpcomputerstatus</CommandLine>
-				<Company condition="contains any">sharphound;bloodhound</Company>
-				<Description condition="contains any">sharphound;bloodhound</Description>
-				<Image condition="contains any">sharphound;bloodhound</Image>
-				<OriginalFileName condition="contains any">sharphound;bloodhound</OriginalFileName>
-				<ParentImage condition="contains any">sharphound;bloodhound</ParentImage>
-				<Product condition="contains any">sharphound;bloodhound</Product>
-			</Rule>
-			<CommandLine name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=DSclient Discovery,Risk=70" condition="contains any">dscl . list /Groups;dscl . list -Groups</CommandLine>
-			<CommandLine name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=DSclient Discovery,Risk=70" condition="contains any">dscl . list /Users;dscl . list -Users</CommandLine>
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=DSQuery.EXE Discovery,Risk=70" condition="image">dsquery.exe</Image>
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=Query.EXE Discovery,Risk=30" condition="image">query.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
-			<Image name="Attack=T1083,Technique=File and Directory Discovery,Tactic=Discovery,Level=0,Desc=directory structure disclosure,Risk=30" condition="end with">tree.com</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
-			<Rule name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,Level=3,Alert=Auditpol System/GP Audit Policy Discovery" groupRelation="and">
-				<OriginalFileName condition="contains">auditpol</OriginalFileName>
-				<CommandLine condition="contains any">/get;-get;/list;-list;/backup;-backup</CommandLine>
-			</Rule>
-			<Image name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,Level=3,Alert=Group Policy Discovery with GPResult" condition="contains any">gpresult.exe</Image>
-			<CommandLine name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,Level=3,Alert=Group Policy Discovery with Powershell" condition="contains any">get-gpo;get-gpresult;get-gpreg</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
-			<Image name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,Level=0,Desc=Process Discovery,Risk=0" condition="image">tasklist.exe</Image>
-			<Image name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,Level=3,Alert=Process Discovery,Risk=0" condition="image">qprocess.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
-			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg query</CommandLine>
-			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg.exe query</CommandLine>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
-
-			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
-			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,Level=2,Alert=Traceroute Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">tracert.exe</Image>
-			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,Level=2,Alert=Pathping Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">pathping.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Discovery: Security Software Discovery-->
-			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,Alert=Sysmon Detection with driver altitude " groupRelation="or">
-				<CommandLine condition="contains all">find;385201</CommandLine>
-				<CommandLine condition="contains all">select-string;385201</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,Alert=Antivirus/edr/siem Discovery" groupRelation="or">
-				<CommandLine condition="contains all">find;virus</CommandLine>
-				<CommandLine condition="contains all">select-string;virus</CommandLine>
-				<CommandLine condition="contains all">process;Description;virus</CommandLine>
-				<CommandLine condition="contains all">find;cb</CommandLine>
-				<CommandLine condition="contains all">select-string;cb</CommandLine>
-				<CommandLine condition="contains all">process;Description;cb</CommandLine>
-				<CommandLine condition="contains all">find;defender</CommandLine>
-				<CommandLine condition="contains all">select-string;defender</CommandLine>
-				<CommandLine condition="contains all">process;Description;defender</CommandLine>
-				<CommandLine condition="contains all">find;crowdstrike</CommandLine>
-				<CommandLine condition="contains all">select-string;crowdstrike</CommandLine>
-				<CommandLine condition="contains all">process;Description;crowdstrike</CommandLine>
-				<CommandLine condition="contains all">find;sentinel</CommandLine>
-				<CommandLine condition="contains all">select-string;sentinel</CommandLine>
-				<CommandLine condition="contains all">process;Description;sentinel</CommandLine>
-				<CommandLine condition="contains all">find;nessusd</CommandLine>
-				<CommandLine condition="contains all">select-string;nessusd</CommandLine>
-				<CommandLine condition="contains all">process;Description;nessusd</CommandLine>
-				<CommandLine condition="contains all">find;td-agent</CommandLine>
-				<CommandLine condition="contains all">select-string;td-agent</CommandLine>
-				<CommandLine condition="contains all">process;Description;td-agent</CommandLine>
-				<CommandLine condition="contains all">find;cbagentd</CommandLine>
-				<CommandLine condition="contains all">select-string;cbagentd</CommandLine>
-				<CommandLine condition="contains all">process;Description;cbagentd</CommandLine>
-				<CommandLine condition="contains all">find;sysmon</CommandLine>
-				<CommandLine condition="contains all">select-string;sysmon</CommandLine>
-				<CommandLine condition="contains all">process;Description;sysmon</CommandLine>
-				<CommandLine condition="contains all">find;winlogbeat</CommandLine>
-				<CommandLine condition="contains all">select-string;winlogbeat</CommandLine>
-				<CommandLine condition="contains all">process;Description;winlogbeat</CommandLine>
-				<CommandLine condition="contains all">find;winlogbeat</CommandLine>
-				<CommandLine condition="contains all">select-string;winlogbeat</CommandLine>
-				<CommandLine condition="contains all">process;Description;winlogbeat</CommandLine>
-				<CommandLine condition="contains all">find;csfalcon</CommandLine>
-				<CommandLine condition="contains all">select-string;csfalcon</CommandLine>
-				<CommandLine condition="contains all">process;Description;csfalcon</CommandLine>
-				<CommandLine condition="contains all">find;splunk</CommandLine>
-				<CommandLine condition="contains all">select-string;splunk</CommandLine>
-				<CommandLine condition="contains all">process;Description;splunk</CommandLine>
-				<CommandLine condition="contains all">find;sidecar</CommandLine>
-				<CommandLine condition="contains all">select-string;sidecar</CommandLine>
-				<CommandLine condition="contains all">process;Description;sidecar</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" groupRelation="or">
-				<OriginalFileName name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" condition="is">fltMC.exe</OriginalFileName>
-				<CommandLine name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" condition="contains">misc::mflt</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,Level=3,Alert=AV Product detection via WMI,Risk=30" condition="contains">AntiVirusProduct</CommandLine>
-			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,Level=3,Alert=Security Settings via WMI,Risk=30" condition="contains">root\SecurityCenter2</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
-			<Image name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,Level=2,Alert=System Information Discovery,Risk=30" condition="image">sysinfo.exe</Image>
-			<CommandLine name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,Level=2,Alert=System Information Discovery,Risk=30" condition="image">systeminfo</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
-			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=Network Connection Discovery with netsh,Risk=60" groupRelation="and">
-				<Image condition="image">netsh.exe</Image>
-				<CommandLine condition="contains any">get;list;show</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=Network Connection Changes with netsh,Risk=60" groupRelation="and">
-				<Image condition="image">netsh.exe</Image>
-				<CommandLine condition="excludes any">get;list;show</CommandLine>
-			</Rule>
-			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=ipconfig discovery,Risk=20" condition="image">ipconfig.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
-			<Image name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=0,Desc=System Network Connections Discovery,Risk=0" condition="image">netstat.exe</Image>
-			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp -a</CommandLine> 
-			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp.exe -a</CommandLine> 
-			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp  -a</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
-			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=Account Discovery,Risk=50" groupRelation="and">
-				<Image condition="contains any">whoami.exe;whoami1.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=3,Alert=WMIC Account Discovery,Risk=30" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains all">get;useraccount</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Level=0,Desc=Network Connection modifications with netsh,Risk=40" groupRelation="and">
-				<Image condition="image">netsh.exe</Image>
-				<CommandLine condition="contains any">add;del;set</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=NBTStat DNS Lookup,Risk=30" groupRelation="and">
-				<CommandLine condition="contains">nbtstat</CommandLine> 
-				<CommandLine condition="excludes">nessus</CommandLine> 
-			</Rule>
-			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=route.exe discovery,Risk=60" groupRelation="and">
-				<Image condition="image">route.exe</Image>
-				<CommandLine condition="contains">print</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=Route Modification,Risk=40" groupRelation="and">
-				<Image condition="image">route.exe</Image>
-				<CommandLine condition="contains any">ADD;DEL;CHANGE;-f</CommandLine>
-			</Rule>
-			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=User enumeration with qwinsta" condition="image">qwinsta.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">rwinsta.exe</Image>
-			
-			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-
-			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ParentImage condition="contains">Microsoft Office\root\Office</ParentImage>
-				<Image condition="excludes">Microsoft Office\root\Office</Image>
-				<ParentCommandLine condition="contains all">automation;Embedding</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.002,Tactic=Lateral Movement,Technique=SMB/Windows Admin Shares,Level=3,Alert=Command Ran over Admin Share" groupRelation="and">
-				<CommandLine condition="contains">admin$</CommandLine>
-				<CommandLine condition="excludes any">davclnt.dll</CommandLine>
-				<ParentCommandLine condition="excludes any">WebClientGroup</ParentCommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking: RDP Hijacking-->
-			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,Level=4,Alert=Remote Desktop Shadow Alert,Risk=100" condition="contains any">/shadow;-shadow</CommandLine>
-			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,Level=4,Alert=Remote Desktop Shadow with no Consent alert" condition="contains">noConsentPrompt</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
-			<Rule name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,Level=4,Alert=RDP Hijack Detected" groupRelation="and">
-				<ParentImage name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,Level=4,Alert=RDP Hijack Detected,Risk=100" condition="image">tscon.exe</ParentImage>
-				<CommandLine condition="contains">dest:rdp-tcp:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=4,Alert=Powershell Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=4,Alert=Emotet Executed via WMI,Risk=100" groupRelation="and">
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-				<Image condition="contains">\Users\</Image>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Network Detective System Scan Detected,Risk=100" groupRelation="and">
-				<Image condition="contains">NetworkDetective</Image>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Remote Tenable Malware Scan Detected,Risk=100" groupRelation="and">
-				<Image condition="image">sc.exe</Image>
-				<CommandLine condition="contains">tenable</CommandLine>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=CMD.exe Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-				<CommandLine condition="excludes any">do_vbsUpload;Spiceworks</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=regsvr32.exe Executed via WMI,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">regsvr32.exe</OriginalFileName>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=CMD Executed via WMI,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">cmd.exe</OriginalFileName>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=4,Alert=Powershell Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=RSAT Tool Launch,Risk=100" groupRelation="and">
-				<CommandLine condition="contains">dsa.msc</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=HyperV Remote Management Tool Launch,Risk=100" groupRelation="and">
-				<CommandLine condition="contains">virtmgmt.msc</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Potential Malicious Remote WMI Execution Detected,Risk=100" groupRelation="and">
-				<ParentImage condition="image">wmiprvse.exe</ParentImage>
-				<Image condition="excludes">CompMgmtLauncher.exe</Image>
-				<Image condition="excludes">DismHost.exe</Image>
-				<Image condition="excludes">Microsoft.NET\Framework</Image>
-				<Image condition="excludes">NetEvtFwdr.exe</Image>
-				<Image condition="excludes">ServerManager.exe</Image>
-				<Image condition="excludes">WerFault.exe</Image>
-				<Image condition="excludes">chcp.com</Image>
-				<Image condition="excludes">g2mupdate.exe</Image>
-				<Image condition="excludes">slack.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,AlertSuspicious Processes Spawned by WinRM,Risk=100" groupRelation="and">
-				<ParentImage condition="image">wsmprovhost.exe</ParentImage>
-				<Image condition="image">cmd.exe</Image>
-				<Image condition="image">sh.exe</Image>
-				<Image condition="image">bash.exe</Image>
-				<Image condition="image">wsl.exe</Image>
-				<Image condition="image">powershell.exe</Image>
-				<Image condition="image">powershell_ise.exe</Image>
-				<Image condition="image">schtasks.exe</Image>
-				<Image condition="image">at.exe</Image>
-				<Image condition="image">certutil.exe</Image>
-				<Image condition="image">mshta.exe</Image>
-				<Image condition="image">whoami.exe</Image>
-				<Image condition="image">ping.exe</Image>
-				<Image condition="image">ping.exe</Image>
-				<Image condition="image">bitsadmin.exe</Image>
-			</Rule>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Windows Remote Management Execution" condition="end with">winrm.cmd</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrs.exe</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrshost.exe</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=2,Alert=Waitfor.exe Execution bypass" condition="image">waitfor.exe</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</Image>
-			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="end with">winrshost.exe</ParentImage>
-			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</ParentImage>
-			<Rule name="Attack=T1021.006,Technique=Remote WMIC/Execution,Tactic=Lateral Movement,Level=4,Alert=Potential Malicious Document Execution,Risk=90" groupRelation="and">
-				<ParentImage condition="image">wmiprvse.exe</ParentImage>
-				<Image condition="image">mshta.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Secure Shell Execution,Risk=80" groupRelation="and">
-				<Image condition="contains any">ssh.exe;putty.exe;kitty.exe;kitty_portable.exe</Image><!-- SSH -->
-			</Rule>
-			<Product name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Putty utility detected,Risk=60">PuTTY suite</Product>
-			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Secure Shell FTP Execution,Risk=80" groupRelation="and">
-				<Image condition="contains any">sftp;psftp</Image><!-- SSH -->
-			</Rule>
-			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Possible SMBExec via Metasploit,Risk=100" groupRelation="and">
-				<CommandLine condition="is">rundll32.exe</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Trickbot,Risk=100" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">..\;,</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Trickbot 2,Risk=100" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">,StartW</CommandLine>
-			</Rule>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Sysinternals PSService" condition="contains">psservice</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Sysinternals PsPasswd" condition="contains">PsPasswd</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">mstsc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
-			<CommandLine name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=IIS powershellcustomhost exec" condition="contains">powershellcustomhost</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Remote Services: Distributed Component Object Model-->
-			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement" groupRelation="and">
-				<ParentCommandLine condition="contains">-Embedding</ParentCommandLine>
-				<ParentImage condition="is">c:\windows\system32\mmc.exe</ParentImage>
-			</Rule>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=4,Alert=CrackmapExec - Malicious Command Line events,Tactic=Privilege Escalation" condition="contains all">--execm;atexec</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Background Intelligent Transfer Control Class 1.0" condition="contains">{4991d34b-80a1-4291-83b6-3328366b9097}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Excel.Application" condition="contains">{00020812-0000-0000-C000-000000000046}</CommandLine> 	  
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: HTML Application" condition="contains">{40AEEAB6-8FDA-41e3-9A5F-8350D4CFCA91}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: MMC20.APPLICATION" condition="contains">{7e0423cd-1119-0928-900c-e6d4a52a0715}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Outlook.Application" condition="contains">{0006F04A-0000-0000-C000-000000000046}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Powerpoint.Application" condition="contains">{048EB43E-2059-422F-95E0-557DA96038AF}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Shell.Application" condition="contains">{13709620-C279-11CE-A49E-444553540000}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: ShellBrowserWindow" condition="contains">{c08afd90-f2a1-11d1-8455-00a0c91f3880}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: ShellWindows" condition="contains">9BA05972-F6A8-11CF-A442-00A0C90A8F39</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Visio.Application" condition="contains">{00021A20-0000-0000-C000-000000000046}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: WScript.Shell" condition="contains">{72C24DD5-D70A-438B-8A42-98424B88AFB8}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Word.Application" condition="contains">{00020906-0000-0000-C000-000000000046}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Execution - Suspicious Cmdline - JScript Engine CLSID">{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Execution - Unusual Scripting Engine in use - chakra.dll">{1b7cd997-e5ff-4932-a7a6-2a9e636da385}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Execution - Unusual Scripting Engine in use - jscript9.dll">{16d51579-a30b-4c8b-a276-0ff4dc41e755}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" condition="contains any">rundll32.exe -sta;rundll32.exe /sta;rundll32 -sta;rundll32 /sta</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" condition="contains all">shell32.dll;SHCreateLocalServerRunDll</CommandLine>
-			<ParentCommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM Launch" condition="contains any">-k DcomLaunch;/k DcomLaunch</ParentCommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-
-			<!--MITRE ATT&CK TACTIC: Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
-			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,Level=4,Alert=Dark Halo Protected zip file creation,Risk=100" groupRelation="and">
-				<Image condition="image">7z.exe</Image>
-				<CommandLine condition="contains any">a -mx9 -r0 -p;a -v500m -mx9 -r0 -p</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
-			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">WindowsAudioDevice-Powershell-Cmdlet</CommandLine>
-			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">SoundRecorder.exe</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
-			<Image name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,Level=3,Alert=Data injected into clipboard,Risk=30" condition="is">clip.exe</Image>
-			<CommandLine name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,Level=3,Alert=Data pulled from clipboard,Risk=40" condition="contains">get-clipboard</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
-			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
-			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Possible Email Collection/Exfiltration,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">New-MailboxExportRequest</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">screencapture</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.drawing.Imaging</CommandLine>			
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.drawing.bitmap</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.windows.forms.screen</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
-			<!--MITRE ATT&CK TACTIC: Command and Control-->
-			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=base64 encoded URL https or http offset,Risk=80" groupRelation="and">
-				<CommandLine condition="contains any">odHRwczovL;aHR0cDovL;h0dHA6Ly;odHRwOi8v;aHR0cHM6Ly;h0dHBzOi8v</CommandLine>
-				<Image condition="excludes any">ie_to_edge_stub.exe;chrome.exe;firefox.exe;iexplore.exe;brave.exe;vivaldi.exe;msedge.exe;webex;teams.exe;goto opener.exe;lynx.exe;\Webex\webexAppLauncherLatest.exe;\WebEx\webexAppLauncher.exe;\WebEx\Applications\webexAppLauncher.exe;WebEx\webex.exe</Image>
-				<CommandLine condition="excludes any">wbx:;/SITE_TOKEN=;msteams:;PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSI</CommandLine>
-				<OriginalFileName condition="excludes any">msedgeupdate.dll</OriginalFileName>
-			</Rule>
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=Double Base64 encoded executable,Risk=90" groupRelation="and">
-				<CommandLine condition="contains any">VFZvQUFBQ;RWb0FBQU;UVm9BQUFB;VFZxQUFBR;RWcUFBQU;UVnFBQUFF;VFZwUUFBS;RWcFFBQU;UVnBRQUFJ;VFZxUUFBT;RWcVFBQU;UVnFRQUFN;VFZwVEFRR;RWcFRBUU;UVnBUQVFF</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=base64 encoded powershell" groupRelation="and">
-				<Image condition="image">powershell.exe</Image>
-				<CommandLine condition="contains any">AAAAYInlM;OiCAAAAYInlM;OiJAAAAYInlM;RwBlAHQAL;WwBOAGUAdAAuAFM;W05ldC5TZXJ2aWNl</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=Cyrillic Letter obfuscation,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">Г;И;К;П;д;и;к;л;л;н;н;о;ф;ե;թ;յ;ն;ն;ն;ն;տ;ւ;ք</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
-			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
-			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Rule name="Attack=T1105,Technique=Remote File Copy,Tactic=Command and Control,Level=4,Alert=Certutil file transfer,Risk=100" groupRelation="and">
-				<Image condition="image">certutil.exe</Image>
-				<CommandLine condition="contains all">urlcache;split;f</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=Command Line file transfer,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">DownloadFile;DownloadString;Net.WebClient;System.Net.WebRequest;System.Net.SecurityProtocolType;Invoke-Expression;Invoke-WebRequest</CommandLine>
-				<Image condition="contains any">powershell.exe;cmd.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=BitsAdmin File Transfers,Risk=70" groupRelation="and">
-				<OriginalFileName condition="is">bitsadmin.exe</OriginalFileName>
-				<CommandLine condition="contains any">CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME</CommandLine>
-				<CommandLine condition="excludes all">util;setieproxy;localsystem;AUTODETECT</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=BitsAdmin File Transfers 2,Risk=70" groupRelation="and">
-				<Description condition="contains">BITS administration utility</Description><!-- to detect renamed ones -->
-				<CommandLine condition="contains any">CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1105,Tactic=Command And Control,Technique=Ingress Tool Transfer,Level=4,Alert=Linux Ingress transfer tools on Windows,Risk=30" groupRelation="and">
-				<Image condition="contains any">\curl.exe;\wget.exe;\www.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1105,Tactic=Command And Control,Technique=Ingress Tool Transfer,Level=4,Alert=Linux Ingress transfer tools on Windows,Risk=30" groupRelation="and">
-				<Image condition="contains any">\curl.exe;\wget.exe;\www.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Certutil file download 1,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">certutil</OriginalFileName>
-				<CommandLine condition="contains all">split;f</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Certutil file download 2,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">certutil</OriginalFileName>
-				<CommandLine condition="contains any">verifyctl;URL</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=BitsAdmin File Transfers,Risk=70" condition="image">start-bitstransfer</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand.exe \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" condition="contains">ieexec http</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" condition="contains">ieexec.exe http</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Ingress Tool Transfer with Powercat,Risk=100" condition="contains">powercat</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" condition="contains any">esentutl /y \\;esentutl -y \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" condition="contains any">esentutl.exe /y \\;esentutl.exe -y \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" condition="contains">extrac32 \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" condition="contains">extrac32.exe \\</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
-			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
-			<CommandLine name="Attack=T1090,Technique=Connection Proxy,Tactic=Command and Control,Level=4,Alert=NetSH PortProxy,Risk=70" condition="contains">portproxy</CommandLine>
-			<Image name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Command and Control,Level=4,Alert=Tor Detected,Risk=100" condition="image">tor.exe</Image><!-- Tor-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
-			<Image name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Unattended Session" condition="image">TeamViewer_Desktop.exe</Image>
-			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=4,Alert=PSExec Command,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains any">psexec</OriginalFileName>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
-
-			<!--MITRE ATT&CK TACTIC: Exfiltration-->
-			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Exfiltration,Level=0,Desc=SCP Data exfiltration detected,Risk=100" groupRelation="and">
-				<Image condition="contains any">winscp.exe;winscp.com;scp.exe;pscp</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
-			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,Level=0,Desc=Data exfiltration Tool detected 3,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">bitch.exe;bitch.bat;bitch_lasagna.exe;Admin Cracker.exe;BulletsPassView.exe;ChromePass.exe;Dialupass.exe;LSASecretsView.exe;OpenedFilesView.exe;OperaPassView.exe;PasswordFox.exe;ProduKey.exe;RouterPassView.exe;USBDeview.exe;USBStealer.exe;VNCPassView.exe;WebBrowserPassView.exe;WirelessKeyView.exe;WirelessKeyView.exe;empv.exe;netpass.exe;pspv.exe;usbdll.exe;rdpv.exe;WirelessKeyView.exe;lasagna.exe;all -vvv &gt;&gt;;rsync -r</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,Level=0,Desc=CredsLeaker exfiltration tool detected,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">CredsLeaker;Windows.Security.Credentials.UI.CredentialPicker;function Leaker;function Await</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,Level=0,Desc=merlin CnC exfiltration detected 4,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">.exe -url https://;dll,Run https://;Invoke-Merlin;-m SimpleHTTPServer;/m SimpleHTTPServer</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=DNS Exfil detected,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">-q=txt;/q=txt</CommandLine>
-				<Image condition="image">nslookup.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1567.002,Technique=Exfiltration to Cloud Storage,Tactic=Exfiltration,Level=4,Alert=Rclone detected,Risk=100" groupRelation="or">
-				<OriginalFileName condition="contains any">rclone</OriginalFileName>
-				<Description condition="contains any">Rsync for cloud storage</Description>
-				<Product condition="contains any">rclone</Product>
-				<Company condition="contains any">rclone</Company>
-				<Image condition="contains any">\rclone</Image>
-			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=S3browser detected,Risk=100" groupRelation="or">
-				<OriginalFileName condition="contains any">s3browser</OriginalFileName>
-				<Description condition="contains any">s3browser</Description>
-				<Product condition="contains any">s3browser</Product>
-				<Image condition="contains any">s3browser</Image>
-			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=FTP exfiltration detected,Risk=100" groupRelation="or">
-				<CommandLine condition="contains any">add-ftp;.UploadFile(</CommandLine>
-				<Image condition="contains any">ftp.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1048,Tactic=Exfiltration,Technique=Exfiltration to Cloud Storage,Level=0,Desc=Webdav Share Mounted" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">davclnt.dll;DavSetCookie</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
-
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
-
-			<!--MITRE ATT&CK TACTIC: Impact-->
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Possible Ransomware Command Detected,Risk=100" groupRelation="and">
-				<Image condition="image">bcdedit.exe</Image>
-				<CommandLine condition="contains">safeboot</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Possible Ransomware Command Detected,Risk=100" groupRelation="and">
-				<Image condition="image">bootcfg.exe</Image>
-				<CommandLine condition="contains">safeboot</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Possible Ransomware Virtual Machine,Risk=60" groupRelation="and">
-				<CommandLine condition="contains any">-startvm;vrun.exe -vm</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with vssadmin Detected,Risk=100" groupRelation="and">
-				<Image condition="image">vssadmin.exe</Image>
-				<CommandLine condition="contains any">delete;resize</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wmic shadowcopy delete Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains all">shadowcopy;delete</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wbadmin.exe</OriginalFileName>
-				<CommandLine condition="contains all">SYSTEMSTATEBACKUP;delete</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wmic shadowstorage Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains">wmic shadowstorage SET MaxSpace=</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Destructive WMIC Commands Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains any">cleareventlog;call disable;nteventlog where filename</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Alert=Data Destruction with diskpart" groupRelation="and">
-				<OriginalFileName condition="contains">diskpart.exe</OriginalFileName>
-				<CommandLine condition="contains any">format;clean;delete;remove</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Alert=Data Destruction with manage-bde.exe" groupRelation="and">
-				<OriginalFileName condition="contains">manage-bde.exe</OriginalFileName>
-				<CommandLine condition="contains any">changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Alert=Data Destruction with manage-bde.wsf" groupRelation="and">
-				<CommandLine condition="contains">manage-bde.wsf</CommandLine>
-				<CommandLine condition="contains any">changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Data Destruction with format" condition="begin with">format </CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Data Destruction with format" condition="begin with">format </CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" condition="contains">bootstatuspolicy ignoreallfailures</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" condition="contains">recoveryenabled No</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with get-wmiobject Detected,Risk=100" condition="contains">Win32_Shadowcopy</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with sdelete Detected,Risk=100" condition="contains">sdelete</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">delete catalog</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">wbadmin delete catalog</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Desc=Data Destruction with erase Detected,Risk=100" condition="contains">erase</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">-nw -exec=</CommandLine><!-- vshadow -->
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">-p -nw</CommandLine><!-- vshadow -->
-			<Image name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with shred Detected,Risk=100" condition="contains">shred</Image>
-			<ParentImage name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Diskshadow Execution,Risk=70" condition="contains">diskshadow</ParentImage>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Command Line File Deletion,Risk=100" groupRelation="or">
-				<CommandLine condition="contains all"> del ; /f </CommandLine>
-				<CommandLine condition="contains all"> del ; -f </CommandLine>
-				<CommandLine condition="contains all"> rmdir ; /s ; /q </CommandLine>
-				<CommandLine condition="contains all"> rmdir ; -s ; -q </CommandLine>
-				<CommandLine condition="contains all"> rd ; /s ; /q </CommandLine>
-				<CommandLine condition="contains all"> rd ; -s ; -q </CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
-			<CommandLine name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=3,Alert=Potential Ransomware indicator" condition="contains">usn deletejournal</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
-			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
-			<Rule name="Attack=T1107,Technique=File Deletion,Tactic=Defense Evasion,Level=3,Alert=FSUtil USN Journal Deletion,Risk=60" groupRelation="and">
-				<Image condition="image">fsutil.exe</Image>
-				<CommandLine condition="contains">deletejournal</CommandLine>
-				<CommandLine condition="contains">usn</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
-			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
-			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
-			<!--Malicious Keywords Credits: Sean Metcalf (source), Florian Roth (rule)-->
-			<CommandLine name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,Level=4,Alert=Malicious Keywords from Exploitation Frameworks" condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
-			<!--Crypto Currency Miner Detections-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
-				<CommandLine condition="contains any">ahashpool;blazepool;blockmasters;blockmasterscoins;ccminer;cgminer;coinhive;hashrefinery;minergate;miningpoolhubcoins;nicehash;poolname;poolpassword;poolurl;rainbowminer;sgminer;stratum+tcp;xmrMiner;xmrig;yiimp;zergpool;zergpoolcoins;zpool</CommandLine>
-				<Description condition="contains any">CPU miner;GPU miner;Lime Miner;XMRig CPU miner; miner</Description>
-			</Rule>
-			<!--Malware Hashes-->
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst hashes,Risk=100" groupRelation="and">
-				<Hashes condition="contains any">b91ce2fa41029f6955bff20079468448;02af7cec58b9a5da1c542b5a32151ba1;2c4a910a1299cdae2a4e55988a2f102e;846e27a652a5e1bfbd0ddd38a16dc865;4f2eb62fa529c0283b28d05ddd311fae;56ceb6d0011d87b6e4d7023d7ef85676</Hashes>
-			</Rule>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
-			<Hashes name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=4,Alert=Generic APT Hash Detection,Risk=100" condition="contains any">4a069c1abe5aca148d5a8fdabc26751e;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;a4b42c2c95d1f2ff12171a01c86cd64f;98908ce6f80ecc48628c8d2bf5b2a50c;849a2b0dc80aeca3d175c139efe5221c;807d86da63f0db1fc746d1f0b05bc357;322cb39bc049aa69136925137906d855;86A4CAC227078B9C95C560C8F0370BF0;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;eac3e3ece94bc84e922ec077efb15edd;b4abe604916c04fe3dd8b9cb3d501d3f;88777aacd5f16599547926a4c9202862;128CECC59C91C0D0574BC1075FE7CB40;17a36ac3e31f3a18936552aff2c80249;0f49621b06f2cdaac8850c6e9581a594;3d129263f6a48647f103a04446fb0c2f;71345b139166482acaa568ac8816c7bc;1b60021baedc3f9201bcdb40e9b87f62;5E022694C0DBD1FBBC263D608E577949;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;37cd353621b0f4fc6981b50071c94f01;daf2da52475fd8981b19ec3c321a983c;afcdf79be1557326c854b6e20cb900a7;2f40abbb4f78e77745f0e657a19903fc953cc664;37b4496e650b3994312c838435013560b3ca8571;478dc5a5f934c62a9246f7d1fc275868f568bc07;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;0ac48cfa2ff8351365e99c1d26e082ad;0e9afd3a870906ebf34a0b66d8b07435;1aadf739782afcae6d1c3e4d1f315cbd;2a6f7ec77ab6bd4297e7b15ae06e2e61;3a771efb7ba2cd0df247ab570e1408b2;3d75c72144d873b3c1c4977fbafe9184;3dfebce4703f30eed713d795b90538b5;3ffd2915d285ad748202469d4a04e1f5;4e39620afca6f60bb30e031ddc5a4330;6cfd131fef548fcd60fbcdb59317df8e;7bcd736a2394fc49f3e27b3987cce640;7bfba2c69bed6b160261bdbf2b826401;7bfbd72441e1f2ed48fbc0f33be00f24;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;08e82dc7bae524884b7dc2134942aadb;8da15a97eaf69ff7ee184fc446f19cf1;9ad6fa6fdedb2df8055b3d30bd6f64f1;9c115e9a81d25f9d88e7aaa4313d9a8f;16ab79fb2fd92db0b1f38bedb2f02ed8;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;22d142f11cf2a30ea4953e1fffb0fa7e;36db24006e2b492cafb75f2663f241b2;51a7068640af42c3a7c1b94f1c11ab9d;69a19abf5ba56ee07cdd3425b07cf8bf;72dc98449b45a7f1ccdef27d51e31e91;77a745b07d9c453650dd7f683b02b3ed;80c37e062aa4c94697f287352acf2e9d;92f8e3f0f1f7cc49fad797a62a169acd;235d427f94630575a4ea4bff180ecf5d;320b2f1d9551b5d1df4fb19bd9ab253a;490a140093b5870a47edc29f33542fd2;520ee02668a1c7b7c262708e12b1ba6b;649ef1dd4a5411d3afcf108d57ff87af;684eca6b62d69ce899a3ec3bb04d0a5b;815f1f8a7bc1e6f94cb5c416e381a110;0969b2b399a8d4cd2d751824d0d842b4;2317d65da4639f4246de200650a70753;04078ef95a70a04e95bda06cc7bec3fa;8035a8a143765551ca7db4bc5efb5dfd;8403a28e0bffa9cc085e7b662d0d5412;9003cfaac523e94d5479dc6a10575e60;9793afcea43110610757bd3b800de517;27612cb03c89158225ca201721ea1aad;44619a88a6cff63523163c6a4cf375dd;061089d8cb0ca58e660ce2e433a689b3;81229c1e272218eeda14892fa8425883;84730a6e426fbd3cf6b821c59674c8a0;533340c54bd25256873b3dca34d7f74e;57314359df11ffdf476f809671ec0275;99828721ac1a0e32e4582c3f615d6e57;412956675fbc3f8c51f438c1abc100eb;5985087678414143d33ffc6e8863b887;a43d3b31575846fa4c3992b4143a06da;a571660c9cf1696a2f4689b2007a12c7;b4e67706103c3b8ee148394ebee3f268;b9c208ea8115232bfd9ec2c62f32d6b8;b9cf4301b7b186a75e82a04e87b30fe4;b72737b464e50aa3664321e8e001ff32;bfe3f6a79cad5b9c642bb56f8037c43b;c0e72eb4c9f897410c795c1b360090ef;c1e7850da5604e081b9647b58248d7e8;c3e255888211d74cc6e3fb66b69bbffb;cacaa3bf3b2801956318251db5e90f3c;cdb303f61a47720c7a8c5086e6b2a743;ce8ce92fb6565181572dce00d69c24f8;d8f1356bebda9e77f480a6a60eab36bb;d9e9f22988d43d73d79db6ee178d70a4;d5377dc1821c935302c065ad8432c0d2;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;f559c87b4a14a4be1bd84df6553aaf56;fc53f2cd780cd3a01a4299b8445f8511;ffc7305cb24c1955f9625e525d58aeee</Hashes>
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=4,Alert=Windows Credential Editor Detection,Risk=70" condition="contains any">e96a73c7bf33a464c510ede582318bf2;a53a02b997935fd8eedcb5f7abab9b9f</Hashes>
-			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Ransomware Hash Detection,Risk=100" condition="contains any">d326e629a90e78825645963b35e53a6a;c579341f86f7e962719c7113943bb6e4;dc5733c013378fa418d13773f5bfe6f1;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc7e564809d6c2a2f3457c3c9b91f22b;FE2CA1BE3BDA2A757036A89E54CC02DB;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b</Hashes>
-			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Ursniff Bank Malware,Risk=100" condition="contains">53841a0c6a3ff92976db08bfdf95e083</Hashes>
-			<!--UEBA Activities-->
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Zoom: passwordless meeting Start,Risk=30" groupRelation="and">
-				<CommandLine condition="contains">zoommtg</CommandLine>
-				<CommandLine condition="excludes">pwd=</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Zoom: Video and Audio Session Start" groupRelation="and">
-				<CommandLine condition="contains">zoommtg</CommandLine>
-				<CommandLine condition="contains">zc=0</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Zoom: Screen Share,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">zoommtg</CommandLine>
-				<CommandLine condition="contains">zc=1</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Microsoft Teams URL clicked" groupRelation="and">
-				<CommandLine condition="contains">msteams:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Webex URL clicked" groupRelation="and">
-				<CommandLine condition="contains">wbx:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Executed files within Downloads,Risk=30" groupRelation="and">
-				<Image condition="contains">C:\Users\</Image>
-				<Image condition="contains">\Downloads\</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Executed files on Desktop,Risk=10" groupRelation="and">
-				<Image condition="contains">C:\Users\</Image>
-				<Image condition="contains">\Desktop\</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Linux tools installed on windows,Risk=30" groupRelation="and">
-				<Image condition="contains any">\awk.exe;\sed.exe</Image>
-			</Rule>
-			<CommandLine condition="contains">listena</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=LOLBins" condition="contains any">-s -n -u -i:http:</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=LOLBins" condition="contains any">/s /n /u /i:http:</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">assoc </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">del </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">expand </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">md </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">move </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">rd </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">ren </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">set </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">setx </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="contains any">bginfo.bgi /popup /nolicprompt;bginfo.bgi -popup -nolicprompt</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="image">find.exe</CommandLine>
-			<CommandLine name="Attack=T1595,Technique=Hacking,Tactic=Execution,Level=3,Alert=FireEye/Fin6 Hacking tools" condition="contains">grabff</CommandLine>
-			<CommandLine name="Attack=T1595,Technique=Hacking,Tactic=Execution,Level=3,Alert=FireEye/Fin6 Hacking tools" condition="contains">routerscan</CommandLine>
-			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=3,Alert=Hacking with python,Risk=70" condition="contains">pythonEngine.Execute</CommandLine>
-			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=4,Alert=Hacking with session hijacking,Risk=100" condition="contains">sesshijack</CommandLine>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=File Protocol Handler Execution" condition="contains">file://</CommandLine>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">HTML Application host</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Manager Profile Installer</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft Application Virtualization Injector</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Application Compatibility Database Installer</Description>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">popd.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">pushd.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">subst.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=detect aliases" condition="image">doskey.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=detect cls in batch scripts" condition="image">cls.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=UNC\Device Launches - Image begins with \,Risk=10" condition="begin with">\</Image> 
-			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\system32\svchost.exe -k iissvcs</ParentCommandLine>
-			<ParentImage name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=UNC\Device Launches - Parent Image begins with \,Risk=10" condition="begin with">\</ParentImage> 
-			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Acrobat" condition="image">acrobat.exe</ParentImage>
-			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Adobe Reader" condition="image">acrord32.exe</ParentImage>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">java.exe</ParentImage>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">javaw.exe</ParentImage>
-			<!--Detect Output Redirection-->
-			<!-- Disabled for now: Reason: Overrides other detections, waiting on Sysmon multiple rule firing
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">2></CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">&gt;</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">&lt;</CommandLine>
-			-->
-			<!--Detect Multiple Commands-->
-			<Rule  name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
-			</Rule>
-			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Permission Modifications with icacls or cacls" condition="contains">cacls</Image>
-			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Ownership Permission Modifications with takeown" condition="contains">takeown</Image>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
-			<Rule  name="Attack=None,Technique=None,Tactic=None,Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
-				<CommandLine condition="contains">\pipe\</CommandLine>
-				<CommandLine condition="excludes">&gt;</CommandLine> <!--Excludes piping to pipe for cobalt strike detection-->
-			</Rule>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\\tsclient</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">%PROCESSOR_ARCHITECTURE%</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">sysnative</CommandLine>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">AutoIt</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft Filter Loader</Description> 
-			<Image name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=interactive command to slow output" condition="is">more.com</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">:\Windows\Microsoft.NET\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">acrord32.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="image">gpupdate.exe</Image>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
-			<!-- Log other command line events, this sometimes conflicts with rules, add to exclusions as necessary-->
-			<!-- <ParentCommandLine name="Information=Uncategorized Events" condition="contains any">/;\;-;unknown;</ParentCommandLine>-->
-		</ProcessCreate>
-	</RuleGroup>
-	<RuleGroup name="RG=Process Create Exclude Group" groupRelation="or">
-		<ProcessCreate onmatch="exclude">
-			<Rule name="exclude werfault from wmi" groupRelation="and">
-				<Image condition="image">C:\Windows\System32\WerFault.exe</Image>
-				<ParentImage condition="image">C:\Windows\System32\wbem\WmiPrvSE.exe</ParentImage>
-			</Rule>
-		</ProcessCreate>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
-	<RuleGroup name="RG=FileCreateTime Include Group" groupRelation="or">
-		<FileCreateTime onmatch="include">
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="begin with">C:\Users</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="begin with">C:\ProgramData</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\Temp\</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\tmp\</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\drivers\</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\Download</Image>
-		</FileCreateTime>
-	</RuleGroup>
-	<RuleGroup name="RG=FileCreateTime Exclude Group" groupRelation="or">
-		<FileCreateTime onmatch="exclude">
-			<Image condition="image">C:\Windows\system32\backgroundTaskHost.exe</Image>
-			<Image condition="image">TrustedInstaller.exe</Image>
-			<Image condition="image">OneDrive.exe</Image>
-			<Image condition="image">vivaldi.exe</Image>
-			<Image condition="image">chrome.exe</Image>
-			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image>
-			<Image condition="contains">setup</Image>
-			<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image>
-			<Image condition="end with">\AppData\Local\Microsoft\Edge SxS\Application\msedge.exe</Image>
-		</FileCreateTime>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
-	<RuleGroup name="RG=NetworkConnect Include Group" groupRelation="or">
-		<NetworkConnect onmatch="include">
-			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
-			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Census Network Connection,Risk=40" condition="contains">census</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=ResearchScan Network Connection,Risk=70" condition="contains">researchscan</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Scanhub Network Connection,Risk=70" condition="contains">scanhub</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Shadow Network Connection,Risk=50" condition="contains">shadow</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Shodan Network Connection,Risk=50" condition="contains">shodan</DestinationHostname>
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
-
-			<!--MITRE ATT&CK TACTIC: Resource Development-->
-			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
-
-			<!--MITRE ATT&CK TACTIC: Initial Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
-			
-			<!--MITRE ATT&CK TACTIC: Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
-			<Rule name="Attack=T1059,Technique=Visual Basic,Tactic=Execution,Level=4,Alert=WSCRIPT Network connection,Risk=80" groupRelation="and">
-				<Image condition="image">wscript.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
-			<!--MITRE ATT&CK TECHNIQUE: Native API-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<Image name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,Level=4,Alert=AT.EXE Task Scheduler Network Connection,Risk=30" condition="image">at.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,Level=4,Alert=SCHTasks.exe Task Scheduler Network Connection,Risk=30" condition="image">schtasks.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: System Services-->
-			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
-
-			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
-			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
-
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
-			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Temp file location network connection,Risk=30" groupRelation="and">
-				<Image condition="contains">\temp\</Image> <!--Network Connection in Temp Directories-->
-				<DestinationIp condition="excludes any">127.0.0.1</DestinationIp>		
-			</Rule>
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from wwwroot folder: Possible webshell,Risk=100" groupRelation="and">
-				<Image condition="contains">\wwwroot\</Image>
-			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from Windows\repair Folder,Risk=70" condition="begin with">C:\Windows\repair\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from htdocs folder,Risk=70" condition="contains">\htdocs\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from systemprofile Folder,Risk=30" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from Intel logs,Risk=100" condition="begin with">C:\Intel\Logs\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from Windows\Addins Folder,Risk=70" condition="begin with">C:\Windows\addins\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from Windows\security Folder,Risk=100" condition="begin with">C:\Windows\security\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from windows help folder,Risk=70" condition="begin with">C:\Windows\Help\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection in Recycle Bin,Level=4,Alert=Suspicious network connection from Recycle bin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection in Windows Debug folder,Risk=100" condition="begin with">C:\Windows\Debug\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection in Windows Font folder,Risk=100" condition="begin with">C:\Windows\Fonts\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Perflogs unusual network connection,Risk=70" condition="begin with">C:\PerfLogs\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Unusual network connection from Recycle bin,Risk=100" condition="contains">:\$Recycle.bin\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network Connection from Default User folder,Risk=30" condition="contains">:\Users\Default\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network Connection from NetworkService User folder,Risk=30" condition="begin with">C:\Users\NetworkService\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network connection from Public User folder,Risk=30" condition="begin with">C:\Users\Public\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network connection within Media Folder,Risk=30" condition="begin with">C:\Windows\Media\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Windows\IME\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\ProgramData</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
-			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
-			<Rule name="Attack=T1027.004,Tactic=Defense Evasion,Technique=Compile After Delivery,Level=4,Alert=CSC Network Conections" groupRelation="and">
-				<Image condition="image">CSC.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
-			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
-			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
-			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
-			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=0,Desc=infDefaultInstall Network Connection" condition="image">infDefaultInstall.exe</Image>
-			<Image name="Attack=T1218,Technique=Control Panel,Tactic=Defense Evasion,Level=0,Desc=Control Panel network connection" condition="image">SyncAppvPublishingServer.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Installutil-->
-			<Image name="Attack=T1218.004,Technique=InstallUtil,Tactic=Defense Evasion,Level=4,Alert=InstallUtil network connection" condition="image">InstallUtil.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Msiexec-->
-			<Image name="Attack=T1218.007,Technique=MSIExec,Tactic=Defense Evasion,Level=4,Alert=MSIExec Network connection,Risk=70" condition="image">msiexec.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvcs/regasm-->
-			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=4,Alert=RegAsm shellcode C2 connection" groupRelation="and">
-				<Image condition="contains any">regasm.exe;regsvcs.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Mavinject-->
-			<Image name="Attack=T1218.013,Technique=Signed Binary Proxy Execution: Mavinject,Tactic=Execution,Level=4,Alert=Mavinject detected,Risk=80" condition="image">Mavinject.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
-			<Rule name="Attack=T1127,Tactic=Defense Evasion,Technique=Signed Binary Proxy Execution,Level=4,Alert=MSBuild Network Conections" groupRelation="and">
-				<Image condition="image">msbuild.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
-			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
-
-			<!--MITRE ATT&CK TACTIC: Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
-			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
-			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
-			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
-
-			<!--MITRE ATT&CK TACTIC: Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
-			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
-			<Image name="Attack=T1482,Technique=Domain Trust Discovery,Tactic=Discovery,Level=0,Desc=DSQuery network connection" condition="image">dsquery.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
-			<Image name="Attack=T1518,Technique=Software Discovery,Tactic=Discovery,Level=0,Desc=DriverQuery Network Connection" condition="image">driverquery.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
-			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=4,Alert=NBTSTAT Query,Risk=30" condition="contains">nbtstat</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
-			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net.exe</Image>
-			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net1.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
-			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=QWinsta User enumeration,Risk=30" condition="image">qwinsta.exe</Image>
-			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=3,Alert=RWinsta Forced User Logoff,Risk=30" condition="image">rwinsta.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-
-			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
-			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Suspicious RDP Connection 3389,Risk=70" groupRelation="and">
-				<Initiated>true</Initiated>
-				<DestinationPort condition="is">3389</DestinationPort>
-				<Image condition="excludes">AutomationManager.ScriptRunner64.exe</Image>
-				<Image condition="excludes">C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe</Image>
-				<Image condition="excludes">C:\Program Files\VMware\VMware Remote Console\vmrc.exe</Image>
-				<Image condition="excludes">C:\Program Files\WindowsApps\Microsoft.RemoteDesktop_</Image>
-				<Image condition="excludes">CtxLicUsageRecorder.exe</Image>
-				<Image condition="excludes">FSAssessment.exe</Image>
-				<Image condition="excludes">FSDiscovery.exe</Image>
-				<Image condition="excludes">MobaRTE.exe</Image>
-				<Image condition="excludes">RDCMan.exe</Image>
-				<Image condition="excludes">RSSensor.exe</Image>
-				<Image condition="excludes">RTS2App.exe</Image>
-				<Image condition="excludes">RTSApp.exe</Image>
-				<Image condition="excludes">RemoteDesktopManager64.exe</Image>
-				<Image condition="excludes">RemoteDesktopManager.exe</Image>
-				<Image condition="excludes">RemoteDesktopManagerFree.exe</Image>
-				<Image condition="excludes">Terminals.exe</Image>
-				<Image condition="excludes">chrome.exe</Image>
-				<Image condition="excludes">mRemote.exe</Image>
-				<Image condition="excludes">mRemoteNG.exe</Image>
-				<Image condition="excludes">mstsc.exe</Image>
-				<Image condition="excludes">spiceworks-finder.exe</Image>
-				<Image condition="excludes">svchost.exe</Image>
-				<Image condition="excludes">thor64.exe</Image>
-				<Image condition="excludes">thor.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Suspicious RDP Connection 3391,Risk=70" groupRelation="and">
-				<Initiated>true</Initiated>
-				<DestinationPort condition="is">3391</DestinationPort>
-				<Image condition="excludes">AutomationManager.ScriptRunner64.exe</Image>
-				<Image condition="excludes">C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe</Image>
-				<Image condition="excludes">C:\Program Files\VMware\VMware Remote Console\vmrc.exe</Image>
-				<Image condition="excludes">C:\Program Files\WindowsApps\Microsoft.RemoteDesktop_</Image>
-				<Image condition="excludes">CtxLicUsageRecorder.exe</Image>
-				<Image condition="excludes">FSAssessment.exe</Image>
-				<Image condition="excludes">FSDiscovery.exe</Image>
-				<Image condition="excludes">MobaRTE.exe</Image>
-				<Image condition="excludes">RDCMan.exe</Image>
-				<Image condition="excludes">RSSensor.exe</Image>
-				<Image condition="excludes">RTS2App.exe</Image>
-				<Image condition="excludes">RTSApp.exe</Image>
-				<Image condition="excludes">RemoteDesktopManager64.exe</Image>
-				<Image condition="excludes">RemoteDesktopManager.exe</Image>
-				<Image condition="excludes">RemoteDesktopManagerFree.exe</Image>
-				<Image condition="excludes">Terminals.exe</Image>
-				<Image condition="excludes">chrome.exe</Image>
-				<Image condition="excludes">mRemote.exe</Image>
-				<Image condition="excludes">mRemoteNG.exe</Image>
-				<Image condition="excludes">mstsc.exe</Image>
-				<Image condition="excludes">spiceworks-finder.exe</Image>
-				<Image condition="excludes">svchost.exe</Image>
-				<Image condition="excludes">thor64.exe</Image>
-				<Image condition="excludes">thor.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Localhost RDP Tunneling Detection,Risk=70" groupRelation="and">
-				<Initiated>true</Initiated>
-				<DestinationPort condition="is">3389</DestinationPort>
-				<DestinationIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</DestinationIp>
-			</Rule>
-			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Link-Local RDP Tunnel Detection,Risk=70" groupRelation="and">
-				<Initiated>true</Initiated>
-				<DestinationPort condition="is">3389</DestinationPort>
-				<DestinationIp condition="begin with">fe80:0</DestinationIp>
-			</Rule>
-			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=SSH Connection with Putty,Risk=80" groupRelation="and">
-				<Image condition="contains any">putty.exe;kitty.exe;kitty_portable.exe</Image><!-- SSH -->
-			</Rule>
-			<Rule name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Windows Remote Management connection,Risk=0" groupRelation="and">
-				<Image condition="image">wsmprovhost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=PSFTP Connection,Risk=70" groupRelation="and">
-				<Image condition="image">psftp.exe</Image><!-- SFTP -->
-			</Rule>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote Registry via command line,Risk=30" condition="image">reg.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote Registry via command line,Risk=80" condition="contains">psshutdown</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote password change with PSPasswd,Risk=80" condition="contains">PsPasswd</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote querying of services,Risk=80" condition="contains">psservice</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=SSH Connection with ssh.exe,Risk=30" condition="image">ssh.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Sysinternals PSEXE Tools,Risk=100" condition="contains">psexe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=TSFTP Connection,Risk=70" condition="image">tftp.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Telnet Connection,Risk=30" condition="image">telnet.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=MSTSC Remote Desktop Connection" condition="image">mstsc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Remote WMIC commands,Risk=30" condition="image">wmic.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=SC.exe Network Connection" condition="image">sc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Sysinternals PSKILL Tools,Risk=80" condition="contains">pskill</Image>
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=0,Desc=DSQuery network connection" condition="image">dsquery.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=3,Alert=Automated SSH Connection with Putty PLink,Risk=30" condition="image">plink.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=VNC" condition="image">vnc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=VNC Viewer" condition="image">vncviewer.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=VNC Service" condition="image">vncservice.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement" condition="image">omniinet.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement" condition="image">hpsmhd.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-
-			<!--MITRE ATT&CK TACTIC: Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
-			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
-			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
-
-			<!--MITRE ATT&CK TACTIC: Command and Control-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<DestinationPort condition="is">50050</DestinationPort>
-				<Initiated>true</Initiated>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<DestinationPort condition="is">25</DestinationPort>
-				<Image condition="excludes any">\Bin\EdgeTransport.exe;Bin\MSExchangeFrontendTransport.exe</Image>
-				<Initiated>true</Initiated>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
-			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
-			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Rule name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Powershell Network Connection,Risk=30" groupRelation="and">
-				<Image condition="image">powershell.exe</Image>
-				<DestinationIp condition="excludes any">0:0:0:0:0:0:0:;127.0.0.1</DestinationIp>
-			</Rule>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=3,Alert=MSHTA Network Connection,Risk=100" condition="image">mshta.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=CMD Prompt network Connection,Risk=20" condition="image">cmd.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Certutil Connecting to network,Risk=20" condition="image">certutil.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Bitsadmin Connecting to network,Risk=20" condition="image">certutil.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Notepad Network Connection" condition="image">notepad.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=RegSVCS Network Connection,Risk=30" condition="image">regsvcs.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=RegSVR32 Network Connection,Risk=30" condition="image">regsvr32.exe</Image> 
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=RunDLL32 Network Connection,Risk=30" condition="image">rundll32.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
-			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy: Multi-hop Proxy-->
-			<Image name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=3,Alert=Tor Connection" condition="image">tor.exe</Image>
-			<DestinationHostname name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=3,Alert=Tor2Web,Risk=100" condition="contains any">hiddenservice.net;onion.city;onion.direct;onion.direct;onion.link;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org;onion.to</DestinationHostname>
-			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
-
-			<!--MITRE ATT&CK TACTIC: Exfiltration-->
-			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
-			<!-- DNS Over HTTPS-->
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=DNS Over HTTPS" condition="contains any">dns.google;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;doh.opendns.com;.quad9.net;dns.cleanbrowsing.org;dns-family.adguard.com;dns.adguard.com;.233py.com;dnscrypt;dnscrypt-cert.oszx.co;dns.oszx.co;doh.dns.sb;doh.defaultroutes.de;doh.tiarap.org;doh.tiar.app;doh.captnemo.in;.aaflalo.me;doh.appliedprivacy.net;doh.dnswarden.com;commons.host;dns.twnic.tw;ibuki.cgnat.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;.seby.io;rdns.faelix.net;doh.li;.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk;adblock.mydns.network;ibksturm.synology.me;jcdns.fun</DestinationHostname>
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=privatlab.com Cloud Exfiltration" condition="contains all">privatlab.com</DestinationHostname>
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=3,Alert=Mega.co.nz Cloud Exfiltration" condition="contains any">mega.nz;mega.co.nz</DestinationHostname>
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=3,Alert=PCloud Cloud storage Exfiltration" condition="contains any">.pcloud.com</DestinationHostname>
-			<!--MITRE ATT&CK TACTIC: Impact-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
-			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
-			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
-			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
-			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
-			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
-			<!--UEBA Rules-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
-				<DestinationPort condition="is not">3389</DestinationPort>
-				<DestinationPort condition="is not">22</DestinationPort>
-				<DestinationPort condition="is not">21</DestinationPort>
-				<DestinationPort condition="is not">5985</DestinationPort>
-				<Initiated>false</Initiated>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
-				<Initiated>true</Initiated>
-				<SourcePort condition="is not">135</SourcePort>
-				<SourcePort condition="is not">445</SourcePort>
-				<DestinationPort condition="is not">5985</DestinationPort>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="is not">System</Image>
-				<Image condition="excludes">svchost.exe</Image>
-				<DestinationPort condition="is">445</DestinationPort>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="is not">System</Image>
-				<Image condition="excludes any">svchost.exe;lsass.exe</Image>
-				<DestinationPort condition="is">389</DestinationPort>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">C:\Windows\System32\lsass.exe</Image>
-				<DestinationPort condition="is">389</DestinationPort>
-				<DestinationIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</DestinationIp>
-				<SourceHostname condition="excludes any">EXCH</SourceHostname>
-				<SourceIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</SourceIp>
-				<Initiated>false</Initiated>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Notepad connecting to the internet" groupRelation="and">
-				<Image condition="image">notepad.exe</Image>
-				<DestinationIp condition="excludes">127.0.0.1</DestinationIp>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
-				<DestinationPort condition="is not">80</DestinationPort>
-				<DestinationPort condition="is not">443</DestinationPort>
-				<Initiated>true</Initiated>
-			</Rule>
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">github</DestinationHostname> 
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">githubusercontent.com</DestinationHostname>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
-				<DestinationPort condition="is">80</DestinationPort>
-				<Initiated>true</Initiated>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
-				<DestinationPort condition="is">443</DestinationPort>
-				<Initiated>true</Initiated>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">apache.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">java.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">\php-cgi.exe;\php.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains">setup</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains">tomcat</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains">unins</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains">unknown process</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains">explorer.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">inetinfo.exe</Image>
-			</Rule>
-			<!--3rd Party tools-->
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">netcat.exe;nc.exe;nc64.exe;ncat.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">procdump</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">psexe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">vnc;vncs;vncv</Image>
-			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
-				<Image condition="contains any">rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe;advanced_port_scanner.exe;rcpping.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe</Image>
-			</Rule>
-			<!--Destination Ports to Monitor-->
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">0</DestinationPort>
-			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5985</DestinationPort>
-			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5986</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1293</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1701</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1194</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">3540</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">3389</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">22</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1080</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">3128</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">8080</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">1723</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">23</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">4500</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">9001</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">9030</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">5900</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">5800</DestinationPort>
-			<!--Source Ports to Monitor-->
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">0</SourcePort>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
-				<DestinationPort condition="is">443</DestinationPort>
-				<Initiated>true</Initiated>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
-				<DestinationPort condition="is">80</DestinationPort>
-				<Initiated>true</Initiated>
-			</Rule>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">80</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">443</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">636</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">5900</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">443</SourcePort>
-			<!--Suspicious network connections-->
-			<DestinationHostname name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=4,Alert=Dynamic DNS Connection" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</DestinationHostname>
-		</NetworkConnect>
-	</RuleGroup>
-	<RuleGroup name="RG=NetworkConnect Exclude Group" groupRelation="or">
-		<NetworkConnect onmatch="exclude">
-			<Protocol condition="contains">udp</Protocol>
-			<!--Exclude Inter-process coms over localhost, may be dangerous at expense for noise reduction -->
-			<Rule name="exclude interprocess communications with localhost" groupRelation="and">
-				<Image condition="contains any">System;svchost.exe;oracle.exe;apache.exe;java.exe;php-cgi.exe;w3wp.exe;httpd;ServerManager.exe;unknown process;sql;wscript;cscript;schtasks;at.exe;reg.exe;C:\Windows\System32\find.exe</Image>
-				<SourceIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</SourceIp>
-				<DestinationIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</DestinationIp>
-			</Rule>
-			<!--SECTION: Custom -->
-			<Rule name="exclude dest ldap port 88" groupRelation="and">
-				<Image condition="image">C:\Windows\System32\lsass.exe</Image>
-				<DestinationPort condition="is">88</DestinationPort>
-			</Rule>
-			<!--Disable Monitoring of Protocols-->
-			<DestinationPortName condition="is">epmap</DestinationPortName>
-			<DestinationPortName condition="is">llmnr</DestinationPortName>
-			<DestinationPortName condition="is">microsoft-ds</DestinationPortName>
-			<DestinationPortName condition="is">netbios-dgm</DestinationPortName>
-			<DestinationPortName condition="is">ntp</DestinationPortName>
-			<DestinationPortName condition="is">ssdp</DestinationPortName>
-			<SourcePortName condition="is">epmap</SourcePortName>
-			<SourcePortName condition="is">llmnr</SourcePortName>
-			<SourcePortName condition="is">microsoft-ds</SourcePortName>
-			<SourcePortName condition="is">netbios-dgm</SourcePortName>
-			<SourcePortName condition="is">ntp</SourcePortName>
-			<SourcePortName condition="is">ssdp</SourcePortName>
-			<!--Disable Monitoring on Ports-->
-			<DestinationPort condition="is">53</DestinationPort>   <!--DNS Lookups-->
-			<DestinationPort condition="is">67</DestinationPort>  <!--Bootp Lookups-->
-			<DestinationPort condition="is">68</DestinationPort>  <!--Bootp Lookups-->
-			<DestinationPort condition="is">1434</DestinationPort>  <!--SQL spam.-->
-			<DestinationPort condition="is">1812</DestinationPort> <!--Radius-->
-			<DestinationPort condition="is">3544</DestinationPort> <!--Teredo-->
-			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
-			<DestinationPort condition="is">5228</DestinationPort> <!--Google Chrome Safe Search checks-->
-			<DestinationPort condition="is">5353</DestinationPort> <!--Bonjour/Avahi Discovery-->
-			<DestinationPort condition="is">5357</DestinationPort> <!--WSD API noise-->
-			<DestinationPort condition="is">5989</DestinationPort>  <!--Vcenter Secure server for CIM.-->
-			<DestinationPort condition="is">6007</DestinationPort>  <!--Exchange WMI Spam-->
-			<DestinationPort condition="is">49154</DestinationPort>  <!--DFRS/ADFS Replication spam-->
-			<DestinationPort condition="is">49209</DestinationPort>  <!--DFRS/ADFS Replication spam-->
-			<DestinationPort condition="is">52176</DestinationPort>  <!--DFRS/ADFS Replication spam-->
-			<DestinationPort condition="is">59241</DestinationPort>  <!--DFRS/ADFS Replication spam-->
-			<SourcePort condition="is">53</SourcePort>  <!--DNS Lookups-->
-			<SourcePort condition="is">67</SourcePort>  <!--Bootp Lookups-->
-			<SourcePort condition="is">68</SourcePort>  <!--Bootp Lookups-->
-			<SourcePort condition="is">1812</SourcePort> <!--Radius-->
-			<SourcePort condition="is">3702</SourcePort> <!--Windows: WS-Discovery noise-->
-			<SourcePort condition="is">6007</SourcePort>  <!--Exchange WMI Spam-->
-			<SourcePort condition="is">49154</SourcePort>  <!--DFRS/ADFS Replication spam-->
-			<SourcePort condition="is">49209</SourcePort>  <!--DFRS/ADFS Replication spam-->
-			<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
-			<SourcePort condition="is">52176</SourcePort>  <!--DFRS/ADFS Replication spam-->
-			<SourcePort condition="is">59241</SourcePort>  <!--DFRS/ADFS Replication spam-->
-			<!--SECTION: Microsoft -->
-			<DestinationHostname condition="end with">.bing.com</DestinationHostname>
-			<DestinationHostname condition="end with">.cloudapp.net</DestinationHostname>
-			<DestinationHostname condition="end with">.lync.com</DestinationHostname>
-			<DestinationHostname condition="end with">.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">.outlook.com</DestinationHostname>
-			<DestinationHostname condition="end with">.search.msn.com</DestinationHostname>
-			<DestinationHostname condition="end with">.wns.windows.com</DestinationHostname>
-			<DestinationHostname condition="end with">aps.windows.com</DestinationHostname>
-			<DestinationHostname condition="end with">arc.msn.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">arc.msn.com</DestinationHostname>
-			<DestinationHostname condition="end with">atson.telemetry.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">au.download.windowsupdate.com</DestinationHostname>
-			<DestinationHostname condition="end with">b.akamaiedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">bingforbusiness.com</DestinationHostname>
-			<DestinationHostname condition="end with">client-office365-tas.msedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">config.edge.skype.com</DestinationHostname>
-			<DestinationHostname condition="end with">csp.digicert.com</DestinationHostname>
-			<DestinationHostname condition="end with">ctldl.windowsupdate.com</DestinationHostname>
-			<DestinationHostname condition="end with">cy2.licensing.md.mp.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">cy2.settings.data.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">displaycatalog.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">download.windowsupdate.com</DestinationHostname>
-			<DestinationHostname condition="end with">e-msedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">e3.delivery.dsp.mp.microsoft.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">emdl.ws.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">ettings-win.data.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">fe2.update.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">fe3.delivery.dsp.mp.microsoft.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">fe3.delivery.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">g.akamaiedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">g.live.com</DestinationHostname>
-			<DestinationHostname condition="end with">g.msn.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">geo-prod.do.dsp.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">geo-prod.dodsp.mp.microsoft.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">ile-service.weather.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">ip5.afdorigin-prod-am02.afdogw.com</DestinationHostname>
-			<DestinationHostname condition="end with">ipv4.login.msa.akadns6.net</DestinationHostname>
-			<DestinationHostname condition="end with">licensing.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">m3p.wns.notify.windows.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">modern.watson.data.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">msedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">msn.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">msn.com</DestinationHostname>
-			<DestinationHostname condition="end with">ocation-inference-westus.cloudapp.net</DestinationHostname>
-			<DestinationHostname condition="end with">ocos-office365-s2s.msedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">ocsp.digicert.com</DestinationHostname>
-			<DestinationHostname condition="end with">odern.watson.data.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">oneclient.sfx.ms</DestinationHostname>
-			<DestinationHostname condition="end with">pv4.login.msa.akadns6.net</DestinationHostname>
-			<DestinationHostname condition="end with">query.prod.cms.rt.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">ris.api.iris.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">ris.api.iris.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">s-msedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">settings.data.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">sfe.trafficshaping.dsp.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">sls.update.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">storecatalogrevocation.storequality.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">storeedgefd.dsx.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">telecommand.telemetry.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">tile-service.weather.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">tlu.dl.delivery.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">tsfe.trafficshaping.dsp.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">vip5.afdorigin-prod-am02.afdogw.com</DestinationHostname>
-			<DestinationHostname condition="end with">vip5.afdorigin-prod-ch02.afdogw.com</DestinationHostname>
-			<DestinationHostname condition="end with">virtualearth.net</DestinationHostname>
-			<DestinationHostname condition="end with">windows.net</DestinationHostname>
-			<DestinationHostname condition="end with">windowsupdate.com</DestinationHostname>
-			<DestinationHostname condition="end with">y2.displaycatalog.md.mp.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">y2.licensing.md.mp.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">y2.settings.data.microsoft.com.akadns.net</DestinationHostname>
-			<Image condition="image">EdgeTransport.exe</Image>
-			<Image condition="image">MSExchangeDelivery.exe</Image>
-			<Image condition="image">MSExchangeFrontendTransport.exe</Image>
-			<Image condition="image">MSExchangeHMWorker.exe</Image>
-			<Image condition="image">MSExchangeSubmission.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">\</Image>
-		</NetworkConnect>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->
-
-		<!--DATA: UtcTime, State, Version, SchemaVersion-->
-		<!--Cannot be filtered.-->
-
-	<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
-		<!--COMMENT:	Useful data in building infection timelines.-->
-		<RuleGroup name="RG=ProcessTerminate Include Group" groupRelation="or">
-		<ProcessTerminate onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="begin with">C:\Windows\</Image>
-				<Image condition="excludes">\System32\;Syswow64;sysmon.exe;sysmon64.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="begin with">C:\Windows\system32\</Image>
-				<Image condition="excludes">config\systemprofile\</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">A:\;B:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;L:\;M:\;N:\;O:\;P:\;Q:\;R:\;S:\;T:\;U:\;V:\;W:\;X:\;Y:\;Z:\;AA:\;BB:\;CC:\;DD:\;EE:\;FF:\;GG:\;HH:\;II:\;JJ:\;KK:\;LL:\;MM:\;NN:\;OO:\;PP:\;QQ:\;RR:\;SS:\;TT:\;UU:\;VV:\;WW:\;XX:\;YY;ZZ:\</Image>
-				<Image condition="excludes">:\PROGRA~</Image>
-				<Image condition="excludes">:\Program Files</Image>
-				<Image condition="excludes">:\Program Files</Image>
-				<Image condition="excludes">:\Program Files</Image>
-				<Image condition="excludes">:\ProgramData\</Image>
-				<Image condition="excludes">:\Users\</Image>
-				<Image condition="excludes">:\Windows\</Image>
-				<Image condition="excludes">:\inetpub\</Image>
-				<Image condition="excludes">:\$SysReset</Image>
-				<Image condition="excludes">:\$WinREAgent</Image>
-				<Image condition="excludes">:\inetpub\</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="begin with">\</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="begin with">C:\Users\</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="begin with">C:\ProgramData\</Image>
-				<Image condition="excludes any">C:\ProgramData\sysmon\sysmon64.exe;C:\ProgramData\sysmon\sysmon.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">C:\Program Files;C:\PROGRA~</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="begin with">C:\inetpub\</Image>
-			</Rule>
-		<!-- Useful data in building infection timelines.-->
-			<Image name="Attack=T1036,Tactic=Masquerading,Technique=Defense Evasion,Level=4,Alert=Process Termination in Recyclebin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
-			<Image name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=0,Desc=Process Terminate: Killing of Log Shippers" condition="contains any">packetbeat.exe;metricbeat.exe;filebeat.exe;winlogbeat.exe;o365beat.exe;graylog-sidecar.exe;graylog-collector-sidecar.exe;splunkd.exe;splunk.exe;syslogng.exe;syslog-ng.exe;nxlog-processor.exe;snarecore.exe;fluentd;td-agent</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\sysWOW64\config\systemprofile\</Image>
-			<Image condition="contains">\Temp\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">C:\Users\</Image>
-		</ProcessTerminate>
-	</RuleGroup>
-	<RuleGroup name="RG=ProcessTerminate Exclude Group" groupRelation="or">
-			<ProcessTerminate onmatch="exclude">
-			<Image condition="end with">Microsoft\Teams\current\Teams.exe</Image>
-			<Image condition="end with">\git.exe</Image>
-			<Image condition="end with">Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Image>
-			<Image condition="begin with">C:\ProgramData\Lenovo\ImController\</Image>
-		</ProcessTerminate>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
-	<RuleGroup name="RG=DriverLoad Include Group" groupRelation="or">
-		<DriverLoad onmatch="include">
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst driver hashes,Risk=100" groupRelation="and">
-				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Vulnerable Dell Drivers Detected,Risk=100" groupRelation="and">
-				<Hashes condition="contains any">0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5;c948ae14761095e4d76b55d9de86412258be7afd;c996d7971c49252c582171d9380360f2;ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1;10b30bdee43b3a2ec4aa63375577ade650269d25;d2fd132ab7bbc6bbb87a84f026fa0244</Hashes><!-- exclude non executable files -->
-			</Rule>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=DumpExt.dll driver loaded,Risk=100" condition="contains">DumpExt.dll</ImageLoaded>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=Mimikatz driver loaded,Risk=100" condition="contains">mimidrv</ImageLoaded>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=PWDump6 driver loaded,Risk=100" condition="contains">lsremora</ImageLoaded>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=wceaux.dll driver loaded,Risk=100" condition="contains">wceaux.dll</ImageLoaded>
-			<ImageLoaded name="Attack=T1040,Tactic=Discovery,Technique=Network Sniffing,Level=4,Alert=NPCap packet capture driver loaded,Risk=100" condition="contains">npcap</ImageLoaded>
-			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Temp</ImageLoaded>
-			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">:\Users</ImageLoaded>
-			<Signature name="Attack=T1019,Technique=System Firmware,Tactic=Persistence,Level=4,Alert=UEFI Rootkit detection,Risk=100" condition="contains">ChongKim Chan</Signature>
-			<SignatureStatus condition="contains">?</SignatureStatus>
-			<SignatureStatus condition="contains">Revoked</SignatureStatus>
-			<SignatureStatus condition="contains">Unavailable</SignatureStatus>
-			<SignatureStatus condition="contains">Valid</SignatureStatus>
-			<Signed name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">false</Signed>
-		</DriverLoad>
-	</RuleGroup>
-	<RuleGroup name="RG=DriverLoad Exclude Group" groupRelation="or">
-		<DriverLoad onmatch="exclude">
-		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
-				about what you exclude from monitoring. Low event volume, little incentive to exclude.-->
-		</DriverLoad>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
-		<!--COMMENT:	Can cause high system load, disabled by default.-->
-		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
-	<RuleGroup name="RG=Image Load Includes" groupRelation="or">
-		<ImageLoad onmatch="include">
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=MSDT Loading diagnostic library: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<Image condition="is">msdt.exe</Image>
-				<ImageLoaded condition="contains">sdiageng.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wshom.ocx</ImageLoaded>
-				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="image">ntkrnlmp.exe</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,CVE=CVE-2021-1675,Level=0,Desc=Printer Expoit,Risk=100" groupRelation="and">
-				<ImageLoaded condition="contains any">\spool\drivers\x64\3\;\spool\drivers\W32X86\3\;\spool\drivers\IA64\3\</ImageLoaded>
-				<Image condition="contains any">spoolsv.exe;printisolationhost.exe</Image>
-				<SignatureStatus condition="excludes">Valid</SignatureStatus>
-				<Company condition="excludes any">Brother Industries;Canon;Sharp;Microsoft Corporation;DYMO;Euro Plus d.o.o;HP Inc;Hewlett-Packard</Company>
-			</Rule>
-			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=0,Desc=DLL Image Load by System in Suspicious Locations" groupRelation="and">
-				<Image condition="begin with">C:\Windows\</Image>
-				<ImageLoaded condition="contains any">\Users\Public\;\Desktop\;\Downloads\;\AppData\Local\Temp\;\PerfLogs\;$Recycle;\Fonts\</ImageLoaded>
-				<ImageLoaded condition="excludes any">\Program Files</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">EQNEDT32.EXE</Image>
-				<ImageLoaded condition="contains">EQNEDT32.EXE</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=Windows Active Directory Services DLL Loading in Susicious Directories,Risk=100" groupRelation="and">
-				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
-				<Image condition="contains any">C:\Users;\Temp\;\ProgramData\</Image>
-			</Rule>
-			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=Windows Active Directory Services DLL Loading by Suspicious Process,Risk=100" groupRelation="and">
-				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
-				<Image condition="contains any">wscript.exe;cscript.exe;powershell.exe;rundll32.exe;msbuild.exe;msiexec.exe;csc.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wshom.ocx</ImageLoaded>
-				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll;fastprox.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">wscript.exe;cscript.exe</Image>
-				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">wmiprvse.exe</Image>
-				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">powershell.exe</Image>
-				<ImageLoaded condition="is">msi.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains">powershell</Image>
-				<ImageLoaded condition="is">amsi.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="excludes">powershell</Image>
-				<ImageLoaded condition="is">amsi.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="is">clr.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="contains all">clr.dll;System.Management.ni.dll;Microsoft.Build.Utilities</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">wscript.exe;cscript.exe</Image>
-				<ImageLoaded condition="contains all">msxml;wshom.ocx</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">wscript.exe;cscript.exe</Image>
-				<ImageLoaded condition="contains all">winhttp.dll;mswsock.dll;IPHLPAPI.DLL</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">installutil.exe</Image>
-				<ImageLoaded condition="contains all">CustomMarshalers.dll;CustomMarshalers.ni.dll;System.Management.ni.dll;WMINet_Utils.dll;mswsock.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="end with">System.Management.Automation.ni.dll</ImageLoaded>
-				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="end with">System.Management.Automation.dll</ImageLoaded>
-				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
-				<ImageLoaded condition="excludes any">Lenovo.Vantage.AddinHost;\Microsoft.Sara.exe;C:\Program Files\CONEXANT</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded>
-				<Image condition="excludes any">\svchost.exe;\GameBar.exe;C:\Program Files\WindowsApps;\Microsoft\Teams\current\Teams.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="begin with">\\</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="contains">\Microsoft\Word\Startup\</ImageLoaded>
-				<ImageLoaded condition="end with">.wll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="contains">\Microsoft\Excel\Startup\</ImageLoaded>
-				<ImageLoaded condition="end with">.xll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="contains">\Microsoft\Addins\</ImageLoaded>
-				<ImageLoaded condition="contains any">.xla</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Defense Evasion,Level=4,Alert=Ransomware detected tor library,Risk=100" groupRelation="and">
-				<ImageLoaded condition="contains">tor-lib.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Cred Dumping,Risk=90" groupRelation="and">
-				<ImageLoaded condition="is any">C:\Windows\System32\WinSCard.dll;C:\Windows\System32\cryptdll.dll;C:\Windows\System32\hid.dll;C:\Windows\System32\samlib.dll;C:\Windows\System32\vaultcli.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Mimikatz Cred Dumping,Risk=100" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<ImageLoaded condition="contains all">vaultcli.dll;wlanapi.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">combase.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">cryptdll.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">imm32.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">logoncli.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">netapi32.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">ntasn1.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">ntdsapi.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">samlib.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">shcore.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">srvcli.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="contains all">odbc32.dll;winhttp.dll;netapi32.dll;SHLWAPI.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">C:\Windows\Explorer.EXE</Image>
-				<ImageLoaded condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="begin with">C:\ProgramData\</Image>
-				<ImageLoaded condition="begin with">C:\ProgramData\</ImageLoaded>
-				<ImageLoaded condition="end with">.exe</ImageLoaded>
-				<Company condition="excludes">Adobe</Company>
-				<Image condition="excludes">C:\ProgramData\Lenovo\</Image>
-				<ImageLoaded condition="excludes">C:\ProgramData\Microsoft\Windows Defender\</ImageLoaded>
-				<ImageLoaded condition="excludes">C:\ProgramData\sysmon\sysmon64.exe</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<ImageLoaded condition="contains any">C:\Users\Default\;C:\Users\Public\</ImageLoaded>
-				<ImageLoaded condition="end with">.exe</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst image hashes,Risk=100" groupRelation="and">
-				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
-				<Signed condition="is">false</Signed>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<SignatureStatus condition="is">Revoked</SignatureStatus>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<SignatureStatus condition="is">Expired</SignatureStatus>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=HTA Exec with IE JS Engine AMSI Bypass" groupRelation="and">
-				<ImageLoaded condition="end with">jscript9.dll</ImageLoaded>
-				<Image condition="image">mshta.exe</Image>
-			</Rule>
-			<ImageLoaded condition="end with">scrobj.dll</ImageLoaded>
-			<ImageLoaded condition="end with">crypt0.dll</ImageLoaded>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Wireless Credential Dumping" groupRelation="and">
-				<ImageLoaded condition="end with">C:\Windows\System32\wlanapi.dll</ImageLoaded>
-				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe</Image>
-				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe</Image>
-				<Image condition="excludes">C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience</Image>
-				<Image condition="excludes">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
-				<Image condition="excludes">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\AppHostRegistrationVerifier.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\CompatTelRunner.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\DeviceCensus.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\DriverStore\FileRepository\</Image>
-				<Image condition="excludes">C:\Windows\System32\LogonUI.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\MoNotificationUx.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\SystemSettingsBroker.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\dxgiadaptercache.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\netsh.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\wlanext.exe</Image>
-				<Image condition="excludes">C:\Windows\UUS\amd64\MoUsoCoreWorker.exe</Image>
-				<Image condition="excludes">C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_</Image>
-				<Image condition="excludes">C:\Windows\explorer.exe</Image>
-			</Rule>
-			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
-		</ImageLoad>
-	</RuleGroup>
-	<RuleGroup name="RG=Image Load Excludes" groupRelation="or">
-		<ImageLoad onmatch="exclude">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains">\Microsoft Office\</Image>
-				<ImageLoaded condition="end with">\mscorlib.ni.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains">\Microsoft Office\</Image>
-				<ImageLoaded condition="end with">\sppc.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
-				<Signed condition="is">true</Signed>
-			</Rule>
-			<!--Universal Exclusions: Be Careful-->
-			<Company condition="contains">Fortinet</Company>
-			<Company condition="contains">Lenovo</Company>
-			<Company condition="contains">Sophos</Company>
-			<Image condition="end with">mscorsvw.exe</Image>
-			<Image condition="image">C:\Program Files (x86)\Microsoft Office\root\Office15\officebackgroundtaskhandler.exe</Image>
-			<Image condition="image">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
-			<Image condition="image">C:\Program Files\Microsoft Office\root\Office15\officebackgroundtaskhandler.exe</Image>
-			<Image condition="image">C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
-			<Image condition="image">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
-			<Image condition="image">C:\Windows\System32\InstallAgentUserBroker.exe</Image>
-			<Image condition="image">C:\Windows\System32\RuntimeBroker.exe</Image>
-			<Image condition="image">C:\Windows\System32\SearchIndexer.exe</Image>
-			<Image condition="image">C:\Windows\System32\SettingSyncHost.exe</Image>
-			<Image condition="image">C:\Windows\System32\backgroundTaskHost.exe</Image>
-			<Image condition="image">C:\Windows\System32\sppsvc.exe</Image>
-			<Image condition="image">C:\Windows\System32\taskhost.exe</Image>
-			<Image condition="image">C:\Windows\System32\taskhostw.exe</Image>
-			<Image condition="image">C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe</Image>
-			<Image condition="image">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
-			<Image condition="image">HxTsr.exe</Image>
-			<Image condition="image">SearchUI.exe</Image>
-			<ImageLoaded condition="contains">C:\Program Files (x86)\Common Files\BIExcelFunctions1.1\32bit\Sage.</ImageLoaded>
-			<ImageLoaded condition="contains">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Pfx.</ImageLoaded>
-			<ImageLoaded condition="is">C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Adist64.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Program Files (x86)\Microsoft Office\Office15\Library\Analysis\ANALYS32.XLL</ImageLoaded>
-			<ImageLoaded condition="is">C:\Program Files (x86)\Microsoft Office\Office16\Library\Analysis\ANALYS32.XLL</ImageLoaded>
-			<ImageLoaded condition="is">C:\Program Files\Microsoft Office\Office15\Library\Analysis\ANALYS32.XLL</ImageLoaded>
-			<ImageLoaded condition="is">C:\Program Files\Microsoft Office\Office16\Library\Analysis\ANALYS32.XLL</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\SysWOW64\sppc.dll</ImageLoaded>
-			<ImageLoaded condition="is">Microsoft.Office.Interop.VisOcx.dll</ImageLoaded>
-			<ImageLoaded condition="is">Microsoft.Office.Interop.Word.dll</ImageLoaded>
-			<ImageLoaded condition="is">Microsoft.Vbe.Interop.dll</ImageLoaded>
-			<ImageLoaded condition="is">OFFICE.DLL</ImageLoaded>
-		</ImageLoad>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
-	<RuleGroup name="RG=CreateRemoteThread Include Group" groupRelation="or">
-		<CreateRemoteThread onmatch="include">
-			<!--Custom Rules-->
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from lsass,Risk=100" groupRelation="and">
-				<StartAddress condition="is">0x001A0000</StartAddress>
-				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privledge Escalation,Level=4,Alert=CreateRemoteThread with msiexec,Risk=100" groupRelation="and">
-				<SourceImage condition="contains any">msiexec.exe</SourceImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=Remote Thread Injection Targetting Web Browser,Risk=70" groupRelation="and">
-				<TargetImage condition="contains any">chrome.exe;firefox.exe;edge.exe;browser_broker.exe;iexplore.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=0,Desc=LSASS Credential dumping,Risk=70" groupRelation="and">
-				<StartAddress condition="is">0x001A0000</StartAddress>
-				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=0,Desc=Rundll32 LSASS Credential dumping,Risk=70" groupRelation="and">
-				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
-				<SourceImage condition="image">c:\windows\system32\rundll32.exe</SourceImage>
-			</Rule>
-			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,Level=4,Alert=Remote Thread Process debugging detected,Risk=30" groupRelation="and">
-				<StartFunction condition="contains">DbgUiRemoteBreakin</StartFunction>
-				<TargetImage condition="excludes">nacl64.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,Level=0,Desc=Remote Query Debug info,Risk=30" groupRelation="and">
-				<StartFunction condition="contains">QueryProcessDebugInformationRemote</StartFunction>
-				<TargetImage condition="excludes">nacl64.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,Tactic=Defense Evasion,Level=0,Desc=Query Debug info 2,Risk=30" groupRelation="and">
-				<StartFunction condition="contains">isdebuggerpresent</StartFunction>
-				<TargetImage condition="excludes">nacl64.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1546.012,Technique=Process Debugging Detected,Tactic=Defense Evasion,Level=3,Alert=Process Debug of active Process,Risk=30" groupRelation="and">
-				<StartFunction condition="contains">DebugActiveProcess</StartFunction>
-				<TargetImage condition="excludes">nacl64.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1055.001,Technique=Process Injection: Dynamic-link Library Injection,Tactic=Defense Evasion,Level=3,Alert=LoadLibrary DLL Injection,Risk=70" groupRelation="and">
-				<StartFunction condition="contains">LoadLibrary</StartFunction>
-				<SourceImage condition="excludes">C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe</SourceImage>
-				<SourceImage condition="excludes">C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe</SourceImage>
-				<SourceImage condition="excludes">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</SourceImage>
-				<SourceImage condition="excludes">C:\Windows\System32\DriverStore\FileRepository\</SourceImage>
-				<SourceImage condition="excludes">C:\Windows\System32\igfxEM.exe</SourceImage>
-				<SourceImage condition="excludes">C:\Windows\System32\igfxHK.exe</SourceImage>
-				<SourceImage condition="excludes">Enterprise\Common7\IDE\devenv.exe</SourceImage>
-				<TargetImage condition="excludes">C:\Program Files (x86)\ASUS\ROG Live Service\FileOperator.exe</TargetImage>
-				<SourceImage condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</SourceImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=CreateFileMapping,Risk=70" groupRelation="and">
-				<StartFunction condition="contains any">CreateFileMapping;MapViewOfFile</StartFunction>
-			</Rule>			
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=LdrLoadDll DLL Injection,Risk=70" groupRelation="and">
-				<StartFunction condition="contains any">LdrLoadDll</StartFunction>
-			</Rule>
-			<Rule name="Attack=T1106,Technique=Native API,Tactic=Execution,Level=0,Desc=Crypt API Usage" groupRelation="and">
-				<StartFunction condition="contains any">CryptAcquireContextA;CryptDecodeObjectEx;CryptImportPublicKeyInfo;CryptEncrypt;CryptGenKey;CryptDecrypt;CryptStringToBinary;CryptBinaryToString;CryptImportKey</StartFunction>
-			</Rule>
-			<Rule name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,Level=0,Desc=Clipboard Usage Detected" groupRelation="and">
-				<SourceImage condition="image">c:\windows\system32\csrss.exe</SourceImage>
-				<StartFunction condition="contains">CrtlRoutine</StartFunction>
-			</Rule>
-			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Detected 1,Risk=100" condition="end with">0B80</StartAddress>
-			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Detected 2,Risk=100" condition="end with">0C7C</StartAddress>
-			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Detected 3,Risk=100" condition="end with">0C88</StartAddress>
-			<TargetImage name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=Remote Desktop injection,Risk=30" condition="image">c:\windows\system32\mstsc.exe</TargetImage>
-			<Rule name="Alert=Potentially Detect EtwEventWrite Tampering with remote threads" groupRelation="and">
-				<StartModule condition="is">C:\WINDOWS\SYSTEM32\ntdll.dll</StartModule>
-				<StartFunction condition="contains">EtwEventWrite</StartFunction>
-			</Rule>
-		</CreateRemoteThread>
-	</RuleGroup>
-	<RuleGroup name="RG=CreateRemoteThread Exclude Group" groupRelation="or">
-		<CreateRemoteThread onmatch="exclude">
-			<!--COMMENT: Exclude mostly-safe sources and log anything else.-->
-			<SourceImage condition="image">C:\Windows\SysWOW64\wbem\WmiPrvSE.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\system32\audiodg.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\system32\services.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\system32\svchost.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\system32\wininit.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\system32\winlogon.exe</SourceImage>
-		</CreateRemoteThread>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
-	<RuleGroup name="RG=RawAccessRead Include Group" groupRelation="or">
-		<RawAccessRead onmatch="include">
-		</RawAccessRead>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
-	<RuleGroup name="RG=ProcessAccess Include Group" groupRelation="or">
-		<ProcessAccess onmatch="include">
-			<!--Custom Rules-->
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CSShellExecute_ExecuteAssoc,Risk=30" groupRelation="and">
-				<CallTrace condition="contains">C:\Windows\System32\SHELL32.dll+9b5bd</CallTrace>
-				<TargetImage condition="excludes">\LocalBridge.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSHellExec,Risk=50" groupRelation="and">
-				<CallTrace condition="contains any">C:\Windows\System32\wshom.ocx+c8a0;C:\Windows\System32\wshom.ocx+c39d</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Tactic=Execution,Level=0,Desc=CWbemProviderGlueExecMethodAsync,Risk=50" groupRelation="and">
-				<CallTrace condition="contains">C:\Windows\SYSTEM32\framedynos.dll+2cb3e</CallTrace>
-				<TargetImage condition="excludes any">C:\Windows\system32\SgrmBroker.exe;C:\Windows\system32\SecurityHealthService.exe;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Windows\system32\services.exe;C:\Windows\system32\wininit.exe;C:\Windows\system32\sppsvc.exe;C:\Windows\System32\smss.exe;C:\Windows\system32\csrss.exe;C:\Windows\System32\svchost.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Tactic=Execution,Level=0,Desc=ProviderExecMethod 1,Risk=60" groupRelation="and">
-				<CallTrace condition="contains">C:\Windows\SYSTEM32\framedynos.dll+2b496</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=MiniDumpWriteDump,Risk=50" groupRelation="and">
-				<CallTrace condition="contains">C:\Windows\SYSTEM32\dbgcore.DLL+6cfb</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=PssCaptureSnapShot,Risk=50" groupRelation="and">
-				<CallTrace condition="contains">C:\Windows\System32\KernelBase.dll+de67e</CallTrace>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<CallTrace condition="contains">ntdll.dll+a0044</CallTrace>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<CallTrace condition="contains any">clr.dll+6c23;clr.dll+6b38</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 1,Risk=30" groupRelation="and">
-				<CallTrace condition="contains all">C:\Windows\\SYSTEM32\ntdll.dll+;|C:\Windows\System32\KERNELBASE.dll+;|UNKNOWN(</CallTrace>
-				<CallTrace condition="end with">)</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 2,Risk=30" groupRelation="and">
-				<CallTrace condition="contains all">"UNKNOWN(;)|UNKNOWN(</CallTrace>
-				<CallTrace condition="end with">)</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 3,Risk=30" groupRelation="and">
-				<CallTrace condition="contains all">"UNKNOWN</CallTrace>
-				<GrantedAccess condition="contains any">0x1F0FFF;0x1F1FFF;0x143A;0x1410;0x1010;0x1F2FFF;0x1F3FFF;0x1FFFFF</GrantedAccess>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=Office Macro Injection Detected,Risk=100" groupRelation="and">
-				<SourceImage condition="contains all">C:\Program Files;\Microsoft Office\Root\Office</SourceImage>
-				<CallTrace condition="contains">\Microsoft Shared\VBA</CallTrace>
-				<TargetImage condition="excludes">C:\Program Files (x86)\Intuit\</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Credential Access,Risk=70" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<GrantedAccess>0x1FFFFF</GrantedAccess>
-				<CallTrace condition="contains">UNKNOWN</CallTrace>
-				<CallTrace condition="excludes">WmiPerfClass.dll</CallTrace>
-				<SourceImage condition="excludes any">C:\Windows\sysWOW64\wbem\wmiprvse.exe;C:\Windows\system32\wbem\wmiprvse.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe;WmiPerfClass.dll;C:\Program Files (x86)\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files (x86)\Common Files\Adobe</SourceImage>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Mimikatz through Windows Remote Management,Risk=100" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<SourceImage condition="image">C:\Windows\system32\wsmprovhost.exe</SourceImage>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS process access by LaZagne,Risk=100" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<GrantedAccess>0x1FFFFF</GrantedAccess>
-				<CallTrace condition="contains all">python27.dll;_ctypes.pyd;KERNELBASE.dll;ntdll.dll</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS process access by Mimikatz,Risk=100" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<CallTrace condition="begin with">C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\system32\KERNELBASE.dll+8185</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Cobalt Strike Monitor,Risk=70" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
-				<CallTrace condition="end with">)</CallTrace>
-				<CallTrace condition="contains all">|C:\WINDOWS\System32\KERNELBASE.dll+;|UNKNOWN(</CallTrace>
-				<CallTrace condition="excludes any">wow64.dll;)|C;Exchange.Diagnostics;Microsoft.Exchange</CallTrace>
-				<SourceImage condition="excludes any">C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe;c:\windows\system32\inetsrv\w3wp.exe;MSExchangeHMHost.exe;C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Rubeus Mimikatz Like Detection,Risk=70" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\winlogon.exe</TargetImage>
-				<GrantedAccess>0x1F3FFF</GrantedAccess>
-				<CallTrace condition="contains any">C:\Windows\Microsoft.NET;UNKNOWN</CallTrace>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<SourceImage condition="end with">.exe</SourceImage>
-				<TargetImage condition="contains any">C:\Windows\sysmon64.exe;C:\Windows\sysmon64.exe</TargetImage>
-				<GrantedAccess>0x1C00</GrantedAccess>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access,Risk=20" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<GrantedAccess>0x1F1FFF</GrantedAccess>
-				<CallTrace condition="contains">UNKNOWN</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access 2,Risk=20" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<GrantedAccess>0x1010</GrantedAccess>
-				<CallTrace condition="contains">UNKNOWN</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access 3,Risk=20" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<GrantedAccess>0x143A</GrantedAccess>
-				<CallTrace condition="contains">UNKNOWN</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=LSASS Memory Dump,Risk=100" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<GrantedAccess>0x1fffff</GrantedAccess>
-				<CallTrace condition="contains any">dbghelp.dll;dbgcore.dll</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Process access with dbghelp,Risk=30" groupRelation="and">
-				<CallTrace condition="contains any">dbghelp.dll;dbgcore.dll</CallTrace>
-				<TargetImage condition="excludes">C:\Windows\system32\lsass.exe</TargetImage>
-				<SourceImage condition="excludes">C:\wfx32\</SourceImage>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<SourceImage condition="image">powershell.exe</SourceImage>
-				<TargetImage condition="excludes any">C:\Programdata\sysmon\sysmon64.exe;C:\Programdata\sysmon\sysmon.exe;C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe;\dismhost.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<CallTrace condition="contains">getasynckeystate</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=CMSTP UAC Bypass" groupRelation="and">
-				<CallTrace condition="contains">cmlua.dll</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1086,Technique=PowerShell,Tactic=Execution,Level=3,Alert=Powershell without Powershell,Risk=30" groupRelation="and">
-				<CallTrace condition="contains">System.Management.Automation</CallTrace>
-				<CallTrace condition="excludes">C:\ProgramData\Microsoft\Windows Defender\platform\</CallTrace>
-				<CallTrace condition="excludes">ctiuser.dll</CallTrace>
-				<SourceImage condition="is not">C:\Program Files\Citrix\ConfigSync\ConfigSyncRun.exe</SourceImage>
-				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V14\bin\ExSetupUI.exe</SourceImage>
-				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetupUI.exe</SourceImage>
-				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V16\bin\ExSetupUI.exe</SourceImage>
-				<SourceImage condition="is not">C:\Windows\SysWOW64\sdiagnhost.exe</SourceImage>
-				<SourceImage condition="is not">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</SourceImage>
-				<SourceImage condition="is not">C:\Windows\Temp\ExchangeSetup\ExSetupUI.exe</SourceImage>
-				<SourceImage condition="is not">C:\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe</SourceImage>
-				<TargetImage condition="is not">C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe</TargetImage>
-				<TargetImage condition="is not">C:\Windows\system32\HOSTNAME.EXE</TargetImage>
-				<TargetImage condition="is not">C:\Windows\system32\ROUTE.exe</TargetImage>
-				<TargetImage condition="is not">C:\Windows\system32\query.exe</TargetImage>
-				<TargetImage condition="is not">MsMpEng.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=3,Alert=Kaodic credential access detected,Risk=100" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<CallTrace condition="contains">comsvcs.dll</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=Office Macro Execution VBE7,Risk=80" groupRelation="and">
-				<CallTrace condition="contains any">VBE7.dll;VBEUI.DLL;VBE7INTL.DLL</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=Office Macro Execution VBE6,Risk=80" groupRelation="and">
-				<CallTrace condition="contains any">VBE6.dll;VBEUI.DLL;VBE6INTL.DLL</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=verclsid Office Execution,Risk=80" groupRelation="and">
-				<SourceImage condition="contains">Office</SourceImage>
-				<TargetImage condition="contains">verclsid.exe</TargetImage>
-				<CallTrace condition="contains any">VBE7.dll;VBEUI.DLL;VBE7INTL.DLL</CallTrace>
-				<CallTrace condition="contains any">|UNKNOWN(</CallTrace>
-				<GrantedAccess condition="contains">0x1FFFFF</GrantedAccess>
-			</Rule>
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CreateProcessW,Risk=70" groupRelation="and">
-				<SourceImage condition="contains">C:\Program Files\Microsoft Office\Root\Office</SourceImage>
-				<CallTrace condition="contains">C:\Windows\System32\KERNELBASE.dll+76516</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CSShellExecute_DoExecute,Risk=30" groupRelation="and">
-				<CallTrace condition="contains" >C:\Windows\System32\SHELL32.dll+ae3b9</CallTrace>
-				<TargetImage condition="excludes">C:\WINDOWS\system32\sihost.exe</TargetImage>
-				<TargetImage condition="excludes">C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub</TargetImage>
-			</Rule>
-			<CallTrace name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
-				<CallTrace condition="contains">|UNKNOWN(</CallTrace>
-				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
-				<CallTrace condition="contains">|C:\WINDOWS\System32\KERNELBASE.dll+</CallTrace>
-				<CallTrace condition="end with">)</CallTrace>
-				<GrantedAccess condition="contains any">0x1028;0x1fffff</GrantedAccess>
-				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git\</SourceImage>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=Potential MalDoc Behavior" groupRelation="and">
-				<SourceImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</SourceImage>
-				<CallTrace condition="contains all">:\Windows\Microsoft.NET\Framework64\v2.;UNKNOWN</CallTrace>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Potential Metasploit Process Migration" groupRelation="and">
-				<CallTrace condition="contains">UNKNOWN</CallTrace>
-				<GrantedAccess condition="contains">0x147a</GrantedAccess>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonEnte Detection,Level=4,Risk=100" groupRelation="and">
-				<TargetImage condition="contains any">C:\Windows\Sysmon64.exe;C:\Windows\Sysmon.exe</TargetImage>
-				<SourceImage condition="is not">C:\WINDOWS\system32\wbem\wmiprvse.exe</SourceImage>
-				<SourceImage condition="is not">C:\Program Files (x86)\ASUS\Update\AsusUpdate.exe</SourceImage>
-				<SourceImage condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe;C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe;C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</SourceImage>
-				<GrantedAccess condition="contains">0x1400</GrantedAccess>
-			</Rule>
-			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE: possible memory injection -->
-			<GrantedAccess name="Attack=T1093,Technique=Process Hollowing,Tactic=Defense Evasion,Level=4,Alert=Process Hollowing Detected,Risk=100">0x0800</GrantedAccess>
-			<!-- PROCESS_SUSPEND_RESUME -->
-			<GrantedAccess name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator">0x0810</GrantedAccess>
-			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
-			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=Possible Memory Dump,Risk=70">0x0820</GrantedAccess>
-			<!-- PROCESS_SUSPEND_RESUME -->
-			<GrantedAccess name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=70">0x810</GrantedAccess>
-			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
-			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Risk=70">0x820</GrantedAccess>
-			<SourceImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">cscript.exe</SourceImage>
-			<SourceImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">wscript.exe</SourceImage>
-			<SourceImage condition="end with">jjs.exe</SourceImage>
-			<CallTrace name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">dump</CallTrace>
-			<CallTrace name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">mimikatz</CallTrace>
-			<CallTrace name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CorperfmontExt.dll</CallTrace>
-		</ProcessAccess>
-	</RuleGroup>
-	<RuleGroup name="RG=ProcessAccess Exclude Group" groupRelation="or">
-		<ProcessAccess onmatch="exclude">
-			<Rule name="wmi accessing lsass" groupRelation="and">
-				<SourceImage condition="image">wmiprvse.exe</SourceImage>
-				<TargetImage condition="image">lsass.exe</TargetImage>
-			</Rule>
-			<Rule name="lsass accessing winlogon" groupRelation="and">
-				<SourceImage condition="image">lsass.exe</SourceImage>
-				<TargetImage condition="image">winlogon.exe</TargetImage>
-			</Rule>
-			<!-- These binaries appear to access lsass legitimately -->
-			<Rule name="legitimate lsass access" groupRelation="and">
-				<TargetImage condition="contains">lsass.exe</TargetImage>
-				<SourceImage condition="excludes any">C:\Windows\system32\w32tm.exe;C:\Windows\System32\ping.exe;C:\Windows\System32\net.exe;C:\Windows\System32\net1.exe;C:\Windows\SYSTEM32\HOSTNAME.EXE;C:\Programdata\sysmon\sysmon.exe;C:\Programdata\sysmon\sysmon64.exe;C:\Program Files\Windows Defender\MsMpEng.exe;C:\Program Files (x86)\BeAnywhere Support Express\;C:\Program Files (x86)\CheckPoint\;C:\Program Files (x86)\Common Files\Intuit\QuickBooks\;C:\Program Files (x86)\Fortinet\;C:\Program Files (x86)\Trend Micro\;C:\Program Files\Adobe\Adobe Creative Cloud Experience\;C:\Program Files\CheckPoint\;C:\Program Files\Fortinet\;C:\Program Files\Realtek;C:\Program Files\Trend Micro\;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Program Files (x86)\Lenovo\;snmpd.exe;taskmgr;:\Windows\System32\smss.exe;:\Windows\system32\wininit.exe;\Bin\FMS.exe; <!-- Exchange Process -->\EMET_GUI.exe;\EMET_Service.exe;\Google\Update\GoogleUpdate.exe;\RAAGTAPP.EXE;\controls\cef\ConnectWise.exe;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe;C:\Program Files\Hewlett-Packard\AMS\service\hpqams.exe;C:\Program Files\Intel\SUR\WILLAMETTE\ESRV\esrv_svc.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files\Windows Defender\MsMpEng.exe;C:\WINDOWS\system32\WerFault.exe;C:\WINDOWS\system32\taskkill.exe;C:\Windows\SysWOW64\WerFault.exe;C:\Windows\System32\snmp.exe;C:\Windows\system32\msiexec.exe;C:\Windows\system32\spoolsv.exe;C:\Windows\system32\svchost.exe</SourceImage>
-			</Rule>
-			<!-- These binaries get or access processes running .NET -->
-			<SourceImage condition="end with">:\Windows\system32\sppsvc.exe</SourceImage>
-			<SourceImage condition="end with">:\Windows\system32\sdiagnhost.exe</SourceImage>
-			<!-- In testing a common false-positive is memory space that DLLS would be expected to mapped to. -->
-			<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\ntdll.dll</CallTrace>  
-				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\win32u.dll</CallTrace>
-				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\wow64win.dll</CallTrace>
-			</Rule>
-		</ProcessAccess>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
-		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
-	<RuleGroup name="RG=FileCreate Include Group" groupRelation="or">
-		<FileCreate onmatch="include">
-			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
-			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<TargetFilename name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,Level=4,Alert=Nessus Temp Files Created,Risk=100" condition="contains">\TEMP\nessus_</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
-
-			<!--MITRE ATT&CK TACTIC: Resource Development-->
-			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
-
-			<!--MITRE ATT&CK TACTIC: Initial Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds sunburst suspicious file writes,Risk=100" groupRelation="and">
-				<Image condition="contains any">solarwinds.businesslayerhost</Image>
-				<TargetFilename condition="contains any">.exe;.dll;.ps1;.mz;.jpg;.png</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds sunburst malware dll,Risk=100" groupRelation="and">
-				<TargetFilename condition="is">C:\WINDOWS\SysWOW64\netsetupsvc.dll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Dark Halo Software location,Risk=100" groupRelation="and">
-				<TargetFilename condition="begin with">C:\Windows\SoftwareDistribution</TargetFilename>
-				<TargetFilename name="Defender AntiMalware Delta Patch" condition="excludes all">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_;.exe</TargetFilename>
-				<TargetFilename condition="end with">.exe</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=0,Desc=MSBuild Source Files created" groupRelation="or">
-				<TargetFilename condition="end with">proj</TargetFilename>
-				<TargetFilename condition="end with">.targets</TargetFilename>
-				<TargetFilename condition="end with">.build</TargetFilename>
-				<TargetFilename condition="end with">.props</TargetFilename>
-				<TargetFilename condition="end with">.tasks</TargetFilename>
-				<TargetFilename condition="end with">.sln</TargetFilename>
-				<TargetFilename condition="end with">.cs</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
-			
-			<!--MITRE ATT&CK TACTIC: Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch File scripting: Batch scripts" condition="end with">.bat</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch scripting: Legacy btm Extension" condition="end with">.btm</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch scripting: Legacy cmd Extension" condition="end with">.cmd</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch scripting: Legacy com Extension" condition="end with">.com</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CMDLine File Created" condition="end with">.cmdline</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch File Created" condition="end with">.bas</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=BIN file created" condition="end with">.bin</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WS Scripting" condition="end with">.ws</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSC Scripting" condition="end with">.wsc</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSF Scripting" condition="end with">.wsf</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSH Scripting" condition="end with">.wsh</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=PIF Scripting" condition="end with">.pif</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: MSHTA-->
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=MSHTA Scripting" condition="end with">.hta</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=IronPython,Risk=90" condition="contains">IronPython</TargetFilename>
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=Python" condition="end with">.py</TargetFilename>
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=Python" condition="end with">.pyc</TargetFilename>
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=Python" condition="end with">.pyd</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
-			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=2,Alert=Powershell file types,Risk=100" groupRelation="or">
-				<TargetFilename condition="end with">.cdxml</TargetFilename>
-				<TargetFilename condition="end with">.ps1</TargetFilename>
-				<TargetFilename condition="end with">.ps1xml</TargetFilename>
-				<TargetFilename condition="end with">.psc1</TargetFilename>
-				<TargetFilename condition="end with">.psd1</TargetFilename>
-				<TargetFilename condition="end with">.psm1</TargetFilename>
-				<TargetFilename condition="end with">.pssc</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=2,Alert=Powershell file creations,Risk=10" groupRelation="and">
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-			</Rule>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Powershell directory modifications" condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Powershell directory modifications" condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Persistence: PowerShell default profile" condition="begin with">c:\Windows\System32\WindowsPowerShell\v1.0\profile</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Persistence: PowerShell default profile" condition="begin with">c:\Windows\Syswow64\WindowsPowerShell\v1.0\profile</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\powershell.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Powershell Console History" condition="end with">PSReadLine\ConsoleHost_history.txt</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=vbs script created" condition="end with">.vbs</TargetFilename>
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=Java JRE Timestamp usage for DFIR" condition="contains">.oracle_jre_usage\</TargetFilename>
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=JavaScript" condition="end with">.js</TargetFilename>
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=JavaScript" condition="end with">.jse</TargetFilename>
-			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,Level=0,Desc=VisualBasicScripting" condition="end with">.vb</TargetFilename>
-			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,Level=0,Desc=VisualBasicScripting" condition="end with">.vbe</TargetFilename>
-			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,Level=0,Desc=VisualBasicScripting" condition="end with">.vbsript</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=CVE-2019-1315,Risk=70" groupRelation="and">
-				<TargetFilename condition="end with">Report.wer.tmp</TargetFilename>
-				<TargetFilename condition="excludes">\WER\</TargetFilename>
-				<Image condition="image">C:\Windows\system32\wermgr.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=Office App Creating Exe File,Risk=70" groupRelation="and">
-				<Image condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe</Image>
-				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="begin with">C:\Users</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=Office App Creating DLL File,Risk=70" groupRelation="and">
-				<Image condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe</Image>
-				<TargetFilename condition="end with">.dll</TargetFilename>
-				<TargetFilename condition="begin with">C:\Users</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
-			<!--MITRE ATT&CK TECHNIQUE: Native API-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: System Services-->
-			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: User Execution: Malicious File-->
-			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Generic Ransomware Detection" groupRelation="and">
-				<TargetFilename condition="contains any">!!!-WARNING-!!!.html;!!!-WARNING-!!!.txt;!!! HOW TO DECRYPT FILES !!!;!!!README!!!;!!!READ_TO_UNLOCK!!!.TXT;!!!_READ_ME_;!Recovery_;!Where_are_my_files!.html;!_HOW_TO_RESTORE_;!_RECOVERY_HELP_!.txt;!recover!;# DECRYPT MY FILES #.html;# DECRYPT MY FILES #.txt;# DECRYPT MY FILES #.vbs;# SATAN CRYPTOR #;+recover+;.8lock8;.31392E30362E32303136_;.ABCDEF;.CIop;.CR1;.CRAB;.CRYPTOSHIELD;.Cl0p;.Contact_Here_To_Recover_Your_Files.txt;.CryptoTorLocker2015!;.HERMES;.HakunaMatata;.How_To_Decrypt.txt;.How_To_Get_Back.txt;.KEYZ.KEYH0LES;.L0CKED;.LOL!;.MATRIX;.OMG!;.R.i.P;.RMCM1;.RSplited;.SUPERCRYPT;.SecureCrypted;.TheTrumpLocker;.VBRANSOM;.VforVendetta;.Where_my_files.txt;.XBTL;._AiraCropEncrypted!;.airacropencrypted!;.areyoulovemyrans;.berkshire;.bitpy;.bitx;.blocatto;.bomber;.braincrypt;.breakingbad;.breeding123;.cerber;.cifgksaffsfyghd;.country82000;.crypt;.crypted;.crypton;.cryptotorlocker;.decrypt2017;.deria;.dglnl;.disposed2017;.doomed;.encrypted.locked;.encrypted;.encryptedyourfiles;.enjey;.evillock;.filegofprencrp;.fileiscryptedhard;.firecrypt;.fuckyourdata;.gangbang;.gefickt;.googl;.happydayzz;.hceem;.helpdecrypt;.helpmeencedfiles;.hnumkhotep;.hydracrypt_ID;.iaufkakfhsaraf;.info.txt;.jimm;.kharma;.killedXXX;.lambda_l0cked;.letmetrydecfiles;.locked;.locker16;.loveransisgood;.lovewindows;.magic_software_syndicate;.mention9823;.moments2900;.myrandsext2017;.newlock;.no_more_ransom;.nochance;.noproblemwedecfiles;.notfoundrans;.ohwqg;.one-we_can-help_you;.oops;.osiris;.otherinformation;.paytounlock;.powerfulldecrypt;.powned;.pr0lock;.prolock;.prosperous666;.pwnd;.ransom;.readme2unlock;.righ;.roger;.ryk;.satan;.savethequeen;.sigaint.org;.skjdthghh;.skynet;.snatch;.stubbin;.supported2017;.suppose666;.theworldisyours;.txd0t;.warn_wallet;.weapologize;.weareyourfriends;.weencedufiles;.wowreadfordecryp;.wowwhereismyfiles;.wvtr0;.yourransom;.zzzzz ;.{CRYPTENDBLACKDC};-DECRYPT.txt;000-IF-YOU-WANT-DEC-FILES;000-No-PROBLEM-WE-DEC-FILES;000-PLEASE-READ-WE-HELP;001-READ-FOR-DECRYPT-FILES;1025-7152.exe;:\windows\update_collector.exe;==READ==THIS==PLEASE==;@cock.li;@countermail.com;@firemail.cc;@india.com;@mail.ru;@ukr.net;ASSISTANCE_IN_RECOVERY;ATTENTION!!!.txt;ATTENTION.url;Aescrypt.exe;AllFilesAreLocked;BTC_DECRYPT_FILES;BUYUNLOCKCODE.txt;BUYUNLOCKCODE;BitCryptorFileList.txt;C:\ProgramData\dtb.dat;C:\Programdata\WinMgr;C:\Programdata\clean.bat;C:\Programdata\run.bat;C:\Windows\svchost.exe;CEBER3;CHECK-IT-HELP-FILES;COME_RIPRISTINARE_I_FILE.;COMO_ABRIR_ARQUIVOS.txt;COMO_RESTAURAR_ARCHIVOS;Coin.Locker.txt;Comment débloquer mes fichiers.txt;Como descriptografar seus arquivos.txt;Corona-virus-Map;Corona.bat;Corona.sfx;CryptoRansomware;Crytp0l0cker;Cyber SpLiTTer Vbs.exe;Cyborg_DECRYPT;DALE_FILES.TXT;DECRYPT-FILES;DECRYPTION INSTRUCTIONS.;DECRYPTION_HOWTO.Notepad;DECRYPT_INFORMATION;DECRYPT_INSTRUCTION.HTML;DECRYPT_INSTRUCTION.URL;DECRYPT_INSTRUCTIONS.html;DECRYPT_INSTRUCTIONS;DECRYPT_ReadMe1.TXT;DECRYPT_Readme.TXT.ReadMe;DECRYPT_YOUR_FILES;DESIFROVANI_POKYNY.html;Decrypt All Files;DecryptAllFiles;DecryptFile;Decrypt_readme.txt;DesktopOsiris;ENTSCHLUSSELN_HINWEISE.html;EdgeLocker;FILESAREGONE.txt;FILES_BACK.txt;File Decrypt Help.html;GJENOPPRETTING_AV_FILER;GetYouFiles.txt;HAPPEN-ENCED-FILES;HELLOTHERE.TXT;HELP-ME-ENCED-FILES;HELPDECRYPT_YOUR_FILES.HTML;HELP_DECRYPT.HTML;HELP_DECRYPT.PNG;HELP_DECRYPT.URL;HELP_DECRYPT.lnk;HELP_ME_PLEASE.txt;HELP_RESTORE_FILES_;HELP_TO_SAVE_FILES.bmp;HELP_TO_SAVE_FILES;HELP_YOURFILES.HTML;HELP_YOUR_FILES.PNG;HELP_YOUR_FILES.html;HELP_YOUR_FILES;HOW-TO-DECRYPT-FILES.HTML;HOW-TO-RESTORE-FILES;HOW TO BACK YOUR FILES;HOW TO DECRYPT FILES.HTML;HOW TO DECRYPT FILES.txt;HOW TO RECOVER;HOWTO_RECOVER_FILES_;HOWTO_RESTORE_FILES;HOWTO_RESTORE_FILES_;HOW_DECRYPT.HTML;HOW_DECRYPT.TXT;HOW_DECRYPT.URL;HOW_OPEN_FILES;HOW_TO_DECRYPT.HTML;HOW_TO_DECRYPT_;HOW_TO_PAY_THE_RANSOM;HOW_TO_RESTORE_FILES.html;HOW_TO_RESTORE_FILES;HOW_TO_RESTORE_YOUR_DATA;HOW_TO_UNLOCK_FILES_README_;HWID Lock.exe;Hacked_Read_me_to_decrypt_files.html;Help Decrypt.html;How decrypt files.hta;How to decrypt LeChiffre files.html;How to decrypt your data.txt;HowDecrypt.gif;HowDecrypt.txt;How_to_decrypt_your_files.jpg;How_to_restore_files.hta;HowtoRestore_File;HowtoRestore_Files;Howto_RESTORE_FILES.html;Howto_Restore_FILES.TXT;IAMREADYTOPAY.TXT;IF-YOU-WANT-DEC-FILES;IF_WANT_FILES_BACK_PLS_READ.html;IHAVEYOURSECRET.KEY;IMPORTANT READ ME.txt;IMPORTANT.README;INSTALL_TOR.URL;INSTRUCCIONES;INSTRUCCIONES_DESCIFRADO.html;INSTRUCTION RESTORE FILE;INSTRUCTIONS_DE_DECRYPTAGE.html;INSTUCCIONES_DESCRIFRADO;ISTRUZIONI_DECRITTAZIONE.html;Important!.txt;Instructionaga.txt;KryptoLocker_README.txt;LEER_INMEDIATAMENTE;LET-ME-TRY-DEC-FILES;Locked-by-Mafia;MENSAGEM.txt;MERRY_I_LOVE_YOU_BRUCE.hta;No-PROBLEM-WE-DEC-FILES;OKSOWATHAPPENDTOYOURFILES.TXT;ONTSLEUTELINGS_INSTRUCTIES.html;OSIRIS-;PAYLOADBIN;PINGY@INDIA.COM;PLEASE-READ-WE-HELP.;PLEASE-READIT-IF_YOU-WANT.html;PLEASE-READIT-IF_YOU-WANT;PLEASE-README-AFFECTED-FILES;PLS-DEC-MY-FILES;PURELOCKER;Payment_Instructions.jpg;Please Read Me!!!;READ-FOR-DECCCC-FILESSS;READ-FOR-DECRYPT-FILES;READ-READ-READ;READ IF YOU WANT YOUR FILES BACK.html;READ ME FOR DECRYPT.txt;README HOW TO DECRYPT YOUR FILES.HTML;README!!!;README_DECRYPT_HYDRA_ID_;README_DECRYPT_HYRDA_ID_;README_DECRYPT_UMBRE_ID_;README_DONT_DELETE;README_HOW_TO_UNLOCK.HTML;README_HOW_TO_UNLOCK.TXT;README_RECOVER_FILES_;README_TO_RECURE_YOUR_FILES;READTHISNOW!!!.txt;READ_IT.txt;READ_ME_!.txt;READ_ME_TO_DECRYPT_YOU_INFORMA;READ_THIS_TO_DECRYPT.html;RECOVER-FILES;RECOVERY_FILE.;RECOVERY_FILES.TXT;RECOVER_MY_FILE;RESTORE_CORUPTED_FILES;RESTORE_FILES_;RETURN FILES.txt;RETURN YOUR FILES;RETURNFILES_.txt;RETURN_FILES.txt;RETURN_FILES_.txt;Rans0m_N0te_Read_ME;Read Me (How Decrypt) !!!!.txt;ReadDecryptFilesHere;Read_this_file.txt;Receipt.exe;RecoveryManual.html;Recovery_File_;Recovery_file_;Rooster865qq;SECRET.KEY;SECRETIDHERE.KEY;SHTODELATVAM.txt;SIFRE_COZME_TALIMATI.html;SORRY-FOR-FILES;Survey Locker.exe;TRY-READ-ME-TO-DEC;Temp\satan\satan;ThxForYurTyme;UNLOCK_FILES_INSTRUCTIONS.html;UNLOCK_FILES_INSTRUCTIONS.txt;UnblockFiles.vbs;VIP72.exe;Vape Launcher.exe;WANT_FILES_BACK;WE-MUST-DEC-FILES;WHERE-YOUR-FILES;WORMKILLER@INDIA.COM.XTBL;What happen to my files.txt;Whereisyourfiles;WindowsApplication1.exe;YOUGOTHACKED.TXT;YOUR_FILES.txt;YOUR_FILES.url;YOUR_FILES_ARE_DEAD;YOUR_FILES_ARE_ENCRYPTED.HTML;YOUR_FILES_ARE_ENCRYPTED.TXT;YOUR_FILES_ARE_LOCKED.txt;Your files are locked !!!!.txt;Your files are locked !!!.txt;Your files are locked !!.txt;Your files are locked !.txt;Your files encrypted by our friends !!! txt;Your files encrypted by our friends !!!.txt;[KASISKI];_Adatok_visszaallitasahoz_utasitasok;_DECRYPT_ASSISTANCE_;_DECRYPT_INFO_;_DECRYPT_INFO_szesnl;_DEC_FILES.;_FILES_WERE_ENCRYPTED_@.TXT;_HELP_HELP_HELP_;_HELP_Recover_Files_;_HELP_instructions.bmp;_HELP_instructions.txt;_HOWDO_text.bmp;_HOWDO_text.html;_HOW_TO_Decrypt;_H_e_l_p_RECOVER_INSTRUCTIONS+;_H_e_l_p_RECOVER_INSTRUCTIONS;_Locky_recover;_Locky_recover_instructions.bmp;_Locky_recover_instructions.txt;_README.hta;_README.jpg;_READ_ME!;_RECOVER_INSTRUCTIONS;_ReCoVeRy_+;_USE_TO_FIX_;_WHAT_is.html;_help_instruct;_how_recover.txt;_how_recover;_how_recover_;_recover_;_secret_code.txt;_steaveiwalker@india.com_;aeroware;confirmation.key;contains(to_string($message.file_created), "howrecover+;crjoker.html;cryptinfo.txt;cryptolocker.;cryptopp;de_crypt_readme.;de_crypt_readme.bmp;de_crypt_readme.html;de_crypt_readme.txt;decipher_ne;decrypt-instruct;decrypt explanations.;decrypt my file;decrypt your file;decrypt_Globe;decrypt_instruct;decrypted_files.dat;decryptional;decryptmyfiles;decypt_your_files.html;default32643264.bmp;default432643264.jpg;email-salazar_slytherin10;enc_files.txt;encryptor_raas_readme_liesmich;enigma.hta;enigma_encr.txt;exit.hhr.obleep;fattura_;file0locked;files_are_encrypted.;-filesencrypted;firemail.cc;firstransomware.exe;gmx.de;hacks.at.sigaint.org;help-file-decrypt.enc;help_decrypt;help_file_;help_instructions.;help_my_files;help_recover;help_recover_instructions;help_restore;help_restore_files;help_your_file;helpmeencedfiles;how to decrypt aes files.lnk;how to decrypt;how to get data.txt;how_decrypt.gif;how_recover;how_to_decrypt;how_to_recover;howrecover+ recoveryfile_;howrecover+;howto_recover_file;howto_restore;howtodecrypt;howtodecryptaesfiles.txt;inbox.ru;info@kraken.cc_worldcza@email.cz;install_tor;iran.ir;last_chance.txt;maestro@pizzacrypts.info;maxcrypt.bmp;only-we_can-help_you;openforyou@india.com;opensourcemail.org;padcrypt;paycrypt.bmp;popcorn_time.exe;powerfulldecrypt;protonmail.ch;qbmail.biz;randomname;readme_decrypt;readme_for_decrypt;readme_liesmich_encryptor_raas;recover_file;recover_file_;recover_instruction;recoverfile;recoverfile_;recovery+;recovery_file.txt;recovery_key.txt;recoveryfile;recover}-;restore_files.txt;restorefiles;restorefiles_;ryukreadme.html;tuta.io;tutanota.com;tutanota.de;unCrypte;vault.hta;vault.key;vault.txt;want your files back.;warning-!!;wie_zum_Wiederherstellen_von_Dateien.txt;wowreadfordecryp;wowwhereismyfiles;zXz.html;zycrypt.;zzzzzzzzzzzzzzzzzyyy</TargetFilename>
-			</Rule>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="contains">crackmapexec</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._AES.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._DES.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Hash._SHA256.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Random.OSRNG.winrandom.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Util.strxor.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\crackmapexec.exe.manifest</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\greenlet.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=KeeFarce.exe default injected DLL name,Risk=100" condition="end with">BootStrapDLL.dll</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=MegaCortex Ransomware,Risk=100" condition="begin with">C:\windows\temp\wininit.exe</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Mimikatz Files" condition="contains any">lazycat;powerkatz;mimikatz;mimidrv;mimilove;mimilib;mimikittenz;mimiauth;invoke-mimi</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=RDP Wrapper,Risk=100" condition="end with">rdpwrap.dll</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=winspool.drv dropped" condition="end with">winspool.drv</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
-			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
-			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
-			<Image name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="begin with">C:\WINDOWS\system32\wbem\scrcons.exe</Image>
-			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<TargetFilename name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,Level=3,Alert=Autorun Folder Entries" condition="contains">\Programs\Startup\</TargetFilename>
-			<TargetFilename name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,Level=3,Alert=Autorun Folder Entries" condition="contains">\Startup\</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
-			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Office Application Startup modification" condition="contains">\Word\STARTUP\</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Office Application Startup modification" condition="contains">\Microsoft\Templates\</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Office Application Startup modification" condition="contains">\Excel\XLSTART\</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence" condition="end with">.dotm</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence" condition="end with">.XLSB</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
-			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=3,Alert=HAFNIUM APT: IIS Creating ASPX files outside of wwwwroot,Risk=80" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-				<TargetFilename condition="end with">.aspx</TargetFilename>
-				<TargetFilename condition="excludes">\wwwroot\aspnet_client\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=HAFNIUM APT: IIS Creating PHP files,Risk=80" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-				<TargetFilename condition="end with">.php</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=HAFNIUM APT: IIS Creating AAA files,Risk=80" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-				<TargetFilename condition="end with">.aaa</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=3,Alert=HAFNIUM Web Shells Dropped,Risk=100" groupRelation="and">
-				<TargetFilename condition="contains any">\wwwroot\aspnet_client\</TargetFilename>
-				<TargetFilename condition="contains any">.aspx;.php</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=Files dropped in wwwroot directory,Risk=40" groupRelation="and">
-				<TargetFilename condition="contains any">\wwwroot\</TargetFilename>
-				<TargetFilename condition="excludes any">\wwwroot\aspnet_client\;jpg</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=ASP Files dropped outside wwwroot directory" groupRelation="and">
-				<TargetFilename condition="end with">.asp</TargetFilename>
-				<TargetFilename condition="excludes any">\wwwroot\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=ASPX Files dropped outside wwwroot directory" groupRelation="and">
-				<TargetFilename condition="end with">.aspx</TargetFilename>
-				<TargetFilename condition="excludes any">\wwwroot\</TargetFilename>
-			</Rule>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ecp\auth\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\oab\auth\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">ClientAccess\Owa\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\owa\auth\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">httpproxy\rpc\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">ClientAccess\ecp\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\htdocs\</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=Printer Exploitation Detected,Risk=20" groupRelation="and">
-				<TargetFilename condition="end with">.SPL</TargetFilename>
-				<Image condition="excludes any">spoolsv.exe;printfilterpipelinesvc.exe;printisolationhost.exe;splwow64.exe;msiexec.exe;poqexec.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=Printer Spooler Created exe file,Risk=40" groupRelation="and">
-				<Image condition="image">spoolsv.exe</Image>
-				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="excludes">C\:\Windows\System32\spool\;C\:\Windows\Temp\;C\:\Users\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=InstallerFileTakeOver,Risk=80,CVE=CVE-2021-41379" groupRelation="and">
-				<Image condition="image">msiexec.exe</Image>
-				<TargetFilename condition="contains">\Microsoft\Edge\Application</TargetFilename>
-				<TargetFilename condition="end with">elevation_service.exe</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
-			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\LocalState\rootfs\</TargetFilename>
-
-			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="or">
-				<TargetFilename condition="begin with">C:\PerfLogs\</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Temp\</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Users\Default\</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename> 
-				<TargetFilename condition="contains">\AppData\Temp\</TargetFilename>
-				<Image condition="excludes">C:\WINDOWS\system32\dxgiadaptercache.exe</Image>
-			</Rule>
-			<TargetFilename condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
-			<Image condition="contains" name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Files Created from">$Recycle.Bin</Image>
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Files Created within System Profile" groupRelation="and">
-				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
-				<TargetFilename condition="contains">\config\systemprofile\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Files Created from System Profile executable" groupRelation="and">
-				<Image condition="begin with">C:\Windows\</Image>
-				<Image condition="contains">\config\systemprofile\</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
-			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
-			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
-			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
-			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Compiled HTML File-->
-			<TargetFilename name="Attack=T1223,Technique=Compiled HTML File,Tactic=Defense Evasion" condition="end with">.chm</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
-			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
-			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion" condition="end with">proj</TargetFilename>
-			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion" condition="end with">.sln</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
-			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
-
-			<!--MITRE ATT&CK TACTIC: Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
-			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
-			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
-			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
-
-			<!--MITRE ATT&CK TACTIC: Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
-			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-
-			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
-			<Rule name="Attack=T1203,Technique=Exploitation of Remote Services,Tactic=Lateral Movement,Level=4,Alert=Exchange Exploitation UM Service File Creation,Risk=80,CVE=CVE-2021-26858" groupRelation="and">
-				<Image condition="contains any">UMWorkerProcess.exe;UMService.exe</Image>
-				<TargetFilename condition="contains any">.</TargetFilename>
-				<TargetFilename condition="excludes any">.log;.cfg;.txt;cleanup;.HealthCheck;\wp.active;.db</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-
-			<!--MITRE ATT&CK TACTIC: Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.7z</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.7zip</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.arj</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.s7z</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=.A Archive" condition="end with">.a</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ACE Archive" condition="end with">.ace</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=AR Archive" condition="end with">.ar</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ARC Archive" condition="end with">.arc</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=BIN" condition="end with">.bin</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=CAB Archive" condition="end with">.cab</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=Game PAK Archive" condition="end with">.pak</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=Gzip Archive" condition="end with">.gz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=IMG Archive" condition="end with">.img</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ISO Archive" condition="end with">.iso</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=LZM Archive" condition="end with">.lzm</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=LZMA Archive" condition="end with">.lzma</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Temp\Rar$</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=RAR Archive" condition="end with">.rar</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">RarSFX</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=SFX Archive" condition="end with">.sfx</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=SZ Archive" condition="end with">.sz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=TAR Archive" condition="end with">.tar</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=TAR.GZ Archive" condition="end with">.tar.gz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=XZ Archive" condition="end with">.xz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ZIP Archive" condition="end with">.zip</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
-			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .OST Created,Risk=30" condition="end with">.ost</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.eml</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.msg</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.pst</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
-
-			<!--MITRE ATT&CK TACTIC: Command and Control-->
-			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=Cyrillic Letter obfuscation,Risk=100" groupRelation="and">
-				<TargetFilename condition="contains any">Г;И;К;П;д;и;к;л;л;н;н;о;ф;ե;թ;յ;ն;ն;ն;ն;տ;ւ;ք</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
-			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
-			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created by Teamviewer" condition="is">Teamviewer.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">rundll32.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created with Remote Desktop Client" condition="is">mstsc.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">cmd.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">ipy.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">WScript.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with cscript.exe,Risk=30" condition="is">cscript.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with mshta.exe,Risk=100" condition="is">mshta.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with python.exe,Risk=30" condition="is">python.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with wmic.exe,Risk=30" condition="is">wmic.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
-			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy: Multi-hop Proxy-->
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Hidden Service,Risk=100" condition="contains">HiddenService</TargetFilename>
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Files,Risk=100" condition="end with">torrc</TargetFilename> 
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Files,Risk=100" condition="contains">\tor.exe</TargetFilename> 
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Files,Risk=100" condition="contains">tor-gencert</TargetFilename> 
-			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
-
-			<!--MITRE ATT&CK TACTIC: Exfiltration-->
-
-			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Possible rclone Exfiltration,Risk=30" condition="contains">rclone</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Possible s3browser Exfiltration,Risk=30" condition="contains">s3browser</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Browser Credential exfiltration,Risk=30" condition="contains">grabff.exe</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Browser Credential exfiltration,Risk=30" condition="contains">grabff.exe</TargetFilename>
-			<!--MITRE ATT&CK TACTIC: Impact-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Snatch Ransomware Detected,Risk=100" groupRelation="and">
-				<TargetFilename condition="contains all">RESTORE_;_FILES.txt</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Snatch2 Ransomware Detected,Risk=100" groupRelation="and">
-				<TargetFilename condition="contains all">DECRYPT_;_FILES.txt</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Nanocore Detected,Risk=100" groupRelation="and">
-				<TargetFilename condition="contains any">\run.dat;\task.dat;\storage.dat</TargetFilename>
-				<TargetFilename condition="contains">AppData</TargetFilename>
-				<TargetFilename condition="excludes any">Symantec</TargetFilename>
-				<TargetFilename condition="excludes any">BlueJeans</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=RagnarLocker Virtualbox files: susceptible to FP,Risk=40" groupRelation="and">
-				<TargetFilename condition="contains any">VBoxRT.dll;VboxC.dll</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
-			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
-			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
-			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
-			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
-			<!--UEBA Detections-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
-				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.dll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="contains any">MSForms.exd</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename> 
-				<TargetFilename condition="begin with">C:\windows\system32\</TargetFilename> 
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename> 
-				<TargetFilename condition="begin with">C:\windows\</TargetFilename> 
-				<TargetFilename condition="excludes">\system32\</TargetFilename> 
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
-				<TargetFilename condition="excludes">C:\windows\</TargetFilename> 
-				<TargetFilename condition="excludes">C:\Users\</TargetFilename> 
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Users\</TargetFilename> 
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="contains">\Microsoft\Word\Startup\</TargetFilename>
-				<TargetFilename condition="end with">.wll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="begin with">C:\windows\system32\CodeIntegrity\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="contains">\Microsoft\Excel\Startup\</TargetFilename>
-				<TargetFilename condition="end with">.xll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">\Microsoft\Outlook\VbaProject.OTM</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="contains">\Microsoft\Addins\</TargetFilename>
-				<TargetFilename condition="contains any">.xla</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.vsto</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.bat</TargetFilename>
-				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
-				<Image condition="excludes any">C:\ProgramData\Lenovo\SystemUpdate\sessionSE\</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.dll</TargetFilename>
-				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.sys</TargetFilename>
-				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
-				<TargetFilename condition="excludes any">C:\Windows\System32\;C:\windows\syswow64\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="begin with">C:\Windows\SysWow64\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.theme</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="contains">\Packages\oice_</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="image">VirtualboxVM.exe</Image>
-			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">notepad++.exe</Image>
-			<TargetFilename name="Attack=T1023,Technique=Shortcut Modification,Tactic=Persistence,Level=4,Alert=Potential LNK Malware File Downloaded">.lnk:Zone.Identifier</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\cscript.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\mshta.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\msiexec.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\regsvr32.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\rundll32.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\svchost.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wmic.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wscript.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\regsvr32.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Winrm Host Process" condition="end with">\UsageLogs\wsmprovhost.exe.log</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=Link">.lnk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level==0,Desc=URL">.url</TargetFilename>
-			<!--Drivers dropped-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sys</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.inf</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\System32\Drivers</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Drivers\</TargetFilename>
-			<TargetFilename condition="end with">.drv</TargetFilename> 
-			<!--Microsoft Office File Monitoring-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlam</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlsm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xla</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xll</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xls</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlsb</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlsx</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlt</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xltm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xlw</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Microsoft\Templates\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.eml</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.msg</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.potm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sldm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Microsoft\Office\Recent</TargetFilename>
-			<TargetFilename name="Forensic=Recent Office History" condition="contains">oleObject</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Downloads\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Content.Outlook\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.docb</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.wbk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ped</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.dot</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.dotx</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.doc</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.docm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.docx</TargetFilename>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
-				<TargetFilename condition="end with">.accdb</TargetFilename>
-				<TargetFilename condition="end with">.accde</TargetFilename>
-				<TargetFilename condition="end with">.accdr</TargetFilename>
-				<TargetFilename condition="end with">.accdt</TargetFilename>
-				<TargetFilename condition="end with">.mdb</TargetFilename>
-				<TargetFilename condition="end with">.mde</TargetFilename>
-				<TargetFilename condition="end with">.msc</TargetFilename>
-				<TargetFilename condition="end with">.mst</TargetFilename>
-				<TargetFilename condition="end with">.potx</TargetFilename>
-				<TargetFilename condition="end with">.ppam</TargetFilename>
-				<TargetFilename condition="end with">.ppsm</TargetFilename>
-				<TargetFilename condition="end with">.ppsx</TargetFilename>
-				<TargetFilename condition="end with">.ppt</TargetFilename>
-				<TargetFilename condition="end with">.pptm</TargetFilename>
-				<TargetFilename condition="end with">.pptx</TargetFilename>
-				<TargetFilename condition="end with">.pub</TargetFilename>
-				<TargetFilename condition="end with">.sldm</TargetFilename>
-				<TargetFilename condition="end with">.sldx</TargetFilename>
-				<TargetFilename condition="end with">.xls</TargetFilename>
-				<TargetFilename condition="end with">.xps</TargetFilename>
-			</Rule>
-			<!--SECTION: Certificates -->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
-				<TargetFilename condition="end with">.pem</TargetFilename>
-				<TargetFilename condition="end with">.crt</TargetFilename>
-				<TargetFilename condition="end with">.ca-bundle</TargetFilename>
-				<TargetFilename condition="end with">.cer</TargetFilename>
-				<TargetFilename condition="end with">.csr</TargetFilename>
-				<TargetFilename condition="end with">.der</TargetFilename>
-				<TargetFilename condition="end with">.p7b</TargetFilename>
-				<TargetFilename condition="end with">.p7r</TargetFilename>
-				<TargetFilename condition="end with">.p7s</TargetFilename>
-				<TargetFilename condition="end with">.pfx</TargetFilename>
-				<TargetFilename condition="end with">.sto</TargetFilename>
-				<TargetFilename condition="end with">.p12</TargetFilename>
-				<TargetFilename condition="end with">.crl</TargetFilename>
-				<TargetFilename condition="end with">.sst</TargetFilename>
-				<TargetFilename condition="end with">.key</TargetFilename>
-			</Rule>
-			<!-- side loading -->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
-				<TargetFilename condition="end with">.hlp</TargetFilename>
-				<TargetFilename condition="end with">ACLUI.DLL.UI</TargetFilename>
-				<TargetFilename condition="end with">ACLUI.DLL</TargetFilename>
-				<TargetFilename condition="end with">AFLogVw.exe</TargetFilename>
-				<TargetFilename condition="end with">AShld.exe</TargetFilename>
-				<TargetFilename condition="end with">AShldRes.DLL.asr</TargetFilename>
-				<TargetFilename condition="end with">AShldRes.DLL</TargetFilename>
-				<TargetFilename condition="end with">AhnI2.dll</TargetFilename>
-				<TargetFilename condition="end with">CamMute.exe</TargetFilename>
-				<TargetFilename condition="end with">CommFunc.dll</TargetFilename>
-				<TargetFilename condition="end with">CommFunc.jax</TargetFilename>
-				<TargetFilename condition="end with">DESqmWrapper.dll</TargetFilename>
-				<TargetFilename condition="end with">DESqmWrapper.wrapper</TargetFilename>
-				<TargetFilename condition="end with">FSPMAPI.dll.fsp</TargetFilename>
-				<TargetFilename condition="end with">FSPMAPI.dll</TargetFilename>
-				<TargetFilename condition="end with">Gadget.exe</TargetFilename>
-				<TargetFilename condition="end with">LoLTWLauncher.exe</TargetFilename>
-				<TargetFilename condition="end with">Mc.exe</TargetFilename>
-				<TargetFilename condition="end with">McUtil.dll.ping</TargetFilename>
-				<TargetFilename condition="end with">McUtil.dll.url</TargetFilename>
-				<TargetFilename condition="end with">McUtil.dll</TargetFilename>
-				<TargetFilename condition="end with">MpSvc.dll</TargetFilename>
-				<TargetFilename condition="end with">MsMpEng.exe</TargetFilename>
-				<TargetFilename condition="end with">NtUserEx.dat</TargetFilename>
-				<TargetFilename condition="end with">NtUserEx.dat</TargetFilename>
-				<TargetFilename condition="end with">NtUserEx.dll</TargetFilename>
-				<TargetFilename condition="end with">NtUserEx.dll</TargetFilename>
-				<TargetFilename condition="end with">NvSmart.exe</TargetFilename>
-				<TargetFilename condition="end with">NvSmartMax.dll</TargetFilename>
-				<TargetFilename condition="end with">NvSmartMax.dll</TargetFilename>
-				<TargetFilename condition="end with">NvSmartMaxapp.dll</TargetFilename>
-				<TargetFilename condition="end with">OInfo11.ISO</TargetFilename>
-				<TargetFilename condition="end with">OInfo11.ocx</TargetFilename>
-				<TargetFilename condition="end with">OInfoP11.exe</TargetFilename>
-				<TargetFilename condition="end with">OleView.exe</TargetFilename>
-				<TargetFilename condition="end with">OleView.exe</TargetFilename>
-				<TargetFilename condition="end with">POETWLauncher.exe</TargetFilename>
-				<TargetFilename condition="end with">RasTls.dll.config</TargetFilename>
-				<TargetFilename condition="end with">RasTls.dll.msc</TargetFilename>
-				<TargetFilename condition="end with">RasTls.dll</TargetFilename>
-				<TargetFilename condition="end with">RasTls.exe</TargetFilename>
-				<TargetFilename condition="end with">RunHelp.exe</TargetFilename>
-				<TargetFilename condition="end with">Sidebar.dll.doc</TargetFilename>
-				<TargetFilename condition="end with">Sidebar.dll</TargetFilename>
-				<TargetFilename condition="end with">Ushata.dll</TargetFilename>
-				<TargetFilename condition="end with">Ushata.exe</TargetFilename>
-				<TargetFilename condition="end with">Ushata.fox</TargetFilename>
-				<TargetFilename condition="end with">VeetlePlayer.exe</TargetFilename>
-				<TargetFilename condition="end with">boot.ldr</TargetFilename>
-				<TargetFilename condition="end with">chrome_frame_helper.dll.rom</TargetFilename>
-				<TargetFilename condition="end with">chrome_frame_helper.dll</TargetFilename>
-				<TargetFilename condition="end with">chrome_frame_helper.exe</TargetFilename>
-				<TargetFilename condition="end with">dvcemumanager.exe</TargetFilename>
-				<TargetFilename condition="end with">fsguidll.exe</TargetFilename>
-				<TargetFilename condition="end with">fslapi.dll.gui</TargetFilename>
-				<TargetFilename condition="end with">fslapi.dll</TargetFilename>
-				<TargetFilename condition="end with">fsstm.exe</TargetFilename>
-				<TargetFilename condition="end with">hccutils.dll.res</TargetFilename>
-				<TargetFilename condition="end with">hccutils.dll</TargetFilename>
-				<TargetFilename condition="end with">hha.dll.bak</TargetFilename>
-				<TargetFilename condition="end with">hha.dll</TargetFilename>
-				<TargetFilename condition="end with">hhc.exe</TargetFilename>
-				<TargetFilename condition="end with">hkcmd.exe</TargetFilename>
-				<TargetFilename condition="end with">iviewers.dll</TargetFilename>
-				<TargetFilename condition="end with">jli.dll</TargetFilename>
-				<TargetFilename condition="end with">libvlc.dll</TargetFilename>
-				<TargetFilename condition="end with">mPclient.dll</TargetFilename>
-				<TargetFilename condition="end with">mcf.ep</TargetFilename>
-				<TargetFilename condition="end with">mcf.exe</TargetFilename>
-				<TargetFilename condition="end with">mcupdui.exe</TargetFilename>
-				<TargetFilename condition="end with">mcut.exe</TargetFilename>
-				<TargetFilename condition="end with">mcutil.dll.bbc</TargetFilename>
-				<TargetFilename condition="end with">mcvsmap.exe</TargetFilename>
-				<TargetFilename condition="end with">msi.dll.dat</TargetFilename>
-				<TargetFilename condition="end with">msi.dll</TargetFilename>
-				<TargetFilename condition="end with">msseces.asm</TargetFilename>
-				<TargetFilename condition="end with">msseces.exe</TargetFilename>
-				<TargetFilename condition="end with">mtcReport.ktc</TargetFilename>
-				<TargetFilename condition="end with">rc.dll</TargetFilename>
-				<TargetFilename condition="end with">rc.exe</TargetFilename>
-				<TargetFilename condition="end with">rc.hlp</TargetFilename>
-				<TargetFilename condition="end with">sep_NE.exe</TargetFilename>
-				<TargetFilename condition="end with">sep_NE.slf</TargetFilename>
-				<TargetFilename condition="end with">tplcdclr.exe</TargetFilename>
-				<TargetFilename condition="end with">winmm.dll</TargetFilename>
-				<TargetFilename condition="end with">wts.chm</TargetFilename>
-				<TargetFilename condition="end with">credwiz.exe</TargetFilename>
-			</Rule>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">ssMUIDLL.dll</TargetFilename>
-			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">aepic.dll</TargetFilename>
-			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">ftllib.dll</TargetFilename>
-			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">userenv.dll</TargetFilename>
-			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP Bitmap Cache" condition="contains">\Terminal Server Client\Cache\</TargetFilename>
-			<TargetFilename name="Attack=T1204,Technique=User Execution,Tactic=Execution,Forensic=Windows Prefetch Exec History" condition="begin with">C:\Windows\Prefetch</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">\\tsclient</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\</TargetFilename>
-			<TargetFilename name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=4,Alert=SharpDump bin,Risk=100" condition="end with">\Temp\debug.bin</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Temp\7z</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.chm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.cpl</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">.mht</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.crx</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.appref-ms</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.gadget</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.JSE</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.exe</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.scf</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Exchange Server\ClientAccess\Owa\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">\Device\HarddiskVolumeShadowCopy</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">.zip\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.FON</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.FOT</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.iqy</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ico</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.isp</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.msc</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.manifest</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">MEMORY.dmp</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.msi</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.cs</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.customDestinations-ms</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">C:\Windows\Minidump</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.PAF</TargetFilename>
-			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP Bitmap Cache" condition="end with">.bmc</TargetFilename>
-			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP" condition="end with">.rdp</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.rtf</TargetFilename> 
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.reg</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SHS</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.slk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SCR</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.set</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SettingContent-ms</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SHD</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SPL</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.scr</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">HammerDrillStatus.dll</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Microsoft\Windows\WER\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ICL</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sdb</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SCT</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.SHB</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Temp\Temp1_</TargetFilename>
-			<!--Uncategorized-->
-			<TargetFilename condition="contains all">\Microsoft\;CLR_v;\UsageLogs\</TargetFilename>
-			<TargetFilename condition="end with">.ade</TargetFilename>
-			<TargetFilename condition="end with">.adp</TargetFilename>
-			<TargetFilename condition="end with">.application</TargetFilename>
-			<TargetFilename condition="end with">.appref-ms</TargetFilename>
-			<TargetFilename condition="end with">.asc</TargetFilename>
-			<TargetFilename condition="end with">.bmf</TargetFilename>
-			<TargetFilename condition="end with">.cer</TargetFilename>
-			<TargetFilename condition="end with">.dmp</TargetFilename>
-			<TargetFilename condition="end with">.gpg</TargetFilename>
-			<TargetFilename condition="end with">.htm</TargetFilename>
-			<TargetFilename condition="end with">.html</TargetFilename>
-			<TargetFilename condition="end with">.json</TargetFilename>
-			<TargetFilename condition="end with">.jsp</TargetFilename>
-			<TargetFilename condition="end with">.key</TargetFilename>
-			<TargetFilename condition="end with">.mof</TargetFilename>
-			<TargetFilename condition="end with">.ocx</TargetFilename>
-			<TargetFilename condition="end with">.p7b</TargetFilename>
-			<TargetFilename condition="end with">.p12</TargetFilename>
-			<TargetFilename condition="end with">.pem</TargetFilename>
-			<TargetFilename condition="end with">.pfx</TargetFilename>
-			<TargetFilename condition="end with">.pgp</TargetFilename>
-			<TargetFilename condition="end with">.php</TargetFilename>
-			<TargetFilename condition="end with">.ppk</TargetFilename>
-			<TargetFilename condition="end with">.war</TargetFilename>
-			<TargetFilename condition="end with">.xml</TargetFilename>
-		</FileCreate>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
-	<RuleGroup name="RG=RegistryEvent Include Group" groupRelation="or">
-		<RegistryEvent onmatch="include">
-			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
-			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
-
-			<!--MITRE ATT&CK TACTIC: Resource Development-->
-			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
-
-			<!--MITRE ATT&CK TACTIC: Initial Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<Rule name="Forensic=RDP Connection History Tracking" groupRelation="and">
-				<TargetObject condition="contains">\Software\Microsoft\Terminal Server Client</TargetObject>
-				<TargetObject condition="excludes">DefaultPrinter</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">MountedDevices</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Mountpoints2</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Active Setup\Installed Components</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\</TargetObject>
-				<TargetObject condition="end with">LoggedOnUser</TargetObject>
-			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">LastLoggedOnUser</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">LastLoggedOnProvider</TargetObject>
-			<!--MITRE ATT&CK TACTIC: Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
-			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Suspicious Set Value of MSDT in Registry: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<TargetObject condition="begin with">HKCR\ms-msdt\</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Scripted Diagnostics Turn Off Check Enabled: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
-			<!--MITRE ATT&CK TECHNIQUE: Native API-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: System Services-->
-			<Rule name="Attack=T1543.003,Tactic=Persistence,Technique=Create Windows Service,Level=3,Alert=New SVCHost service,Risk=70" groupRelation="and">
-				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost</TargetObject>
-				<TargetObject condition="excludes">\print\</TargetObject>
-				<TargetObject condition="excludes">\AzureAttestService\CoInitializeSecurityParam</TargetObject>
-				<Image condition="excludes">C:\$WINDOWS.~BT\</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=VBA Project Object Model Macro Settings,Risk=30" groupRelation="and">
-				<TargetObject condition="end with">\AccessVBOM</TargetObject>
-				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=VBA Project VBA Warnings Macro Setting Change,Risk=40" groupRelation="and">
-				<TargetObject condition="end with">Security\VBAWarnings</TargetObject>
-				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=VBA Project VBA Warnings Macro Setting Change,Risk=40" groupRelation="and">
-				<TargetObject condition="end with">Security\VBAWarnings</TargetObject>
-				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Potential Office Macro Execution Detected" groupRelation="and">
-				<Image condition="contains any">EXCEL.exe;WINWORD.exe</Image>
-				<TargetObject condition="contains any">{8BD21D32-EC42-11CE-9E0D-00AA006002F3};{5B9D8FC8-4A71-101B-97A6-00000B65C08B}</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: User Execution: Malicious File-->
-			<Rule name="Attack=T0000,Level=4,Alert=NJRAT Detection,Risk=100" groupRelation="and">
-				<TargetObject condition="is">HKCU\di</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">HKCU\�</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\AMSI\Providers\</TargetObject>
-				<TargetObject condition="begin with">hklm\software\microsoft\windows script\settings\amsienable</TargetObject>
-				<TargetObject condition="begin with">hkcu\software\microsoft\windows script\settings\amsienable</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
-
-			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">Google\Chrome\Extensions</TargetObject>
-				<TargetObject condition="end with">update_url</TargetObject>
-				<EventType condition="is">SetValue</EventType>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">ForcePasswordReset</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
-				<TargetObject condition="end with">Last Password Change</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
-				<TargetObject condition="end with">Account Expiration</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
-				<TargetObject condition="end with">Last Failed Logon</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\0000022B\</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<TargetObject name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Alert=Process Injection: injecting a 64-bit DLL into a 32-bit process" condition="contains">SOFTWARE\Microsoft\Wow64\x86\</TargetObject> <!-- http://www.hexacorn.com/blog/2019/07/11/beyond-good-ol-run-key-part-108-2/ -->
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Reg Keys,Risk=70" groupRelation="and">
-				<EventType condition="is">SetValue</EventType>
-				<TargetObject condition="contains">\CurrentVersion\Run\</TargetObject>
-				<Image condition="excludes">Add_exclusions_here</Image>
-			</Rule>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Microsoft\System\Scripts</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Windows\System\Scripts</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Command Line parameters" condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=1,Desc=Service Start Mode Changed to: Boot" groupRelation="and">
-				<TargetObject condition="end with">\Start</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=1,Desc=Service Start Mode Changed to: System" groupRelation="and">
-				<TargetObject condition="end with">\Start</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details>
-			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=1,Desc=Service Start Mode Changed to: Automatic" groupRelation="and">
-				<TargetObject condition="end with">\Start</TargetObject>
-				<Details condition="contains">DWORD (0x00000002)</Details>
-			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: Manual" groupRelation="and">
-				<TargetObject condition="end with">\Start</TargetObject>
-				<Details condition="contains">DWORD (0x00000003)</Details>
-			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: Disabled" groupRelation="and">
-				<TargetObject condition="end with">\Start</TargetObject>
-				<Details condition="contains">DWORD (0x00000004)</Details>
-			</Rule>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Services and autoruns imagepath" condition="end with">\ImagePath</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Windows Service DLL changes" condition="end with">\ServiceDll</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Manifest pointing to service's DLL" condition="end with">\ServiceManifest</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hkcu\software\microsoft\windows nt\currentversion\windows\run\</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\common startup</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\startup</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hklm\software\microsoft\command processor\autorun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="contains all">hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="contains">Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Print Processors-->
-			<TargetObject name="Attack=T1013,Technique=Port Monitors,Tactic=Persistence/Privilege Escalation" condition="contains">\Print\Monitors</TargetObject>
-			<!--<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Printers\Connections</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Print\Environments\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Servers\Printers\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Print\V4 Connections</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CurrentVersion\PrinterPorts</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">SWD\PRINTENUM</TargetObject>-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
-			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
-			<Rule name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Level=0,Desc=New user created,Risk=40" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
-				<TargetObject condition="excludes">$</TargetObject>
-				<EventType condition="is">CreateKey</EventType>
-			</Rule>
-			<Rule name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Level=0,Desc=Hidden New user created,Risk=40" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
-				<TargetObject condition="contains">$</TargetObject>
-				<EventType condition="is">CreateKey</EventType>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==3,Alert=Sysmon Manifest change detected,Risk=30" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}</TargetObject>
-				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
-				<Image condition="excludes">C:\Programdata\sysmon\sysmon64.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor Endpoint Protocol Handlers" groupRelation="and">
-				<TargetObject condition="begin with">HKCR\</TargetObject>
-				<TargetObject condition="end with">(Default)</TargetObject>
-				<TargetObject condition="excludes">\shell\open\command\(Default)</TargetObject>
-				<Details condition="begin with">URL:</Details>
-			</Rule>
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor User Protocol Handlers" groupRelation="and">
-				<TargetObject condition="begin with">HKCU\Software\Classes\</TargetObject>
-				<TargetObject condition="end with">(Default)</TargetObject>
-				<TargetObject condition="excludes">\shell\open\command\(Default)</TargetObject>
-				<Details condition="begin with">URL:</Details>
-			</Rule>
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor Endpoint File Associations" groupRelation="and">
-				<TargetObject condition="begin with">HKCR\</TargetObject>
-				<TargetObject condition="end with">\shell\open\command\(Default)</TargetObject>
-				<Details condition="contains">%1</Details>
-			</Rule>
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor User Default File Associations" groupRelation="and">
-				<TargetObject condition="begin with">HKCU\Software\Classes\</TargetObject>
-				<TargetObject condition="end with">\shell\open\command\(Default)</TargetObject>
-				<Details condition="contains">%1</Details>
-			</Rule>
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor COM Hijacking" groupRelation="and">
-				<TargetObject condition="end with">\shell\open\command\DelegateExecute</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Accessibility Features-->
-			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,Level=3,Alert=Utilman Priv Escalation,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,Level=3,Alert=sethc.exe Priv Escalation,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Session Manager\KnownDlls</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Outlook Addins" groupRelation="and">
-				<TargetObject condition="contains">Outlook\Addins</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Word Addins" groupRelation="and">
-				<TargetObject condition="contains">Word\Addins</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Excel Addins" groupRelation="and">
-				<TargetObject condition="contains">Excel\Addins</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Powerpoint Addins" groupRelation="and">
-				<TargetObject condition="contains">Powerpoint\Addins</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft VSTO Inclusions" groupRelation="and">
-				<TargetObject condition="contains">Software\Microsoft\VSTO\Security\Inclusion\</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft VSTO Solution Metadata" groupRelation="and">
-				<TargetObject condition="contains">Software\Microsoft\VSTO\SolutionMetadata\</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,Level=0,Desc=CMSTPLUA UAC Bypass" groupRelation="and">
-				<TargetObject condition="contains any">cmmgr32.exe</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="contains">UserInitMprLogonScript</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=BootVerificationProgram Autorun" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Security Support Provider-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<!--Microsoft:Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
-			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,Level=3,Alert=Suspicious Com Object Hijacking Locations,Risk=30" groupRelation="and">
-				<TargetObject condition="contains any">\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)</TargetObject>
-				<Details condition="contains any">C:\Users\Public\;$Recyclebin;\temp\;\Desktop\;\Downloads\;\Content.Outlook\;\Microsoft\Office\</Details>
-				<Details condition="excludes">C:\WINDOWS\SYSTEM32\UpdateDeploy.dll</Details>
-			</Rule>
-			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,Level=1,Desc=Com Object Hijacking Locations,Risk=30" groupRelation="and">
-				<TargetObject condition="contains any">\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)</TargetObject>
-				<Details condition="excludes">C:\WINDOWS\SYSTEM32\UpdateDeploy.dll</Details>
-			</Rule>
-			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,Level=1,Desc=TreatAs/ProgID Friendly Name Com Hijacking Evasion - check for following rundll32 -sta,Risk=30" groupRelation="and">
-				<TargetObject condition="contains any">\ProgID\(Default);\TreatAs\(Default)</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Image File Execution Options Injection-->
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,Level=1,Alert=Image File Execution Options,Risk=30" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject>
-				<TargetObject condition="contains any">Debugger;ReportingMode;MonitorProcess</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,Level=0,Alert=SilentProcessExit Globalflag Set,Risk=75" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject>
-				<TargetObject condition="contains">GlobalFlag</TargetObject>
-				<Details condition="contains">DWORD (0x00000200)</Details> <!--SilentProcessExit Dword Value-->
-			</Rule>
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Alert=SilentProcessExit Process Execution entry,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</TargetObject>
-				<TargetObject condition="contains">MonitorProcess</TargetObject> <!--SilentProcessExit Monitor Process from werfault-->
-			</Rule>
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Alert=SilentProcessExit Reporting Mode Enabled - Check for Child processes of werfault.exe,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</TargetObject>
-				<TargetObject condition="contains">ReportingMode</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details> <!--SilentProcessExit Reporting Mode Enabled-->
-			</Rule>
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Alert=SilentProcessExit Process Added,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit</TargetObject>
-				<EventType condition="is">CreateKey</EventType>
-			</Rule>
-			<Rule name="Attack=T1546,Technique=Event Triggered Execution,Tactic=Persistence,Level=3,Alert=Monitor Runtime Exeption Handler execution on crash,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules\</TargetObject>
-				<Image condition="excludes all">C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{;}\EDGEMITMP_;.tmp\setup.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,Level=3,Alert=New Scheduled Task Created,Risk=80" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
-				<TargetObject condition="end with">SD</TargetObject>
-				<TargetObject condition="excludes any">Microsoft\Windows\UpdateOrchestrator</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
-				<TargetObject condition="end with">ID</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
-				<TargetObject condition="end with">Author</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
-				<TargetObject condition="end with">Path</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
-				<TargetObject condition="end with">Date</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
-			<Rule name="Attack=T0000,Technique=Environment Value Modification,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=Environment Value Modification" groupRelation="and">
-				<EventType condition="is">SetValue</EventType>
-				<TargetObject condition="contains">\Environment\</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism: Bypass User Account Control-->
-			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,Level=4,Alert=UAC Disablement Detected" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,Level=4,Alert=ConsentPromptBehaviorAdmin Disablement Detected" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,Level=4,Alert=PromptOnSecureDesktop Disablement Detected" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
-			<TargetObject name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe</TargetObject>
-			<TargetObject name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">exefile\shell\runas\command\isolatedCommand</TargetObject>			
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Hidden</TargetObject>
-			<Rule name="Attack=T1564.002,Technique=Hide Artifacts: Hidden Users,Tactic=Defense Evasion,Level=4,Alert=User Account Hidden From Logon Screen,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\</TargetObject>
-				<TargetObject condition="end with">$</TargetObject>
- 				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
-			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=4,Alert=Stealth Sysmon Change Detected,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters</TargetObject>
-				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
-				<Image condition="excludes">C:\Programdata\sysmon\sysmon64.exe</Image>
-				<!--Customize: Add your configuration dir above-->
-			</Rule>
-			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Modification to System Exploit Protection,Risk=30" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel</TargetObject>
-				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
-			</Rule>
-			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Modification to Per-Process Exploit Protection,Risk=30" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
-				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
-				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmcompute.exe\0\MitigationOptions</TargetObject>
-				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmwp.exe\0\MitigationOptions</TargetObject>
-				<Image condition="excludes">msiexec.exe</Image>
-				<Image condition="excludes">TiWorker.exe</Image>
-			</Rule>
-			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Modification to WOW64 Per-Process Exploit Protection Mitigation Options,Risk=30" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
-				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
-				<Image condition="excludes">C:\Program Files\Microsoft Office 15\root\integration\integrator.exe</Image>
-				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acro</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="end with">DisableTaskMgr</TargetObject>
-				<Image condition="excludes">C:\WINDOWS\system32\svchost.exe</Image>
-				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,Level=4,Alert=Driver Altitude Change Detected - Causes Driver load failure on boot" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\</TargetObject>
-				<TargetObject condition="contains all">\Instances\;Altitude</TargetObject>
-				<TargetObject condition="is not">HKLM\System\CurrentControlSet\Services\CldFlt\Instances\CldFlt\Altitude</TargetObject>
-				<EventType condition="is">SetValue</EventType>
-			</Rule>
-			<!--Detect Malware & Unauthorized Changes to Outlook, Excel, Powerpoint, and Access Security to enable execution of scripts/Macros -->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=All Office Macros Enabled!,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">\Security\Level</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=1,Desc=Notifications for all macros,Risk=50" groupRelation="and">
-				<TargetObject condition="contains">\Security\Level</TargetObject>
-				<Details condition="contains">DWORD (0x00000002)</Details>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=Notifications for digitally signed macros - all other macros disabled,Risk=0" groupRelation="and">
-				<TargetObject condition="contains">\Security\Level</TargetObject>
-				<Details condition="contains">DWORD (0x00000003)</Details>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=All Office Macros Disabled without notification,Risk=0" groupRelation="and">
-				<TargetObject condition="contains">\Security\Level</TargetObject>
-				<Details condition="contains">DWORD (0x00000004)</Details>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">\Outlook\Security</TargetObject>
-				<!--Allow Outlook Details rules to fire-->
-				<TargetObject condition="excludes">\Security\Level</TargetObject>
-			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Word\Security</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Excel\Security</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Security\Level1Remove</TargetObject>
-			<!--Detect if Microsoft Security Center is Disabled or Enabled-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\HideSCAHealth</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
-			<!--Detect if Windows Defender is Disabled-->
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPSessionInterval</TargetObject>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SystemRestorePointCreationFrequency</TargetObject>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Detected disablement of machine password,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable Windows Event Logging-->
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Windows Event Log Source,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
-				<TargetObject condition="end with">\Enabled</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
-				<TargetObject condition="end with">\Enabled</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
-				<TargetObject condition="excludes">\Enabled</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging</TargetObject>
-				<TargetObject condition="end with">\EnableScriptBlockLogging</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging</TargetObject>
-				<TargetObject condition="end with">\EnableScriptBlockLogging</TargetObject>
-				<EventType condition="is any">DeleteKey;DeleteValue</EventType>
-			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of cmdline Event Logging,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">hklm\software\microsoft\windows\currentversion\policies\system\audit</TargetObject>
-				<TargetObject condition="end with">\ProcessCreationIncludeCmdLine_Enabled</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of cmdline Event Logging,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">hklm\software\microsoft\windows\currentversion\policies\system\audit</TargetObject>
-				<TargetObject condition="end with">\ProcessCreationIncludeCmdLine_Enabled</TargetObject>
-				<EventType condition="is any">DeleteKey;DeleteValue</EventType>
-			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Eventlog Security Descriptor Modification,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\Eventlog</TargetObject>
-				<TargetObject condition="end with">\CustomSD</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=0,Desc=Eventlog Size Modification,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\Eventlog</TargetObject>
-				<TargetObject condition="end with">\MaxSize</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">globallyopenports</TargetObject>
-			</Rule>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Monitor Firewall Enablement or Disablement" condition="end with">EnableFirewall</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
-
-			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=ETWEnabled Env Tampering,Risk=70" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\.NETFramework\ETWEnabled</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=Usagelog Tampering,Risk=70" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\.NETFramework\NGenAssemblyUsageLog</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=Usagelog Env Tampering,Risk=70" groupRelation="and">
-				<EventType condition="is">SetValue</EventType>
-				<TargetObject condition="contains">\Environment\NGenAssemblyUsageLog</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=COMPlus_ETWEnabled Env Tampering,Risk=70" groupRelation="and">
-				<EventType condition="is">SetValue</EventType>
-				<TargetObject condition="contains">\Environment\COMPlus_ETWEnabled</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
-			<Rule name="Forensic=Regedit history Detection,Risk=30" groupRelation="and">
-				<TargetObject condition="end with">\LastKey</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">SymbolicLinkValue</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer</TargetObject>
-				<Image condition="contains any">\AppData\;\ProgramData\;\Temp\;C:\users</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">&#x202e;</TargetObject>
-			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg</TargetObject>
-
-			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains any">\Software\Policies\Microsoft\SystemCertificates\;\SOFTWARE\Microsoft\EnterpriseCertificates\;HKLM\SOFTWARE\Microsoft\SystemCertificates\;HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
-				<EventType condition="is not">CreateKey</EventType>
-				<Image condition="excludes">C:\WINDOWS\Sysmon64.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\Sysmon.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\system32\certsrv.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\system32\CompatTelRunner.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\system32\svchost.exe</Image>
-				<Image condition="excludes">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
-				<Image condition="excludes">C:\Windows\system32\SearchProtocolHost.exe</Image>
-				<Image condition="excludes">C:\Windows\system32\taskhost.exe</Image>
-				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\System32\DriverStore\FileRepository\asus</Image>
-				<Image condition="excludes">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image>
-				<Image condition="excludes">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</Image>
-				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe</Image>
-			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">fDenyTSConnections</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Terminal Server\WinStations\RDP-Tcp</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">RDP-tcp\PortNumber</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
-			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">&#xfffd;</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains any">Й;ќ;Л;я;К</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
-			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
-			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
-			<TargetObject name="Attack=T1109,Technique=Component Firmware,Tactic=Defense Escalation/Persistence,Level=0,Desc=Detect ACPI Rootkits" condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject> <!--Detect ACPI Rootkits -->
-			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
-			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
-			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
-
-			<!--MITRE ATT&CK TACTIC: Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
-			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
-			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
-			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
-			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials: Credentials in Registry-->
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Account Name</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Display Name</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Email</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP User</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP User</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\MAPI Provider</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 User</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP User</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Desc=Credentials in Registry,Level=0,Desc=Credentials in Registry: Domain" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Desc=Credentials in Registry,Level=0,Desc=Credentials in Registry: Username" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 1,Risk=70" condition="contains">SecurityPasswordAES</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 2,Risk=70" condition="contains">OptionsPasswordAES</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 3,Risk=70" condition="contains">SecurityPasswordExported</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 4,Risk=70" condition="contains">PermanentPassword</TargetObject>
-			<!--MITRE ATT&CK TACTIC: Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
-			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-
-			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
-
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-
-			<!--MITRE ATT&CK TACTIC: Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
-			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
-			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
-
-			<!--MITRE ATT&CK TACTIC: Command and Control-->
-			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
-			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
-			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\GitForWindows</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
-			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
-
-			<!--MITRE ATT&CK TACTIC: Exfiltration-->
-
-			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
-			<!--MITRE ATT&CK TACTIC: Impact-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
-			<Rule name="Attack=T1531,Technique=Account Access Removal,Tactic=Impact,Level=1,Desc=User Account Deleted" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
-				<EventType condition="is">DeleteKey</EventType>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
-			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
-			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
-			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
-			<Rule name="Attack=T1485,Technique=Inhibit System Recovery,Tactic=Impact,Level=0,Desc=VSS Disablement Detection,Risk=70" groupRelation="and">
-				<TargetObject condition="contains">\Services\VSS\Diag\(Default)</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
-			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
-			<!-- UEBA/Uncategorized Detections-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters</TargetObject>
-			</Rule>
-			<Rule name="Forensic=Regedit history Detection,Risk=30" groupRelation="and">
-				<TargetObject condition="end with">\LastKey</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="end with">\WinStationsDisabled</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="end with">\TSServerDrainMode</TargetObject>
-			</Rule>
-			<Rule name="Forensic=IE history Detection" groupRelation="and">
-				<TargetObject condition="end with">\TypedURLs</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\disabledcomponents</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Linkage\Bind</TargetObject>
-				<Details condition="excludes">Binary Data</Details>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">services\http\parameters\urlaclinf</TargetObject>
-			</Rule>
-			<Rule name="Forensic=Adobe Recent File List History" groupRelation="and">
-				<TargetObject condition="contains">cRecentFiles\c1\</TargetObject>
-				<TargetObject condition="end with">tDIText</TargetObject>
-			</Rule>
-			<Rule name="Forensic=Office History MRU" groupRelation="and">
-				<TargetObject condition="end with">\File MRU\Item 1</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHash</TargetObject>
-			</Rule>
-			<!--Common Malware Persistence locations-->
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Windows\Load</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Windows\Run</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Winlogon\Shell</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Winlogon\System</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			<TargetObject name="Attack=T1562.006,Technique=Impair Defenses: Indicator Blocking,Tactic=Defense Evasion,Level=0,Desc=ETW Tampering,Risk=70" condition="end with">SOFTWARE\Microsoft\.NETFramework\ETWEnabled</TargetObject>
-			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=2,Alert=AutoRun Keys,Risk=70" condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Policies\System\Shell</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">PreferenceMACs\Default\extensions.settings</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CurrentVersion\URL</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\CurrentVersion\Font Drivers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Active Setup\Installed Components</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">NullSessionShares</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">NullSessionPipes</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">PasswordExpiryNotification</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">SafeBoot\AlternateShell</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Desktop\Scrnsave.exe</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DisplayVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\ModifyPath</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Microsoft\Windows\CurrentVersion\Uninstall\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\UninstallString</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
-			<!--CLSID launch commands and file association changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Explorer\FileExts\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
-			<TargetObject name="Forensic=User SID History for Forensics" condition="end with">\ProfileImagePath</TargetObject><!--Lets Get SID History and other info for Forensics, this is created on logon-->
-			<!--Windows shell hijack-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Hidden</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\HideFileExt</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\SharedTaskScheduler</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ColumnHandlers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\CopyHookHandlers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ExtShellFolderViews</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\PropertySheetHandlers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ShellServiceObjects</TargetObject>
-			<!--AppPaths hijacking-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<!--Terminal service boobytraps-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
-			<!--Group Policy interity-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
-			<!--Winsock and Winsock2-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DisableSecuritySettingsCheck</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">SavedLegacySettings</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">EnableConsoleTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">EnableFileTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<!--Credential providers-->
-			<TargetObject name="Attack=T1177,Tactic=Execution/Persistence,Technique=LSASS Driver,Level=3,Alert=Detection of Modification of LSASS Protection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
-			<!--Networking-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
-			<TargetObject name="Forensic=Monitor Network History" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
-			<!--DLLs that get injected into every process launch-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
-			<!--Office-->
-			<!--Microsoft Office-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Office Test\</TargetObject> <!-- [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
-			<!--Removed addins on 11/13/2018 due to high count-->
-			<!--IE-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
-			<!--Magic registry keys-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
-			<!--Infection artifacts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and component installations-->
-			<!--Windows internals integrity monitoring-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">TamperProtection</TargetObject> <!--Microsoft:Defender: Detect changes to Defender TamperProtection -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
-			<!--Group Policy Scripts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
-			<!--Detect Network History-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Nameserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DefaultGateway</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">}\Category</TargetObject><!--Networking: Detect Network type change-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Trusted Documents\TrustRecords</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Software\Microsoft\VBA\7.1\Common</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Software\Microsoft\VBA\7.1\Trusted</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Security\DontTrustInstalledFiles</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Security\Trusted Locations</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Security\ProtectedView\DisableInternetFilesInPV</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Security\ProtectedView\DisableAttachmentsInPV</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">Security\ProtectedView\DisableUnsafeLocationsInPV</TargetObject>
-			<TargetObject name="Forensic=WinRAR History" condition="contains">Software\WinRAR\ArcHistory</TargetObject>
-			<TargetObject name="Forensic=Winzip History" condition="contains">WinZip\mru\</TargetObject>
-			<TargetObject name="Forensic=Misc Recent File List History" condition="contains">Recent File List</TargetObject>
-			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Inbox</TargetObject>
-			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\Today\UserDefinedUrl</TargetObject>
-			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Calendar Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Calendar</TargetObject>
-			<TargetObject name="Forensic=Office History" condition="contains">\Place MRU</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\LinkDate</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DriverVerVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\DriverVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\LowerCaseLongPath</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Publisher</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Compatibility Assistant\Store\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\BinProductVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Root\InventoryApplicationShortcut\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Root\InventoryDriverBinary\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Root\InventoryDeviceContainer\</TargetObject>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">Root\InventoryApplication\</TargetObject>
-				<TargetObject condition="contains any">ProgramID;Name;Version;Publisher;Language;InstallDate;Source;RootDirPath;HiddenArp;UninstallString;RegistryKeyPath;UserSID;sha256</TargetObject>
-			</Rule>			
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">Root\InventoryApplicationFile\</TargetObject>
-				<TargetObject condition="contains any">ProgramId;FileId;LowerCaseLongPath;Name;OriginalFileName;Publisher;Version;binfileversion;LinkDate;Size;Language;USN;IsPeFile;IsOsComponent;sha256;AppxPackageFullName</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains">Root\InventoryApplicationAppV\</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetObject condition="contains any">Root\InventoryMiscellaneousOfficeAddIn;Root\InventoryMiscellaneousOfficeIdentifiers;Root\InventoryMiscellaneousOfficeIESettings;Root\InventoryMiscellaneousOfficeInsights;Root\InventoryMiscellaneousOfficeProducts;Root\InventoryMiscellaneousOfficeSettings;Root\InventoryMiscellaneousOfficeVBA;Root\InventoryMiscellaneousOfficeVBARuleViolations</TargetObject>
-			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Explorer\MountPoints2</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices</TargetObject>
-			<Rule name="Attack=T1489,Technique=Service Stop,Tactic=Impact,Level=1,Desc=Service Set for Deletion" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\DeleteFlag</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details>
-			</Rule>
-			<!--Detect User Activity-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\bluetooth</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\contacts</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\hunmanInterfaceDevice</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\location</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\microphone</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\usb\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\webcam</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">LastVisitedMRU</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
-			<TargetObject name="Forensic=Run MRU" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
-			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=4,Alert=Safeboot Service Added" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject> <!--Mitre T1198-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject><!--Mitre T1198-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> 
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\FriendlyName</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
-			<!--Windows application compatibility shims-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
-			<!-- NOTICE: Detect New USB Network Devices: Poison Tap: Creates lots of noise, disabled for now-->
-			<Rule name="Alert=Detect PoisonTap,FP=2,Comment=May be noisy" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
-				<Details condition="contains any">ndis;rndis</Details>
-			</Rule>
-			<TargetObject name="Attack=T1090,Technique=Connection Proxy,Tactic=Defense Evasion,Level=0,Desc=NetSH PortProxy Detected" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4</TargetObject>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Alert=Possible Ursniff Malware Detected,FP=1" groupRelation="and">
-				<TargetObject condition="contains">\Software\AppDataLow\Software\Microsoft\</TargetObject>
-				<Details condition="contains any">.exe;.dll;powershell;wmic</Details>
-			</Rule>
-			<TargetObject name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=4,Alert=Office Persistence Location,Risk=70" condition="end with">Software\Microsoft\Office test\Special\Perf</TargetObject>
-			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\CurrentControlSet\Services\NTDS\LsaDbExtPt</TargetObject>
-			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\Services\NTDS\DirectoryServiceExtPt</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=GoToMyPC File Transfer History,Risk=70" condition="contains">GoToMyPc\FileTransfer\history</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=GoToMyPC Guest Invite,Risk=70" condition="contains">GoToMyPc\GuestInvite</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=LogMeIn File Transfer Recipient" condition="contains">Filesharing</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=LogMeIn Guest Recipient" condition="contains">DesktopSharing</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=Teamviewer LogIncomingConnections Registry Key modification" condition="contains">LogIncomingConnections</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=Teamviewer LogOutgoingConnection Registry Key modification" condition="contains">LogOutgoingConnections</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=Teamviewer Password Registry Key date" condition="contains">PermanentPasswordDate</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=4,Alert=Teamviewer adminrights Key modification,Risk=70" condition="contains">Security_Adminrights</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=3,Alert=VNC Incoming Connection History,Risk=70" condition="contains">vncviewer\MRU</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Autostart Key modification" condition="contains">Autostart_GUI</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Meeting Username Registry Key modification" condition="end with">Meeting_UserName</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Persistence Login Name" condition="end with">BuddyLoginName</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Persistence Token ID modification" condition="end with">BuddyLoginTokenID</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer persistence Key modification" condition="contains">Always_Online</TargetObject>
-			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Potential Ransomware Indicator: EnableLinkedConnections Registry key,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\CurrentVersion\Policies\System\EnableLinkedConnections</TargetObject>
-			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Potential Ransomware Indicator: REvil Sodinokibi Sodin Ransomware,Risk=100" condition="contains">Software\recfg</TargetObject>
-			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Preload\</TargetObject>
-			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Substitutes\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\</TargetObject> 
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Client\Enabled</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">\Server\Enabled</TargetObject>
-			<TargetObject name="Forensic=Kitty Sessions,Risk=30" condition="contains">Kitty\Sessions</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
-			<TargetObject name="Forensic=Putty Sessions,Risk=30" condition="contains">PuTTY\Sessions</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Terminal Server Client\Servers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">WinSCP 2\Sessions</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">WinSCP 2\Sessions</TargetObject>
-		</RegistryEvent>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
-	<!--EVENT 15: "File stream created"-->
-	<RuleGroup name="RG=ADS Include Group" groupRelation="or">
-		<FileCreateStreamHash onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
-				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.vbs;.hta</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=HTML_Smuggling,Risk=50" groupRelation="and">
-				<TargetFilename condition="end with">:Zone.Identifier</TargetFilename>
-				<Contents condition="contains any">blob:;about:internet</Contents>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=FireEye sunburst file hashes,Risk=100" groupRelation="and">
-				<Hash condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hash><!-- exclude non executable files -->
-			</Rule>
-			<Rule name="Attack=T1096,Technique=Alternate Data Streams,Tactic=Defense Evasion,Level=0,Desc=Alternate Data Streams,Risk=10" groupRelation="and">
-				<TargetFilename condition="contains any">Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonEnte Detection,Level=4,Risk=100" groupRelation="and">
-				<Hash condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hash>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonQuiet Detection,Level=4,Risk=100" groupRelation="and">
-				<Hash condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hash>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SharpEvtMute Detection,Level=4,Risk=100" groupRelation="and">
-				<Hash condition="contains">IMPHASH=330768a4f172e10acb6287b87289d83b</Hash>
-			</Rule>
-		</FileCreateStreamHash>
-	</RuleGroup>
-	<RuleGroup name="RG=ADS Exclude Group" groupRelation="or">
-		<FileCreateStreamHash onmatch="exclude">
-			<Hash condition="contains">IMPHASH=00000000000000000000000000000000</Hash>
-			<TargetFilename condition="contains">AppData\Local\Microsoft\Windows\AppCache\</TargetFilename>
-			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\</TargetFilename>
-			<TargetFilename condition="contains">\Microsoft\Windows\Temporary Internet Files\Content.IE5</TargetFilename> 
-			<TargetFilename condition="contains">\Mozilla\Firefox\Profiles\</TargetFilename>
-			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename>
-			<TargetFilename condition="end with">Microsoft\Windows\Start Menu\Programs\Startup</TargetFilename>
-		</FileCreateStreamHash>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
-	<!--EVENT 16: "Sysmon config state changed"-->
-	<!--COMMENT:	This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16-->
-	<!--DATA: RuleName, UtcTime, Configuration, ConfigurationFileHash-->
-	<!--Cannot be filtered.-->
-
-	<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent]-->
-	<!--EVENT 17: "Pipe Created"-->
-	<!--EVENT 18: "Pipe Connected"-->
-	<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
-	<RuleGroup name="RG=PipeEvent Include Group" groupRelation="or">
-		<PipeEvent onmatch="include">
-			<Rule name="Attack=T1071,Technique=Application Layer Protocol,Tactic=Command and Control,Level=4,Alert=Cobalt Strike named pipe detected,Risk=100" groupRelation="and">
-				<PipeName condition="contains any">msagent_;\MSSE-;postex;\status_</PipeName>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=NA,Level=4,Alert=Turla Advanced Persistent Threat Named Pipe Detection,Risk=100" groupRelation="and">
-				<PipeName condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
-			</Rule>
-			<Rule name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,Level=4,Alert=lateral movement: psexec named pipe detected" groupRelation="or">
-				<PipeName condition="contains">\PSEXESVC</PipeName>
-				<PipeName condition="end with">-stdin</PipeName>
-				<PipeName condition="end with">-stdout</PipeName>
-			</Rule>
-			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=MS-SCMR Execution" groupRelation="or">
-				<PipeName condition="contains">\svcctl</PipeName>
-			</Rule>
-			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=NTSVCS Execution" groupRelation="or">
-				<PipeName condition="contains">\ntsvcs</PipeName>
-			</Rule>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=9f81f59bc58452127884ce513865ed20 Named Pipe Detection,Risk=100" condition="contains">\9f81f59bc58452127884ce513865ed20</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=46a676ab7f179e511e30dd2dc41bd388 Named Pipe Detection,Risk=100" condition="contains">\46a676ab7f179e511e30dd2dc41bd388</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Kekeo Named Pipe Detection,Risk=100" condition="contains">tssmp_endpoint</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=NamePipe_MoreWindows Named Pipe Detection,Risk=100,Risk=100" condition="contains">\NamePipe_MoreWindows</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=WCEServicePipe detected,Risk=100" condition="contains">\WCEServicePipe</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=ahexec Named Pipe Detection,Risk=100" condition="contains">\ahexec</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=cachedump detected,Risk=100" condition="contains">\cachedumppipe</PipeName><!-- Credits @9f81f59bc58452127884ce513865ed20Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=csexec Named Pipe Detection,Risk=100" condition="contains">\csexec</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=e710f28d59aa529d6792ca6ff0ca1b34 Named Pipe Detection,Risk=100" condition="contains">\e710f28d59aa529d6792ca6ff0ca1b34</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_dg2 Named Pipe Detection,Risk=100" condition="contains">\isapi_dg</PipeName><!-- Credits @Cyb3rops & @olafhartong-->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100" condition="contains">\isapi_http</PipeName><!-- Credits @Cyb3rops & @olafhartong-->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100" condition="contains">\isapi_http</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=lsadump detected,Risk=100" condition="contains">\lsadump</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=lsassw Named Pipe Detectio,Risk=10" condition="contains">\lsassw</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=paexec Named Pipe Detection,Risk=100" condition="contains">\paexec</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=pcheap_reuse Named Pipe Detection" condition="contains">\pcheap_reuse</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Covanant C2 Named Pipe Detection" condition="contains">\gruntsvc</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=remcom Named Pipe Detection,Risk=100" condition="contains">\remcom</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=rpchlp_3 Named Pipe Detection,Risk=100" condition="contains">\rpchlp_3</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=sdlrpc Named Pipe Detection,Risk=100" condition="contains">\sdlrpc</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=winsession Named Pipe Detection,Risk=100" condition="contains">\winsession</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,Alert=lateral movement -meterpreter named pipe detected,Risk=100" condition="contains">msf-pipe</PipeName>
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\atsvc</PipeName> <!-- useful for lm or exec over atsvc namedpipe -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 1" condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\DserNamedPipe;\mypipe-;\windows.update.manager;\ntsvcs_;scerpc_;\demoagent;\PGMessagePipe;\MsFTeWds;\f4c3;\fullduplex_;\msrpc_;\f53f;\rpc_;\spoolss_;\win_svc;\SearchTextHarvester</PipeName>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=EFSPotato Named Pipe Detection" groupRelation="and">
-				<PipeName condition="contains any">\pipe\</PipeName>
-				<PipeName condition="excludes">CtxSharefilepipe0</PipeName>
-			</Rule>
-			<!-- Noisy
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\srvsvc</PipeName>
-			-->
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\winreg</PipeName> <!-- useful for lateral movement and users enumeration, psloggedon use this technique -->
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Anonymous Pipe</PipeName><!--Include Everything else to mark above rules-->
-			<!--Include Everything else to mark above rules-->
-			<!-- Disabled for now
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">\</PipeName>
-			-->
-		</PipeEvent>
-	</RuleGroup>
-	<RuleGroup name="RG=PipeEvent Exclude Group" groupRelation="or">
-		<PipeEvent onmatch="exclude">
-		<EventType name="Exclude ConnectPipe for noise reduction" condition="is">ConnectPipe</EventType>
-		<!--COMMENT: Exclude known-good pipe users-->
-				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
-				<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
-			<!--SECTION: Microsoft-->
-			<PipeName condition="contains">lsass</PipeName>
-			<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
-			<PipeName condition="is">\spoolss</PipeName>
-			<Image condition="image">C:\Windows\system32\wbem\wmiprvse.exe</Image> <!-- Rediculous amount of spam, likely spikes cpu if logged -->
-			<Image condition="image">C:\Windows\System32\LxRun.exe</Image> <!--WSL-->
-			<Image condition="image">C:\Windows\System32\SearchIndexer.exe</Image>
-			<Image condition="image">C:\Windows\System32\smss.exe</Image>
-			<Image condition="image">C:\Windows\System32\spoolsv.exe</Image>
-			<Image condition="image">C:\Windows\System32\wininit.exe</Image>
-			<Image condition="image">C:\Windows\system32\DFSRs.exe</Image>
-			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
-			<Rule name="ngen excludes" groupRelation="and">
-				<Image condition="begin with">C:\Windows\Microsoft.NET\Framework</Image>
-				<Image condition="end with">\ngen.exe</Image>
-			</Rule>
-			<Rule name="ShellExperienceHost excludes" groupRelation="and">
-				<Image condition="begin with">C:\Windows\SystemApps\ShellExperienceHost_</Image>
-				<Image condition="end with">\ShellExperienceHost.exe</Image>
-			</Rule>
-			<Image condition="image">C:\Windows\system32\SearchProtocolHost.exe</Image>
-			<Image condition="image">\System</Image>
-			<PipeName condition="contains">ProtectedPrefix\LocalService\FTHPIPE</PipeName>
-			<!--SECTION: Microsoft Exchange Server -->
-			<Image condition="contains">Exchange Server</Image>
-			<!--SECTION: Microsoft IIS -->
-			<Image condition="image">C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE</Image>
-			<Image condition="image">C:\Windows\syswow64\snmp.exe</Image>
-			<Image condition="image">c:\windows\system32\inetsrv\w3wp.exe</Image>
-			<PipeName condition="begin with">\M.E.C.Core.WinRMDataCommunicator.NamedPipe.</PipeName>
-			<!--SECTION: Microsoft DNS Server -->
-			<Image condition="image">C:\Windows\system32\dns.exe</Image>
-			<!--SECTION: Microsoft SQL Server -->
-			<PipeName condition="is">\sql\query</PipeName>
-			<Image condition="image">C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe</Image>
-			<PipeName condition="contains">\TDLN-</PipeName>
-			<PipeName condition="contains">vmware-</PipeName>
-			<PipeName condition="is">\InitShutdown</PipeName>
-			<PipeName condition="is">\MsFteWds</PipeName>
-			<PipeName condition="is">\W32TIME_ALT</PipeName>
-			<PipeName condition="is">\WiFiNetworkManagerTask</PipeName>
-			<PipeName condition="is">\Winsock2CatelogChangeListener</PipeName>
-			<PipeName condition="is">\browser</PipeName>
-			<PipeName condition="is">\epmapper</PipeName>
-			<PipeName condition="is">\eventlog</PipeName>
-			<PipeName condition="is">\scerpc</PipeName>
-			<PipeName condition="is">\wkssvc</PipeName>
-			<PipeName condition="is">\ntapvsrq</PipeName>
-			<PipeName condition="contains">Anonymous Pipe</PipeName>
-		</PipeEvent>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
-	<!--EVENT 19: "WmiEventFilter activity detected"-->
-	<!--EVENT 20: "WmiEventConsumer activity detected"-->
-	<!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->
-	<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
-	<RuleGroup name="RG=WmiEvent Include Group" groupRelation="or">
-		<WmiEvent onmatch="include">
-			<Operation name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="is">Created</Operation>
-		</WmiEvent>
-	</RuleGroup>
-	<!-- SYSMON EVENT ID 22 : DNS Queries-->
-	<RuleGroup name="RG=DNS Query Includes" groupRelation="or">
-		<DnsQuery onmatch="include">
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=Powershell TXT Record exfiltration" groupRelation="and">
-				<QueryResults condition="contains any">type: 16;type:  16</QueryResults>
-				<Image condition="image">powershell.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Powershell,Tactic=Execution,Level=4,Alert=Powershell Connection to github" groupRelation="and">
-				<QueryName condition="contains">github</QueryName>
-				<Image condition="image">powershell.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">powershell;cscript.exe;wscript.exe;mshta.exe;bitsadmin.exe;\cmd.exe</Image>
-				<QueryName condition="contains">.</QueryName>
-			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=Dropbox Cloud Exfiltration" groupRelation="and">
-				<QueryName condition="end with">dropboxapi.com</QueryName>
-				<Image condition="excludes any">\Dropbox\Client\Dropbox.exe;\Dropbox\bin\Dropbox.exe;\Oracle\Java\</Image>
-			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=OneDrive Cloud Exfiltration" groupRelation="and">
-				<QueryName condition="contains">1drv</QueryName>
-				<Image condition="excludes any">\AppData\Local\Microsoft\OneDrive\OneDrive.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;\Internet Explorer\iexplore.exe;C:\Windows\System32\AppHostRegistrationVerifier.exe;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe;C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe;C:\Program Files\Mozilla Firefox\firefox.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=Box.com Cloud Exfiltration" groupRelation="and">
-				<QueryName condition="contains all">.box.com;upload</QueryName>
-			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=Mega.co.nz Cloud Exfiltration" groupRelation="and">
-				<QueryName condition="contains any">mega.nz;mega.co.nz</QueryName>
-			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=Privatlab Cloud Exfiltration" groupRelation="and">
-				<QueryName condition="contains any">privatlab.com</QueryName>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst domains,Risk=100" groupRelation="or">
-				<QueryName condition="contains any">thedoccloud.com;deftsecurity.com;websitetheme.com;highdatabase.com;incomeupdate.com;zupertech.com;panhardware.com;databasegalore.com;avsvmcloud.com;freescanonline.com</QueryName>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
-				<QueryName condition="contains any">tiktok;parler.com;gab.com;mewe.com;4chan;8chan;facebook;fbcdn;twitter;instagram;snapchat</QueryName>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
-				<QueryName condition="contains any">efnet;undernet;freenode;ircnet;.rizon;quakenet;oftc.net;dalnet</QueryName>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<QueryName condition="contains any">.slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com</QueryName>
-			</Rule>
-			<!--Crypto Currency Mining pools-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=10"  groupRelation="or">
-				<QueryName condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.nimpool.io;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool;analytics.blue;estream.to</QueryName>
-			</Rule>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">graph.microsoft.com</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">dl.dropboxusercontent.com</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="is">api.onedrive.com</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">zoom.us</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">teamviewer</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains">Screenconnect</QueryName>
-			<!--Public Port Scan Detection-->
-			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery" condition="contains">census</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=ResearchScan DNS Query" condition="contains">researchscan</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=ScanHub DNS Query" condition="contains">scanhub</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=Shadow DNS Query,Risk=20" condition="contains">shadow</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=Shodan.IO DNS Query,Risk=20" condition="contains">shodan</QueryName>
-			<!--Domain TLD's to log-->
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.download</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.kp</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.su</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ss</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xn</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.sy</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ve</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xxx</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.cn</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.click</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.club</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ir</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ru</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.host</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.icu</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.pw</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.website</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ninja</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.rocks</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.top</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.ua</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="end with">.xyz</QueryName>
-			<!--Malware Domains-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<QueryName condition="contains any">kuternull.com;rimrun.com;0ffice36o;asushotfix;infestexe;rahasn.webhop.org;rahasn.akamake.net;rahasn.homewealth.biz;winodwsupdates;israirairlines</QueryName>
-			</Rule>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="contains any">githubusercontent.com;github.com</QueryName> 
-			<!--Common Suspicious destinations-->
-			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=0,Desc=Malware IP Check,Risk=30" condition="contains any">api.ipify.org;whatismyipaddress.com;edns.ip-api.com;checkip.dyndns.org;icanhazip.com;ifconfig.me;ifconfig.co;ipaddress.com;ipecho.net;ident.me;api.ip.sb;www.myexternalip.com;ip.anysrc.net;wtfismyip.com;myexternalip.com;ipecho.net;checkip.amazonaws.com;goo.gl;git.io;bit.ly;ow.ly;ip-api.com</QueryName> <!--Malware uses to get external IP address-->
-			<!-- Malicious/Suspicious hosting domains-->
-			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=4,Alert=Common Malware Hosting Domain: Tiny-share.com,Risk=30" condition="contains any">tiny-share.com;paste.ee;pastebin.com</QueryName>
-			<!--Dynamic DNS Lookups-->
-			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=3,Alert=Dynamic DNS Query" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</QueryName>
-			<QueryName name="Attack=T1188,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=4,Alert=Tor2Web,Risk=100" condition="contains any">darknet.to;hiddenservice.net;onion.cab;onion.city;onion.direct;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org</QueryName>
-			<QueryName name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=DNS Over HTTPS Detected" condition="contains any">adblock.mydns.network;ibksturm.synology.me;jcdns.fun;ibuki.cgnat.net;dns.twnic.tw;commons.host;doh.dnswarden.com;dns-nyc.aaflalo.me;dns.aaflalo.me;doh.appliedprivacy.net;doh.captnemo.in;doh.tiar.app;doh.tiarap.org;doh.defaultroutes.de;doh.dns.sb;dns.oszx.co;2.dnscrypt-cert.oszx.co;dnscrypt;edns.233py.com;hk-dns.233py.com;hk2dns.233py.com;hkdns.233py.com;hkdns.233py.com;ndns.233py.com;sdns.233py.com;wdns.233py.com;pastebin.com;dns.adguard.com;dns-family.adguard.com;security-filter-dns.cleanbrowsing.org;family-filter-dns.cleanbrowsing.org;adult-filter-dns.cleanbrowsing.org;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;dns.google;doh.opendns.com;dns.quad9.net;dns9.quad9.net;dns10.quad9.net;dns11.quad9.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;doh-ch.blahdns.com;doh-de.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;doh-2.seby.io;doh.seby.io;rdns.faelix.net;doh.li;doh.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">gc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_kerberos._tcp.dc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_kerberos._udp.dc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">wpad</QueryName>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level==3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
-				<QueryName condition="begin with">_ldap.</QueryName>
-				<Image condition="excludes">C:\Windows\</Image>
-				<Image condition="excludes">unknown process</Image>
-				<Image condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</Image>
-			</Rule>
-			<!--
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  28</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  5</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  15</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  2</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  12</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  6</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  99</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" condition="begin with">type:  33</QueryResults>
-			-->
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
-		</DnsQuery>
-	</RuleGroup>
-	<RuleGroup name="RG=DNS Query Excludes" groupRelation="or">
-		<DnsQuery onmatch="exclude">
-			<!-- Image Exclusions -->
-			<Image condition="begin with">C:\Program Files (x86)\Admin Arsenal\</Image>
-			<Image condition="begin with">C:\Program Files (x86)\CheckPoint\</Image>
-			<Image condition="begin with">C:\Program Files (x86)\Fortinet\</Image>
-			<Image condition="begin with">C:\Program Files (x86)\OpenDNS\OpenDNS Connector</Image>
-			<Image condition="begin with">C:\Program Files (x86)\Razer\Razer Services\</Image>
-			<Image condition="begin with">C:\Program Files (x86)\Trend Micro\</Image>
-			<Image condition="begin with">C:\Program Files (x86)\VMware</Image>
-			<Image condition="begin with">C:\Program Files (x86)\Veeam\</Image>
-			<Image condition="begin with">C:\Program Files\CheckPoint\</Image>
-			<Image condition="begin with">C:\Program Files\Trend Micro\</Image>
-			<Image condition="end with">Slack.exe</Image>
-			<Image condition="end with">\controls\cef\ConnectWise.exe</Image>
-			<Image condition="end with">git-remote-https.exe</Image>
-			<Image condition="image">C:\Program Files (x86)\Enpass\Enpass.exe</Image>
-			<Image condition="image">C:\Program Files (x86)\Fiserv\Vision\VisionGUI.NET.exe</Image>
-			<Image condition="image">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image>
-			<Image condition="image">C:\Program Files (x86)\Lenovo\System Update\Tvsukernel.exe</Image>
-			<Image condition="image">C:\Program Files\VMware\vCenter Server\jre\bin\java.exe</Image>
-			<Image condition="image">C:\Program Files\VMware\vCenter Server\python\python.exe</Image>
-			<Image condition="image">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
-			<Image condition="image">C:\Windows\System32\dsregcmd.exe</Image>
-			<Image condition="image">C:\Windows\sysmon64.exe</Image>
-			<Image condition="image">C:\Windows\sysmon.exe</Image>
-			<QueryName condition="begin with">brave-sync.s3.dualstack.</QueryName>
-			<QueryName condition="end with">.salesforceliveagent.com</QueryName>
-			<QueryName condition="is">ads-serve.brave.com</QueryName>
-			<!--Network noise-->
-			<QueryName condition="end with">.msftncsi.com</QueryName> <!--Microsoft proxy detection | Microsoft default exclusion-->
-			<QueryName condition="is">..localmachine</QueryName>
-			<!--Microsoft-->
-			<QueryName condition="end with">-pushp.svc.ms</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
-			<QueryName condition="end with">.b-msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
-			<QueryName condition="end with">.bing.com</QueryName> <!-- Microsoft | Microsoft default exclusion -->
-			<QueryName condition="end with">.hotmail.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.live.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.live.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.microsoft.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.microsoftonline.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.microsoftstore.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.ms-acdc.office.com</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
-			<QueryName condition="end with">.msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
-			<QueryName condition="end with">.msn.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.msocdn.com</QueryName> <!--Microsoft-->
-			<QueryName condition="end with">.s-microsoft.com</QueryName> <!--Microsoft-->
-			<QueryName condition="end with">.skype.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.skype.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.windows.com</QueryName> <!--Microsoft-->
-			<QueryName condition="end with">.windows.net.nsatc.net</QueryName> <!--Microsoft-->
-			<QueryName condition="end with">.windowsupdate.com</QueryName> <!--Microsoft-->
-			<QueryName condition="end with">.xboxlive.com</QueryName> <!--Microsoft-->
-			<QueryName condition="is">login.windows.net</QueryName> <!--Microsoft-->
-			<!--Microsoft:Office365/AzureAD-->
-			<QueryName condition="end with">.activedirectory.windowsazure.com</QueryName> <!--Microsoft: AzureAD-->
-			<QueryName condition="end with">.msauth.net</QueryName>
-			<QueryName condition="end with">.msftauth.net</QueryName>
-			<QueryName condition="end with">.opinsights.azure.com</QueryName> <!--Microsoft: AzureAD/InTune client event monitoring-->
-			<QueryName condition="is">management.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
-			<QueryName condition="is">outlook.office365.com</QueryName> <!--Microsoft: Protected by HSTS-->
-			<QueryName condition="is">portal.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
-			<!--3rd-party applications-->
-			<QueryName condition="end with">.mozaws.net</QueryName> <!--Mozilla-->
-			<QueryName condition="end with">.mozilla.com</QueryName> <!--Mozilla-->
-			<QueryName condition="end with">.mozilla.net</QueryName> <!--Mozilla-->
-			<QueryName condition="end with">.mozilla.org</QueryName> <!--Mozilla-->
-			<QueryName condition="end with">.spotify.com</QueryName> <!--Spotify-->
-			<QueryName condition="end with">.spotify.map.fastly.net</QueryName> <!--Spotify-->
-			<QueryName condition="end with">googleapis.com</QueryName> <!--Google-->
-			<QueryName condition="is">clients1.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">clients2.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">clients3.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">clients4.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">clients5.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">clients6.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">cloudsearch.googleapis.com</QueryName> <!--Google-->
-			<QueryName condition="is">id.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">safebrowsing.googleapis.com</QueryName> <!--Google-->
-			<QueryName condition="is">www.googleapis.com</QueryName> <!--Google-->
-			<!--Goodlist CDN-->
-			<QueryName condition="end with">.akadns.net</QueryName> <!--AkamaiCDN, extensively used by Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.netflix.com</QueryName>
-			<QueryName condition="end with">.typekit.net</QueryName> <!--Adobe fonts-->
-			<QueryName condition="end with">aspnetcdn.com</QueryName> <!--Microsoft [ https://docs.microsoft.com/en-us/aspnet/ajax/cdn/overview ]-->
-			<QueryName condition="is">ajax.googleapis.com</QueryName>
-			<QueryName condition="is">cdnjs.cloudflare.com</QueryName>
-			<QueryName condition="is">cdnjs.cloudflare.com</QueryName> <!--Cloudflare: Hosts popular javascript libraries-->
-			<QueryName condition="is">fonts.googleapis.com</QueryName> <!--Google fonts-->
-			<!--Personal-->
-			<QueryName condition="end with">.steamcontent.com</QueryName> <!--If you seriously host malware C2 in game binaries in Steam, I give up-->
-			<!--Web resources-->
-			<QueryName condition="end with">.disqus.com</QueryName> <!--Microsoft default exclusion-->
-			<QueryName condition="end with">.fontawesome.com</QueryName>
-			<QueryName condition="is">disqus.com</QueryName> <!--Microsoft default exclusion-->
-			<!--Ads-->
-			<QueryName condition="end with">.1rx.io</QueryName> <!--Ads-->
-			<QueryName condition="end with">.2mdn.net</QueryName> <!--Ads: Google | Microsoft default exclusion-->
-			<QueryName condition="end with">.adadvisor.net</QueryName> <!--Ads: Neustar [ https://better.fyi/trackers/adadvisor.net/ ] -->
-			<QueryName condition="end with">.adap.tv</QueryName> <!--Ads:AOL | Microsoft default exclusion [ https://www.crunchbase.com/organization/adap-tv ] -->
-			<QueryName condition="end with">.addthis.com</QueryName> <!--Ads:Oracle | Microsoft default exclusion [ https://en.wikipedia.org/wiki/AddThis ] -->
-			<QueryName condition="end with">.adform.net</QueryName> <!--Ads-->
-			<QueryName condition="end with">.adnxs.com</QueryName> <!--Ads: AppNexus | Microsoft default exclusion-->
-			<QueryName condition="end with">.adroll.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.adrta.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.adsafeprotected.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.adsrvr.org</QueryName> <!--Ads-->
-			<QueryName condition="end with">.advertising.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.analytics.yahoo.com</QueryName> <!--Ads:Yahoo-->
-			<QueryName condition="end with">.aol.com</QueryName> <!--Ads | Microsoft default exclusion -->
-			<QueryName condition="end with">.betrad.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.bidswitch.net</QueryName> <!--Ads-->
-			<QueryName condition="end with">.casalemedia.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.chartbeat.net</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/chartbeat.com/ ]-->
-			<QueryName condition="end with">.cnn.com</QueryName> <!-- Microsoft default exclusion-->
-			<QueryName condition="end with">.convertro.com</QueryName> <!--Ads:Verizon-->
-			<QueryName condition="end with">.criteo.com</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
-			<QueryName condition="end with">.criteo.net</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
-			<QueryName condition="end with">.crwdcntrl.net</QueryName> <!--Ads: Lotame [ https://better.fyi/trackers/crwdcntrl.net/ ] -->
-			<QueryName condition="end with">.demdex.net</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.domdex.com</QueryName> 
-			<QueryName condition="end with">.dotomi.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.doubleclick.net</QueryName> <!--Ads:Conversant | Microsoft default exclusion [ https://www.crunchbase.com/organization/dotomi ] -->
-			<QueryName condition="end with">.doubleverify.com</QueryName> <!--Ads: Google-->
-			<QueryName condition="end with">.emxdgt.com</QueryName> <!--Ads: EMX-->
-			<QueryName condition="end with">.exelator.com</QueryName> <!--Ads:Nielson Marketing Cloud-->
-			<QueryName condition="end with">.google-analytics.com</QueryName> <!--Ads:Google | Microsoft default exclusion-->
-			<QueryName condition="end with">.googleadservices.com</QueryName> <!--Google-->
-			<QueryName condition="end with">.googlesyndication.com</QueryName> <!--Ads:Google, sometimes called during malicious ads, but not directly responsible | Microsoft default exclusion [ https://www.hackread.com/wp-content/uploads/2018/06/Bitdefender-Whitepaper-Zacinlo.pdf ]-->
-			<QueryName condition="end with">.googletagmanager.com</QueryName> <!--Google-->
-			<QueryName condition="end with">.googlevideo.com</QueryName> <!--Google | Microsoft default exclusion-->
-			<QueryName condition="end with">.gstatic.com</QueryName> <!--Google | Microsoft default exclusion-->
-			<QueryName condition="end with">.gvt1.com</QueryName> <!--Google-->
-			<QueryName condition="end with">.gvt2.com</QueryName> <!--Google-->
-			<QueryName condition="end with">.ib-ibi.com</QueryName> <!--Ads: Offerpath [ https://better.fyi/trackers/ib-ibi.com/ ] -->
-			<QueryName condition="end with">.jivox.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.mathtag.com</QueryName> <!--Microsoft default exclusion-->
-			<QueryName condition="end with">.moatads.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.moatpixel.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.mookie1.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.myvisualiq.net</QueryName> <!--Ads-->
-			<QueryName condition="end with">.netmng.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.openx.net</QueryName> <!--Ads-->
-			<QueryName condition="end with">.optimizely.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.outbrain.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.pardot.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.phx.gbl</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.pinterest.com</QueryName> <!--Pinerest-->
-			<QueryName condition="end with">.pubmatic.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.quantcount.com</QueryName>
-			<QueryName condition="end with">.quantserve.com</QueryName>
-			<QueryName condition="end with">.revsci.net</QueryName> <!--Ads:Omniture | Microsoft default exclusion-->
-			<QueryName condition="end with">.rfihub.net</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.rlcdn.com</QueryName> <!--Ads: Rapleaf [ https://better.fyi/trackers/rlcdn.com/ ] -->
-			<QueryName condition="end with">.rubiconproject.com</QueryName> <!--Ads: Rubicon Project | Microsoft default exclusion [ https://better.fyi/trackers/rubiconproject.com/ ] -->
-			<QueryName condition="end with">.scdn.co</QueryName> <!--Spotify-->
-			<QueryName condition="end with">.scorecardresearch.com</QueryName> <!--Ads: Comscore | Microsoft default exclusion-->
-			<QueryName condition="end with">.serving-sys.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.sharethrough.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.simpli.fi</QueryName>
-			<QueryName condition="end with">.sitescout.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.smartadserver.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.snapads.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.spotxchange.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.taboola.com</QueryName> <!--Ads:Taboola-->
-			<QueryName condition="end with">.taboola.map.fastly.net</QueryName> <!--Ads:Taboola-->
-			<QueryName condition="end with">.tapad.com</QueryName>
-			<QueryName condition="end with">.tidaltv.com</QueryName> <!--Ads: Videology [ https://better.fyi/trackers/tidaltv.com/ ] -->
-			<QueryName condition="end with">.trafficmanager.net</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.tremorhub.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.tribalfusion.com</QueryName> <!--Ads: Exponential [ https://better.fyi/trackers/tribalfusion.com/ ] -->
-			<QueryName condition="end with">.turn.com</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/turn.com/ ] -->
-			<QueryName condition="end with">.twimg.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.tynt.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.w55c.net</QueryName> <!--Ads:dataxu-->
-			<QueryName condition="end with">.ytimg.com</QueryName> <!--Google-->
-			<QueryName condition="end with">.zorosrv.com</QueryName> <!--Ads:Taboola-->
-			<QueryName condition="end with">ads.yahoo.com</QueryName> <!--Ads: Yahoo-->
-			<QueryName condition="is">1rx.io</QueryName>
-			<QueryName condition="is">adservice.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">ampcid.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">clientservices.googleapis.com</QueryName> <!--Google-->
-			<QueryName condition="is">d29x207vrinatv.cloudfront.net</QueryName> <!--Amazon-developed applications-->
-			<QueryName condition="is">googleadapis.l.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">imasdk.googleapis.com</QueryName> <!--Google [ https://developers.google.com/interactive-media-ads/docs/sdks/html5/ ] -->
-			<QueryName condition="is">l.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">ml314.com</QueryName> <!--Ads-->
-			<QueryName condition="is">mtalk.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">update.googleapis.com</QueryName> <!--Google-->
-			<QueryName condition="is">www.googletagservices.com</QueryName>
-			<!--SocialNet-->
-			<QueryName condition="end with">.pscp.tv</QueryName> <!--Twitter:Periscope-->
-			<!--OSCP/CRL Common-->
-			<QueryName condition="contains">adsniper.ru</QueryName>
-			<QueryName condition="contains">cdnvideo.ru</QueryName>
-			<QueryName condition="contains">chat.minergate.com</QueryName>
-			<QueryName condition="contains">cwsa.minergate.com</QueryName>
-			<QueryName condition="contains">forum.minergate.com</QueryName>
-			<QueryName condition="contains">leadlab.click</QueryName>
-			<QueryName condition="contains">mc.yandex.ru</QueryName>
-			<QueryName condition="contains">pool.ntp.org</QueryName>
-			<QueryName condition="contains">vmg.host</QueryName>
-			<QueryName condition="contains">yandex.ru</QueryName>
-			<QueryName condition="end with">.adobe.com</QueryName>
-			<QueryName condition="end with">.autodesk.com</QueryName>
-			<QueryName condition="end with">.avast.com</QueryName>
-			<QueryName condition="end with">.avcdn.net</QueryName>
-			<QueryName condition="end with">.cdn.bitdefender.net</QueryName>
-			<QueryName condition="end with">.digicert.com</QueryName>
-			<QueryName condition="end with">.eset.com</QueryName>
-			<QueryName condition="end with">.globalsign.com</QueryName>
-			<QueryName condition="end with">.globalsign.net</QueryName>
-			<QueryName condition="end with">.intuit.com</QueryName>
-			<QueryName condition="end with">.java.com</QueryName>
-			<QueryName condition="end with">.macromedia.com</QueryName>
-			<QueryName condition="end with">.oracle.com</QueryName>
-			<QueryName condition="end with">.quickbooks.com</QueryName>
-			<QueryName condition="end with">.usertrust.com</QueryName>
-			<QueryName condition="end with">amazontrust.com</QueryName>
-			<QueryName condition="end with">ocsp.identrust.com</QueryName>
-			<QueryName condition="end with">pki.goog</QueryName>
-			<QueryName condition="is">ads.playground.xyz</QueryName>
-			<QueryName condition="is">citrixupdates.cloud.com</QueryName>
-			<QueryName condition="is">forticlient.fortinet.net</QueryName>
-			<QueryName condition="is">mft10.onbaseonline.com</QueryName>
-			<QueryName condition="is">msocsp.com</QueryName> <!--Microsoft:OCSP-->
-			<QueryName condition="is">ocsp.comodoca.com</QueryName>
-			<QueryName condition="is">ocsp.cybertrust.ne.jp</QueryName>
-			<QueryName condition="is">ocsp.entrust.net</QueryName>
-			<QueryName condition="is">ocsp.entrust.net</QueryName>
-			<QueryName condition="is">ocsp.godaddy.com</QueryName>
-			<QueryName condition="is">ocsp.int-x3.letsencrypt.org</QueryName>
-			<QueryName condition="is">ocsp.intel.com</QueryName>
-			<QueryName condition="is">ocsp.msocsp.com</QueryName> <!--Microsoft:OCSP-->
-			<QueryName condition="is">ocsp.quovadisglobal.com</QueryName>
-			<QueryName condition="is">ocsp.quovadisoffshore.com</QueryName>
-			<QueryName condition="is">ocsp.sectigo.com</QueryName>
-			<QueryName condition="is">ocsp.starfieldtech.com</QueryName>
-			<QueryName condition="is">ocsp.thawte.com</QueryName>
-			<QueryName condition="is">ocsp.trustwave.com</QueryName>
-			<QueryName condition="is">ocsp.verisign.com</QueryName>
-			<QueryName condition="is">pki-goog.l.google.com</QueryName>
-			<QueryName condition="is">pki.intel.com</QueryName>
-			<QueryName condition="is">scrootca1.ocsp.secomtrust.net</QueryName>
-			<QueryName condition="is">scrootca2.ocsp.secomtrust.net</QueryName>
-			<QueryName condition="is">stats.anchor.host</QueryName>
-			<QueryName condition="is">status.rapidssl.com</QueryName>
-			<QueryName condition="is">status.thawte.com</QueryName>
-			<QueryName condition="is">ts-ocsp.ws.symantec.com</QueryName>
-			<QueryName condition="is">upgrade.bitdefender.com</QueryName>
-		</DnsQuery>
-	</RuleGroup>
-	<!-- SYSMON EVENT ID 23 : File Delete and overwrite events which saves a copy to the archivedir: Includes -->
-	<!-- Default set to disabled due to disk space implications, enable with care!-->
-	<RuleGroup groupRelation="or">
-	  <FileDelete onmatch="include" />
-	</RuleGroup>
-	<!-- SYSMON EVENT ID 24 : Clipboard change events, only captures text, not files: Includes -->
-	<!-- Default set to disabled due to privacy implications and potential data you leave for attackers, enable with care!-->
-	<RuleGroup groupRelation="or">
-	  <ClipboardChange onmatch="include" />
-	</RuleGroup>
-	<!--SYSMON EVENT ID 25 : Process tampering events-->
-	<RuleGroup name="RG=Process Tampering Includes" groupRelation="or">
-		<ProcessTampering onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">.;&gt;;unknown;anonymous</Image>
-				<Image condition="excludes">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
-				<Image condition="excludes">C:\Program Files (x86)\Symantec\</Image>
-				<Image condition="excludes">C:\Program Files\Google\Chrome\Application\chrome.exe</Image>
-				<Image condition="excludes">C:\Program Files\Symantec\</Image>
-			</Rule>
-		</ProcessTampering>
-	</RuleGroup>
-	<RuleGroup name="RG=Process Tampering Excludes" groupRelation="or">
-		<ProcessTampering onmatch="exclude">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">\BHO\ie_to_edge_stub.exe;\Microsoft\Teams\;\Vivaldi\Application\;Google\Chrome\;Google\Update;BraveSoftware\Brave-Browser\;Edge\Application\;EdgeUpdate\Install\;Program Files\SmartGit\</Image>
-			</Rule>
-		</ProcessTampering>
-	</RuleGroup>
-	<!-- SYSMON EVENT ID 26 : File Delete and overwrite events, does NOT save the file: Includes -->
-	<RuleGroup groupRelation="or">
-		<FileDeleteDetected onmatch="include">
-		</FileDeleteDetected>
-	</RuleGroup>
-	<RuleGroup groupRelation="or">
-		<FileDeleteDetected onmatch="exclude">
-			<Image condition="contains all">\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
-			<User condition="contains any">NETWORK SERVICE; LOCAL SERVICE</User>
-		</FileDeleteDetected>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 27 : FILE BLOCK [FileBlockExecutable]-->
-	<RuleGroup name="RG=ImageBlock Include Group" groupRelation="or">
-		<FileBlockExecutable onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">OUTLOOK.exe;WINWORD.exe;EXCEL.EXE;powerpnt.exe;msaccess.exe;mspub.exe;eqnedt32.exe;visio.exe;wordpad.exe;wordview.exe;msohtmed.exe;lync.exe;teams.exe</Image>
-				<TargetFilename condition="excludes any">:\Program Files\Microsoft Office\;:\Program Files (x86)\Microsoft Office\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">w3wp.exe;tomcat;apache;nginx;httpd</Image>
-				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">powershell.exel;powershell_ise.exe</Image>
-				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="contains any">.pdf;.doc;.xls;.doc;.ppt;.txt;.rtf;.htm;.iso;.zip;.rar;.7z</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
-				<Image condition="contains any">psexesvc</Image>
-				<Image condition="contains any">psexec</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="or">
-				<Image condition="is">wmiprvse.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
-				<TargetFilename condition="excludes any">amdsfhdcd.bin</TargetFilename>
-				<Image condition="excludes any">intuit</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Background Event" groupRelation="and">
-				<Image condition="contains any">AcroRd32.exe;notepad.exe;mshta.exe;hh.exe;certutil.exe;certoc.exe;certreq.exe;desktopimgdownldr.exe;esentutl.exe;finger.exe;presentationhost.exe;cscript.exe;wscript.exe;mspaint.exe;RdrCEF.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1311,Technique=User Execution: Malicious File,Tactic=Execution,Level=4,Alert=Malicious File Detection,Author=Florian Roth" groupRelation="or">
-				<Hashes condition="contains">IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932</Hashes> <!-- PetitPotam -->
-				<Hashes condition="contains">IMPHASH=3A19059BD7688CB88E70005F18EFC439</Hashes> <!-- PetitPotam -->
-				<Hashes condition="contains">IMPHASH=bf6223a49e45d99094406777eb6004ba</Hashes> <!-- PetitPotam -->
-				<Hashes condition="contains">IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=4C1B52A19748428E51B14C278D0F58E3</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=672B13F4A0B6F27D29065123FE882DFC</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=9528A0E91E28FBB88AD433FEABCA2456</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=D21BBC50DCC169D7B4D0F01962793154</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1</Hashes> <!-- JuicyPotato  -->
-				<Hashes condition="contains">IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC</Hashes> <!-- JuicyPotato  -->
-				<Hashes condition="contains">IMPHASH=6118619783FC175BC7EBECFF0769B46E</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=563233BFA169ACC7892451F71AD5850A</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=87575CB7A0E0700EB37F2E3668671A08</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=13F08707F759AF6003837A150A371BA1</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=1781F06048A7E58B323F0B9259BE798B</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=713C29B396B907ED71A72482759ED757</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=8B114550386E31895DFAB371E741123D</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793</Hashes> <!-- PwDumpX -->
-				<Hashes condition="contains">IMPHASH=9D68781980370E00E0BD939EE5E6C141</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=B18A1401FF8F444056D29450FBC0A6CE</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=CB567F9498452721D77A451374955F5F</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=730073214094CD328547BF1F72289752</Hashes> <!-- Htran -->
-				<Hashes condition="contains">IMPHASH=17B461A082950FC6332228572138B80C</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=819B19D53CA6736448F9325A85736792</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74</Hashes> <!-- PPLDump -->
-				<Hashes condition="contains">IMPHASH=0588081AB0E63BA785938467E1B10CCA</Hashes> <!-- PPLDump -->
-				<Hashes condition="contains">IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=4DA924CF622D039D58BCE71CDF05D242</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=E7A3A5C377E2D29324093377D7DB1C66</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=E6F9D5152DA699934B30DAAB206471F6</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=3AD59991CCF1D67339B319B15A41B35D</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=FFDD59E0318B85A3E480874D9796D872</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=0CF479628D7CC1EA25EC7998A92F5051</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=D6D0F80386E1380D05CB78E871BC72B1</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=38D9E015591BBFD4929E0D0F47FA0055</Hashes> <!-- HandleKatz -->
-				<Hashes condition="contains">IMPHASH=0E2216679CA6E1094D63322E3412D650</Hashes> <!-- HandleKatz -->
-				<Hashes condition="contains">IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=11083E75553BAAE21DC89CE8F9A195E4</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F</Hashes> <!-- CreateMiniDump -->
-				<Hashes condition="contains">IMPHASH=767637C23BB42CD5D7397CF58B0BE688</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=14C4E4C72BA075E9069EE67F39188AD8</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=7D010C6BB6A3726F327F7E239166D127</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=89159BA4DD04E4CE5559F132A9964EB3</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=5834ED4291BDEB928270428EBBAF7604</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=3DE09703C8E79ED2CA3F01074719906B</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F</Hashes> <!-- WCE -->
-				<Hashes condition="contains">IMPHASH=E96A73C7BF33A464C510EDE582318BF2</Hashes> <!-- WCE -->
-				<Hashes condition="contains">IMPHASH=32089B8851BBF8BC2D014E9F37288C83</Hashes> <!-- Sliver Stagers -->
-				<Hashes condition="contains">IMPHASH=09D278F9DE118EF09163C6140255C690</Hashes> <!-- Dumpert -->
-				<Hashes condition="contains">IMPHASH=03866661686829D806989E2FC5A72606</Hashes> <!-- Dumpert -->
-				<Hashes condition="contains">IMPHASH=E57401FBDADCD4571FF385AB82BD5D6D</Hashes> <!-- Dumpert -->
-				<Hashes condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hashes> <!-- SysmonEnte -->
-				<Hashes condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hashes> <!-- SysmonQuiet -->
-				<Hashes condition="contains">IMPHASH=330768A4F172E10ACB6287B87289D83B</Hashes> <!-- ShaprEvtMute Hook -->
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Tools that tamper with Sysmon,Author=Florian Roth" groupRelation="and">
-				<TargetFilename condition="contains any">\EntenLoader.exe;\SysmonQuiet.exe;\SharpEvtMute.exe;\EvtMuteHook.dll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Desc=Lolbins dropping binaries,Author=Florian Roth" groupRelation="or">
-				<Image condition="image">certutil.exe</Image>
-				<Image condition="image">certoc.exe</Image>
-				<Image condition="image">CertReq.exe</Image>
-				<!-- <Image condition="image">bitsadmin.exe</Image> (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env) -->
-				<Image condition="image">Desktopimgdownldr.exe</Image>
-				<Image condition="image">esentutl.exe</Image>
-				<!-- <Image condition="image">expand.exe</Image> (depends on the environment; comment in if you're sure that expand doesn't do that in your env) -->
-				<Image condition="image">finger.exe</Image>
-				<Image condition="image">presentationhost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Desc=Suspicious Bitsadmin Usage from Non System accounts,Author=@ionstorm" groupRelation="and">
-				<Image condition="image">bitsadmin.exe</Image>
-				<TargetFilename condition="excludes any">C:\Windows;$WINDOWS.;\SoftwareDistribution\</TargetFilename>
-				<User condition="is not">System</User>
-				<User condition="excludes any">TrustedInstaller;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</User>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Tools that tamper with Sysmon,Author=Florian Roth" groupRelation="and">
-				<TargetFilename condition="contains any">\EntenLoader.exe;\SysmonQuiet.exe;\SharpEvtMute.exe;\EvtMuteHook.dll</TargetFilename>
-			</Rule>
-		</FileBlockExecutable>
-	</RuleGroup>
-	</EventFiltering>
-</Sysmon>
\ No newline at end of file

From 56e1b071dde84162bd43a711b8bcaeb791ea78e0 Mon Sep 17 00:00:00 2001
From: cyberkryption <cyberkryption@gmail.com>
Date: Sun, 25 Sep 2022 16:12:28 +0100
Subject: [PATCH 367/471] Update sysmonconfig-export.xml

---
 sysmonconfig-export.xml | 1294 +++++++++++++++++++--------------------
 1 file changed, 647 insertions(+), 647 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 50017341..16064f68 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -287,19 +287,19 @@
 				<ParentImage condition="image">explorer.exe</ParentImage>
 			</Rule>
 			-->
-			<Rule name="UEBA=Unusual Child Process,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,UEBA=Unusual Child Process,Risk=30" groupRelation="and">
 				<Image condition="is any">svchost.exe;taskhostw.exe;userinit.exe;smss.exe;csrss.exe;wininit.exe;winlogon.exe;lsass.exe;logonui.exe;services.exe</Image>
 				<Image condition="contains any">C:\windows\System32\;C:\windows\syswow64\</Image>
 				<ParentImage condition="excludes any">wininit.exe;winlogon.exe;services.exe;dwm.exe;System;smss.exe;svchost.exe</ParentImage>
 			</Rule>
-			<Rule name="UEBA=Unusual Print Spooler Child Process,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,UEBA=Unusual Print Spooler Child Process,Risk=30" groupRelation="and">
 				<ParentImage condition="contains any">\spoolsv.exe;\PrintIsolationHost.exe</ParentImage>
 				<Image condition="excludes any">C:\Windows\System32\spoolsv.exe;\GPLGS\gswin32c.exe;C:\Windows\System32\spool\drivers\;\bin\gswin64c.exe;C:\PROGRA~2\CUTEPD~1\;C:\Windows\EEFPrinter.exe</Image>
 				<CommandLine condition="excludes any">C:\Windows\system32\spool\DRIVERS</CommandLine>
 				<Company condition="excludes any">Brother Industries;Thomson Reuters</Company>
 			</Rule>
 			<ParentCommandLine name="Attack=T1059.001,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=4,Alert=Metasploit Detection,Risk=90" condition="contains">COMSPEC</ParentCommandLine>
-			<CommandLine name="Level=0,Desc=ScriptFile execution" condition="contains">ScriptFile</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=ScriptFile execution" condition="contains">ScriptFile</CommandLine>
 			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\7z</CommandLine><!-- exec from 7zip -->
 			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\Temp1_</CommandLine><!-- exec from explorer -->
 			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">\AppData\Local\Temp\Rar$</CommandLine><!-- exec from winrar -->
@@ -312,8 +312,8 @@
 			</Rule>
 			<CommandLine name="Attack=T1059.001,Technique=PowerShell,Tactic=Execution,Level=4,Alert=invoke-shellcode,Risk=100" condition="contains">Shellcode</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
-			<Image name="Level=4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
-			<Image name="Level=0,Desc=Python Execution,Tactic=Privilege Escalation" condition="image">python.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Python Execution,Tactic=Privilege Escalation" condition="image">python.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
 			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,Level=3,Alert=JAVA DLL exec" condition="contains">-agentpath:</CommandLine>
 			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,Level=3,Alert=JAVA DLL exec" condition="contains">-agentlib:</CommandLine>
@@ -637,7 +637,7 @@
 				<ParentUser condition="contains any">NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</ParentUser>
 				<User condition="contains any">NT AUTHORITY\SYSTEM;СИСТЕМА;NT-AUTORITÄT\SYSTEM;AUTORITE NT\SYSTEM</User>
 			</Rule>
-			<ParentCommandLine name="Level=0,Desc=Possible Token manipulation" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine> <!-- can be useful for tokens manip detection -->
+			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Possible Token manipulation" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine> <!-- can be useful for tokens manip detection -->
 			<Image name="Attack=T1134,Technique=Access Token Manipulation,Tactic=NA,Level=2,Alert=Token Manipulation with runas.exe,Risk=70" condition="image">runas.exe</Image> 
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
@@ -701,8 +701,8 @@
 
 			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
 			<Image condition="contains">unknown process</Image>
-			<Image name="Level=0,Desc=WSL Execution" condition="contains">\LocalState\rootfs\</Image>
-			<ParentImage name="Level=0,Desc=WSL Execution" condition="contains">\LocalState\rootfs\</ParentImage>			
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WSL Execution" condition="contains">\LocalState\rootfs\</Image>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WSL Execution" condition="contains">\LocalState\rootfs\</ParentImage>			
 			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
@@ -750,8 +750,8 @@
 				<Hashes condition="contains">IMPHASH=330768a4f172e10acb6287b87289d83b</Hashes>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
-			<Image condition="image" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=T1089,Level=4,Alert=PSTools PSKill,Risk=8">PsKill.exe</Image>
-			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=T1089,Risk=100,Level=4,Alert=Disabling of Windows Defender Features" groupRelation="and">
+			<Image condition="image" name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,Level=4,Alert=PSTools PSKill,Risk=80">PsKill.exe</Image>
+			<Rule name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,Level=4,Alert=Disabling of Windows Defender Features,Risk=100" groupRelation="and">
 				<CommandLine condition="contains any">Set-MpPreference;Add-MpPreference;Remove-MpPreference;MpCmdRun.exe</CommandLine>
 				<CommandLine condition="contains any">RemoveDefinitions;RemoveDynamicSignature;DisableIOAVProtection;DisableRealTimeMonitoring;DisableBehaviorMonitoring;DisableBlockAtFirstSeen;DisableIOAVProtection;DisablePrivacyMode;DisableScriptScanning;DisableRealtimeMonitoring;DisableScanningNetworkFiles;DisableScanningMappedNetworkDrivesForFullScan;DisableRestorePoint;DisableRemovableDriveScanning;SignatureDisableUpdateOnStartupWithoutEngine;DisableIntrusionPreventionSystem;DisableScanOnRealtimeEnable;DisableArchiveScanning;DisableIntrusionPreventionSystem;DisableScriptScanning;DisableOnAccessProtection;ExclusionExtension;ExclusionPath;ExclusionProcess;ThreatDefaultAction;TamperProtection</CommandLine>
 			</Rule>
@@ -772,7 +772,7 @@
 				<CommandLine condition="excludes">wevtutil.exe im</CommandLine>
 				<CurrentDirectory condition="excludes">ClickToRun</CurrentDirectory>
 			</Rule>
-			<Rule name="Attack=T1562.006,Technique=Indicator Blocking,Tactic=Defense Evasion,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1562.006,Technique=Indicator Blocking,Tactic=Defense Evasion,Level=3,Risk=50" groupRelation="and">
 				<OriginalFileName condition="is">fltMC.exe</OriginalFileName>
 				<CommandLine condition="contains any">detach;unload</CommandLine>
 			</Rule>
@@ -825,7 +825,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
 			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg add hkcu\software\classes\</CommandLine>
 			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg.exe add hkcu\software\classes\</CommandLine> 
-			<ParentCommandLine name="Level=0,Desc=Remote Registry Activity,Risk=39" condition="begin with">C:\WINDOWS\system32\svchost.exe -k localService -s RemoteRegistry</ParentCommandLine>
+			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Registry Activity,Risk=39" condition="begin with">C:\WINDOWS\system32\svchost.exe -k localService -s RemoteRegistry</ParentCommandLine>
 			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Alternate Data Streams with Regedit" groupRelation="and">
 				<OriginalFileName condition="is">regedit.exe</OriginalFileName>
 				<CommandLine condition="contains">:</CommandLine>
@@ -904,7 +904,7 @@
 				<CommandLine condition="contains">0x</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information: Compile After Delivery-->
-			<Rule name="Level=4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
+			<Rule name="Attack= T1127.001,Technique=Trusted Developer Utilities Proxy Execution ,Tactic=Defnse Evasion,Level=4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
 				<Image condition="image">csc.exe</Image>
 				<CommandLine condition="contains any">\AppData\;\Windows\Temp\</CommandLine>
 			</Rule>
@@ -926,7 +926,7 @@
 				<ParentImage condition="is">csc.exe</ParentImage>
 				<CommandLine condition="contains any">out:;target:library</CommandLine>
 			</Rule>
-			<Image name="Level=0,Desc=Workflow Compiler https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb" condition="contains">Microsoft.Workflow.Compiler.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Workflow Compiler https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb" condition="contains">Microsoft.Workflow.Compiler.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
 			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
 			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
@@ -1028,17 +1028,17 @@
 				<ParentImage condition="image">conhost.exe</ParentImage>
 				<Image condition="excludes any">\mscorsvw.exe;\wermgr.exe;\WerFault.exe;\WerFaultSecure.exe</Image>
 			</Rule>
-			<CommandLine name="Attack=T1055,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement,Tactic=Defense Evasion,Level=4,Alert=Powershell Injection persistence bypass,Risk=50" condition="contains">System.Management.Automation</CommandLine>
+			<CommandLine name="Attack=T1055,Technique=Powershell Injection Persistence Bypass - Execution - Lateral Movement - Tactic=Defense Evasion,Level=4,Alert=Powershell Injection persistence bypass,Risk=50" condition="contains">System.Management.Automation</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
 			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
 			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
 			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
-			<Rule name="Level=0,Desc=InstallUtil 1" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=InstallUtil 1" groupRelation="and">
 				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
 				<CommandLine condition="contains all">/logfile=;/LogToConsole=false;/U</CommandLine>
 			</Rule>
-			<Rule name="Level=0,Desc=InstallUtil 2" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=InstallUtil 2" groupRelation="and">
 				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
 				<CommandLine condition="contains all">-logfile=;-LogToConsole=false;-U</CommandLine>
 			</Rule>
@@ -1214,7 +1214,7 @@
 			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">syssetup.dll;SetupInfObjectInstallAction</CommandLine>
 			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">setupapi.dll;InstallHinfSection</CommandLine>
 			<CommandLine condition="contains">InstallHinfSection</CommandLine>
-			<Image name="Level=0,Desc=infDefaultInstall" condition="image">infDefaultInstall.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=infDefaultInstall" condition="image">infDefaultInstall.exe</Image>
 			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=APT28 CHOPSTICK Detection,Risk=70" condition="contains">rundll32.exe "C:\Windows\twain_64.dll"</CommandLine>
 			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Shdocvw exec via rundll32,Risk=70" condition="contains all">shdocvw.dll;OpenURL</CommandLine>
 			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Testing advpack exec,Risk=70" condition="contains all">advpack.dll;RegisterOCX</CommandLine>
@@ -1266,7 +1266,7 @@
 				<Image condition="image">msbuild.exe</Image>
 				<CommandLine condition="contains">.lnk</CommandLine>
 			</Rule>
-			<CommandLine name="Level=0,Desc=.csproj execution" condition="contains">.csproj</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=.csproj execution" condition="contains">.csproj</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
 			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
@@ -1442,7 +1442,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
 			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg query</CommandLine>
 			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg.exe query</CommandLine>
-			<Image name="Level=0,Desc=Driver Querying" condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Driver Querying" condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
 
 			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
 			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,Level=2,Alert=Traceroute Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">tracert.exe</Image>
@@ -1547,14 +1547,14 @@
 				<CommandLine condition="contains any">ADD;DEL;CHANGE;-f</CommandLine>
 			</Rule>
 			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=User enumeration with qwinsta" condition="image">qwinsta.exe</Image>
-			<Image name="Level=0,Desc=rwinsta" condition="image">rwinsta.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=rwinsta" condition="image">rwinsta.exe</Image>
 			
 			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
 
 			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
-			<Rule name="Level=0,Desc=Possible Lateral Movmt via Office Application,Risk=80" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Possible Lateral Movmt via Office Application,Risk=80" groupRelation="and">
 				<ParentImage condition="contains">Microsoft Office\root\Office</ParentImage>
 				<Image condition="excludes">Microsoft Office\root\Office</Image>
 				<ParentCommandLine condition="contains all">automation;Embedding</ParentCommandLine>
@@ -1677,9 +1677,9 @@
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image>
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Sysinternals PSService" condition="contains">psservice</Image>
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Sysinternals PsPasswd" condition="contains">PsPasswd</Image>
-			<Image name="Level=0,Desc=Remote Desktop" condition="image">mstsc.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Desktop" condition="image">mstsc.exe</Image>
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image>
-			<Image name="Level=3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
 			<CommandLine name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=IIS powershellcustomhost exec" condition="contains">powershellcustomhost</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Remote Services: Distributed Component Object Model-->
 			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement" groupRelation="and">
@@ -1928,8 +1928,8 @@
 			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">delete catalog</CommandLine>
 			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">wbadmin delete catalog</CommandLine>
 			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Desc=Data Destruction with erase Detected,Risk=100" condition="contains">erase</CommandLine>
-			<CommandLine name="Level=0,Desc=vShadow Commands! https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/" condition="contains">-nw -exec=</CommandLine><!-- vshadow -->
-			<CommandLine name="Level=0,Desc=vShadow Commands! https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/" condition="contains">-p -nw</CommandLine><!-- vshadow -->
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=vShadow Commands! https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/" condition="contains">-nw -exec=</CommandLine><!-- vshadow -->
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=vShadow Commands! https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/" condition="contains">-p -nw</CommandLine><!-- vshadow -->
 			<Image name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with shred Detected,Risk=100" condition="contains">shred</Image>
 			<ParentImage name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Diskshadow Execution,Risk=70" condition="contains">diskshadow</ParentImage>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Command Line File Deletion,Risk=100" groupRelation="or">
@@ -1960,7 +1960,7 @@
 			<!--Malicious Keywords Credits: Sean Metcalf (source), Florian Roth (rule)-->
 			<CommandLine name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,Level=4,Alert=Malicious Keywords from Exploitation Frameworks" condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
 			<!--Crypto Currency Miner Detections-->
-			<Rule name="Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
 				<CommandLine condition="contains any">ahashpool;blazepool;blockmasters;blockmasterscoins;ccminer;cgminer;coinhive;hashrefinery;minergate;miningpoolhubcoins;nicehash;poolname;poolpassword;poolurl;rainbowminer;sgminer;stratum+tcp;xmrMiner;xmrig;yiimp;zergpool;zergpoolcoins;zpool</CommandLine>
 				<Description condition="contains any">CPU miner;GPU miner;Lime Miner;XMRig CPU miner; miner</Description>
 			</Rule>
@@ -1968,9 +1968,9 @@
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst hashes,Risk=100" groupRelation="and">
 				<Hashes condition="contains any">b91ce2fa41029f6955bff20079468448;02af7cec58b9a5da1c542b5a32151ba1;2c4a910a1299cdae2a4e55988a2f102e;846e27a652a5e1bfbd0ddd38a16dc865;4f2eb62fa529c0283b28d05ddd311fae;56ceb6d0011d87b6e4d7023d7ef85676</Hashes>
 			</Rule>
-			<Hashes condition="end with" name="Level=0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
-			<Hashes condition="end with" name="Level=0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
-			<Hashes condition="end with" name="Level=0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
+			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
+			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
+			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
 			<Hashes name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=4,Alert=Generic APT Hash Detection,Risk=100" condition="contains any">4a069c1abe5aca148d5a8fdabc26751e;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;a4b42c2c95d1f2ff12171a01c86cd64f;98908ce6f80ecc48628c8d2bf5b2a50c;849a2b0dc80aeca3d175c139efe5221c;807d86da63f0db1fc746d1f0b05bc357;322cb39bc049aa69136925137906d855;86A4CAC227078B9C95C560C8F0370BF0;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;eac3e3ece94bc84e922ec077efb15edd;b4abe604916c04fe3dd8b9cb3d501d3f;88777aacd5f16599547926a4c9202862;128CECC59C91C0D0574BC1075FE7CB40;17a36ac3e31f3a18936552aff2c80249;0f49621b06f2cdaac8850c6e9581a594;3d129263f6a48647f103a04446fb0c2f;71345b139166482acaa568ac8816c7bc;1b60021baedc3f9201bcdb40e9b87f62;5E022694C0DBD1FBBC263D608E577949;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;37cd353621b0f4fc6981b50071c94f01;daf2da52475fd8981b19ec3c321a983c;afcdf79be1557326c854b6e20cb900a7;2f40abbb4f78e77745f0e657a19903fc953cc664;37b4496e650b3994312c838435013560b3ca8571;478dc5a5f934c62a9246f7d1fc275868f568bc07;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;0ac48cfa2ff8351365e99c1d26e082ad;0e9afd3a870906ebf34a0b66d8b07435;1aadf739782afcae6d1c3e4d1f315cbd;2a6f7ec77ab6bd4297e7b15ae06e2e61;3a771efb7ba2cd0df247ab570e1408b2;3d75c72144d873b3c1c4977fbafe9184;3dfebce4703f30eed713d795b90538b5;3ffd2915d285ad748202469d4a04e1f5;4e39620afca6f60bb30e031ddc5a4330;6cfd131fef548fcd60fbcdb59317df8e;7bcd736a2394fc49f3e27b3987cce640;7bfba2c69bed6b160261bdbf2b826401;7bfbd72441e1f2ed48fbc0f33be00f24;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;08e82dc7bae524884b7dc2134942aadb;8da15a97eaf69ff7ee184fc446f19cf1;9ad6fa6fdedb2df8055b3d30bd6f64f1;9c115e9a81d25f9d88e7aaa4313d9a8f;16ab79fb2fd92db0b1f38bedb2f02ed8;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;22d142f11cf2a30ea4953e1fffb0fa7e;36db24006e2b492cafb75f2663f241b2;51a7068640af42c3a7c1b94f1c11ab9d;69a19abf5ba56ee07cdd3425b07cf8bf;72dc98449b45a7f1ccdef27d51e31e91;77a745b07d9c453650dd7f683b02b3ed;80c37e062aa4c94697f287352acf2e9d;92f8e3f0f1f7cc49fad797a62a169acd;235d427f94630575a4ea4bff180ecf5d;320b2f1d9551b5d1df4fb19bd9ab253a;490a140093b5870a47edc29f33542fd2;520ee02668a1c7b7c262708e12b1ba6b;649ef1dd4a5411d3afcf108d57ff87af;684eca6b62d69ce899a3ec3bb04d0a5b;815f1f8a7bc1e6f94cb5c416e381a110;0969b2b399a8d4cd2d751824d0d842b4;2317d65da4639f4246de200650a70753;04078ef95a70a04e95bda06cc7bec3fa;8035a8a143765551ca7db4bc5efb5dfd;8403a28e0bffa9cc085e7b662d0d5412;9003cfaac523e94d5479dc6a10575e60;9793afcea43110610757bd3b800de517;27612cb03c89158225ca201721ea1aad;44619a88a6cff63523163c6a4cf375dd;061089d8cb0ca58e660ce2e433a689b3;81229c1e272218eeda14892fa8425883;84730a6e426fbd3cf6b821c59674c8a0;533340c54bd25256873b3dca34d7f74e;57314359df11ffdf476f809671ec0275;99828721ac1a0e32e4582c3f615d6e57;412956675fbc3f8c51f438c1abc100eb;5985087678414143d33ffc6e8863b887;a43d3b31575846fa4c3992b4143a06da;a571660c9cf1696a2f4689b2007a12c7;b4e67706103c3b8ee148394ebee3f268;b9c208ea8115232bfd9ec2c62f32d6b8;b9cf4301b7b186a75e82a04e87b30fe4;b72737b464e50aa3664321e8e001ff32;bfe3f6a79cad5b9c642bb56f8037c43b;c0e72eb4c9f897410c795c1b360090ef;c1e7850da5604e081b9647b58248d7e8;c3e255888211d74cc6e3fb66b69bbffb;cacaa3bf3b2801956318251db5e90f3c;cdb303f61a47720c7a8c5086e6b2a743;ce8ce92fb6565181572dce00d69c24f8;d8f1356bebda9e77f480a6a60eab36bb;d9e9f22988d43d73d79db6ee178d70a4;d5377dc1821c935302c065ad8432c0d2;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;f559c87b4a14a4be1bd84df6553aaf56;fc53f2cd780cd3a01a4299b8445f8511;ffc7305cb24c1955f9625e525d58aeee</Hashes>
 			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=4,Alert=Windows Credential Editor Detection,Risk=70" condition="contains any">e96a73c7bf33a464c510ede582318bf2;a53a02b997935fd8eedcb5f7abab9b9f</Hashes>
 			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Ransomware Hash Detection,Risk=100" condition="contains any">d326e629a90e78825645963b35e53a6a;c579341f86f7e962719c7113943bb6e4;dc5733c013378fa418d13773f5bfe6f1;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc7e564809d6c2a2f3457c3c9b91f22b;FE2CA1BE3BDA2A757036A89E54CC02DB;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b</Hashes>
@@ -2024,54 +2024,54 @@
 			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=3,Alert=Hacking with python,Risk=70" condition="contains">pythonEngine.Execute</CommandLine>
 			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=4,Alert=Hacking with session hijacking,Risk=100" condition="contains">sesshijack</CommandLine>
 			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=File Protocol Handler Execution" condition="contains">file://</CommandLine>
-			<Description name="Level=0,Desc=HTML APP Host" condition="end with">HTML Application host</Description>
-			<Description name="Level=0,Desc=Manager Profile Installer" condition="end with">Manager Profile Installer</Description>
-			<Description name="Level=0,Desc=Microsoft Application Virtualization Injector" condition="contains">Microsoft Application Virtualization Injector</Description>
-			<Description name="Level=0,Desc=App Compat Database installer" condition="contains">Application Compatibility Database Installer</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=HTML APP Host" condition="end with">HTML Application host</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Manager Profile Installer" condition="end with">Manager Profile Installer</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Microsoft Application Virtualization Injector" condition="contains">Microsoft Application Virtualization Injector</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=App Compat Database installer" condition="contains">Application Compatibility Database Installer</Description>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">popd.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">pushd.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">subst.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=detect aliases" condition="image">doskey.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=detect cls in batch scripts" condition="image">cls.exe</Image>
 			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=UNC\Device Launches - Image begins with \,Risk=10" condition="begin with">\</Image> 
-			<ParentCommandLine name="Level=0,Desc=IIS Child Processes" condition="begin with">C:\Windows\system32\svchost.exe -k iissvcs</ParentCommandLine>
+			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Child Processes" condition="begin with">C:\Windows\system32\svchost.exe -k iissvcs</ParentCommandLine>
 			<ParentImage name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=UNC\Device Launches - Parent Image begins with \,Risk=10" condition="begin with">\</ParentImage> 
 			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Acrobat" condition="image">acrobat.exe</ParentImage>
 			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Adobe Reader" condition="image">acrord32.exe</ParentImage>
-			<ParentImage name="Level=0,Desc=Process Spawned from JAVA" condition="image">java.exe</ParentImage>
-			<ParentImage name="Level=0,Desc=Process Spawned from JAVA" condition="image">javaw.exe</ParentImage>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Spawned from JAVA" condition="image">java.exe</ParentImage>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Spawned from JAVA" condition="image">javaw.exe</ParentImage>
 			<!--Detect Output Redirection-->
 			<!-- Disabled for now: Reason: Overrides other detections, waiting on Sysmon multiple rule firing
-			<CommandLine name="Level=0,Desc=Output Redirection" condition="contains">2></CommandLine>
-			<CommandLine name="Level=0,Desc=Output Redirection" condition="contains">&gt;</CommandLine>
-			<CommandLine name="Level=0,Desc=Output Redirection" condition="contains">&lt;</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Output Redirection" condition="contains">2></CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Output Redirection" condition="contains">&gt;</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Output Redirection" condition="contains">&lt;</CommandLine>
 			-->
 			<!--Detect Multiple Commands-->
-			<Rule  name="Level=0,Desc=SVCHost Processes" groupRelation="and">
+			<Rule  name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SVCHost Processes" groupRelation="and">
 				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
 			</Rule>
 			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Permission Modifications with icacls or cacls" condition="contains">cacls</Image>
 			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Ownership Permission Modifications with takeown" condition="contains">takeown</Image>
-			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
-			<Rule  name="Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
+			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
+			<Rule  name="Attack=None,Technique=None,Tactic=None,Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
 				<CommandLine condition="contains">\pipe\</CommandLine>
 				<CommandLine condition="excludes">&gt;</CommandLine> <!--Excludes piping to pipe for cobalt strike detection-->
 			</Rule>
-			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
-			<CommandLine condition="contains" name="Level=0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
-			<CommandLine name="Level=3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
-			<CommandLine name="Level=3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
-			<CommandLine name="Level=3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
-			<CommandLine name="Level=0,Desc=Execution from \\tsclient share" condition="contains">\\tsclient</CommandLine>
-			<CommandLine name="Level=0,Desc=Processor ARCH command Line" condition="contains">%PROCESSOR_ARCHITECTURE%</CommandLine>
-			<CommandLine name="Level=0,Desc=SysNative detected" condition="contains">sysnative</CommandLine>
-			<Description name="Level=0,Desc=AutoIT Application Detected" condition="contains">AutoIt</Description>
-			<Description name="Level=0,Desc=Windows Filter loader" condition="contains">Microsoft Filter Loader</Description> 
-			<Image name="Level=3,Alert=interactive command to slow output" condition="is">more.com</Image>
-			<Image name="Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</Image>
-			<Image name="Level=0,Desc=Acrobat Reader Launches" condition="image">acrord32.exe</Image>
-			<Image name="Level=0,Desc=Gpupdate Launched" condition="image">gpupdate.exe</Image>
-			<ParentImage name="Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
+			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
+			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Execution from \\tsclient share" condition="contains">\\tsclient</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Processor ARCH command Line" condition="contains">%PROCESSOR_ARCHITECTURE%</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SysNative detected" condition="contains">sysnative</CommandLine>
+			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AutoIT Application Detected" condition="contains">AutoIt</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Filter loader" condition="contains">Microsoft Filter Loader</Description> 
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=interactive command to slow output" condition="is">more.com</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Acrobat Reader Launches" condition="image">acrord32.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Gpupdate Launched" condition="image">gpupdate.exe</Image>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
 			<!-- Log other command line events, this sometimes conflicts with rules, add to exclusions as necessary-->
 			<!-- <ParentCommandLine name="Information=Uncategorized Events" condition="contains any">/;\;-;unknown;</ParentCommandLine>-->
 		</ProcessCreate>
@@ -2230,7 +2230,7 @@
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from wwwroot folder: Possible webshell,Risk=100" groupRelation="and">
 				<Image condition="contains">\wwwroot\</Image>
 			</Rule>
-			<Image name="Level=4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from Windows\repair Folder,Risk=70" condition="begin with">C:\Windows\repair\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from htdocs folder,Risk=70" condition="contains">\htdocs\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from systemprofile Folder,Risk=30" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
@@ -2247,8 +2247,8 @@
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network Connection from NetworkService User folder,Risk=30" condition="begin with">C:\Users\NetworkService\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network connection from Public User folder,Risk=30" condition="begin with">C:\Users\Public\</Image>
 			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network connection within Media Folder,Risk=30" condition="begin with">C:\Windows\Media\</Image>
-			<Image name="Level=0,Desc=Input Method Network Connection" condition="contains">\Windows\IME\</Image>
-			<Image name="Level=0,Desc=Programdata Network Connection" condition="begin with">C:\ProgramData</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Input Method Network Connection" condition="contains">\Windows\IME\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Programdata Network Connection" condition="begin with">C:\ProgramData</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
@@ -2475,11 +2475,11 @@
 			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
 
 			<!--MITRE ATT&CK TACTIC: Command and Control-->
-			<Rule name="Level=0,Desc=Cobalt Strike Team Server port,Risk=70" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Cobalt Strike Team Server port,Risk=70" groupRelation="and">
 				<DestinationPort condition="is">50050</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<Rule name="Level=0,Desc=Outbound SMTP Email Sending,Risk=10" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Outbound SMTP Email Sending,Risk=10" groupRelation="and">
 				<DestinationPort condition="is">25</DestinationPort>
 				<Image condition="excludes any">\Bin\EdgeTransport.exe;Bin\MSExchangeFrontendTransport.exe</Image>
 				<Initiated>true</Initiated>
@@ -2543,11 +2543,11 @@
 			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
 			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<DestinationHostname name="Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
+			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<!--UEBA Rules-->
-			<Rule name="Level=0,Desc=Inbound Windows SVCHost Network Connection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Inbound Windows SVCHost Network Connection" groupRelation="and">
 				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
 				<DestinationPort condition="is not">3389</DestinationPort>
 				<DestinationPort condition="is not">22</DestinationPort>
@@ -2555,24 +2555,24 @@
 				<DestinationPort condition="is not">5985</DestinationPort>
 				<Initiated>false</Initiated>
 			</Rule>
-			<Rule name="Level=0,Desc=Outbound Windows SVCHost Network Connection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Outbound Windows SVCHost Network Connection" groupRelation="and">
 				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
 				<Initiated>true</Initiated>
 				<SourcePort condition="is not">135</SourcePort>
 				<SourcePort condition="is not">445</SourcePort>
 				<DestinationPort condition="is not">5985</DestinationPort>
 			</Rule>
-			<Rule name="Level=0,Desc=Outbound Non-System port 445 SMB connections" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Outbound Non-System port 445 SMB connections" groupRelation="and">
 				<Image condition="is not">System</Image>
 				<Image condition="excludes">svchost.exe</Image>
 				<DestinationPort condition="is">445</DestinationPort>
 			</Rule>
-			<Rule name="Level=0,Desc=Outbound Non-System port 389 LDAP connections" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Outbound Non-System port 389 LDAP connections" groupRelation="and">
 				<Image condition="is not">System</Image>
 				<Image condition="excludes any">svchost.exe;lsass.exe</Image>
 				<DestinationPort condition="is">389</DestinationPort>
 			</Rule>
-			<Rule name="Level=0,Desc=Inbound LDAP Connections" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Inbound LDAP Connections" groupRelation="and">
 				<Image condition="image">C:\Windows\System32\lsass.exe</Image>
 				<DestinationPort condition="is">389</DestinationPort>
 				<DestinationIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</DestinationIp>
@@ -2580,103 +2580,103 @@
 				<SourceIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</SourceIp>
 				<Initiated>false</Initiated>
 			</Rule>
-			<Rule name="Level=4,Alert=Notepad connecting to the internet" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Notepad connecting to the internet" groupRelation="and">
 				<Image condition="image">notepad.exe</Image>
 				<DestinationIp condition="excludes">127.0.0.1</DestinationIp>
 			</Rule>
-			<Rule name="Level=0,Desc=Browsers accessing non-standard ports" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Browsers accessing non-standard ports" groupRelation="and">
 				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
 				<DestinationPort condition="is not">80</DestinationPort>
 				<DestinationPort condition="is not">443</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<DestinationHostname name="Level=0,Desc=Connection to Github,Risk=30" condition="contains">github</DestinationHostname> 
-			<DestinationHostname name="Level=0,Desc=Connection to Github,Risk=30" condition="contains">githubusercontent.com</DestinationHostname>
-			<Rule name="Level=0,Desc=Web Browser HTTP Connections" groupRelation="and">
+			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Connection to Github,Risk=30" condition="contains">github</DestinationHostname> 
+			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Connection to Github,Risk=30" condition="contains">githubusercontent.com</DestinationHostname>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Web Browser HTTP Connections" groupRelation="and">
 				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
 				<DestinationPort condition="is">80</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<Rule name="Level=0,Desc=Web Browser HTTPS Connections" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Web Browser HTTPS Connections" groupRelation="and">
 				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
 				<DestinationPort condition="is">443</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<Rule name="Level=0,Desc=Apache Webserver" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Apache Webserver" groupRelation="and">
 				<Image condition="image">apache.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=JAVA Network Connections" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=JAVA Network Connections" groupRelation="and">
 				<Image condition="image">java.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Microsoft IIS Webserver" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Microsoft IIS Webserver" groupRelation="and">
 				<Image condition="image">w3wp.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=PHP Webserver" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=PHP Webserver" groupRelation="and">
 				<Image condition="contains any">\php-cgi.exe;\php.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Setup Network connectivity" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Setup Network connectivity" groupRelation="and">
 				<Image condition="contains">setup</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Tomcat Webserver connectivity" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Tomcat Webserver connectivity" groupRelation="and">
 				<Image condition="contains">tomcat</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Uninstaller Network connectivity" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Uninstaller Network connectivity" groupRelation="and">
 				<Image condition="contains">unins</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Unknown Process Connecting to network" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Unknown Process Connecting to network" groupRelation="and">
 				<Image condition="contains">unknown process</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Windows Explorer Network Connection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Explorer Network Connection" groupRelation="and">
 				<Image condition="contains">explorer.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Windows SMTP Server" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows SMTP Server" groupRelation="and">
 				<Image condition="image">inetinfo.exe</Image>
 			</Rule>
 			<!--3rd Party tools-->
-			<Image name="Level=0,Desc=Netcat network connection Detected" condition="contains any">netcat.exe;nc.exe;nc64.exe;ncat.exe</Image>
-			<Image name="Level=0,Desc=Procdump Detected" condition="contains any">procdump</Image>
-			<Image name="Level=0,Desc=PSExec Network Connection" condition="contains any">psexe</Image>
-			<Image name="Level=0,Desc=VNC Network Connection" condition="contains any">vnc;vncs;vncv</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Netcat network connection Detected" condition="contains any">netcat.exe;nc.exe;nc64.exe;ncat.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Procdump Detected" condition="contains any">procdump</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=PSExec Network Connection" condition="contains any">psexe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=VNC Network Connection" condition="contains any">vnc;vncs;vncv</Image>
 			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
 				<Image condition="contains any">rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe;advanced_port_scanner.exe;rcpping.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe</Image>
 			</Rule>
 			<!--Destination Ports to Monitor-->
-			<DestinationPort name="Level=0,Desc=Port: 0" condition="is">0</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Port: 0" condition="is">0</DestinationPort>
 			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5985</DestinationPort>
 			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5986</DestinationPort>
-			<DestinationPort name="Level=0,Desc=IPSec" condition="is">1293</DestinationPort>
-			<DestinationPort name="Level=0,Desc=L2TP" condition="is">1701</DestinationPort>
-			<DestinationPort name="Level=0,Desc=OpenVPN,Risk=39" condition="is">1194</DestinationPort>
-			<DestinationPort name="Level=0,Desc=Remote Assistance Connection,Risk=20" condition="is">3540</DestinationPort>
-			<DestinationPort name="Level=0,Desc=Remote Desktop Connection,Risk=20" condition="is">3389</DestinationPort>
-			<DestinationPort name="Level=0,Desc=SSH Port,Risk=30" condition="is">22</DestinationPort>
-			<DestinationPort name="Level=0,Desc=Socks Proxy Port 1080" condition="is">1080</DestinationPort>
-			<DestinationPort name="Level=0,Desc=Socks Proxy Port 3128" condition="is">3128</DestinationPort>
-			<DestinationPort name="Level=0,Desc=Socks Proxy Port 8080" condition="is">8080</DestinationPort>
-			<DestinationPort name="Level=0,Desc=TOR Port" condition="is">1723</DestinationPort>
-			<DestinationPort name="Level=0,Desc=Telnet Port,Risk=30" condition="is">23</DestinationPort>
-			<DestinationPort name="Level=0,Desc=Tor Port" condition="is">4500</DestinationPort>
-			<DestinationPort name="Level=0,Desc=Tor Port,Risk=50" condition="is">9001</DestinationPort>
-			<DestinationPort name="Level=0,Desc=Tor Port,Risk=50" condition="is">9030</DestinationPort>
-			<DestinationPort name="Level=0,Desc=VNC Port" condition="is">5900</DestinationPort>
-			<DestinationPort name="Level=0,Desc=VNC,Risk=50" condition="is">5800</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IPSec" condition="is">1293</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=L2TP" condition="is">1701</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=OpenVPN,Risk=39" condition="is">1194</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Assistance Connection,Risk=20" condition="is">3540</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Desktop Connection,Risk=20" condition="is">3389</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SSH Port,Risk=30" condition="is">22</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Socks Proxy Port 1080" condition="is">1080</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Socks Proxy Port 3128" condition="is">3128</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Socks Proxy Port 8080" condition="is">8080</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=TOR Port" condition="is">1723</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Telnet Port,Risk=30" condition="is">23</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Tor Port" condition="is">4500</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Tor Port,Risk=50" condition="is">9001</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Tor Port,Risk=50" condition="is">9030</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=VNC Port" condition="is">5900</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=VNC,Risk=50" condition="is">5800</DestinationPort>
 			<!--Source Ports to Monitor-->
-			<SourcePort name="Level=0,Desc=Port: 0" condition="is">0</SourcePort>
-			<Rule name="Level=0,Desc=Non-Browsers Accessing HTTPS" groupRelation="and">
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Port: 0" condition="is">0</SourcePort>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Non-Browsers Accessing HTTPS" groupRelation="and">
 				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
 				<DestinationPort condition="is">443</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<Rule name="Level=0,Desc=Non-Browsers Accessing HTTP" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Non-Browsers Accessing HTTP" groupRelation="and">
 				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
 				<DestinationPort condition="is">80</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<SourcePort name="Level=0,Desc=HTTP" condition="is">80</SourcePort>
-			<SourcePort name="Level=0,Desc=HTTPS" condition="is">443</SourcePort>
-			<SourcePort name="Level=0,Desc=LDAPS" condition="is">636</SourcePort>
-			<SourcePort name="Level=0,Desc=VNC" condition="is">5900</SourcePort>
-			<SourcePort name="Level=0,Desc=HTTPS" condition="is">443</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=HTTP" condition="is">80</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=HTTPS" condition="is">443</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=LDAPS" condition="is">636</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=VNC" condition="is">5900</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=HTTPS" condition="is">443</SourcePort>
 			<!--Suspicious network connections-->
 			<DestinationHostname name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=4,Alert=Dynamic DNS Connection" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</DestinationHostname>
 		</NetworkConnect>
@@ -2815,7 +2815,7 @@
 			<Image condition="image">MSExchangeFrontendTransport.exe</Image>
 			<Image condition="image">MSExchangeHMWorker.exe</Image>
 			<Image condition="image">MSExchangeSubmission.exe</Image>
-			<Image name="Level=0,Desc=UNC Path Network Connections" condition="begin with">\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=UNC Path Network Connections" condition="begin with">\</Image>
 		</NetworkConnect>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->
@@ -2827,18 +2827,18 @@
 		<!--COMMENT:	Useful data in building infection timelines.-->
 		<RuleGroup name="RG=ProcessTerminate Include Group" groupRelation="or">
 		<ProcessTerminate onmatch="include">
-			<Rule name="Level=0,Desc=Process Termination Events in Windows Directory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination Events in Windows Directory" groupRelation="and">
 				<Image condition="begin with">C:\Windows\</Image>
 				<Image condition="excludes">\System32\;Syswow64;sysmon.exe;sysmon64.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Process Termination Events in System32" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination Events in System32" groupRelation="and">
 				<Image condition="begin with">C:\Windows\system32\</Image>
 				<Image condition="excludes">config\systemprofile\</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Process Termination of Sysmon" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination of Sysmon" groupRelation="and">
 				<Image condition="contains any">C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Process Termination Events in Root folders" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination Events in Root folders" groupRelation="and">
 				<Image condition="contains any">A:\;B:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;L:\;M:\;N:\;O:\;P:\;Q:\;R:\;S:\;T:\;U:\;V:\;W:\;X:\;Y:\;Z:\;AA:\;BB:\;CC:\;DD:\;EE:\;FF:\;GG:\;HH:\;II:\;JJ:\;KK:\;LL:\;MM:\;NN:\;OO:\;PP:\;QQ:\;RR:\;SS:\;TT:\;UU:\;VV:\;WW:\;XX:\;YY;ZZ:\</Image>
 				<Image condition="excludes">:\PROGRA~</Image>
 				<Image condition="excludes">:\Program Files</Image>
@@ -2852,29 +2852,29 @@
 				<Image condition="excludes">:\$WinREAgent</Image>
 				<Image condition="excludes">:\inetpub\</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Process Termination Events of UNC File Paths" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination Events of UNC File Paths" groupRelation="and">
 				<Image condition="begin with">\</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Process Termination Events in Users Directory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination Events in Users Directory" groupRelation="and">
 				<Image condition="begin with">C:\Users\</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Process Termination Events in ProgramData Directory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination Events in ProgramData Directory" groupRelation="and">
 				<Image condition="begin with">C:\ProgramData\</Image>
 				<Image condition="excludes any">C:\ProgramData\sysmon\sysmon64.exe;C:\ProgramData\sysmon\sysmon.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Process Termination Events in Program Files Directories" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination Events in Program Files Directories" groupRelation="and">
 				<Image condition="contains any">C:\Program Files;C:\PROGRA~</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Process Termination Events in inetpub Directories" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination Events in inetpub Directories" groupRelation="and">
 				<Image condition="begin with">C:\inetpub\</Image>
 			</Rule>
 		<!-- Useful data in building infection timelines.-->
 			<Image name="Attack=T1036,Tactic=Masquerading,Technique=Defense Evasion,Level=4,Alert=Process Termination in Recyclebin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
 			<Image name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=0,Desc=Process Terminate: Killing of Log Shippers" condition="contains any">packetbeat.exe;metricbeat.exe;filebeat.exe;winlogbeat.exe;o365beat.exe;graylog-sidecar.exe;graylog-collector-sidecar.exe;splunkd.exe;splunk.exe;syslogng.exe;syslog-ng.exe;nxlog-processor.exe;snarecore.exe;fluentd;td-agent</Image>
-			<Image name="Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
-			<Image name="Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\sysWOW64\config\systemprofile\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\sysWOW64\config\systemprofile\</Image>
 			<Image condition="contains">\Temp\</Image>
-			<Image name="Level=0,Desc=User Process Terminations" condition="contains">C:\Users\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User Process Terminations" condition="contains">C:\Users\</Image>
 		</ProcessTerminate>
 	</RuleGroup>
 	<RuleGroup name="RG=ProcessTerminate Exclude Group" groupRelation="or">
@@ -2899,14 +2899,14 @@
 			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=PWDump6 driver loaded,Risk=100" condition="contains">lsremora</ImageLoaded>
 			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=wceaux.dll driver loaded,Risk=100" condition="contains">wceaux.dll</ImageLoaded>
 			<ImageLoaded name="Attack=T1040,Tactic=Discovery,Technique=Network Sniffing,Level=4,Alert=NPCap packet capture driver loaded,Risk=100" condition="contains">npcap</ImageLoaded>
-			<ImageLoaded name="Level=0,Desc=Driver Loaded in Temp" condition="contains">\Temp</ImageLoaded>
-			<ImageLoaded name="Level=0,Desc=Driver Loaded in Users Directories" condition="contains">:\Users</ImageLoaded>
+			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Driver Loaded in Temp" condition="contains">\Temp</ImageLoaded>
+			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Driver Loaded in Users Directories" condition="contains">:\Users</ImageLoaded>
 			<Signature name="Attack=T1019,Technique=System Firmware,Tactic=Persistence,Level=4,Alert=UEFI Rootkit detection,Risk=100" condition="contains">ChongKim Chan</Signature>
 			<SignatureStatus condition="contains">?</SignatureStatus>
 			<SignatureStatus condition="contains">Revoked</SignatureStatus>
 			<SignatureStatus condition="contains">Unavailable</SignatureStatus>
 			<SignatureStatus condition="contains">Valid</SignatureStatus>
-			<Signed name="Level=0,Desc=Unsigned Driver loaded into Kernel" condition="contains">false</Signed>
+			<Signed name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Unsigned Driver loaded into Kernel" condition="contains">false</Signed>
 		</DriverLoad>
 	</RuleGroup>
 	<RuleGroup name="RG=DriverLoad Exclude Group" groupRelation="or">
@@ -2924,12 +2924,12 @@
 				<Image condition="is">msdt.exe</Image>
 				<ImageLoaded condition="contains">sdiageng.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=VBE7 Macro Image Loads with wshom,Risk=70" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=VBE7 Macro Image Loads with wshom,Risk=70" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wshom.ocx</ImageLoaded>
 				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Suspicious Process Loading ntkrnlmp.exe,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Process Loading ntkrnlmp.exe,Risk=50" groupRelation="and">
 				<ImageLoaded condition="image">ntkrnlmp.exe</ImageLoaded>
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,CVE=CVE-2021-1675,Level=0,Desc=Printer Expoit,Risk=100" groupRelation="and">
@@ -2943,7 +2943,7 @@
 				<ImageLoaded condition="contains any">\Users\Public\;\Desktop\;\Downloads\;\AppData\Local\Temp\;\PerfLogs\;$Recycle;\Fonts\</ImageLoaded>
 				<ImageLoaded condition="excludes any">\Program Files</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Equation editor loading itself,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Equation editor loading itself,Risk=50" groupRelation="and">
 				<Image condition="image">EQNEDT32.EXE</Image>
 				<ImageLoaded condition="contains">EQNEDT32.EXE</ImageLoaded>
 			</Rule>
@@ -2955,87 +2955,87 @@
 				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
 				<Image condition="contains any">wscript.exe;cscript.exe;powershell.exe;rundll32.exe;msbuild.exe;msiexec.exe;csc.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=VBE6 Macro Image Loads with wshom,Risk=40" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=VBE6 Macro Image Loads with wshom,Risk=40" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wshom.ocx</ImageLoaded>
 				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll;fastprox.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=VBE7 Macro Image Loads with wmi,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=VBE7 Macro Image Loads with wmi,Risk=30" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=VBE6 Macro Image Loads with wmi,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=VBE6 Macro Image Loads with wmi,Risk=50" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Office taskschd.dll Load" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office taskschd.dll Load" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=WScript taskschd.dll Load" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WScript taskschd.dll Load" groupRelation="and">
 				<Image condition="contains any">wscript.exe;cscript.exe</Image>
 				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=WMI taskschd.dll Load" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WMI taskschd.dll Load" groupRelation="and">
 				<Image condition="image">wmiprvse.exe</Image>
 				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Powershell Loading MSI.dll" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powershell Loading MSI.dll" groupRelation="and">
 				<Image condition="image">powershell.exe</Image>
 				<ImageLoaded condition="is">msi.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Powershell Loading AMSI.dll" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powershell Loading AMSI.dll" groupRelation="and">
 				<Image condition="contains">powershell</Image>
 				<ImageLoaded condition="is">amsi.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Powershell Not Loading AMSI.dll" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powershell Not Loading AMSI.dll" groupRelation="and">
 				<Image condition="excludes">powershell</Image>
 				<ImageLoaded condition="is">amsi.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Office clr.dll Load" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office clr.dll Load" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="is">clr.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Suspicious clr windows management dll Load" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious clr windows management dll Load" groupRelation="and">
 				<ImageLoaded condition="contains all">clr.dll;System.Management.ni.dll;Microsoft.Build.Utilities</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Wscript Internet Access library Loads" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Wscript Internet Access library Loads" groupRelation="and">
 				<Image condition="contains any">wscript.exe;cscript.exe</Image>
 				<ImageLoaded condition="contains all">msxml;wshom.ocx</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Wscript Internet Access library Loads 2" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Wscript Internet Access library Loads 2" groupRelation="and">
 				<Image condition="contains any">wscript.exe;cscript.exe</Image>
 				<ImageLoaded condition="contains all">winhttp.dll;mswsock.dll;IPHLPAPI.DLL</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Interesting Installutil DLL Loads" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Interesting Installutil DLL Loads" groupRelation="and">
 				<Image condition="contains any">installutil.exe</Image>
 				<ImageLoaded condition="contains all">CustomMarshalers.dll;CustomMarshalers.ni.dll;System.Management.ni.dll;WMINet_Utils.dll;mswsock.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Automation NI DLL Loaded" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Automation NI DLL Loaded" groupRelation="and">
 				<ImageLoaded condition="end with">System.Management.Automation.ni.dll</ImageLoaded>
 				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Automation DLL Loaded" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Automation DLL Loaded" groupRelation="and">
 				<ImageLoaded condition="end with">System.Management.Automation.dll</ImageLoaded>
 				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
 				<ImageLoaded condition="excludes any">Lenovo.Vantage.AddinHost;\Microsoft.Sara.exe;C:\Program Files\CONEXANT</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Credential Manager DLL Loaded" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Credential Manager DLL Loaded" groupRelation="and">
 				<ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded>
 				<Image condition="excludes any">\svchost.exe;\GameBar.exe;C:\Program Files\WindowsApps;\Microsoft\Teams\current\Teams.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=UNC Path Image Loaded" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=UNC Path Image Loaded" groupRelation="and">
 				<ImageLoaded condition="begin with">\\</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=WLL Office Application Startup" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WLL Office Application Startup" groupRelation="and">
 				<ImageLoaded condition="contains">\Microsoft\Word\Startup\</ImageLoaded>
 				<ImageLoaded condition="end with">.wll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=XLL Office Application Startup" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=XLL Office Application Startup" groupRelation="and">
 				<ImageLoaded condition="contains">\Microsoft\Excel\Startup\</ImageLoaded>
 				<ImageLoaded condition="end with">.xll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Office Application Startup Generic" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Application Startup Generic" groupRelation="and">
 				<ImageLoaded condition="contains">\Microsoft\Addins\</ImageLoaded>
 				<ImageLoaded condition="contains any">.xla</ImageLoaded>
 			</Rule>
@@ -3059,14 +3059,14 @@
 				<ImageLoaded condition="excludes">shcore.dll</ImageLoaded>
 				<ImageLoaded condition="excludes">srvcli.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Potential C3 Framework,Risk=100" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential C3 Framework,Risk=100" groupRelation="and">
 				<ImageLoaded condition="contains all">odbc32.dll;winhttp.dll;netapi32.dll;SHLWAPI.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Explorer Loading Powershell in memory,Risk=100" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Explorer Loading Powershell in memory,Risk=100" groupRelation="and">
 				<Image condition="image">C:\Windows\Explorer.EXE</Image>
 				<ImageLoaded condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Programdata Image Loading exe Image from Programdata" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Programdata Image Loading exe Image from Programdata" groupRelation="and">
 				<Image condition="begin with">C:\ProgramData\</Image>
 				<ImageLoaded condition="begin with">C:\ProgramData\</ImageLoaded>
 				<ImageLoaded condition="end with">.exe</ImageLoaded>
@@ -3075,24 +3075,24 @@
 				<ImageLoaded condition="excludes">C:\ProgramData\Microsoft\Windows Defender\</ImageLoaded>
 				<ImageLoaded condition="excludes">C:\ProgramData\sysmon\sysmon64.exe</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
 				<ImageLoaded condition="contains any">C:\Users\Default\;C:\Users\Public\</ImageLoaded>
 				<ImageLoaded condition="end with">.exe</ImageLoaded>
 			</Rule>
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst image hashes,Risk=100" groupRelation="and">
 				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
 			</Rule>
-			<Rule name="Level=0,Desc=SVCHost loading Unsigned DLL" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SVCHost loading Unsigned DLL" groupRelation="and">
 				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
 				<Signed condition="is">false</Signed>
 			</Rule>
-			<Rule name="Level=0,Desc=Revoked Signature Libraries Loaded" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Revoked Signature Libraries Loaded" groupRelation="and">
 				<SignatureStatus condition="is">Revoked</SignatureStatus>
 			</Rule>
-			<Rule name="Level=0,Desc=Expired Signature Libraries Loaded" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Expired Signature Libraries Loaded" groupRelation="and">
 				<SignatureStatus condition="is">Expired</SignatureStatus>
 			</Rule>
-			<Rule name="Level=4,Alert=HTA Exec with IE JS Engine AMSI Bypass" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=HTA Exec with IE JS Engine AMSI Bypass" groupRelation="and">
 				<ImageLoaded condition="end with">jscript9.dll</ImageLoaded>
 				<Image condition="image">mshta.exe</Image>
 			</Rule>
@@ -3119,20 +3119,20 @@
 				<Image condition="excludes">C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_</Image>
 				<Image condition="excludes">C:\Windows\explorer.exe</Image>
 			</Rule>
-			<ImageLoaded name="Level=0,Desc=Global Assembly Cache Load" condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
+			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Global Assembly Cache Load" condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
 		</ImageLoad>
 	</RuleGroup>
 	<RuleGroup name="RG=Image Load Excludes" groupRelation="or">
 		<ImageLoad onmatch="exclude">
-			<Rule name="Level=0,Desc=XLL Office Application Startup removal" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=XLL Office Application Startup removal" groupRelation="and">
 				<Image condition="contains">\Microsoft Office\</Image>
 				<ImageLoaded condition="end with">\mscorlib.ni.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=XLL Office Application Startup removal" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=XLL Office Application Startup removal" groupRelation="and">
 				<Image condition="contains">\Microsoft Office\</Image>
 				<ImageLoaded condition="end with">\sppc.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Level=0,Desc=SVCHost Signed DLL" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SVCHost Signed DLL" groupRelation="and">
 				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
 				<Signed condition="is">true</Signed>
 			</Rule>
@@ -3286,10 +3286,10 @@
 			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=PssCaptureSnapShot,Risk=50" groupRelation="and">
 				<CallTrace condition="contains">C:\Windows\System32\KernelBase.dll+de67e</CallTrace>
 			</Rule>
-			<Rule name="Level=0,Desc=Dotnet Debugging detected,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Dotnet Debugging detected,Risk=30" groupRelation="and">
 				<CallTrace condition="contains">ntdll.dll+a0044</CallTrace>
 			</Rule>
-			<Rule name="Level=0,Alert=DInvoke detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Alert=DInvoke detected,Risk=100" groupRelation="and">
 				<CallTrace condition="contains any">clr.dll+6c23;clr.dll+6b38</CallTrace>
 			</Rule>
 			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 1,Risk=30" groupRelation="and">
@@ -3342,7 +3342,7 @@
 				<GrantedAccess>0x1F3FFF</GrantedAccess>
 				<CallTrace condition="contains any">C:\Windows\Microsoft.NET;UNKNOWN</CallTrace>
 			</Rule>
-			<Rule name="Level=0,Desc=Suspicious Process Accessing Sysmon,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Process Accessing Sysmon,Risk=50" groupRelation="and">
 				<SourceImage condition="end with">.exe</SourceImage>
 				<TargetImage condition="contains any">C:\Windows\sysmon64.exe;C:\Windows\sysmon64.exe</TargetImage>
 				<GrantedAccess>0x1C00</GrantedAccess>
@@ -3372,11 +3372,11 @@
 				<TargetImage condition="excludes">C:\Windows\system32\lsass.exe</TargetImage>
 				<SourceImage condition="excludes">C:\wfx32\</SourceImage>
 			</Rule>
-			<Rule name="Level=0,Desc=Powershell accessing another process memory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powershell accessing another process memory" groupRelation="and">
 				<SourceImage condition="image">powershell.exe</SourceImage>
 				<TargetImage condition="excludes any">C:\Programdata\sysmon\sysmon64.exe;C:\Programdata\sysmon\sysmon.exe;C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe;\dismhost.exe</TargetImage>
 			</Rule>
-			<Rule name="Level=0,Desc=Potential Keylogger detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Keylogger detected,Risk=100" groupRelation="and">
 				<CallTrace condition="contains">getasynckeystate</CallTrace>
 			</Rule>
 			<Rule name="Attack=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=CMSTP UAC Bypass" groupRelation="and">
@@ -3426,8 +3426,8 @@
 				<TargetImage condition="excludes">C:\WINDOWS\system32\sihost.exe</TargetImage>
 				<TargetImage condition="excludes">C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub</TargetImage>
 			</Rule>
-			<CallTrace name="Level=4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
-			<Rule name="Level=4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
+			<CallTrace name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
 				<CallTrace condition="contains">|UNKNOWN(</CallTrace>
 				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
 				<CallTrace condition="contains">|C:\WINDOWS\System32\KERNELBASE.dll+</CallTrace>
@@ -3435,11 +3435,11 @@
 				<GrantedAccess condition="contains any">0x1028;0x1fffff</GrantedAccess>
 				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git\</SourceImage>
 			</Rule>
-			<Rule name="Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
 				<SourceImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</SourceImage>
 				<CallTrace condition="contains all">:\Windows\Microsoft.NET\Framework64\v2.;UNKNOWN</CallTrace>
 			</Rule>
-			<Rule name="Level=4,Alert=Potential Metasploit Process Migration" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Potential Metasploit Process Migration" groupRelation="and">
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 				<GrantedAccess condition="contains">0x147a</GrantedAccess>
 			</Rule>
@@ -3460,12 +3460,12 @@
 			<GrantedAccess name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=70">0x810</GrantedAccess>
 			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
 			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Risk=70">0x820</GrantedAccess>
-			<SourceImage name="Level=0,Desc=CScript accessing another process memory,Risk=30" condition="end with">cscript.exe</SourceImage>
-			<SourceImage name="Level=0,Desc=WScript accessing another process memory,Risk=30" condition="end with">wscript.exe</SourceImage>
+			<SourceImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CScript accessing another process memory,Risk=30" condition="end with">cscript.exe</SourceImage>
+			<SourceImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WScript accessing another process memory,Risk=30" condition="end with">wscript.exe</SourceImage>
 			<SourceImage condition="end with">jjs.exe</SourceImage>
 			<CallTrace name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">dump</CallTrace>
 			<CallTrace name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">mimikatz</CallTrace>
-			<CallTrace name="Level=0,Desc=ProcessAccess with CorperfmontExt.dll,Risk=70" condition="contains">CorperfmontExt.dll</CallTrace>
+			<CallTrace name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=ProcessAccess with CorperfmontExt.dll,Risk=70" condition="contains">CorperfmontExt.dll</CallTrace>
 		</ProcessAccess>
 	</RuleGroup>
 	<RuleGroup name="RG=ProcessAccess Exclude Group" groupRelation="or">
@@ -3488,7 +3488,7 @@
 			<SourceImage condition="end with">:\Windows\system32\sdiagnhost.exe</SourceImage>
 			<!-- In testing a common false-positive is memory space that DLLS would be expected to mapped to. -->
 			<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
-			<Rule name="Level=0,Desc=Direct System Call Events" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Direct System Call Events" groupRelation="and">
 				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\ntdll.dll</CallTrace>  
 				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\win32u.dll</CallTrace>
 				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\wow64win.dll</CallTrace>
@@ -3673,7 +3673,7 @@
 			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence" condition="end with">.XLSB</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<TargetFilename name="Level=0,Desc=Scheduled Task Modified" condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Scheduled Task Modified" condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
 			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
 			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=3,Alert=HAFNIUM APT: IIS Creating ASPX files outside of wwwwroot,Risk=80" groupRelation="and">
 				<Image condition="image">w3wp.exe</Image>
@@ -3704,13 +3704,13 @@
 				<TargetFilename condition="end with">.aspx</TargetFilename>
 				<TargetFilename condition="excludes any">\wwwroot\</TargetFilename>
 			</Rule>
-			<TargetFilename name="Level=0,Desc=Files dropped in Exchange ECP directory,Risk=80" condition="contains">\ecp\auth\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Files dropped in Exchange OAB directory,Risk=80" condition="contains">\oab\auth\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">ClientAccess\Owa\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">\owa\auth\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Files dropped in Exchange RPC directory,Risk=80" condition="contains">httpproxy\rpc\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Files dropped in Exchange ecp directory,Risk=80" condition="contains">ClientAccess\ecp\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Files dropped in wwwroot htdocs directory" condition="contains">\htdocs\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files dropped in Exchange ECP directory,Risk=80" condition="contains">\ecp\auth\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files dropped in Exchange OAB directory,Risk=80" condition="contains">\oab\auth\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">ClientAccess\Owa\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">\owa\auth\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files dropped in Exchange RPC directory,Risk=80" condition="contains">httpproxy\rpc\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files dropped in Exchange ecp directory,Risk=80" condition="contains">ClientAccess\ecp\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files dropped in wwwroot htdocs directory" condition="contains">\htdocs\</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
 
@@ -3761,7 +3761,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
 			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
 			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
-			<TargetFilename name="Level=0,Desc=WSL Locations" condition="contains">\LocalState\rootfs\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WSL Locations" condition="contains">\LocalState\rootfs\</TargetFilename>
 
 			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="or">
@@ -3773,8 +3773,8 @@
 				<TargetFilename condition="contains">\AppData\Temp\</TargetFilename>
 				<Image condition="excludes">C:\WINDOWS\system32\dxgiadaptercache.exe</Image>
 			</Rule>
-			<TargetFilename condition="contains" name="Level=0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
-			<Image condition="contains" name="Level=0,Desc=Files Created from">$Recycle.Bin</Image>
+			<TargetFilename condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
+			<Image condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files Created from">$Recycle.Bin</Image>
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Files Created within System Profile" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 				<TargetFilename condition="contains">\config\systemprofile\</TargetFilename>
@@ -3899,9 +3899,9 @@
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ISO Archive" condition="end with">.iso</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=LZM Archive" condition="end with">.lzm</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=LZMA Archive" condition="end with">.lzma</TargetFilename>
-			<TargetFilename name="Level=0,Desc=RAR Archive Extraction" condition="contains">Temp\Rar$</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=RAR Archive Extraction" condition="contains">Temp\Rar$</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=RAR Archive" condition="end with">.rar</TargetFilename>
-			<TargetFilename name="Level=0,Desc=RAR SFX Archive Extraction" condition="contains">RarSFX</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=RAR SFX Archive Extraction" condition="contains">RarSFX</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=SFX Archive" condition="end with">.sfx</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=SZ Archive" condition="end with">.sz</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=TAR Archive" condition="end with">.tar</TargetFilename>
@@ -3941,11 +3941,11 @@
 			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
 			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created by Teamviewer" condition="is">Teamviewer.exe</Image>
-			<Image name="Level=0,Desc=File Created by rundll32" condition="is">rundll32.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Created by rundll32" condition="is">rundll32.exe</Image>
 			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created with Remote Desktop Client" condition="is">mstsc.exe</Image>
-			<Image name="Level=0,Desc=File Created with command shell,Risk=30" condition="is">cmd.exe</Image>
-			<Image name="Level=0,Desc=File Dropped with IronPython.exe,Risk=50" condition="is">ipy.exe</Image>
-			<Image name="Level=0,Desc=File Dropped with WScript.exe,Risk=30" condition="is">WScript.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Created with command shell,Risk=30" condition="is">cmd.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Dropped with IronPython.exe,Risk=50" condition="is">ipy.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Dropped with WScript.exe,Risk=30" condition="is">WScript.exe</Image>
 			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with cscript.exe,Risk=30" condition="is">cscript.exe</Image>
 			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with mshta.exe,Risk=100" condition="is">mshta.exe</Image>
 			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with python.exe,Risk=30" condition="is">python.exe</Image>
@@ -4009,88 +4009,88 @@
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<!--UEBA Detections-->
-			<Rule name="Level=0,Desc=Suspicious files within Content.IE5,Risk=40" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious files within Content.IE5,Risk=40" groupRelation="and">
 				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
 				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.dll</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Unusual OLE ActiveX execution from Microsoft Office,Risk=20" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Unusual OLE ActiveX execution from Microsoft Office,Risk=20" groupRelation="and">
 				<TargetFilename condition="contains any">MSForms.exd</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=New Executable File Detected in System32" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New Executable File Detected in System32" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename> 
 				<TargetFilename condition="begin with">C:\windows\system32\</TargetFilename> 
 			</Rule>
-			<Rule name="Level=0,Desc=New Executable File Detected in Windows Directory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New Executable File Detected in Windows Directory" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename> 
 				<TargetFilename condition="begin with">C:\windows\</TargetFilename> 
 				<TargetFilename condition="excludes">\system32\</TargetFilename> 
 			</Rule>
-			<Rule name="Level=0,Desc=New Executable File Detected Outside Windows Directory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New Executable File Detected Outside Windows Directory" groupRelation="and">
 				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
 				<TargetFilename condition="excludes">C:\windows\</TargetFilename> 
 				<TargetFilename condition="excludes">C:\Users\</TargetFilename> 
 			</Rule>
-			<Rule name="Level=0,Desc=New Executable File Detected Inside User Directory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New Executable File Detected Inside User Directory" groupRelation="and">
 				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
 				<TargetFilename condition="begin with">C:\Users\</TargetFilename> 
 			</Rule>
-			<Rule name="Level=0,Desc=WLL Office Application Startup" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WLL Office Application Startup" groupRelation="and">
 				<TargetFilename condition="contains">\Microsoft\Word\Startup\</TargetFilename>
 				<TargetFilename condition="end with">.wll</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc= Windows Defender Application Control changes" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc= Windows Defender Application Control changes" groupRelation="and">
 				<TargetFilename condition="begin with">C:\windows\system32\CodeIntegrity\</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=XLL Office Application Startup" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=XLL Office Application Startup" groupRelation="and">
 				<TargetFilename condition="contains">\Microsoft\Excel\Startup\</TargetFilename>
 				<TargetFilename condition="end with">.xll</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Outlook Macro Execution,Risk=90" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Outlook Macro Execution,Risk=90" groupRelation="and">
 				<TargetFilename condition="end with">\Microsoft\Outlook\VbaProject.OTM</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Office Application Startup Generic" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Application Startup Generic" groupRelation="and">
 				<TargetFilename condition="contains">\Microsoft\Addins\</TargetFilename>
 				<TargetFilename condition="contains any">.xla</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Office VSTO Addin detected,Risk=20" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office VSTO Addin detected,Risk=20" groupRelation="and">
 				<TargetFilename condition="end with">.vsto</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=New bat file dropped to C:\Windows\,Risk=70" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New bat file dropped to C:\Windows\,Risk=70" groupRelation="and">
 				<TargetFilename condition="end with">.bat</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 				<Image condition="excludes any">C:\ProgramData\Lenovo\SystemUpdate\sessionSE\</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=New dll file dropped to C:\Windows\" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New dll file dropped to C:\Windows\" groupRelation="and">
 				<TargetFilename condition="end with">.dll</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=New Driver sys file dropped to C:\Windows\" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New Driver sys file dropped to C:\Windows\" groupRelation="and">
 				<TargetFilename condition="end with">.sys</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=New Exe file dropped to C:\Windows\" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New Exe file dropped to C:\Windows\" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 				<TargetFilename condition="excludes any">C:\Windows\System32\;C:\windows\syswow64\</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=New Exe file dropped to C:\Windows\System32" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New Exe file dropped to C:\Windows\System32" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=New Exe file dropped to C:\Windows\System32" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New Exe file dropped to C:\Windows\System32" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\SysWow64\</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=New theme: Credential harvesting" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New theme: Credential harvesting" groupRelation="and">
 				<TargetFilename condition="end with">.theme</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Interesting files: Microsoft Office Isolated Conversion Environment" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Interesting files: Microsoft Office Isolated Conversion Environment" groupRelation="and">
 				<TargetFilename condition="contains">\Packages\oice_</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Virtualbox VM Escape" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Virtualbox VM Escape" groupRelation="and">
 				<Image condition="image">VirtualboxVM.exe</Image>
 			</Rule>
-			<Image name="Level=0,Desc=Files edited with Notepad Plus Plus" condition="is">notepad++.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files edited with Notepad Plus Plus" condition="is">notepad++.exe</Image>
 			<TargetFilename name="Attack=T1023,Technique=Shortcut Modification,Tactic=Persistence,Level=4,Alert=Potential LNK Malware File Downloaded">.lnk:Zone.Identifier</TargetFilename>
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\cscript.exe.log</TargetFilename>
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\mshta.exe.log</TargetFilename>
@@ -4102,47 +4102,47 @@
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wscript.exe.log</TargetFilename>
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\regsvr32.exe.log</TargetFilename>
 			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Winrm Host Process" condition="end with">\UsageLogs\wsmprovhost.exe.log</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Link">.lnk</TargetFilename>
-			<TargetFilename name="Level=0,Desc=URL">.url</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Link">.lnk</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=URL">.url</TargetFilename>
 			<!--Drivers dropped-->
-			<TargetFilename name="Level=0,Desc=Driver" condition="end with">.sys</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Driver INF" condition="end with">.inf</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\System32\Drivers</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Driver File Dropped" condition="contains">\Drivers\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Driver" condition="end with">.sys</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Driver INF" condition="end with">.inf</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\System32\Drivers</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Driver File Dropped" condition="contains">\Drivers\</TargetFilename>
 			<TargetFilename condition="end with">.drv</TargetFilename> 
 			<!--Microsoft Office File Monitoring-->
-			<TargetFilename name="Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlam</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlsm</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xla</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xll</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xls</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xlsb</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xlsx</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xlt</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xltm</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Excel" condition="end with">.xlw</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Office Template created" condition="contains">\Microsoft\Templates\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Outlook EML" condition="end with">.eml</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Outlook MSG" condition="end with">.msg</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Powerpoint Macro" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.potm</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Powerpoint OpenXML Filetype" condition="end with">.sldm</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Recent Office Files" condition="contains">\Microsoft\Office\Recent</TargetFilename>
-			<TargetFilename name="Forensic=Recent Office History" condition="contains">oleObject</TargetFilename>
-			<TargetFilename name="Level=0,Desc=User Downloaded Files" condition="contains">\Downloads\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=User Outlook Attachments" condition="contains">\Content.Outlook\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Word Macro,Risk=30" condition="end with">.docb</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Word Macro,Risk=30" condition="end with">.wbk</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Word Perfect" condition="end with">.ped</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Word Template" condition="end with">.dot</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Word Template" condition="end with">.dotx</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Word" condition="end with">.doc</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Word" condition="end with">.docm</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Word" condition="end with">.docx</TargetFilename>
-			<Rule name="Level=0,Desc=Legacy Office files" groupRelation="or">
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlam</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlsm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel" condition="end with">.xla</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel" condition="end with">.xll</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel" condition="end with">.xls</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel" condition="end with">.xlsb</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel" condition="end with">.xlsx</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel" condition="end with">.xlt</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel" condition="end with">.xltm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel" condition="end with">.xlw</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Template created" condition="contains">\Microsoft\Templates\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Outlook EML" condition="end with">.eml</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Outlook MSG" condition="end with">.msg</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powerpoint Macro" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.potm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powerpoint OpenXML Filetype" condition="end with">.sldm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Recent Office Files" condition="contains">\Microsoft\Office\Recent</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Forensic=Recent Office History" condition="contains">oleObject</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User Downloaded Files" condition="contains">\Downloads\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User Outlook Attachments" condition="contains">\Content.Outlook\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word Macro,Risk=30" condition="end with">.docb</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word Macro,Risk=30" condition="end with">.wbk</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word Perfect" condition="end with">.ped</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word Template" condition="end with">.dot</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word Template" condition="end with">.dotx</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word" condition="end with">.doc</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word" condition="end with">.docm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word" condition="end with">.docx</TargetFilename>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Legacy Office files" groupRelation="or">
 				<TargetFilename condition="end with">.accdb</TargetFilename>
 				<TargetFilename condition="end with">.accde</TargetFilename>
 				<TargetFilename condition="end with">.accdr</TargetFilename>
@@ -4165,7 +4165,7 @@
 				<TargetFilename condition="end with">.xps</TargetFilename>
 			</Rule>
 			<!--SECTION: Certificates -->
-			<Rule name="Level=0,Desc=Certificate" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Certificate" groupRelation="or">
 				<TargetFilename condition="end with">.pem</TargetFilename>
 				<TargetFilename condition="end with">.crt</TargetFilename>
 				<TargetFilename condition="end with">.ca-bundle</TargetFilename>
@@ -4183,7 +4183,7 @@
 				<TargetFilename condition="end with">.key</TargetFilename>
 			</Rule>
 			<!-- side loading -->
-			<Rule name="Level=0,Desc=Sideload Detection" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Sideload Detection" groupRelation="or">
 				<TargetFilename condition="end with">.hlp</TargetFilename>
 				<TargetFilename condition="end with">ACLUI.DLL.UI</TargetFilename>
 				<TargetFilename condition="end with">ACLUI.DLL</TargetFilename>
@@ -4272,64 +4272,64 @@
 				<TargetFilename condition="end with">wts.chm</TargetFilename>
 				<TargetFilename condition="end with">credwiz.exe</TargetFilename>
 			</Rule>
-			<TargetFilename name="Level=0,Desc=Op cell phone: https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" condition="end with">ssMUIDLL.dll</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Op cell phone: https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" condition="end with">ssMUIDLL.dll</TargetFilename>
 			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">aepic.dll</TargetFilename>
 			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">ftllib.dll</TargetFilename>
 			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">userenv.dll</TargetFilename>
 			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP Bitmap Cache" condition="contains">\Terminal Server Client\Cache\</TargetFilename>
 			<TargetFilename name="Attack=T1204,Technique=User Execution,Tactic=Execution,Forensic=Windows Prefetch Exec History" condition="begin with">C:\Windows\Prefetch</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Suspicious TSClient share file creation,Risk=30" condition="begin with">\\tsclient</TargetFilename>
-			<TargetFilename name="Level=0,Desc=WebDav Cache Files Created" condition="begin with">C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious TSClient share file creation,Risk=30" condition="begin with">\\tsclient</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WebDav Cache Files Created" condition="begin with">C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\</TargetFilename>
 			<TargetFilename name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=4,Alert=SharpDump bin,Risk=100" condition="end with">\Temp\debug.bin</TargetFilename>
-			<TargetFilename name="Level=0,Desc=7zip Archive Extraction" condition="contains">Temp\7z</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Appcompat Shims" condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename>
-			<TargetFilename name="Level=0,Desc=CHM Filetype" condition="end with">.chm</TargetFilename>
-			<TargetFilename name="Level=0,Desc=CIA Vault7: Control Panel Files https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="end with">.cpl</TargetFilename>
-			<TargetFilename name="Level=0,Desc=CIA Vault7: https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="contains">.mht</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Chrome Extensions" condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Chrome extension" condition="end with">.crx</TargetFilename>
-			<TargetFilename name="Level=0,Desc=ClickOnce extension" condition="end with">.appref-ms</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Desktop Gadget File" condition="end with">.gadget</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Encrypted JScript File type" condition="end with">.JSE</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Executable file" condition="end with">.exe</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Explorer Command" condition="end with">.scf</TargetFilename>
-			<TargetFilename name="Level=0,Desc=File Dropped to Exchange OWA: Webshell,Risk=70" condition="contains">Exchange Server\ClientAccess\Owa\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=File Dropped to shadow copy" condition="begin with">\Device\HarddiskVolumeShadowCopy</TargetFilename>
-			<TargetFilename name="Level=0,Desc=File created/accessed from Zip File" condition="contains">.zip\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Font File Type" condition="end with">.FON</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Font File Type" condition="end with">.FOT</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename>
-			<TargetFilename name="Level=0,Desc=IQY file used to pull down dropper" condition="end with">.iqy</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Icon" condition="end with">.ico</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Internet settings" condition="end with">.isp</TargetFilename>
-			<TargetFilename name="Level=0,Desc=MMC Snapin" condition="end with">.msc</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Manifest File Crated" condition="end with">.manifest</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Memory dump" condition="end with">MEMORY.dmp</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Microsoft Installer" condition="end with">.msi</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.cs</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.customDestinations-ms</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Minidump Crash dump created" condition="begin with">C:\Windows\Minidump</TargetFilename>
-			<TargetFilename name="Level=0,Desc=PAF" condition="end with">.PAF</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=7zip Archive Extraction" condition="contains">Temp\7z</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Appcompat Shims" condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CHM Filetype" condition="end with">.chm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CIA Vault7: Control Panel Files https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="end with">.cpl</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CIA Vault7: https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="contains">.mht</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Chrome Extensions" condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Chrome extension" condition="end with">.crx</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=ClickOnce extension" condition="end with">.appref-ms</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Desktop Gadget File" condition="end with">.gadget</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Encrypted JScript File type" condition="end with">.JSE</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Executable file" condition="end with">.exe</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Explorer Command" condition="end with">.scf</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Dropped to Exchange OWA: Webshell,Risk=70" condition="contains">Exchange Server\ClientAccess\Owa\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Dropped to shadow copy" condition="begin with">\Device\HarddiskVolumeShadowCopy</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File created/accessed from Zip File" condition="contains">.zip\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Font File Type" condition="end with">.FON</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Font File Type" condition="end with">.FOT</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IQY file used to pull down dropper" condition="end with">.iqy</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Icon" condition="end with">.ico</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Internet settings" condition="end with">.isp</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=MMC Snapin" condition="end with">.msc</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Manifest File Crated" condition="end with">.manifest</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Memory dump" condition="end with">MEMORY.dmp</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Microsoft Installer" condition="end with">.msi</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.cs</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.customDestinations-ms</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Minidump Crash dump created" condition="begin with">C:\Windows\Minidump</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=PAF" condition="end with">.PAF</TargetFilename>
 			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP Bitmap Cache" condition="end with">.bmc</TargetFilename>
 			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP" condition="end with">.rdp</TargetFilename>
-			<TargetFilename name="Level=0,Desc=RTF files often 0day malware vectors when opened by Office,Risk=20" condition="end with">.rtf</TargetFilename> 
-			<TargetFilename name="Level=0,Desc=Registry file" condition="end with">.reg</TargetFilename>
-			<TargetFilename name="Level=0,Desc=SHS Office File for copy pastes" condition="end with">.SHS</TargetFilename>
-			<TargetFilename name="Level=0,Desc=SLK file used for command execution" condition="end with">.slk</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Screensaver" condition="end with">.SCR</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Set" condition="end with">.set</TargetFilename>
-			<TargetFilename name="Level=0,Desc=SettingContent-ms" condition="end with">.SettingContent-ms</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Spooled Print Job" condition="end with">.SHD</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Spooled Print Job" condition="end with">.SPL</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Screensaver file created" condition="end with">.scr</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Vault7 file" condition="end with">HammerDrillStatus.dll</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Windows Error Dumps" condition="contains">Microsoft\Windows\WER\</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Windows Icon" condition="end with">.ICL</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Windows Registry Database" condition="end with">.sdb</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Windows Script File Component File" condition="end with">.SCT</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Windows Shell Scrap Object Handler File" condition="end with">.SHB</TargetFilename>
-			<TargetFilename name="Level=0,Desc=Zip File Extraction from explorer" condition="contains">Temp\Temp1_</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=RTF files often 0day malware vectors when opened by Office,Risk=20" condition="end with">.rtf</TargetFilename> 
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Registry file" condition="end with">.reg</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SHS Office File for copy pastes" condition="end with">.SHS</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SLK file used for command execution" condition="end with">.slk</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Screensaver" condition="end with">.SCR</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Set" condition="end with">.set</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SettingContent-ms" condition="end with">.SettingContent-ms</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Spooled Print Job" condition="end with">.SHD</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Spooled Print Job" condition="end with">.SPL</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Screensaver file created" condition="end with">.scr</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Vault7 file" condition="end with">HammerDrillStatus.dll</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Error Dumps" condition="contains">Microsoft\Windows\WER\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Icon" condition="end with">.ICL</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Registry Database" condition="end with">.sdb</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Script File Component File" condition="end with">.SCT</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Scrap Object Handler File" condition="end with">.SHB</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Zip File Extraction from explorer" condition="contains">Temp\Temp1_</TargetFilename>
 			<!--Uncategorized-->
 			<TargetFilename condition="contains all">\Microsoft\;CLR_v;\UsageLogs\</TargetFilename>
 			<TargetFilename condition="end with">.ade</TargetFilename>
@@ -4387,33 +4387,33 @@
 			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
 			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
 			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<Rule name="Forensic=RDP Connection History Tracking" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Forensic=RDP Connection History Tracking" groupRelation="and">
 				<TargetObject condition="contains">\Software\Microsoft\Terminal Server Client</TargetObject>
 				<TargetObject condition="excludes">DefaultPrinter</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
-			<TargetObject name="Level=0,Desc=Mounted Device Detection" condition="contains">MountedDevices</TargetObject>
-			<TargetObject name="Level=0,Desc=Mountpoints2 Mounted Device Detection" condition="contains">Mountpoints2</TargetObject>
-			<TargetObject name="Level=0,Desc=Active Setup Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Keyloggers and new Keyboards" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect USB Input Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect New Mice" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect New Composite Device" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect New Bluetooth Device" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974}</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect New Disk Drive" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect New WPD Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect New Biometric Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Mounted Device Detection" condition="contains">MountedDevices</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Mountpoints2 Mounted Device Detection" condition="contains">Mountpoints2</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Active Setup Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Keyloggers and new Keyboards" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect USB Input Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect New Mice" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect New Composite Device" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect New Bluetooth Device" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect New Disk Drive" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect New WPD Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect New Biometric Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
 			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
 			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
 			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
-			<Rule name="Level=0,Desc=Interactive Logon Detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Interactive Logon Detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\</TargetObject>
 				<TargetObject condition="end with">LoggedOnUser</TargetObject>
 			</Rule>
-			<TargetObject name="Level=0,Desc=Last Logged on User modification" condition="contains">LastLoggedOnUser</TargetObject>
-			<TargetObject name="Level=0,Desc=Last Logged on Provider modification" condition="contains">LastLoggedOnProvider</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Last Logged on User modification" condition="contains">LastLoggedOnUser</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Last Logged on Provider modification" condition="contains">LastLoggedOnProvider</TargetObject>
 			<!--MITRE ATT&CK TACTIC: Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
 			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
@@ -4459,10 +4459,10 @@
 			<Rule name="Attack=T0000,Level=4,Alert=NJRAT Detection,Risk=100" groupRelation="and">
 				<TargetObject condition="is">HKCU\di</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Lokibot Detection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Lokibot Detection" groupRelation="and">
 				<TargetObject condition="contains">HKCU\�</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=AMSI Tamper Detection" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AMSI Tamper Detection" groupRelation="or">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\AMSI\Providers\</TargetObject>
 				<TargetObject condition="begin with">hklm\software\microsoft\windows script\settings\amsienable</TargetObject>
 				<TargetObject condition="begin with">hkcu\software\microsoft\windows script\settings\amsienable</TargetObject>
@@ -4470,34 +4470,34 @@
 			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
 
 			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<Rule name="Level=0,Forensic=Chrome Extension auditing" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Chrome Extension auditing" groupRelation="and">
 				<TargetObject condition="contains">Google\Chrome\Extensions</TargetObject>
 				<TargetObject condition="end with">update_url</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
-			<Rule name="Level=0,Desc=Forced password reset detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Forced password reset detected" groupRelation="and">
 				<TargetObject condition="contains">ForcePasswordReset</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Machine Password Change Detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Machine Password Change Detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=User Last Password Changed" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User Last Password Changed" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
 				<TargetObject condition="end with">Last Password Change</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Account Expiration" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Account Expiration" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
 				<TargetObject condition="end with">Account Expiration</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Last Failed Logon" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Last Failed Logon" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
 				<TargetObject condition="end with">Last Failed Logon</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=User Account Added to Local Admin" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User Account Added to Local Admin" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=User Account Added to Remote Desktop User Group" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User Account Added to Remote Desktop User Group" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\0000022B\</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
@@ -4542,12 +4542,12 @@
 			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="contains">Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Print Processors-->
 			<TargetObject name="Attack=T1013,Technique=Port Monitors,Tactic=Persistence/Privilege Escalation" condition="contains">\Print\Monitors</TargetObject>
-			<!--<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">\Printers\Connections</TargetObject>
-			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">\Print\Environments\</TargetObject>
-			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">\Servers\Printers\</TargetObject>
-			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">\Print\V4 Connections</TargetObject>
-			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">CurrentVersion\PrinterPorts</TargetObject>
-			<TargetObject name="Level=0,Desc=Printer Registry Locations" condition="contains">SWD\PRINTENUM</TargetObject>-->
+			<!--<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Printer Registry Locations" condition="contains">\Printers\Connections</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Printer Registry Locations" condition="contains">\Print\Environments\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Printer Registry Locations" condition="contains">\Servers\Printers\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Printer Registry Locations" condition="contains">\Print\V4 Connections</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Printer Registry Locations" condition="contains">CurrentVersion\PrinterPorts</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Printer Registry Locations" condition="contains">SWD\PRINTENUM</TargetObject>-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
 			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
 			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
@@ -4563,7 +4563,7 @@
 				<EventType condition="is">CreateKey</EventType>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<Rule name="Level=3,Alert=Sysmon Manifest change detected,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=Sysmon Manifest change detected,Risk=30" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}</TargetObject>
 				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
 				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
@@ -4604,7 +4604,7 @@
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
 			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<TargetObject name="Level=0,Desc=KnownDLLs" condition="contains">Session Manager\KnownDlls</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=KnownDLLs" condition="contains">Session Manager\KnownDlls</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
@@ -4657,12 +4657,12 @@
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="contains">UserInitMprLogonScript</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=BootVerificationProgram Autorun" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Security Support Provider-->
-			<TargetObject name="Level=0,Desc=Monitor LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject>
-			<TargetObject name="Level=0,Desc=Monitor LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject>
-			<TargetObject name="Level=0,Desc=Monitor LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject>
-			<TargetObject name="Level=0,Desc=Monitor OS Config LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject>
-			<TargetObject name="Level=0,Desc=Monitor OS Config LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>
-			<TargetObject name="Level=0,Desc=Monitor OS Config LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor OS Config LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor OS Config LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor OS Config LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
 			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
@@ -4717,26 +4717,26 @@
 				<TargetObject condition="end with">SD</TargetObject>
 				<TargetObject condition="excludes any">Microsoft\Windows\UpdateOrchestrator</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Scheduled Task Creation ID Key" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Scheduled Task Creation ID Key" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
 				<TargetObject condition="end with">ID</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Scheduled Task Creation Author Key" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Scheduled Task Creation Author Key" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
 				<TargetObject condition="end with">Author</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Scheduled Task Creation Path Key" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Scheduled Task Creation Path Key" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
 				<TargetObject condition="end with">Path</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Scheduled Task Creation Date Key" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Scheduled Task Creation Date Key" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
 				<TargetObject condition="end with">Date</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Scheduled Task Added to Logon" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Scheduled Task Added to Logon" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Scheduled Task Added to Boot Time" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Scheduled Task Added to Boot Time" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
@@ -4760,7 +4760,7 @@
 				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
-			<TargetObject name="Level=0,Desc=Detect UAC Tampering" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect UAC Tampering" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
 			<TargetObject name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe</TargetObject>
 			<TargetObject name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">exefile\shell\runas\command\isolatedCommand</TargetObject>			
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
@@ -4775,7 +4775,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
 			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
 			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
-			<TargetObject name="Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
 			<Rule name="Attack=T1564.002,Technique=Hide Artifacts: Hidden Users,Tactic=Defense Evasion,Level=4,Alert=User Account Hidden From Logon Screen,Risk=100" groupRelation="and">
 				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\</TargetObject>
 				<TargetObject condition="end with">$</TargetObject>
@@ -4809,7 +4809,7 @@
 				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acro</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
-			<Rule name="Level=0,Desc=Task Manager Disablement Detection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Task Manager Disablement Detection" groupRelation="and">
 				<TargetObject condition="end with">DisableTaskMgr</TargetObject>
 				<Image condition="excludes">C:\WINDOWS\system32\svchost.exe</Image>
 				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
@@ -4837,45 +4837,45 @@
 				<TargetObject condition="contains">\Security\Level</TargetObject>
 				<Details condition="contains">DWORD (0x00000004)</Details>
 			</Rule>
-			<Rule name="Level=0,Desc=Outlook Security Changes" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Outlook Security Changes" groupRelation="and">
 				<TargetObject condition="contains">\Outlook\Security</TargetObject>
 				<!--Allow Outlook Details rules to fire-->
 				<TargetObject condition="excludes">\Security\Level</TargetObject>
 			</Rule>
-			<TargetObject name="Level=0,Desc=Word Security Changes" condition="contains">\Word\Security</TargetObject>
-			<TargetObject name="Level=0,Desc=Excel Security Changes" condition="contains">\Excel\Security</TargetObject>
-			<TargetObject name="Level=0,Desc=Detected Unauthorized changes to Office Security" condition="contains">\Security\Level1Remove</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word Security Changes" condition="contains">\Word\Security</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel Security Changes" condition="contains">\Excel\Security</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected Unauthorized changes to Office Security" condition="contains">\Security\Level1Remove</TargetObject>
 			<!--Detect if Microsoft Security Center is Disabled or Enabled-->
-			<TargetObject name="Level=0,Desc=Microsoft:Windows:Security Center: Malware timestimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/" condition="end with">\HideSCAHealth</TargetObject>
-			<TargetObject name="Level=0,Desc=Security Center AV Disabled Notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
-			<TargetObject name="Level=0,Desc=Security Center Disable UAC Notify Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
-			<TargetObject name="Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
-			<TargetObject name="Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
-			<TargetObject name="Level=0,Desc=Security Center Disablement of Update notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
-			<TargetObject name="Level=0,Desc=Security Center Firewall Override Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
-			<TargetObject name="Level=0,Desc=Security Center Tampering: All Alerts Disabled" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Microsoft:Windows:Security Center: Malware timestimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/" condition="end with">\HideSCAHealth</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center AV Disabled Notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center Disable UAC Notify Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center Disablement of Update notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center Firewall Override Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center Tampering: All Alerts Disabled" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
 			<!--Detect if Windows Defender is Disabled-->
 			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPSessionInterval</TargetObject>
 			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SystemRestorePointCreationFrequency</TargetObject>
 			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Detected disablement of machine password,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject>
-			<TargetObject name="Level=0,Desc=Monitor Secure Channel Protection changes,Risk=30" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection</TargetObject>
-			<TargetObject name="Level=0,Desc=Refuse PW Change for workstations" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Defender AntiSpyware Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Defender Behavior Monitoring Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Defender Real Time Protection Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Defender Spynet Reporting Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor Secure Channel Protection changes,Risk=30" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Refuse PW Change for workstations" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Defender AntiSpyware Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Defender Behavior Monitoring Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Defender Real Time Protection Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Defender Spynet Reporting Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable Windows Event Logging-->
 			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Windows Event Log Source,Risk=100" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
 				<TargetObject condition="end with">\Enabled</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
-			<Rule name="Level=0,Desc=Enabling of Windows Event Log Source" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Enabling of Windows Event Log Source" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
 				<TargetObject condition="end with">\Enabled</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
-			<Rule name="Level=0,Desc=Detect Event log system integrity and ACL Modifications" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Event log system integrity and ACL Modifications" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
 				<TargetObject condition="excludes">\Enabled</TargetObject>
 			</Rule>
@@ -4908,11 +4908,11 @@
 				<TargetObject condition="end with">\MaxSize</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
-			<Rule name="Level=0,Desc=Globally Opened Firewall port exceptions" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Globally Opened Firewall port exceptions" groupRelation="and">
 				<TargetObject condition="contains">globallyopenports</TargetObject>
 			</Rule>
 			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Monitor Firewall Enablement or Disablement" condition="end with">EnableFirewall</TargetObject>
-			<TargetObject name="Level=0,Desc=App added to Firewall Auth list" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=App added to Firewall Auth list" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
 
 			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
 			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=ETWEnabled Env Tampering,Risk=70" groupRelation="and">
@@ -4935,23 +4935,23 @@
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
-			<Rule name="Forensic=Regedit history Detection,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Forensic=Regedit history Detection,Risk=30" groupRelation="and">
 				<TargetObject condition="end with">\LastKey</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Symbolic Registry Link Created" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Symbolic Registry Link Created" groupRelation="and">
 				<TargetObject condition="contains">SymbolicLinkValue</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Suspicious Location Registry Change Detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Location Registry Change Detected" groupRelation="and">
 				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer</TargetObject>
 				<Image condition="contains any">\AppData\;\ProgramData\;\Temp\;C:\users</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Right to Left hidden Registry key,Risk=40" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Right to Left hidden Registry key,Risk=40" groupRelation="and">
 				<TargetObject condition="contains">&#x202e;</TargetObject>
 			</Rule>
-			<TargetObject name="Level=0,Desc=Monitor Remote Registry Setting Keys" condition="begin with">HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor Remote Registry Setting Keys" condition="begin with">HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg</TargetObject>
 
 			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
-			<Rule name="Level=0,Desc=Detect System Certificate Modifications" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect System Certificate Modifications" groupRelation="and">
 				<TargetObject condition="contains any">\Software\Policies\Microsoft\SystemCertificates\;\SOFTWARE\Microsoft\EnterpriseCertificates\;HKLM\SOFTWARE\Microsoft\SystemCertificates\;HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
 				<EventType condition="is not">CreateKey</EventType>
 				<Image condition="excludes">C:\WINDOWS\Sysmon64.exe</Image>
@@ -4968,16 +4968,16 @@
 				<Image condition="excludes">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</Image>
 				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe</Image>
 			</Rule>
-			<TargetObject name="Level=0,Desc=Remote Desktop fDenyTSConnections modification" condition="contains">fDenyTSConnections</TargetObject>
-			<TargetObject name="Level=0,Desc=Remote Desktop Settings keys" condition="contains">Terminal Server\WinStations\RDP-Tcp</TargetObject>
-			<TargetObject name="Level=0,Desc=Remote Desktop port modification" condition="end with">RDP-tcp\PortNumber</TargetObject>
-			<TargetObject name="Level=0,Desc=Enablement of Multiple RDP Sessions" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Desktop fDenyTSConnections modification" condition="contains">fDenyTSConnections</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Desktop Settings keys" condition="contains">Terminal Server\WinStations\RDP-Tcp</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Desktop port modification" condition="end with">RDP-tcp\PortNumber</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Enablement of Multiple RDP Sessions" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
 			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
-			<Rule name="Level=0,Desc=Unicode Replacement Character in Registry key,Risk=20" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Unicode Replacement Character in Registry key,Risk=20" groupRelation="and">
 				<TargetObject condition="contains">&#xfffd;</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Cryillic Character in Registry key,Risk=100" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Cryillic Character in Registry key,Risk=100" groupRelation="and">
 				<TargetObject condition="contains any">Й;ќ;Л;я;К</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
@@ -5111,7 +5111,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
 			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Rule name="Level=0,Desc=Git For Windows Detection: Revil: Sodinokibi,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Git For Windows Detection: Revil: Sodinokibi,Risk=50" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\GitForWindows</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
@@ -5156,45 +5156,45 @@
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<!-- UEBA/Uncategorized Detections-->
-			<Rule name="Level=0,Desc=Lanmanserver Parameters Registry Change Detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Lanmanserver Parameters Registry Change Detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Lanmanworkstation Parameters Registry Change Detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Lanmanworkstation Parameters Registry Change Detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters</TargetObject>
 			</Rule>
-			<Rule name="Forensic=Regedit history Detection,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Forensic=Regedit history Detection,Risk=30" groupRelation="and">
 				<TargetObject condition="end with">\LastKey</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=TS Farm Disable RDP Detection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=TS Farm Disable RDP Detection" groupRelation="and">
 				<TargetObject condition="end with">\WinStationsDisabled</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=TS Farm Drain Mode Modification Detection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=TS Farm Drain Mode Modification Detection" groupRelation="and">
 				<TargetObject condition="end with">\TSServerDrainMode</TargetObject>
 			</Rule>
-			<Rule name="Forensic=IE history Detection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Forensic=IE history Detection" groupRelation="and">
 				<TargetObject condition="end with">\TypedURLs</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=IPv6 Changes detected: Disabled Components" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IPv6 Changes detected: Disabled Components" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\disabledcomponents</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=IPv6 Changes detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IPv6 Changes detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Linkage\Bind</TargetObject>
 				<Details condition="excludes">Binary Data</Details>
 			</Rule>
-			<Rule name="Level=0,Desc=Network Card Changes detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Network Card Changes detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Service Listening Ports with URL ACL INFO" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Service Listening Ports with URL ACL INFO" groupRelation="and">
 				<TargetObject condition="contains">services\http\parameters\urlaclinf</TargetObject>
 			</Rule>
-			<Rule name="Forensic=Adobe Recent File List History" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Forensic=Adobe Recent File List History" groupRelation="and">
 				<TargetObject condition="contains">cRecentFiles\c1\</TargetObject>
 				<TargetObject condition="end with">tDIText</TargetObject>
 			</Rule>
-			<Rule name="Forensic=Office History MRU" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Forensic=Office History MRU" groupRelation="and">
 				<TargetObject condition="end with">\File MRU\Item 1</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Desc=Sysmon Config Hash Modification Monitoring" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Sysmon Config Hash Modification Monitoring" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHash</TargetObject>
 			</Rule>
 			<!--Common Malware Persistence locations-->
@@ -5212,207 +5212,207 @@
 			<TargetObject name="Attack=T1562.006,Technique=Impair Defenses: Indicator Blocking,Tactic=Defense Evasion,Level=0,Desc=ETW Tampering,Risk=70" condition="end with">SOFTWARE\Microsoft\.NETFramework\ETWEnabled</TargetObject>
 			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=2,Alert=AutoRun Keys,Risk=70" condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
-			<TargetObject name="Level=0,Desc=Alternate Shell AvailableShells Hijack" condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
-			<TargetObject name="Level=0,Desc=Alternative Shell Policy" condition="contains">Policies\System\Shell</TargetObject>
-			<TargetObject name="Level=0,Desc=AutoStart on Connect" condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
-			<TargetObject name="Level=0,Desc=AutoStart on Disconnect" condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
-			<TargetObject name="Level=0,Desc=Chrome Extensions" condition="contains">PreferenceMACs\Default\extensions.settings</TargetObject>
-			<TargetObject name="Level=0,Desc=CurrentVersion URL Key" condition="contains">CurrentVersion\URL</TargetObject>
-			<TargetObject name="Level=0,Desc=Font Drivers" condition="end with">\CurrentVersion\Font Drivers</TargetObject>
-			<TargetObject name="Level=0,Desc=Group Policy Shutdown scripts" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Level=0,Desc=Icon Service Lib" condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
-			<TargetObject name="Level=0,Desc=Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
-			<TargetObject name="Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="contains">NullSessionShares</TargetObject>
-			<TargetObject name="Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="end with">NullSessionPipes</TargetObject>
-			<TargetObject name="Level=0,Desc=Password Expiry Info" condition="contains">PasswordExpiryNotification</TargetObject>
-			<TargetObject name="Level=0,Desc=Safeboot Alternative Shell hijack" condition="contains">SafeBoot\AlternateShell</TargetObject>
-			<TargetObject name="Level=0,Desc=Screen Save on Desktop" condition="contains">Desktop\Scrnsave.exe</TargetObject>
-			<TargetObject name="Level=0,Desc=Software Installed or DisplayVersion modified" condition="end with">\DisplayVersion</TargetObject>
-			<TargetObject name="Level=0,Desc=Software Installed or Modify String modified" condition="end with">\ModifyPath</TargetObject>
-			<TargetObject name="Level=0,Desc=Software Installed or Uninstall String modified" condition="contains">\Microsoft\Windows\CurrentVersion\Uninstall\</TargetObject>
-			<TargetObject name="Level=0,Desc=Software Installed or Uninstall String modified" condition="end with">\UninstallString</TargetObject>
-			<TargetObject name="Level=0,Desc=Terminal Services Initial Program Key" condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
-			<TargetObject name="Level=0,Desc=Winlogon Taskman Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Alternate Shell AvailableShells Hijack" condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Alternative Shell Policy" condition="contains">Policies\System\Shell</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AutoStart on Connect" condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AutoStart on Disconnect" condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Chrome Extensions" condition="contains">PreferenceMACs\Default\extensions.settings</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CurrentVersion URL Key" condition="contains">CurrentVersion\URL</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Font Drivers" condition="end with">\CurrentVersion\Font Drivers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Group Policy Shutdown scripts" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Icon Service Lib" condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="contains">NullSessionShares</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="end with">NullSessionPipes</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Password Expiry Info" condition="contains">PasswordExpiryNotification</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Safeboot Alternative Shell hijack" condition="contains">SafeBoot\AlternateShell</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Screen Save on Desktop" condition="contains">Desktop\Scrnsave.exe</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Software Installed or DisplayVersion modified" condition="end with">\DisplayVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Software Installed or Modify String modified" condition="end with">\ModifyPath</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Software Installed or Uninstall String modified" condition="contains">\Microsoft\Windows\CurrentVersion\Uninstall\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Software Installed or Uninstall String modified" condition="end with">\UninstallString</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Terminal Services Initial Program Key" condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Winlogon Taskman Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
 			<!--CLSID launch commands and file association changes-->
-			<TargetObject name="Level=0,Desc=File Extension Mapping" condition="contains">\Explorer\FileExts\</TargetObject>
-			<TargetObject name="Level=0,Desc=Command Shell install Key" condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
-			<TargetObject name="Forensic=User SID History for Forensics" condition="end with">\ProfileImagePath</TargetObject><!--Lets Get SID History and other info for Forensics, this is created on logon-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Extension Mapping" condition="contains">\Explorer\FileExts\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Command Shell install Key" condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=User SID History for Forensics" condition="end with">\ProfileImagePath</TargetObject><!--Lets Get SID History and other info for Forensics, this is created on logon-->
 			<!--Windows shell hijack-->
-			<TargetObject name="Level=0,Desc=AllFileSystemObjects Classes" condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject name="Level=0,Desc=Asterisk Classes" condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject name="Level=0,Desc=CFT LangBarAddin" condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
-			<TargetObject name="Level=0,Desc=ContextMenuHandlers" condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
-			<TargetObject name="Level=0,Desc=CurrentVersion Shell Keys" condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
-			<TargetObject name="Level=0,Desc=Detect ShellExecuteHooks" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
-			<TargetObject name="Level=0,Desc=Directory Classes" condition="contains">\Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject name="Level=0,Desc=Drive Classes" condition="contains">\Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject name="Level=0,Desc=Explorer Shell Execute Hooks" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
-			<TargetObject name="Level=0,Desc=Folder Classes" condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject name="Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
-			<TargetObject name="Level=0,Desc=Hidden File Extensions Explorer Setting modification" condition="end with">\HideFileExt</TargetObject>
-			<TargetObject name="Level=0,Desc=Internet Explorer Desktop Components" condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
-			<TargetObject name="Level=0,Desc=Protocol Filter Classes" condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
-			<TargetObject name="Level=0,Desc=Protocol Handler Classes" condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
-			<TargetObject name="Level=0,Desc=SharedTaskScheduler" condition="contains">\SharedTaskScheduler</TargetObject>
-			<TargetObject name="Level=0,Desc=Super Hidden File Explorer Setting modification" condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
-			<TargetObject name="Level=0,Desc=Windows Shell Hijack: ColumnHandlers" condition="contains">\ColumnHandlers</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Shell Hijack: CopyHookHandlers" condition="contains">\CopyHookHandlers</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Shell Hijack: ExtShellFolderView" condition="contains">\ExtShellFolderViews</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Shell Hijack: PropertySheetHandlers" condition="contains">\PropertySheetHandlers</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Shell Hijack: ShellServiceObjectDelayLoad" condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Shell Hijack: ShellServiceObjects" condition="contains">\ShellServiceObjects</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AllFileSystemObjects Classes" condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Asterisk Classes" condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CFT LangBarAddin" condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=ContextMenuHandlers" condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CurrentVersion Shell Keys" condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect ShellExecuteHooks" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Directory Classes" condition="contains">\Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Drive Classes" condition="contains">\Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Explorer Shell Execute Hooks" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Folder Classes" condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Hidden File Extensions Explorer Setting modification" condition="end with">\HideFileExt</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Internet Explorer Desktop Components" condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Protocol Filter Classes" condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Protocol Handler Classes" condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SharedTaskScheduler" condition="contains">\SharedTaskScheduler</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Super Hidden File Explorer Setting modification" condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Hijack: ColumnHandlers" condition="contains">\ColumnHandlers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Hijack: CopyHookHandlers" condition="contains">\CopyHookHandlers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Hijack: ExtShellFolderView" condition="contains">\ExtShellFolderViews</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Hijack: PropertySheetHandlers" condition="contains">\PropertySheetHandlers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Hijack: ShellServiceObjectDelayLoad" condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Hijack: ShellServiceObjects" condition="contains">\ShellServiceObjects</TargetObject>
 			<!--AppPaths hijacking-->
-			<TargetObject name="Level=0,Desc=Detect AppPaths Hijacking" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<TargetObject name="Level=0,Desc=Detect AppPaths Hijacking" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<TargetObject name="Level=0,Desc=Detect AppPaths Hijacking" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect AppPaths Hijacking" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect AppPaths Hijacking" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect AppPaths Hijacking" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
 			<!--Terminal service boobytraps-->
-			<TargetObject name="Level=0,Desc=Detect Terminal Services BoobyTraps" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Terminal Services BoobyTraps" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
 			<!--Group Policy interity-->
-			<TargetObject name="Level=0,Desc=Group Policy interity Detection" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Group Policy interity Detection" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
 			<!--Winsock and Winsock2-->
-			<TargetObject name="Level=0,Desc=Detect IE Popup Blocker Changes" condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
-			<TargetObject name="Level=0,Desc=Detect IE Protected Mode Changes" condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
-			<TargetObject name="Level=0,Desc=Detect IE Scripting Mode in Internet Zone Changes" condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
-			<TargetObject name="Level=0,Desc=Detect IE Security Setting Check Warning Changes" condition="end with">\DisableSecuritySettingsCheck</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Winsock Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
-			<TargetObject name="Level=0,Desc=Detect Winsock Proxy Server Changes" condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
-			<TargetObject name="Level=0,Desc=Detected IE Legacy setting modifications" condition="end with">SavedLegacySettings</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<TargetObject name="Level=0,Desc=Detected IE Proxy setting modifications" condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<TargetObject name="Level=0,Desc=Detected Modifications of Console Tracing" condition="end with">EnableConsoleTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<TargetObject name="Level=0,Desc=Detected Modifications of File Tracing" condition="end with">EnableFileTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect IE Popup Blocker Changes" condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect IE Protected Mode Changes" condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect IE Scripting Mode in Internet Zone Changes" condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect IE Security Setting Check Warning Changes" condition="end with">\DisableSecuritySettingsCheck</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Winsock Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Winsock Proxy Server Changes" condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected IE Legacy setting modifications" condition="end with">SavedLegacySettings</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected IE Proxy setting modifications" condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected Modifications of Console Tracing" condition="end with">EnableConsoleTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected Modifications of File Tracing" condition="end with">EnableFileTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
 			<!--Credential providers-->
 			<TargetObject name="Attack=T1177,Tactic=Execution/Persistence,Technique=LSASS Driver,Level=3,Alert=Detection of Modification of LSASS Protection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Authentication PLAP Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Authentication Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
-			<TargetObject name="Level=0,Desc=Detect Credential provider Filter Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect LSA Credential Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect NETSH Helper DLL Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
-			<TargetObject name="Level=0,Desc=Detect Security Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Authentication PLAP Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Authentication Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Credential provider Filter Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect LSA Credential Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect NETSH Helper DLL Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Security Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
 			<!--Networking-->
-			<TargetObject name="Level=0,Desc=Monitor Network Interface Priority ordering" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
-			<TargetObject name="Forensic=Monitor Network History" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor Network Interface Priority ordering" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Monitor Network History" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
 			<!--DLLs that get injected into every process launch-->
-			<TargetObject name="Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
-			<TargetObject name="Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
 			<!--Office-->
 			<!--Microsoft Office-->
-			<TargetObject name="Level=0,Desc=Office Test Autorun Location Monitoring,Risk=40" condition="contains">Office Test\</TargetObject> <!-- [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Test Autorun Location Monitoring,Risk=40" condition="contains">Office Test\</TargetObject> <!-- [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
 			<!--Removed addins on 11/13/2018 due to high count-->
 			<!--IE-->
-			<TargetObject name="Level=0,Desc=Detect Changes to Internet Explorer Toolbars" condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
-			<TargetObject name="Level=0,Desc=Detect Changes to Internet Explorer Extensions" condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Changes to Internet Explorer Toolbars" condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Changes to Internet Explorer Extensions" condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
 			<!--Magic registry keys-->
-			<TargetObject name="Level=0,Desc=Detect Browser Helper Object Modifications" condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
-			<TargetObject name="Level=0,Desc=Detect Changes to Thumbnail cache autostart" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Browser Helper Object Modifications" condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Changes to Thumbnail cache autostart" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
 			<!--Infection artifacts-->
-			<TargetObject name="Level=0,Desc=ClickOnce URL Update Artifact" condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
-			<TargetObject name="Level=0,Desc=Installer Source Artifact" condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and component installations-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=ClickOnce URL Update Artifact" condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Installer Source Artifact" condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and component installations-->
 			<!--Windows internals integrity monitoring-->
-			<TargetObject name="Level=0,Desc=Detect Legacy Drivers Loaded" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
-			<TargetObject name="Level=0,Desc=Detect System Policy Changes" condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
-			<TargetObject name="Level=0,Desc=Detect Windows Defender Policy Changes" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
-			<TargetObject name="Level=0,Desc=Detect Windows Defender Tamper Protection Modifications" condition="begin with">TamperProtection</TargetObject> <!--Microsoft:Defender: Detect changes to Defender TamperProtection -->
-			<TargetObject name="Level=0,Desc=Detect malware changes to UAC prompt level" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Legacy Drivers Loaded" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect System Policy Changes" condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Windows Defender Policy Changes" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Windows Defender Tamper Protection Modifications" condition="begin with">TamperProtection</TargetObject> <!--Microsoft:Defender: Detect changes to Defender TamperProtection -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect malware changes to UAC prompt level" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
 			<!--Group Policy Scripts-->
-			<TargetObject name="Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
 			<!--Detect Network History-->
-			<TargetObject name="Level=0,Desc=Detect AD Domain Change" condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
-			<TargetObject name="Level=0,Desc=Detect DHCP Default Gateway" condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Level=0,Desc=Detect DHCP IP Address" condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Level=0,Desc=Detect DHCP Name Server Changes" condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Level=0,Desc=Detect DHCP Server Change" condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Level=0,Desc=Detect DHCP Subnet mask Change" condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Level=0,Desc=Detect DNS Server Changes" condition="end with">Nameserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Level=0,Desc=Detect Default Gateway" condition="end with">\DefaultGateway</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Level=0,Desc=Detect Network Persistent Route Change" condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
-			<TargetObject name="Level=0,Desc=Detect Network Type Change" condition="end with">}\Category</TargetObject><!--Networking: Detect Network type change-->
-			<TargetObject name="Level=0,Desc=Detect Network profile Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect Subnet Mask Change" condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Level=0,Desc=User added Macro document to Trusted Records,Risk=30" condition="contains">\Trusted Documents\TrustRecords</TargetObject>
-			<TargetObject name="Level=0,Desc=User added Macro document to Trusted Records 2,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Common</TargetObject>
-			<TargetObject name="Level=0,Desc=User added Macro trusted certificate,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Trusted</TargetObject>
-			<TargetObject name="Level=0,Desc=Office Security Settings: Monitor changes of security prompts" condition="contains">\Security\DontTrustInstalledFiles</TargetObject>
-			<TargetObject name="Level=0,Desc=Office Trusted Location Changes" condition="contains">\Security\Trusted Locations</TargetObject>
-			<TargetObject name="Level=0,Desc=Office Keys: Monitor Disabling of Internet files in Protected View" condition="end with">Security\ProtectedView\DisableInternetFilesInPV</TargetObject>
-			<TargetObject name="Level=0,Desc=Office Keys: Monitor Disabling of attackments in Protected View" condition="end with">Security\ProtectedView\DisableAttachmentsInPV</TargetObject>
-			<TargetObject name="Level=0,Desc=Office Keys: Monitor Disabling of Unsafe Locations in Protected View" condition="end with">Security\ProtectedView\DisableUnsafeLocationsInPV</TargetObject>
-			<TargetObject name="Forensic=WinRAR History" condition="contains">Software\WinRAR\ArcHistory</TargetObject>
-			<TargetObject name="Forensic=Winzip History" condition="contains">WinZip\mru\</TargetObject>
-			<TargetObject name="Forensic=Misc Recent File List History" condition="contains">Recent File List</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect AD Domain Change" condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP Default Gateway" condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP IP Address" condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP Name Server Changes" condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP Server Change" condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP Subnet mask Change" condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DNS Server Changes" condition="end with">Nameserver</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Default Gateway" condition="end with">\DefaultGateway</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Network Persistent Route Change" condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Network Type Change" condition="end with">}\Category</TargetObject><!--Networking: Detect Network type change-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Network profile Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Subnet Mask Change" condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User added Macro document to Trusted Records,Risk=30" condition="contains">\Trusted Documents\TrustRecords</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User added Macro document to Trusted Records 2,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Common</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User added Macro trusted certificate,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Trusted</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Security Settings: Monitor changes of security prompts" condition="contains">\Security\DontTrustInstalledFiles</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Trusted Location Changes" condition="contains">\Security\Trusted Locations</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Keys: Monitor Disabling of Internet files in Protected View" condition="end with">Security\ProtectedView\DisableInternetFilesInPV</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Keys: Monitor Disabling of attackments in Protected View" condition="end with">Security\ProtectedView\DisableAttachmentsInPV</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Keys: Monitor Disabling of Unsafe Locations in Protected View" condition="end with">Security\ProtectedView\DisableUnsafeLocationsInPV</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=WinRAR History" condition="contains">Software\WinRAR\ArcHistory</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Winzip History" condition="contains">WinZip\mru\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Misc Recent File List History" condition="contains">Recent File List</TargetObject>
 			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Inbox</TargetObject>
 			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\Today\UserDefinedUrl</TargetObject>
 			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Calendar Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Calendar</TargetObject>
-			<TargetObject name="Forensic=Office History" condition="contains">\Place MRU</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVerVersion</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVersion</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache InvDB-Path" condition="end with">\LowerCaseLongPath</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache InvDB-Pub" condition="end with">\Publisher</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache InvDB-Store" condition="contains">Compatibility Assistant\Store\</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache InvDB-Ver" condition="end with">\BinProductVersion</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache Application Shortcuts" condition="contains">Root\InventoryApplicationShortcut\</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache Driver Binary Info" condition="contains">Root\InventoryDriverBinary\</TargetObject>
-			<TargetObject name="Level=0,Forensic=AmCache Device Info" condition="contains">Root\InventoryDeviceContainer\</TargetObject>
-			<Rule name="Level=0,Forensic=AmCache Application Installation Info" groupRelation="and">
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Office History" condition="contains">\Place MRU</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVerVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache InvDB-Path" condition="end with">\LowerCaseLongPath</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache InvDB-Pub" condition="end with">\Publisher</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache InvDB-Store" condition="contains">Compatibility Assistant\Store\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache InvDB-Ver" condition="end with">\BinProductVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache Application Shortcuts" condition="contains">Root\InventoryApplicationShortcut\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache Driver Binary Info" condition="contains">Root\InventoryDriverBinary\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache Device Info" condition="contains">Root\InventoryDeviceContainer\</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache Application Installation Info" groupRelation="and">
 				<TargetObject condition="contains">Root\InventoryApplication\</TargetObject>
 				<TargetObject condition="contains any">ProgramID;Name;Version;Publisher;Language;InstallDate;Source;RootDirPath;HiddenArp;UninstallString;RegistryKeyPath;UserSID;sha256</TargetObject>
 			</Rule>			
-			<Rule name="Level=0,Forensic=AmCache Application File Info" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache Application File Info" groupRelation="and">
 				<TargetObject condition="contains">Root\InventoryApplicationFile\</TargetObject>
 				<TargetObject condition="contains any">ProgramId;FileId;LowerCaseLongPath;Name;OriginalFileName;Publisher;Version;binfileversion;LinkDate;Size;Language;USN;IsPeFile;IsOsComponent;sha256;AppxPackageFullName</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Forensic=AmCache AppV Application Inventory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache AppV Application Inventory" groupRelation="and">
 				<TargetObject condition="contains">Root\InventoryApplicationAppV\</TargetObject>
 			</Rule>
-			<Rule name="Level=0,Forensic=AmCache Office Information" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache Office Information" groupRelation="and">
 				<TargetObject condition="contains any">Root\InventoryMiscellaneousOfficeAddIn;Root\InventoryMiscellaneousOfficeIdentifiers;Root\InventoryMiscellaneousOfficeIESettings;Root\InventoryMiscellaneousOfficeInsights;Root\InventoryMiscellaneousOfficeProducts;Root\InventoryMiscellaneousOfficeSettings;Root\InventoryMiscellaneousOfficeVBA;Root\InventoryMiscellaneousOfficeVBARuleViolations</TargetObject>
 			</Rule>
-			<TargetObject name="Level=0,Desc=User Mount Points" condition="end with">\Explorer\MountPoints2</TargetObject>
-			<TargetObject name="Level=0,Desc=Monitor DOS Devices Virtual Registry Paths" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User Mount Points" condition="end with">\Explorer\MountPoints2</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor DOS Devices Virtual Registry Paths" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices</TargetObject>
 			<Rule name="Attack=T1489,Technique=Service Stop,Tactic=Impact,Level=1,Desc=Service Set for Deletion" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\DeleteFlag</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
 			<!--Detect User Activity-->
-			<TargetObject name="Level=0,Forensic=Detect Bluetooth Audio Capture" condition="contains">\ConsentStore\bluetooth</TargetObject>
-			<TargetObject name="Level=0,Forensic=Detect Contacts Accesses" condition="contains">\ConsentStore\contacts</TargetObject>
-			<TargetObject name="Level=0,Forensic=Detect Input Capture Accesses/Keyloggers" condition="contains">\ConsentStore\hunmanInterfaceDevice</TargetObject>
-			<TargetObject name="Level=0,Forensic=Detect Location Accesses" condition="contains">\ConsentStore\location</TargetObject>
-			<TargetObject name="Level=0,Forensic=Detect Microphone Accesses" condition="contains">\ConsentStore\microphone</TargetObject>
-			<TargetObject name="Level=0,Forensic=Detect USB Accesses" condition="contains">\ConsentStore\usb\</TargetObject>
-			<TargetObject name="Level=0,Forensic=Detect Webcam Accesses" condition="contains">\ConsentStore\webcam</TargetObject>
-			<TargetObject name="Level=0,Forensic=Detect humanInterfaceDevice Accesses" condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
-			<TargetObject name="Level=0,Forensic=Explorer Last Visited MRU" condition="contains">LastVisitedMRU</TargetObject>
-			<TargetObject name="Level=0,Forensic=Regedit Applets" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
-			<TargetObject name="Forensic=Run MRU" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
-			<TargetObject name="Level=0,Desc=USBStor USB Device History" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Detect Bluetooth Audio Capture" condition="contains">\ConsentStore\bluetooth</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Detect Contacts Accesses" condition="contains">\ConsentStore\contacts</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Detect Input Capture Accesses/Keyloggers" condition="contains">\ConsentStore\hunmanInterfaceDevice</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Detect Location Accesses" condition="contains">\ConsentStore\location</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Detect Microphone Accesses" condition="contains">\ConsentStore\microphone</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Detect USB Accesses" condition="contains">\ConsentStore\usb\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Detect Webcam Accesses" condition="contains">\ConsentStore\webcam</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Detect humanInterfaceDevice Accesses" condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Explorer Last Visited MRU" condition="contains">LastVisitedMRU</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Regedit Applets" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Run MRU" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=USBStor USB Device History" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
 			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=4,Alert=Safeboot Service Added" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
-			<TargetObject name="Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
-			<TargetObject name="Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
-			<TargetObject name="Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject> <!--Mitre T1198-->
-			<TargetObject name="Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject><!--Mitre T1198-->
-			<TargetObject name="Level=0,Desc=Detect: Dns Server dll injection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
-			<TargetObject name="Level=0,Desc=Detect: UAC Bypass" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> 
-			<TargetObject name="Level=0,Forensic=New Device Connected" condition="end with">\FriendlyName</TargetObject>
-			<TargetObject name="Level=0,Desc=Providers notified by Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
-			<TargetObject name="Level=0,Desc=Proxy Autoconfig URL" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
-			<TargetObject name="Level=0,Desc=Shell Service Object Delay Load" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject name="Level=0,Desc=Windows Installer Engaged" condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject> <!--Mitre T1198-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject><!--Mitre T1198-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect: Dns Server dll injection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect: UAC Bypass" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> 
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=New Device Connected" condition="end with">\FriendlyName</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Providers notified by Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Proxy Autoconfig URL" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Shell Service Object Delay Load" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Installer Engaged" condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
 			<!--Windows application compatibility shims-->
-			<TargetObject name="Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetObject name="Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetObject name="Level=0,Desc=Process Tracing Modifications,,Risk=30" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Tracing Modifications,,Risk=30" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
 			<!-- NOTICE: Detect New USB Network Devices: Poison Tap: Creates lots of noise, disabled for now-->
 			<Rule name="Alert=Detect PoisonTap,FP=2,Comment=May be noisy" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
@@ -5444,33 +5444,33 @@
 			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Potential Ransomware Indicator: REvil Sodinokibi Sodin Ransomware,Risk=100" condition="contains">Software\recfg</TargetObject>
 			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Preload\</TargetObject>
 			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Substitutes\</TargetObject>
-			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002</TargetObject>
-			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy</TargetObject>
-			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\</TargetObject>
-			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\</TargetObject> 
-			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman</TargetObject>
-			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\</TargetObject>
-			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="end with">\Client\Enabled</TargetObject>
-			<TargetObject name="Level=0,Desc=IIS Crypto Keys" condition="end with">\Server\Enabled</TargetObject>
-			<TargetObject name="Forensic=Kitty Sessions,Risk=30" condition="contains">Kitty\Sessions</TargetObject>
-			<TargetObject name="Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
-			<TargetObject name="Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
-			<TargetObject name="Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
-			<TargetObject name="Forensic=Putty Sessions,Risk=30" condition="contains">PuTTY\Sessions</TargetObject>
-			<TargetObject name="Level=0,Desc=RDP History,Risk=10" condition="contains">Terminal Server Client\Servers</TargetObject>
-			<TargetObject name="Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
-			<TargetObject name="Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\</TargetObject> 
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Crypto Keys" condition="end with">\Client\Enabled</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Crypto Keys" condition="end with">\Server\Enabled</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Kitty Sessions,Risk=30" condition="contains">Kitty\Sessions</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Putty Sessions,Risk=30" condition="contains">PuTTY\Sessions</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=RDP History,Risk=10" condition="contains">Terminal Server Client\Servers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
 		</RegistryEvent>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
 	<!--EVENT 15: "File stream created"-->
 	<RuleGroup name="RG=ADS Include Group" groupRelation="or">
 		<FileCreateStreamHash onmatch="include">
-			<Rule name="Level=0,Desc=Interesting Files temp locations,Risk=10" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Interesting Files temp locations,Risk=10" groupRelation="and">
 				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
 				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.vbs;.hta</TargetFilename>
 			</Rule>
-			<Rule name="Level=4,Alert=HTML_Smuggling,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=HTML_Smuggling,Risk=50" groupRelation="and">
 				<TargetFilename condition="end with">:Zone.Identifier</TargetFilename>
 				<Contents condition="contains any">blob:;about:internet</Contents>
 			</Rule>
@@ -5553,7 +5553,7 @@
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=sdlrpc Named Pipe Detection,Risk=100" condition="contains">\sdlrpc</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=winsession Named Pipe Detection,Risk=100" condition="contains">\winsession</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
 			<PipeName name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,Alert=lateral movement -meterpreter named pipe detected,Risk=100" condition="contains">msf-pipe</PipeName>
-			<PipeName name="Level=0,Desc=LM or EXEC over atsvc named pipe" condition="contains">\atsvc</PipeName> <!-- useful for lm or exec over atsvc namedpipe -->
+			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=LM or EXEC over atsvc named pipe" condition="contains">\atsvc</PipeName> <!-- useful for lm or exec over atsvc namedpipe -->
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 1" condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\DserNamedPipe;\mypipe-;\windows.update.manager;\ntsvcs_;scerpc_;\demoagent;\PGMessagePipe;\MsFTeWds;\f4c3;\fullduplex_;\msrpc_;\f53f;\rpc_;\spoolss_;\win_svc;\SearchTextHarvester</PipeName>
@@ -5562,13 +5562,13 @@
 				<PipeName condition="excludes">CtxSharefilepipe0</PipeName>
 			</Rule>
 			<!-- Noisy
-			<PipeName name="Level=0,Desc=SMB Session Enumeration" condition="contains">\srvsvc</PipeName>
+			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SMB Session Enumeration" condition="contains">\srvsvc</PipeName>
 			-->
-			<PipeName name="Level=0,Desc=Remote Registry access and enumeration" condition="contains">\winreg</PipeName> <!-- useful for lateral movement and users enumeration, psloggedon use this technique -->
-			<PipeName name="Level=0,Desc=Anonymous Named Pipe Detected" condition="contains">Anonymous Pipe</PipeName><!--Include Everything else to mark above rules-->
+			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Registry access and enumeration" condition="contains">\winreg</PipeName> <!-- useful for lateral movement and users enumeration, psloggedon use this technique -->
+			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Anonymous Named Pipe Detected" condition="contains">Anonymous Pipe</PipeName><!--Include Everything else to mark above rules-->
 			<!--Include Everything else to mark above rules-->
 			<!-- Disabled for now
-			<PipeName name="Level=0,Desc=Uncategorized Events" condition="contains">\</PipeName>
+			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Uncategorized Events" condition="contains">\</PipeName>
 			-->
 		</PipeEvent>
 	</RuleGroup>
@@ -5650,7 +5650,7 @@
 				<QueryName condition="contains">github</QueryName>
 				<Image condition="image">powershell.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Suspicious DNS Requests" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious DNS Requests" groupRelation="and">
 				<Image condition="contains any">powershell;cscript.exe;wscript.exe;mshta.exe;bitsadmin.exe;\cmd.exe</Image>
 				<QueryName condition="contains">.</QueryName>
 			</Rule>
@@ -5674,25 +5674,25 @@
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst domains,Risk=100" groupRelation="or">
 				<QueryName condition="contains any">thedoccloud.com;deftsecurity.com;websitetheme.com;highdatabase.com;incomeupdate.com;zupertech.com;panhardware.com;databasegalore.com;avsvmcloud.com;freescanonline.com</QueryName>
 			</Rule>
-			<Rule name="Level=0,Desc=Social Networking" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Social Networking" groupRelation="or">
 				<QueryName condition="contains any">tiktok;parler.com;gab.com;mewe.com;4chan;8chan;facebook;fbcdn;twitter;instagram;snapchat</QueryName>
 			</Rule>
-			<Rule name="Level=0,Desc=Internet Relay Chat,Risk=70" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Internet Relay Chat,Risk=70" groupRelation="or">
 				<QueryName condition="contains any">efnet;undernet;freenode;ircnet;.rizon;quakenet;oftc.net;dalnet</QueryName>
 			</Rule>
-			<Rule name="Level=0,Desc=Internet Chat,Risk=20" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Internet Chat,Risk=20" groupRelation="and">
 				<QueryName condition="contains any">.slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com</QueryName>
 			</Rule>
 			<!--Crypto Currency Mining pools-->
-			<Rule name="Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=10"  groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=10"  groupRelation="or">
 				<QueryName condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.nimpool.io;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool;analytics.blue;estream.to</QueryName>
 			</Rule>
-			<QueryName name="Level=0,Desc=Microsoft Graph API Lookup" condition="is">graph.microsoft.com</QueryName>
-			<QueryName name="Level=0,Desc=Dropbox Download Detected" condition="is">dl.dropboxusercontent.com</QueryName>
-			<QueryName name="Level=0,Desc=OneDrive API Lookup" condition="is">api.onedrive.com</QueryName>
-			<QueryName name="Level=0,Desc=Zoom Hostname Lookup" condition="contains">zoom.us</QueryName>
-			<QueryName name="Level=0,Desc=Teamviewer Hostname Lookup" condition="contains">teamviewer</QueryName>
-			<QueryName name="Level=0,Desc=Screenconnect Hostname Lookup" condition="contains">Screenconnect</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Microsoft Graph API Lookup" condition="is">graph.microsoft.com</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Dropbox Download Detected" condition="is">dl.dropboxusercontent.com</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=OneDrive API Lookup" condition="is">api.onedrive.com</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Zoom Hostname Lookup" condition="contains">zoom.us</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Teamviewer Hostname Lookup" condition="contains">teamviewer</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Screenconnect Hostname Lookup" condition="contains">Screenconnect</QueryName>
 			<!--Public Port Scan Detection-->
 			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
 			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery" condition="contains">census</QueryName>
@@ -5701,33 +5701,33 @@
 			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=Shadow DNS Query,Risk=20" condition="contains">shadow</QueryName>
 			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=Shodan.IO DNS Query,Risk=20" condition="contains">shodan</QueryName>
 			<!--Domain TLD's to log-->
-			<QueryName name="Level=0,Desc=Download TLD DNS Query" condition="end with">.download</QueryName>
-			<QueryName name="Level=0,Desc=North Korea TLD DNS Query" condition="end with">.kp</QueryName>
-			<QueryName name="Level=0,Desc=Soviet Union TLD DNS Query" condition="end with">.su</QueryName>
-			<QueryName name="Level=0,Desc=Sudan TLD DNS Query" condition="end with">.ss</QueryName>
-			<QueryName name="Level=0,Desc=Suspicious TLD .xn DNS Query" condition="end with">.xn</QueryName>
-			<QueryName name="Level=0,Desc=Syria TLD DNS Query" condition="end with">.sy</QueryName>
-			<QueryName name="Level=0,Desc=Venezuela TLD DNS Query" condition="end with">.ve</QueryName>
-			<QueryName name="Level=0,Desc=XXX TLD DNS Query" condition="end with">.xxx</QueryName>
-			<QueryName name="Level=0,Desc=China TLD DNS Query" condition="end with">.cn</QueryName>
-			<QueryName name="Level=0,Desc=Click TLD DNS Query" condition="end with">.click</QueryName>
-			<QueryName name="Level=0,Desc=Club TLD DNS Query" condition="end with">.club</QueryName>
-			<QueryName name="Level=0,Desc=IRAN TLD DNS Query" condition="end with">.ir</QueryName>
-			<QueryName name="Level=0,Desc=Russian TLD DNS Query" condition="end with">.ru</QueryName>
-			<QueryName name="Level=0,Desc=Suspicious TLD .Host DNS Query" condition="end with">.host</QueryName>
-			<QueryName name="Level=0,Desc=Suspicious TLD .ICU DNS Query" condition="end with">.icu</QueryName>
-			<QueryName name="Level=0,Desc=Suspicious TLD .PW DNS Query" condition="end with">.pw</QueryName>
-			<QueryName name="Level=0,Desc=Suspicious TLD .WEBSITE DNS Query" condition="end with">.website</QueryName>
-			<QueryName name="Level=0,Desc=Suspicious TLD .ninja DNS Query" condition="end with">.ninja</QueryName>
-			<QueryName name="Level=0,Desc=Suspicious TLD .rocks DNS Query" condition="end with">.rocks</QueryName>
-			<QueryName name="Level=0,Desc=Top TLD DNS Query" condition="end with">.top</QueryName>
-			<QueryName name="Level=0,Desc=Ukraine TLD DNS Query" condition="end with">.ua</QueryName>
-			<QueryName name="Level=0,Desc=XYZ TLD DNS Query" condition="end with">.xyz</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Download TLD DNS Query" condition="end with">.download</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=North Korea TLD DNS Query" condition="end with">.kp</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Soviet Union TLD DNS Query" condition="end with">.su</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Sudan TLD DNS Query" condition="end with">.ss</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious TLD .xn DNS Query" condition="end with">.xn</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Syria TLD DNS Query" condition="end with">.sy</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Venezuela TLD DNS Query" condition="end with">.ve</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=XXX TLD DNS Query" condition="end with">.xxx</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=China TLD DNS Query" condition="end with">.cn</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Click TLD DNS Query" condition="end with">.click</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Club TLD DNS Query" condition="end with">.club</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IRAN TLD DNS Query" condition="end with">.ir</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Russian TLD DNS Query" condition="end with">.ru</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious TLD .Host DNS Query" condition="end with">.host</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious TLD .ICU DNS Query" condition="end with">.icu</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious TLD .PW DNS Query" condition="end with">.pw</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious TLD .WEBSITE DNS Query" condition="end with">.website</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious TLD .ninja DNS Query" condition="end with">.ninja</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious TLD .rocks DNS Query" condition="end with">.rocks</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Top TLD DNS Query" condition="end with">.top</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Ukraine TLD DNS Query" condition="end with">.ua</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=XYZ TLD DNS Query" condition="end with">.xyz</QueryName>
 			<!--Malware Domains-->
-			<Rule name="Level=0,Desc=Suspicious Domain,Risk=20" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Domain,Risk=20" groupRelation="and">
 				<QueryName condition="contains any">kuternull.com;rimrun.com;0ffice36o;asushotfix;infestexe;rahasn.webhop.org;rahasn.akamake.net;rahasn.homewealth.biz;winodwsupdates;israirairlines</QueryName>
 			</Rule>
-			<QueryName name="Level=0,Desc=DNS Query to Github,Risk=20" condition="contains any">githubusercontent.com;github.com</QueryName> 
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=DNS Query to Github,Risk=20" condition="contains any">githubusercontent.com;github.com</QueryName> 
 			<!--Common Suspicious destinations-->
 			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=0,Desc=Malware IP Check,Risk=30" condition="contains any">api.ipify.org;whatismyipaddress.com;edns.ip-api.com;checkip.dyndns.org;icanhazip.com;ifconfig.me;ifconfig.co;ipaddress.com;ipecho.net;ident.me;api.ip.sb;www.myexternalip.com;ip.anysrc.net;wtfismyip.com;myexternalip.com;ipecho.net;checkip.amazonaws.com;goo.gl;git.io;bit.ly;ow.ly;ip-api.com</QueryName> <!--Malware uses to get external IP address-->
 			<!-- Malicious/Suspicious hosting domains-->
@@ -5736,26 +5736,26 @@
 			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=3,Alert=Dynamic DNS Query" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</QueryName>
 			<QueryName name="Attack=T1188,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=4,Alert=Tor2Web,Risk=100" condition="contains any">darknet.to;hiddenservice.net;onion.cab;onion.city;onion.direct;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org</QueryName>
 			<QueryName name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=DNS Over HTTPS Detected" condition="contains any">adblock.mydns.network;ibksturm.synology.me;jcdns.fun;ibuki.cgnat.net;dns.twnic.tw;commons.host;doh.dnswarden.com;dns-nyc.aaflalo.me;dns.aaflalo.me;doh.appliedprivacy.net;doh.captnemo.in;doh.tiar.app;doh.tiarap.org;doh.defaultroutes.de;doh.dns.sb;dns.oszx.co;2.dnscrypt-cert.oszx.co;dnscrypt;edns.233py.com;hk-dns.233py.com;hk2dns.233py.com;hkdns.233py.com;hkdns.233py.com;ndns.233py.com;sdns.233py.com;wdns.233py.com;pastebin.com;dns.adguard.com;dns-family.adguard.com;security-filter-dns.cleanbrowsing.org;family-filter-dns.cleanbrowsing.org;adult-filter-dns.cleanbrowsing.org;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;dns.google;doh.opendns.com;dns.quad9.net;dns9.quad9.net;dns10.quad9.net;dns11.quad9.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;doh-ch.blahdns.com;doh-de.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;doh-2.seby.io;doh.seby.io;rdns.faelix.net;doh.li;doh.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk</QueryName>
-			<QueryName name="Level=0,Desc=DC Global Catalog Lookup" condition="begin with">gc._msdcs.</QueryName>
-			<QueryName name="Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._tcp.dc._msdcs.</QueryName>
-			<QueryName name="Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._udp.dc._msdcs.</QueryName>
-			<QueryName name="Level=0,Desc=Primary DC Lookup" condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
-			<QueryName name="Level=0,Desc=Web Proxy Auto-Discovery Protocol Lookup" condition="begin with">wpad</QueryName>
-			<Rule name="Level=3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=DC Global Catalog Lookup" condition="begin with">gc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._tcp.dc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._udp.dc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Primary DC Lookup" condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Web Proxy Auto-Discovery Protocol Lookup" condition="begin with">wpad</QueryName>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
 				<QueryName condition="begin with">_ldap.</QueryName>
 				<Image condition="excludes">C:\Windows\</Image>
 				<Image condition="excludes">unknown process</Image>
 				<Image condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</Image>
 			</Rule>
 			<!--
-			<QueryResults name="Level=0,Desc=AAAA Lookup" condition="begin with">type:  28</QueryResults>
-			<QueryResults name="Level=0,Desc=CNAME Lookup" condition="begin with">type:  5</QueryResults>
-			<QueryResults name="Level=0,Desc=MX Lookup" condition="begin with">type:  15</QueryResults>
-			<QueryResults name="Level=0,Desc=Name Server" condition="begin with">type:  2</QueryResults>
-			<QueryResults name="Level=0,Desc=PTR Lookup" condition="begin with">type:  12</QueryResults>
-			<QueryResults name="Level=0,Desc=SOA Lookup" condition="begin with">type:  6</QueryResults>
-			<QueryResults name="Level=0,Desc=SPF Lookup" condition="begin with">type:  99</QueryResults>
-			<QueryResults name="Level=0,Desc=SRV Lookup" condition="begin with">type:  33</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AAAA Lookup" condition="begin with">type:  28</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CNAME Lookup" condition="begin with">type:  5</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=MX Lookup" condition="begin with">type:  15</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Name Server" condition="begin with">type:  2</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=PTR Lookup" condition="begin with">type:  12</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SOA Lookup" condition="begin with">type:  6</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SPF Lookup" condition="begin with">type:  99</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SRV Lookup" condition="begin with">type:  33</QueryResults>
 			-->
 			<Image name="Information=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
 		</DnsQuery>
@@ -6029,7 +6029,7 @@
 	<!--SYSMON EVENT ID 25 : Process tampering events-->
 	<RuleGroup name="RG=Process Tampering Includes" groupRelation="or">
 		<ProcessTampering onmatch="include">
-			<Rule name="Level=0,Desc=Process Tampering Detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Tampering Detected" groupRelation="and">
 				<Image condition="contains any">.;&gt;;unknown;anonymous</Image>
 				<Image condition="excludes">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
 				<Image condition="excludes">C:\Program Files (x86)\Symantec\</Image>
@@ -6040,7 +6040,7 @@
 	</RuleGroup>
 	<RuleGroup name="RG=Process Tampering Excludes" groupRelation="or">
 		<ProcessTampering onmatch="exclude">
-			<Rule name="Level=0,Desc=exclude common noise" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=exclude common noise" groupRelation="and">
 				<Image condition="contains any">\BHO\ie_to_edge_stub.exe;\Microsoft\Teams\;\Vivaldi\Application\;Google\Chrome\;Google\Update;BraveSoftware\Brave-Browser\;Edge\Application\;EdgeUpdate\Install\;Program Files\SmartGit\</Image>
 			</Rule>
 		</ProcessTampering>
@@ -6060,35 +6060,35 @@
 	<!--SYSMON EVENT ID 27 : FILE BLOCK [FileBlockExecutable]-->
 	<RuleGroup name="RG=ImageBlock Include Group" groupRelation="or">
 		<FileBlockExecutable onmatch="include">
-			<Rule name="Level=0,Desc=Block Office from Creating Executables" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block Office from Creating Executables" groupRelation="and">
 				<Image condition="contains any">OUTLOOK.exe;WINWORD.exe;EXCEL.EXE;powerpnt.exe;msaccess.exe;mspub.exe;eqnedt32.exe;visio.exe;wordpad.exe;wordview.exe;msohtmed.exe;lync.exe;teams.exe</Image>
 				<TargetFilename condition="excludes any">:\Program Files\Microsoft Office\;:\Program Files (x86)\Microsoft Office\</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Block Web Servers from creating binary files" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block Web Servers from creating binary files" groupRelation="and">
 				<Image condition="contains any">w3wp.exe;tomcat;apache;nginx;httpd</Image>
 				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Block Powershell from downloading EXE" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block Powershell from downloading EXE" groupRelation="and">
 				<Image condition="contains any">powershell.exel;powershell_ise.exe</Image>
 				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Block double extensions" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename>
 				<TargetFilename condition="contains any">.pdf;.doc;.xls;.doc;.ppt;.txt;.rtf;.htm;.iso;.zip;.rar;.7z</TargetFilename>
 			</Rule>
-			<Rule name="Level=0,Desc=Block PSexec and PSEXESVC from Dropping binaries" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block PSexec and PSEXESVC from Dropping binaries" groupRelation="or">
 				<Image condition="contains any">psexesvc</Image>
 				<Image condition="contains any">psexec</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Block wmiprvse.exe from Dropping binaries" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block wmiprvse.exe from Dropping binaries" groupRelation="or">
 				<Image condition="is">wmiprvse.exe</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Block executables from writing to Users\Public" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block executables from writing to Users\Public" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
 				<TargetFilename condition="excludes any">amdsfhdcd.bin</TargetFilename>
 				<Image condition="excludes any">intuit</Image>
 			</Rule>
-			<Rule name="Level=0,Desc=Block LOLbins that drop files" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block LOLbins that drop files" groupRelation="and">
 				<Image condition="contains any">AcroRd32.exe;notepad.exe;mshta.exe;hh.exe;certutil.exe;certoc.exe;certreq.exe;desktopimgdownldr.exe;esentutl.exe;finger.exe;presentationhost.exe;cscript.exe;wscript.exe;mspaint.exe;RdrCEF.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1311,Technique=User Execution: Malicious File,Tactic=Execution,Level=4,Alert=Malicious File Detection,Author=Florian Roth" groupRelation="or">

From f77cc8b9de2000834c6a54852bbcc35ed594fe51 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Mon, 26 Sep 2022 09:34:50 -0400
Subject: [PATCH 368/471] Add Impacket PSExec.py named pipe detection.

---
 sysmonconfig-export.xml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 16064f68..00f05396 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -5525,6 +5525,10 @@
 				<PipeName condition="end with">-stdin</PipeName>
 				<PipeName condition="end with">-stdout</PipeName>
 			</Rule>
+			<Rule name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,Level=4,Alert=Impacket PSExec.py Named Pipe Detected" groupRelation="and">
+				<PipeName condition="contains">RemCom_</PipeName>
+				<PipeName condition="contains any">stdin;stdout;stderr;communication</PipeName>
+			</Rule>
 			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=MS-SCMR Execution" groupRelation="or">
 				<PipeName condition="contains">\svcctl</PipeName>
 			</Rule>

From 246d73d59f5791ec6991e157560df847a234509e Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Mon, 26 Sep 2022 09:51:21 -0400
Subject: [PATCH 369/471] Cobalt Strike detection improvements

---
 sysmonconfig-export.xml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 00f05396..9f1af729 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -5560,7 +5560,20 @@
 			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=LM or EXEC over atsvc named pipe" condition="contains">\atsvc</PipeName> <!-- useful for lm or exec over atsvc namedpipe -->
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 1" condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\DserNamedPipe;\mypipe-;\windows.update.manager;\ntsvcs_;scerpc_;\demoagent;\PGMessagePipe;\MsFTeWds;\f4c3;\fullduplex_;\msrpc_;\f53f;\rpc_;\spoolss_;\win_svc;\SearchTextHarvester</PipeName>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Named Pipe Detection 1" groupRelation="and">
+				<PipeName condition="contains any">\DserNamedPipe;\mypipe-;\windows.update.manager;\ntsvcs_;scerpc_;\demoagent;\PGMessagePipe;\MsFTeWds;\f4c3;\fullduplex_;\msrpc_;\f53f;\rpc_;\spoolss_;\win_svc;\SearchTextHarvester;demoagent_</PipeName>
+				<PipeName condition="is not">\wkssvc</PipeName>
+				<PipeName condition="is not">\spoolss</PipeName>
+				<PipeName condition="is not">\scerpc</PipeName>
+				<PipeName condition="is not">\ntsvcs</PipeName>
+				<PipeName condition="is not">\SearchTextHarvester</PipeName>
+				<PipeName condition="is not">\PGMessagePipe</PipeName>
+				<PipeName condition="is not">\MsFteWds</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Named Pipe Detection 2" groupRelation="and">
+				<PipeName condition="begin with">\Winsock2\CatalogChangeListener-</PipeName>
+				<PipeName condition="end with">-0,</PipeName>
+			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=EFSPotato Named Pipe Detection" groupRelation="and">
 				<PipeName condition="contains any">\pipe\</PipeName>
 				<PipeName condition="excludes">CtxSharefilepipe0</PipeName>

From 35bb32807d2841e4cb5333addd44c029715bf4dc Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Mon, 26 Sep 2022 10:24:13 -0400
Subject: [PATCH 370/471] remove msdt command line options that are not always
 needed.

---
 sysmonconfig-export.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 9f1af729..ba889d48 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -390,7 +390,6 @@
 				<Image condition="is">msdt.exe</Image>
 				<ParentImage condition="is not">pcwrun.exe</ParentImage>
 				<CommandLine condition="contains">PCWDiagnostic</CommandLine>
-				<CommandLine condition="contains any">/af;-af</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=msdt via diagcab file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
 				<Image condition="is">msdt.exe</Image>

From 3919a29546f5965765809a3a7fc0339085df1675 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Mon, 26 Sep 2022 13:35:45 -0400
Subject: [PATCH 371/471] Fixed a few typo's, thanks to VadimKutia and PiRomant

---
 sysmonconfig-export.xml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ba889d48..3b00d8b1 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -423,6 +423,8 @@
 			</Rule>
 			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,Level=2,Alert=Child process from schtasks" groupRelation="and">
 				<ParentImage condition="image">schtasks.exe</ParentImage>
+				<ParentCommandLine condition="excludes">schtasks /TN RtkAudUService64_BG</ParentCommandLine>
+				<ParentCommandLine condition="excludes any">-change;/change;-delete;/delete;-create;/create</ParentCommandLine>
 			</Rule>
 			<Image name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</Image>
 			<ParentImage name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</ParentImage>
@@ -3432,7 +3434,8 @@
 				<CallTrace condition="contains">|C:\WINDOWS\System32\KERNELBASE.dll+</CallTrace>
 				<CallTrace condition="end with">)</CallTrace>
 				<GrantedAccess condition="contains any">0x1028;0x1fffff</GrantedAccess>
-				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git\</SourceImage>
+				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git;\Intel\Driver and Support Assistant\DSAService.exe</SourceImage>
+				<TargetImage condition="excludes any">\Intel\Driver and Support Assistant\</TargetImage>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
 				<SourceImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</SourceImage>
@@ -3446,7 +3449,8 @@
 				<TargetImage condition="contains any">C:\Windows\Sysmon64.exe;C:\Windows\Sysmon.exe</TargetImage>
 				<SourceImage condition="is not">C:\WINDOWS\system32\wbem\wmiprvse.exe</SourceImage>
 				<SourceImage condition="is not">C:\Program Files (x86)\ASUS\Update\AsusUpdate.exe</SourceImage>
-				<SourceImage condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe;C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe;C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</SourceImage>
+				<SourceImage condition="is not">C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe</SourceImage>
+				<SourceImage condition="excludes any">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe;C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe;C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</SourceImage>
 				<GrantedAccess condition="contains">0x1400</GrantedAccess>
 			</Rule>
 			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE: possible memory injection -->
@@ -3630,6 +3634,8 @@
 			<!--MITRE ATT&CK TECHNIQUE: User Execution: Malicious File-->
 			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Generic Ransomware Detection" groupRelation="and">
 				<TargetFilename condition="contains any">!!!-WARNING-!!!.html;!!!-WARNING-!!!.txt;!!! HOW TO DECRYPT FILES !!!;!!!README!!!;!!!READ_TO_UNLOCK!!!.TXT;!!!_READ_ME_;!Recovery_;!Where_are_my_files!.html;!_HOW_TO_RESTORE_;!_RECOVERY_HELP_!.txt;!recover!;# DECRYPT MY FILES #.html;# DECRYPT MY FILES #.txt;# DECRYPT MY FILES #.vbs;# SATAN CRYPTOR #;+recover+;.8lock8;.31392E30362E32303136_;.ABCDEF;.CIop;.CR1;.CRAB;.CRYPTOSHIELD;.Cl0p;.Contact_Here_To_Recover_Your_Files.txt;.CryptoTorLocker2015!;.HERMES;.HakunaMatata;.How_To_Decrypt.txt;.How_To_Get_Back.txt;.KEYZ.KEYH0LES;.L0CKED;.LOL!;.MATRIX;.OMG!;.R.i.P;.RMCM1;.RSplited;.SUPERCRYPT;.SecureCrypted;.TheTrumpLocker;.VBRANSOM;.VforVendetta;.Where_my_files.txt;.XBTL;._AiraCropEncrypted!;.airacropencrypted!;.areyoulovemyrans;.berkshire;.bitpy;.bitx;.blocatto;.bomber;.braincrypt;.breakingbad;.breeding123;.cerber;.cifgksaffsfyghd;.country82000;.crypt;.crypted;.crypton;.cryptotorlocker;.decrypt2017;.deria;.dglnl;.disposed2017;.doomed;.encrypted.locked;.encrypted;.encryptedyourfiles;.enjey;.evillock;.filegofprencrp;.fileiscryptedhard;.firecrypt;.fuckyourdata;.gangbang;.gefickt;.googl;.happydayzz;.hceem;.helpdecrypt;.helpmeencedfiles;.hnumkhotep;.hydracrypt_ID;.iaufkakfhsaraf;.info.txt;.jimm;.kharma;.killedXXX;.lambda_l0cked;.letmetrydecfiles;.locked;.locker16;.loveransisgood;.lovewindows;.magic_software_syndicate;.mention9823;.moments2900;.myrandsext2017;.newlock;.no_more_ransom;.nochance;.noproblemwedecfiles;.notfoundrans;.ohwqg;.one-we_can-help_you;.oops;.osiris;.otherinformation;.paytounlock;.powerfulldecrypt;.powned;.pr0lock;.prolock;.prosperous666;.pwnd;.ransom;.readme2unlock;.righ;.roger;.ryk;.satan;.savethequeen;.sigaint.org;.skjdthghh;.skynet;.snatch;.stubbin;.supported2017;.suppose666;.theworldisyours;.txd0t;.warn_wallet;.weapologize;.weareyourfriends;.weencedufiles;.wowreadfordecryp;.wowwhereismyfiles;.wvtr0;.yourransom;.zzzzz ;.{CRYPTENDBLACKDC};-DECRYPT.txt;000-IF-YOU-WANT-DEC-FILES;000-No-PROBLEM-WE-DEC-FILES;000-PLEASE-READ-WE-HELP;001-READ-FOR-DECRYPT-FILES;1025-7152.exe;:\windows\update_collector.exe;=READ=THIS=PLEASE=;@cock.li;@countermail.com;@firemail.cc;@india.com;@mail.ru;@ukr.net;ASSISTANCE_IN_RECOVERY;ATTENTION!!!.txt;ATTENTION.url;Aescrypt.exe;AllFilesAreLocked;BTC_DECRYPT_FILES;BUYUNLOCKCODE.txt;BUYUNLOCKCODE;BitCryptorFileList.txt;C:\ProgramData\dtb.dat;C:\Programdata\WinMgr;C:\Programdata\clean.bat;C:\Programdata\run.bat;C:\Windows\svchost.exe;CEBER3;CHECK-IT-HELP-FILES;COME_RIPRISTINARE_I_FILE.;COMO_ABRIR_ARQUIVOS.txt;COMO_RESTAURAR_ARCHIVOS;Coin.Locker.txt;Comment débloquer mes fichiers.txt;Como descriptografar seus arquivos.txt;Corona-virus-Map;Corona.bat;Corona.sfx;CryptoRansomware;Crytp0l0cker;Cyber SpLiTTer Vbs.exe;Cyborg_DECRYPT;DALE_FILES.TXT;DECRYPT-FILES;DECRYPTION INSTRUCTIONS.;DECRYPTION_HOWTO.Notepad;DECRYPT_INFORMATION;DECRYPT_INSTRUCTION.HTML;DECRYPT_INSTRUCTION.URL;DECRYPT_INSTRUCTIONS.html;DECRYPT_INSTRUCTIONS;DECRYPT_ReadMe1.TXT;DECRYPT_Readme.TXT.ReadMe;DECRYPT_YOUR_FILES;DESIFROVANI_POKYNY.html;Decrypt All Files;DecryptAllFiles;DecryptFile;Decrypt_readme.txt;DesktopOsiris;ENTSCHLUSSELN_HINWEISE.html;EdgeLocker;FILESAREGONE.txt;FILES_BACK.txt;File Decrypt Help.html;GJENOPPRETTING_AV_FILER;GetYouFiles.txt;HAPPEN-ENCED-FILES;HELLOTHERE.TXT;HELP-ME-ENCED-FILES;HELPDECRYPT_YOUR_FILES.HTML;HELP_DECRYPT.HTML;HELP_DECRYPT.PNG;HELP_DECRYPT.URL;HELP_DECRYPT.lnk;HELP_ME_PLEASE.txt;HELP_RESTORE_FILES_;HELP_TO_SAVE_FILES.bmp;HELP_TO_SAVE_FILES;HELP_YOURFILES.HTML;HELP_YOUR_FILES.PNG;HELP_YOUR_FILES.html;HELP_YOUR_FILES;HOW-TO-DECRYPT-FILES.HTML;HOW-TO-RESTORE-FILES;HOW TO BACK YOUR FILES;HOW TO DECRYPT FILES.HTML;HOW TO DECRYPT FILES.txt;HOW TO RECOVER;HOWTO_RECOVER_FILES_;HOWTO_RESTORE_FILES;HOWTO_RESTORE_FILES_;HOW_DECRYPT.HTML;HOW_DECRYPT.TXT;HOW_DECRYPT.URL;HOW_OPEN_FILES;HOW_TO_DECRYPT.HTML;HOW_TO_DECRYPT_;HOW_TO_PAY_THE_RANSOM;HOW_TO_RESTORE_FILES.html;HOW_TO_RESTORE_FILES;HOW_TO_RESTORE_YOUR_DATA;HOW_TO_UNLOCK_FILES_README_;HWID Lock.exe;Hacked_Read_me_to_decrypt_files.html;Help Decrypt.html;How decrypt files.hta;How to decrypt LeChiffre files.html;How to decrypt your data.txt;HowDecrypt.gif;HowDecrypt.txt;How_to_decrypt_your_files.jpg;How_to_restore_files.hta;HowtoRestore_File;HowtoRestore_Files;Howto_RESTORE_FILES.html;Howto_Restore_FILES.TXT;IAMREADYTOPAY.TXT;IF-YOU-WANT-DEC-FILES;IF_WANT_FILES_BACK_PLS_READ.html;IHAVEYOURSECRET.KEY;IMPORTANT READ ME.txt;IMPORTANT.README;INSTALL_TOR.URL;INSTRUCCIONES;INSTRUCCIONES_DESCIFRADO.html;INSTRUCTION RESTORE FILE;INSTRUCTIONS_DE_DECRYPTAGE.html;INSTUCCIONES_DESCRIFRADO;ISTRUZIONI_DECRITTAZIONE.html;Important!.txt;Instructionaga.txt;KryptoLocker_README.txt;LEER_INMEDIATAMENTE;LET-ME-TRY-DEC-FILES;Locked-by-Mafia;MENSAGEM.txt;MERRY_I_LOVE_YOU_BRUCE.hta;No-PROBLEM-WE-DEC-FILES;OKSOWATHAPPENDTOYOURFILES.TXT;ONTSLEUTELINGS_INSTRUCTIES.html;OSIRIS-;PAYLOADBIN;PINGY@INDIA.COM;PLEASE-READ-WE-HELP.;PLEASE-READIT-IF_YOU-WANT.html;PLEASE-READIT-IF_YOU-WANT;PLEASE-README-AFFECTED-FILES;PLS-DEC-MY-FILES;PURELOCKER;Payment_Instructions.jpg;Please Read Me!!!;READ-FOR-DECCCC-FILESSS;READ-FOR-DECRYPT-FILES;READ-READ-READ;READ IF YOU WANT YOUR FILES BACK.html;READ ME FOR DECRYPT.txt;README HOW TO DECRYPT YOUR FILES.HTML;README!!!;README_DECRYPT_HYDRA_ID_;README_DECRYPT_HYRDA_ID_;README_DECRYPT_UMBRE_ID_;README_DONT_DELETE;README_HOW_TO_UNLOCK.HTML;README_HOW_TO_UNLOCK.TXT;README_RECOVER_FILES_;README_TO_RECURE_YOUR_FILES;READTHISNOW!!!.txt;READ_IT.txt;READ_ME_!.txt;READ_ME_TO_DECRYPT_YOU_INFORMA;READ_THIS_TO_DECRYPT.html;RECOVER-FILES;RECOVERY_FILE.;RECOVERY_FILES.TXT;RECOVER_MY_FILE;RESTORE_CORUPTED_FILES;RESTORE_FILES_;RETURN FILES.txt;RETURN YOUR FILES;RETURNFILES_.txt;RETURN_FILES.txt;RETURN_FILES_.txt;Rans0m_N0te_Read_ME;Read Me (How Decrypt) !!!!.txt;ReadDecryptFilesHere;Read_this_file.txt;Receipt.exe;RecoveryManual.html;Recovery_File_;Recovery_file_;Rooster865qq;SECRET.KEY;SECRETIDHERE.KEY;SHTODELATVAM.txt;SIFRE_COZME_TALIMATI.html;SORRY-FOR-FILES;Survey Locker.exe;TRY-READ-ME-TO-DEC;Temp\satan\satan;ThxForYurTyme;UNLOCK_FILES_INSTRUCTIONS.html;UNLOCK_FILES_INSTRUCTIONS.txt;UnblockFiles.vbs;VIP72.exe;Vape Launcher.exe;WANT_FILES_BACK;WE-MUST-DEC-FILES;WHERE-YOUR-FILES;WORMKILLER@INDIA.COM.XTBL;What happen to my files.txt;Whereisyourfiles;WindowsApplication1.exe;YOUGOTHACKED.TXT;YOUR_FILES.txt;YOUR_FILES.url;YOUR_FILES_ARE_DEAD;YOUR_FILES_ARE_ENCRYPTED.HTML;YOUR_FILES_ARE_ENCRYPTED.TXT;YOUR_FILES_ARE_LOCKED.txt;Your files are locked !!!!.txt;Your files are locked !!!.txt;Your files are locked !!.txt;Your files are locked !.txt;Your files encrypted by our friends !!! txt;Your files encrypted by our friends !!!.txt;[KASISKI];_Adatok_visszaallitasahoz_utasitasok;_DECRYPT_ASSISTANCE_;_DECRYPT_INFO_;_DECRYPT_INFO_szesnl;_DEC_FILES.;_FILES_WERE_ENCRYPTED_@.TXT;_HELP_HELP_HELP_;_HELP_Recover_Files_;_HELP_instructions.bmp;_HELP_instructions.txt;_HOWDO_text.bmp;_HOWDO_text.html;_HOW_TO_Decrypt;_H_e_l_p_RECOVER_INSTRUCTIONS+;_H_e_l_p_RECOVER_INSTRUCTIONS;_Locky_recover;_Locky_recover_instructions.bmp;_Locky_recover_instructions.txt;_README.hta;_README.jpg;_READ_ME!;_RECOVER_INSTRUCTIONS;_ReCoVeRy_+;_USE_TO_FIX_;_WHAT_is.html;_help_instruct;_how_recover.txt;_how_recover;_how_recover_;_recover_;_secret_code.txt;_steaveiwalker@india.com_;aeroware;confirmation.key;contains(to_string($message.file_created), "howrecover+;crjoker.html;cryptinfo.txt;cryptolocker.;cryptopp;de_crypt_readme.;de_crypt_readme.bmp;de_crypt_readme.html;de_crypt_readme.txt;decipher_ne;decrypt-instruct;decrypt explanations.;decrypt my file;decrypt your file;decrypt_Globe;decrypt_instruct;decrypted_files.dat;decryptional;decryptmyfiles;decypt_your_files.html;default32643264.bmp;default432643264.jpg;email-salazar_slytherin10;enc_files.txt;encryptor_raas_readme_liesmich;enigma.hta;enigma_encr.txt;exit.hhr.obleep;fattura_;file0locked;files_are_encrypted.;-filesencrypted;firemail.cc;firstransomware.exe;gmx.de;hacks.at.sigaint.org;help-file-decrypt.enc;help_decrypt;help_file_;help_instructions.;help_my_files;help_recover;help_recover_instructions;help_restore;help_restore_files;help_your_file;helpmeencedfiles;how to decrypt aes files.lnk;how to decrypt;how to get data.txt;how_decrypt.gif;how_recover;how_to_decrypt;how_to_recover;howrecover+ recoveryfile_;howrecover+;howto_recover_file;howto_restore;howtodecrypt;howtodecryptaesfiles.txt;inbox.ru;info@kraken.cc_worldcza@email.cz;install_tor;iran.ir;last_chance.txt;maestro@pizzacrypts.info;maxcrypt.bmp;only-we_can-help_you;openforyou@india.com;opensourcemail.org;padcrypt;paycrypt.bmp;popcorn_time.exe;powerfulldecrypt;protonmail.ch;qbmail.biz;randomname;readme_decrypt;readme_for_decrypt;readme_liesmich_encryptor_raas;recover_file;recover_file_;recover_instruction;recoverfile;recoverfile_;recovery+;recovery_file.txt;recovery_key.txt;recoveryfile;recover}-;restore_files.txt;restorefiles;restorefiles_;ryukreadme.html;tuta.io;tutanota.com;tutanota.de;unCrypte;vault.hta;vault.key;vault.txt;want your files back.;warning-!!;wie_zum_Wiederherstellen_von_Dateien.txt;wowreadfordecryp;wowwhereismyfiles;zXz.html;zycrypt.;zzzzzzzzzzzzzzzzzyyy</TargetFilename>
+				<TargetFilename condition="excludes all">C:\Users\;\Google\Chrome Beta\User Data\;\IndexedDB\</TargetFilename>
+				<TargetFilename condition="excludes any">C:\Program Files\WindowsApps\Microsoft.YourPhone_;C:\Program Files\dotnet\shared\Microsoft.NETCore.App\</TargetFilename>
 			</Rule>
 			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="contains">crackmapexec</TargetFilename>
 			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._AES.pyd</TargetFilename>
@@ -3770,7 +3776,6 @@
 				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename> 
 				<TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename> 
 				<TargetFilename condition="contains">\AppData\Temp\</TargetFilename>
-				<Image condition="excludes">C:\WINDOWS\system32\dxgiadaptercache.exe</Image>
 			</Rule>
 			<TargetFilename condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
 			<Image condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files Created from">$Recycle.Bin</Image>
@@ -5761,7 +5766,7 @@
 				<QueryName condition="begin with">_ldap.</QueryName>
 				<Image condition="excludes">C:\Windows\</Image>
 				<Image condition="excludes">unknown process</Image>
-				<Image condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</Image>
+				<Image condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\Windows Defender\MsMpEng.exe;C:\Windows\</Image>
 			</Rule>
 			<!--
 			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AAAA Lookup" condition="begin with">type:  28</QueryResults>
@@ -6085,7 +6090,7 @@
 				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block Powershell from downloading EXE" groupRelation="and">
-				<Image condition="contains any">powershell.exel;powershell_ise.exe</Image>
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
 				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block double extensions" groupRelation="and">

From bcf69ff5948e02c36e27b42df25d6544a57ff6af Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Mon, 26 Sep 2022 17:43:11 -0400
Subject: [PATCH 372/471] Add Unsigned GAC Detection and detection of netsh doh
 encryption

---
 sysmonconfig-export.xml | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 3b00d8b1..b07f9724 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1531,6 +1531,11 @@
 				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
 				<CommandLine condition="contains all">get;useraccount</CommandLine>
 			</Rule>
+			<Rule name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Level=0,Desc=DNS encryption enabled with netsh,Risk=40" groupRelation="and">
+				<Image condition="image">netsh.exe</Image>
+				<CommandLine condition="contains any">add;set</CommandLine>
+				<CommandLine condition="contains any">encryption;dohtemplate</CommandLine>
+			</Rule>
 			<Rule name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Level=0,Desc=Network Connection modifications with netsh,Risk=40" groupRelation="and">
 				<Image condition="image">netsh.exe</Image>
 				<CommandLine condition="contains any">add;del;set</CommandLine>
@@ -3120,7 +3125,14 @@
 				<Image condition="excludes">C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_</Image>
 				<Image condition="excludes">C:\Windows\explorer.exe</Image>
 			</Rule>
-			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Global Assembly Cache Load" condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=1,Desc=Unsigned Global Assembly Cache Load" groupRelation="and">
+				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
+				<Signed condition="is">false</Signed>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=1,Desc=Signed Global Assembly Cache Load" groupRelation="and">
+				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
+				<Signed condition="is">true</Signed>
+			</Rule>
 		</ImageLoad>
 	</RuleGroup>
 	<RuleGroup name="RG=Image Load Excludes" groupRelation="or">
@@ -3541,7 +3553,7 @@
 			</Rule>
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Dark Halo Software location,Risk=100" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\SoftwareDistribution</TargetFilename>
-				<TargetFilename name="Defender AntiMalware Delta Patch" condition="excludes all">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_;.exe</TargetFilename>
+				<TargetFilename condition="excludes all">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_;.exe</TargetFilename>
 				<TargetFilename condition="end with">.exe</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=0,Desc=MSBuild Source Files created" groupRelation="or">

From b544dd61b1f345e51d3791033e58ba7e1e12451e Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 27 Sep 2022 16:42:03 -0400
Subject: [PATCH 373/471] Add some qbot/qakbot detections with experimental
 logoncli.dll monitoring qbot appears to always load the following DLL's on
 injected processes: C:\Windows\System32\Wldap32.dll
 C:\Windows\System32\iertutil.dll C:\Windows\System32\logoncli.dll
 C:\Windows\System32\msasn1.dll C:\Windows\System32\netapi32.dll
 C:\Windows\System32\netutils.dll C:\Windows\System32\normaliz.dll
 C:\Windows\System32\nsi.dll C:\Windows\System32\ntdll.dll
 C:\Windows\System32\ntmarta.dll C:\Windows\System32\samcli.dll
 C:\Windows\System32\srvcli.dll C:\Windows\System32\urlmon.dll
 C:\Windows\System32\userenv.dll C:\Windows\System32\version.dll
 C:\Windows\System32\wininet.dll C:\Windows\System32\wkscli.dll
 C:\Windows\System32\ws2_32.dll

---
 sysmonconfig-export.xml | 35 ++++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index b07f9724..3b810a59 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1025,6 +1025,15 @@
 				<ParentImage condition="image">wermgr.exe</ParentImage>
 				<Image condition="excludes any">\WerFaultSecure.exe;\wermgr.exe;\WerFault.exe</Image>
 			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Possible wermgr injection,Risk=30" groupRelation="and">
+				<Image condition="image">wermgr.exe</Image>
+				<CommandLine condition="end with">wermgr.exe</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Possible qbot injection,Risk=30" groupRelation="and">
+				<ParentImage condition="contains any">\rundll32.exe;\regsvr32.exe</ParentImage>
+				<Image condition="contains any">\explorer.exe;\wermgr.exe;\msra.exe</Image>
+				<CommandLine condition="end with">.exe</CommandLine>
+			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of conhost,Risk=30" groupRelation="and">
 				<ParentImage condition="image">conhost.exe</ParentImage>
 				<Image condition="excludes any">\mscorsvw.exe;\wermgr.exe;\WerFault.exe;\WerFaultSecure.exe</Image>
@@ -2976,31 +2985,35 @@
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office taskschd.dll Load" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
+				<ImageLoaded condition="end with">taskschd.dll</ImageLoaded>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WScript taskschd.dll Load" groupRelation="and">
 				<Image condition="contains any">wscript.exe;cscript.exe</Image>
-				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
+				<ImageLoaded condition="end with">taskschd.dll</ImageLoaded>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WMI taskschd.dll Load" groupRelation="and">
 				<Image condition="image">wmiprvse.exe</Image>
-				<ImageLoaded condition="is">taskschd.dll</ImageLoaded>
+				<ImageLoaded condition="end with">taskschd.dll</ImageLoaded>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powershell Loading MSI.dll" groupRelation="and">
 				<Image condition="image">powershell.exe</Image>
-				<ImageLoaded condition="is">msi.dll</ImageLoaded>
+				<ImageLoaded condition="end with">msi.dll</ImageLoaded>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powershell Loading AMSI.dll" groupRelation="and">
 				<Image condition="contains">powershell</Image>
-				<ImageLoaded condition="is">amsi.dll</ImageLoaded>
+				<ImageLoaded condition="end with">amsi.dll</ImageLoaded>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powershell Not Loading AMSI.dll" groupRelation="and">
 				<Image condition="excludes">powershell</Image>
-				<ImageLoaded condition="is">amsi.dll</ImageLoaded>
+				<ImageLoaded condition="end with">amsi.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=1,Desc=Monitor logoncli.dll dll loads for injection - potential qbot activity" groupRelation="and">
+				<ImageLoaded condition="end with">logoncli.dll</ImageLoaded>
+				<Image condition="is not">C:\Windows\System32\wbem\WmiPrvSE.exe</Image>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office clr.dll Load" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="is">clr.dll</ImageLoaded>
+				<ImageLoaded condition="end with">clr.dll</ImageLoaded>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious clr windows management dll Load" groupRelation="and">
 				<ImageLoaded condition="contains all">clr.dll;System.Management.ni.dll;Microsoft.Build.Utilities</ImageLoaded>
@@ -3179,10 +3192,10 @@
 			<ImageLoaded condition="is">C:\Program Files\Microsoft Office\Office15\Library\Analysis\ANALYS32.XLL</ImageLoaded>
 			<ImageLoaded condition="is">C:\Program Files\Microsoft Office\Office16\Library\Analysis\ANALYS32.XLL</ImageLoaded>
 			<ImageLoaded condition="is">C:\Windows\SysWOW64\sppc.dll</ImageLoaded>
-			<ImageLoaded condition="is">Microsoft.Office.Interop.VisOcx.dll</ImageLoaded>
-			<ImageLoaded condition="is">Microsoft.Office.Interop.Word.dll</ImageLoaded>
-			<ImageLoaded condition="is">Microsoft.Vbe.Interop.dll</ImageLoaded>
-			<ImageLoaded condition="is">OFFICE.DLL</ImageLoaded>
+			<ImageLoaded condition="end with">Microsoft.Office.Interop.VisOcx.dll</ImageLoaded>
+			<ImageLoaded condition="end with">Microsoft.Office.Interop.Word.dll</ImageLoaded>
+			<ImageLoaded condition="end with">Microsoft.Vbe.Interop.dll</ImageLoaded>
+			<ImageLoaded condition="end with">OFFICE.DLL</ImageLoaded>
 		</ImageLoad>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->

From 1ca9915e105a4d87b45121f6d9ebdd05dd33a98c Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Thu, 29 Sep 2022 14:11:30 -0400
Subject: [PATCH 374/471] FileBlockExecutable was blocking windows updates due
 to an issue with double extension executable rules, re-wrote those and added
 some exploit detection for some network services.

---
 sysmonconfig-export.xml | 71 +++++++++++++++++++++++++++++++++++++++--
 1 file changed, 68 insertions(+), 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 3b810a59..99d2f474 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -263,6 +263,16 @@
 				<CommandLine condition="contains">.vba</CommandLine>
 				<CommandLine condition="contains">.vbe</CommandLine>
 			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=Suspicious scripting to dll commands,Risk=70" groupRelation="and">
+				<ParentImage condition="contains any">\wscript.exe;\cscript.exe</ParentImage>
+				<Image condition="contains any">\rundll32.exe;regsvr32.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=Suspicious rundll32 commands,Risk=70" groupRelation="and">
+				<Image condition="contains any">\rundll32.exe;regsvr32.exe</Image>
+				<CommandLine condition="excludes any">.dll;.cpl;.ocx;localserver;enable-speech-input;auto-scan-plugin;enable-media-stream;CastMediaRouteProvider;-eoim;/eoim</CommandLine><!--Already have localserver com detection-->
+				<CommandLine condition="excludes all">setupapi;InstallHinfSection;DefaultInstall;SplunkUniversalForwarder\bin\spl;rundll32.exe "C:\Windows\Installer\MSI</CommandLine>
+				<CommandLine condition="excludes all">\MSI;.tmp",zzzInvokeManagerCustomActionOutOfProc</CommandLine>
+			</Rule>
 			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=2,Alert=cscript execution,Risk=60" groupRelation="and">
 				<Image condition="image">cscript.exe</Image>
 				<CommandLine condition="contains">.js</CommandLine>
@@ -488,9 +498,22 @@
 			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec Child Process,Risk=100" condition="image">psexec.exe</ParentImage>
 			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=2,Alert=PSKill Execution,Risk=100" condition="image">pskill.exe</ParentImage>
 			<Image name="Attack=T1035,Technique=Service Execution,Tactic=Execution,Level=2,Alert=PsKill Command" condition="contains">pskill</Image><!--Detect pskill-->
+			<Rule name="Attack=T1569.002,Technique=System Services,Tactic=Execution,Level=3,Alert=Suspicious Network Service Child Processes,Risk=75" groupRelation="and">
+				<ParentCommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k NetworkService -p</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1569.002,Technique=System Services,Tactic=Execution,Level=3,Alert=Suspicious LanmanWorkstation Child Processes,Risk=75" groupRelation="and">
+				<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1569.002,Technique=System Services,Tactic=Execution,Level=3,Alert=Suspicious Network List Service Child Processes,Risk=75" groupRelation="and">
+				<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k netprofm -p -s netprofm</ParentCommandLine>
+			</Rule>
 			<Rule name="Attack=T1569.002,Technique=System Services,Tactic=Execution,Level=3,Alert=Remote Procedure Call Service Anomaly,Risk=75" groupRelation="and">
 				<ParentCommandLine condition="contains all">C:\WINDOWS\system32\svchost.exe;RPCSS</ParentCommandLine>
 			</Rule>
+			<Rule name="Attack=T1569.002,Technique=System Services,Tactic=Execution,Level=3,Alert=Remote Procedure Call Service Crash detected,Risk=75" groupRelation="and">
+				<ParentCommandLine condition="contains all">C:\WINDOWS\system32\svchost.exe;RPCSS</ParentCommandLine>
+				<Image condition="image">werfault.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
 			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=AstraRoth Command Line detection" groupRelation="and">
 				<CommandLine condition="contains">&amp;&amp; type</CommandLine>
@@ -1174,6 +1197,10 @@
 				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
 				<CommandLine condition="contains any">-sta;/sta</CommandLine>
 			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=3,Alert=Rundll32 localserver Switch - check for com hijacks,Risk=75" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains any">-localserver;/localserver</CommandLine>
+			</Rule>
 			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious OpenAs_RunDLL,Risk=30" groupRelation="and">
 				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
 				<CommandLine condition="contains all">shell32.dll;OpenAs_RunDLL</CommandLine>
@@ -2087,6 +2114,7 @@
 			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Acrobat Reader Launches" condition="image">acrord32.exe</Image>
 			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Gpupdate Launched" condition="image">gpupdate.exe</Image>
 			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=System Child Processes" condition="is">System</ParentImage>
 			<!-- Log other command line events, this sometimes conflicts with rules, add to exclusions as necessary-->
 			<!-- <ParentCommandLine name="Information=Uncategorized Events" condition="contains any">/;\;-;unknown;</ParentCommandLine>-->
 		</ProcessCreate>
@@ -6118,9 +6146,21 @@
 				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
 				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block double extensions" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="contains any">.pdf;.doc;.xls;.doc;.ppt;.txt;.rtf;.htm;.iso;.zip;.rar;.7z</TargetFilename>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block double extensions" groupRelation="or">
+				<TargetFilename condition="end with">.pdf.exe</TargetFilename>
+				<TargetFilename condition="end with">.doc.exe</TargetFilename>
+				<TargetFilename condition="end with">.docx.exe</TargetFilename>
+				<TargetFilename condition="end with">.xls.exe</TargetFilename>
+				<TargetFilename condition="end with">.xlsx.exe</TargetFilename>
+				<TargetFilename condition="end with">.ppt.exe</TargetFilename>
+				<TargetFilename condition="end with">.txt.exe</TargetFilename>
+				<TargetFilename condition="end with">.rtf.exe</TargetFilename>
+				<TargetFilename condition="end with">.iso.exe</TargetFilename>
+				<TargetFilename condition="end with">.zip.exe</TargetFilename>
+				<TargetFilename condition="end with">.rar.exe</TargetFilename>
+				<TargetFilename condition="end with">.7z.exe</TargetFilename>
+				<TargetFilename condition="end with">.ico.exe</TargetFilename>
+				<TargetFilename condition="end with">.lnk.exe</TargetFilename>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block PSexec and PSEXESVC from Dropping binaries" groupRelation="or">
 				<Image condition="contains any">psexesvc</Image>
@@ -6250,5 +6290,30 @@
 			</Rule>
 		</FileBlockExecutable>
 	</RuleGroup>
+	<RuleGroup name="RG=FileBlockExecutable Exclude Group" groupRelation="or">
+		<FileBlockExecutable onmatch="exclude">
+			<Rule name="safe executables - be careful" groupRelation="and">
+				<Image condition="is any">C:\WINDOWS\system32\wuauclt.exe;C:\$WINDOWS.~BT\Sources\SetupHost.Exe</Image>
+			</Rule>
+			<Rule name="safe paths - be careful" groupRelation="and">
+				<Image condition="contains any">C:\Windows\SoftwareDistribution\;C:\$WINDOWS.~BT\NewOS\</Image>
+			</Rule>
+			<Rule name="safe users - be careful" groupRelation="or">
+				<!--<User condition="is">SYSTEM</User>
+				<User condition="is">NT AUTHORITY\SYSTEM</User>
+				<User condition="is">TrustedInstaller</User>
+				<User condition="is">NT AUTHORITY\TrustedInstaller</User>
+				<User condition="is">NT AUTHORITY\NETWORK SERVICE</User>
+				<User condition="end with">ERVICE RÉSEAU</User>
+				<User condition="end with">NETZWERKDIENST</User>
+				<User condition="is">NT AUTHORITY\LOCAL SERVICE</User>
+				<User condition="end with">SERVICE LOCAL</User>
+				<User condition="end with">LOKALER DIENST</User>
+				<User condition="end with">СИСТЕМА</User>
+				<User condition="is">NT-AUTORITÄT\SYSTEM</User>
+				<User condition="is">AUTORITE NT\SYSTEM</User>-->
+			</Rule>
+		</FileBlockExecutable>
+	</RuleGroup>
 	</EventFiltering>
 </Sysmon>
\ No newline at end of file

From 553b065aae1a5f5586c162d3b18b31fe5919485b Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Thu, 29 Sep 2022 14:30:10 -0400
Subject: [PATCH 375/471] Merge in @frack113's Event Log tampering rule from
 the Sigma Project.

---
 sysmonconfig-export.xml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 99d2f474..a119a685 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -4927,15 +4927,21 @@
 				<TargetObject condition="end with">\Enabled</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Enabling of Windows Event Log Source" groupRelation="and">
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=0,Desc=Enabling of Windows Event Log Source" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
 				<TargetObject condition="end with">\Enabled</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Event log system integrity and ACL Modifications" groupRelation="and">
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=0,Desc=Detect Event log system integrity and ACL Modifications" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
 				<TargetObject condition="excludes">\Enabled</TargetObject>
 			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Change Winevt Event Access Permission Via Registry,Author=frack113" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\</TargetObject>
+				<TargetObject condition="end with">\ChannelAccess</TargetObject>
+				<Details condition="contains any">(A;;0x1;;;SY);(A;;0x5;;;BA);(A;;0x1;;;LA)</Details>
+				<Image condition="excludes any">C:\Windows\servicing\TrustedInstaller.exe;\TiWorker.exe</Image>
+			</Rule>
 			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging</TargetObject>
 				<TargetObject condition="end with">\EnableScriptBlockLogging</TargetObject>

From 5bfe473d50ab25886db2ee4afe3f00e4584db071 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Thu, 29 Sep 2022 14:35:36 -0400
Subject: [PATCH 376/471] Fix tagging for safe paths

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index a119a685..c62e660e 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -6302,7 +6302,7 @@
 				<Image condition="is any">C:\WINDOWS\system32\wuauclt.exe;C:\$WINDOWS.~BT\Sources\SetupHost.Exe</Image>
 			</Rule>
 			<Rule name="safe paths - be careful" groupRelation="and">
-				<Image condition="contains any">C:\Windows\SoftwareDistribution\;C:\$WINDOWS.~BT\NewOS\</Image>
+				<TargetFilename condition="contains any">C:\Windows\SoftwareDistribution\;C:\$WINDOWS.~BT\NewOS\</TargetFilename>
 			</Rule>
 			<Rule name="safe users - be careful" groupRelation="or">
 				<!--<User condition="is">SYSTEM</User>

From da1e381dc004221cf4cf0c67291f9d411c41dfcd Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Thu, 29 Sep 2022 21:43:05 -0400
Subject: [PATCH 377/471] Push Updates to Detect Common IOC's found in
 September 2022 Exchange 0day for more information and updates follow twitter
 thread: https://twitter.com/GossiTheDog/status/1575604144957579264

---
 sysmonconfig-export.xml | 41 +++++++++++++++++++++++++++++++++++++----
 1 file changed, 37 insertions(+), 4 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index c62e660e..384b6eb0 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -2161,6 +2161,12 @@
 			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Scanhub Network Connection,Risk=70" condition="contains">scanhub</DestinationHostname>
 			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Shadow Network Connection,Risk=50" condition="contains">shadow</DestinationHostname>
 			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Shodan Network Connection,Risk=50" condition="contains">shodan</DestinationHostname>
+			<Rule name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=4,Alert=Exchange 0day Attackers from September 2022,Risk=100" groupRelation="or">
+				<DestinationIp condition="is any">137.184.67.33;206.188.196.77;125.212.220.48;5.180.61.17;47.242.39.92;61.244.94.85;86.48.6.69;86.48.12.64;94.140.8.48;94.140.8.113;103.9.76.208;103.9.76.211;104.244.79.6;112.118.48.186;122.155.174.188;125.212.241.134;185.220.101.182;194.150.167.88;212.119.34.11</DestinationIp>
+				<DestinationIp condition="begin with">137.184.67.</DestinationIp>
+				<DestinationHostname condition="is any">httpbin.org</DestinationHostname>
+			</Rule>
+			<DestinationHostname condition="contains">shodan</DestinationHostname>
 			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
 			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
 			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
@@ -3129,6 +3135,14 @@
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst image hashes,Risk=100" groupRelation="and">
 				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
 			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=October 2022 Exchange 0day DLL detection,Risk=100" groupRelation="or">
+				<Hashes condition="contains">SHA256=074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82</Hashes><!--Exchange Zero Day Dropped DLL-->
+				<Hashes condition="contains">SHA256=45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9</Hashes><!--Exchange Zero Day Dropped DLL-->
+				<Hashes condition="contains">SHA256=9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0</Hashes><!--Exchange Zero Day Dropped DLL-->
+				<Hashes condition="contains">SHA256=29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3</Hashes><!--Exchange Zero Day Dropped DLL-->
+				<Hashes condition="contains">SHA256=c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2</Hashes><!--Exchange Zero Day Dropped DLL-->
+				<Hashes condition="contains">SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e</Hashes><!--Exchange Zero Day Dropped DLL-->
+			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SVCHost loading Unsigned DLL" groupRelation="and">
 				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
 				<Signed condition="is">false</Signed>
@@ -3733,10 +3747,12 @@
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Scheduled Task Modified" condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
 			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=3,Alert=Exchange 0day from September 2022 overwriting legit file,Risk=80" groupRelation="and">
+				<TargetFilename condition="end with">RedirSuiteServiceProxy.aspx</TargetFilename>
+			</Rule>
 			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=3,Alert=HAFNIUM APT: IIS Creating ASPX files outside of wwwwroot,Risk=80" groupRelation="and">
 				<Image condition="image">w3wp.exe</Image>
 				<TargetFilename condition="end with">.aspx</TargetFilename>
-				<TargetFilename condition="excludes">\wwwroot\aspnet_client\</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=HAFNIUM APT: IIS Creating PHP files,Risk=80" groupRelation="and">
 				<Image condition="image">w3wp.exe</Image>
@@ -3747,8 +3763,8 @@
 				<TargetFilename condition="end with">.aaa</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=3,Alert=HAFNIUM Web Shells Dropped,Risk=100" groupRelation="and">
-				<TargetFilename condition="contains any">\wwwroot\aspnet_client\</TargetFilename>
-				<TargetFilename condition="contains any">.aspx;.php</TargetFilename>
+				<TargetFilename condition="contains any">\wwwroot\aspnet_client\;\FrontEnd\HttpProxy\owa\auth</TargetFilename>
+				<TargetFilename condition="contains any">.aspx;.php;.ashx</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=Files dropped in wwwroot directory,Risk=40" groupRelation="and">
 				<TargetFilename condition="contains any">\wwwroot\</TargetFilename>
@@ -5540,6 +5556,14 @@
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=FireEye sunburst file hashes,Risk=100" groupRelation="and">
 				<Hash condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hash><!-- exclude non executable files -->
 			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=October 2022 Exchange 0day DLL detection,Risk=100" groupRelation="or">
+				<Hash condition="contains">SHA256=074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82</Hash><!--Exchange Zero Day Dropped DLL-->
+				<Hash condition="contains">SHA256=45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9</Hash><!--Exchange Zero Day Dropped DLL-->
+				<Hash condition="contains">SHA256=9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0</Hash><!--Exchange Zero Day Dropped DLL-->
+				<Hash condition="contains">SHA256=29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3</Hash><!--Exchange Zero Day Dropped DLL-->
+				<Hash condition="contains">SHA256=c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2</Hash><!--Exchange Zero Day Dropped DLL-->
+				<Hash condition="contains">SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e</Hash><!--Exchange Zero Day Dropped DLL-->
+			</Rule>
 			<Rule name="Attack=T1096,Technique=Alternate Data Streams,Tactic=Defense Evasion,Level=0,Desc=Alternate Data Streams,Risk=10" groupRelation="and">
 				<TargetFilename condition="contains any">Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf</TargetFilename>
 			</Rule>
@@ -6183,7 +6207,7 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block LOLbins that drop files" groupRelation="and">
 				<Image condition="contains any">AcroRd32.exe;notepad.exe;mshta.exe;hh.exe;certutil.exe;certoc.exe;certreq.exe;desktopimgdownldr.exe;esentutl.exe;finger.exe;presentationhost.exe;cscript.exe;wscript.exe;mspaint.exe;RdrCEF.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1311,Technique=User Execution: Malicious File,Tactic=Execution,Level=4,Alert=Malicious File Detection,Author=Florian Roth" groupRelation="or">
+			<Rule name="Attack=T1311,Technique=User Execution: Malicious File,Tactic=Execution,Level=4,Alert=Malicious File Detection,Author=Florian Roth/ionstorm" groupRelation="or">
 				<Hashes condition="contains">IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932</Hashes> <!-- PetitPotam -->
 				<Hashes condition="contains">IMPHASH=3A19059BD7688CB88E70005F18EFC439</Hashes> <!-- PetitPotam -->
 				<Hashes condition="contains">IMPHASH=bf6223a49e45d99094406777eb6004ba</Hashes> <!-- PetitPotam -->
@@ -6270,6 +6294,15 @@
 				<Hashes condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hashes> <!-- SysmonEnte -->
 				<Hashes condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hashes> <!-- SysmonQuiet -->
 				<Hashes condition="contains">IMPHASH=330768A4F172E10ACB6287B87289D83B</Hashes> <!-- ShaprEvtMute Hook -->
+				<Hashes condition="contains">SHA256=074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82</Hashes><!--Exchange Zero Day Dropped DLL-->
+				<Hashes condition="contains">SHA256=45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9</Hashes><!--Exchange Zero Day Dropped DLL-->
+				<Hashes condition="contains">SHA256=9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0</Hashes><!--Exchange Zero Day Dropped DLL-->
+				<Hashes condition="contains">SHA256=29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3</Hashes><!--Exchange Zero Day Dropped DLL-->
+				<Hashes condition="contains">SHA256=c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2</Hashes><!--Exchange Zero Day Dropped DLL-->
+				<Hashes condition="contains">SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e</Hashes><!--Exchange Zero Day Dropped DLL-->
+			</Rule>
+			<Rule name="Attack=T1311,Technique=User Execution: Malicious File,Tactic=Execution,Level=4,Alert=Exchange 0day Malicious File Detection,Author=ionstorm" groupRelation="and">
+				<TargetFilename condition="contains any">\DrSDKCaller.exe;C:\Users\Public\all.exe;C:\Users\Public\dump.dll;C:\Users\Public\ad.exe;C:\PerfLogs\gpg-error.exe;C:\PerfLogs\cm.exe;C:\Program Files\Common Files\system\ado\msado32.tlb</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Tools that tamper with Sysmon,Author=Florian Roth" groupRelation="and">
 				<TargetFilename condition="contains any">\EntenLoader.exe;\SysmonQuiet.exe;\SharpEvtMute.exe;\EvtMuteHook.dll</TargetFilename>

From 97b60decfc578707d2e8becfc664d9c96c9ea285 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Thu, 29 Sep 2022 22:37:23 -0400
Subject: [PATCH 378/471] Living in the future lol, fixed the date

---
 sysmonconfig-export.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 384b6eb0..18e94fd5 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -3135,7 +3135,7 @@
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst image hashes,Risk=100" groupRelation="and">
 				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
 			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=October 2022 Exchange 0day DLL detection,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Sept 2022 Exchange 0day DLL detection,Risk=100" groupRelation="or">
 				<Hashes condition="contains">SHA256=074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82</Hashes><!--Exchange Zero Day Dropped DLL-->
 				<Hashes condition="contains">SHA256=45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9</Hashes><!--Exchange Zero Day Dropped DLL-->
 				<Hashes condition="contains">SHA256=9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0</Hashes><!--Exchange Zero Day Dropped DLL-->
@@ -5556,7 +5556,7 @@
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=FireEye sunburst file hashes,Risk=100" groupRelation="and">
 				<Hash condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hash><!-- exclude non executable files -->
 			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=October 2022 Exchange 0day DLL detection,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Sept 2022 Exchange 0day DLL detection,Risk=100" groupRelation="or">
 				<Hash condition="contains">SHA256=074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82</Hash><!--Exchange Zero Day Dropped DLL-->
 				<Hash condition="contains">SHA256=45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9</Hash><!--Exchange Zero Day Dropped DLL-->
 				<Hash condition="contains">SHA256=9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0</Hash><!--Exchange Zero Day Dropped DLL-->

From 93cb04e117870e91249f5a852f15049f2e37858b Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 30 Sep 2022 08:15:38 -0400
Subject: [PATCH 379/471] Push update to include Certutil.exe for w3wp.exe
 subprocesses

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 18e94fd5..9e8d50d9 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -374,7 +374,7 @@
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Web Server Exploitation Detected,Risk=100" groupRelation="and">
 				<ParentImage condition="contains any">apache;w3wp.exe;php-cgi.exe;nginx.exe;httpd.exe;tomcat;php.exe</ParentImage>
-				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe</Image>
+				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;certutil.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Web Server Spawned cmd shell,Risk=100" groupRelation="and">
 				<Image condition="image">cmd.exe</Image>				

From 45430a2f2db5a46b46429da1189e5360bad0cc90 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 30 Sep 2022 08:31:26 -0400
Subject: [PATCH 380/471] Update to Break out IIS Rule from Web Server
 Exploitation rule to be more specific to IIS.  Add appcmd detection
 complements to Florian Roth and Microsoft for the idea.

---
 sysmonconfig-export.xml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 9e8d50d9..7605849d 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -373,9 +373,20 @@
 				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Web Server Exploitation Detected,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">apache;w3wp.exe;php-cgi.exe;nginx.exe;httpd.exe;tomcat;php.exe</ParentImage>
+				<ParentImage condition="contains any">apache;php-cgi.exe;nginx.exe;httpd.exe;tomcat;php.exe</ParentImage>
 				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;certutil.exe</Image>
 			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=IIS Web Server Exploitation Detected,Risk=100" groupRelation="and">
+				<ParentImage condition="image">w3wp.exe</ParentImage>
+				<Image condition="excludes any">\csc.exe;\TranscodingService.exe;\werfault.exe;\appcmd.exe</Image>
+				<!--Add wider coverage than specific lolbins, add exclusions above carefully, could be noisy, if too noisy comment above and uncomment below and add more lolbins-->
+				<!--<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;certutil.exe</Image>-->
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Suspicious IIS Module Registration,Risk=100,Author=Florian Roth/@ionstorm" groupRelation="and">
+				<ParentImage condition="contains any">\w3wp.exe</ParentImage>
+				<Image condition="contains">\appcmd.exe</Image>
+				<CommandLine condition="contains any">appcmd.exe add module;system.enterpriseservices.internal.publish;\gacutil.exe /I;gacutil.exe -I</CommandLine>
+			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Web Server Spawned cmd shell,Risk=100" groupRelation="and">
 				<Image condition="image">cmd.exe</Image>				
 				<CommandLine condition="excludes any">ping 127.0.0.1</CommandLine>				

From 31c69e358d8aed7d91568509e8eaeaec503c8528 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 30 Sep 2022 08:41:25 -0400
Subject: [PATCH 381/471] Improve detection targeting by utilizing image filter
 rather than contains for new IIS detections split from generic Web Server
 exploitation rule.

---
 sysmonconfig-export.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 7605849d..48125eba 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -383,8 +383,8 @@
 				<!--<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;certutil.exe</Image>-->
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Suspicious IIS Module Registration,Risk=100,Author=Florian Roth/@ionstorm" groupRelation="and">
-				<ParentImage condition="contains any">\w3wp.exe</ParentImage>
-				<Image condition="contains">\appcmd.exe</Image>
+				<ParentImage condition="image">w3wp.exe</ParentImage>
+				<Image condition="image">appcmd.exe</Image>
 				<CommandLine condition="contains any">appcmd.exe add module;system.enterpriseservices.internal.publish;\gacutil.exe /I;gacutil.exe -I</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Web Server Spawned cmd shell,Risk=100" groupRelation="and">

From 894a4e4be3ace0600f32639ecca3b128bf4678f2 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 30 Sep 2022 09:29:15 -0400
Subject: [PATCH 382/471] Per @VadimKutia kaspersky AV noise reduction
 exclusions added. - Thank you!

---
 sysmonconfig-export.xml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 48125eba..d89eb4d2 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -2876,6 +2876,11 @@
 			<Image condition="image">MSExchangeHMWorker.exe</Image>
 			<Image condition="image">MSExchangeSubmission.exe</Image>
 			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=UNC Path Network Connections" condition="begin with">\</Image>
+			<!--SECTION: Antivirus Exclusions -->
+			<Rule name="Antivirus Exclusions" groupRelation="or">
+				<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab</Image> 
+				<Image condition="begin with">C:\Program Files\Kaspersky Lab</Image>
+			</Rule>
 		</NetworkConnect>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->
@@ -3547,6 +3552,10 @@
 			<CallTrace name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">dump</CallTrace>
 			<CallTrace name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">mimikatz</CallTrace>
 			<CallTrace name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=ProcessAccess with CorperfmontExt.dll,Risk=70" condition="contains">CorperfmontExt.dll</CallTrace>
+			<Rule name="Antivirus Exclusions" groupRelation="or"> 
+				<SourceImage condition="begin with">C:\Program Files (x86)\Kaspersky Lab</SourceImage> 
+				<SourceImage condition="begin with">C:\Program Files\Kaspersky Lab</SourceImage>
+			</Rule>
 		</ProcessAccess>
 	</RuleGroup>
 	<RuleGroup name="RG=ProcessAccess Exclude Group" groupRelation="or">
@@ -5550,6 +5559,10 @@
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=RDP History,Risk=10" condition="contains">Terminal Server Client\Servers</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
+			<Rule name="Antivirus" groupRelation="or">
+				<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab</Image> 
+				<Image condition="begin with">C:\Program Files\Kaspersky Lab</Image>
+			</Rule>
 		</RegistryEvent>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->

From 01b73eab1d6660a9953c481dab3145d6627f1611 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 30 Sep 2022 09:31:03 -0400
Subject: [PATCH 383/471] Per @VadimKutia added Opera to browser based
 detections, thank you for the contribution!

---
 sysmonconfig-export.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index d89eb4d2..6a3b1c67 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -2653,12 +2653,12 @@
 			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Connection to Github,Risk=30" condition="contains">github</DestinationHostname> 
 			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Connection to Github,Risk=30" condition="contains">githubusercontent.com</DestinationHostname>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Web Browser HTTP Connections" groupRelation="and">
-				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
+				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe</Image>
 				<DestinationPort condition="is">80</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Web Browser HTTPS Connections" groupRelation="and">
-				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
+				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe</Image>
 				<DestinationPort condition="is">443</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
@@ -3268,7 +3268,7 @@
 				<SourceImage condition="contains any">msiexec.exe</SourceImage>
 			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=Remote Thread Injection Targetting Web Browser,Risk=70" groupRelation="and">
-				<TargetImage condition="contains any">chrome.exe;firefox.exe;edge.exe;browser_broker.exe;iexplore.exe</TargetImage>
+				<TargetImage condition="contains any">chrome.exe;firefox.exe;edge.exe;browser_broker.exe;iexplore.exe;opera.exe</TargetImage>
 			</Rule>
 			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=0,Desc=LSASS Credential dumping,Risk=70" groupRelation="and">
 				<StartAddress condition="is">0x001A0000</StartAddress>

From 4be2ec901b17ddc72dac2a523bb1510ffd022a55 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 30 Sep 2022 09:51:03 -0400
Subject: [PATCH 384/471] Detection accuracy improvement, matching "image"
 instead of "is", "is" must match full path instead of full path or image
 name.

---
 sysmonconfig-export.xml | 48 ++++++++++++++++++++---------------------
 1 file changed, 24 insertions(+), 24 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 6a3b1c67..e986b813 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -398,33 +398,33 @@
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office MSHTML Exploit,Risk=100,CVE=CVE-2021-40444" groupRelation="and">
 				<ParentImage condition="contains any">winword.exe;powerpnt.exe;excel.exe</ParentImage>
-				<Image condition="is">control.exe</Image>
+				<Image condition="image">control.exe</Image>
 				<CommandLine condition="excludes any">input.dll</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Follina msdt Exploit,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<Image condition="is">msdt.exe</Image>
+				<Image condition="image">msdt.exe</Image>
 				<OriginalFileName condition="is">msdt.exe</OriginalFileName>
 				<CommandLine condition="contains all">BrowseForFile=;PCWDiagnostic</CommandLine>
 				<CommandLine condition="contains any">/af;-af</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=msdt via answer file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<Image condition="is">msdt.exe</Image>
+				<Image condition="image">msdt.exe</Image>
 				<ParentImage condition="is not">pcwrun.exe</ParentImage>
 				<CommandLine condition="contains">PCWDiagnostic</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=msdt via diagcab file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<Image condition="is">msdt.exe</Image>
+				<Image condition="image">msdt.exe</Image>
 				<CommandLine condition="contains any">/cab;-cab</CommandLine>
 				<CommandLine condition="contains">.diagcab</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=MSDT Executed with Suspicious Parent,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
 				<ParentImage condition="contains any">powershell.exe;pwsh.exe;cmd.exe;mshta.exe;cscript.exe;wscript.exe;wsl.exe;rundll32.exe;regsvr32.exe</ParentImage>
-				<Image condition="is">msdt.exe</Image>
+				<Image condition="image">msdt.exe</Image>
 			</Rule>
 			<ParentImage condition="image" name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Exploit - Equation Editor starts application,CVE=CVE-2017-11882">EQNEDT32.EXE</ParentImage> <!-- https://app.any.run/tasks/dfea0112-6fbe-4091-9161-1e8f25f611b0/-->
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=EPS Processing 0day,Risk=100,CVE=CVE-2017-0261" groupRelation="and">
 				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</ParentImage>
-				<Image condition="is">FLTLDR.EXE</Image>
+				<Image condition="image">FLTLDR.EXE</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
 			<CommandLine name="Attack=T1559.002,Technique=Dynamic Data Exchange,Tactic=Execution" condition="contains any">/dde;-dde</CommandLine>
@@ -666,7 +666,7 @@
 			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Powerup Command Line events" condition="contains">PowerUp</CommandLine>
 			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">computerdefaults.exe</OriginalFileName>
 			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">dism.exe</OriginalFileName>
-			<ParentImage name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">fodhelper.exe</ParentImage>
+			<ParentImage name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="image">fodhelper.exe</ParentImage>
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
 			<Rule name="Attack=T1088,Technique=Access Token Manipulation,Tactic=Privilege Escalation,Risk=90,Level=3,Alert=Priv Escalation to System" groupRelation="and">
 				<ParentUser condition="contains any">NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</ParentUser>
@@ -958,7 +958,7 @@
 				<ParentImage condition="excludes">msiexec.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,Level=3,Alert=CSC Compilation,Risk=80" groupRelation="and">
-				<ParentImage condition="is">csc.exe</ParentImage>
+				<ParentImage condition="image">csc.exe</ParentImage>
 				<CommandLine condition="contains any">out:;target:library</CommandLine>
 			</Rule>
 			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Workflow Compiler https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb" condition="contains">Microsoft.Workflow.Compiler.exe</Image>
@@ -1145,9 +1145,9 @@
 			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">csi.exe</ParentCommandLine>
 			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">devtoolslauncher.exe LaunchForDeploy</ParentCommandLine>
 			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">bginfo</ParentCommandLine>
-			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">devtoolslauncher.exe</ParentImage>
-			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">wab.exe</ParentImage>
-			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">wsreset.exe</ParentImage>
+			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="image">devtoolslauncher.exe</ParentImage>
+			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="image">wab.exe</ParentImage>
+			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="image">wsreset.exe</ParentImage>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: CMSTP-->
 			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion" condition="contains any">cmstp.exe /ni /s;cmstp.exe -ni -s</CommandLine>
 			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=0,Desc=cmstp" condition="contains any">cmstp /ni /s;cmstp -ni -s</CommandLine>
@@ -1776,7 +1776,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
 			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
 			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
-			<Image name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,Level=3,Alert=Data injected into clipboard,Risk=30" condition="is">clip.exe</Image>
+			<Image name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,Level=3,Alert=Data injected into clipboard,Risk=30" condition="image">clip.exe</Image>
 			<CommandLine name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,Level=3,Alert=Data pulled from clipboard,Risk=40" condition="contains">get-clipboard</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
 			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
@@ -2986,7 +2986,7 @@
 	<RuleGroup name="RG=Image Load Includes" groupRelation="or">
 		<ImageLoad onmatch="include">
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=MSDT Loading diagnostic library: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<Image condition="is">msdt.exe</Image>
+				<Image condition="image">msdt.exe</Image>
 				<ImageLoaded condition="contains">sdiageng.dll</ImageLoaded>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=VBE7 Macro Image Loads with wshom,Risk=70" groupRelation="and">
@@ -4033,16 +4033,16 @@
 			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
 			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created by Teamviewer" condition="is">Teamviewer.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Created by rundll32" condition="is">rundll32.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created with Remote Desktop Client" condition="is">mstsc.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Created with command shell,Risk=30" condition="is">cmd.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Dropped with IronPython.exe,Risk=50" condition="is">ipy.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Dropped with WScript.exe,Risk=30" condition="is">WScript.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with cscript.exe,Risk=30" condition="is">cscript.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with mshta.exe,Risk=100" condition="is">mshta.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with python.exe,Risk=30" condition="is">python.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with wmic.exe,Risk=30" condition="is">wmic.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created by Teamviewer" condition="image">Teamviewer.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Created by rundll32" condition="image">rundll32.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created with Remote Desktop Client" condition="image">mstsc.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Created with command shell,Risk=30" condition="image">cmd.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Dropped with IronPython.exe,Risk=50" condition="image">ipy.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Dropped with WScript.exe,Risk=30" condition="image">WScript.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with cscript.exe,Risk=30" condition="image">cscript.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with mshta.exe,Risk=100" condition="image">mshta.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with python.exe,Risk=30" condition="image">python.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with wmic.exe,Risk=30" condition="image">wmic.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
 			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
@@ -6221,7 +6221,7 @@
 				<Image condition="contains any">psexec</Image>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block wmiprvse.exe from Dropping binaries" groupRelation="or">
-				<Image condition="is">wmiprvse.exe</Image>
+				<Image condition="image">wmiprvse.exe</Image>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block executables from writing to Users\Public" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>

From b4aeaa9bc19425167b118862b2a3cbd5d1d6df29 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 30 Sep 2022 09:59:32 -0400
Subject: [PATCH 385/471] Target image instead of "contains" round 2

---
 sysmonconfig-export.xml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e986b813..5ce40078 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1296,7 +1296,7 @@
 			</Rule>
 			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild Calling RegAsm" groupRelation="and">
 				<ParentImage condition="image">msbuild.exe</ParentImage>
-				<Image condition="contains">regasm</Image>
+				<Image condition="image">regasm.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild Calling useinit" groupRelation="and">
 				<ParentImage condition="image">msbuild.exe</ParentImage>
@@ -1407,7 +1407,7 @@
 			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry" condition="contains any">HKCU /f password;HKCU -f password</CommandLine>
 			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry" condition="contains any">HKLM /f password;HKLM -f password</CommandLine>
 			<Image name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command nltest,Risk=60" condition="image">nltest.exe</Image>
-			<Image name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command" condition="contains">ProcDump.exe</Image>
+			<Image name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command" condition="image">ProcDump.exe</Image>
 			<OriginalFileName name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command" condition="contains">ProcDump</OriginalFileName>
 			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
 			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
@@ -2103,8 +2103,8 @@
 			<Rule  name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SVCHost Processes" groupRelation="and">
 				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
 			</Rule>
-			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Permission Modifications with icacls or cacls" condition="contains">cacls</Image>
-			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Ownership Permission Modifications with takeown" condition="contains">takeown</Image>
+			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Permission Modifications with icacls or cacls" condition="image">cacls.exe</Image>
+			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Ownership Permission Modifications with takeown" condition="image">takeown.exe</Image>
 			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
 			<Rule  name="Attack=None,Technique=None,Tactic=None,Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
 				<CommandLine condition="contains">\pipe\</CommandLine>
@@ -2399,7 +2399,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
-			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=4,Alert=NBTSTAT Query,Risk=30" condition="contains">nbtstat</Image>
+			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=4,Alert=NBTSTAT Query,Risk=30" condition="image">nbtstat.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
 			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net.exe</Image>
 			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net1.exe</Image>
@@ -2687,7 +2687,7 @@
 				<Image condition="contains">unknown process</Image>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Explorer Network Connection" groupRelation="and">
-				<Image condition="contains">explorer.exe</Image>
+				<Image condition="image">explorer.exe</Image>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows SMTP Server" groupRelation="and">
 				<Image condition="image">inetinfo.exe</Image>
@@ -3570,7 +3570,7 @@
 			</Rule>
 			<!-- These binaries appear to access lsass legitimately -->
 			<Rule name="legitimate lsass access" groupRelation="and">
-				<TargetImage condition="contains">lsass.exe</TargetImage>
+				<TargetImage condition="image">lsass.exe</TargetImage>
 				<SourceImage condition="excludes any">C:\Windows\system32\w32tm.exe;C:\Windows\System32\ping.exe;C:\Windows\System32\net.exe;C:\Windows\System32\net1.exe;C:\Windows\SYSTEM32\HOSTNAME.EXE;C:\Programdata\sysmon\sysmon.exe;C:\Programdata\sysmon\sysmon64.exe;C:\Program Files\Windows Defender\MsMpEng.exe;C:\Program Files (x86)\BeAnywhere Support Express\;C:\Program Files (x86)\CheckPoint\;C:\Program Files (x86)\Common Files\Intuit\QuickBooks\;C:\Program Files (x86)\Fortinet\;C:\Program Files (x86)\Trend Micro\;C:\Program Files\Adobe\Adobe Creative Cloud Experience\;C:\Program Files\CheckPoint\;C:\Program Files\Fortinet\;C:\Program Files\Realtek;C:\Program Files\Trend Micro\;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Program Files (x86)\Lenovo\;snmpd.exe;taskmgr;:\Windows\System32\smss.exe;:\Windows\system32\wininit.exe;\Bin\FMS.exe; <!-- Exchange Process -->\EMET_GUI.exe;\EMET_Service.exe;\Google\Update\GoogleUpdate.exe;\RAAGTAPP.EXE;\controls\cef\ConnectWise.exe;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe;C:\Program Files\Hewlett-Packard\AMS\service\hpqams.exe;C:\Program Files\Intel\SUR\WILLAMETTE\ESRV\esrv_svc.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files\Windows Defender\MsMpEng.exe;C:\WINDOWS\system32\WerFault.exe;C:\WINDOWS\system32\taskkill.exe;C:\Windows\SysWOW64\WerFault.exe;C:\Windows\System32\snmp.exe;C:\Windows\system32\msiexec.exe;C:\Windows\system32\spoolsv.exe;C:\Windows\system32\svchost.exe</SourceImage>
 			</Rule>
 			<!-- These binaries get or access processes running .NET -->

From feabcbcc34ab39c103c6dc2adea3d54cdb97a039 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 30 Sep 2022 10:02:54 -0400
Subject: [PATCH 386/471] "end with" -> "image" where applicable for
 performance/detection improvement.

---
 sysmonconfig-export.xml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 5ce40078..4c8b8f1f 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1703,7 +1703,7 @@
 			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrshost.exe</Image>
 			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=2,Alert=Waitfor.exe Execution bypass" condition="image">waitfor.exe</Image>
 			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</Image>
-			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="end with">winrshost.exe</ParentImage>
+			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrshost.exe</ParentImage>
 			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</ParentImage>
 			<Rule name="Attack=T1021.006,Technique=Remote WMIC/Execution,Tactic=Lateral Movement,Level=4,Alert=Potential Malicious Document Execution,Risk=90" groupRelation="and">
 				<ParentImage condition="image">wmiprvse.exe</ParentImage>
@@ -5720,11 +5720,11 @@
 			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
 			<Rule name="ngen excludes" groupRelation="and">
 				<Image condition="begin with">C:\Windows\Microsoft.NET\Framework</Image>
-				<Image condition="end with">\ngen.exe</Image>
+				<Image condition="image">ngen.exe</Image>
 			</Rule>
 			<Rule name="ShellExperienceHost excludes" groupRelation="and">
 				<Image condition="begin with">C:\Windows\SystemApps\ShellExperienceHost_</Image>
-				<Image condition="end with">\ShellExperienceHost.exe</Image>
+				<Image condition="image">ShellExperienceHost.exe</Image>
 			</Rule>
 			<Image condition="image">C:\Windows\system32\SearchProtocolHost.exe</Image>
 			<Image condition="image">\System</Image>
@@ -5901,9 +5901,9 @@
 			<Image condition="begin with">C:\Program Files (x86)\Veeam\</Image>
 			<Image condition="begin with">C:\Program Files\CheckPoint\</Image>
 			<Image condition="begin with">C:\Program Files\Trend Micro\</Image>
-			<Image condition="end with">Slack.exe</Image>
-			<Image condition="end with">\controls\cef\ConnectWise.exe</Image>
-			<Image condition="end with">git-remote-https.exe</Image>
+			<Image condition="image">Slack.exe</Image>
+			<Image condition="image">ConnectWise.exe</Image>
+			<Image condition="image">git-remote-https.exe</Image>
 			<Image condition="image">C:\Program Files (x86)\Enpass\Enpass.exe</Image>
 			<Image condition="image">C:\Program Files (x86)\Fiserv\Vision\VisionGUI.NET.exe</Image>
 			<Image condition="image">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image>

From 390ec8f67bc4f98a37288c84d8871fa8fdfe7b14 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 30 Sep 2022 10:44:24 -0400
Subject: [PATCH 387/471] Split out System.Management.Automation Command line
 detection to new rule format with exclusion for ngen install of
 System.Management.Automation

---
 sysmonconfig-export.xml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 4c8b8f1f..60c505a9 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1072,7 +1072,10 @@
 				<ParentImage condition="image">conhost.exe</ParentImage>
 				<Image condition="excludes any">\mscorsvw.exe;\wermgr.exe;\WerFault.exe;\WerFaultSecure.exe</Image>
 			</Rule>
-			<CommandLine name="Attack=T1055,Technique=Powershell Injection Persistence Bypass - Execution - Lateral Movement - Tactic=Defense Evasion,Level=4,Alert=Powershell Injection persistence bypass,Risk=50" condition="contains">System.Management.Automation</CommandLine>
+			<Rule name="Attack=T1055,Technique=Powershell Injection Persistence Bypass - Execution - Lateral Movement - Tactic=Defense Evasion,Level=4,Alert=Powershell Injection persistence bypass,Risk=50" groupRelation="and">
+				<CommandLine condition="contains">System.Management.Automation</CommandLine>
+				<CommandLine condition="excludes all">"C:\Windows\Microsoft.NET\Framework\;\ngen.exe;install</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
 			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
 			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->

From 1cd834a587531d3f9799c64ae4da47e555531a84 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 30 Sep 2022 11:31:39 -0400
Subject: [PATCH 388/471] Block binaries from writing to C:\PerfLogs, add
 additional detections specific to original Exchange 0day attackers.

---
 sysmonconfig-export.xml | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 60c505a9..fca00b24 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1824,7 +1824,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
 			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Rule name="Attack=T1105,Technique=Remote File Copy,Tactic=Command and Control,Level=4,Alert=Certutil file transfer,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=Certutil file transfer,Risk=100" groupRelation="and">
 				<Image condition="image">certutil.exe</Image>
 				<CommandLine condition="contains all">urlcache;split;f</CommandLine>
 			</Rule>
@@ -1855,6 +1855,12 @@
 				<OriginalFileName condition="contains">certutil</OriginalFileName>
 				<CommandLine condition="contains any">verifyctl;URL</CommandLine>
 			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Potential Ingress Tool Transfer and tool usage within suspicious folders,Risk=100" groupRelation="and">
+				<CurrentDirectory condition="contains any">C:\Perflogs\;C:\Users\Public\;C:\root\</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Potential Ingress Tool Transfer and tool usage within suspicious folders,Risk=100" groupRelation="and">
+				<Image condition="contains any">C:\Perflogs\;C:\Users\Public\;C:\root\</Image>
+			</Rule>
 			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=BitsAdmin File Transfers,Risk=70" condition="image">start-bitstransfer</CommandLine>
 			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand \\</CommandLine>
 			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand.exe \\</CommandLine>
@@ -3147,10 +3153,14 @@
 				<ImageLoaded condition="excludes">C:\ProgramData\Microsoft\Windows Defender\</ImageLoaded>
 				<ImageLoaded condition="excludes">C:\ProgramData\sysmon\sysmon64.exe</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
 				<ImageLoaded condition="contains any">C:\Users\Default\;C:\Users\Public\</ImageLoaded>
 				<ImageLoaded condition="end with">.exe</ImageLoaded>
 			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
+				<ImageLoaded condition="contains any">C:\Users\Default\;C:\Users\Public\</ImageLoaded>
+				<ImageLoaded condition="end with">.dll</ImageLoaded>
+			</Rule>
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst image hashes,Risk=100" groupRelation="and">
 				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
 			</Rule>
@@ -4046,6 +4056,14 @@
 			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with mshta.exe,Risk=100" condition="image">mshta.exe</Image>
 			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with python.exe,Risk=30" condition="image">python.exe</Image>
 			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with wmic.exe,Risk=30" condition="image">wmic.exe</Image>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
+				<TargetFilename condition="contains any">C:\Users\Default\;C:\Users\Public\</TargetFilename>
+				<TargetFilename condition="end with">.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
+				<TargetFilename condition="contains any">C:\Users\Default\;C:\Users\Public\</TargetFilename>
+				<TargetFilename condition="end with">.exe</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
 			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
@@ -6354,6 +6372,9 @@
 			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Tools that tamper with Sysmon,Author=Florian Roth" groupRelation="and">
 				<TargetFilename condition="contains any">\EntenLoader.exe;\SysmonQuiet.exe;\SharpEvtMute.exe;\EvtMuteHook.dll</TargetFilename>
 			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=Block Binaries dropped to Perflogs" groupRelation="and">
+				<TargetFilename condition="begin with">C:\PerfLogs\</TargetFilename>
+			</Rule>
 		</FileBlockExecutable>
 	</RuleGroup>
 	<RuleGroup name="RG=FileBlockExecutable Exclude Group" groupRelation="or">

From 9baf0367595c3629a7e19515d54c46e16498c1cf Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 30 Sep 2022 12:10:24 -0400
Subject: [PATCH 389/471] Per @VadimKutia ESET noise reduction Exclusions added
 - ty!

---
 sysmonconfig-export.xml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index fca00b24..9179c70f 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -2889,6 +2889,8 @@
 			<Rule name="Antivirus Exclusions" groupRelation="or">
 				<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab</Image> 
 				<Image condition="begin with">C:\Program Files\Kaspersky Lab</Image>
+				<Image condition="begin with">C:\Program Files (x86)\ESET</Image>
+				<Image condition="begin with">C:\Program Files\ESET</Image>
 			</Rule>
 		</NetworkConnect>
 	</RuleGroup>
@@ -3568,6 +3570,8 @@
 			<Rule name="Antivirus Exclusions" groupRelation="or"> 
 				<SourceImage condition="begin with">C:\Program Files (x86)\Kaspersky Lab</SourceImage> 
 				<SourceImage condition="begin with">C:\Program Files\Kaspersky Lab</SourceImage>
+				<SourceImage condition="begin with">C:\Program Files (x86)\ESET</SourceImage>
+				<SourceImage condition="begin with">C:\Program Files\ESET</SourceImage>
 			</Rule>
 		</ProcessAccess>
 	</RuleGroup>
@@ -5583,6 +5587,8 @@
 			<Rule name="Antivirus" groupRelation="or">
 				<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab</Image> 
 				<Image condition="begin with">C:\Program Files\Kaspersky Lab</Image>
+				<Image condition="begin with">C:\Program Files (x86)\ESET</Image>
+				<Image condition="begin with">C:\Program Files\ESET</Image>
 			</Rule>
 		</RegistryEvent>
 	</RuleGroup>

From 2184f799d6fe1d5640b4fb7b769f8204e80363c0 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 30 Sep 2022 12:25:36 -0400
Subject: [PATCH 390/471] Fix is any->contains any

---
 sysmonconfig-export.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 9179c70f..bd88e34c 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -298,9 +298,9 @@
 			</Rule>
 			-->
 			<Rule name="Attack=None,Technique=None,Tactic=None,UEBA=Unusual Child Process,Risk=30" groupRelation="and">
-				<Image condition="is any">svchost.exe;taskhostw.exe;userinit.exe;smss.exe;csrss.exe;wininit.exe;winlogon.exe;lsass.exe;logonui.exe;services.exe</Image>
+				<Image condition="contains any">\svchost.exe;\taskhostw.exe;\userinit.exe;\smss.exe;\csrss.exe;\wininit.exe;\winlogon.exe;\lsass.exe;\logonui.exe;\services.exe</Image>
 				<Image condition="contains any">C:\windows\System32\;C:\windows\syswow64\</Image>
-				<ParentImage condition="excludes any">wininit.exe;winlogon.exe;services.exe;dwm.exe;System;smss.exe;svchost.exe</ParentImage>
+				<ParentImage condition="excludes any">\wininit.exe;\winlogon.exe;\services.exe;\dwm.exe;System;\smss.exe;\svchost.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,UEBA=Unusual Print Spooler Child Process,Risk=30" groupRelation="and">
 				<ParentImage condition="contains any">\spoolsv.exe;\PrintIsolationHost.exe</ParentImage>

From 98f9b5e567ba3ccdd8db4136c71c91eddc86b1f8 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Mon, 3 Oct 2022 11:57:20 -0400
Subject: [PATCH 391/471] Comment Cleanup, use name= tags and Author=key
 value's for attribution and notes.

---
 sysmonconfig-export.xml | 350 +++++++++++++++++++++-------------------
 1 file changed, 185 insertions(+), 165 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index bd88e34c..119828f7 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -76,7 +76,7 @@
 				 Add exclusions in line enclosed within a Compound rule rather than a global exclusion list.
 -->
 <Sysmon schemaversion="4.82">
-	<HashAlgorithms>md5,sha256,imphash</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
+	<HashAlgorithms>md5,sha256,imphash</HashAlgorithms>
 	<CheckRevocation/>
 	<EventFiltering>
 	<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
@@ -495,7 +495,7 @@
 			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSEXESVC Child Process,Risk=100" condition="image">psexesvc.exe</ParentImage>
 			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec Execution,Risk=100" groupRelation="or">
 				<Description condition="contains">Execute processes remotely</Description>
-				<Image condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
+				<Image condition="contains">psexe</Image>
 				<Description condition="contains">PsExec Service</Description> 
 				<Description condition="contains">PsExec Launched</Description> 
 			</Rule>
@@ -508,7 +508,7 @@
 			</Rule>
 			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec Child Process,Risk=100" condition="image">psexec.exe</ParentImage>
 			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=2,Alert=PSKill Execution,Risk=100" condition="image">pskill.exe</ParentImage>
-			<Image name="Attack=T1035,Technique=Service Execution,Tactic=Execution,Level=2,Alert=PsKill Command" condition="contains">pskill</Image><!--Detect pskill-->
+			<Image name="Attack=T1035,Technique=Service Execution,Tactic=Execution,Level=2,Alert=PsKill Command" condition="contains">pskill</Image>
 			<Rule name="Attack=T1569.002,Technique=System Services,Tactic=Execution,Level=3,Alert=Suspicious Network Service Child Processes,Risk=75" groupRelation="and">
 				<ParentCommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k NetworkService -p</ParentCommandLine>
 			</Rule>
@@ -541,7 +541,6 @@
 			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Ramnit Banker Malware,Risk=100" condition="contains">--disable-http2 --disable-quic</CommandLine>
 			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=DNSpionage Link click,Risk=100" condition="contains">/Client/Login?id=</CommandLine>
 			<ParentCommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=4,Alert=Emotet Child Process Detected" condition="contains">JABzA</ParentCommandLine>
-			<!--Suspicious/Malicious Hash Detection-->
 			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Malicious Hash Detected" groupRelation="or">
 				<Hashes condition="contains any">2f40abbb4f78e77745f0e657a19903fc953cc664;478dc5a5f934c62a9246f7d1fc275868f568bc07;37b4496e650b3994312c838435013560b3ca8571;37b4496e650b3994312c838435013560b3ca8571;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;807d86da63f0db1fc746d1f0b05bc357;849a2b0dc80aeca3d175c139efe5221c;86A4CAC227078B9C95C560C8F0370BF0;98908ce6f80ecc48628c8d2bf5b2a50c;a4b42c2c95d1f2ff12171a01c86cd64f;4abe604916c04fe3dd8b9cb3d501d3f;eac3e3ece94bc84e922ec077efb15edd;128CECC59C91C0D0574BC1075FE7CB40;88777aacd5f16599547926a4c9202862;0f49621b06f2cdaac8850c6e9581a594;17a36ac3e31f3a18936552aff2c80249;322cb39bc049aa69136925137906d855;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;3d129263f6a48647f103a04446fb0c2f;37cd353621b0f4fc6981b50071c94f01;1b60021baedc3f9201bcdb40e9b87f62;71345b139166482acaa568ac8816c7bc;5E022694C0DBD1FBBC263D608E577949;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc5733c013378fa418d13773f5bfe6f1;c579341f86f7e962719c7113943bb6e4;d326e629a90e78825645963b35e53a6a;5E022694C0DBD1FBBC263D608E577949;53841a0c6a3ff92976db08bfdf95e083;dc7e564809d6c2a2f3457c3c9b91f22b;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b;FE2CA1BE3BDA2A757036A89E54CC02DB;FE2CA1BE3BDA2A757036A89E54CC02DB</Hashes>
 			</Rule>
@@ -672,7 +671,7 @@
 				<ParentUser condition="contains any">NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</ParentUser>
 				<User condition="contains any">NT AUTHORITY\SYSTEM;СИСТЕМА;NT-AUTORITÄT\SYSTEM;AUTORITE NT\SYSTEM</User>
 			</Rule>
-			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Possible Token manipulation" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine> <!-- can be useful for tokens manip detection -->
+			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Possible Token manipulation" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine>
 			<Image name="Attack=T1134,Technique=Access Token Manipulation,Tactic=NA,Level=2,Alert=Token Manipulation with runas.exe,Risk=70" condition="image">runas.exe</Image> 
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
@@ -928,12 +927,15 @@
 			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Command Line Obfuscation,Risk=75" condition="contains">^</CommandLine>
 			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=0,Desc=Type CON Command Line Redirection" condition="contains">TYPE CON ></CommandLine>
 			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=0,Desc=Copy CON Command Line Redirection" condition="contains">copy CON ></CommandLine>
-			<CommandLine name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Common Obfuscated Commands,Risk=100" condition="contains any">FromBase64String;action=create keyvalue=;VerbosePreference.ToString;SecureString;CSharpCodeProvider;runtime.interopservices.marshal;system.globalization.numberstyles;system.reflection.assembly;hextobin;VerbosePreference.ToString;system.text.encoding;io.filestream;io.filestream;io.seekorigin;text.encoding;unicode.getstring;FromBase64;[Convert]::;System.IO.File]::ReadAllText;|iex</CommandLine>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Common Obfuscated Commands,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">FromBase64String;action=create keyvalue=;VerbosePreference.ToString;SecureString;CSharpCodeProvider;runtime.interopservices.marshal;system.globalization.numberstyles;system.reflection.assembly;hextobin;VerbosePreference.ToString;system.text.encoding;io.filestream;io.filestream;io.seekorigin;text.encoding;unicode.getstring;FromBase64;[Convert]::;System.IO.File]::ReadAllText;|iex</CommandLine>
+				<CommandLine condition="excludes all">ngen.exe;install</CommandLine>
+			</Rule>
+
 			<Rule name="Attack=T1105,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=CertUtil Decode,Risk=80" groupRelation="and">
 				<OriginalFileName condition="contains">certutil</OriginalFileName>
 				<CommandLine condition="contains any">decode;encode</CommandLine>
 			</Rule>
-			<!--FIX MITRE Mapping-->
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Ping in Hexadecimal,Risk=60" groupRelation="and">
 				<Image name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Ping in Hexadecimal" condition="image">ping.exe</Image>
 				<CommandLine condition="contains">0x</CommandLine>
@@ -1493,7 +1495,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
 			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg query</CommandLine>
 			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg.exe query</CommandLine>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Driver Querying" condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
+			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Driver Querying" condition="image">driverquery.exe</Image>
 
 			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
 			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,Level=2,Alert=Traceroute Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">tracert.exe</Image>
@@ -1713,11 +1715,11 @@
 				<Image condition="image">mshta.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Secure Shell Execution,Risk=80" groupRelation="and">
-				<Image condition="contains any">ssh.exe;putty.exe;kitty.exe;kitty_portable.exe</Image><!-- SSH -->
+				<Image condition="contains any">ssh.exe;putty.exe;kitty.exe;kitty_portable.exe</Image>
 			</Rule>
 			<Product name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Putty utility detected,Risk=60">PuTTY suite</Product>
 			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Secure Shell FTP Execution,Risk=80" groupRelation="and">
-				<Image condition="contains any">sftp;psftp</Image><!-- SSH -->
+				<Image condition="contains any">sftp;psftp</Image>
 			</Rule>
 			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Possible SMBExec via Metasploit,Risk=100" groupRelation="and">
 				<CommandLine condition="is">rundll32.exe</CommandLine>
@@ -1745,15 +1747,15 @@
 			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=4,Alert=CrackmapExec - Malicious Command Line events,Tactic=Privilege Escalation" condition="contains all">--execm;atexec</CommandLine>
 			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Background Intelligent Transfer Control Class 1.0" condition="contains">{4991d34b-80a1-4291-83b6-3328366b9097}</CommandLine>
 			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Excel.Application" condition="contains">{00020812-0000-0000-C000-000000000046}</CommandLine> 	  
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: HTML Application" condition="contains">{40AEEAB6-8FDA-41e3-9A5F-8350D4CFCA91}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: MMC20.APPLICATION" condition="contains">{7e0423cd-1119-0928-900c-e6d4a52a0715}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Outlook.Application" condition="contains">{0006F04A-0000-0000-C000-000000000046}</CommandLine> <!-- -->
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: HTML Application" condition="contains">{40AEEAB6-8FDA-41e3-9A5F-8350D4CFCA91}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: MMC20.APPLICATION" condition="contains">{7e0423cd-1119-0928-900c-e6d4a52a0715}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Outlook.Application" condition="contains">{0006F04A-0000-0000-C000-000000000046}</CommandLine>
 			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Powerpoint.Application" condition="contains">{048EB43E-2059-422F-95E0-557DA96038AF}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Shell.Application" condition="contains">{13709620-C279-11CE-A49E-444553540000}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: ShellBrowserWindow" condition="contains">{c08afd90-f2a1-11d1-8455-00a0c91f3880}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: ShellWindows" condition="contains">9BA05972-F6A8-11CF-A442-00A0C90A8F39</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Visio.Application" condition="contains">{00021A20-0000-0000-C000-000000000046}</CommandLine> <!-- -->
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: WScript.Shell" condition="contains">{72C24DD5-D70A-438B-8A42-98424B88AFB8}</CommandLine> <!-- -->
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Shell.Application" condition="contains">{13709620-C279-11CE-A49E-444553540000}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: ShellBrowserWindow" condition="contains">{c08afd90-f2a1-11d1-8455-00a0c91f3880}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: ShellWindows" condition="contains">9BA05972-F6A8-11CF-A442-00A0C90A8F39</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Visio.Application" condition="contains">{00021A20-0000-0000-C000-000000000046}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: WScript.Shell" condition="contains">{72C24DD5-D70A-438B-8A42-98424B88AFB8}</CommandLine>
 			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Word.Application" condition="contains">{00020906-0000-0000-C000-000000000046}</CommandLine>
 			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Execution - Suspicious Cmdline - JScript Engine CLSID">{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}</CommandLine>
 			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Execution - Unusual Scripting Engine in use - chakra.dll">{1b7cd997-e5ff-4932-a7a6-2a9e636da385}</CommandLine>
@@ -1838,7 +1840,7 @@
 				<CommandLine condition="excludes all">util;setieproxy;localsystem;AUTODETECT</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=BitsAdmin File Transfers 2,Risk=70" groupRelation="and">
-				<Description condition="contains">BITS administration utility</Description><!-- to detect renamed ones -->
+				<Description condition="contains">BITS administration utility</Description>
 				<CommandLine condition="contains any">CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Tactic=Command And Control,Technique=Ingress Tool Transfer,Level=4,Alert=Linux Ingress transfer tools on Windows,Risk=30" groupRelation="and">
@@ -1877,7 +1879,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
 			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
 			<CommandLine name="Attack=T1090,Technique=Connection Proxy,Tactic=Command and Control,Level=4,Alert=NetSH PortProxy,Risk=70" condition="contains">portproxy</CommandLine>
-			<Image name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Command and Control,Level=4,Alert=Tor Detected,Risk=100" condition="image">tor.exe</Image><!-- Tor-->
+			<Image name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Command and Control,Level=4,Alert=Tor Detected,Risk=100" condition="image">tor.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
 			<Image name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Unattended Session" condition="image">TeamViewer_Desktop.exe</Image>
 			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=4,Alert=PSExec Command,Risk=100" groupRelation="and">
@@ -1990,8 +1992,8 @@
 			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">delete catalog</CommandLine>
 			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">wbadmin delete catalog</CommandLine>
 			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Desc=Data Destruction with erase Detected,Risk=100" condition="contains">erase</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=vShadow Commands! https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/" condition="contains">-nw -exec=</CommandLine><!-- vshadow -->
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=vShadow Commands! https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/" condition="contains">-p -nw</CommandLine><!-- vshadow -->
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=2,Alert=vShadow Commands" condition="contains">-nw -exec=</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Alert=vShadow Commands" condition="contains">-p -nw</CommandLine>
 			<Image name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with shred Detected,Risk=100" condition="contains">shred</Image>
 			<ParentImage name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Diskshadow Execution,Risk=70" condition="contains">diskshadow</ParentImage>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Command Line File Deletion,Risk=100" groupRelation="or">
@@ -2019,14 +2021,12 @@
 			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
-			<!--Malicious Keywords Credits: Sean Metcalf (source), Florian Roth (rule)-->
-			<CommandLine name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,Level=4,Alert=Malicious Keywords from Exploitation Frameworks" condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,Level=4,Alert=Malicious Keywords from Exploitation Frameworks,Author=Florian Roth" condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
 			<!--Crypto Currency Miner Detections-->
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
 				<CommandLine condition="contains any">ahashpool;blazepool;blockmasters;blockmasterscoins;ccminer;cgminer;coinhive;hashrefinery;minergate;miningpoolhubcoins;nicehash;poolname;poolpassword;poolurl;rainbowminer;sgminer;stratum+tcp;xmrMiner;xmrig;yiimp;zergpool;zergpoolcoins;zpool</CommandLine>
 				<Description condition="contains any">CPU miner;GPU miner;Lime Miner;XMRig CPU miner; miner</Description>
 			</Rule>
-			<!--Malware Hashes-->
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst hashes,Risk=100" groupRelation="and">
 				<Hashes condition="contains any">b91ce2fa41029f6955bff20079468448;02af7cec58b9a5da1c542b5a32151ba1;2c4a910a1299cdae2a4e55988a2f102e;846e27a652a5e1bfbd0ddd38a16dc865;4f2eb62fa529c0283b28d05ddd311fae;56ceb6d0011d87b6e4d7023d7ef85676</Hashes>
 			</Rule>
@@ -2102,7 +2102,7 @@
 			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Adobe Reader" condition="image">acrord32.exe</ParentImage>
 			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Spawned from JAVA" condition="image">java.exe</ParentImage>
 			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Spawned from JAVA" condition="image">javaw.exe</ParentImage>
-			<!--Detect Output Redirection-->
+			<!--Detection of Output Redirection-->
 			<!-- Disabled for now: Reason: Overrides other detections, waiting on Sysmon multiple rule firing
 			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Output Redirection" condition="contains">2></CommandLine>
 			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Output Redirection" condition="contains">&gt;</CommandLine>
@@ -2117,7 +2117,7 @@
 			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
 			<Rule  name="Attack=None,Technique=None,Tactic=None,Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
 				<CommandLine condition="contains">\pipe\</CommandLine>
-				<CommandLine condition="excludes">&gt;</CommandLine> <!--Excludes piping to pipe for cobalt strike detection-->
+				<CommandLine condition="excludes">&gt;</CommandLine>
 			</Rule>
 			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
 			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
@@ -2293,7 +2293,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Temp file location network connection,Risk=30" groupRelation="and">
-				<Image condition="contains">\temp\</Image> <!--Network Connection in Temp Directories-->
+				<Image condition="contains">\temp\</Image>
 				<DestinationIp condition="excludes any">127.0.0.1</DestinationIp>		
 			</Rule>
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from wwwroot folder: Possible webshell,Risk=100" groupRelation="and">
@@ -2492,13 +2492,13 @@
 				<DestinationIp condition="begin with">fe80:0</DestinationIp>
 			</Rule>
 			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=SSH Connection with Putty,Risk=80" groupRelation="and">
-				<Image condition="contains any">putty.exe;kitty.exe;kitty_portable.exe</Image><!-- SSH -->
+				<Image condition="contains any">putty.exe;kitty.exe;kitty_portable.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Windows Remote Management connection,Risk=0" groupRelation="and">
 				<Image condition="image">wsmprovhost.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=PSFTP Connection,Risk=70" groupRelation="and">
-				<Image condition="image">psftp.exe</Image><!-- SFTP -->
+				<Image condition="image">psftp.exe</Image>
 			</Rule>
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote Registry via command line,Risk=30" condition="image">reg.exe</Image>
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote Registry via command line,Risk=80" condition="contains">psshutdown</Image>
@@ -2589,7 +2589,6 @@
 			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
 			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
-			<!-- DNS Over HTTPS-->
 			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=DNS Over HTTPS" condition="contains any">dns.google;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;doh.opendns.com;.quad9.net;dns.cleanbrowsing.org;dns-family.adguard.com;dns.adguard.com;.233py.com;dnscrypt;dnscrypt-cert.oszx.co;dns.oszx.co;doh.dns.sb;doh.defaultroutes.de;doh.tiarap.org;doh.tiar.app;doh.captnemo.in;.aaflalo.me;doh.appliedprivacy.net;doh.dnswarden.com;commons.host;dns.twnic.tw;ibuki.cgnat.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;.seby.io;rdns.faelix.net;doh.li;.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk;adblock.mydns.network;ibksturm.synology.me;jcdns.fun</DestinationHostname>
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
@@ -2753,7 +2752,6 @@
 	<RuleGroup name="RG=NetworkConnect Exclude Group" groupRelation="or">
 		<NetworkConnect onmatch="exclude">
 			<Protocol condition="contains">udp</Protocol>
-			<!--Exclude Inter-process coms over localhost, may be dangerous at expense for noise reduction -->
 			<Rule name="exclude interprocess communications with localhost" groupRelation="and">
 				<Image condition="contains any">System;svchost.exe;oracle.exe;apache.exe;java.exe;php-cgi.exe;w3wp.exe;httpd;ServerManager.exe;unknown process;sql;wscript;cscript;schtasks;at.exe;reg.exe;C:\Windows\System32\find.exe</Image>
 				<SourceIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</SourceIp>
@@ -2778,33 +2776,33 @@
 			<SourcePortName condition="is">ntp</SourcePortName>
 			<SourcePortName condition="is">ssdp</SourcePortName>
 			<!--Disable Monitoring on Ports-->
-			<DestinationPort condition="is">53</DestinationPort>   <!--DNS Lookups-->
-			<DestinationPort condition="is">67</DestinationPort>  <!--Bootp Lookups-->
-			<DestinationPort condition="is">68</DestinationPort>  <!--Bootp Lookups-->
-			<DestinationPort condition="is">1434</DestinationPort>  <!--SQL spam.-->
-			<DestinationPort condition="is">1812</DestinationPort> <!--Radius-->
-			<DestinationPort condition="is">3544</DestinationPort> <!--Teredo-->
-			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
-			<DestinationPort condition="is">5228</DestinationPort> <!--Google Chrome Safe Search checks-->
-			<DestinationPort condition="is">5353</DestinationPort> <!--Bonjour/Avahi Discovery-->
-			<DestinationPort condition="is">5357</DestinationPort> <!--WSD API noise-->
-			<DestinationPort condition="is">5989</DestinationPort>  <!--Vcenter Secure server for CIM.-->
-			<DestinationPort condition="is">6007</DestinationPort>  <!--Exchange WMI Spam-->
-			<DestinationPort condition="is">49154</DestinationPort>  <!--DFRS/ADFS Replication spam-->
-			<DestinationPort condition="is">49209</DestinationPort>  <!--DFRS/ADFS Replication spam-->
-			<DestinationPort condition="is">52176</DestinationPort>  <!--DFRS/ADFS Replication spam-->
-			<DestinationPort condition="is">59241</DestinationPort>  <!--DFRS/ADFS Replication spam-->
-			<SourcePort condition="is">53</SourcePort>  <!--DNS Lookups-->
-			<SourcePort condition="is">67</SourcePort>  <!--Bootp Lookups-->
-			<SourcePort condition="is">68</SourcePort>  <!--Bootp Lookups-->
-			<SourcePort condition="is">1812</SourcePort> <!--Radius-->
-			<SourcePort condition="is">3702</SourcePort> <!--Windows: WS-Discovery noise-->
-			<SourcePort condition="is">6007</SourcePort>  <!--Exchange WMI Spam-->
-			<SourcePort condition="is">49154</SourcePort>  <!--DFRS/ADFS Replication spam-->
-			<SourcePort condition="is">49209</SourcePort>  <!--DFRS/ADFS Replication spam-->
-			<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
-			<SourcePort condition="is">52176</SourcePort>  <!--DFRS/ADFS Replication spam-->
-			<SourcePort condition="is">59241</SourcePort>  <!--DFRS/ADFS Replication spam-->
+			<DestinationPort name="Service=DNS" condition="is">53</DestinationPort>
+			<DestinationPort name="Service=DNS" condition="is">67</DestinationPort>
+			<DestinationPort name="Service=Bootp" condition="is">68</DestinationPort>
+			<DestinationPort name="Service=SQL Noise" condition="is">1434</DestinationPort>
+			<DestinationPort name="Service=Radius" condition="is">1812</DestinationPort>
+			<DestinationPort name="Service=Teredo" condition="is">3544</DestinationPort>
+			<DestinationPort name="Service=WS-Discovery" condition="is">3702</DestinationPort>
+			<DestinationPort name="Service=Google Chrome Safe Search" condition="is">5228</DestinationPort>
+			<DestinationPort name="Service=Bonjour/Avahi" condition="is">5353</DestinationPort>
+			<DestinationPort name="Service=WSD API" condition="is">5357</DestinationPort>
+			<DestinationPort name="Service=Vcenter Secure server for CIM" condition="is">5989</DestinationPort>
+			<DestinationPort name="Service=Exchange WMI" condition="is">6007</DestinationPort>
+			<DestinationPort name="Service=DFRS/ADFS Replication 1" condition="is">49154</DestinationPort>
+			<DestinationPort name="Service=DFRS/ADFS Replication 2" condition="is">49209</DestinationPort>
+			<DestinationPort name="Service=DFRS/ADFS Replication 3" condition="is">52176</DestinationPort>
+			<DestinationPort name="Service=DFRS/ADFS Replication 4" condition="is">59241</DestinationPort>
+			<SourcePort name="Service=DNS" condition="is">53</SourcePort>
+			<SourcePort name="Service=Bootp" condition="is">67</SourcePort>
+			<SourcePort name="Service=Bootp" condition="is">68</SourcePort>
+			<SourcePort name="Service=Radius" condition="is">1812</SourcePort>
+			<SourcePort name="Service=WS-Discovery" condition="is">3702</SourcePort>
+			<SourcePort name="Service=Exchange WMI" condition="is">6007</SourcePort>
+			<SourcePort name="Service=DFRS/ADFS Replication" condition="is">49154</SourcePort>
+			<SourcePort name="Service=DFRS/ADFS Replication" condition="is">49209</SourcePort>
+			<SourcePort name="Service=DFRS/ADFS Replication" condition="is">50646</SourcePort>
+			<SourcePort name="Service=DFRS/ADFS Replication" condition="is">52176</SourcePort>
+			<SourcePort name="Service=DFRS/ADFS Replication" condition="is">59241</SourcePort>
 			<!--SECTION: Microsoft -->
 			<DestinationHostname condition="end with">.bing.com</DestinationHostname>
 			<DestinationHostname condition="end with">.cloudapp.net</DestinationHostname>
@@ -3029,7 +3027,7 @@
 			</Rule>
 			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=Windows Active Directory Services DLL Loading by Suspicious Process,Risk=100" groupRelation="and">
 				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
-				<Image condition="contains any">wscript.exe;cscript.exe;powershell.exe;rundll32.exe;msbuild.exe;msiexec.exe;csc.exe</Image>
+				<Image condition="contains any">\wscript.exe;\cscript.exe;\powershell.exe;\powershell_ise.exe;\rundll32.exe;\msbuild.exe;\csc.exe</Image>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=VBE6 Macro Image Loads with wshom,Risk=40" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
@@ -3533,7 +3531,9 @@
 				<CallTrace condition="end with">)</CallTrace>
 				<GrantedAccess condition="contains any">0x1028;0x1fffff</GrantedAccess>
 				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git;\Intel\Driver and Support Assistant\DSAService.exe</SourceImage>
+				<SourceImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\NGenTask.exe</SourceImage>
 				<TargetImage condition="excludes any">\Intel\Driver and Support Assistant\</TargetImage>
+				<TargetImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\ngen.exe</TargetImage>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
 				<SourceImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</SourceImage>
@@ -3782,7 +3782,7 @@
 			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence" condition="end with">.XLSB</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Scheduled Task Modified" condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Scheduled Task Modified" condition="begin with">C:\Windows\Tasks\</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
 			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=3,Alert=Exchange 0day from September 2022 overwriting legit file,Risk=80" groupRelation="and">
 				<TargetFilename condition="end with">RedirSuiteServiceProxy.aspx</TargetFilename>
@@ -4620,7 +4620,7 @@
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<TargetObject name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Alert=Process Injection: injecting a 64-bit DLL into a 32-bit process" condition="contains">SOFTWARE\Microsoft\Wow64\x86\</TargetObject> <!-- http://www.hexacorn.com/blog/2019/07/11/beyond-good-ol-run-key-part-108-2/ -->
+			<TargetObject name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Alert=Process Injection: injecting a 64-bit DLL into a 32-bit process" condition="contains">SOFTWARE\Microsoft\Wow64\x86\</TargetObject>
 			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Reg Keys,Risk=70" groupRelation="and">
 				<EventType condition="is">SetValue</EventType>
 				<TargetObject condition="contains">\CurrentVersion\Run\</TargetObject>
@@ -4822,9 +4822,13 @@
 				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit</TargetObject>
 				<EventType condition="is">CreateKey</EventType>
 			</Rule>
-			<Rule name="Attack=T1546,Technique=Event Triggered Execution,Tactic=Persistence,Level=3,Alert=Monitor Runtime Exeption Handler execution on crash,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1546,Technique=Event Triggered Execution,Tactic=Persistence,Level=3,Alert=Monitor Runtime Exception Handler execution on crash,Risk=100" groupRelation="and">
 				<TargetObject condition="contains">\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules\</TargetObject>
 				<Image condition="excludes all">C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{;}\EDGEMITMP_;.tmp\setup.exe</Image>
+				<Image condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image>
+				<Image condition="excludes">C:\Program Files\Microsoft Office\root\integration\integrator.exe</Image>
+				<Image condition="excludes all">C:\Program Files\Google\Chrome Beta\Application\;\Installer\setup.exe</Image>
+				<Image condition="excludes all">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\;\OfficeClickToRun.exe</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
 			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
@@ -4833,7 +4837,16 @@
 			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,Level=3,Alert=New Scheduled Task Created,Risk=80" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
 				<TargetObject condition="end with">SD</TargetObject>
-				<TargetObject condition="excludes any">Microsoft\Windows\UpdateOrchestrator</TargetObject>
+				<TargetObject condition="is not">Microsoft\Windows\UpdateOrchestrator</TargetObject>
+				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\SD</TargetObject>
+				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OneDrive Per-Machine Standalone Update Task\SD</TargetObject>
+				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Feature Updates\SD</TargetObject>
+				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Feature Updates Logon\SD</TargetObject>
+				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Performance Monitor\SD</TargetObject>
+				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\SnapshotCleanupTask\SD</TargetObject>
+				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office ClickToRun Service Monitor\SD</TargetObject>
+				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Automatic Updates 2.0\SD</TargetObject>
+				<TargetObject condition="excludes">Microsoft\Windows\UpdateOrchestrator</TargetObject>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Scheduled Task Creation ID Key" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
@@ -4906,7 +4919,7 @@
 				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
 				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
 				<Image condition="excludes">C:\Programdata\sysmon\sysmon64.exe</Image>
-				<!--Customize: Add your configuration dir above-->
+				<!--Customize: Add your configuration directory above-->
 			</Rule>
 			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Modification to System Exploit Protection,Risk=30" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel</TargetObject>
@@ -4963,8 +4976,7 @@
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word Security Changes" condition="contains">\Word\Security</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel Security Changes" condition="contains">\Excel\Security</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected Unauthorized changes to Office Security" condition="contains">\Security\Level1Remove</TargetObject>
-			<!--Detect if Microsoft Security Center is Disabled or Enabled-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Microsoft:Windows:Security Center: Malware timestimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/" condition="end with">\HideSCAHealth</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Microsoft:Windows:Security Center: HideSCAHealth" condition="end with">\HideSCAHealth</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center AV Disabled Notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center Disable UAC Notify Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
@@ -4972,7 +4984,6 @@
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center Disablement of Update notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center Firewall Override Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center Tampering: All Alerts Disabled" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
-			<!--Detect if Windows Defender is Disabled-->
 			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPSessionInterval</TargetObject>
 			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SystemRestorePointCreationFrequency</TargetObject>
 			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Detected disablement of machine password,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject>
@@ -5110,7 +5121,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
 			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
 			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
-			<TargetObject name="Attack=T1109,Technique=Component Firmware,Tactic=Defense Escalation/Persistence,Level=0,Desc=Detect ACPI Rootkits" condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject> <!--Detect ACPI Rootkits -->
+			<TargetObject name="Attack=T1109,Technique=Component Firmware,Tactic=Defense Escalation/Persistence,Level=0,Desc=Detect ACPI Rootkits" condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
@@ -5359,26 +5370,26 @@
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Winlogon Taskman Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
 			<!--CLSID launch commands and file association changes-->
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Extension Mapping" condition="contains">\Explorer\FileExts\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Command Shell install Key" condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=User SID History for Forensics" condition="end with">\ProfileImagePath</TargetObject><!--Lets Get SID History and other info for Forensics, this is created on logon-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Command Shell install Key" condition="contains">\shell\install\command\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=User SID History for Forensics" condition="end with">\ProfileImagePath</TargetObject>
 			<!--Windows shell hijack-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AllFileSystemObjects Classes" condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Asterisk Classes" condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AllFileSystemObjects Classes" condition="contains">\Classes\AllFilesystemObjects\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Asterisk Classes" condition="contains">\Classes\*\</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CFT LangBarAddin" condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=ContextMenuHandlers" condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CurrentVersion Shell Keys" condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect ShellExecuteHooks" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Directory Classes" condition="contains">\Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Drive Classes" condition="contains">\Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Explorer Shell Execute Hooks" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Folder Classes" condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=ContextMenuHandlers" condition="contains">\ContextMenuHandlers\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CurrentVersion Shell Keys" condition="contains">\CurrentVersion\Shell</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect ShellExecuteHooks" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Directory Classes" condition="contains">\Classes\Directory\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Drive Classes" condition="contains">\Classes\Drive\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Explorer Shell Execute Hooks" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Folder Classes" condition="contains">\Classes\Folder\</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Hidden File Extensions Explorer Setting modification" condition="end with">\HideFileExt</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Internet Explorer Desktop Components" condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Protocol Filter Classes" condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Protocol Handler Classes" condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SharedTaskScheduler" condition="contains">\SharedTaskScheduler</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Super Hidden File Explorer Setting modification" condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Super Hidden File Explorer Setting modification" condition="end with">\ShowSuperHidden</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Hijack: ColumnHandlers" condition="contains">\ColumnHandlers</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Hijack: CopyHookHandlers" condition="contains">\CopyHookHandlers</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Hijack: ExtShellFolderView" condition="contains">\ExtShellFolderViews</TargetObject>
@@ -5386,60 +5397,59 @@
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Hijack: ShellServiceObjectDelayLoad" condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Hijack: ShellServiceObjects" condition="contains">\ShellServiceObjects</TargetObject>
 			<!--AppPaths hijacking-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect AppPaths Hijacking" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect AppPaths Hijacking" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect AppPaths Hijacking" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject>
 			<!--Terminal service boobytraps-->
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Terminal Services BoobyTraps" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
 			<!--Group Policy interity-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Group Policy interity Detection" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Group Policy interity Detection" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject>
 			<!--Winsock and Winsock2-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect IE Popup Blocker Changes" condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect IE Protected Mode Changes" condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect IE Scripting Mode in Internet Zone Changes" condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect IE Popup Blocker Changes" condition="end with">\3\1809</TargetObject> 
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect IE Protected Mode Changes" condition="end with">\3\2500</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect IE Scripting Mode in Internet Zone Changes" condition="end with">\3\1206</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect IE Security Setting Check Warning Changes" condition="end with">\DisableSecuritySettingsCheck</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Winsock Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Winsock Proxy Server Changes" condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected IE Legacy setting modifications" condition="end with">SavedLegacySettings</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected IE Proxy setting modifications" condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected Modifications of Console Tracing" condition="end with">EnableConsoleTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected Modifications of File Tracing" condition="end with">EnableFileTracing</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride: Threats sometimes change proxy server -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Winsock Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Winsock Proxy Server Changes" condition="end with">\ProxyServer</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected IE Legacy setting modifications" condition="end with">SavedLegacySettings</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected IE Proxy setting modifications" condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected Modifications of Console Tracing" condition="end with">EnableConsoleTracing</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected Modifications of File Tracing" condition="end with">EnableFileTracing</TargetObject>
 			<!--Credential providers-->
 			<TargetObject name="Attack=T1177,Tactic=Execution/Persistence,Technique=LSASS Driver,Level=3,Alert=Detection of Modification of LSASS Protection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Authentication PLAP Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Authentication Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Authentication Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Credential provider Filter Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect LSA Credential Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect NETSH Helper DLL Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Security Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect NETSH Helper DLL Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Security Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject>
 			<!--Networking-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor Network Interface Priority ordering" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Monitor Network History" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor Network Interface Priority ordering" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Monitor Network History" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
 			<!--DLLs that get injected into every process launch-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
 			<!--Office-->
 			<!--Microsoft Office-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Test Autorun Location Monitoring,Risk=40" condition="contains">Office Test\</TargetObject> <!-- [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
-			<!--Removed addins on 11/13/2018 due to high count-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Test Autorun Location Monitoring,Risk=40,Author=Hexacorn" condition="contains">Office Test\</TargetObject>
 			<!--IE-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Changes to Internet Explorer Toolbars" condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Changes to Internet Explorer Extensions" condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Changes to Internet Explorer Toolbars" condition="contains">\Internet Explorer\Toolbar\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Changes to Internet Explorer Extensions" condition="contains">\Internet Explorer\Extensions\</TargetObject>
 			<!--Magic registry keys-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Browser Helper Object Modifications" condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Changes to Thumbnail cache autostart" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Browser Helper Object Modifications" condition="contains">\Browser Helper Objects\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Changes to Thumbnail cache autostart" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject>
 			<!--Infection artifacts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=ClickOnce URL Update Artifact" condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Installer Source Artifact" condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and component installations-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=ClickOnce URL Update Artifact" condition="end with">\UrlUpdateInfo</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Installer Source Artifact" condition="end with">\InstallSource</TargetObject>
 			<!--Windows internals integrity monitoring-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Legacy Drivers Loaded" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect System Policy Changes" condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Windows Defender Policy Changes" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Windows Defender Tamper Protection Modifications" condition="begin with">TamperProtection</TargetObject> <!--Microsoft:Defender: Detect changes to Defender TamperProtection -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect malware changes to UAC prompt level" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Legacy Drivers Loaded" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect System Policy Changes" condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Windows Defender Policy Changes" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Windows Defender Tamper Protection Modifications" condition="begin with">TamperProtection</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect malware changes to UAC prompt level" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject>
 			<!--Group Policy Scripts-->
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
@@ -5450,18 +5460,18 @@
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
 			<!--Detect Network History-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect AD Domain Change" condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP Default Gateway" condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP IP Address" condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP Name Server Changes" condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP Server Change" condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP Subnet mask Change" condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DNS Server Changes" condition="end with">Nameserver</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Default Gateway" condition="end with">\DefaultGateway</TargetObject><!--Networking: Detect changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Network Persistent Route Change" condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Network Type Change" condition="end with">}\Category</TargetObject><!--Networking: Detect Network type change-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect AD Domain Change" condition="end with">Domain</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP Default Gateway" condition="end with">DHCPDefaultGateway</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP IP Address" condition="end with">DhcpIPAddress</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP Name Server Changes" condition="end with">DhcpNameserver</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP Server Change" condition="end with">Dhcpserver</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP Subnet mask Change" condition="end with">DhcpSubnetMask</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DNS Server Changes" condition="end with">Nameserver</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Default Gateway" condition="end with">\DefaultGateway</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Network Persistent Route Change" condition="end with">PersistentRoutes</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Network Type Change" condition="end with">}\Category</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Network profile Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Subnet Mask Change" condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Subnet Mask Change" condition="end with">SubnetMask</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User added Macro document to Trusted Records,Risk=30" condition="contains">\Trusted Documents\TrustRecords</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User added Macro document to Trusted Records 2,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Common</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User added Macro trusted certificate,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Trusted</TargetObject>
@@ -5521,22 +5531,21 @@
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Regedit Applets" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Run MRU" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=USBStor USB Device History" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
-			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=4,Alert=Safeboot Service Added" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject> <!--Mitre T1198-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject><!--Mitre T1198-->
+			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=4,Alert=Safeboot Service Added" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject>
+			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject>
+			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject>
+			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject>
+			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect: Dns Server dll injection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect: UAC Bypass" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> 
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=New Device Connected" condition="end with">\FriendlyName</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Providers notified by Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Providers notified by Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Proxy Autoconfig URL" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Shell Service Object Delay Load" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Installer Engaged" condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
-			<!--Windows application compatibility shims-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Tracing Modifications,,Risk=30" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Tracing Modifications,,Risk=30" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject>
 			<!-- NOTICE: Detect New USB Network Devices: Poison Tap: Creates lots of noise, disabled for now-->
 			<Rule name="Alert=Detect PoisonTap,FP=2,Comment=May be noisy" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
@@ -5577,9 +5586,9 @@
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Crypto Keys" condition="end with">\Client\Enabled</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Crypto Keys" condition="end with">\Server\Enabled</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Kitty Sessions,Risk=30" condition="contains">Kitty\Sessions</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Putty Sessions,Risk=30" condition="contains">PuTTY\Sessions</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=RDP History,Risk=10" condition="contains">Terminal Server Client\Servers</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
@@ -5672,30 +5681,37 @@
 			</Rule>
 			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=NTSVCS Execution" groupRelation="or">
 				<PipeName condition="contains">\ntsvcs</PipeName>
-			</Rule>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=9f81f59bc58452127884ce513865ed20 Named Pipe Detection,Risk=100" condition="contains">\9f81f59bc58452127884ce513865ed20</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=46a676ab7f179e511e30dd2dc41bd388 Named Pipe Detection,Risk=100" condition="contains">\46a676ab7f179e511e30dd2dc41bd388</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Kekeo Named Pipe Detection,Risk=100" condition="contains">tssmp_endpoint</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=NamePipe_MoreWindows Named Pipe Detection,Risk=100,Risk=100" condition="contains">\NamePipe_MoreWindows</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=WCEServicePipe detected,Risk=100" condition="contains">\WCEServicePipe</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=ahexec Named Pipe Detection,Risk=100" condition="contains">\ahexec</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=cachedump detected,Risk=100" condition="contains">\cachedumppipe</PipeName><!-- Credits @9f81f59bc58452127884ce513865ed20Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=csexec Named Pipe Detection,Risk=100" condition="contains">\csexec</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=e710f28d59aa529d6792ca6ff0ca1b34 Named Pipe Detection,Risk=100" condition="contains">\e710f28d59aa529d6792ca6ff0ca1b34</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_dg2 Named Pipe Detection,Risk=100" condition="contains">\isapi_dg</PipeName><!-- Credits @Cyb3rops & @olafhartong-->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100" condition="contains">\isapi_http</PipeName><!-- Credits @Cyb3rops & @olafhartong-->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100" condition="contains">\isapi_http</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=lsadump detected,Risk=100" condition="contains">\lsadump</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=lsassw Named Pipe Detectio,Risk=10" condition="contains">\lsassw</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=paexec Named Pipe Detection,Risk=100" condition="contains">\paexec</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=pcheap_reuse Named Pipe Detection" condition="contains">\pcheap_reuse</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Covanant C2 Named Pipe Detection" condition="contains">\gruntsvc</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=remcom Named Pipe Detection,Risk=100" condition="contains">\remcom</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=rpchlp_3 Named Pipe Detection,Risk=100" condition="contains">\rpchlp_3</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=sdlrpc Named Pipe Detection,Risk=100" condition="contains">\sdlrpc</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=winsession Named Pipe Detection,Risk=100" condition="contains">\winsession</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
+				<EventType condition="is">ConnectPipe</EventType>
+			</Rule>
+			<PipeName name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" condition="contains any">\lsadump;\cachedump;\wceservicepipe</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=9f81f59bc58452127884ce513865ed20 Named Pipe Detection,Risk=100" condition="contains">\9f81f59bc58452127884ce513865ed20</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=46a676ab7f179e511e30dd2dc41bd388 Named Pipe Detection,Risk=100" condition="contains">\46a676ab7f179e511e30dd2dc41bd388</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Kekeo Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">tssmp_endpoint</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=NamePipe_MoreWindows Named Pipe Detection,Risk=100,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\NamePipe_MoreWindows</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=WCEServicePipe detected,Risk=,Author=@Cyb3rops/@olafhartong" condition="contains">\WCEServicePipe</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=ahexec Named Pipe Detection,Risk=,Author=@Cyb3rops/@olafhartong" condition="contains">\ahexec</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=cachedump detected,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\cachedumppipe</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=csexec Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\csexec</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=e710f28d59aa529d6792ca6ff0ca1b34 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\e710f28d59aa529d6792ca6ff0ca1b34</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_dg2 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\isapi_dg</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\isapi_http</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\isapi_http</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=lsadump detected,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\lsadump</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=lsassw Named Pipe Detectio,Risk=10,Author=@Cyb3rops/@olafhartong" condition="contains">\lsassw</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=paexec Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\paexec</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=pcheap_reuse Named Pipe Detection,Author=@Cyb3rops/@olafhartong" condition="contains">\pcheap_reuse</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Covanant C2 Named Pipe Detection,Author=@Cyb3rops/@olafhartong" condition="contains">\gruntsvc</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=remcom Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\remcom</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=rpchlp_3 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\rpchlp_3</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=sdlrpc Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\sdlrpc</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=winsession Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\winsession</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Turla HyperStack Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\adschemerpc</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Hidden Cobra Hoplight Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\AnonymousPipe</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Pacifier Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\bc367</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Pacifier Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\bc31a7</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Emissary Panda Hyerbri Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\testPipe</PipeName>
 			<PipeName name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,Alert=lateral movement -meterpreter named pipe detected,Risk=100" condition="contains">msf-pipe</PipeName>
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=LM or EXEC over atsvc named pipe" condition="contains">\atsvc</PipeName> <!-- useful for lm or exec over atsvc namedpipe -->
+			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=LM or EXEC over atsvc named pipe" condition="contains">\atsvc</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 1" condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Named Pipe Detection 1" groupRelation="and">
@@ -5708,6 +5724,10 @@
 				<PipeName condition="is not">\PGMessagePipe</PipeName>
 				<PipeName condition="is not">\MsFteWds</PipeName>
 			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Forensic=Detect suspicious named pipe connections to an AD FS WID,Author=Florian Roth" groupRelation="and"> 
+				<EventType condition="is">ConnectPipe</EventType>
+				<PipeName condition="is">\MICROSOFT##WID\tsql\query</PipeName>
+			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Named Pipe Detection 2" groupRelation="and">
 				<PipeName condition="begin with">\Winsock2\CatalogChangeListener-</PipeName>
 				<PipeName condition="end with">-0,</PipeName>
@@ -5719,8 +5739,8 @@
 			<!-- Noisy
 			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SMB Session Enumeration" condition="contains">\srvsvc</PipeName>
 			-->
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Registry access and enumeration" condition="contains">\winreg</PipeName> <!-- useful for lateral movement and users enumeration, psloggedon use this technique -->
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Anonymous Named Pipe Detected" condition="contains">Anonymous Pipe</PipeName><!--Include Everything else to mark above rules-->
+			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Registry access and enumeration" condition="contains">\winreg</PipeName>
+			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Anonymous Named Pipe Detected" condition="contains">Anonymous Pipe</PipeName>
 			<!--Include Everything else to mark above rules-->
 			<!-- Disabled for now
 			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Uncategorized Events" condition="contains">\</PipeName>
@@ -5737,8 +5757,8 @@
 			<PipeName condition="contains">lsass</PipeName>
 			<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
 			<PipeName condition="is">\spoolss</PipeName>
-			<Image condition="image">C:\Windows\system32\wbem\wmiprvse.exe</Image> <!-- Rediculous amount of spam, likely spikes cpu if logged -->
-			<Image condition="image">C:\Windows\System32\LxRun.exe</Image> <!--WSL-->
+			<Image name="This is noisy" condition="image">C:\Windows\system32\wbem\wmiprvse.exe</Image>
+			<Image name="WSL" condition="image">C:\Windows\System32\LxRun.exe</Image>
 			<Image condition="image">C:\Windows\System32\SearchIndexer.exe</Image>
 			<Image condition="image">C:\Windows\System32\smss.exe</Image>
 			<Image condition="image">C:\Windows\System32\spoolsv.exe</Image>

From adb10ce0e05031dcbbd38f512d9d779dfa787ede Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Mon, 3 Oct 2022 12:50:57 -0400
Subject: [PATCH 392/471] Update MITRE ATT&CK tagging round 1.

---
 sysmonconfig-export.xml | 178 ++++++++++++++++++++--------------------
 1 file changed, 89 insertions(+), 89 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 119828f7..e3b4db7f 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -154,6 +154,24 @@
 				<Image condition="image">gbb.exe</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
+			<Rule name="Attack=T1189,Technique=Drive-by Compromise,Tactic=Initial Access,Level=4,Alert=Browser Exploitation Detected,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">iexplore.exe;chrome.exe;firefox.exe;browser_broker.exe;vivaldi.exe;microsoftedge.exe;microsoftedgecp.exe;brave.exe;vivaldi.exe</ParentImage>
+				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
+				<ParentCommandLine condition="excludes any">apt-config</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1189,Technique=Drive-by Compromise,Tactic=Initial Access,Level=3,Alert=Exploiting SetupComplete.cmd,CVE=CVE-2019-1378,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd;cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd</CommandLine>
+				<Image condition="excludes">C:\Windows\Setup</Image>
+				<Image condition="excludes">C:\Windows\SysWOW64</Image>
+				<Image condition="excludes">C:\Windows\System32</Image>
+				<Image condition="excludes">C:\Windows\WinSxS</Image>
+			</Rule>
+			<Rule name="Attack=T1189,Technique=Drive-by Compromise,Tactic=Initial Access,Level=3,Alert=IE Exploitation CVE-2019-1388,Risk=70" groupRelation="and">
+				<ParentImage condition="image">consent.exe</ParentImage>
+				<CommandLine condition="contains">http</CommandLine>
+				<Image condition="image">iexplore.exe</Image>
+				<User condition="contains">SYSTEM</User>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
 			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,CVE=CVE-2020-1350,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
 				<ParentCommandLine condition="contains all">svchost.exe;termsvcs</ParentCommandLine>
@@ -330,11 +348,6 @@
 			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
 			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Browser Exploitation Detected,Risk=90" groupRelation="and">
-				<ParentImage condition="contains any">iexplore.exe;chrome.exe;firefox.exe;browser_broker.exe;vivaldi.exe;microsoftedge.exe;microsoftedgecp.exe;brave.exe;vivaldi.exe</ParentImage>
-				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
-				<ParentCommandLine condition="excludes any">apt-config</ParentCommandLine>
-			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Office Exploitation Detection,Risk=100" groupRelation="and">
 				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe</ParentImage>
 				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
@@ -430,26 +443,26 @@
 			<CommandLine name="Attack=T1559.002,Technique=Dynamic Data Exchange,Tactic=Execution" condition="contains any">/dde;-dde</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Native API-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=2,Alert=Scheduled Task Created,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,Level=2,Alert=Scheduled Task Created,Risk=100" groupRelation="and">
 				<Image condition="image">schtasks.exe</Image>
 				<CommandLine condition="contains any">/create;-create;/change;-change</CommandLine>
 				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
 			</Rule>
-			<OriginalFileName name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=2,Alert=Scheduled Task Created,Risk=1" condition="is">taskeng.exe</OriginalFileName>
-			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=0,Desc=Schtasks task Run,Risk=60" groupRelation="and">
+			<OriginalFileName name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,Level=2,Alert=Scheduled Task Created,Risk=1" condition="is">taskeng.exe</OriginalFileName>
+			<Rule name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution,Level=0,Desc=Schtasks task Run,Risk=60" groupRelation="and">
 				<Image condition="image">schtasks.exe</Image>
 				<CommandLine condition="contains any">/Run;-run</CommandLine>
 				<CommandLine condition="excludes">Sentinel\AutoRepair</CommandLine>
 				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
 			</Rule>
-			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,Level=2,Alert=Child process from schtasks" groupRelation="and">
+			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Persistence,Level=2,Alert=Child process from schtasks" groupRelation="and">
 				<ParentImage condition="image">schtasks.exe</ParentImage>
 				<ParentCommandLine condition="excludes">schtasks /TN RtkAudUService64_BG</ParentCommandLine>
 				<ParentCommandLine condition="excludes any">-change;/change;-delete;/delete;-create;/create</ParentCommandLine>
 			</Rule>
-			<Image name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</Image>
-			<ParentImage name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</ParentImage>
-			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Execution,Level=0,Desc=Scheduled Task Started,Risk=0" groupRelation="and">
+			<Image name="Attack=T1053.002,Technique=Scheduled Task/Job: At,Tactic=Persistence,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</Image>
+			<ParentImage name="Attack=T1053.002,Technique=Scheduled Task/Job: At,Tactic=Execution/Persistence/Privledge Escalation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</ParentImage>
+			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,Level=0,Desc=Scheduled Task Started,Risk=0" groupRelation="and">
 				<ParentImage condition="image">C:\Windows\System32\svchost.exe</ParentImage>
 				<ParentCommandLine condition="contains all">netsvcs;-p;-s;Schedule</ParentCommandLine>
 				<CommandLine condition="excludes all">netsvcs;-p;-s;Schedule</CommandLine>
@@ -509,19 +522,19 @@
 			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec Child Process,Risk=100" condition="image">psexec.exe</ParentImage>
 			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=2,Alert=PSKill Execution,Risk=100" condition="image">pskill.exe</ParentImage>
 			<Image name="Attack=T1035,Technique=Service Execution,Tactic=Execution,Level=2,Alert=PsKill Command" condition="contains">pskill</Image>
-			<Rule name="Attack=T1569.002,Technique=System Services,Tactic=Execution,Level=3,Alert=Suspicious Network Service Child Processes,Risk=75" groupRelation="and">
+			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,Level=3,Alert=Suspicious Network Service Child Processes,Risk=75" groupRelation="and">
 				<ParentCommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k NetworkService -p</ParentCommandLine>
 			</Rule>
-			<Rule name="Attack=T1569.002,Technique=System Services,Tactic=Execution,Level=3,Alert=Suspicious LanmanWorkstation Child Processes,Risk=75" groupRelation="and">
+			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,Level=3,Alert=Suspicious LanmanWorkstation Child Processes,Risk=75" groupRelation="and">
 				<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation</ParentCommandLine>
 			</Rule>
-			<Rule name="Attack=T1569.002,Technique=System Services,Tactic=Execution,Level=3,Alert=Suspicious Network List Service Child Processes,Risk=75" groupRelation="and">
+			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,Level=3,Alert=Suspicious Network List Service Child Processes,Risk=75" groupRelation="and">
 				<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k netprofm -p -s netprofm</ParentCommandLine>
 			</Rule>
-			<Rule name="Attack=T1569.002,Technique=System Services,Tactic=Execution,Level=3,Alert=Remote Procedure Call Service Anomaly,Risk=75" groupRelation="and">
+			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,Level=3,Alert=Remote Procedure Call Service Anomaly,Risk=75" groupRelation="and">
 				<ParentCommandLine condition="contains all">C:\WINDOWS\system32\svchost.exe;RPCSS</ParentCommandLine>
 			</Rule>
-			<Rule name="Attack=T1569.002,Technique=System Services,Tactic=Execution,Level=3,Alert=Remote Procedure Call Service Crash detected,Risk=75" groupRelation="and">
+			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,Level=3,Alert=Remote Procedure Call Service Crash detected,Risk=75" groupRelation="and">
 				<ParentCommandLine condition="contains all">C:\WINDOWS\system32\svchost.exe;RPCSS</ParentCommandLine>
 				<Image condition="image">werfault.exe</Image>
 			</Rule>
@@ -654,24 +667,24 @@
 				<CommandLine condition="excludes any">route ; ADD </CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism: Bypass User Account Control-->
-			<Rule name="Attack=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation,Risk=20" groupRelation="and">
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Risk=20" groupRelation="and">
 				<ParentImage condition="image">eventvwr.exe</ParentImage>
 				<Image condition="is not">c:\windows\system32\mmc.exe</Image>
 			</Rule>
-			<ParentImage name="Attack=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="image">fodhelper.exe</ParentImage>
+			<ParentImage name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation" condition="image">fodhelper.exe</ParentImage>
 			<Image name="Attack=T1118,Technique=InstallUtil,Tactic=Execution,Level=0,Desc=InstallUtil" condition="image">InstallUtil.exe</Image>
-			<CommandLine name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass" condition="contains">Invoke-PsUaCme</CommandLine>
-			<CommandLine name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass" condition="contains">BypassUAC</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Powerup Command Line events" condition="contains">PowerUp</CommandLine>
+			<CommandLine name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass" condition="contains">Invoke-PsUaCme</CommandLine>
+			<CommandLine name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass" condition="contains">BypassUAC</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Powerup Command Line events" condition="contains">PowerUp</CommandLine>
 			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">computerdefaults.exe</OriginalFileName>
 			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">dism.exe</OriginalFileName>
 			<ParentImage name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="image">fodhelper.exe</ParentImage>
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<Rule name="Attack=T1088,Technique=Access Token Manipulation,Tactic=Privilege Escalation,Risk=90,Level=3,Alert=Priv Escalation to System" groupRelation="and">
+			<Rule name="Attack=T1134.001,Technique=Access Token Manipulation: Token Impersonation/Theft,Tactic=Privilege Escalation,Risk=90,Level=3,Alert=Priv Escalation to System" groupRelation="and">
 				<ParentUser condition="contains any">NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</ParentUser>
 				<User condition="contains any">NT AUTHORITY\SYSTEM;СИСТЕМА;NT-AUTORITÄT\SYSTEM;AUTORITE NT\SYSTEM</User>
 			</Rule>
-			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Possible Token manipulation" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine>
+			<ParentCommandLine name="Attack=T1134.001,Technique=Access Token Manipulation: Token Impersonation/Theft,Tactic=Privilege Escalation,Level=1,Desc=Possible Token manipulation" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine>
 			<Image name="Attack=T1134,Technique=Access Token Manipulation,Tactic=NA,Level=2,Alert=Token Manipulation with runas.exe,Risk=70" condition="image">runas.exe</Image> 
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
@@ -702,19 +715,6 @@
 			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Application Shimming-->
 			<Image name="Attack=T1138,Technique=Application Shimming,Tactic=Persistence/Privilege Escalation,Level=3,Alert=Application Shimming" condition="image">sdbinst.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=3,Alert=Exploiting SetupComplete.cmd,CVE=CVE-2019-1378,Risk=70" groupRelation="and">
-				<CommandLine condition="contains any">cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd;cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd</CommandLine>
-				<Image condition="excludes">C:\Windows\Setup</Image>
-				<Image condition="excludes">C:\Windows\SysWOW64</Image>
-				<Image condition="excludes">C:\Windows\System32</Image>
-				<Image condition="excludes">C:\Windows\WinSxS</Image>
-			</Rule>
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=3,Alert=IE Exploitation CVE-2019-1388,Risk=70" groupRelation="and">
-				<ParentImage condition="image">consent.exe</ParentImage>
-				<CommandLine condition="contains">http</CommandLine>
-				<Image condition="image">iexplore.exe</Image>
-				<User condition="contains">SYSTEM</User>
-			</Rule>
 			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=Dwm Exploitation" groupRelation="and">
 				<ParentImage condition="image">dwm.exe</ParentImage>
 			</Rule>
@@ -1355,65 +1355,65 @@
 				<CommandLine condition="contains all">netsh;trace;start;capture=yes</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Access with vss shadow copy,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Access with vss shadow copy,Risk=100" groupRelation="and">
 				<Image condition="image">vssadmin.exe</Image>
 				<CommandLine condition="contains any">create;shadow</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential access with wmic shadow copy creation,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential access with wmic shadow copy creation,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
 				<CommandLine condition="contains all">shadowcopy;call;create</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential access with wmic esentutl,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential access with wmic esentutl,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
 				<CommandLine condition="contains all">call;create;esentutl;vss</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Powershell shadow copy creation,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Powershell shadow copy creation,Risk=100" groupRelation="and">
 				<CommandLine condition="contains all">win32_shadowcopy;create;clientaccessible</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Symlink to Shadowcopy,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Symlink to Shadowcopy,Risk=100" groupRelation="and">
 				<CommandLine condition="contains all">mklink;GLOBALROOT;Shadow</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Copy of NTDS.dit from vss shadow copy,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Copy of NTDS.dit from vss shadow copy,Risk=100" groupRelation="or">
 				<CommandLine condition="contains all">copy;NTDS\ntds.dit</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=ntdsutil credential dumping,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=ntdsutil credential dumping,Risk=100" groupRelation="or">
 				<Image condition="image">ntdsutil.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Copy of SYSTEM Registry from vss shadow copy,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Copy of SYSTEM Registry from vss shadow copy,Risk=100" groupRelation="or">
 				<CommandLine condition="contains all">copy;System32\config\SYSTEM</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Malicious Reg Save Credential Dumping,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Malicious Reg Save Credential Dumping,Risk=100" groupRelation="or">
 				<CommandLine condition="contains all">reg;save;HKLM</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" groupRelation="and">
 				<CommandLine condition="contains any">mimikatz;mimidrv;mimilove;mimilib;sekurlsa;lsadump;dumpcreds;privilege::;token::;logonpasswords;mimikittenz;mimiauth;::;kerberos::;misc::skeleton;privilege::debug;dpapi::cred;vault::cred;lsadump;misc::;Krbtgt;TOKEN::;invoke-mimi</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=3,Alert=Possible credential modification or disclosure with cmdkey,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=3,Alert=Possible credential modification or disclosure with cmdkey,Risk=30" groupRelation="and">
 				<OriginalFileName condition="contains">cmdkey</OriginalFileName>
 			</Rule>
-			<OriginalFileName name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=3,Alert=Credential Dumping Command rpcping,Risk=100" condition="is">rpcping.exe</OriginalFileName>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command nltest,Risk=100" condition="contains">nltest.exe</CommandLine>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Suspicious Cred Dumping Commands,Risk=60" groupRelation="and">
+			<OriginalFileName name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=3,Alert=Credential Dumping Command rpcping,Risk=100" condition="is">rpcping.exe</OriginalFileName>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command nltest,Risk=100" condition="contains">nltest.exe</CommandLine>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Suspicious Cred Dumping Commands,Risk=60" groupRelation="and">
 				<CommandLine condition="contains any">-ma lsass.exe;Do-Exfiltration;Powersploit;GPPPassword;gpprefdecrypt;gsecdump;hashdump;laZagne;ntds.dit;ppldump;pwdump;pwdumpx;secretsdump;/listcreds:;-listcreds:</CommandLine>
 			</Rule>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultCloseVault</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultEnumerateItem</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultFree</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultGetItem</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultOpenVault</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">Vaultcmd</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">vaultcli.dll</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from firefox" condition="contains">select * from moz_login</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping" condition="contains">Invoke-WinEnum</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Dumping Cached Credentials,Risk=100" condition="contains">System.Net.CredentialCache</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=VSS Shadow file Created" condition="contains">create shadow</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultCloseVault</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultEnumerateItem</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultFree</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultGetItem</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultOpenVault</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">Vaultcmd</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">vaultcli.dll</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from firefox" condition="contains">select * from moz_login</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping" condition="contains">Invoke-WinEnum</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Dumping Cached Credentials,Risk=100" condition="contains">System.Net.CredentialCache</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=VSS Shadow file Created" condition="contains">create shadow</CommandLine>
 			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Dumping,Level=4,Alert=Credential Theft: netsh wlan password export in cleartext,Risk=100" condition="contains all">wlan;export;profile;key=clear</CommandLine>
 			<CommandLine name="Attack=T1003.006,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command DCsync,Risk=100" condition="contains">dcsync</CommandLine>
 			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry" condition="contains any">HKCU /f password;HKCU -f password</CommandLine>
 			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry" condition="contains any">HKLM /f password;HKLM -f password</CommandLine>
-			<Image name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command nltest,Risk=60" condition="image">nltest.exe</Image>
-			<Image name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command" condition="image">ProcDump.exe</Image>
-			<OriginalFileName name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command" condition="contains">ProcDump</OriginalFileName>
+			<Image name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command nltest,Risk=60" condition="image">nltest.exe</Image>
+			<Image name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command" condition="image">ProcDump.exe</Image>
+			<OriginalFileName name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command" condition="contains">ProcDump</OriginalFileName>
 			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
 			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
 			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">asktgt;asktgs</CommandLine>
@@ -3120,10 +3120,10 @@
 			<Rule name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Defense Evasion,Level=4,Alert=Ransomware detected tor library,Risk=100" groupRelation="and">
 				<ImageLoaded condition="contains">tor-lib.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Cred Dumping,Risk=90" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=Cred Dumping,Risk=90" groupRelation="and">
 				<ImageLoaded condition="is any">C:\Windows\System32\WinSCard.dll;C:\Windows\System32\cryptdll.dll;C:\Windows\System32\hid.dll;C:\Windows\System32\samlib.dll;C:\Windows\System32\vaultcli.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Mimikatz Cred Dumping,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=Mimikatz Cred Dumping,Risk=100" groupRelation="and">
 				<Image condition="image">rundll32.exe</Image>
 				<ImageLoaded condition="contains all">vaultcli.dll;wlanapi.dll</ImageLoaded>
 				<ImageLoaded condition="excludes">combase.dll</ImageLoaded>
@@ -3188,7 +3188,7 @@
 			</Rule>
 			<ImageLoaded condition="end with">scrobj.dll</ImageLoaded>
 			<ImageLoaded condition="end with">crypt0.dll</ImageLoaded>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Wireless Credential Dumping" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=Wireless Credential Dumping" groupRelation="and">
 				<ImageLoaded condition="end with">C:\Windows\System32\wlanapi.dll</ImageLoaded>
 				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe</Image>
 				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe</Image>
@@ -3273,7 +3273,7 @@
 	<RuleGroup name="RG=CreateRemoteThread Include Group" groupRelation="or">
 		<CreateRemoteThread onmatch="include">
 			<!--Custom Rules-->
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from lsass,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from lsass,Risk=100" groupRelation="and">
 				<StartAddress condition="is">0x001A0000</StartAddress>
 				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
 			</Rule>
@@ -3406,27 +3406,27 @@
 				<CallTrace condition="contains">\Microsoft Shared\VBA</CallTrace>
 				<TargetImage condition="excludes">C:\Program Files (x86)\Intuit\</TargetImage>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Credential Access,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Credential Access,Risk=70" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<GrantedAccess>0x1FFFFF</GrantedAccess>
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 				<CallTrace condition="excludes">WmiPerfClass.dll</CallTrace>
 				<SourceImage condition="excludes any">C:\Windows\sysWOW64\wbem\wmiprvse.exe;C:\Windows\system32\wbem\wmiprvse.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe;WmiPerfClass.dll;C:\Program Files (x86)\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files (x86)\Common Files\Adobe</SourceImage>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Mimikatz through Windows Remote Management,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=Mimikatz through Windows Remote Management,Risk=100" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<SourceImage condition="image">C:\Windows\system32\wsmprovhost.exe</SourceImage>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS process access by LaZagne,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS process access by LaZagne,Risk=100" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<GrantedAccess>0x1FFFFF</GrantedAccess>
 				<CallTrace condition="contains all">python27.dll;_ctypes.pyd;KERNELBASE.dll;ntdll.dll</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS process access by Mimikatz,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS process access by Mimikatz,Risk=100" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<CallTrace condition="begin with">C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\system32\KERNELBASE.dll+8185</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Cobalt Strike Monitor,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Cobalt Strike Monitor,Risk=70" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
 				<CallTrace condition="end with">)</CallTrace>
@@ -3434,7 +3434,7 @@
 				<CallTrace condition="excludes any">wow64.dll;)|C;Exchange.Diagnostics;Microsoft.Exchange</CallTrace>
 				<SourceImage condition="excludes any">C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe;c:\windows\system32\inetsrv\w3wp.exe;MSExchangeHMHost.exe;C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Rubeus Mimikatz Like Detection,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Rubeus Mimikatz Like Detection,Risk=70" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\winlogon.exe</TargetImage>
 				<GrantedAccess>0x1F3FFF</GrantedAccess>
 				<CallTrace condition="contains any">C:\Windows\Microsoft.NET;UNKNOWN</CallTrace>
@@ -3444,27 +3444,27 @@
 				<TargetImage condition="contains any">C:\Windows\sysmon64.exe;C:\Windows\sysmon64.exe</TargetImage>
 				<GrantedAccess>0x1C00</GrantedAccess>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access,Risk=20" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access,Risk=20" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<GrantedAccess>0x1F1FFF</GrantedAccess>
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access 2,Risk=20" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access 2,Risk=20" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<GrantedAccess>0x1010</GrantedAccess>
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access 3,Risk=20" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access 3,Risk=20" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<GrantedAccess>0x143A</GrantedAccess>
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=LSASS Memory Dump,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=LSASS Memory Dump,Risk=100" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<GrantedAccess>0x1fffff</GrantedAccess>
 				<CallTrace condition="contains any">dbghelp.dll;dbgcore.dll</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=Process access with dbghelp,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=Process access with dbghelp,Risk=30" groupRelation="and">
 				<CallTrace condition="contains any">dbghelp.dll;dbgcore.dll</CallTrace>
 				<TargetImage condition="excludes">C:\Windows\system32\lsass.exe</TargetImage>
 				<SourceImage condition="excludes">C:\wfx32\</SourceImage>
@@ -3476,7 +3476,7 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Keylogger detected,Risk=100" groupRelation="and">
 				<CallTrace condition="contains">getasynckeystate</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=CMSTP UAC Bypass" groupRelation="and">
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=CMSTP UAC Bypass" groupRelation="and">
 				<CallTrace condition="contains">cmlua.dll</CallTrace>
 			</Rule>
 			<Rule name="Attack=T1086,Technique=PowerShell,Tactic=Execution,Level=3,Alert=Powershell without Powershell,Risk=30" groupRelation="and">
@@ -3497,7 +3497,7 @@
 				<TargetImage condition="is not">C:\Windows\system32\query.exe</TargetImage>
 				<TargetImage condition="is not">MsMpEng.exe</TargetImage>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=3,Alert=Kaodic credential access detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=3,Alert=Kaodic credential access detected,Risk=100" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<CallTrace condition="contains">comsvcs.dll</CallTrace>
 			</Rule>
@@ -3554,18 +3554,18 @@
 			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE: possible memory injection -->
 			<GrantedAccess name="Attack=T1093,Technique=Process Hollowing,Tactic=Defense Evasion,Level=4,Alert=Process Hollowing Detected,Risk=100">0x0800</GrantedAccess>
 			<!-- PROCESS_SUSPEND_RESUME -->
-			<GrantedAccess name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator">0x0810</GrantedAccess>
+			<GrantedAccess name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator">0x0810</GrantedAccess>
 			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
 			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=Possible Memory Dump,Risk=70">0x0820</GrantedAccess>
 			<!-- PROCESS_SUSPEND_RESUME -->
-			<GrantedAccess name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=70">0x810</GrantedAccess>
+			<GrantedAccess name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=70">0x810</GrantedAccess>
 			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
 			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Risk=70">0x820</GrantedAccess>
 			<SourceImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CScript accessing another process memory,Risk=30" condition="end with">cscript.exe</SourceImage>
 			<SourceImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WScript accessing another process memory,Risk=30" condition="end with">wscript.exe</SourceImage>
 			<SourceImage condition="end with">jjs.exe</SourceImage>
-			<CallTrace name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">dump</CallTrace>
-			<CallTrace name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">mimikatz</CallTrace>
+			<CallTrace name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">dump</CallTrace>
+			<CallTrace name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">mimikatz</CallTrace>
 			<CallTrace name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=ProcessAccess with CorperfmontExt.dll,Risk=70" condition="contains">CorperfmontExt.dll</CallTrace>
 			<Rule name="Antivirus Exclusions" groupRelation="or"> 
 				<SourceImage condition="begin with">C:\Program Files (x86)\Kaspersky Lab</SourceImage> 
@@ -4892,8 +4892,8 @@
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect UAC Tampering" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
-			<TargetObject name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe</TargetObject>
-			<TargetObject name="Attack=T1088,Technique=Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">exefile\shell\runas\command\isolatedCommand</TargetObject>			
+			<TargetObject name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe</TargetObject>
+			<TargetObject name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">exefile\shell\runas\command\isolatedCommand</TargetObject>			
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
 			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
@@ -5683,7 +5683,7 @@
 				<PipeName condition="contains">\ntsvcs</PipeName>
 				<EventType condition="is">ConnectPipe</EventType>
 			</Rule>
-			<PipeName name="Attack=T1003,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" condition="contains any">\lsadump;\cachedump;\wceservicepipe</PipeName>
+			<PipeName name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" condition="contains any">\lsadump;\cachedump;\wceservicepipe</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=9f81f59bc58452127884ce513865ed20 Named Pipe Detection,Risk=100" condition="contains">\9f81f59bc58452127884ce513865ed20</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=46a676ab7f179e511e30dd2dc41bd388 Named Pipe Detection,Risk=100" condition="contains">\46a676ab7f179e511e30dd2dc41bd388</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Kekeo Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">tssmp_endpoint</PipeName>

From cfb24e6b4cd1ba333cf936ca2ee0fd2e951d6596 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Mon, 3 Oct 2022 13:17:36 -0400
Subject: [PATCH 393/471] Correct MITRE Tagging for Exploit Public-Facing
 Applications

---
 sysmonconfig-export.xml | 48 ++++++++++++++++++++---------------------
 1 file changed, 24 insertions(+), 24 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e3b4db7f..18212d09 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -173,6 +173,26 @@
 				<User condition="contains">SYSTEM</User>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=IIS Web Server Exploitation Detected,Risk=100" groupRelation="and">
+				<ParentImage condition="image">w3wp.exe</ParentImage>
+				<Image condition="excludes any">\csc.exe;\TranscodingService.exe;\werfault.exe;\appcmd.exe</Image>
+				<!--Add wider coverage than specific lolbins, add exclusions above carefully, could be noisy, if too noisy comment above and uncomment below and add more lolbins-->
+				<!--<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;certutil.exe</Image>-->
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Suspicious IIS Module Registration,Risk=100,Author=Florian Roth/@ionstorm" groupRelation="and">
+				<ParentImage condition="image">w3wp.exe</ParentImage>
+				<Image condition="image">appcmd.exe</Image>
+				<CommandLine condition="contains any">appcmd.exe add module;system.enterpriseservices.internal.publish;\gacutil.exe /I;gacutil.exe -I</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Web Server Exploitation Detected,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">apache;php-cgi.exe;nginx.exe;httpd.exe;tomcat;php.exe</ParentImage>
+				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;certutil.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Web Server Spawned cmd shell,Risk=100" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>				
+				<CommandLine condition="excludes any">ping 127.0.0.1</CommandLine>				
+				<CurrentDirectory condition="is">c:\windows\system32\inetsrv\</CurrentDirectory>				
+			</Rule>
 			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,CVE=CVE-2020-1350,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
 				<ParentCommandLine condition="contains all">svchost.exe;termsvcs</ParentCommandLine>
 				<Image condition="excludes any">rdpclip.exe;csrss.exe;wininit.exe</Image>
@@ -203,6 +223,10 @@
 				<!--Allow Confluence Rule to fire-->
 				<ParentImage condition="excludes">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
 			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=3,Alert=SQL Server Exploitation Detected,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">sqlservr</ParentImage>
+				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;sh.exe;bash.exe</Image>
+			</Rule>
 			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Generic Java keytool Exploit,Risk=100" groupRelation="and">
 				<ParentImage condition="image">keytool.exe</ParentImage>
 				<Image condition="contains any">cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe</Image>
@@ -385,30 +409,6 @@
 				<ParentImage condition="contains any">acrobat.exe;acrord32.exe</ParentImage>
 				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Web Server Exploitation Detected,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">apache;php-cgi.exe;nginx.exe;httpd.exe;tomcat;php.exe</ParentImage>
-				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;certutil.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=IIS Web Server Exploitation Detected,Risk=100" groupRelation="and">
-				<ParentImage condition="image">w3wp.exe</ParentImage>
-				<Image condition="excludes any">\csc.exe;\TranscodingService.exe;\werfault.exe;\appcmd.exe</Image>
-				<!--Add wider coverage than specific lolbins, add exclusions above carefully, could be noisy, if too noisy comment above and uncomment below and add more lolbins-->
-				<!--<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;certutil.exe</Image>-->
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Suspicious IIS Module Registration,Risk=100,Author=Florian Roth/@ionstorm" groupRelation="and">
-				<ParentImage condition="image">w3wp.exe</ParentImage>
-				<Image condition="image">appcmd.exe</Image>
-				<CommandLine condition="contains any">appcmd.exe add module;system.enterpriseservices.internal.publish;\gacutil.exe /I;gacutil.exe -I</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Web Server Spawned cmd shell,Risk=100" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>				
-				<CommandLine condition="excludes any">ping 127.0.0.1</CommandLine>				
-				<CurrentDirectory condition="is">c:\windows\system32\inetsrv\</CurrentDirectory>				
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=SQL Server Exploitation Detected,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">sqlservr</ParentImage>
-				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;sh.exe;bash.exe</Image>
-			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office MSHTML Exploit,Risk=100,CVE=CVE-2021-40444" groupRelation="and">
 				<ParentImage condition="contains any">winword.exe;powerpnt.exe;excel.exe</ParentImage>
 				<Image condition="image">control.exe</Image>

From e8898f77bc51d79a92bc851b9d289af2340910f5 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Mon, 3 Oct 2022 13:24:34 -0400
Subject: [PATCH 394/471] Merge in Sigma Desktop Central CVE from Florian Roth.

---
 sysmonconfig-export.xml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 18212d09..1e3195aa 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -217,6 +217,10 @@
 				<ParentImage condition="end with">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
 				<CommandLine condition="contains any">cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin</CommandLine>
 			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Desktop Central Remote Exploit,Risk=100,CVE=CVE-2020-10189,Author=Florian Roth" groupRelation="and">
+				<ParentImage condition="end with">DesktopCentral_Server\jre\bin\java.exe</ParentImage>
+				<CommandLine condition="contains any">cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin</CommandLine>
+			</Rule>
 			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Generic Java Webapp Remote Exploit,Risk=100" groupRelation="and">
 				<ParentImage condition="image">\jre\bin\java.exe</ParentImage>
 				<Image condition="contains any">cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe</Image>
@@ -1686,7 +1690,7 @@
 				<Image condition="excludes">g2mupdate.exe</Image>
 				<Image condition="excludes">slack.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,AlertSuspicious Processes Spawned by WinRM,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Suspicious Processes Spawned by WinRM,Risk=100" groupRelation="and">
 				<ParentImage condition="image">wsmprovhost.exe</ParentImage>
 				<Image condition="image">cmd.exe</Image>
 				<Image condition="image">sh.exe</Image>

From a28488f20432d031cd7e099fdd57e9330ddcc796 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Mon, 3 Oct 2022 16:38:10 -0400
Subject: [PATCH 395/471] Added MITRE ATT&CK Datasource Tag: DS= and tagged
 most rules to identify Datasource Coverage.

---
 sysmonconfig-export.xml | 3391 ++++++++++++++++++++-------------------
 1 file changed, 1697 insertions(+), 1694 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 1e3195aa..5bc351b3 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -16,6 +16,7 @@
 				 Attack: Mitre ATT&CK Identifier
 				 Technique: Mitre ATT&CK Technique
 				 Tactic: Mitre ATT&CK Tactic
+				 DS: Mitre ATT&CK Datasource
 				 Alert: Alert Text for SIEM/XDR
 				 Info: Informational Alert Text
 				 Level: The level field contains one of five string values. It describes the criticality of a triggered rule. 
@@ -84,16 +85,16 @@
 		<ProcessCreate onmatch="include">
 			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
 			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,Level=3,Alert=Nessus Scan Detected,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,DS=Process: Process Creation,Level=3,Alert=Nessus Scan Detected,Risk=100" groupRelation="or">
 				<ParentCommandLine condition="contains any">TEMP\nessus_;nessus_task_list</ParentCommandLine>
 				<CommandLine condition="contains any">TEMP\nessus_;nessus_task_list</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,DS=Process: Process Creation,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
 				<CommandLine condition="contains any">rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe</CommandLine>
 				<OriginalFileName condition="is any">advanced_port_scanner.exe;rcpping.exe;nc.exe;nc64.exe;netcat.exe;ncat.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe</OriginalFileName>
 				<Product condition="contains any">Network Scanner;Advanced IP Scanner</Product>
 			</Rule>
-			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=4,Alert=ADFind.exe Discovery,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=4,Alert=ADFind.exe Discovery,Risk=100" groupRelation="or">
 				<OriginalFileName condition="contains">adfind</OriginalFileName>
 				<Product condition="contains">adfind</Product>
 				<CommandLine condition="contains any">-gcb -sc;/gcb /sc;-f (objectcategory=;/f (objectcategory=;trustdmp</CommandLine>
@@ -116,26 +117,26 @@
 			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
 			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
 			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
-			<CommandLine name="Attack=T1584.002,Technique=Compromise Infrastructure: DNS Server,Tactic=Resource Development,Level=4,Alert=DNSCMD DLL exec" condition="contains">/serverlevelplugindll</CommandLine>
+			<CommandLine name="Attack=T1584.002,Technique=Compromise Infrastructure: DNS Server,Tactic=Resource Development,DS=Process: Process Creation,Level=4,Alert=DNSCMD DLL exec" condition="contains">/serverlevelplugindll</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
 			<Rule name="Attack=T1587.003,Technique=Develop Capabilities: Digital Certificates,Tactic=Resource Development,Alert=netsh adding SSL Certificate,Risk=40" groupRelation="and">
 				<CommandLine condition="contains all">add;sslcert;http</CommandLine> 
 			</Rule>
-			<CommandLine name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Level=3,Alert=netsh removing SSL Certificate,Risk=40" condition="contains">http del sslcert</CommandLine>
+			<CommandLine name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=netsh removing SSL Certificate,Risk=40" condition="contains">http del sslcert</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
 			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
 			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
 
 			<!--MITRE ATT&CK TACTIC: Initial Access-->
-			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Executed files within Outlook Attachments,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,DS=Process: Process Creation,Level=0,Alert=Executed files within Outlook Attachments,Risk=30" groupRelation="and">
 				<Image condition="contains">C:\Users\</Image>
 				<Image condition="contains">Content.Outlook</Image>
 			</Rule>
-			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Arbitrary Shell Command Execution Via Settingcontent-Ms,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,DS=Process: Process Creation,Level=0,Alert=Arbitrary Shell Command Execution Via Settingcontent-Ms,Risk=30" groupRelation="and">
 				<CommandLine condition="contains">.SettingContent-ms</CommandLine>
 				<CommandLine condition="excludes">immersivecontrolpanel</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Double File Extension,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,DS=Process: Process Creation,Level=0,Alert=Double File Extension,Risk=100" groupRelation="or">
 				<Image condition="end with">.doc.exe</Image>
 				<Image condition="end with">.docx.exe</Image>
 				<Image condition="end with">.docx.exe</Image>
@@ -149,98 +150,98 @@
 				<Image condition="end with">      .exe</Image>
 				<Image condition="end with">______.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,Level=0,Alert=Suspicious HWP Sub Processes,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,DS=Process: Process Creation,Level=0,Alert=Suspicious HWP Sub Processes,Risk=70" groupRelation="and">
 				<ParentImage condition="image">Hwp.exe</ParentImage>
 				<Image condition="image">gbb.exe</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
-			<Rule name="Attack=T1189,Technique=Drive-by Compromise,Tactic=Initial Access,Level=4,Alert=Browser Exploitation Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1189,Technique=Drive-by Compromise,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Browser Exploitation Detected,Risk=100" groupRelation="and">
 				<ParentImage condition="contains any">iexplore.exe;chrome.exe;firefox.exe;browser_broker.exe;vivaldi.exe;microsoftedge.exe;microsoftedgecp.exe;brave.exe;vivaldi.exe</ParentImage>
 				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
 				<ParentCommandLine condition="excludes any">apt-config</ParentCommandLine>
 			</Rule>
-			<Rule name="Attack=T1189,Technique=Drive-by Compromise,Tactic=Initial Access,Level=3,Alert=Exploiting SetupComplete.cmd,CVE=CVE-2019-1378,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1189,Technique=Drive-by Compromise,Tactic=Initial Access,DS=Process: Process Creation,Level=3,Alert=Exploiting SetupComplete.cmd,CVE=CVE-2019-1378,Risk=70" groupRelation="and">
 				<CommandLine condition="contains any">cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd;cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd</CommandLine>
 				<Image condition="excludes">C:\Windows\Setup</Image>
 				<Image condition="excludes">C:\Windows\SysWOW64</Image>
 				<Image condition="excludes">C:\Windows\System32</Image>
 				<Image condition="excludes">C:\Windows\WinSxS</Image>
 			</Rule>
-			<Rule name="Attack=T1189,Technique=Drive-by Compromise,Tactic=Initial Access,Level=3,Alert=IE Exploitation CVE-2019-1388,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1189,Technique=Drive-by Compromise,Tactic=Initial Access,DS=Process: Process Creation,Level=3,Alert=IE Exploitation CVE-2019-1388,Risk=70" groupRelation="and">
 				<ParentImage condition="image">consent.exe</ParentImage>
 				<CommandLine condition="contains">http</CommandLine>
 				<Image condition="image">iexplore.exe</Image>
 				<User condition="contains">SYSTEM</User>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=IIS Web Server Exploitation Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=IIS Web Server Exploitation Detected,Risk=100" groupRelation="and">
 				<ParentImage condition="image">w3wp.exe</ParentImage>
 				<Image condition="excludes any">\csc.exe;\TranscodingService.exe;\werfault.exe;\appcmd.exe</Image>
 				<!--Add wider coverage than specific lolbins, add exclusions above carefully, could be noisy, if too noisy comment above and uncomment below and add more lolbins-->
 				<!--<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;certutil.exe</Image>-->
 			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Suspicious IIS Module Registration,Risk=100,Author=Florian Roth/@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Suspicious IIS Module Registration,Risk=100,Author=Florian Roth/@ionstorm" groupRelation="and">
 				<ParentImage condition="image">w3wp.exe</ParentImage>
 				<Image condition="image">appcmd.exe</Image>
 				<CommandLine condition="contains any">appcmd.exe add module;system.enterpriseservices.internal.publish;\gacutil.exe /I;gacutil.exe -I</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Web Server Exploitation Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Web Server Exploitation Detected,Risk=100" groupRelation="and">
 				<ParentImage condition="contains any">apache;php-cgi.exe;nginx.exe;httpd.exe;tomcat;php.exe</ParentImage>
 				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;certutil.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Web Server Spawned cmd shell,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Web Server Spawned cmd shell,Risk=100" groupRelation="and">
 				<Image condition="image">cmd.exe</Image>				
 				<CommandLine condition="excludes any">ping 127.0.0.1</CommandLine>				
 				<CurrentDirectory condition="is">c:\windows\system32\inetsrv\</CurrentDirectory>				
 			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,CVE=CVE-2020-1350,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,CVE=CVE-2020-1350,DS=Process: Process Creation,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
 				<ParentCommandLine condition="contains all">svchost.exe;termsvcs</ParentCommandLine>
 				<Image condition="excludes any">rdpclip.exe;csrss.exe;wininit.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,CVE=CVE-2020-1350,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,CVE=CVE-2020-1350,DS=Process: Process Creation,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
 				<ParentImage condition="image">dns.exe</ParentImage>
 				<Image condition="excludes any">werfault.exe;conhost.exe;dnscmd.exe;dns.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1190,Tactic=Initial Access,Technique=Exploit Public-Facing Application,CVE=CVE-2019-0708,Level=4,Alert=Terminal Service Process Spawn,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1190,Tactic=Initial Access,Technique=Exploit Public-Facing Application,CVE=CVE-2019-0708,DS=Process: Process Creation,Level=4,Alert=Terminal Service Process Spawn,Risk=100" groupRelation="and">
 				<ParentImage condition="contains any">UMWorkerProcess.exe;UMService.exe</ParentImage>
 				<CommandLine condition="excludes any">perfenabled</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1190,Tactic=Initial Access,Technique=Exploit Public-Facing Application,CVE=CVE-2021-26857,Level=4,Alert=HAFNIUM APT Exchange UMS Process,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1190,Tactic=Initial Access,Technique=Exploit Public-Facing Application,CVE=CVE-2021-26857,DS=Process: Process Creation,Level=4,Alert=HAFNIUM APT Exchange UMS Process,Risk=100" groupRelation="and">
 				<ParentImage condition="contains any">UMWorkerProcess.exe;UMService.exe</ParentImage>
 				<CommandLine condition="excludes any">perfenabled</CommandLine>
 				<Image condition="excludes any">wemgr.exe;werfault.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=wwwroot Web Server Exploitation Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=wwwroot Web Server Exploitation Detected,Risk=100" groupRelation="and">
 				<Image condition="contains any">\wwwroot\</Image>
 			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Atlassian Confluence Remote Exploit,Risk=100,CVE=CVE-2021-26084" groupRelation="and">
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Atlassian Confluence Remote Exploit,Risk=100,CVE=CVE-2021-26084" groupRelation="and">
 				<ParentImage condition="end with">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
 				<CommandLine condition="contains any">cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Desktop Central Remote Exploit,Risk=100,CVE=CVE-2020-10189,Author=Florian Roth" groupRelation="and">
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Desktop Central Remote Exploit,Risk=100,CVE=CVE-2020-10189,Author=Florian Roth" groupRelation="and">
 				<ParentImage condition="end with">DesktopCentral_Server\jre\bin\java.exe</ParentImage>
 				<CommandLine condition="contains any">cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Generic Java Webapp Remote Exploit,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Generic Java Webapp Remote Exploit,Risk=100" groupRelation="and">
 				<ParentImage condition="image">\jre\bin\java.exe</ParentImage>
 				<Image condition="contains any">cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe</Image>
 				<!--Allow Confluence Rule to fire-->
 				<ParentImage condition="excludes">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=3,Alert=SQL Server Exploitation Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=3,Alert=SQL Server Exploitation Detected,Risk=100" groupRelation="and">
 				<ParentImage condition="contains any">sqlservr</ParentImage>
 				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;sh.exe;bash.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Generic Java keytool Exploit,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Generic Java keytool Exploit,Risk=100" groupRelation="and">
 				<ParentImage condition="image">keytool.exe</ParentImage>
 				<Image condition="contains any">cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,Level=4,Alert=Apache Spark Exploit,CVE=CVE-2022-33891,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Apache Spark Exploit,CVE=CVE-2022-33891,Risk=100" groupRelation="and">
 				<ParentImage condition="contains any">bash.exe;cmd.exe;powershell.exe;pwsh.exe</ParentImage>
 				<CommandLine condition="contains any">id -Gn `;id /Gn `;id -Gn ';id /Gn '</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<Rule name="Attack=T1133,Technique=External Remote Services,Tactic=Initial Access,Level=2,Alert=Screenconnect Remote Access,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1133,Technique=External Remote Services,Tactic=Initial Access,DS=Process: Process Creation,Level=2,Alert=Screenconnect Remote Access,Risk=50" groupRelation="and">
 				<CommandLine condition="contains all">e=Access&amp;;y=Guest&amp;;&amp;p=;&amp;c=;&amp;k=</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
@@ -251,25 +252,25 @@
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
 			
 			<!--MITRE ATT&CK TACTIC: Execution-->
-			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,Level=3,Alert=WMI Execution Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=WMI Execution Detected,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
 				<CommandLine condition="contains all">process;call;create</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,Level=3,Alert=Suspicious WMIC Commands,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious WMIC Commands,Risk=30" groupRelation="and">
 				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
 				<CommandLine condition="contains any">call set priority;call terminate;product get name;bios, get serialNumber;BIOS GET SERIALNUMBER;onboarddevice get;useraccount where name;useraccount get;path win32_networkadapter where index=;process list;useraccount get /ALL;useraccount list;qfe get description,installedOn /format:csv;process get caption,executablepath,commandline;service get name,displayname,pathname,startmode;share list;win32_share</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
-			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=Suspicious Console Host Execution Locations,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Console Host Execution Locations,Risk=30" groupRelation="and">
 				<ParentImage condition="contains any">C:\Users\;$Recycle;\Temp\;\Downloads\</ParentImage>
 				<CommandLine condition="is">\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1</CommandLine>
 				<Image condition="image">conhost.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=Suspicious Console Host Parents,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Console Host Parents,Risk=30" groupRelation="and">
 				<ParentImage condition="contains any">svchost.exe;lsass.exe;services.exe;smss.exe;winlogon.exe;explorer.exe;dllhost.exe;rundll32.exe;regsvr32.exe;userinit.exe;winit.exe;spoolsv.exe;wermgr.exe;csrss.exe;ctfmon.exe;werfault.exe</ParentImage>
 				<Image condition="image">conhost.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=Suspicious Console Host children,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Console Host children,Risk=30" groupRelation="and">
 				<ParentImage condition="image">conhost.exe</ParentImage>
 				<Image condition="excludes any">:\Windows\splwow64.exe;:\Windows\System32\WerFault.exe;:\Windows\System32\conhost.exe</Image>
 			</Rule>
@@ -286,15 +287,15 @@
 				<CommandLine condition="excludes">mysql server</CommandLine>
 				<CommandLine condition="excludes">select-object displayversion,displayname</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,Level=3,Alert=Powershell ran from Scripting Utilities,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Powershell ran from Scripting Utilities,Risk=50" groupRelation="and">
 				<ParentImage condition="contains any">cscript.exe;wscript.exe</ParentImage>
 				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,Level=3,Alert=Powershell ran from cscript or wscript,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Powershell ran from cscript or wscript,Risk=50" groupRelation="and">
 				<ParentImage condition="contains any">cscript.exe;wscript.exe</ParentImage>
 				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=4,Alert=Powershell Launched from mshta,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Powershell Launched from mshta,Risk=100" groupRelation="and">
 				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
 				<ParentImage condition="image">mshta.exe</ParentImage>
 			</Rule>
@@ -302,35 +303,35 @@
 				<Image condition="contains any">wscript.exe;cscript.exe</Image>
 				<CommandLine condition="excludes any">IEX;Net.WebClient;ospp.vbs;powershell;slmgr.vbs;spiceworks_upload</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=2,Alert=Suspicious wscript commands,Risk=60" groupRelation="and">
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Suspicious wscript commands,Risk=60" groupRelation="and">
 				<Image condition="image">wscript.exe</Image>
 				<CommandLine condition="contains">.jse</CommandLine>
 				<CommandLine condition="contains">.js</CommandLine>
 				<CommandLine condition="contains">.vba</CommandLine>
 				<CommandLine condition="contains">.vbe</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=Suspicious scripting to dll commands,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious scripting to dll commands,Risk=70" groupRelation="and">
 				<ParentImage condition="contains any">\wscript.exe;\cscript.exe</ParentImage>
 				<Image condition="contains any">\rundll32.exe;regsvr32.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=Suspicious rundll32 commands,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious rundll32 commands,Risk=70" groupRelation="and">
 				<Image condition="contains any">\rundll32.exe;regsvr32.exe</Image>
 				<CommandLine condition="excludes any">.dll;.cpl;.ocx;localserver;enable-speech-input;auto-scan-plugin;enable-media-stream;CastMediaRouteProvider;-eoim;/eoim</CommandLine><!--Already have localserver com detection-->
 				<CommandLine condition="excludes all">setupapi;InstallHinfSection;DefaultInstall;SplunkUniversalForwarder\bin\spl;rundll32.exe "C:\Windows\Installer\MSI</CommandLine>
 				<CommandLine condition="excludes all">\MSI;.tmp",zzzInvokeManagerCustomActionOutOfProc</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=2,Alert=cscript execution,Risk=60" groupRelation="and">
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=cscript execution,Risk=60" groupRelation="and">
 				<Image condition="image">cscript.exe</Image>
 				<CommandLine condition="contains">.js</CommandLine>
 				<CommandLine condition="contains">.jse</CommandLine>
 				<CommandLine condition="contains">.vba</CommandLine>
 				<CommandLine condition="contains">.vbe</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=4,Alert=Suspicious or Malicious mshta exec,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Suspicious or Malicious mshta exec,Risk=70" groupRelation="and">
 				<CommandLine condition="contains any">mshta vbscript:CreateObject("Wscript.Shell");mshta vbscript:Execute("Execute;mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe;javascript:a=</CommandLine>
 				<CommandLine condition="contains any">.jpg;.png;.lnk;.xls;.doc;.zip;.sct;.hta</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1059.003,Technique=Scripting,Tactic=Execution,Level=4,Alert=Possible WinNTI Malware,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1059.003,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Possible WinNTI Malware,Risk=100" groupRelation="and">
 				<ParentImage condition="contains any">C:\Windows\Temp\hpqhvind.exe;C:\ProgramData\DRM\;Test.exe</ParentImage>
 				<Image condition="contains any">C:\ProgramData\DRM;wmplayer.exe;C:\ProgramData\DRM\CLR\CLR.EXE</Image>
 			</Rule>
@@ -339,7 +340,7 @@
 				<ParentImage condition="image">explorer.exe</ParentImage>
 			</Rule>
 			<!-- Disabled for now
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Generic User Execution,Risk=1" groupRelation="and">
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Generic User Execution,Risk=1" groupRelation="and">
 				<ParentImage condition="image">explorer.exe</ParentImage>
 			</Rule>
 			-->
@@ -354,29 +355,29 @@
 				<CommandLine condition="excludes any">C:\Windows\system32\spool\DRIVERS</CommandLine>
 				<Company condition="excludes any">Brother Industries;Thomson Reuters</Company>
 			</Rule>
-			<ParentCommandLine name="Attack=T1059.001,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=4,Alert=Metasploit Detection,Risk=90" condition="contains">COMSPEC</ParentCommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=ScriptFile execution" condition="contains">ScriptFile</CommandLine>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\7z</CommandLine><!-- exec from 7zip -->
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\Temp1_</CommandLine><!-- exec from explorer -->
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">\AppData\Local\Temp\Rar$</CommandLine><!-- exec from winrar -->
+			<ParentCommandLine name="Attack=T1059.001,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Metasploit Detection,Risk=90" condition="contains">COMSPEC</ParentCommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=ScriptFile execution" condition="contains">ScriptFile</CommandLine>
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\7z</CommandLine><!-- exec from 7zip -->
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\Temp1_</CommandLine><!-- exec from explorer -->
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">\AppData\Local\Temp\Rar$</CommandLine><!-- exec from winrar -->
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
-			<Rule name="Attack=T1059.001,Technique=Scripting,Tactic=Execution,Level=3,Alert=Powershell Launched from users folder,Risk=60" groupRelation="and">
+			<Rule name="Attack=T1059.001,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Powershell Launched from users folder,Risk=60" groupRelation="and">
 				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
 				<ParentImage condition="begin with">C:\users\</ParentImage>
 				<ParentImage condition="excludes">Microsoft VS Code\Code.exe</ParentImage>
 				<ParentImage condition="excludes">\Deployment tool extract\setupodt.exe</ParentImage>
 			</Rule>
-			<CommandLine name="Attack=T1059.001,Technique=PowerShell,Tactic=Execution,Level=4,Alert=invoke-shellcode,Risk=100" condition="contains">Shellcode</CommandLine>
+			<CommandLine name="Attack=T1059.001,Technique=PowerShell,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=invoke-shellcode,Risk=100" condition="contains">Shellcode</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Python Execution,Tactic=Privilege Escalation" condition="image">python.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Python Execution,Tactic=Privilege Escalation" condition="image">python.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
-			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,Level=3,Alert=JAVA DLL exec" condition="contains">-agentpath:</CommandLine>
-			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,Level=3,Alert=JAVA DLL exec" condition="contains">-agentlib:</CommandLine>
+			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=JAVA DLL exec" condition="contains">-agentpath:</CommandLine>
+			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=JAVA DLL exec" condition="contains">-agentlib:</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
 			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Office Exploitation Detection,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Office Exploitation Detection,Risk=100" groupRelation="and">
 				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe</ParentImage>
 				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
 				<CommandLine condition="excludes all">.cmd;-</CommandLine>
@@ -409,37 +410,37 @@
 				<Product condition="excludes">Microsoft Teams</Product>
 				<Product condition="excludes">Zoom Video</Product>
 			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Adobe Exploitation Detection,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Adobe Exploitation Detection,Risk=80" groupRelation="and">
 				<ParentImage condition="contains any">acrobat.exe;acrord32.exe</ParentImage>
 				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office MSHTML Exploit,Risk=100,CVE=CVE-2021-40444" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Office MSHTML Exploit,Risk=100,CVE=CVE-2021-40444" groupRelation="and">
 				<ParentImage condition="contains any">winword.exe;powerpnt.exe;excel.exe</ParentImage>
 				<Image condition="image">control.exe</Image>
 				<CommandLine condition="excludes any">input.dll</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Follina msdt Exploit,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Follina msdt Exploit,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
 				<Image condition="image">msdt.exe</Image>
 				<OriginalFileName condition="is">msdt.exe</OriginalFileName>
 				<CommandLine condition="contains all">BrowseForFile=;PCWDiagnostic</CommandLine>
 				<CommandLine condition="contains any">/af;-af</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=msdt via answer file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=msdt via answer file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
 				<Image condition="image">msdt.exe</Image>
 				<ParentImage condition="is not">pcwrun.exe</ParentImage>
 				<CommandLine condition="contains">PCWDiagnostic</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=msdt via diagcab file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=msdt via diagcab file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
 				<Image condition="image">msdt.exe</Image>
 				<CommandLine condition="contains any">/cab;-cab</CommandLine>
 				<CommandLine condition="contains">.diagcab</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=MSDT Executed with Suspicious Parent,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=MSDT Executed with Suspicious Parent,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
 				<ParentImage condition="contains any">powershell.exe;pwsh.exe;cmd.exe;mshta.exe;cscript.exe;wscript.exe;wsl.exe;rundll32.exe;regsvr32.exe</ParentImage>
 				<Image condition="image">msdt.exe</Image>
 			</Rule>
-			<ParentImage condition="image" name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Exploit - Equation Editor starts application,CVE=CVE-2017-11882">EQNEDT32.EXE</ParentImage> <!-- https://app.any.run/tasks/dfea0112-6fbe-4091-9161-1e8f25f611b0/-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=EPS Processing 0day,Risk=100,CVE=CVE-2017-0261" groupRelation="and">
+			<ParentImage condition="image" name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Exploit - Equation Editor starts application,CVE=CVE-2017-11882">EQNEDT32.EXE</ParentImage> <!-- https://app.any.run/tasks/dfea0112-6fbe-4091-9161-1e8f25f611b0/-->
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=EPS Processing 0day,Risk=100,CVE=CVE-2017-0261" groupRelation="and">
 				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</ParentImage>
 				<Image condition="image">FLTLDR.EXE</Image>
 			</Rule>
@@ -447,26 +448,26 @@
 			<CommandLine name="Attack=T1559.002,Technique=Dynamic Data Exchange,Tactic=Execution" condition="contains any">/dde;-dde</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Native API-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,Level=2,Alert=Scheduled Task Created,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scheduled Task Created,Risk=100" groupRelation="and">
 				<Image condition="image">schtasks.exe</Image>
 				<CommandLine condition="contains any">/create;-create;/change;-change</CommandLine>
 				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
 			</Rule>
-			<OriginalFileName name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,Level=2,Alert=Scheduled Task Created,Risk=1" condition="is">taskeng.exe</OriginalFileName>
-			<Rule name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution,Level=0,Desc=Schtasks task Run,Risk=60" groupRelation="and">
+			<OriginalFileName name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scheduled Task Created,Risk=1" condition="is">taskeng.exe</OriginalFileName>
+			<Rule name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Schtasks task Run,Risk=60" groupRelation="and">
 				<Image condition="image">schtasks.exe</Image>
 				<CommandLine condition="contains any">/Run;-run</CommandLine>
 				<CommandLine condition="excludes">Sentinel\AutoRepair</CommandLine>
 				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
 			</Rule>
-			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Persistence,Level=2,Alert=Child process from schtasks" groupRelation="and">
+			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=Child process from schtasks" groupRelation="and">
 				<ParentImage condition="image">schtasks.exe</ParentImage>
 				<ParentCommandLine condition="excludes">schtasks /TN RtkAudUService64_BG</ParentCommandLine>
 				<ParentCommandLine condition="excludes any">-change;/change;-delete;/delete;-create;/create</ParentCommandLine>
 			</Rule>
-			<Image name="Attack=T1053.002,Technique=Scheduled Task/Job: At,Tactic=Persistence,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</Image>
-			<ParentImage name="Attack=T1053.002,Technique=Scheduled Task/Job: At,Tactic=Execution/Persistence/Privledge Escalation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</ParentImage>
-			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,Level=0,Desc=Scheduled Task Started,Risk=0" groupRelation="and">
+			<Image name="Attack=T1053.002,Technique=Scheduled Task/Job: At,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</Image>
+			<ParentImage name="Attack=T1053.002,Technique=Scheduled Task/Job: At,Tactic=Execution/Persistence/Privledge Escalation,DS=Process: Process Creation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</ParentImage>
+			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Scheduled Task Started,Risk=0" groupRelation="and">
 				<ParentImage condition="image">C:\Windows\System32\svchost.exe</ParentImage>
 				<ParentCommandLine condition="contains all">netsvcs;-p;-s;Schedule</ParentCommandLine>
 				<CommandLine condition="excludes all">netsvcs;-p;-s;Schedule</CommandLine>
@@ -474,130 +475,130 @@
 			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
 			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
 			<!--MITRE ATT&CK TECHNIQUE: System Services-->
-			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution,Level=0,Desc=Service Stop detected,Risk=0" groupRelation="and">
+			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Service Stop detected,Risk=0" groupRelation="and">
 				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
 				<CommandLine condition="contains">stop</CommandLine>
 				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
 			</Rule>
-			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution,Level=0,Desc=NET.EXE Service Start detected,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=NET.EXE Service Start detected,Risk=30" groupRelation="and">
 				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
 				<CommandLine condition="contains">start</CommandLine>
 				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
 			</Rule>
-			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=3,Alert=Impacket Detection 1,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Impacket Detection 1,Risk=100" groupRelation="and">
 				<ParentImage condition="contains any">wmiprvse.exe;mmc.exe;explorer.exe;services.exe</ParentImage>
 				<CommandLine condition="contains all">&#38;1;cmd.exe;\\127.0.0.1\;/Q /c</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=3,Alert=Impacket Detection 2,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Impacket Detection 2,Risk=100" groupRelation="and">
 				<ParentImage condition="contains any">wmiprvse.exe;mmc.exe;explorer.exe;services.exe</ParentImage>
 				<CommandLine condition="contains all">&#38;1;cmd.exe;\\127.0.0.1\;-Q -c</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PowerSploit/Empire Persistence,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PowerSploit/Empire Persistence,Risk=100" groupRelation="and">
 				<CommandLine condition="contains all">schtasks;Create;ONLOGON;TN;Updater;TR;powershell</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence/Privilege Escalation,Level=2,Alert=Service added via SC,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation,Level=2,Alert=Service added via SC,Risk=100" groupRelation="and">
 				<Image condition="image">sc.exe</Image>
 				<CommandLine condition="contains">create</CommandLine>
 				<CurrentDirectory condition="excludes any">\NIC_Emulex_Firmware\;C:\Windows\Temp\ExchangeSetup\</CurrentDirectory>
 			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence/Privilege Escalation,Level=2,Alert=Service binpath modification,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation,Level=2,Alert=Service binpath modification,Risk=100" groupRelation="and">
 				<Image condition="image">sc.exe</Image>
 				<CommandLine condition="contains all">config;binpath</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Privilege Escalation,Level=3,Alert=Shell as System Service,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Shell as System Service,Risk=100" groupRelation="and">
 				<Image condition="contains any">cmd.exe;powershell.exe</Image>
 				<ParentImage condition="image">services.exe</ParentImage>
 			</Rule>
-			<CommandLine name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence,Level=2,Alert=Service added via Powershell,Risk=50" condition="contains">new-service</CommandLine>
-			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSEXESVC Child Process,Risk=100" condition="image">psexesvc.exe</ParentImage>
-			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec Execution,Risk=100" groupRelation="or">
+			<CommandLine name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=Service added via Powershell,Risk=50" condition="contains">new-service</CommandLine>
+			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PSEXESVC Child Process,Risk=100" condition="image">psexesvc.exe</ParentImage>
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PSexec Execution,Risk=100" groupRelation="or">
 				<Description condition="contains">Execute processes remotely</Description>
 				<Image condition="contains">psexe</Image>
 				<Description condition="contains">PsExec Service</Description> 
 				<Description condition="contains">PsExec Launched</Description> 
 			</Rule>
-			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=Sysinternals Initial Tool Execution,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Sysinternals Initial Tool Execution,Risk=100" groupRelation="or">
 				<CommandLine condition="contains">accepteula</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec SYSTEM Execution,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PSexec SYSTEM Execution,Risk=100" groupRelation="and">
 				<Description condition="contains">Execute processes remotely</Description>
 				<CommandLine condition="contains any">-s;/s</CommandLine>
 			</Rule>
-			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=4,Alert=PSexec Child Process,Risk=100" condition="image">psexec.exe</ParentImage>
-			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,Level=2,Alert=PSKill Execution,Risk=100" condition="image">pskill.exe</ParentImage>
-			<Image name="Attack=T1035,Technique=Service Execution,Tactic=Execution,Level=2,Alert=PsKill Command" condition="contains">pskill</Image>
-			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,Level=3,Alert=Suspicious Network Service Child Processes,Risk=75" groupRelation="and">
+			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PSexec Child Process,Risk=100" condition="image">psexec.exe</ParentImage>
+			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=2,Alert=PSKill Execution,Risk=100" condition="image">pskill.exe</ParentImage>
+			<Image name="Attack=T1035,Technique=Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=PsKill Command" condition="contains">pskill</Image>
+			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Network Service Child Processes,Risk=75" groupRelation="and">
 				<ParentCommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k NetworkService -p</ParentCommandLine>
 			</Rule>
-			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,Level=3,Alert=Suspicious LanmanWorkstation Child Processes,Risk=75" groupRelation="and">
+			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious LanmanWorkstation Child Processes,Risk=75" groupRelation="and">
 				<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation</ParentCommandLine>
 			</Rule>
-			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,Level=3,Alert=Suspicious Network List Service Child Processes,Risk=75" groupRelation="and">
+			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Network List Service Child Processes,Risk=75" groupRelation="and">
 				<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k netprofm -p -s netprofm</ParentCommandLine>
 			</Rule>
-			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,Level=3,Alert=Remote Procedure Call Service Anomaly,Risk=75" groupRelation="and">
+			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Remote Procedure Call Service Anomaly,Risk=75" groupRelation="and">
 				<ParentCommandLine condition="contains all">C:\WINDOWS\system32\svchost.exe;RPCSS</ParentCommandLine>
 			</Rule>
-			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,Level=3,Alert=Remote Procedure Call Service Crash detected,Risk=75" groupRelation="and">
+			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Remote Procedure Call Service Crash detected,Risk=75" groupRelation="and">
 				<ParentCommandLine condition="contains all">C:\WINDOWS\system32\svchost.exe;RPCSS</ParentCommandLine>
 				<Image condition="image">werfault.exe</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=AstraRoth Command Line detection" groupRelation="and">
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=AstraRoth Command Line detection" groupRelation="and">
 				<CommandLine condition="contains">&amp;&amp; type</CommandLine>
 				<CommandLine condition="contains">&gt;</CommandLine>
 				<CommandLine condition="contains">cmd.exe" /c cd</CommandLine>
 			</Rule>
-			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=3,Alert=Suspicious or Malicious Command Line events" groupRelation="and">
+			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious or Malicious Command Line events" groupRelation="and">
 				<CommandLine condition="contains any">ntdsutil;/set {default} recoveryenabled no;telnet ;-dumpcr;putty;bash.exe;pssh;shareenum;sekurlsa;reg save;reg  save;psscan;shellexec;vbscript:createobject;/output:clipboard;root\\default;root\\subscription;Wmiclass;WmiCl'+'as'+'s</CommandLine>
 			</Rule>
-			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Powershell Suspicious or Malicious events" groupRelation="or">
+			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Powershell Suspicious or Malicious events" groupRelation="or">
 				<CommandLine condition="contains any">ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy</CommandLine>
 				<ParentCommandLine condition="contains any">ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy</ParentCommandLine>
 			</Rule>
-			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Ramnit Banker Malware,Risk=100" condition="contains">--disable-http2 --disable-quic</CommandLine>
-			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=DNSpionage Link click,Risk=100" condition="contains">/Client/Login?id=</CommandLine>
-			<ParentCommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=4,Alert=Emotet Child Process Detected" condition="contains">JABzA</ParentCommandLine>
-			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Malicious Hash Detected" groupRelation="or">
+			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Ramnit Banker Malware,Risk=100" condition="contains">--disable-http2 --disable-quic</CommandLine>
+			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=DNSpionage Link click,Risk=100" condition="contains">/Client/Login?id=</CommandLine>
+			<ParentCommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Emotet Child Process Detected" condition="contains">JABzA</ParentCommandLine>
+			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Malicious Hash Detected" groupRelation="or">
 				<Hashes condition="contains any">2f40abbb4f78e77745f0e657a19903fc953cc664;478dc5a5f934c62a9246f7d1fc275868f568bc07;37b4496e650b3994312c838435013560b3ca8571;37b4496e650b3994312c838435013560b3ca8571;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;807d86da63f0db1fc746d1f0b05bc357;849a2b0dc80aeca3d175c139efe5221c;86A4CAC227078B9C95C560C8F0370BF0;98908ce6f80ecc48628c8d2bf5b2a50c;a4b42c2c95d1f2ff12171a01c86cd64f;4abe604916c04fe3dd8b9cb3d501d3f;eac3e3ece94bc84e922ec077efb15edd;128CECC59C91C0D0574BC1075FE7CB40;88777aacd5f16599547926a4c9202862;0f49621b06f2cdaac8850c6e9581a594;17a36ac3e31f3a18936552aff2c80249;322cb39bc049aa69136925137906d855;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;3d129263f6a48647f103a04446fb0c2f;37cd353621b0f4fc6981b50071c94f01;1b60021baedc3f9201bcdb40e9b87f62;71345b139166482acaa568ac8816c7bc;5E022694C0DBD1FBBC263D608E577949;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc5733c013378fa418d13773f5bfe6f1;c579341f86f7e962719c7113943bb6e4;d326e629a90e78825645963b35e53a6a;5E022694C0DBD1FBBC263D608E577949;53841a0c6a3ff92976db08bfdf95e083;dc7e564809d6c2a2f3457c3c9b91f22b;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b;FE2CA1BE3BDA2A757036A89E54CC02DB;FE2CA1BE3BDA2A757036A89E54CC02DB</Hashes>
 			</Rule>
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=4,Alert=TajMahal APT Tool Detection,Risk=100" condition="contains any">22d142f11cf2a30ea4953e1fffb0fa7e;2317d65da4639f4246de200650a70753;27612cb03c89158225ca201721ea1aad;412956675fbc3f8c51f438c1abc100eb;daf2da52475fd8981b19ec3c321a983c;490a140093b5870a47edc29f33542fd2;51a7068640af42c3a7c1b94f1c11ab9d;533340c54bd25256873b3dca34d7f74e;684eca6b62d69ce899a3ec3bb04d0a5b;69a19abf5ba56ee07cdd3425b07cf8bf;6cfd131fef548fcd60fbcdb59317df8e;72dc98449b45a7f1ccdef27d51e31e91;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;80c37e062aa4c94697f287352acf2e9d;815f1f8a7bc1e6f94cb5c416e381a110;a43d3b31575846fa4c3992b4143a06da;08e82dc7bae524884b7dc2134942aadb;7bcd736a2394fc49f3e27b3987cce640;57314359df11ffdf476f809671ec0275;b72737b464e50aa3664321e8e001ff32;ce8ce92fb6565181572dce00d69c24f8;5985087678414143d33ffc6e8863b887;84730a6e426fbd3cf6b821c59674c8a0;d5377dc1821c935302c065ad8432c0d2;d8f1356bebda9e77f480a6a60eab36bb;92f8e3f0f1f7cc49fad797a62a169acd;9003cfaac523e94d5479dc6a10575e60;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;c1e7850da5604e081b9647b58248d7e8;99828721ac1a0e32e4582c3f615d6e57;f559c87b4a14a4be1bd84df6553aaf56;b9c208ea8115232bfd9ec2c62f32d6b8;061089d8cb0ca58e660ce2e433a689b3;0e9afd3a870906ebf34a0b66d8b07435;9c115e9a81d25f9d88e7aaa4313d9a8f;520ee02668a1c7b7c262708e12b1ba6b;7bfba2c69bed6b160261bdbf2b826401;77a745b07d9c453650dd7f683b02b3ed;3a771efb7ba2cd0df247ab570e1408b2;0969b2b399a8d4cd2d751824d0d842b4;fc53f2cd780cd3a01a4299b8445f8511;4e39620afca6f60bb30e031ddc5a4330;bfe3f6a79cad5b9c642bb56f8037c43b;3dfebce4703f30eed713d795b90538b5;9793afcea43110610757bd3b800de517;36db24006e2b492cafb75f2663f241b2;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;649ef1dd4a5411d3afcf108d57ff87af;320b2f1d9551b5d1df4fb19bd9ab253a;3d75c72144d873b3c1c4977fbafe9184;b9cf4301b7b186a75e82a04e87b30fe4;b4e67706103c3b8ee148394ebee3f268;7bfbd72441e1f2ed48fbc0f33be00f24;cdb303f61a47720c7a8c5086e6b2a743;2a6f7ec77ab6bd4297e7b15ae06e2e61;8403a28e0bffa9cc085e7b662d0d5412;3ffd2915d285ad748202469d4a04e1f5;04078ef95a70a04e95bda06cc7bec3fa;235d427f94630575a4ea4bff180ecf5d;8035a8a143765551ca7db4bc5efb5dfd;cacaa3bf3b2801956318251db5e90f3c;1aadf739782afcae6d1c3e4d1f315cbd;c3e255888211d74cc6e3fb66b69bbffb;d9e9f22988d43d73d79db6ee178d70a4;16ab79fb2fd92db0b1f38bedb2f02ed8;8da15a97eaf69ff7ee184fc446f19cf1;ffc7305cb24c1955f9625e525d58aeee;c0e72eb4c9f897410c795c1b360090ef;9ad6fa6fdedb2df8055b3d30bd6f64f1;44619a88a6cff63523163c6a4cf375dd;a571660c9cf1696a2f4689b2007a12c7;81229c1e272218eeda14892fa8425883;0ac48cfa2ff8351365e99c1d26e082ad;afcdf79be1557326c854b6e20cb900a7</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" condition="contains">a53a02b997935fd8eedcb5f7abab9b9f</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" condition="contains">e96a73c7bf33a464c510ede582318bf2</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
-			<Image name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=Emotet Execution Detected,Risk=100" condition="contains">serialfunc.exe</Image>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection" groupRelation="and">
+			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=4,Alert=TajMahal APT Tool Detection,Risk=100" condition="contains any">22d142f11cf2a30ea4953e1fffb0fa7e;2317d65da4639f4246de200650a70753;27612cb03c89158225ca201721ea1aad;412956675fbc3f8c51f438c1abc100eb;daf2da52475fd8981b19ec3c321a983c;490a140093b5870a47edc29f33542fd2;51a7068640af42c3a7c1b94f1c11ab9d;533340c54bd25256873b3dca34d7f74e;684eca6b62d69ce899a3ec3bb04d0a5b;69a19abf5ba56ee07cdd3425b07cf8bf;6cfd131fef548fcd60fbcdb59317df8e;72dc98449b45a7f1ccdef27d51e31e91;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;80c37e062aa4c94697f287352acf2e9d;815f1f8a7bc1e6f94cb5c416e381a110;a43d3b31575846fa4c3992b4143a06da;08e82dc7bae524884b7dc2134942aadb;7bcd736a2394fc49f3e27b3987cce640;57314359df11ffdf476f809671ec0275;b72737b464e50aa3664321e8e001ff32;ce8ce92fb6565181572dce00d69c24f8;5985087678414143d33ffc6e8863b887;84730a6e426fbd3cf6b821c59674c8a0;d5377dc1821c935302c065ad8432c0d2;d8f1356bebda9e77f480a6a60eab36bb;92f8e3f0f1f7cc49fad797a62a169acd;9003cfaac523e94d5479dc6a10575e60;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;c1e7850da5604e081b9647b58248d7e8;99828721ac1a0e32e4582c3f615d6e57;f559c87b4a14a4be1bd84df6553aaf56;b9c208ea8115232bfd9ec2c62f32d6b8;061089d8cb0ca58e660ce2e433a689b3;0e9afd3a870906ebf34a0b66d8b07435;9c115e9a81d25f9d88e7aaa4313d9a8f;520ee02668a1c7b7c262708e12b1ba6b;7bfba2c69bed6b160261bdbf2b826401;77a745b07d9c453650dd7f683b02b3ed;3a771efb7ba2cd0df247ab570e1408b2;0969b2b399a8d4cd2d751824d0d842b4;fc53f2cd780cd3a01a4299b8445f8511;4e39620afca6f60bb30e031ddc5a4330;bfe3f6a79cad5b9c642bb56f8037c43b;3dfebce4703f30eed713d795b90538b5;9793afcea43110610757bd3b800de517;36db24006e2b492cafb75f2663f241b2;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;649ef1dd4a5411d3afcf108d57ff87af;320b2f1d9551b5d1df4fb19bd9ab253a;3d75c72144d873b3c1c4977fbafe9184;b9cf4301b7b186a75e82a04e87b30fe4;b4e67706103c3b8ee148394ebee3f268;7bfbd72441e1f2ed48fbc0f33be00f24;cdb303f61a47720c7a8c5086e6b2a743;2a6f7ec77ab6bd4297e7b15ae06e2e61;8403a28e0bffa9cc085e7b662d0d5412;3ffd2915d285ad748202469d4a04e1f5;04078ef95a70a04e95bda06cc7bec3fa;235d427f94630575a4ea4bff180ecf5d;8035a8a143765551ca7db4bc5efb5dfd;cacaa3bf3b2801956318251db5e90f3c;1aadf739782afcae6d1c3e4d1f315cbd;c3e255888211d74cc6e3fb66b69bbffb;d9e9f22988d43d73d79db6ee178d70a4;16ab79fb2fd92db0b1f38bedb2f02ed8;8da15a97eaf69ff7ee184fc446f19cf1;ffc7305cb24c1955f9625e525d58aeee;c0e72eb4c9f897410c795c1b360090ef;9ad6fa6fdedb2df8055b3d30bd6f64f1;44619a88a6cff63523163c6a4cf375dd;a571660c9cf1696a2f4689b2007a12c7;81229c1e272218eeda14892fa8425883;0ac48cfa2ff8351365e99c1d26e082ad;afcdf79be1557326c854b6e20cb900a7</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
+			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" condition="contains">a53a02b997935fd8eedcb5f7abab9b9f</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
+			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" condition="contains">e96a73c7bf33a464c510ede582318bf2</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
+			<Image name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Emotet Execution Detected,Risk=100" condition="contains">serialfunc.exe</Image>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Emotet Command Line detection" groupRelation="and">
 				<CommandLine condition="contains any">e PAA;en PAA;enc PAA;enco PAA;encode PAA;encoded PAA;encodedco PAA;encodedcom PAA;encodedcomm PAA;encodedcomma PAA;encodedcomman PAA;encodedcommand PAA;e IAA;en IAA;enc IAA;enco IAA;encode IAA;encoded IAA;encodedco IAA;encodedcom IAA;encodedcomm IAA;encodedcomma IAA;encodedcomman IAA;encodedcommand IAA;e JAB;en JAB;enc JAB;enco JAB;encode JAB;encoded JAB;encodedco JAB;encodedcom JAB;encodedcomm JAB;encodedcomma JAB;encodedcomman JAB;encodedcommand JAB;e cwBFAFQA;en cwBFAFQA;enc cwBFAFQA;enco cwBFAFQA;encode cwBFAFQA;encoded cwBFAFQA;encodedco cwBFAFQA;encodedcom cwBFAFQA;encodedcomm cwBFAFQA;encodedcomma cwBFAFQA;encodedcomman cwBFAFQA;encodedcommand cwBFAFQA;e SQBFAF;en SQBFAF;enc SQBFAF;enco SQBFAF;encode SQBFAF;encoded SQBFAF;encodedco SQBFAF;encodedcom SQBFAF;encodedcomm SQBFAF;encodedcomma SQBFAF;encodedcomman SQBFAF;encodedcommand SQBFAF;e UwBFAFQA;en UwBFAFQA;enc UwBFAFQA;enco UwBFAFQA;encode UwBFAFQA;encoded UwBFAFQA;encodedco UwBFAFQA;encodedcom UwBFAFQA;encodedcomm UwBFAFQA;encodedcomma UwBFAFQA;encodedcomman UwBFAFQA;encodedcommand UwBFAFQA;e IABpAE4AdgBPAEsAZQAt;en IABpAE4AdgBPAEsAZQAt;enc IABpAE4AdgBPAEsAZQAt;enco IABpAE4AdgBPAEsAZQAt;encode IABpAE4AdgBPAEsAZQAt;encoded IABpAE4AdgBPAEsAZQAt;encodedco IABpAE4AdgBPAEsAZQAt;encodedcom IABpAE4AdgBPAEsAZQAt;encodedcomm IABpAE4AdgBPAEsAZQAt;encodedcomma IABpAE4AdgBPAEsAZQAt;encodedcomman IABpAE4AdgBPAEsAZQAt;encodedcommand IABpAE4AdgBPAEsAZQAt;e SQBmACgAJAB;en SQBmACgAJAB;enc SQBmACgAJAB;enco SQBmACgAJAB;encode SQBmACgAJAB;encoded SQBmACgAJAB;encodedco SQBmACgAJAB;encodedcom SQBmACgAJAB;encodedcomm SQBmACgAJAB;encodedcomma SQBmACgAJAB;encodedcomman SQBmACgAJAB;encodedcommand SQBmACgAJAB;e J;en J;enc J;enco J;encode J;encoded J;encodedco J;encodedcom J;encodedcomm J;encodedcomma J;encodedcomman J;encodedcommand J;e SUVY;en SUVY;enc SUVY;enco SUVY;encode SUVY;encoded SUVY;encodedco SUVY;encodedcom SUVY;encodedcomm SUVY;encodedcomma SUVY;encodedcomman SUVY;encodedcommand SUVY;e aWV4;en aWV4;enc aWV4;enco aWV4;encode aWV4;encoded aWV4;encodedco aWV4;encodedcom aWV4;encodedcomm aWV4;encodedcomma aWV4;encodedcomman aWV4;encodedcommand aWV4;e dmFy;en dmFy;enc dmFy;enco dmFy;encode dmFy;encoded dmFy;encodedco dmFy;encodedcom dmFy;encodedcomm dmFy;encodedcomma dmFy;encodedcomman dmFy;encodedcommand dmFy;e dgBhA;en dgBhA;enc dgBhA;enco dgBhA;encode dgBhA;encoded dgBhA;encodedco dgBhA;encodedcom dgBhA;encodedcomm dgBhA;encodedcomma dgBhA;encodedcomman dgBhA;encodedcommand dgBhA;e R2V0;en R2V0;enc R2V0;enco R2V0;encode R2V0;encoded R2V0;encodedco R2V0;encodedcom R2V0;encodedcomm R2V0;encodedcomma R2V0;encodedcomman R2V0;encodedcommand R2V0;e IAAgAH;en IAAgAH;enc IAAgAH;enco IAAgAH;encode IAAgAH;encoded IAAgAH;encodedco IAAgAH;encodedcom IAAgAH;encodedcomm IAAgAH;encodedcomma IAAgAH;encodedcomman IAAgAH;encodedcommand IAAgAH;e TVq;en TVq;enc TVq;enco TVq;encode TVq;encoded TVq;encodedco TVq;encodedcom TVq;encodedcomm TVq;encodedcomma TVq;encodedcomman TVq;encodedcommand TVq;e aQBIA;en aQBIA;enc aQBIA;enco aQBIA;encode aQBIA;encoded aQBIA;encodedco aQBIA;encodedcom aQBIA;encodedcomm aQBIA;encodedcomma aQBIA;encodedcomman aQBIA;encodedcommand aQBIA;e UEs;en UEs;enc UEs;enco UEs;encode UEs;encoded UEs;encodedco UEs;encodedcom UEs;encodedcomm UEs;encodedcomma UEs;encodedcomman UEs;encodedcommand UEs;e H4s;en H4s;enc H4s;enco H4s;encode H4s;encoded H4s;encodedco H4s;encodedcom H4s;encodedcomm H4s;encodedcomma H4s;encodedcomman H4s;encodedcommand H4s;e dXNpbm;en dXNpbm;enc dXNpbm;enco dXNpbm;encode dXNpbm;encoded dXNpbm;encodedco dXNpbm;encodedcom dXNpbm;encodedcomm dXNpbm;encodedcomma dXNpbm;encodedcomman dXNpbm;encodedcommand dXNpbm;e cwBhA;en cwBhA;enc cwBhA;enco cwBhA;encode cwBhA;encoded cwBhA;encodedco cwBhA;encodedcom cwBhA;encodedcomm cwBhA;encodedcomma cwBhA;encodedcomman cwBhA;encodedcommand cwBhA;JABzA</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection 2" groupRelation="and">
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Emotet Command Line detection 2" groupRelation="and">
 				<CommandLine condition="contains all">FromBase64String</CommandLine>
 				<CommandLine condition="contains any">JAB;SUVY;aWV4;dmFy;dgBhA;R2V0;SQBFAF;TVq;aQBIA;UEs;H4s;dXNpbm;cwBhA</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection 3" groupRelation="and">
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Emotet Command Line detection 3" groupRelation="and">
 				<CommandLine condition="contains any">/v Word experienced;/v Excel experienced;-v Word experienced;-v Excel experienced</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Emotet Command Line detection 4" groupRelation="and">
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Emotet Command Line detection 4" groupRelation="and">
 				<CommandLine condition="contains any">JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ;QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA;kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA;IgAoACcAKgAnACkAOwAkA;IAKAAnACoAJwApADsAJA;iACgAJwAqACcAKQA7ACQA</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Obfuscated Emotet Command Line detection" groupRelation="and">
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Obfuscated Emotet Command Line detection" groupRelation="and">
 				<CommandLine condition="contains any">e^;^en^;^nc</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Suspicious Obfuscation Character" groupRelation="and">
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Suspicious Obfuscation Character" groupRelation="and">
 				<CommandLine condition="contains">^</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Suspicious Directory Traversal" groupRelation="and">
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Suspicious Directory Traversal" groupRelation="and">
 				<CommandLine condition="contains any">..\;\..</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Formbook detections" groupRelation="and">
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Formbook detections" groupRelation="and">
 				<CommandLine condition="contains any">\cmd.exe /c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe /c del "C:\Users\*\Desktop\*.exe;\cmd.exe -c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe -c del "C:\Users\*\Desktop\*.exe</CommandLine>
 			</Rule>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=QBot Process Creation,Risk=100" condition="contains any">ping.exe -n 6 127.0.0.1 &#38;ping.exe /n 6 127.0.0.1 &#38; type</CommandLine>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=Powershell RAW ping,Risk=100" condition="contains">System.Net.Networkinformation.ping</CommandLine>
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=QBot Process Creation,Risk=100" condition="contains any">ping.exe -n 6 127.0.0.1 &#38;ping.exe /n 6 127.0.0.1 &#38; type</CommandLine>
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Powershell RAW ping,Risk=100" condition="contains">System.Net.Networkinformation.ping</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
-			<Image name="Attack=T1158,Technique=Windows Management Instrumentation,Tactic=Execution,Level=0,Desc=Mofcomp execution or persistence,Risk=50" condition="image">mofcomp.exe</Image>
+			<Image name="Attack=T1158,Technique=Windows Management Instrumentation,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Mofcomp execution or persistence,Risk=50" condition="image">mofcomp.exe</Image>
 
 			<!--MITRE ATT&CK TACTIC: Persistence-->
 			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
-			<Rule name="Attack=T1098,Technique=Account Manipulation,Tactic=Credential Access/Persistence,Level=3,Alert=Account Manipulation,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1098,Technique=Account Manipulation,Tactic=Credential Access/Persistence,DS=Process: Process Creation,Level=3,Alert=Account Manipulation,Risk=80" groupRelation="and">
 				<Image condition="contains any">net.exe;net1.exe;net2.exe</Image>
 				<CommandLine condition="contains any">user;group;localgroup</CommandLine>
 				<CommandLine condition="contains any">remove;delete;active;del</CommandLine>
@@ -609,17 +610,17 @@
 			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
 			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
 			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
-			<Rule name="Attack=T1098,Technique=Create Account,Tactic=Persistence,Level=3,Alert=Account Created,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1098,Technique=Create Account,Tactic=Persistence,DS=Process: Process Creation,Level=3,Alert=Account Created,Risk=80" groupRelation="and">
 				<Image condition="contains any">net.exe;net1.exe;net2.exe</Image>
 				<CommandLine condition="contains">user</CommandLine>
 				<CommandLine condition="contains any">add</CommandLine>
 				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
 			</Rule>
 			<Image name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsmod,Risk=100" condition="image">dsmod.exe</Image>
-			<Image name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Level=3,Alert=Account Creation via command line,Alert=Account creation with dsadd,Risk=100" condition="image">dsadd.exe</Image>
+			<Image name="Attack=T1136,Technique=Create Account,Tactic=Persistence,DS=Process: Process Creation,Level=3,Alert=Account Creation via command line,Alert=Account creation with dsadd,Risk=100" condition="image">dsadd.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion/Execution,Level=0,Alert=SilentProcessExit Execution from werfault S-Flag,Risk=75" groupRelation="and">
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion/Execution,DS=Process: Process Creation,Level=0,Alert=SilentProcessExit Execution from werfault S-Flag,Risk=75" groupRelation="and">
 				<ParentImage condition="image">WerFault.exe</ParentImage>
 				<ParentCommandLine condition="contains any">-s;/s</ParentCommandLine>
 			</Rule>
@@ -635,36 +636,36 @@
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
 
 			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike GetSystem escalation Detected" groupRelation="and">
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,DS=Process: Process Creation,Level=4,Alert=Cobalt Strike GetSystem escalation Detected" groupRelation="and">
 				<Image condition="image">cmd.exe</Image>
 				<CommandLine condition="contains all">echo;\pipe\;&gt;</CommandLine>
 			</Rule>
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike PSexec dll copy detected" groupRelation="and">
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,DS=Process: Process Creation,Level=4,Alert=Cobalt Strike PSexec dll copy detected" groupRelation="and">
 				<Image condition="image">cmd.exe</Image>
 				<CommandLine condition="contains all">/c;copy;dll;\\;admin$</CommandLine>
 			</Rule>
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike Exec DLL Detected" groupRelation="and">
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,DS=Process: Process Creation,Level=4,Alert=Cobalt Strike Exec DLL Detected" groupRelation="and">
 				<Image condition="image">rundll32.exe</Image>
 				<CommandLine condition="contains all">,;StartW</CommandLine>
 			</Rule>
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike Susp activity 1" groupRelation="and">
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,DS=Process: Process Creation,Level=4,Alert=Cobalt Strike Susp activity 1" groupRelation="and">
 				<Image condition="image">rundll32.exe</Image>
 				<CommandLine condition="contains all">,;update;appdata;temp;/i:</CommandLine>
 			</Rule>
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,Level=4,Alert=Cobalt Strike Susp activity 2" groupRelation="and">
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,DS=Process: Process Creation,Level=4,Alert=Cobalt Strike Susp activity 2" groupRelation="and">
 				<Image condition="image">rundll32.exe</Image>
 				<CommandLine condition="contains all">,;update;appdata;temp;-i:</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,Level=3,Alert=CMSTPLUA UAC Bypass Child Processes" groupRelation="and">
+			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,DS=Process: Process Creation,Level=3,Alert=CMSTPLUA UAC Bypass Child Processes" groupRelation="and">
 				<ParentImage condition="image">dllhost.exe</ParentImage>
 				<ParentCommandLine condition="contains any">{3E5FC7F9-9A51-4367-9063-A120244FBEC7};{3E000D72-A845-4CD9-BD83-80C07C3B881F};{D2E7041B-2927-42fb-8E9F-7CE93B6DC937};{02B49784-1CA2-436C-BC08-72FA3956507D};{BEF590BE-11A6-442A-A85B-656C1081E04C}</ParentCommandLine>
 			</Rule>
-			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,Level=3,Alert=CMSTPLUA UAC Bypass" groupRelation="and">
+			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,DS=Process: Process Creation,Level=3,Alert=CMSTPLUA UAC Bypass" groupRelation="and">
 				<Image condition="image">dllhost.exe</Image>
 				<CommandLine condition="contains any">{3E5FC7F9-9A51-4367-9063-A120244FBEC7};{3E000D72-A845-4CD9-BD83-80C07C3B881F};{D2E7041B-2927-42fb-8E9F-7CE93B6DC937};{02B49784-1CA2-436C-BC08-72FA3956507D};{BEF590BE-11A6-442A-A85B-656C1081E04C}</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<Rule name="Attack=T1548,Technique=Abuse Elevation Control Mechanism,Tactic=Privilege Escalation,Level=3,Alert=Abused Debug priviledge by Arbitrary Parent Process,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1548,Technique=Abuse Elevation Control Mechanism,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Abused Debug priviledge by Arbitrary Parent Process,Risk=100" groupRelation="and">
 				<ParentImage condition="contains any">winlogon.exe;services.exe;lsass.exe;csrss.exe;wininit.exe;spoolsv.exe;searchindexer.exe</ParentImage>
 				<Image condition="contains any">powershell.exe;pwsh.exe;cmd.exe</Image>
 				<User condition="contains any">AUTHORI;AUTORI</User>
@@ -676,58 +677,58 @@
 				<Image condition="is not">c:\windows\system32\mmc.exe</Image>
 			</Rule>
 			<ParentImage name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation" condition="image">fodhelper.exe</ParentImage>
-			<Image name="Attack=T1118,Technique=InstallUtil,Tactic=Execution,Level=0,Desc=InstallUtil" condition="image">InstallUtil.exe</Image>
-			<CommandLine name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass" condition="contains">Invoke-PsUaCme</CommandLine>
-			<CommandLine name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass" condition="contains">BypassUAC</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Powerup Command Line events" condition="contains">PowerUp</CommandLine>
+			<Image name="Attack=T1118,Technique=InstallUtil,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=InstallUtil" condition="image">InstallUtil.exe</Image>
+			<CommandLine name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=UAC Bypass" condition="contains">Invoke-PsUaCme</CommandLine>
+			<CommandLine name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=UAC Bypass" condition="contains">BypassUAC</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Powerup Command Line events" condition="contains">PowerUp</CommandLine>
 			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">computerdefaults.exe</OriginalFileName>
 			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">dism.exe</OriginalFileName>
 			<ParentImage name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="image">fodhelper.exe</ParentImage>
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<Rule name="Attack=T1134.001,Technique=Access Token Manipulation: Token Impersonation/Theft,Tactic=Privilege Escalation,Risk=90,Level=3,Alert=Priv Escalation to System" groupRelation="and">
+			<Rule name="Attack=T1134.001,Technique=Access Token Manipulation: Token Impersonation/Theft,Tactic=Privilege Escalation,Risk=90,DS=Process: Process Creation,Level=3,Alert=Priv Escalation to System" groupRelation="and">
 				<ParentUser condition="contains any">NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</ParentUser>
 				<User condition="contains any">NT AUTHORITY\SYSTEM;СИСТЕМА;NT-AUTORITÄT\SYSTEM;AUTORITE NT\SYSTEM</User>
 			</Rule>
-			<ParentCommandLine name="Attack=T1134.001,Technique=Access Token Manipulation: Token Impersonation/Theft,Tactic=Privilege Escalation,Level=1,Desc=Possible Token manipulation" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine>
-			<Image name="Attack=T1134,Technique=Access Token Manipulation,Tactic=NA,Level=2,Alert=Token Manipulation with runas.exe,Risk=70" condition="image">runas.exe</Image> 
+			<ParentCommandLine name="Attack=T1134.001,Technique=Access Token Manipulation: Token Impersonation/Theft,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=1,Desc=Possible Token manipulation" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine>
+			<Image name="Attack=T1134,Technique=Access Token Manipulation,Tactic=NA,DS=Process: Process Creation,Level=2,Alert=Token Manipulation with runas.exe,Risk=70" condition="image">runas.exe</Image> 
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
 			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
 			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
 			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Execution,Level=4,Alert=Utilman Lock Screen Bypass,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Utilman Lock Screen Bypass,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">Cmd.Exe</OriginalFileName>
 				<ParentImage condition="image">winlogon.exe</ParentImage>
 				<Image condition="image">utilman.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Execution,Level=4,Alert=sethc.exe Lock Screen Bypass,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=sethc.exe Lock Screen Bypass,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">Cmd.Exe</OriginalFileName>
 				<ParentImage condition="image">winlogon.exe</ParentImage>
 				<Image condition="image">sethc.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,Level=4,Alert=Utilman Priv Escalation" groupRelation="and">
+			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=Utilman Priv Escalation" groupRelation="and">
 				<ParentImage condition="image">utilman.exe</ParentImage>
 				<Image condition="excludes any">C:\Windows\System32\ATBroker.exe;Magnify.exe;C:\Windows\System32\osk.exe</Image>
 			</Rule>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation,Level=0,Desc=SETHC Priv Escalation" condition="image">sethc.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation,DS=Process: Process Creation,Level=0,Desc=SETHC Priv Escalation" condition="image">sethc.exe</ParentImage>
 			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">osk.exe</ParentImage>
 			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Magnify.exe</ParentImage>
 			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">DisplaySwitch.exe</ParentImage>
 			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Narrator.exe</ParentImage>
 			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">AtBroker.exe</ParentImage>
 			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Application Shimming-->
-			<Image name="Attack=T1138,Technique=Application Shimming,Tactic=Persistence/Privilege Escalation,Level=3,Alert=Application Shimming" condition="image">sdbinst.exe</Image>
+			<Image name="Attack=T1138,Technique=Application Shimming,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Application Shimming" condition="image">sdbinst.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
-			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=Dwm Exploitation" groupRelation="and">
+			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=0,Desc=Dwm Exploitation" groupRelation="and">
 				<ParentImage condition="image">dwm.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=4,Alert=7zip Priv Escalation Detection,CVE=CVE-2022-29072" groupRelation="and">
+			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=7zip Priv Escalation Detection,CVE=CVE-2022-29072" groupRelation="and">
 				<Image condition="image">cmd.exe</Image>
 				<ParentImage condition="image">7zFM.exe</ParentImage>
 				<CommandLine condition="excludes any">;/c;-c</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=4,Alert=Possible InstallerFileTakeOver LPE,CVE=CVE-2021-41379" groupRelation="and">
+			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=Possible InstallerFileTakeOver LPE,CVE=CVE-2021-41379" groupRelation="and">
 				<Image condition="image">cmd.exe</Image>
 				<ParentImage condition="image">elevation_service.exe</ParentImage>
 				<IntegrityLevel condition="contains">System</IntegrityLevel>
@@ -739,8 +740,8 @@
 
 			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
 			<Image condition="contains">unknown process</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WSL Execution" condition="contains">\LocalState\rootfs\</Image>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WSL Execution" condition="contains">\LocalState\rootfs\</ParentImage>			
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=WSL Execution" condition="contains">\LocalState\rootfs\</Image>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=WSL Execution" condition="contains">\LocalState\rootfs\</ParentImage>			
 			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
@@ -750,7 +751,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
 			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
 			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<Rule name="Attack=T1484.001,Technique=Group Policy Modification,Tactic=Defense Evasion,Level=3,Alert=Auditpol System Audit Policy Change - Should be set via group policy instead" groupRelation="and">
+			<Rule name="Attack=T1484.001,Technique=Group Policy Modification,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Auditpol System Audit Policy Change - Should be set via group policy instead" groupRelation="and">
 				<OriginalFileName condition="contains">auditpol</OriginalFileName>
 				<CommandLine condition="contains any">/set;-set;/restore;-restore;/clear;-clear;/remove;-remove;/resourceSACL;-resourceSACL</CommandLine>
 			</Rule>
@@ -758,136 +759,136 @@
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
 			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
 			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
-			<Rule name="Attack=T1164.001,Technique=Hidden Files and Directories,Tactic=Defense Evasion,Level=3,Alert=Hidden/SuperHidden File or Folder created" groupRelation="and">
+			<Rule name="Attack=T1164.001,Technique=Hidden Files and Directories,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Hidden/SuperHidden File or Folder created" groupRelation="and">
 				<CommandLine condition="contains any">+s;+h</CommandLine>
 				<Image condition="image">attrib.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1164.001,Technique=Hidden Files and Directories,Tactic=Defense Evasion,Level=3,Alert=Powershell Hidden File or Folder created" groupRelation="and">
+			<Rule name="Attack=T1164.001,Technique=Hidden Files and Directories,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Powershell Hidden File or Folder created" groupRelation="and">
 				<CommandLine condition="contains all">Hidden;Attributes</CommandLine>
 				<Image condition="image">powershell.exe</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
-			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=3,Alert=Stealth Sysmon Change Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Stealth Sysmon Change Detected,Risk=100" groupRelation="and">
 				<Product condition="is">Sysinternals Sysmon</Product>
 				<CommandLine condition="contains any">/u;/c;-u;-c</CommandLine>
 				<CurrentDirectory condition="excludes">C:\ProgramdData\sysmon\</CurrentDirectory>
 			</Rule>
-			<Rule name="Attack=T1562.001,Technique=Disabling Security Tools,Tactic=Defense Evasion,Level=4,Alert=Windows Defender tampering,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1562.001,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Windows Defender tampering,Risk=50" groupRelation="and">
 				<Image condition="image">MpCmdRun.exe</Image>
 				<CommandLine condition="contains any">Add-MpPreference;RemoveDefinitions;DisableIOAVProtection</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools:  Disable Windows Event Logging-->
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonEnte Detection,Level=4,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=SysmonEnte Detection,DS=Process: Process Creation,Level=4,Risk=100" groupRelation="and">
 				<Hashes condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hashes>
 			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonQuiet Detection,Level=4,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=SysmonQuiet Detection,DS=Process: Process Creation,Level=4,Risk=100" groupRelation="and">
 				<Hashes condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hashes>
 			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SharpEvtMute Detection,Level=4,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=SharpEvtMute Detection,DS=Process: Process Creation,Level=4,Risk=100" groupRelation="and">
 				<Hashes condition="contains">IMPHASH=330768a4f172e10acb6287b87289d83b</Hashes>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
-			<Image condition="image" name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,Level=4,Alert=PSTools PSKill,Risk=80">PsKill.exe</Image>
-			<Rule name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,Level=4,Alert=Disabling of Windows Defender Features,Risk=100" groupRelation="and">
+			<Image condition="image" name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=PSTools PSKill,Risk=80">PsKill.exe</Image>
+			<Rule name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Disabling of Windows Defender Features,Risk=100" groupRelation="and">
 				<CommandLine condition="contains any">Set-MpPreference;Add-MpPreference;Remove-MpPreference;MpCmdRun.exe</CommandLine>
 				<CommandLine condition="contains any">RemoveDefinitions;RemoveDynamicSignature;DisableIOAVProtection;DisableRealTimeMonitoring;DisableBehaviorMonitoring;DisableBlockAtFirstSeen;DisableIOAVProtection;DisablePrivacyMode;DisableScriptScanning;DisableRealtimeMonitoring;DisableScanningNetworkFiles;DisableScanningMappedNetworkDrivesForFullScan;DisableRestorePoint;DisableRemovableDriveScanning;SignatureDisableUpdateOnStartupWithoutEngine;DisableIntrusionPreventionSystem;DisableScanOnRealtimeEnable;DisableArchiveScanning;DisableIntrusionPreventionSystem;DisableScriptScanning;DisableOnAccessProtection;ExclusionExtension;ExclusionPath;ExclusionProcess;ThreatDefaultAction;TamperProtection</CommandLine>
 			</Rule>
-			<CommandLine name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,Level=2,Alert=netsh ipv6 modification,Risk=40" condition="contains">interface ipv6 set</CommandLine>
-			<CommandLine name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,Level=2,Alert=netsh ipv4 modification,Risk=40" condition="contains">interface ipv4 set</CommandLine>
-			<Image name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,Level=0,Desc=Command Line task kill 2,Risk=30" condition="image">taskkill.exe</Image>
+			<CommandLine name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh ipv6 modification,Risk=40" condition="contains">interface ipv6 set</CommandLine>
+			<CommandLine name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh ipv4 modification,Risk=40" condition="contains">interface ipv4 set</CommandLine>
+			<Image name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Command Line task kill 2,Risk=30" condition="image">taskkill.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=3,Alert=netsh Firewall Rule Deletion,Risk=40" condition="contains">firewall delete</CommandLine> 
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=2,Alert=netsh Firewall Rule Creation,Risk=40" condition="contains">firewall add</CommandLine> 
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=4,Alert=netsh firewall disablement,Risk=40" condition="contains">firewall set opmode disable</CommandLine>
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=4,Alert=Possible Arp Spoofing attacks" condition="contains">Core Networking - Router Solicitation</CommandLine>
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,Level=0,Desc=Windows Firewall Modifications,Risk=40" condition="contains">netsh advfirewall firewall</CommandLine>
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=netsh Firewall Rule Deletion,Risk=40" condition="contains">firewall delete</CommandLine> 
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh Firewall Rule Creation,Risk=40" condition="contains">firewall add</CommandLine> 
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=netsh firewall disablement,Risk=40" condition="contains">firewall set opmode disable</CommandLine>
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Possible Arp Spoofing attacks" condition="contains">Core Networking - Router Solicitation</CommandLine>
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Windows Firewall Modifications,Risk=40" condition="contains">netsh advfirewall firewall</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
-			<Rule name="Attack=T1070.001,Technique=Clear Windows Event Logs,Tactic=Defense Evasion,Level=4,Alert=Eventlog Removal on Host,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1070.001,Technique=Clear Windows Event Logs,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Eventlog Removal on Host,Risk=100" groupRelation="and">
 				<Image condition="image">wevtutil.exe</Image>
 				<CommandLine condition="contains"> cl </CommandLine>
 				<CommandLine condition="excludes">wevtutil im</CommandLine>
 				<CommandLine condition="excludes">wevtutil.exe im</CommandLine>
 				<CurrentDirectory condition="excludes">ClickToRun</CurrentDirectory>
 			</Rule>
-			<Rule name="Attack=T1562.006,Technique=Indicator Blocking,Tactic=Defense Evasion,Level=3,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1562.006,Technique=Indicator Blocking,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Risk=50" groupRelation="and">
 				<OriginalFileName condition="is">fltMC.exe</OriginalFileName>
 				<CommandLine condition="contains any">detach;unload</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion,Level=4,Alert=IIS Log disablement,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=IIS Log disablement,Risk=80" groupRelation="and">
 				<OriginalFileName condition="is">appcmd.exe</OriginalFileName>
 				<CommandLine condition="contains all">DontLog;True</CommandLine>
 				<Image condition="excludes">iisetup.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=Usagelog Env Tampering,Risk=70" groupRelation="or">
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Usagelog Env Tampering,Risk=70" groupRelation="or">
 				<CommandLine condition="contains all">set;NGenAssemblyUsageLog</CommandLine>
 				<CommandLine condition="contains all">New-ItemProperty;NGenAssemblyUsageLog</CommandLine>
 				<CommandLine condition="contains all">reg;add;dword;NGenAssemblyUsageLog</CommandLine>
 				<CommandLine condition="contains all">$env;NGenAssemblyUsageLog</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=COMPlus_ETWEnabled Env Tampering,Risk=70" groupRelation="or">
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=COMPlus_ETWEnabled Env Tampering,Risk=70" groupRelation="or">
 				<CommandLine condition="contains all">set;COMPlus_ETWEnabled</CommandLine>
 				<CommandLine condition="contains all">New-ItemProperty;COMPlus_ETWEnabled</CommandLine>
 				<CommandLine condition="contains all">reg;add;dword;COMPlus_ETWEnabled</CommandLine>
 				<CommandLine condition="contains all">$env;COMPlus_ETWEnabled</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
-			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux exec,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux exec,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains any">bash.exe;wsl.exe;ubuntu.exe;kali.exe</OriginalFileName>
 				<CommandLine condition="contains any">-e;/e;-u root;--exec bash;dev/tcp</CommandLine>
 			</Rule>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</ParentImage>
 
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Bash on Windows Execution,Risk=30" condition="image">bash.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Bash on windows execution,Risk=30" condition="image">bash.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Indirect Command Execution with forfiles" condition="image">forfiles.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=0,Desc=Indirect command execution forfiles child process" condition="image">forfiles.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Bash on Windows Execution,Risk=30" condition="image">bash.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Bash on windows execution,Risk=30" condition="image">bash.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Indirect Command Execution with forfiles" condition="image">forfiles.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Indirect command execution forfiles child process" condition="image">forfiles.exe</ParentImage>
 			<Image name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">.com</Image>
-			<CommandLine name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,Level=2,Alert=Scriptrunner exec" condition="contains">-appvscript</CommandLine>
+			<CommandLine name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scriptrunner exec" condition="contains">-appvscript</CommandLine>
 
 			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=3,Alert=suspicious execution path,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=suspicious execution path,Risk=30" groupRelation="and">
 				<Image condition="contains any">C:\Users\NetworkService\;C:\Users\NetworkService\;HarddiskVolumeShadowCopy;C:\Users\Default\;C:\Users\Public;C:\Users\Guest\;\administrateur\;C:\Windows\Media\;C:\Windows\addins\;tsclient\;\htdocs\;\config\systemprofile\;C:\PerfLogs\;c:\windows\ServiceProfiles\;C:\Intel\Logs\;C:\Windows\repair\;C:\Windows\Help\;$Recycle;C:\Windows\Debug\;C:\Windows\Security\;C:\Windows\Fonts\;\wwwroot\;\Contacts;C:\Windows\vss\</Image>
 			</Rule>		
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
-			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg add hkcu\software\classes\</CommandLine>
-			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg.exe add hkcu\software\classes\</CommandLine> 
-			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Registry Activity,Risk=39" condition="begin with">C:\WINDOWS\system32\svchost.exe -k localService -s RemoteRegistry</ParentCommandLine>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Alternate Data Streams with Regedit" groupRelation="and">
+			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg add hkcu\software\classes\</CommandLine>
+			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg.exe add hkcu\software\classes\</CommandLine> 
+			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Remote Registry Activity,Risk=39" condition="begin with">C:\WINDOWS\system32\svchost.exe -k localService -s RemoteRegistry</ParentCommandLine>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Alternate Data Streams with Regedit" groupRelation="and">
 				<OriginalFileName condition="is">regedit.exe</OriginalFileName>
 				<CommandLine condition="contains">:</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=REG Registry Deletions" groupRelation="and">
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=REG Registry Deletions" groupRelation="and">
 				<Image condition="image">reg.exe</Image>
 				<CommandLine condition="contains">delete </CommandLine>
 			</Rule>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Regedit Registry Deletions" groupRelation="and">
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Regedit Registry Deletions" groupRelation="and">
 				<Image condition="image">regedit.exe</Image>
 				<CommandLine condition="contains any">/d;-d</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Powershell Registry Deletions" groupRelation="and">
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Powershell Registry Deletions" groupRelation="and">
 				<CommandLine condition="contains any">HKCU:;HKLM</CommandLine>
 				<CommandLine condition="contains">remove-item</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=0,Desc=Powershell Registry Modifications" groupRelation="and">
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Powershell Registry Modifications" groupRelation="and">
 				<CommandLine condition="contains any">HKCU:;HKLM</CommandLine>
 				<CommandLine condition="contains">set-item;new-item</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
 			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Suspicious Code Page Switch,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Suspicious Code Page Switch,Risk=50" groupRelation="and">
 				<Image condition="image">chcp.exe</Image>
 				<CommandLine condition="contains">936</CommandLine>
 				<CommandLine condition="contains">1256</CommandLine>
@@ -896,66 +897,66 @@
 				<CommandLine condition="contains">855</CommandLine>
 				<CommandLine condition="contains">866</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Encoded Command Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Powershell Encoded Command Detected,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
 				<CommandLine condition="contains any">-e ;-en;-enc;-enco;-encod;-encode;-encoded;-encodedc;-encodedco;-encodedcom;-encodedcomm;-encodedcomma;-encodedcomman;-encodedcommand;/e ;/en;/enc;/enco;/encod;/encode;/encoded;/encodedc;/encodedco;/encodedcom;/encodedcomm;/encodedcomma;/encodedcomman;/encodedcommand</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Hidden Command,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Powershell Hidden Command,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
 				<CommandLine condition="contains any">-w h;-wi h;-win h;-wind h;-windo h;-window h;-windows h;-windowst h;-windowsty h;-windowstyl h;-windowstyle h;/w h;/wi h;/win h;/wind h;/windo h;/window h;/windows h;/windowst h;/windowsty h;/windowstyl h;/windowstyle h</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Execution Policy Bypass,Risk=75" groupRelation="and">
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Powershell Execution Policy Bypass,Risk=75" groupRelation="and">
 				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
 				<CommandLine condition="contains any">-ex;/ex</CommandLine>
 				<CommandLine condition="contains">bypass</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Powershell non-interactive Command" groupRelation="and">
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Powershell non-interactive Command" groupRelation="and">
 				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
 				<CommandLine condition="contains any">-noni;/noni</CommandLine>
 				<CommandLine condition="excludes">Import-Module FileServerResourceManager</CommandLine>
 				<CurrentDirectory condition="excludes">C:\Program Files\LogicMonitor</CurrentDirectory>
 			</Rule>
-			<Rule name="Attack=T1027,Tactic=Defense Evasion,Technique=Obfuscated Files or Information,Level=4,Alert=Powershell Obfuscation Command,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1027,Tactic=Defense Evasion,Technique=Obfuscated Files or Information,DS=Process: Process Creation,Level=4,Alert=Powershell Obfuscation Command,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
 				<CommandLine condition="contains any">hextobin;iex;io.filestream;system.text;base64;system.io;io.file;IMAGE_SUBSYSTEM_WINDOWS_GUI;IMAGE_NT_OPTIONAL_HDR32;IMAGE_NT_OPTIONAL_HDR64;DllCharacteristicsType;GetDelegateForFunctionPointer;WriteProcessMemory;ReadProcessMemory;ImpersonateSelf;AdjustTokenPrivileges;NtCreateThreadEx;CreateRemoteThread;io.seek;iwr;-bxor;invoke-expression;remove.to.string;shellcode;System.Net.WebClient;System.Net.WebRequest;System.Net.SecurityProtocolType;unicode;-useb;msxml2.serverxmlhttp;wscript.shell;-comobject;frombase64;io.compression;system.convert;io.streamreader;io.memorystream;compression.gzipstream;text.encoding;executioncontext;text.enc;convertto-securestring;runtime.interop;verbosepreference;[[string]]::join</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Powershell Encoded Offsets,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Powershell Encoded Offsets,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
 				<CommandLine condition="contains any">SUVYI;aWV4I;SQBFAFgA;aQBlA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC;UwB0AGE</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Obfuscated Suspicious or Malicious Commands,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Obfuscated Suspicious or Malicious Commands,Risk=70" groupRelation="and">
 				<CommandLine condition="contains any">C^om^S^pEc;^c^o^m^S^p^E^c^;Wscript.Shell;-ComObject;MsXml2.ServerXmlHttp;Remove.ToString;System.Convert;-UseB;[Byte[];^h^t^t^p;h"t"t"p</CommandLine>
 			</Rule>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information with IwAjACMAd,Tactic=Defense Evasion,Level=4,Alert=Common Base 64 encoded cmds" condition="contains any">IwAjACMAd;IyM=;SUVYI;aWV4I;SQBFAFgA;aQBlAHgA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information with IwAjACMAd,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Common Base 64 encoded cmds" condition="contains any">IwAjACMAd;IyM=;SUVYI;aWV4I;SQBFAFgA;aQBlAHgA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC</CommandLine>
 			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Alert=Obfuscated Hidden Powershell,Risk=70" condition="contains any">WindowStyle Hidden function;WindowStyle Hidden;windowstyle h;windowstyl h;windowsty h;windowst h;windows h;window h;windo h;wind h;win h;wi h;-w h;/w h;win hi;win hid;win hidd;win hidde;win hidden</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=3,Alert=Command Line Obfuscation,Risk=75" condition="contains">^</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=0,Desc=Type CON Command Line Redirection" condition="contains">TYPE CON ></CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=0,Desc=Copy CON Command Line Redirection" condition="contains">copy CON ></CommandLine>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Common Obfuscated Commands,Risk=100" groupRelation="and">
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Command Line Obfuscation,Risk=75" condition="contains">^</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Type CON Command Line Redirection" condition="contains">TYPE CON ></CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Copy CON Command Line Redirection" condition="contains">copy CON ></CommandLine>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Common Obfuscated Commands,Risk=100" groupRelation="and">
 				<CommandLine condition="contains any">FromBase64String;action=create keyvalue=;VerbosePreference.ToString;SecureString;CSharpCodeProvider;runtime.interopservices.marshal;system.globalization.numberstyles;system.reflection.assembly;hextobin;VerbosePreference.ToString;system.text.encoding;io.filestream;io.filestream;io.seekorigin;text.encoding;unicode.getstring;FromBase64;[Convert]::;System.IO.File]::ReadAllText;|iex</CommandLine>
 				<CommandLine condition="excludes all">ngen.exe;install</CommandLine>
 			</Rule>
 
-			<Rule name="Attack=T1105,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=CertUtil Decode,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1105,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=CertUtil Decode,Risk=80" groupRelation="and">
 				<OriginalFileName condition="contains">certutil</OriginalFileName>
 				<CommandLine condition="contains any">decode;encode</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Ping in Hexadecimal,Risk=60" groupRelation="and">
-				<Image name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Ping in Hexadecimal" condition="image">ping.exe</Image>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Ping in Hexadecimal,Risk=60" groupRelation="and">
+				<Image name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Ping in Hexadecimal" condition="image">ping.exe</Image>
 				<CommandLine condition="contains">0x</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information: Compile After Delivery-->
-			<Rule name="Attack= T1127.001,Technique=Trusted Developer Utilities Proxy Execution ,Tactic=Defnse Evasion,Level=4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
+			<Rule name="Attack= T1127.001,Technique=Trusted Developer Utilities Proxy Execution ,Tactic=Defnse Evasion,DS=Process: Process Creation,Level=4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
 				<Image condition="image">csc.exe</Image>
 				<CommandLine condition="contains any">\AppData\;\Windows\Temp\</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,Level=3,Alert=Suspicious Parent of Csc.exe,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent of Csc.exe,Risk=80" groupRelation="and">
 				<Image condition="image">csc.exe</Image>
 				<ParentImage condition="image">wscript.exe</ParentImage>
 				<ParentImage condition="image">cscript.exe</ParentImage>
 				<ParentImage condition="image">mshta.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,Level=3,Alert=MOFComp compilation of .Mof File,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=MOFComp compilation of .Mof File,Risk=80" groupRelation="and">
 				<Image condition="image">mofcomp.exe</Image>
 				<CommandLine condition="contains">.mof</CommandLine>
 				<CurrentDirectory condition="excludes">C:\WINDOWS\Installer\MSI</CurrentDirectory>
@@ -963,122 +964,122 @@
 				<ParentImage condition="excludes">aspnet_regiis.exe</ParentImage>
 				<ParentImage condition="excludes">msiexec.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,Level=3,Alert=CSC Compilation,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=CSC Compilation,Risk=80" groupRelation="and">
 				<ParentImage condition="image">csc.exe</ParentImage>
 				<CommandLine condition="contains any">out:;target:library</CommandLine>
 			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Workflow Compiler https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb" condition="contains">Microsoft.Workflow.Compiler.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Workflow Compiler https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb" condition="contains">Microsoft.Workflow.Compiler.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
 			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
 			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of Autochk,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of Autochk,Risk=30" groupRelation="and">
 				<Image condition="image">autochk.exe</Image>
 				<ParentImage condition="excludes any">\smss.exe;\fontdrvhost.exe;\dwm.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of SMSS,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of SMSS,Risk=30" groupRelation="and">
 				<Image condition="contains any">\consent.exe;\Runtimebroker.exe;\TiWorker.exe</Image>
 				<ParentImage condition="excludes">\svchost.exe</ParentImage>
 				<ParentImage condition="is not">-</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of consent/runtimebroke/tiworker,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of consent/runtimebroke/tiworker,Risk=30" groupRelation="and">
 				<Image condition="contains any">\consent.exe;\Runtimebroker.exe;\TiWorker.exe</Image>
 				<ParentImage condition="excludes any">svchost.exe</ParentImage>
 				<ParentImage condition="is not">-</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of searchindexer,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of searchindexer,Risk=30" groupRelation="and">
 				<Image condition="image">SearchProtocolHost.exe</Image>
 				<ParentImage condition="excludes any">\SearchIndexer.exe;\dllhost.exe</ParentImage>
 				<ParentImage condition="is not">-</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of dllhost,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of dllhost,Risk=30" groupRelation="and">
 				<Image condition="image">dllhost.exe</Image>
 				<ParentImage condition="excludes any">\services.exe;\svchost.exe</ParentImage>
 				<ParentImage condition="is not">-</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of smss,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of smss,Risk=30" groupRelation="and">
 				<Image condition="image">smss.exe</Image>
 				<ParentImage condition="excludes">\smss.exe</ParentImage>
 				<ParentImage condition="is not">System</ParentImage>
 				<ParentImage condition="is not">-</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of csrss,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of csrss,Risk=30" groupRelation="and">
 				<Image condition="image">csrss.exe</Image>
 				<ParentImage condition="is not">-</ParentImage>
 				<ParentImage condition="excludes any">\smss.exe;svchost.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of wininit,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of wininit,Risk=30" groupRelation="and">
 				<Image condition="image">wininit.exe</Image>
 				<ParentImage condition="is not">-</ParentImage>
 				<ParentImage condition="excludes">\smss.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of winlogon,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of winlogon,Risk=30" groupRelation="and">
 				<Image condition="image">winlogon.exe</Image>
 				<ParentImage condition="excludes">\smss.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of lsass/LsaIso,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of lsass/LsaIso,Risk=30" groupRelation="and">
 				<Image condition="contains any">\lsass.exe;LsaIso.exe</Image>
 				<ParentImage condition="excludes">\wininit.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of LogonUI,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of LogonUI,Risk=30" groupRelation="and">
 				<Image condition="image">LogonUI.exe</Image>
 				<ParentImage condition="excludes any">\wininit.exe;\winlogon.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of services,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of services,Risk=30" groupRelation="and">
 				<Image condition="image">services.exe</Image>
 				<ParentImage condition="excludes">\wininit.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of svchost,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of svchost,Risk=30" groupRelation="and">
 				<Image condition="image">svchost.exe</Image>
 				<ParentImage condition="is not">-</ParentImage>
 				<ParentImage condition="excludes any">\MsMpEng.exe;\services.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of spoolsv,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of spoolsv,Risk=30" groupRelation="and">
 				<Image condition="image">spoolsv.exe</Image>
 				<ParentImage condition="excludes">\services.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of taskhost,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of taskhost,Risk=30" groupRelation="and">
 				<Image condition="image">taskhost.exe</Image>
 				<ParentImage condition="excludes any">\services.exe;\svchost.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of userinit,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of userinit,Risk=30" groupRelation="and">
 				<Image condition="image">userinit.exe</Image>
 				<ParentImage condition="excludes any">\dwm.exe;\winlogon.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Parent process of wmiprvse/wsmprovhost/winrshost,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of wmiprvse/wsmprovhost/winrshost,Risk=30" groupRelation="and">
 				<Image condition="contains any">\wmiprvse.exe;\wsmprovhost.exe;\winrshost.exe</Image>
 				<ParentImage condition="is not">-</ParentImage>
 				<ParentImage condition="excludes any">\svchost.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
 				<ParentImage condition="contains any">\SearchProtocolHost.exe;\taskhost.exe;\csrss.exe</ParentImage>
 				<Image condition="excludes any">\werfault.exe;\wermgr.exe;\WerFaultSecure.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
 				<ParentImage condition="image">autochk.exe</ParentImage>
 				<Image condition="excludes any">\chkdsk.exe;\doskey.exe;\WerFault.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of smss,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Child process of smss,Risk=30" groupRelation="and">
 				<ParentImage condition="image">smss.exe</ParentImage>
 				<Image condition="excludes any">\autochk.exe;\smss.exe;\csrss.exe;\wininit.exe;\winlogon.exe;\setupcl.exe;\WerFault.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of wermgr,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Child process of wermgr,Risk=30" groupRelation="and">
 				<ParentImage condition="image">wermgr.exe</ParentImage>
 				<Image condition="excludes any">\WerFaultSecure.exe;\wermgr.exe;\WerFault.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Possible wermgr injection,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Possible wermgr injection,Risk=30" groupRelation="and">
 				<Image condition="image">wermgr.exe</Image>
 				<CommandLine condition="end with">wermgr.exe</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Possible qbot injection,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Possible qbot injection,Risk=30" groupRelation="and">
 				<ParentImage condition="contains any">\rundll32.exe;\regsvr32.exe</ParentImage>
 				<Image condition="contains any">\explorer.exe;\wermgr.exe;\msra.exe</Image>
 				<CommandLine condition="end with">.exe</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,Level=3,Alert=Suspicious Child process of conhost,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Child process of conhost,Risk=30" groupRelation="and">
 				<ParentImage condition="image">conhost.exe</ParentImage>
 				<Image condition="excludes any">\mscorsvw.exe;\wermgr.exe;\WerFault.exe;\WerFaultSecure.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Powershell Injection Persistence Bypass - Execution - Lateral Movement - Tactic=Defense Evasion,Level=4,Alert=Powershell Injection persistence bypass,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Powershell Injection Persistence Bypass - Execution - Lateral Movement - Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Powershell Injection persistence bypass,Risk=50" groupRelation="and">
 				<CommandLine condition="contains">System.Management.Automation</CommandLine>
 				<CommandLine condition="excludes all">"C:\Windows\Microsoft.NET\Framework\;\ngen.exe;install</CommandLine>
 			</Rule>
@@ -1087,53 +1088,53 @@
 			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
 			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=InstallUtil 1" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=InstallUtil 1" groupRelation="and">
 				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
 				<CommandLine condition="contains all">/logfile=;/LogToConsole=false;/U</CommandLine>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=InstallUtil 2" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=InstallUtil 2" groupRelation="and">
 				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
 				<CommandLine condition="contains all">-logfile=;-LogToConsole=false;-U</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1218.013,Technique=Mavinject,Tactic=Execution,Level=3,Alert=Mavinject Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1218.013,Technique=Mavinject,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Mavinject Detected,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains any">Mavinject.exe;mavinject64.exe</OriginalFileName>
 				<CommandLine condition="contains">INJECTRUNNING</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 1,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=CMSTP UAC Bypass Detected 1,Risk=100" groupRelation="and">
 				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
 				<CommandLine condition="contains all">/ni;/s</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 2,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=CMSTP UAC Bypass Detected 2,Risk=100" groupRelation="and">
 				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
 				<CommandLine condition="contains all">/ns;/s</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 3,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=CMSTP UAC Bypass Detected 3,Risk=100" groupRelation="and">
 				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
 				<CommandLine condition="contains all">-ni;-s</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,Level=3,Alert=CMSTP UAC Bypass Detected 4,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=CMSTP UAC Bypass Detected 4,Risk=100" groupRelation="and">
 				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
 				<CommandLine condition="contains all">-ns;-s</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1218.002,Technique=Control Panel,Tactic=Execution,Level=3,Alert=Control_Rundll Detected,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1218.002,Technique=Control Panel,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Control_Rundll Detected,Risk=50" groupRelation="and">
 				<CommandLine condition="contains all">rundll32.exe;shell32.dll;_RunDLL</CommandLine>
 				<Image condition="is not">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1218.008,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=3,Alert=Odbcconf Signed Binary Proxy Execution,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1218.008,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Odbcconf Signed Binary Proxy Execution,Risk=50" groupRelation="and">
 				<Image condition="image">odbcconf.exe</Image>
 				<CommandLine condition="contains any">/S /A {REGSVR;-S -A {REGSVR</CommandLine>
 			</Rule>
-			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,Level=3,Alert=Script:http Detected,Risk=75" condition="contains">script:http</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,Level=3,Alert=Register-cimprovider exec,Risk=100" condition="contains">Register-cimprovider</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Script:http Detected,Risk=75" condition="contains">script:http</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Register-cimprovider exec,Risk=100" condition="contains">Register-cimprovider</CommandLine>
 			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">Scriptrunner.exe -appvscript</CommandLine>
 			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">bginfo</CommandLine>
 			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">cbd</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=runscripthelper LOLBAS,Risk=40" condition="contains">runscripthelper.exe surfacecheck</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=xwizard LOLBAS,Risk=40" condition="contains">xwizard RunWizard</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=PresentationHost exec,Risk=100" condition="contains">PresentationHost</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=VBoxDrvInst.exe exec,Risk=100" condition="contains">driver executeinf</CommandLine>
-			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains any">control.exe /name;control.exe -name</CommandLine>
-			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains">Control_RunDLL</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=runscripthelper LOLBAS,Risk=40" condition="contains">runscripthelper.exe surfacecheck</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=xwizard LOLBAS,Risk=40" condition="contains">xwizard RunWizard</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=PresentationHost exec,Risk=100" condition="contains">PresentationHost</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=VBoxDrvInst.exe exec,Risk=100" condition="contains">driver executeinf</CommandLine>
+			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains any">control.exe /name;control.exe -name</CommandLine>
+			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains">Control_RunDLL</CommandLine>
 			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="image">SyncAppvPublishingServer.exe</Image>
 			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">Scriptrunner.exe</OriginalFileName>
 			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">ATBroker.exe</OriginalFileName>
@@ -1150,7 +1151,7 @@
 			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">tttracer.exe</OriginalFileName>
 			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">verclsid.exe</OriginalFileName>
 			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">wab.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,Level=3,Alert=Register-cimprovider.exe,Risk=100" condition="contains">Register-cimprovider.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Register-cimprovider.exe,Risk=100" condition="contains">Register-cimprovider.exe</OriginalFileName>
 			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">csi.exe</ParentCommandLine>
 			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">devtoolslauncher.exe LaunchForDeploy</ParentCommandLine>
 			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">bginfo</ParentCommandLine>
@@ -1159,32 +1160,32 @@
 			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="image">wsreset.exe</ParentImage>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: CMSTP-->
 			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion" condition="contains any">cmstp.exe /ni /s;cmstp.exe -ni -s</CommandLine>
-			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=0,Desc=cmstp" condition="contains any">cmstp /ni /s;cmstp -ni -s</CommandLine>
+			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=cmstp" condition="contains any">cmstp /ni /s;cmstp -ni -s</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Mavinject-->
-			<Image name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,Level=3,Alert=Mavinject Process Injection" condition="image">Mavinject.exe</Image>
-			<CommandLine name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,Level=3,Alert=Mavinject Process Injection" condition="contains">INJECTRUNNING</CommandLine>
+			<Image name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Mavinject Process Injection" condition="image">Mavinject.exe</Image>
+			<CommandLine name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Mavinject Process Injection" condition="contains">INJECTRUNNING</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
-			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,Level=3,Alert=Potential rundll32.exe DllRegisterServer execution,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Potential rundll32.exe DllRegisterServer execution,Risk=70" groupRelation="and">
 				<Image condition="image">rundll32.exe</Image>
 				<CommandLine condition="contains">DllRegisterServer</CommandLine>
 				<CommandLine condition="excludes any">xapauthenticodesip.dll</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,Level=3,Alert=Suspicious Regsvr32 loading in Appdata temp" groupRelation="and">
+			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Regsvr32 loading in Appdata temp" groupRelation="and">
 				<Image condition="image">regsvr32.exe</Image> 
 				<CommandLine condition="contains all">C:\Users;Appdata;Temp</CommandLine> 
 			</Rule>
-			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Defense Evasion/Execution,Level=4,Alert=Suspicious Regsvr32 loading in Public User folder" groupRelation="and">
+			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Defense Evasion/Execution,DS=Process: Process Creation,Level=4,Alert=Suspicious Regsvr32 loading in Public User folder" groupRelation="and">
 				<Image condition="image">regsvr32.exe</Image> 
 				<CommandLine condition="contains all">C:\Users;Public</CommandLine> 
 			</Rule>
 			<Description name="Attack=T1117,Technique=Regsvr32,Tactic=Execution" condition="contains">Microsoft(C) Register Server</Description>
-			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=SyncAppvPublishingServer Applocker Bypass" condition="image">SyncAppvPublishingServer.exe</Image>
-			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=control panel execution" condition="image">control.exe</Image>
-			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=rasautou execution" condition="image">rasautou.exe</Image>
-			<CommandLine name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,Level=4,Alert=Control Panel Execution" condition="contains any">control.exe /name;control.exe -name</CommandLine>
-			<CommandLine name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,Level=4,Alert=Control Panel Execution" condition="contains">Control_RunDLL</CommandLine>
+			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=SyncAppvPublishingServer Applocker Bypass" condition="image">SyncAppvPublishingServer.exe</Image>
+			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=control panel execution" condition="image">control.exe</Image>
+			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=rasautou execution" condition="image">rasautou.exe</Image>
+			<CommandLine name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Control Panel Execution" condition="contains any">control.exe /name;control.exe -name</CommandLine>
+			<CommandLine name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Control Panel Execution" condition="contains">Control_RunDLL</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
-			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=0,Desc=Msiexec.exe DllRegisterServer execution,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Msiexec.exe DllRegisterServer execution,Risk=70" groupRelation="and">
 				<Image condition="image">msiexec.exe</Image>
 				<CommandLine condition="contains any">/y;-y</CommandLine>
 				<CommandLine condition="excludes">C:\Windows\SysWOW64\DartSock.dll</CommandLine>
@@ -1197,13 +1198,13 @@
 				<CommandLine condition="excludes">C:\Windows\SysWOW64\todgub7.dll</CommandLine>
 				<CommandLine condition="excludes">C:\Windows\SysWOW64\xarraydb.ocx</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion,Level=4,Alert=MSIExec Signed Binary Proxy Execution,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSIExec Signed Binary Proxy Execution,Risk=70" groupRelation="and">
 				<Image condition="image">msiexec.exe</Image>
 				<CommandLine condition="contains any">/i;-i</CommandLine>
 				<CommandLine condition="contains any">http</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Rundll32-->
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Rundll32 Suspicious call by Ordinal,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Rundll32 Suspicious call by Ordinal,Risk=80" groupRelation="and">
 				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
 				<CommandLine condition="contains all">,;#</CommandLine>
 				<CommandLine condition="excludes">C:\Windows\resources\themes\Aero\AeroLite.msstyles</CommandLine>
@@ -1213,125 +1214,125 @@
 				<CommandLine condition="excludes">PhotoViewer.dll</CommandLine>
 				<CurrentDirectory condition="excludes">\AppData\Local\WebEx\WebEx\</CurrentDirectory>
 			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=3,Alert=Rundll32 Single Threaded Apartment Switch - check for com hijacks,Risk=75" groupRelation="and">
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Rundll32 Single Threaded Apartment Switch - check for com hijacks,Risk=75" groupRelation="and">
 				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
 				<CommandLine condition="contains any">-sta;/sta</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=3,Alert=Rundll32 localserver Switch - check for com hijacks,Risk=75" groupRelation="and">
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Rundll32 localserver Switch - check for com hijacks,Risk=75" groupRelation="and">
 				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
 				<CommandLine condition="contains any">-localserver;/localserver</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious OpenAs_RunDLL,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious OpenAs_RunDLL,Risk=30" groupRelation="and">
 				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
 				<CommandLine condition="contains all">shell32.dll;OpenAs_RunDLL</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Executing Powershell,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Executing Powershell,Risk=70" groupRelation="and">
 				<ParentImage condition="image">RUNDLL32.EXE</ParentImage>
 				<OriginalFileName condition="contains">powershell</OriginalFileName>
 			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious OpenURL Commands" groupRelation="and">
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious OpenURL Commands" groupRelation="and">
 				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
 				<CommandLine condition="contains all">url.dll;OpenURL</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious FileProtocolHandler Commands" groupRelation="and">
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious FileProtocolHandler Commands" groupRelation="and">
 				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
 				<CommandLine condition="contains all">url.dll;FileProtocolHandler</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious RouteTheCall Commands" groupRelation="and">
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious RouteTheCall Commands" groupRelation="and">
 				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
 				<CommandLine condition="contains all">zipfldr.dll;RouteTheCall</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious Control_RunDLL Commands" groupRelation="and">
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious Control_RunDLL Commands" groupRelation="and">
 				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
 				<CommandLine condition="contains all">Shell32.dll;Control_RunDLL</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious javascript Commands" groupRelation="and">
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious javascript Commands" groupRelation="and">
 				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
 				<CommandLine condition="contains">javascript:</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=Suspicious RegisterXLL Commands" groupRelation="and">
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious RegisterXLL Commands" groupRelation="and">
 				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
 				<CommandLine condition="contains">RegisterXLL</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Suspicious Rundll32 loading in Public User folder" groupRelation="and">
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Suspicious Rundll32 loading in Public User folder" groupRelation="and">
 				<Image condition="image">rundll32.exe</Image> 
 				<CommandLine condition="contains all">C:\Users;Public</CommandLine>
 				<ParentCommandLine condition="excludes any">rdpinit.exe</ParentCommandLine> 
 				<ParentImage condition="excludes any">rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe</ParentImage> 
 			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Suspicious Rundll32 loading in Appdata Temp" groupRelation="and">
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Suspicious Rundll32 loading in Appdata Temp" groupRelation="and">
 				<Image condition="image">rundll32.exe</Image>
 				<CommandLine condition="contains all">C:\Users;Appdata;Temp</CommandLine>
 				<CommandLine condition="excludes any">ImageView_</CommandLine>
 				<ParentCommandLine condition="excludes any">rdpinit.exe</ParentCommandLine>
 				<ParentImage condition="excludes any">rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe</ParentImage>
 			</Rule>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">advpack.dll;LaunchINFSection</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">ieadvpack.dll;LaunchINFSection</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">syssetup.dll;SetupInfObjectInstallAction</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=0,Desc=LOLbin" condition="contains all">setupapi.dll;InstallHinfSection</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="contains all">advpack.dll;LaunchINFSection</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="contains all">ieadvpack.dll;LaunchINFSection</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="contains all">syssetup.dll;SetupInfObjectInstallAction</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="contains all">setupapi.dll;InstallHinfSection</CommandLine>
 			<CommandLine condition="contains">InstallHinfSection</CommandLine>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=infDefaultInstall" condition="image">infDefaultInstall.exe</Image>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=APT28 CHOPSTICK Detection,Risk=70" condition="contains">rundll32.exe "C:\Windows\twain_64.dll"</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Shdocvw exec via rundll32,Risk=70" condition="contains all">shdocvw.dll;OpenURL</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=Testing advpack exec,Risk=70" condition="contains all">advpack.dll;RegisterOCX</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass,Risk=100" condition="contains all">Zipfldr.dll;RouteTheCall</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass,Risk=100" condition="contains all">url.dll;FileProtocolHandler</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass technique FileProtocolHandler,Risk=100" condition="contains all">url.dll;FileProtocolHandler</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" condition="contains all">OpenURLA;file:</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" condition="contains all">OpenURL;file:</CommandLine>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=infDefaultInstall" condition="image">infDefaultInstall.exe</Image>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=APT28 CHOPSTICK Detection,Risk=70" condition="contains">rundll32.exe "C:\Windows\twain_64.dll"</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Shdocvw exec via rundll32,Risk=70" condition="contains all">shdocvw.dll;OpenURL</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Testing advpack exec,Risk=70" condition="contains all">advpack.dll;RegisterOCX</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass,Risk=100" condition="contains all">Zipfldr.dll;RouteTheCall</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass,Risk=100" condition="contains all">url.dll;FileProtocolHandler</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass technique FileProtocolHandler,Risk=100" condition="contains all">url.dll;FileProtocolHandler</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" condition="contains all">OpenURLA;file:</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" condition="contains all">OpenURL;file:</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MSHTA-->
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Defense Evasion,Level=4,Alert=Suspicious child processes of mshta,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Suspicious child processes of mshta,Risk=100" groupRelation="and">
 				<ParentImage condition="image">mshta.exe</ParentImage>
 				<Image condition="contains any">cmd.exe;powershell.exe;wscript.exe;cscript.exe;sh.exe;bash.exe;reg.exe;regsvr32.exe;bitsadmin</Image>
 			</Rule>
-			<Rule name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution,Risk=100" groupRelation="and">
 				<Image condition="image">mshta.exe</Image>
 			</Rule>
-			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution" condition="contains">RunHTMLApplication</CommandLine>
-			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution" condition="contains">mshtml</CommandLine>
-			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,Level=4,Alert=MSHTA Execution" condition="contains">vbscript:CreateObject</CommandLine>
+			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution" condition="contains">RunHTMLApplication</CommandLine>
+			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution" condition="contains">mshtml</CommandLine>
+			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution" condition="contains">vbscript:CreateObject</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Odbcconf-->
-			<Image name="Attack=T1218.008,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=3,Alert=Possible driver load with odbcconf,Risk=40" condition="image">odbcconf.exe</Image>
+			<Image name="Attack=T1218.008,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Possible driver load with odbcconf,Risk=40" condition="image">odbcconf.exe</Image>
 
 			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
-			<CommandLine name="Attack=T1216,Technique=System Script Proxy Execution,Tactic=Defense Evasion,Level=4,Alert=manage-bde.wsf exec,Risk=100" condition="contains">manage-bde.wsf</CommandLine>
+			<CommandLine name="Attack=T1216,Technique=System Script Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=manage-bde.wsf exec,Risk=100" condition="contains">manage-bde.wsf</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
 			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
 			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=Powershell Calling MSBuild" groupRelation="and">
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Powershell Calling MSBuild" groupRelation="and">
 				<ParentImage condition="contains any">powershell.exe;powershell_ise.exe</ParentImage>
 				<Image condition="image">msbuild.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild Calling RegAsm" groupRelation="and">
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSBuild Calling RegAsm" groupRelation="and">
 				<ParentImage condition="image">msbuild.exe</ParentImage>
 				<Image condition="image">regasm.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild Calling useinit" groupRelation="and">
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSBuild Calling useinit" groupRelation="and">
 				<ParentImage condition="image">msbuild.exe</ParentImage>
 				<Image condition="image">userinit.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild Building from xml - Silent Trinity" groupRelation="and">
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSBuild Building from xml - Silent Trinity" groupRelation="and">
 				<ParentImage condition="image">msbuild.exe</ParentImage>
 				<ParentCommandLine condition="contains">.xml</ParentCommandLine>
 			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=RegAsm Parent process" groupRelation="and">
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=RegAsm Parent process" groupRelation="and">
 				<ParentImage condition="image">regasm.exe</ParentImage>
 				<Image condition="excludes">\conhost.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,Level=4,Alert=MSBuild building from lnk file" groupRelation="and">
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSBuild building from lnk file" groupRelation="and">
 				<Image condition="image">msbuild.exe</Image>
 				<CommandLine condition="contains">.lnk</CommandLine>
 			</Rule>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=.csproj execution" condition="contains">.csproj</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=.csproj execution" condition="contains">.csproj</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
 			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
 			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
 			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
 			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
-			<Image name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,Level=4,Alert=XSL Script Processing" condition="image">msxsl.exe</Image>
-			<ParentImage name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,Level=4,Alert=XSL Script Processing" condition="image">msxsl.exe</ParentImage>
+			<Image name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,DS=Process: Process Creation,Level=4,Alert=XSL Script Processing" condition="image">msxsl.exe</Image>
+			<ParentImage name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,DS=Process: Process Creation,Level=4,Alert=XSL Script Processing" condition="image">msxsl.exe</ParentImage>
 			<!--MITRE ATT&CK TACTIC: Credential Access-->
 			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
 			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
@@ -1340,107 +1341,107 @@
 			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
 			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
 			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Hawkeye Keylogger Detected" condition="contains">/stext</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">keylog</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">keyscan_</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">Get-Keystrokes</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,Level=4,Alert=Possible Keylogger Detected" condition="contains">/scomma</CommandLine>
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Hawkeye Keylogger Detected" condition="contains">/stext</CommandLine>
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" condition="contains">keylog</CommandLine>
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" condition="contains">keyscan_</CommandLine>
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" condition="contains">Get-Keystrokes</CommandLine>
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" condition="contains">/scomma</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
 			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<Rule name="Attack=T1040,Technique=Network Sniffing,Tactic=Credential Access/Discovery,Level=4,Alert=Network Sniffing tool Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1040,Technique=Network Sniffing,Tactic=Credential Access/Discovery,DS=Process: Process Creation,Level=4,Alert=Network Sniffing tool Detected,Risk=100" groupRelation="and">
 				<CommandLine condition="contains">sniff</CommandLine>
 				<CommandLine condition="excludes">C:\Program Files\Adobe\</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1040,Technique=Network Sniffing,Tactic=Credential Access/Discovery,Level=4,Alert=PCAP Sniffing tool Detected,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1040,Technique=Network Sniffing,Tactic=Credential Access/Discovery,DS=Process: Process Creation,Level=4,Alert=PCAP Sniffing tool Detected,Risk=100" groupRelation="or">
 				<OriginalFileName condition="is any">tcpdump.exe;tcpdump.c;tshark.exe;tshark.c;windump.exe;windump.c;wireshark.c;wireshark.exe</OriginalFileName>
 				<CommandLine condition="contains any">windump;tshark;tcpdump;windump;wireshark</CommandLine>
 				<CommandLine condition="contains all">netsh;trace;start;capture=yes</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Access with vss shadow copy,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Access with vss shadow copy,Risk=100" groupRelation="and">
 				<Image condition="image">vssadmin.exe</Image>
 				<CommandLine condition="contains any">create;shadow</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential access with wmic shadow copy creation,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential access with wmic shadow copy creation,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
 				<CommandLine condition="contains all">shadowcopy;call;create</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential access with wmic esentutl,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential access with wmic esentutl,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
 				<CommandLine condition="contains all">call;create;esentutl;vss</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Powershell shadow copy creation,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Powershell shadow copy creation,Risk=100" groupRelation="and">
 				<CommandLine condition="contains all">win32_shadowcopy;create;clientaccessible</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Symlink to Shadowcopy,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Symlink to Shadowcopy,Risk=100" groupRelation="and">
 				<CommandLine condition="contains all">mklink;GLOBALROOT;Shadow</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Copy of NTDS.dit from vss shadow copy,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Copy of NTDS.dit from vss shadow copy,Risk=100" groupRelation="or">
 				<CommandLine condition="contains all">copy;NTDS\ntds.dit</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=ntdsutil credential dumping,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=ntdsutil credential dumping,Risk=100" groupRelation="or">
 				<Image condition="image">ntdsutil.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Copy of SYSTEM Registry from vss shadow copy,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Copy of SYSTEM Registry from vss shadow copy,Risk=100" groupRelation="or">
 				<CommandLine condition="contains all">copy;System32\config\SYSTEM</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Malicious Reg Save Credential Dumping,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Malicious Reg Save Credential Dumping,Risk=100" groupRelation="or">
 				<CommandLine condition="contains all">reg;save;HKLM</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" groupRelation="and">
 				<CommandLine condition="contains any">mimikatz;mimidrv;mimilove;mimilib;sekurlsa;lsadump;dumpcreds;privilege::;token::;logonpasswords;mimikittenz;mimiauth;::;kerberos::;misc::skeleton;privilege::debug;dpapi::cred;vault::cred;lsadump;misc::;Krbtgt;TOKEN::;invoke-mimi</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=3,Alert=Possible credential modification or disclosure with cmdkey,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=3,Alert=Possible credential modification or disclosure with cmdkey,Risk=30" groupRelation="and">
 				<OriginalFileName condition="contains">cmdkey</OriginalFileName>
 			</Rule>
-			<OriginalFileName name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=3,Alert=Credential Dumping Command rpcping,Risk=100" condition="is">rpcping.exe</OriginalFileName>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command nltest,Risk=100" condition="contains">nltest.exe</CommandLine>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Suspicious Cred Dumping Commands,Risk=60" groupRelation="and">
+			<OriginalFileName name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=3,Alert=Credential Dumping Command rpcping,Risk=100" condition="is">rpcping.exe</OriginalFileName>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command nltest,Risk=100" condition="contains">nltest.exe</CommandLine>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Suspicious Cred Dumping Commands,Risk=60" groupRelation="and">
 				<CommandLine condition="contains any">-ma lsass.exe;Do-Exfiltration;Powersploit;GPPPassword;gpprefdecrypt;gsecdump;hashdump;laZagne;ntds.dit;ppldump;pwdump;pwdumpx;secretsdump;/listcreds:;-listcreds:</CommandLine>
 			</Rule>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultCloseVault</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultEnumerateItem</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultFree</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultGetItem</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultOpenVault</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">Vaultcmd</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">vaultcli.dll</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from firefox" condition="contains">select * from moz_login</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping" condition="contains">Invoke-WinEnum</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Dumping Cached Credentials,Risk=100" condition="contains">System.Net.CredentialCache</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=VSS Shadow file Created" condition="contains">create shadow</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Dumping,Level=4,Alert=Credential Theft: netsh wlan password export in cleartext,Risk=100" condition="contains all">wlan;export;profile;key=clear</CommandLine>
-			<CommandLine name="Attack=T1003.006,Technique=Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command DCsync,Risk=100" condition="contains">dcsync</CommandLine>
-			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry" condition="contains any">HKCU /f password;HKCU -f password</CommandLine>
-			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry" condition="contains any">HKLM /f password;HKLM -f password</CommandLine>
-			<Image name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command nltest,Risk=60" condition="image">nltest.exe</Image>
-			<Image name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command" condition="image">ProcDump.exe</Image>
-			<OriginalFileName name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command" condition="contains">ProcDump</OriginalFileName>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultCloseVault</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultEnumerateItem</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultFree</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultGetItem</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultOpenVault</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">Vaultcmd</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">vaultcli.dll</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping from firefox" condition="contains">select * from moz_login</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping" condition="contains">Invoke-WinEnum</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Dumping Cached Credentials,Risk=100" condition="contains">System.Net.CredentialCache</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=0,Desc=VSS Shadow file Created" condition="contains">create shadow</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Dumping,DS=Process: Process Creation,Level=4,Alert=Credential Theft: netsh wlan password export in cleartext,Risk=100" condition="contains all">wlan;export;profile;key=clear</CommandLine>
+			<CommandLine name="Attack=T1003.006,Technique=Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command DCsync,Risk=100" condition="contains">dcsync</CommandLine>
+			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credentials in Registry" condition="contains any">HKCU /f password;HKCU -f password</CommandLine>
+			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credentials in Registry" condition="contains any">HKLM /f password;HKLM -f password</CommandLine>
+			<Image name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command nltest,Risk=60" condition="image">nltest.exe</Image>
+			<Image name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command" condition="image">ProcDump.exe</Image>
+			<OriginalFileName name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command" condition="contains">ProcDump</OriginalFileName>
 			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
 			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">asktgt;asktgs</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">createnetonly /program:;createnetonly -program:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">dump /service:krbtgt;dump -service:krbtgt</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">harvest /interval:;harvest -interval:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">renew /ticket:;renew -ticket:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">asreproast</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">impersonateuser:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">kerberoast</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">ptt /ticket:</CommandLine>
-			<Image name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=4,Alert=Kerberos Ticket Disclosure with klist,Risk=70" condition="image">klist.exe</Image>
-			<Image name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,Level=0,Desc=Kerberos Ticket Disclosure,Risk=30" condition="image">hh.exe</Image>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">asktgt;asktgs</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">createnetonly /program:;createnetonly -program:</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">dump /service:krbtgt;dump -service:krbtgt</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">harvest /interval:;harvest -interval:</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">renew /ticket:;renew -ticket:</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">asreproast</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">impersonateuser:</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">kerberoast</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">ptt /ticket:</CommandLine>
+			<Image name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Kerberos Ticket Disclosure with klist,Risk=70" condition="image">klist.exe</Image>
+			<Image name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=0,Desc=Kerberos Ticket Disclosure,Risk=30" condition="image">hh.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
 			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
-			<Rule name="Attack=T1552,Technique=Unsecured Credentials,Tactic=Credential Access,Level=3,Alert=Possible disclosure with IIS appcmd,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1552,Technique=Unsecured Credentials,Tactic=Credential Access,DS=Process: Process Creation,Level=3,Alert=Possible disclosure with IIS appcmd,Risk=100" groupRelation="and">
 				<OriginalFileName condition="is">appcmd.exe</OriginalFileName>
 				<CommandLine condition="contains all">list;text;password</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TACTIC: Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=2,Alert=User enumeration/Discovery,Risk=30" condition="image">quser.exe</Image>
-			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=2,Alert=User or Group Discovery,Risk=50" groupRelation="and">
+			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=User enumeration/Discovery,Risk=30" condition="image">quser.exe</Image>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=User or Group Discovery,Risk=50" groupRelation="and">
 				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
 				<CommandLine condition="contains any">group;localgroup; user</CommandLine>
 				<CommandLine condition="excludes">/domain</CommandLine>
@@ -1448,7 +1449,7 @@
 				<CommandLine condition="excludes">\users</CommandLine>
 				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
 			</Rule>
-			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=2,Alert=Domain User or Group Discovery,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=Domain User or Group Discovery,Risk=50" groupRelation="and">
 				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
 				<CommandLine condition="contains any">group;localgroup; user</CommandLine>
 				<CommandLine condition="contains any">/domain</CommandLine>
@@ -1456,7 +1457,7 @@
 				<CommandLine condition="excludes">\users</CommandLine>
 				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
 			</Rule>
-			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=4,Alert=Sharphound Discovery,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=4,Alert=Sharphound Discovery,Risk=100" groupRelation="or">
 				<CommandLine condition="contains any">sharphound;bloodhound;azurehound;CollectionMethod;encryptzip;randomizefilenames;dumpcomputerstatus</CommandLine>
 				<Company condition="contains any">sharphound;bloodhound</Company>
 				<Description condition="contains any">sharphound;bloodhound</Description>
@@ -1465,10 +1466,10 @@
 				<ParentImage condition="contains any">sharphound;bloodhound</ParentImage>
 				<Product condition="contains any">sharphound;bloodhound</Product>
 			</Rule>
-			<CommandLine name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=DSclient Discovery,Risk=70" condition="contains any">dscl . list /Groups;dscl . list -Groups</CommandLine>
-			<CommandLine name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=DSclient Discovery,Risk=70" condition="contains any">dscl . list /Users;dscl . list -Users</CommandLine>
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=DSQuery.EXE Discovery,Risk=70" condition="image">dsquery.exe</Image>
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=3,Alert=Query.EXE Discovery,Risk=30" condition="image">query.exe</Image>
+			<CommandLine name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=DSclient Discovery,Risk=70" condition="contains any">dscl . list /Groups;dscl . list -Groups</CommandLine>
+			<CommandLine name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=DSclient Discovery,Risk=70" condition="contains any">dscl . list /Users;dscl . list -Users</CommandLine>
+			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=DSQuery.EXE Discovery,Risk=70" condition="image">dsquery.exe</Image>
+			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Query.EXE Discovery,Risk=30" condition="image">query.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
@@ -1479,14 +1480,14 @@
 			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
 			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
-			<Image name="Attack=T1083,Technique=File and Directory Discovery,Tactic=Discovery,Level=0,Desc=directory structure disclosure,Risk=30" condition="end with">tree.com</Image>
+			<Image name="Attack=T1083,Technique=File and Directory Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=directory structure disclosure,Risk=30" condition="end with">tree.com</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
-			<Rule name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,Level=3,Alert=Auditpol System/GP Audit Policy Discovery" groupRelation="and">
+			<Rule name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Auditpol System/GP Audit Policy Discovery" groupRelation="and">
 				<OriginalFileName condition="contains">auditpol</OriginalFileName>
 				<CommandLine condition="contains any">/get;-get;/list;-list;/backup;-backup</CommandLine>
 			</Rule>
-			<Image name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,Level=3,Alert=Group Policy Discovery with GPResult" condition="contains any">gpresult.exe</Image>
-			<CommandLine name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,Level=3,Alert=Group Policy Discovery with Powershell" condition="contains any">get-gpo;get-gpresult;get-gpreg</CommandLine>
+			<Image name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Group Policy Discovery with GPResult" condition="contains any">gpresult.exe</Image>
+			<CommandLine name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Group Policy Discovery with Powershell" condition="contains any">get-gpo;get-gpresult;get-gpreg</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
@@ -1494,16 +1495,16 @@
 			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
-			<Image name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,Level=0,Desc=Process Discovery,Risk=0" condition="image">tasklist.exe</Image>
-			<Image name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,Level=3,Alert=Process Discovery,Risk=0" condition="image">qprocess.exe</Image>
+			<Image name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=Process Discovery,Risk=0" condition="image">tasklist.exe</Image>
+			<Image name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Process Discovery,Risk=0" condition="image">qprocess.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
-			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg query</CommandLine>
-			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg.exe query</CommandLine>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Driver Querying" condition="image">driverquery.exe</Image>
+			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg query</CommandLine>
+			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg.exe query</CommandLine>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Remote Driver Querying" condition="image">driverquery.exe</Image>
 
 			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
-			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,Level=2,Alert=Traceroute Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">tracert.exe</Image>
-			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,Level=2,Alert=Pathping Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">pathping.exe</Image>
+			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=Traceroute Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">tracert.exe</Image>
+			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=Pathping Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">pathping.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Software Discovery: Security Software Discovery-->
 			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,Alert=Sysmon Detection with driver altitude " groupRelation="or">
@@ -1558,70 +1559,70 @@
 				<OriginalFileName name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" condition="is">fltMC.exe</OriginalFileName>
 				<CommandLine name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" condition="contains">misc::mflt</CommandLine>
 			</Rule>
-			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,Level=3,Alert=AV Product detection via WMI,Risk=30" condition="contains">AntiVirusProduct</CommandLine>
-			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,Level=3,Alert=Security Settings via WMI,Risk=30" condition="contains">root\SecurityCenter2</CommandLine>
+			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=AV Product detection via WMI,Risk=30" condition="contains">AntiVirusProduct</CommandLine>
+			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Security Settings via WMI,Risk=30" condition="contains">root\SecurityCenter2</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
-			<Image name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,Level=2,Alert=System Information Discovery,Risk=30" condition="image">sysinfo.exe</Image>
-			<CommandLine name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,Level=2,Alert=System Information Discovery,Risk=30" condition="image">systeminfo</CommandLine>
+			<Image name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=System Information Discovery,Risk=30" condition="image">sysinfo.exe</Image>
+			<CommandLine name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=System Information Discovery,Risk=30" condition="image">systeminfo</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
-			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=Network Connection Discovery with netsh,Risk=60" groupRelation="and">
+			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=Network Connection Discovery with netsh,Risk=60" groupRelation="and">
 				<Image condition="image">netsh.exe</Image>
 				<CommandLine condition="contains any">get;list;show</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=Network Connection Changes with netsh,Risk=60" groupRelation="and">
+			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=Network Connection Changes with netsh,Risk=60" groupRelation="and">
 				<Image condition="image">netsh.exe</Image>
 				<CommandLine condition="excludes any">get;list;show</CommandLine>
 			</Rule>
-			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=ipconfig discovery,Risk=20" condition="image">ipconfig.exe</Image>
+			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=ipconfig discovery,Risk=20" condition="image">ipconfig.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
-			<Image name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=0,Desc=System Network Connections Discovery,Risk=0" condition="image">netstat.exe</Image>
-			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp -a</CommandLine> 
-			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp.exe -a</CommandLine> 
-			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp  -a</CommandLine>
+			<Image name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=System Network Connections Discovery,Risk=0" condition="image">netstat.exe</Image>
+			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp -a</CommandLine> 
+			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp.exe -a</CommandLine> 
+			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp  -a</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
-			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=Account Discovery,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=Account Discovery,Risk=50" groupRelation="and">
 				<Image condition="contains any">whoami.exe;whoami1.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=3,Alert=WMIC Account Discovery,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=WMIC Account Discovery,Risk=30" groupRelation="and">
 				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
 				<CommandLine condition="contains all">get;useraccount</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Level=0,Desc=DNS encryption enabled with netsh,Risk=40" groupRelation="and">
+			<Rule name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=DNS encryption enabled with netsh,Risk=40" groupRelation="and">
 				<Image condition="image">netsh.exe</Image>
 				<CommandLine condition="contains any">add;set</CommandLine>
 				<CommandLine condition="contains any">encryption;dohtemplate</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Level=0,Desc=Network Connection modifications with netsh,Risk=40" groupRelation="and">
+			<Rule name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=Network Connection modifications with netsh,Risk=40" groupRelation="and">
 				<Image condition="image">netsh.exe</Image>
 				<CommandLine condition="contains any">add;del;set</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Level=2,Alert=NBTStat DNS Lookup,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=NBTStat DNS Lookup,Risk=30" groupRelation="and">
 				<CommandLine condition="contains">nbtstat</CommandLine> 
 				<CommandLine condition="excludes">nessus</CommandLine> 
 			</Rule>
-			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=route.exe discovery,Risk=60" groupRelation="and">
+			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=route.exe discovery,Risk=60" groupRelation="and">
 				<Image condition="image">route.exe</Image>
 				<CommandLine condition="contains">print</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=Route Modification,Risk=40" groupRelation="and">
+			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=Route Modification,Risk=40" groupRelation="and">
 				<Image condition="image">route.exe</Image>
 				<CommandLine condition="contains any">ADD;DEL;CHANGE;-f</CommandLine>
 			</Rule>
-			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=User enumeration with qwinsta" condition="image">qwinsta.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=rwinsta" condition="image">rwinsta.exe</Image>
+			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=User enumeration with qwinsta" condition="image">qwinsta.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=rwinsta" condition="image">rwinsta.exe</Image>
 			
 			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
 
 			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Possible Lateral Movmt via Office Application,Risk=80" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Possible Lateral Movmt via Office Application,Risk=80" groupRelation="and">
 				<ParentImage condition="contains">Microsoft Office\root\Office</ParentImage>
 				<Image condition="excludes">Microsoft Office\root\Office</Image>
 				<ParentCommandLine condition="contains all">automation;Embedding</ParentCommandLine>
 			</Rule>
-			<Rule name="Attack=T1021.002,Tactic=Lateral Movement,Technique=SMB/Windows Admin Shares,Level=3,Alert=Command Ran over Admin Share" groupRelation="and">
+			<Rule name="Attack=T1021.002,Tactic=Lateral Movement,Technique=SMB/Windows Admin Shares,DS=Process: Process Creation,Level=3,Alert=Command Ran over Admin Share" groupRelation="and">
 				<CommandLine condition="contains">admin$</CommandLine>
 				<CommandLine condition="excludes any">davclnt.dll</CommandLine>
 				<ParentCommandLine condition="excludes any">WebClientGroup</ParentCommandLine>
@@ -1631,54 +1632,54 @@
 			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
 			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
 			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking: RDP Hijacking-->
-			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,Level=4,Alert=Remote Desktop Shadow Alert,Risk=100" condition="contains any">/shadow;-shadow</CommandLine>
-			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,Level=4,Alert=Remote Desktop Shadow with no Consent alert" condition="contains">noConsentPrompt</CommandLine>
+			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Remote Desktop Shadow Alert,Risk=100" condition="contains any">/shadow;-shadow</CommandLine>
+			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Remote Desktop Shadow with no Consent alert" condition="contains">noConsentPrompt</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
-			<Rule name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,Level=4,Alert=RDP Hijack Detected" groupRelation="and">
-				<ParentImage name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,Level=4,Alert=RDP Hijack Detected,Risk=100" condition="image">tscon.exe</ParentImage>
+			<Rule name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=RDP Hijack Detected" groupRelation="and">
+				<ParentImage name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=RDP Hijack Detected,Risk=100" condition="image">tscon.exe</ParentImage>
 				<CommandLine condition="contains">dest:rdp-tcp:</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=4,Alert=Powershell Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Powershell Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
 				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=4,Alert=Emotet Executed via WMI,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Emotet Executed via WMI,Risk=100" groupRelation="and">
 				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
 				<Image condition="contains">\Users\</Image>
 			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Network Detective System Scan Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Network Detective System Scan Detected,Risk=100" groupRelation="and">
 				<Image condition="contains">NetworkDetective</Image>
 				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Remote Tenable Malware Scan Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Remote Tenable Malware Scan Detected,Risk=100" groupRelation="and">
 				<Image condition="image">sc.exe</Image>
 				<CommandLine condition="contains">tenable</CommandLine>
 				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=CMD.exe Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=CMD.exe Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
 				<Image condition="image">cmd.exe</Image>
 				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
 				<CommandLine condition="excludes any">do_vbsUpload;Spiceworks</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=regsvr32.exe Executed via WMI,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=regsvr32.exe Executed via WMI,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">regsvr32.exe</OriginalFileName>
 				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=CMD Executed via WMI,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=CMD Executed via WMI,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">cmd.exe</OriginalFileName>
 				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=4,Alert=Powershell Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Powershell Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
 				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=RSAT Tool Launch,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=RSAT Tool Launch,Risk=100" groupRelation="and">
 				<CommandLine condition="contains">dsa.msc</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=HyperV Remote Management Tool Launch,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=HyperV Remote Management Tool Launch,Risk=100" groupRelation="and">
 				<CommandLine condition="contains">virtmgmt.msc</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Potential Malicious Remote WMI Execution Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Potential Malicious Remote WMI Execution Detected,Risk=100" groupRelation="and">
 				<ParentImage condition="image">wmiprvse.exe</ParentImage>
 				<Image condition="excludes">CompMgmtLauncher.exe</Image>
 				<Image condition="excludes">DismHost.exe</Image>
@@ -1690,7 +1691,7 @@
 				<Image condition="excludes">g2mupdate.exe</Image>
 				<Image condition="excludes">slack.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Suspicious Processes Spawned by WinRM,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Suspicious Processes Spawned by WinRM,Risk=100" groupRelation="and">
 				<ParentImage condition="image">wsmprovhost.exe</ParentImage>
 				<Image condition="image">cmd.exe</Image>
 				<Image condition="image">sh.exe</Image>
@@ -1707,66 +1708,66 @@
 				<Image condition="image">ping.exe</Image>
 				<Image condition="image">bitsadmin.exe</Image>
 			</Rule>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=Windows Remote Management Execution" condition="end with">winrm.cmd</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrs.exe</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrshost.exe</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=2,Alert=Waitfor.exe Execution bypass" condition="image">waitfor.exe</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</Image>
-			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrshost.exe</ParentImage>
-			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</ParentImage>
-			<Rule name="Attack=T1021.006,Technique=Remote WMIC/Execution,Tactic=Lateral Movement,Level=4,Alert=Potential Malicious Document Execution,Risk=90" groupRelation="and">
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Windows Remote Management Execution" condition="end with">winrm.cmd</Image>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrs.exe</Image>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrshost.exe</Image>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=2,Alert=Waitfor.exe Execution bypass" condition="image">waitfor.exe</Image>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</Image>
+			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrshost.exe</ParentImage>
+			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</ParentImage>
+			<Rule name="Attack=T1021.006,Technique=Remote WMIC/Execution,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Potential Malicious Document Execution,Risk=90" groupRelation="and">
 				<ParentImage condition="image">wmiprvse.exe</ParentImage>
 				<Image condition="image">mshta.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Secure Shell Execution,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Secure Shell Execution,Risk=80" groupRelation="and">
 				<Image condition="contains any">ssh.exe;putty.exe;kitty.exe;kitty_portable.exe</Image>
 			</Rule>
-			<Product name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Putty utility detected,Risk=60">PuTTY suite</Product>
-			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Secure Shell FTP Execution,Risk=80" groupRelation="and">
+			<Product name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Putty utility detected,Risk=60">PuTTY suite</Product>
+			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Secure Shell FTP Execution,Risk=80" groupRelation="and">
 				<Image condition="contains any">sftp;psftp</Image>
 			</Rule>
-			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Possible SMBExec via Metasploit,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Possible SMBExec via Metasploit,Risk=100" groupRelation="and">
 				<CommandLine condition="is">rundll32.exe</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Trickbot,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Trickbot,Risk=100" groupRelation="and">
 				<Image condition="image">rundll32.exe</Image>
 				<CommandLine condition="contains all">..\;,</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Trickbot 2,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Trickbot 2,Risk=100" groupRelation="and">
 				<Image condition="image">rundll32.exe</Image>
 				<CommandLine condition="contains all">,StartW</CommandLine>
 			</Rule>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Sysinternals PSService" condition="contains">psservice</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=4,Alert=Sysinternals PsPasswd" condition="contains">PsPasswd</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Desktop" condition="image">mstsc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
-			<CommandLine name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=IIS powershellcustomhost exec" condition="contains">powershellcustomhost</CommandLine>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Sysinternals PSService" condition="contains">psservice</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Sysinternals PsPasswd" condition="contains">PsPasswd</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Remote Desktop" condition="image">mstsc.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
+			<CommandLine name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=IIS powershellcustomhost exec" condition="contains">powershellcustomhost</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Remote Services: Distributed Component Object Model-->
 			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement" groupRelation="and">
 				<ParentCommandLine condition="contains">-Embedding</ParentCommandLine>
 				<ParentImage condition="is">c:\windows\system32\mmc.exe</ParentImage>
 			</Rule>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=4,Alert=CrackmapExec - Malicious Command Line events,Tactic=Privilege Escalation" condition="contains all">--execm;atexec</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Background Intelligent Transfer Control Class 1.0" condition="contains">{4991d34b-80a1-4291-83b6-3328366b9097}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Excel.Application" condition="contains">{00020812-0000-0000-C000-000000000046}</CommandLine> 	  
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: HTML Application" condition="contains">{40AEEAB6-8FDA-41e3-9A5F-8350D4CFCA91}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: MMC20.APPLICATION" condition="contains">{7e0423cd-1119-0928-900c-e6d4a52a0715}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Outlook.Application" condition="contains">{0006F04A-0000-0000-C000-000000000046}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Powerpoint.Application" condition="contains">{048EB43E-2059-422F-95E0-557DA96038AF}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Shell.Application" condition="contains">{13709620-C279-11CE-A49E-444553540000}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: ShellBrowserWindow" condition="contains">{c08afd90-f2a1-11d1-8455-00a0c91f3880}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: ShellWindows" condition="contains">9BA05972-F6A8-11CF-A442-00A0C90A8F39</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Visio.Application" condition="contains">{00021A20-0000-0000-C000-000000000046}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: WScript.Shell" condition="contains">{72C24DD5-D70A-438B-8A42-98424B88AFB8}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM: Word.Application" condition="contains">{00020906-0000-0000-C000-000000000046}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Execution - Suspicious Cmdline - JScript Engine CLSID">{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Execution - Unusual Scripting Engine in use - chakra.dll">{1b7cd997-e5ff-4932-a7a6-2a9e636da385}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Execution - Unusual Scripting Engine in use - jscript9.dll">{16d51579-a30b-4c8b-a276-0ff4dc41e755}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" condition="contains any">rundll32.exe -sta;rundll32.exe /sta;rundll32 -sta;rundll32 /sta</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" condition="contains all">shell32.dll;SHCreateLocalServerRunDll</CommandLine>
-			<ParentCommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,Level=0,Desc=DCOM Launch" condition="contains any">-k DcomLaunch;/k DcomLaunch</ParentCommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=CrackmapExec - Malicious Command Line events,Tactic=Privilege Escalation" condition="contains all">--execm;atexec</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Background Intelligent Transfer Control Class 1.0" condition="contains">{4991d34b-80a1-4291-83b6-3328366b9097}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Excel.Application" condition="contains">{00020812-0000-0000-C000-000000000046}</CommandLine> 	  
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: HTML Application" condition="contains">{40AEEAB6-8FDA-41e3-9A5F-8350D4CFCA91}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: MMC20.APPLICATION" condition="contains">{7e0423cd-1119-0928-900c-e6d4a52a0715}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Outlook.Application" condition="contains">{0006F04A-0000-0000-C000-000000000046}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Powerpoint.Application" condition="contains">{048EB43E-2059-422F-95E0-557DA96038AF}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Shell.Application" condition="contains">{13709620-C279-11CE-A49E-444553540000}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: ShellBrowserWindow" condition="contains">{c08afd90-f2a1-11d1-8455-00a0c91f3880}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: ShellWindows" condition="contains">9BA05972-F6A8-11CF-A442-00A0C90A8F39</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Visio.Application" condition="contains">{00021A20-0000-0000-C000-000000000046}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: WScript.Shell" condition="contains">{72C24DD5-D70A-438B-8A42-98424B88AFB8}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Word.Application" condition="contains">{00020906-0000-0000-C000-000000000046}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Execution - Suspicious Cmdline - JScript Engine CLSID">{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Execution - Unusual Scripting Engine in use - chakra.dll">{1b7cd997-e5ff-4932-a7a6-2a9e636da385}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Execution - Unusual Scripting Engine in use - jscript9.dll">{16d51579-a30b-4c8b-a276-0ff4dc41e755}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" condition="contains any">rundll32.exe -sta;rundll32.exe /sta;rundll32 -sta;rundll32 /sta</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" condition="contains all">shell32.dll;SHCreateLocalServerRunDll</CommandLine>
+			<ParentCommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM Launch" condition="contains any">-k DcomLaunch;/k DcomLaunch</ParentCommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
 			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
 			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
@@ -1775,18 +1776,18 @@
 			<!--MITRE ATT&CK TACTIC: Collection-->
 			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
 			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
-			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,Level=4,Alert=Dark Halo Protected zip file creation,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Dark Halo Protected zip file creation,Risk=100" groupRelation="and">
 				<Image condition="image">7z.exe</Image>
 				<CommandLine condition="contains any">a -mx9 -r0 -p;a -v500m -mx9 -r0 -p</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
-			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">WindowsAudioDevice-Powershell-Cmdlet</CommandLine>
-			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">SoundRecorder.exe</CommandLine>
+			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">WindowsAudioDevice-Powershell-Cmdlet</CommandLine>
+			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">SoundRecorder.exe</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
 			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
 			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
-			<Image name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,Level=3,Alert=Data injected into clipboard,Risk=30" condition="image">clip.exe</Image>
-			<CommandLine name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,Level=3,Alert=Data pulled from clipboard,Risk=40" condition="contains">get-clipboard</CommandLine>
+			<Image name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,DS=Process: Process Creation,Level=3,Alert=Data injected into clipboard,Risk=30" condition="image">clip.exe</Image>
+			<CommandLine name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,DS=Process: Process Creation,Level=3,Alert=Data pulled from clipboard,Risk=40" condition="contains">get-clipboard</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
 			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
 			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
@@ -1795,34 +1796,34 @@
 			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
 			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
 			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
-			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Possible Email Collection/Exfiltration,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Possible Email Collection/Exfiltration,Risk=70" groupRelation="and">
 				<CommandLine condition="contains">New-MailboxExportRequest</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
 			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">screencapture</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.drawing.Imaging</CommandLine>			
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.drawing.bitmap</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.windows.forms.screen</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">screencapture</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.drawing.Imaging</CommandLine>			
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.drawing.bitmap</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.windows.forms.screen</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
 			<!--MITRE ATT&CK TACTIC: Command and Control-->
 			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
 			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
 			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=base64 encoded URL https or http offset,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=base64 encoded URL https or http offset,Risk=80" groupRelation="and">
 				<CommandLine condition="contains any">odHRwczovL;aHR0cDovL;h0dHA6Ly;odHRwOi8v;aHR0cHM6Ly;h0dHBzOi8v</CommandLine>
 				<Image condition="excludes any">ie_to_edge_stub.exe;chrome.exe;firefox.exe;iexplore.exe;brave.exe;vivaldi.exe;msedge.exe;webex;teams.exe;goto opener.exe;lynx.exe;\Webex\webexAppLauncherLatest.exe;\WebEx\webexAppLauncher.exe;\WebEx\Applications\webexAppLauncher.exe;WebEx\webex.exe</Image>
 				<CommandLine condition="excludes any">wbx:;/SITE_TOKEN=;msteams:;PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSI</CommandLine>
 				<OriginalFileName condition="excludes any">msedgeupdate.dll</OriginalFileName>
 			</Rule>
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=Double Base64 encoded executable,Risk=90" groupRelation="and">
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=Double Base64 encoded executable,Risk=90" groupRelation="and">
 				<CommandLine condition="contains any">VFZvQUFBQ;RWb0FBQU;UVm9BQUFB;VFZxQUFBR;RWcUFBQU;UVnFBQUFF;VFZwUUFBS;RWcFFBQU;UVnBRQUFJ;VFZxUUFBT;RWcVFBQU;UVnFRQUFN;VFZwVEFRR;RWcFRBUU;UVnBUQVFF</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=base64 encoded powershell" groupRelation="and">
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=base64 encoded powershell" groupRelation="and">
 				<Image condition="image">powershell.exe</Image>
 				<CommandLine condition="contains any">AAAAYInlM;OiCAAAAYInlM;OiJAAAAYInlM;RwBlAHQAL;WwBOAGUAdAAuAFM;W05ldC5TZXJ2aWNl</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=Cyrillic Letter obfuscation,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=Cyrillic Letter obfuscation,Risk=100" groupRelation="and">
 				<CommandLine condition="contains any">Г;И;К;П;д;и;к;л;л;н;н;о;ф;ե;թ;յ;ն;ն;ն;ն;տ;ւ;ք</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
@@ -1830,106 +1831,106 @@
 			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
 			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=Certutil file transfer,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=Certutil file transfer,Risk=100" groupRelation="and">
 				<Image condition="image">certutil.exe</Image>
 				<CommandLine condition="contains all">urlcache;split;f</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=Command Line file transfer,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=Command Line file transfer,Risk=100" groupRelation="and">
 				<CommandLine condition="contains any">DownloadFile;DownloadString;Net.WebClient;System.Net.WebRequest;System.Net.SecurityProtocolType;Invoke-Expression;Invoke-WebRequest</CommandLine>
 				<Image condition="contains any">powershell.exe;cmd.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=BitsAdmin File Transfers,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=BitsAdmin File Transfers,Risk=70" groupRelation="and">
 				<OriginalFileName condition="is">bitsadmin.exe</OriginalFileName>
 				<CommandLine condition="contains any">CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME</CommandLine>
 				<CommandLine condition="excludes all">util;setieproxy;localsystem;AUTODETECT</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=BitsAdmin File Transfers 2,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=BitsAdmin File Transfers 2,Risk=70" groupRelation="and">
 				<Description condition="contains">BITS administration utility</Description>
 				<CommandLine condition="contains any">CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1105,Tactic=Command And Control,Technique=Ingress Tool Transfer,Level=4,Alert=Linux Ingress transfer tools on Windows,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1105,Tactic=Command And Control,Technique=Ingress Tool Transfer,DS=Process: Process Creation,Level=4,Alert=Linux Ingress transfer tools on Windows,Risk=30" groupRelation="and">
 				<Image condition="contains any">\curl.exe;\wget.exe;\www.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1105,Tactic=Command And Control,Technique=Ingress Tool Transfer,Level=4,Alert=Linux Ingress transfer tools on Windows,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1105,Tactic=Command And Control,Technique=Ingress Tool Transfer,DS=Process: Process Creation,Level=4,Alert=Linux Ingress transfer tools on Windows,Risk=30" groupRelation="and">
 				<Image condition="contains any">\curl.exe;\wget.exe;\www.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Certutil file download 1,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Certutil file download 1,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">certutil</OriginalFileName>
 				<CommandLine condition="contains all">split;f</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Certutil file download 2,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Certutil file download 2,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">certutil</OriginalFileName>
 				<CommandLine condition="contains any">verifyctl;URL</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Potential Ingress Tool Transfer and tool usage within suspicious folders,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Potential Ingress Tool Transfer and tool usage within suspicious folders,Risk=100" groupRelation="and">
 				<CurrentDirectory condition="contains any">C:\Perflogs\;C:\Users\Public\;C:\root\</CurrentDirectory>
 			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Potential Ingress Tool Transfer and tool usage within suspicious folders,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Potential Ingress Tool Transfer and tool usage within suspicious folders,Risk=100" groupRelation="and">
 				<Image condition="contains any">C:\Perflogs\;C:\Users\Public\;C:\root\</Image>
 			</Rule>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=BitsAdmin File Transfers,Risk=70" condition="image">start-bitstransfer</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand.exe \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" condition="contains">ieexec http</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" condition="contains">ieexec.exe http</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=Ingress Tool Transfer with Powercat,Risk=100" condition="contains">powercat</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" condition="contains any">esentutl /y \\;esentutl -y \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" condition="contains any">esentutl.exe /y \\;esentutl.exe -y \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" condition="contains">extrac32 \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" condition="contains">extrac32.exe \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=BitsAdmin File Transfers,Risk=70" condition="image">start-bitstransfer</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand.exe \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" condition="contains">ieexec http</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" condition="contains">ieexec.exe http</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with Powercat,Risk=100" condition="contains">powercat</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" condition="contains any">esentutl /y \\;esentutl -y \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" condition="contains any">esentutl.exe /y \\;esentutl.exe -y \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" condition="contains">extrac32 \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" condition="contains">extrac32.exe \\</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
 			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
 			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
 			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
-			<CommandLine name="Attack=T1090,Technique=Connection Proxy,Tactic=Command and Control,Level=4,Alert=NetSH PortProxy,Risk=70" condition="contains">portproxy</CommandLine>
-			<Image name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Command and Control,Level=4,Alert=Tor Detected,Risk=100" condition="image">tor.exe</Image>
+			<CommandLine name="Attack=T1090,Technique=Connection Proxy,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=NetSH PortProxy,Risk=70" condition="contains">portproxy</CommandLine>
+			<Image name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=Tor Detected,Risk=100" condition="image">tor.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
-			<Image name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Unattended Session" condition="image">TeamViewer_Desktop.exe</Image>
-			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=4,Alert=PSExec Command,Risk=100" groupRelation="and">
+			<Image name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Process: Process Creation,Level=0,Desc=Teamviewer Unattended Session" condition="image">TeamViewer_Desktop.exe</Image>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=PSExec Command,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains any">psexec</OriginalFileName>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
 			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
 
 			<!--MITRE ATT&CK TACTIC: Exfiltration-->
-			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Exfiltration,Level=0,Desc=SCP Data exfiltration detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Exfiltration,DS=Process: Process Creation,Level=0,Desc=SCP Data exfiltration detected,Risk=100" groupRelation="and">
 				<Image condition="contains any">winscp.exe;winscp.com;scp.exe;pscp</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
-			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,Level=0,Desc=Data exfiltration Tool detected 3,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,DS=Process: Process Creation,Level=0,Desc=Data exfiltration Tool detected 3,Risk=100" groupRelation="and">
 				<CommandLine condition="contains any">bitch.exe;bitch.bat;bitch_lasagna.exe;Admin Cracker.exe;BulletsPassView.exe;ChromePass.exe;Dialupass.exe;LSASecretsView.exe;OpenedFilesView.exe;OperaPassView.exe;PasswordFox.exe;ProduKey.exe;RouterPassView.exe;USBDeview.exe;USBStealer.exe;VNCPassView.exe;WebBrowserPassView.exe;WirelessKeyView.exe;WirelessKeyView.exe;empv.exe;netpass.exe;pspv.exe;usbdll.exe;rdpv.exe;WirelessKeyView.exe;lasagna.exe;all -vvv &gt;&gt;;rsync -r</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,Level=0,Desc=CredsLeaker exfiltration tool detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,DS=Process: Process Creation,Level=0,Desc=CredsLeaker exfiltration tool detected,Risk=100" groupRelation="and">
 				<CommandLine condition="contains any">CredsLeaker;Windows.Security.Credentials.UI.CredentialPicker;function Leaker;function Await</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,Level=0,Desc=merlin CnC exfiltration detected 4,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,DS=Process: Process Creation,Level=0,Desc=merlin CnC exfiltration detected 4,Risk=100" groupRelation="and">
 				<CommandLine condition="contains any">.exe -url https://;dll,Run https://;Invoke-Merlin;-m SimpleHTTPServer;/m SimpleHTTPServer</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=DNS Exfil detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Process: Process Creation,Level=4,Alert=DNS Exfil detected,Risk=100" groupRelation="and">
 				<CommandLine condition="contains any">-q=txt;/q=txt</CommandLine>
 				<Image condition="image">nslookup.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1567.002,Technique=Exfiltration to Cloud Storage,Tactic=Exfiltration,Level=4,Alert=Rclone detected,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1567.002,Technique=Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Process: Process Creation,Level=4,Alert=Rclone detected,Risk=100" groupRelation="or">
 				<OriginalFileName condition="contains any">rclone</OriginalFileName>
 				<Description condition="contains any">Rsync for cloud storage</Description>
 				<Product condition="contains any">rclone</Product>
 				<Company condition="contains any">rclone</Company>
 				<Image condition="contains any">\rclone</Image>
 			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=S3browser detected,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Process: Process Creation,Level=4,Alert=S3browser detected,Risk=100" groupRelation="or">
 				<OriginalFileName condition="contains any">s3browser</OriginalFileName>
 				<Description condition="contains any">s3browser</Description>
 				<Product condition="contains any">s3browser</Product>
 				<Image condition="contains any">s3browser</Image>
 			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=FTP exfiltration detected,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Process: Process Creation,Level=4,Alert=FTP exfiltration detected,Risk=100" groupRelation="or">
 				<CommandLine condition="contains any">add-ftp;.UploadFile(</CommandLine>
 				<Image condition="contains any">ftp.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1048,Tactic=Exfiltration,Technique=Exfiltration to Cloud Storage,Level=0,Desc=Webdav Share Mounted" groupRelation="and">
+			<Rule name="Attack=T1048,Tactic=Exfiltration,Technique=Exfiltration to Cloud Storage,DS=Process: Process Creation,Level=0,Desc=Webdav Share Mounted" groupRelation="and">
 				<Image condition="image">rundll32.exe</Image>
 				<CommandLine condition="contains all">davclnt.dll;DavSetCookie</CommandLine>
 			</Rule>
@@ -1942,65 +1943,65 @@
 			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
 
 			<!--MITRE ATT&CK TACTIC: Impact-->
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Possible Ransomware Command Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Possible Ransomware Command Detected,Risk=100" groupRelation="and">
 				<Image condition="image">bcdedit.exe</Image>
 				<CommandLine condition="contains">safeboot</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Possible Ransomware Command Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Possible Ransomware Command Detected,Risk=100" groupRelation="and">
 				<Image condition="image">bootcfg.exe</Image>
 				<CommandLine condition="contains">safeboot</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Possible Ransomware Virtual Machine,Risk=60" groupRelation="and">
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Possible Ransomware Virtual Machine,Risk=60" groupRelation="and">
 				<CommandLine condition="contains any">-startvm;vrun.exe -vm</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
 			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with vssadmin Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with vssadmin Detected,Risk=100" groupRelation="and">
 				<Image condition="image">vssadmin.exe</Image>
 				<CommandLine condition="contains any">delete;resize</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wmic shadowcopy delete Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wmic shadowcopy delete Detected,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
 				<CommandLine condition="contains all">shadowcopy;delete</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">wbadmin.exe</OriginalFileName>
 				<CommandLine condition="contains all">SYSTEMSTATEBACKUP;delete</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wmic shadowstorage Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wmic shadowstorage Detected,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
 				<CommandLine condition="contains">wmic shadowstorage SET MaxSpace=</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Destructive WMIC Commands Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Destructive WMIC Commands Detected,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
 				<CommandLine condition="contains any">cleareventlog;call disable;nteventlog where filename</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Alert=Data Destruction with diskpart" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Alert=Data Destruction with diskpart" groupRelation="and">
 				<OriginalFileName condition="contains">diskpart.exe</OriginalFileName>
 				<CommandLine condition="contains any">format;clean;delete;remove</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Alert=Data Destruction with manage-bde.exe" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Alert=Data Destruction with manage-bde.exe" groupRelation="and">
 				<OriginalFileName condition="contains">manage-bde.exe</OriginalFileName>
 				<CommandLine condition="contains any">changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Alert=Data Destruction with manage-bde.wsf" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Alert=Data Destruction with manage-bde.wsf" groupRelation="and">
 				<CommandLine condition="contains">manage-bde.wsf</CommandLine>
 				<CommandLine condition="contains any">changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw</CommandLine>
 			</Rule>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Data Destruction with format" condition="begin with">format </CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Data Destruction with format" condition="begin with">format </CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" condition="contains">bootstatuspolicy ignoreallfailures</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" condition="contains">recoveryenabled No</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with get-wmiobject Detected,Risk=100" condition="contains">Win32_Shadowcopy</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with sdelete Detected,Risk=100" condition="contains">sdelete</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">delete catalog</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">wbadmin delete catalog</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=0,Desc=Data Destruction with erase Detected,Risk=100" condition="contains">erase</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=2,Alert=vShadow Commands" condition="contains">-nw -exec=</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Alert=vShadow Commands" condition="contains">-p -nw</CommandLine>
-			<Image name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Data Destruction with shred Detected,Risk=100" condition="contains">shred</Image>
-			<ParentImage name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=4,Alert=Diskshadow Execution,Risk=70" condition="contains">diskshadow</ParentImage>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,Level=3,Alert=Command Line File Deletion,Risk=100" groupRelation="or">
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=3,Alert=Data Destruction with format" condition="begin with">format </CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=3,Alert=Data Destruction with format" condition="begin with">format </CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" condition="contains">bootstatuspolicy ignoreallfailures</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" condition="contains">recoveryenabled No</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with get-wmiobject Detected,Risk=100" condition="contains">Win32_Shadowcopy</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with sdelete Detected,Risk=100" condition="contains">sdelete</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">delete catalog</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">wbadmin delete catalog</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Desc=Data Destruction with erase Detected,Risk=100" condition="contains">erase</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=2,Alert=vShadow Commands" condition="contains">-nw -exec=</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=vShadow Commands" condition="contains">-p -nw</CommandLine>
+			<Image name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with shred Detected,Risk=100" condition="contains">shred</Image>
+			<ParentImage name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Diskshadow Execution,Risk=70" condition="contains">diskshadow</ParentImage>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=3,Alert=Command Line File Deletion,Risk=100" groupRelation="or">
 				<CommandLine condition="contains all"> del ; /f </CommandLine>
 				<CommandLine condition="contains all"> del ; -f </CommandLine>
 				<CommandLine condition="contains all"> rmdir ; /s ; /q </CommandLine>
@@ -2009,11 +2010,11 @@
 				<CommandLine condition="contains all"> rd ; -s ; -q </CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
-			<CommandLine name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=3,Alert=Potential Ransomware indicator" condition="contains">usn deletejournal</CommandLine>
+			<CommandLine name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=3,Alert=Potential Ransomware indicator" condition="contains">usn deletejournal</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
 			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
 			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
-			<Rule name="Attack=T1107,Technique=File Deletion,Tactic=Defense Evasion,Level=3,Alert=FSUtil USN Journal Deletion,Risk=60" groupRelation="and">
+			<Rule name="Attack=T1107,Technique=File Deletion,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=FSUtil USN Journal Deletion,Risk=60" groupRelation="and">
 				<Image condition="image">fsutil.exe</Image>
 				<CommandLine condition="contains">deletejournal</CommandLine>
 				<CommandLine condition="contains">usn</CommandLine>
@@ -2025,120 +2026,120 @@
 			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
-			<CommandLine name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,Level=4,Alert=Malicious Keywords from Exploitation Frameworks,Author=Florian Roth" condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Malicious Keywords from Exploitation Frameworks,Author=Florian Roth" condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
 			<!--Crypto Currency Miner Detections-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
 				<CommandLine condition="contains any">ahashpool;blazepool;blockmasters;blockmasterscoins;ccminer;cgminer;coinhive;hashrefinery;minergate;miningpoolhubcoins;nicehash;poolname;poolpassword;poolurl;rainbowminer;sgminer;stratum+tcp;xmrMiner;xmrig;yiimp;zergpool;zergpoolcoins;zpool</CommandLine>
 				<Description condition="contains any">CPU miner;GPU miner;Lime Miner;XMRig CPU miner; miner</Description>
 			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst hashes,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Solarwinds/FireEye sunburst hashes,Risk=100" groupRelation="and">
 				<Hashes condition="contains any">b91ce2fa41029f6955bff20079468448;02af7cec58b9a5da1c542b5a32151ba1;2c4a910a1299cdae2a4e55988a2f102e;846e27a652a5e1bfbd0ddd38a16dc865;4f2eb62fa529c0283b28d05ddd311fae;56ceb6d0011d87b6e4d7023d7ef85676</Hashes>
 			</Rule>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
-			<Hashes name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=4,Alert=Generic APT Hash Detection,Risk=100" condition="contains any">4a069c1abe5aca148d5a8fdabc26751e;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;a4b42c2c95d1f2ff12171a01c86cd64f;98908ce6f80ecc48628c8d2bf5b2a50c;849a2b0dc80aeca3d175c139efe5221c;807d86da63f0db1fc746d1f0b05bc357;322cb39bc049aa69136925137906d855;86A4CAC227078B9C95C560C8F0370BF0;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;eac3e3ece94bc84e922ec077efb15edd;b4abe604916c04fe3dd8b9cb3d501d3f;88777aacd5f16599547926a4c9202862;128CECC59C91C0D0574BC1075FE7CB40;17a36ac3e31f3a18936552aff2c80249;0f49621b06f2cdaac8850c6e9581a594;3d129263f6a48647f103a04446fb0c2f;71345b139166482acaa568ac8816c7bc;1b60021baedc3f9201bcdb40e9b87f62;5E022694C0DBD1FBBC263D608E577949;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;37cd353621b0f4fc6981b50071c94f01;daf2da52475fd8981b19ec3c321a983c;afcdf79be1557326c854b6e20cb900a7;2f40abbb4f78e77745f0e657a19903fc953cc664;37b4496e650b3994312c838435013560b3ca8571;478dc5a5f934c62a9246f7d1fc275868f568bc07;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;0ac48cfa2ff8351365e99c1d26e082ad;0e9afd3a870906ebf34a0b66d8b07435;1aadf739782afcae6d1c3e4d1f315cbd;2a6f7ec77ab6bd4297e7b15ae06e2e61;3a771efb7ba2cd0df247ab570e1408b2;3d75c72144d873b3c1c4977fbafe9184;3dfebce4703f30eed713d795b90538b5;3ffd2915d285ad748202469d4a04e1f5;4e39620afca6f60bb30e031ddc5a4330;6cfd131fef548fcd60fbcdb59317df8e;7bcd736a2394fc49f3e27b3987cce640;7bfba2c69bed6b160261bdbf2b826401;7bfbd72441e1f2ed48fbc0f33be00f24;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;08e82dc7bae524884b7dc2134942aadb;8da15a97eaf69ff7ee184fc446f19cf1;9ad6fa6fdedb2df8055b3d30bd6f64f1;9c115e9a81d25f9d88e7aaa4313d9a8f;16ab79fb2fd92db0b1f38bedb2f02ed8;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;22d142f11cf2a30ea4953e1fffb0fa7e;36db24006e2b492cafb75f2663f241b2;51a7068640af42c3a7c1b94f1c11ab9d;69a19abf5ba56ee07cdd3425b07cf8bf;72dc98449b45a7f1ccdef27d51e31e91;77a745b07d9c453650dd7f683b02b3ed;80c37e062aa4c94697f287352acf2e9d;92f8e3f0f1f7cc49fad797a62a169acd;235d427f94630575a4ea4bff180ecf5d;320b2f1d9551b5d1df4fb19bd9ab253a;490a140093b5870a47edc29f33542fd2;520ee02668a1c7b7c262708e12b1ba6b;649ef1dd4a5411d3afcf108d57ff87af;684eca6b62d69ce899a3ec3bb04d0a5b;815f1f8a7bc1e6f94cb5c416e381a110;0969b2b399a8d4cd2d751824d0d842b4;2317d65da4639f4246de200650a70753;04078ef95a70a04e95bda06cc7bec3fa;8035a8a143765551ca7db4bc5efb5dfd;8403a28e0bffa9cc085e7b662d0d5412;9003cfaac523e94d5479dc6a10575e60;9793afcea43110610757bd3b800de517;27612cb03c89158225ca201721ea1aad;44619a88a6cff63523163c6a4cf375dd;061089d8cb0ca58e660ce2e433a689b3;81229c1e272218eeda14892fa8425883;84730a6e426fbd3cf6b821c59674c8a0;533340c54bd25256873b3dca34d7f74e;57314359df11ffdf476f809671ec0275;99828721ac1a0e32e4582c3f615d6e57;412956675fbc3f8c51f438c1abc100eb;5985087678414143d33ffc6e8863b887;a43d3b31575846fa4c3992b4143a06da;a571660c9cf1696a2f4689b2007a12c7;b4e67706103c3b8ee148394ebee3f268;b9c208ea8115232bfd9ec2c62f32d6b8;b9cf4301b7b186a75e82a04e87b30fe4;b72737b464e50aa3664321e8e001ff32;bfe3f6a79cad5b9c642bb56f8037c43b;c0e72eb4c9f897410c795c1b360090ef;c1e7850da5604e081b9647b58248d7e8;c3e255888211d74cc6e3fb66b69bbffb;cacaa3bf3b2801956318251db5e90f3c;cdb303f61a47720c7a8c5086e6b2a743;ce8ce92fb6565181572dce00d69c24f8;d8f1356bebda9e77f480a6a60eab36bb;d9e9f22988d43d73d79db6ee178d70a4;d5377dc1821c935302c065ad8432c0d2;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;f559c87b4a14a4be1bd84df6553aaf56;fc53f2cd780cd3a01a4299b8445f8511;ffc7305cb24c1955f9625e525d58aeee</Hashes>
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,Level=4,Alert=Windows Credential Editor Detection,Risk=70" condition="contains any">e96a73c7bf33a464c510ede582318bf2;a53a02b997935fd8eedcb5f7abab9b9f</Hashes>
-			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Ransomware Hash Detection,Risk=100" condition="contains any">d326e629a90e78825645963b35e53a6a;c579341f86f7e962719c7113943bb6e4;dc5733c013378fa418d13773f5bfe6f1;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc7e564809d6c2a2f3457c3c9b91f22b;FE2CA1BE3BDA2A757036A89E54CC02DB;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b</Hashes>
-			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Ursniff Bank Malware,Risk=100" condition="contains">53841a0c6a3ff92976db08bfdf95e083</Hashes>
+			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
+			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
+			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
+			<Hashes name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Generic APT Hash Detection,Risk=100" condition="contains any">4a069c1abe5aca148d5a8fdabc26751e;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;a4b42c2c95d1f2ff12171a01c86cd64f;98908ce6f80ecc48628c8d2bf5b2a50c;849a2b0dc80aeca3d175c139efe5221c;807d86da63f0db1fc746d1f0b05bc357;322cb39bc049aa69136925137906d855;86A4CAC227078B9C95C560C8F0370BF0;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;eac3e3ece94bc84e922ec077efb15edd;b4abe604916c04fe3dd8b9cb3d501d3f;88777aacd5f16599547926a4c9202862;128CECC59C91C0D0574BC1075FE7CB40;17a36ac3e31f3a18936552aff2c80249;0f49621b06f2cdaac8850c6e9581a594;3d129263f6a48647f103a04446fb0c2f;71345b139166482acaa568ac8816c7bc;1b60021baedc3f9201bcdb40e9b87f62;5E022694C0DBD1FBBC263D608E577949;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;37cd353621b0f4fc6981b50071c94f01;daf2da52475fd8981b19ec3c321a983c;afcdf79be1557326c854b6e20cb900a7;2f40abbb4f78e77745f0e657a19903fc953cc664;37b4496e650b3994312c838435013560b3ca8571;478dc5a5f934c62a9246f7d1fc275868f568bc07;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;0ac48cfa2ff8351365e99c1d26e082ad;0e9afd3a870906ebf34a0b66d8b07435;1aadf739782afcae6d1c3e4d1f315cbd;2a6f7ec77ab6bd4297e7b15ae06e2e61;3a771efb7ba2cd0df247ab570e1408b2;3d75c72144d873b3c1c4977fbafe9184;3dfebce4703f30eed713d795b90538b5;3ffd2915d285ad748202469d4a04e1f5;4e39620afca6f60bb30e031ddc5a4330;6cfd131fef548fcd60fbcdb59317df8e;7bcd736a2394fc49f3e27b3987cce640;7bfba2c69bed6b160261bdbf2b826401;7bfbd72441e1f2ed48fbc0f33be00f24;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;08e82dc7bae524884b7dc2134942aadb;8da15a97eaf69ff7ee184fc446f19cf1;9ad6fa6fdedb2df8055b3d30bd6f64f1;9c115e9a81d25f9d88e7aaa4313d9a8f;16ab79fb2fd92db0b1f38bedb2f02ed8;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;22d142f11cf2a30ea4953e1fffb0fa7e;36db24006e2b492cafb75f2663f241b2;51a7068640af42c3a7c1b94f1c11ab9d;69a19abf5ba56ee07cdd3425b07cf8bf;72dc98449b45a7f1ccdef27d51e31e91;77a745b07d9c453650dd7f683b02b3ed;80c37e062aa4c94697f287352acf2e9d;92f8e3f0f1f7cc49fad797a62a169acd;235d427f94630575a4ea4bff180ecf5d;320b2f1d9551b5d1df4fb19bd9ab253a;490a140093b5870a47edc29f33542fd2;520ee02668a1c7b7c262708e12b1ba6b;649ef1dd4a5411d3afcf108d57ff87af;684eca6b62d69ce899a3ec3bb04d0a5b;815f1f8a7bc1e6f94cb5c416e381a110;0969b2b399a8d4cd2d751824d0d842b4;2317d65da4639f4246de200650a70753;04078ef95a70a04e95bda06cc7bec3fa;8035a8a143765551ca7db4bc5efb5dfd;8403a28e0bffa9cc085e7b662d0d5412;9003cfaac523e94d5479dc6a10575e60;9793afcea43110610757bd3b800de517;27612cb03c89158225ca201721ea1aad;44619a88a6cff63523163c6a4cf375dd;061089d8cb0ca58e660ce2e433a689b3;81229c1e272218eeda14892fa8425883;84730a6e426fbd3cf6b821c59674c8a0;533340c54bd25256873b3dca34d7f74e;57314359df11ffdf476f809671ec0275;99828721ac1a0e32e4582c3f615d6e57;412956675fbc3f8c51f438c1abc100eb;5985087678414143d33ffc6e8863b887;a43d3b31575846fa4c3992b4143a06da;a571660c9cf1696a2f4689b2007a12c7;b4e67706103c3b8ee148394ebee3f268;b9c208ea8115232bfd9ec2c62f32d6b8;b9cf4301b7b186a75e82a04e87b30fe4;b72737b464e50aa3664321e8e001ff32;bfe3f6a79cad5b9c642bb56f8037c43b;c0e72eb4c9f897410c795c1b360090ef;c1e7850da5604e081b9647b58248d7e8;c3e255888211d74cc6e3fb66b69bbffb;cacaa3bf3b2801956318251db5e90f3c;cdb303f61a47720c7a8c5086e6b2a743;ce8ce92fb6565181572dce00d69c24f8;d8f1356bebda9e77f480a6a60eab36bb;d9e9f22988d43d73d79db6ee178d70a4;d5377dc1821c935302c065ad8432c0d2;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;f559c87b4a14a4be1bd84df6553aaf56;fc53f2cd780cd3a01a4299b8445f8511;ffc7305cb24c1955f9625e525d58aeee</Hashes>
+			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=4,Alert=Windows Credential Editor Detection,Risk=70" condition="contains any">e96a73c7bf33a464c510ede582318bf2;a53a02b997935fd8eedcb5f7abab9b9f</Hashes>
+			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Ransomware Hash Detection,Risk=100" condition="contains any">d326e629a90e78825645963b35e53a6a;c579341f86f7e962719c7113943bb6e4;dc5733c013378fa418d13773f5bfe6f1;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc7e564809d6c2a2f3457c3c9b91f22b;FE2CA1BE3BDA2A757036A89E54CC02DB;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b</Hashes>
+			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Ursniff Bank Malware,Risk=100" condition="contains">53841a0c6a3ff92976db08bfdf95e083</Hashes>
 			<!--UEBA Activities-->
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Zoom: passwordless meeting Start,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Zoom: passwordless meeting Start,Risk=30" groupRelation="and">
 				<CommandLine condition="contains">zoommtg</CommandLine>
 				<CommandLine condition="excludes">pwd=</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Zoom: Video and Audio Session Start" groupRelation="and">
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Zoom: Video and Audio Session Start" groupRelation="and">
 				<CommandLine condition="contains">zoommtg</CommandLine>
 				<CommandLine condition="contains">zc=0</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Zoom: Screen Share,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Zoom: Screen Share,Risk=70" groupRelation="and">
 				<CommandLine condition="contains">zoommtg</CommandLine>
 				<CommandLine condition="contains">zc=1</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Microsoft Teams URL clicked" groupRelation="and">
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Microsoft Teams URL clicked" groupRelation="and">
 				<CommandLine condition="contains">msteams:</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Webex URL clicked" groupRelation="and">
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Webex URL clicked" groupRelation="and">
 				<CommandLine condition="contains">wbx:</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Executed files within Downloads,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Executed files within Downloads,Risk=30" groupRelation="and">
 				<Image condition="contains">C:\Users\</Image>
 				<Image condition="contains">\Downloads\</Image>
 			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Executed files on Desktop,Risk=10" groupRelation="and">
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Executed files on Desktop,Risk=10" groupRelation="and">
 				<Image condition="contains">C:\Users\</Image>
 				<Image condition="contains">\Desktop\</Image>
 			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Linux tools installed on windows,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Linux tools installed on windows,Risk=30" groupRelation="and">
 				<Image condition="contains any">\awk.exe;\sed.exe</Image>
 			</Rule>
 			<CommandLine condition="contains">listena</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=LOLBins" condition="contains any">-s -n -u -i:http:</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=3,Alert=LOLBins" condition="contains any">/s /n /u /i:http:</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">assoc </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">del </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">expand </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">md </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">move </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">rd </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">ren </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">set </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="begin with">setx </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="contains any">bginfo.bgi /popup /nolicprompt;bginfo.bgi -popup -nolicprompt</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Interesting Command Line Events" condition="image">find.exe</CommandLine>
-			<CommandLine name="Attack=T1595,Technique=Hacking,Tactic=Execution,Level=3,Alert=FireEye/Fin6 Hacking tools" condition="contains">grabff</CommandLine>
-			<CommandLine name="Attack=T1595,Technique=Hacking,Tactic=Execution,Level=3,Alert=FireEye/Fin6 Hacking tools" condition="contains">routerscan</CommandLine>
-			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=3,Alert=Hacking with python,Risk=70" condition="contains">pythonEngine.Execute</CommandLine>
-			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=4,Alert=Hacking with session hijacking,Risk=100" condition="contains">sesshijack</CommandLine>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=File Protocol Handler Execution" condition="contains">file://</CommandLine>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=HTML APP Host" condition="end with">HTML Application host</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Manager Profile Installer" condition="end with">Manager Profile Installer</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Microsoft Application Virtualization Injector" condition="contains">Microsoft Application Virtualization Injector</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=App Compat Database installer" condition="contains">Application Compatibility Database Installer</Description>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">popd.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">pushd.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=LOLbin" condition="image">subst.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=detect aliases" condition="image">doskey.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=detect cls in batch scripts" condition="image">cls.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=UNC\Device Launches - Image begins with \,Risk=10" condition="begin with">\</Image> 
-			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Child Processes" condition="begin with">C:\Windows\system32\svchost.exe -k iissvcs</ParentCommandLine>
-			<ParentImage name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=UNC\Device Launches - Parent Image begins with \,Risk=10" condition="begin with">\</ParentImage> 
-			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Acrobat" condition="image">acrobat.exe</ParentImage>
-			<ParentImage name="Attack=T1059,Level=0,Desc=Process Spawned from Adobe Reader" condition="image">acrord32.exe</ParentImage>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Spawned from JAVA" condition="image">java.exe</ParentImage>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Spawned from JAVA" condition="image">javaw.exe</ParentImage>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=LOLBins" condition="contains any">-s -n -u -i:http:</CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=LOLBins" condition="contains any">/s /n /u /i:http:</CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">assoc </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">del </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">expand </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">md </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">move </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">rd </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">ren </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">set </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">setx </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="contains any">bginfo.bgi /popup /nolicprompt;bginfo.bgi -popup -nolicprompt</CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="image">find.exe</CommandLine>
+			<CommandLine name="Attack=T1595,Technique=Hacking,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=FireEye/Fin6 Hacking tools" condition="contains">grabff</CommandLine>
+			<CommandLine name="Attack=T1595,Technique=Hacking,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=FireEye/Fin6 Hacking tools" condition="contains">routerscan</CommandLine>
+			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Hacking with python,Risk=70" condition="contains">pythonEngine.Execute</CommandLine>
+			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Hacking with session hijacking,Risk=100" condition="contains">sesshijack</CommandLine>
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=File Protocol Handler Execution" condition="contains">file://</CommandLine>
+			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=HTML APP Host" condition="end with">HTML Application host</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Manager Profile Installer" condition="end with">Manager Profile Installer</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Microsoft Application Virtualization Injector" condition="contains">Microsoft Application Virtualization Injector</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=App Compat Database installer" condition="contains">Application Compatibility Database Installer</Description>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="image">popd.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="image">pushd.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="image">subst.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=detect aliases" condition="image">doskey.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=detect cls in batch scripts" condition="image">cls.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=UNC\Device Launches - Image begins with \,Risk=10" condition="begin with">\</Image> 
+			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=IIS Child Processes" condition="begin with">C:\Windows\system32\svchost.exe -k iissvcs</ParentCommandLine>
+			<ParentImage name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=UNC\Device Launches - Parent Image begins with \,Risk=10" condition="begin with">\</ParentImage> 
+			<ParentImage name="Attack=T1059,DS=Process: Process Creation,Level=0,Desc=Process Spawned from Acrobat" condition="image">acrobat.exe</ParentImage>
+			<ParentImage name="Attack=T1059,DS=Process: Process Creation,Level=0,Desc=Process Spawned from Adobe Reader" condition="image">acrord32.exe</ParentImage>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Process Spawned from JAVA" condition="image">java.exe</ParentImage>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Process Spawned from JAVA" condition="image">javaw.exe</ParentImage>
 			<!--Detection of Output Redirection-->
 			<!-- Disabled for now: Reason: Overrides other detections, waiting on Sysmon multiple rule firing
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Output Redirection" condition="contains">2></CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Output Redirection" condition="contains">&gt;</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Output Redirection" condition="contains">&lt;</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Output Redirection" condition="contains">2></CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Output Redirection" condition="contains">&gt;</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Output Redirection" condition="contains">&lt;</CommandLine>
 			-->
 			<!--Detect Multiple Commands-->
-			<Rule  name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SVCHost Processes" groupRelation="and">
+			<Rule  name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=SVCHost Processes" groupRelation="and">
 				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
 			</Rule>
-			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Permission Modifications with icacls or cacls" condition="image">cacls.exe</Image>
-			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,Level=0,Desc=Ownership Permission Modifications with takeown" condition="image">takeown.exe</Image>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
-			<Rule  name="Attack=None,Technique=None,Tactic=None,Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
+			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Permission Modifications with icacls or cacls" condition="image">cacls.exe</Image>
+			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Ownership Permission Modifications with takeown" condition="image">takeown.exe</Image>
+			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
+			<Rule  name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
 				<CommandLine condition="contains">\pipe\</CommandLine>
 				<CommandLine condition="excludes">&gt;</CommandLine>
 			</Rule>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Execution from \\tsclient share" condition="contains">\\tsclient</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Processor ARCH command Line" condition="contains">%PROCESSOR_ARCHITECTURE%</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SysNative detected" condition="contains">sysnative</CommandLine>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AutoIT Application Detected" condition="contains">AutoIt</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Filter loader" condition="contains">Microsoft Filter Loader</Description> 
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=interactive command to slow output" condition="is">more.com</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Acrobat Reader Launches" condition="image">acrord32.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Gpupdate Launched" condition="image">gpupdate.exe</Image>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=System Child Processes" condition="is">System</ParentImage>
+			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
+			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Execution from \\tsclient share" condition="contains">\\tsclient</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Processor ARCH command Line" condition="contains">%PROCESSOR_ARCHITECTURE%</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=SysNative detected" condition="contains">sysnative</CommandLine>
+			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=AutoIT Application Detected" condition="contains">AutoIt</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Windows Filter loader" condition="contains">Microsoft Filter Loader</Description> 
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=interactive command to slow output" condition="is">more.com</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Acrobat Reader Launches" condition="image">acrord32.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Gpupdate Launched" condition="image">gpupdate.exe</Image>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=System Child Processes" condition="is">System</ParentImage>
 			<!-- Log other command line events, this sometimes conflicts with rules, add to exclusions as necessary-->
 			<!-- <ParentCommandLine name="Information=Uncategorized Events" condition="contains any">/;\;-;unknown;</ParentCommandLine>-->
 		</ProcessCreate>
@@ -2180,12 +2181,12 @@
 		<NetworkConnect onmatch="include">
 			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
 			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Census Network Connection,Risk=40" condition="contains">census</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=ResearchScan Network Connection,Risk=70" condition="contains">researchscan</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Scanhub Network Connection,Risk=70" condition="contains">scanhub</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Shadow Network Connection,Risk=50" condition="contains">shadow</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=0,Desc=Shodan Network Connection,Risk=50" condition="contains">shodan</DestinationHostname>
-			<Rule name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,Level=4,Alert=Exchange 0day Attackers from September 2022,Risk=100" groupRelation="or">
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Census Network Connection,Risk=40" condition="contains">census</DestinationHostname>
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=ResearchScan Network Connection,Risk=70" condition="contains">researchscan</DestinationHostname>
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Scanhub Network Connection,Risk=70" condition="contains">scanhub</DestinationHostname>
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Shadow Network Connection,Risk=50" condition="contains">shadow</DestinationHostname>
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Shodan Network Connection,Risk=50" condition="contains">shodan</DestinationHostname>
+			<Rule name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Exchange 0day Attackers from September 2022,Risk=100" groupRelation="or">
 				<DestinationIp condition="is any">137.184.67.33;206.188.196.77;125.212.220.48;5.180.61.17;47.242.39.92;61.244.94.85;86.48.6.69;86.48.12.64;94.140.8.48;94.140.8.113;103.9.76.208;103.9.76.211;104.244.79.6;112.118.48.186;122.155.174.188;125.212.241.134;185.220.101.182;194.150.167.88;212.119.34.11</DestinationIp>
 				<DestinationIp condition="begin with">137.184.67.</DestinationIp>
 				<DestinationHostname condition="is any">httpbin.org</DestinationHostname>
@@ -2223,7 +2224,7 @@
 			
 			<!--MITRE ATT&CK TACTIC: Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
-			<Rule name="Attack=T1059,Technique=Visual Basic,Tactic=Execution,Level=4,Alert=WSCRIPT Network connection,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1059,Technique=Visual Basic,Tactic=Execution,DS=Network Traffic: Network Connection Creation,Level=4,Alert=WSCRIPT Network connection,Risk=80" groupRelation="and">
 				<Image condition="image">wscript.exe</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
@@ -2232,8 +2233,8 @@
 			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
 			<!--MITRE ATT&CK TECHNIQUE: Native API-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<Image name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,Level=4,Alert=AT.EXE Task Scheduler Network Connection,Risk=30" condition="image">at.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,Level=4,Alert=SCHTasks.exe Task Scheduler Network Connection,Risk=30" condition="image">schtasks.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,DS=Network Traffic: Network Connection Creation,Level=4,Alert=AT.EXE Task Scheduler Network Connection,Risk=30" condition="image">at.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,DS=Network Traffic: Network Connection Creation,Level=4,Alert=SCHTasks.exe Task Scheduler Network Connection,Risk=30" condition="image">schtasks.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
 			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
 			<!--MITRE ATT&CK TECHNIQUE: System Services-->
@@ -2296,39 +2297,39 @@
 			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
 			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Temp file location network connection,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Temp file location network connection,Risk=30" groupRelation="and">
 				<Image condition="contains">\temp\</Image>
 				<DestinationIp condition="excludes any">127.0.0.1</DestinationIp>		
 			</Rule>
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from wwwroot folder: Possible webshell,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from wwwroot folder: Possible webshell,Risk=100" groupRelation="and">
 				<Image condition="contains">\wwwroot\</Image>
 			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from Windows\repair Folder,Risk=70" condition="begin with">C:\Windows\repair\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from htdocs folder,Risk=70" condition="contains">\htdocs\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network Connection from systemprofile Folder,Risk=30" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from Intel logs,Risk=100" condition="begin with">C:\Intel\Logs\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from Windows\Addins Folder,Risk=70" condition="begin with">C:\Windows\addins\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from Windows\security Folder,Risk=100" condition="begin with">C:\Windows\security\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection from windows help folder,Risk=70" condition="begin with">C:\Windows\Help\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection in Recycle Bin,Level=4,Alert=Suspicious network connection from Recycle bin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection in Windows Debug folder,Risk=100" condition="begin with">C:\Windows\Debug\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Network connection in Windows Font folder,Risk=100" condition="begin with">C:\Windows\Fonts\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Perflogs unusual network connection,Risk=70" condition="begin with">C:\PerfLogs\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=4,Alert=Unusual network connection from Recycle bin,Risk=100" condition="contains">:\$Recycle.bin\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network Connection from Default User folder,Risk=30" condition="contains">:\Users\Default\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network Connection from NetworkService User folder,Risk=30" condition="begin with">C:\Users\NetworkService\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network connection from Public User folder,Risk=30" condition="begin with">C:\Users\Public\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Level=0,Desc=Network connection within Media Folder,Risk=30" condition="begin with">C:\Windows\Media\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Input Method Network Connection" condition="contains">\Windows\IME\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Programdata Network Connection" condition="begin with">C:\ProgramData</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from Windows\repair Folder,Risk=70" condition="begin with">C:\Windows\repair\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from htdocs folder,Risk=70" condition="contains">\htdocs\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from systemprofile Folder,Risk=30" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from Intel logs,Risk=100" condition="begin with">C:\Intel\Logs\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from Windows\Addins Folder,Risk=70" condition="begin with">C:\Windows\addins\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from Windows\security Folder,Risk=100" condition="begin with">C:\Windows\security\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from windows help folder,Risk=70" condition="begin with">C:\Windows\Help\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Suspicious network connection from Recycle bin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection in Windows Debug folder,Risk=100" condition="begin with">C:\Windows\Debug\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection in Windows Font folder,Risk=100" condition="begin with">C:\Windows\Fonts\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Perflogs unusual network connection,Risk=70" condition="begin with">C:\PerfLogs\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Unusual network connection from Recycle bin,Risk=100" condition="contains">:\$Recycle.bin\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network Connection from Default User folder,Risk=30" condition="contains">:\Users\Default\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network Connection from NetworkService User folder,Risk=30" condition="begin with">C:\Users\NetworkService\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network connection from Public User folder,Risk=30" condition="begin with">C:\Users\Public\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network connection within Media Folder,Risk=30" condition="begin with">C:\Windows\Media\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Input Method Network Connection" condition="contains">\Windows\IME\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Programdata Network Connection" condition="begin with">C:\ProgramData</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
 			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
-			<Rule name="Attack=T1027.004,Tactic=Defense Evasion,Technique=Compile After Delivery,Level=4,Alert=CSC Network Conections" groupRelation="and">
+			<Rule name="Attack=T1027.004,Tactic=Defense Evasion,Technique=Compile After Delivery,DS=Network Traffic: Network Connection Creation,Level=4,Alert=CSC Network Conections" groupRelation="and">
 				<Image condition="image">CSC.exe</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
@@ -2339,24 +2340,24 @@
 			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
 			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
-			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=0,Desc=infDefaultInstall Network Connection" condition="image">infDefaultInstall.exe</Image>
-			<Image name="Attack=T1218,Technique=Control Panel,Tactic=Defense Evasion,Level=0,Desc=Control Panel network connection" condition="image">SyncAppvPublishingServer.exe</Image>
+			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=infDefaultInstall Network Connection" condition="image">infDefaultInstall.exe</Image>
+			<Image name="Attack=T1218,Technique=Control Panel,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Control Panel network connection" condition="image">SyncAppvPublishingServer.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Installutil-->
-			<Image name="Attack=T1218.004,Technique=InstallUtil,Tactic=Defense Evasion,Level=4,Alert=InstallUtil network connection" condition="image">InstallUtil.exe</Image>
+			<Image name="Attack=T1218.004,Technique=InstallUtil,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=InstallUtil network connection" condition="image">InstallUtil.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Msiexec-->
-			<Image name="Attack=T1218.007,Technique=MSIExec,Tactic=Defense Evasion,Level=4,Alert=MSIExec Network connection,Risk=70" condition="image">msiexec.exe</Image>
+			<Image name="Attack=T1218.007,Technique=MSIExec,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=MSIExec Network connection,Risk=70" condition="image">msiexec.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvcs/regasm-->
-			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Level=4,Alert=RegAsm shellcode C2 connection" groupRelation="and">
+			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Network Traffic: Network Connection Creation,Level=4,Alert=RegAsm shellcode C2 connection" groupRelation="and">
 				<Image condition="contains any">regasm.exe;regsvcs.exe</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Mavinject-->
-			<Image name="Attack=T1218.013,Technique=Signed Binary Proxy Execution: Mavinject,Tactic=Execution,Level=4,Alert=Mavinject detected,Risk=80" condition="image">Mavinject.exe</Image>
+			<Image name="Attack=T1218.013,Technique=Signed Binary Proxy Execution: Mavinject,Tactic=Execution,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Mavinject detected,Risk=80" condition="image">Mavinject.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
 			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
 			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
-			<Rule name="Attack=T1127,Tactic=Defense Evasion,Technique=Signed Binary Proxy Execution,Level=4,Alert=MSBuild Network Conections" groupRelation="and">
+			<Rule name="Attack=T1127,Tactic=Defense Evasion,Technique=Signed Binary Proxy Execution,DS=Network Traffic: Network Connection Creation,Level=4,Alert=MSBuild Network Conections" groupRelation="and">
 				<Image condition="image">msbuild.exe</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
@@ -2395,7 +2396,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
 			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
-			<Image name="Attack=T1482,Technique=Domain Trust Discovery,Tactic=Discovery,Level=0,Desc=DSQuery network connection" condition="image">dsquery.exe</Image>
+			<Image name="Attack=T1482,Technique=Domain Trust Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DSQuery network connection" condition="image">dsquery.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
@@ -2408,17 +2409,17 @@
 			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
 			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
-			<Image name="Attack=T1518,Technique=Software Discovery,Tactic=Discovery,Level=0,Desc=DriverQuery Network Connection" condition="image">driverquery.exe</Image>
+			<Image name="Attack=T1518,Technique=Software Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DriverQuery Network Connection" condition="image">driverquery.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
-			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=4,Alert=NBTSTAT Query,Risk=30" condition="image">nbtstat.exe</Image>
+			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=4,Alert=NBTSTAT Query,Risk=30" condition="image">nbtstat.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
-			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net.exe</Image>
-			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net1.exe</Image>
+			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net.exe</Image>
+			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net1.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
-			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=QWinsta User enumeration,Risk=30" condition="image">qwinsta.exe</Image>
-			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=3,Alert=RWinsta Forced User Logoff,Risk=30" condition="image">rwinsta.exe</Image>
+			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=2,Alert=QWinsta User enumeration,Risk=30" condition="image">qwinsta.exe</Image>
+			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=3,Alert=RWinsta Forced User Logoff,Risk=30" condition="image">rwinsta.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
@@ -2429,7 +2430,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
 			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
 			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
-			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Suspicious RDP Connection 3389,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Suspicious RDP Connection 3389,Risk=70" groupRelation="and">
 				<Initiated>true</Initiated>
 				<DestinationPort condition="is">3389</DestinationPort>
 				<Image condition="excludes">AutomationManager.ScriptRunner64.exe</Image>
@@ -2457,7 +2458,7 @@
 				<Image condition="excludes">thor64.exe</Image>
 				<Image condition="excludes">thor.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Suspicious RDP Connection 3391,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Suspicious RDP Connection 3391,Risk=70" groupRelation="and">
 				<Initiated>true</Initiated>
 				<DestinationPort condition="is">3391</DestinationPort>
 				<Image condition="excludes">AutomationManager.ScriptRunner64.exe</Image>
@@ -2485,42 +2486,42 @@
 				<Image condition="excludes">thor64.exe</Image>
 				<Image condition="excludes">thor.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Localhost RDP Tunneling Detection,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Localhost RDP Tunneling Detection,Risk=70" groupRelation="and">
 				<Initiated>true</Initiated>
 				<DestinationPort condition="is">3389</DestinationPort>
 				<DestinationIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</DestinationIp>
 			</Rule>
-			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,Level=3,Alert=Link-Local RDP Tunnel Detection,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Link-Local RDP Tunnel Detection,Risk=70" groupRelation="and">
 				<Initiated>true</Initiated>
 				<DestinationPort condition="is">3389</DestinationPort>
 				<DestinationIp condition="begin with">fe80:0</DestinationIp>
 			</Rule>
-			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=SSH Connection with Putty,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=SSH Connection with Putty,Risk=80" groupRelation="and">
 				<Image condition="contains any">putty.exe;kitty.exe;kitty_portable.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Windows Remote Management connection,Risk=0" groupRelation="and">
+			<Rule name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Windows Remote Management connection,Risk=0" groupRelation="and">
 				<Image condition="image">wsmprovhost.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=PSFTP Connection,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=PSFTP Connection,Risk=70" groupRelation="and">
 				<Image condition="image">psftp.exe</Image>
 			</Rule>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote Registry via command line,Risk=30" condition="image">reg.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote Registry via command line,Risk=80" condition="contains">psshutdown</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote password change with PSPasswd,Risk=80" condition="contains">PsPasswd</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Remote querying of services,Risk=80" condition="contains">psservice</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=SSH Connection with ssh.exe,Risk=30" condition="image">ssh.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Sysinternals PSEXE Tools,Risk=100" condition="contains">psexe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=TSFTP Connection,Risk=70" condition="image">tftp.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=Telnet Connection,Risk=30" condition="image">telnet.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=MSTSC Remote Desktop Connection" condition="image">mstsc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Remote WMIC commands,Risk=30" condition="image">wmic.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=SC.exe Network Connection" condition="image">sc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=0,Desc=Sysinternals PSKILL Tools,Risk=80" condition="contains">pskill</Image>
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=0,Desc=DSQuery network connection" condition="image">dsquery.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=3,Alert=Automated SSH Connection with Putty PLink,Risk=30" condition="image">plink.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=VNC" condition="image">vnc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=VNC Viewer" condition="image">vncviewer.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=VNC Service" condition="image">vncservice.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote Registry via command line,Risk=30" condition="image">reg.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote Registry via command line,Risk=80" condition="contains">psshutdown</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote password change with PSPasswd,Risk=80" condition="contains">PsPasswd</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote querying of services,Risk=80" condition="contains">psservice</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=SSH Connection with ssh.exe,Risk=30" condition="image">ssh.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Sysinternals PSEXE Tools,Risk=100" condition="contains">psexe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=TSFTP Connection,Risk=70" condition="image">tftp.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Telnet Connection,Risk=30" condition="image">telnet.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=MSTSC Remote Desktop Connection" condition="image">mstsc.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Remote WMIC commands,Risk=30" condition="image">wmic.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=SC.exe Network Connection" condition="image">sc.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Sysinternals PSKILL Tools,Risk=80" condition="contains">pskill</Image>
+			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DSQuery network connection" condition="image">dsquery.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Automated SSH Connection with Putty PLink,Risk=30" condition="image">plink.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=VNC" condition="image">vnc.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=VNC Viewer" condition="image">vncviewer.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=VNC Service" condition="image">vncservice.exe</Image>
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement" condition="image">omniinet.exe</Image>
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement" condition="image">hpsmhd.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
@@ -2548,11 +2549,11 @@
 			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
 
 			<!--MITRE ATT&CK TACTIC: Command and Control-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Cobalt Strike Team Server port,Risk=70" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Cobalt Strike Team Server port,Risk=70" groupRelation="and">
 				<DestinationPort condition="is">50050</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Outbound SMTP Email Sending,Risk=10" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Outbound SMTP Email Sending,Risk=10" groupRelation="and">
 				<DestinationPort condition="is">25</DestinationPort>
 				<Image condition="excludes any">\Bin\EdgeTransport.exe;Bin\MSExchangeFrontendTransport.exe</Image>
 				<Initiated>true</Initiated>
@@ -2565,26 +2566,26 @@
 			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
 			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Rule name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Powershell Network Connection,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Powershell Network Connection,Risk=30" groupRelation="and">
 				<Image condition="image">powershell.exe</Image>
 				<DestinationIp condition="excludes any">0:0:0:0:0:0:0:;127.0.0.1</DestinationIp>
 			</Rule>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command And Control,Level=3,Alert=MSHTA Network Connection,Risk=100" condition="image">mshta.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=CMD Prompt network Connection,Risk=20" condition="image">cmd.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Certutil Connecting to network,Risk=20" condition="image">certutil.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Bitsadmin Connecting to network,Risk=20" condition="image">certutil.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=Notepad Network Connection" condition="image">notepad.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=RegSVCS Network Connection,Risk=30" condition="image">regsvcs.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=RegSVR32 Network Connection,Risk=30" condition="image">regsvr32.exe</Image> 
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=RunDLL32 Network Connection,Risk=30" condition="image">rundll32.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=MSHTA Network Connection,Risk=100" condition="image">mshta.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=CMD Prompt network Connection,Risk=20" condition="image">cmd.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Certutil Connecting to network,Risk=20" condition="image">certutil.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Bitsadmin Connecting to network,Risk=20" condition="image">certutil.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Notepad Network Connection" condition="image">notepad.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=RegSVCS Network Connection,Risk=30" condition="image">regsvcs.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=RegSVR32 Network Connection,Risk=30" condition="image">regsvr32.exe</Image> 
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=RunDLL32 Network Connection,Risk=30" condition="image">rundll32.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
 			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
 			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
 			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
 			<!--MITRE ATT&CK TECHNIQUE: Proxy: Multi-hop Proxy-->
-			<Image name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=3,Alert=Tor Connection" condition="image">tor.exe</Image>
-			<DestinationHostname name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=3,Alert=Tor2Web,Risk=100" condition="contains any">hiddenservice.net;onion.city;onion.direct;onion.direct;onion.link;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org;onion.to</DestinationHostname>
+			<Image name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Tor Connection" condition="image">tor.exe</Image>
+			<DestinationHostname name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Tor2Web,Risk=100" condition="contains any">hiddenservice.net;onion.city;onion.direct;onion.direct;onion.link;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org;onion.to</DestinationHostname>
 			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
 			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
 			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
@@ -2593,16 +2594,16 @@
 			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
 			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=DNS Over HTTPS" condition="contains any">dns.google;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;doh.opendns.com;.quad9.net;dns.cleanbrowsing.org;dns-family.adguard.com;dns.adguard.com;.233py.com;dnscrypt;dnscrypt-cert.oszx.co;dns.oszx.co;doh.dns.sb;doh.defaultroutes.de;doh.tiarap.org;doh.tiar.app;doh.captnemo.in;.aaflalo.me;doh.appliedprivacy.net;doh.dnswarden.com;commons.host;dns.twnic.tw;ibuki.cgnat.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;.seby.io;rdns.faelix.net;doh.li;.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk;adblock.mydns.network;ibksturm.synology.me;jcdns.fun</DestinationHostname>
+			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DNS Over HTTPS" condition="contains any">dns.google;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;doh.opendns.com;.quad9.net;dns.cleanbrowsing.org;dns-family.adguard.com;dns.adguard.com;.233py.com;dnscrypt;dnscrypt-cert.oszx.co;dns.oszx.co;doh.dns.sb;doh.defaultroutes.de;doh.tiarap.org;doh.tiar.app;doh.captnemo.in;.aaflalo.me;doh.appliedprivacy.net;doh.dnswarden.com;commons.host;dns.twnic.tw;ibuki.cgnat.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;.seby.io;rdns.faelix.net;doh.li;.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk;adblock.mydns.network;ibksturm.synology.me;jcdns.fun</DestinationHostname>
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
 			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=privatlab.com Cloud Exfiltration" condition="contains all">privatlab.com</DestinationHostname>
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=3,Alert=Mega.co.nz Cloud Exfiltration" condition="contains any">mega.nz;mega.co.nz</DestinationHostname>
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=3,Alert=PCloud Cloud storage Exfiltration" condition="contains any">.pcloud.com</DestinationHostname>
+			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Desc=privatlab.com Cloud Exfiltration" condition="contains all">privatlab.com</DestinationHostname>
+			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Mega.co.nz Cloud Exfiltration" condition="contains any">mega.nz;mega.co.nz</DestinationHostname>
+			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=3,Alert=PCloud Cloud storage Exfiltration" condition="contains any">.pcloud.com</DestinationHostname>
 			<!--MITRE ATT&CK TACTIC: Impact-->
 			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
 			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
@@ -2615,11 +2616,11 @@
 			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
 			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
+			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<!--UEBA Rules-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Inbound Windows SVCHost Network Connection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Inbound Windows SVCHost Network Connection" groupRelation="and">
 				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
 				<DestinationPort condition="is not">3389</DestinationPort>
 				<DestinationPort condition="is not">22</DestinationPort>
@@ -2627,24 +2628,24 @@
 				<DestinationPort condition="is not">5985</DestinationPort>
 				<Initiated>false</Initiated>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Outbound Windows SVCHost Network Connection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Outbound Windows SVCHost Network Connection" groupRelation="and">
 				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
 				<Initiated>true</Initiated>
 				<SourcePort condition="is not">135</SourcePort>
 				<SourcePort condition="is not">445</SourcePort>
 				<DestinationPort condition="is not">5985</DestinationPort>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Outbound Non-System port 445 SMB connections" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Outbound Non-System port 445 SMB connections" groupRelation="and">
 				<Image condition="is not">System</Image>
 				<Image condition="excludes">svchost.exe</Image>
 				<DestinationPort condition="is">445</DestinationPort>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Outbound Non-System port 389 LDAP connections" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Outbound Non-System port 389 LDAP connections" groupRelation="and">
 				<Image condition="is not">System</Image>
 				<Image condition="excludes any">svchost.exe;lsass.exe</Image>
 				<DestinationPort condition="is">389</DestinationPort>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Inbound LDAP Connections" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Inbound LDAP Connections" groupRelation="and">
 				<Image condition="image">C:\Windows\System32\lsass.exe</Image>
 				<DestinationPort condition="is">389</DestinationPort>
 				<DestinationIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</DestinationIp>
@@ -2652,105 +2653,105 @@
 				<SourceIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</SourceIp>
 				<Initiated>false</Initiated>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Notepad connecting to the internet" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Notepad connecting to the internet" groupRelation="and">
 				<Image condition="image">notepad.exe</Image>
 				<DestinationIp condition="excludes">127.0.0.1</DestinationIp>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Browsers accessing non-standard ports" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Browsers accessing non-standard ports" groupRelation="and">
 				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
 				<DestinationPort condition="is not">80</DestinationPort>
 				<DestinationPort condition="is not">443</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Connection to Github,Risk=30" condition="contains">github</DestinationHostname> 
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Connection to Github,Risk=30" condition="contains">githubusercontent.com</DestinationHostname>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Web Browser HTTP Connections" groupRelation="and">
+			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Connection to Github,Risk=30" condition="contains">github</DestinationHostname> 
+			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Connection to Github,Risk=30" condition="contains">githubusercontent.com</DestinationHostname>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Web Browser HTTP Connections" groupRelation="and">
 				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe</Image>
 				<DestinationPort condition="is">80</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Web Browser HTTPS Connections" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Web Browser HTTPS Connections" groupRelation="and">
 				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe</Image>
 				<DestinationPort condition="is">443</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Apache Webserver" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Apache Webserver" groupRelation="and">
 				<Image condition="image">apache.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=JAVA Network Connections" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=JAVA Network Connections" groupRelation="and">
 				<Image condition="image">java.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Microsoft IIS Webserver" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Microsoft IIS Webserver" groupRelation="and">
 				<Image condition="image">w3wp.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=PHP Webserver" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=PHP Webserver" groupRelation="and">
 				<Image condition="contains any">\php-cgi.exe;\php.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Setup Network connectivity" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Setup Network connectivity" groupRelation="and">
 				<Image condition="contains">setup</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Tomcat Webserver connectivity" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Tomcat Webserver connectivity" groupRelation="and">
 				<Image condition="contains">tomcat</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Uninstaller Network connectivity" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Uninstaller Network connectivity" groupRelation="and">
 				<Image condition="contains">unins</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Unknown Process Connecting to network" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Unknown Process Connecting to network" groupRelation="and">
 				<Image condition="contains">unknown process</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Explorer Network Connection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Windows Explorer Network Connection" groupRelation="and">
 				<Image condition="image">explorer.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows SMTP Server" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Windows SMTP Server" groupRelation="and">
 				<Image condition="image">inetinfo.exe</Image>
 			</Rule>
 			<!--3rd Party tools-->
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Netcat network connection Detected" condition="contains any">netcat.exe;nc.exe;nc64.exe;ncat.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Procdump Detected" condition="contains any">procdump</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=PSExec Network Connection" condition="contains any">psexe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=VNC Network Connection" condition="contains any">vnc;vncs;vncv</Image>
-			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Netcat network connection Detected" condition="contains any">netcat.exe;nc.exe;nc64.exe;ncat.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Procdump Detected" condition="contains any">procdump</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=PSExec Network Connection" condition="contains any">psexe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC Network Connection" condition="contains any">vnc;vncs;vncv</Image>
+			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
 				<Image condition="contains any">rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe;advanced_port_scanner.exe;rcpping.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe</Image>
 			</Rule>
 			<!--Destination Ports to Monitor-->
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Port: 0" condition="is">0</DestinationPort>
-			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5985</DestinationPort>
-			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5986</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IPSec" condition="is">1293</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=L2TP" condition="is">1701</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=OpenVPN,Risk=39" condition="is">1194</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Assistance Connection,Risk=20" condition="is">3540</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Desktop Connection,Risk=20" condition="is">3389</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SSH Port,Risk=30" condition="is">22</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Socks Proxy Port 1080" condition="is">1080</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Socks Proxy Port 3128" condition="is">3128</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Socks Proxy Port 8080" condition="is">8080</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=TOR Port" condition="is">1723</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Telnet Port,Risk=30" condition="is">23</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Tor Port" condition="is">4500</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Tor Port,Risk=50" condition="is">9001</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Tor Port,Risk=50" condition="is">9030</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=VNC Port" condition="is">5900</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=VNC,Risk=50" condition="is">5800</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Port: 0" condition="is">0</DestinationPort>
+			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5985</DestinationPort>
+			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5986</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=IPSec" condition="is">1293</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=L2TP" condition="is">1701</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=OpenVPN,Risk=39" condition="is">1194</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Remote Assistance Connection,Risk=20" condition="is">3540</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Remote Desktop Connection,Risk=20" condition="is">3389</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=SSH Port,Risk=30" condition="is">22</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Socks Proxy Port 1080" condition="is">1080</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Socks Proxy Port 3128" condition="is">3128</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Socks Proxy Port 8080" condition="is">8080</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=TOR Port" condition="is">1723</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Telnet Port,Risk=30" condition="is">23</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Tor Port" condition="is">4500</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Tor Port,Risk=50" condition="is">9001</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Tor Port,Risk=50" condition="is">9030</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC Port" condition="is">5900</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC,Risk=50" condition="is">5800</DestinationPort>
 			<!--Source Ports to Monitor-->
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Port: 0" condition="is">0</SourcePort>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Non-Browsers Accessing HTTPS" groupRelation="and">
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Port: 0" condition="is">0</SourcePort>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Non-Browsers Accessing HTTPS" groupRelation="and">
 				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
 				<DestinationPort condition="is">443</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Non-Browsers Accessing HTTP" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Non-Browsers Accessing HTTP" groupRelation="and">
 				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
 				<DestinationPort condition="is">80</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=HTTP" condition="is">80</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=HTTPS" condition="is">443</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=LDAPS" condition="is">636</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=VNC" condition="is">5900</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=HTTPS" condition="is">443</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTP" condition="is">80</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTPS" condition="is">443</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=LDAPS" condition="is">636</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC" condition="is">5900</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTPS" condition="is">443</SourcePort>
 			<!--Suspicious network connections-->
-			<DestinationHostname name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=4,Alert=Dynamic DNS Connection" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</DestinationHostname>
+			<DestinationHostname name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Dynamic DNS Connection" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</DestinationHostname>
 		</NetworkConnect>
 	</RuleGroup>
 	<RuleGroup name="RG=NetworkConnect Exclude Group" groupRelation="or">
@@ -2886,7 +2887,7 @@
 			<Image condition="image">MSExchangeFrontendTransport.exe</Image>
 			<Image condition="image">MSExchangeHMWorker.exe</Image>
 			<Image condition="image">MSExchangeSubmission.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=UNC Path Network Connections" condition="begin with">\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=UNC Path Network Connections" condition="begin with">\</Image>
 			<!--SECTION: Antivirus Exclusions -->
 			<Rule name="Antivirus Exclusions" groupRelation="or">
 				<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab</Image> 
@@ -2905,18 +2906,18 @@
 		<!--COMMENT:	Useful data in building infection timelines.-->
 		<RuleGroup name="RG=ProcessTerminate Include Group" groupRelation="or">
 		<ProcessTerminate onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination Events in Windows Directory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in Windows Directory" groupRelation="and">
 				<Image condition="begin with">C:\Windows\</Image>
 				<Image condition="excludes">\System32\;Syswow64;sysmon.exe;sysmon64.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination Events in System32" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in System32" groupRelation="and">
 				<Image condition="begin with">C:\Windows\system32\</Image>
 				<Image condition="excludes">config\systemprofile\</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination of Sysmon" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination of Sysmon" groupRelation="and">
 				<Image condition="contains any">C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination Events in Root folders" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in Root folders" groupRelation="and">
 				<Image condition="contains any">A:\;B:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;L:\;M:\;N:\;O:\;P:\;Q:\;R:\;S:\;T:\;U:\;V:\;W:\;X:\;Y:\;Z:\;AA:\;BB:\;CC:\;DD:\;EE:\;FF:\;GG:\;HH:\;II:\;JJ:\;KK:\;LL:\;MM:\;NN:\;OO:\;PP:\;QQ:\;RR:\;SS:\;TT:\;UU:\;VV:\;WW:\;XX:\;YY;ZZ:\</Image>
 				<Image condition="excludes">:\PROGRA~</Image>
 				<Image condition="excludes">:\Program Files</Image>
@@ -2930,29 +2931,29 @@
 				<Image condition="excludes">:\$WinREAgent</Image>
 				<Image condition="excludes">:\inetpub\</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination Events of UNC File Paths" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events of UNC File Paths" groupRelation="and">
 				<Image condition="begin with">\</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination Events in Users Directory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in Users Directory" groupRelation="and">
 				<Image condition="begin with">C:\Users\</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination Events in ProgramData Directory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in ProgramData Directory" groupRelation="and">
 				<Image condition="begin with">C:\ProgramData\</Image>
 				<Image condition="excludes any">C:\ProgramData\sysmon\sysmon64.exe;C:\ProgramData\sysmon\sysmon.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination Events in Program Files Directories" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in Program Files Directories" groupRelation="and">
 				<Image condition="contains any">C:\Program Files;C:\PROGRA~</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination Events in inetpub Directories" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in inetpub Directories" groupRelation="and">
 				<Image condition="begin with">C:\inetpub\</Image>
 			</Rule>
 		<!-- Useful data in building infection timelines.-->
-			<Image name="Attack=T1036,Tactic=Masquerading,Technique=Defense Evasion,Level=4,Alert=Process Termination in Recyclebin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
-			<Image name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=0,Desc=Process Terminate: Killing of Log Shippers" condition="contains any">packetbeat.exe;metricbeat.exe;filebeat.exe;winlogbeat.exe;o365beat.exe;graylog-sidecar.exe;graylog-collector-sidecar.exe;splunkd.exe;splunk.exe;syslogng.exe;syslog-ng.exe;nxlog-processor.exe;snarecore.exe;fluentd;td-agent</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\sysWOW64\config\systemprofile\</Image>
+			<Image name="Attack=T1036,Tactic=Masquerading,Technique=Defense Evasion,DS=Process: Process Termination,Level=4,Alert=Process Termination in Recyclebin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
+			<Image name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,DS=Process: Process Termination,Level=0,Desc=Process Terminate: Killing of Log Shippers" condition="contains any">packetbeat.exe;metricbeat.exe;filebeat.exe;winlogbeat.exe;o365beat.exe;graylog-sidecar.exe;graylog-collector-sidecar.exe;splunkd.exe;splunk.exe;syslogng.exe;syslog-ng.exe;nxlog-processor.exe;snarecore.exe;fluentd;td-agent</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\sysWOW64\config\systemprofile\</Image>
 			<Image condition="contains">\Temp\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User Process Terminations" condition="contains">C:\Users\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=User Process Terminations" condition="contains">C:\Users\</Image>
 		</ProcessTerminate>
 	</RuleGroup>
 	<RuleGroup name="RG=ProcessTerminate Exclude Group" groupRelation="or">
@@ -2966,25 +2967,25 @@
 	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
 	<RuleGroup name="RG=DriverLoad Include Group" groupRelation="or">
 		<DriverLoad onmatch="include">
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst driver hashes,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Driver: Driver Load,Level=4,Alert=Solarwinds/FireEye sunburst driver hashes,Risk=100" groupRelation="and">
 				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
 			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Vulnerable Dell Drivers Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Driver: Driver Load,Level=4,Alert=Vulnerable Dell Drivers Detected,Risk=100" groupRelation="and">
 				<Hashes condition="contains any">0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5;c948ae14761095e4d76b55d9de86412258be7afd;c996d7971c49252c582171d9380360f2;ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1;10b30bdee43b3a2ec4aa63375577ade650269d25;d2fd132ab7bbc6bbb87a84f026fa0244</Hashes><!-- exclude non executable files -->
 			</Rule>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=DumpExt.dll driver loaded,Risk=100" condition="contains">DumpExt.dll</ImageLoaded>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=Mimikatz driver loaded,Risk=100" condition="contains">mimidrv</ImageLoaded>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=PWDump6 driver loaded,Risk=100" condition="contains">lsremora</ImageLoaded>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=4,Alert=wceaux.dll driver loaded,Risk=100" condition="contains">wceaux.dll</ImageLoaded>
-			<ImageLoaded name="Attack=T1040,Tactic=Discovery,Technique=Network Sniffing,Level=4,Alert=NPCap packet capture driver loaded,Risk=100" condition="contains">npcap</ImageLoaded>
-			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Driver Loaded in Temp" condition="contains">\Temp</ImageLoaded>
-			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Driver Loaded in Users Directories" condition="contains">:\Users</ImageLoaded>
-			<Signature name="Attack=T1019,Technique=System Firmware,Tactic=Persistence,Level=4,Alert=UEFI Rootkit detection,Risk=100" condition="contains">ChongKim Chan</Signature>
+			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=DumpExt.dll driver loaded,Risk=100" condition="contains">DumpExt.dll</ImageLoaded>
+			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=Mimikatz driver loaded,Risk=100" condition="contains">mimidrv</ImageLoaded>
+			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=PWDump6 driver loaded,Risk=100" condition="contains">lsremora</ImageLoaded>
+			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=wceaux.dll driver loaded,Risk=100" condition="contains">wceaux.dll</ImageLoaded>
+			<ImageLoaded name="Attack=T1040,Tactic=Discovery,Technique=Network Sniffing,DS=Driver: Driver Load,Level=4,Alert=NPCap packet capture driver loaded,Risk=100" condition="contains">npcap</ImageLoaded>
+			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Driver Loaded in Temp" condition="contains">\Temp</ImageLoaded>
+			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Driver Loaded in Users Directories" condition="contains">:\Users</ImageLoaded>
+			<Signature name="Attack=T1019,Technique=System Firmware,Tactic=Persistence,DS=Driver: Driver Load,Level=4,Alert=UEFI Rootkit detection,Risk=100" condition="contains">ChongKim Chan</Signature>
 			<SignatureStatus condition="contains">?</SignatureStatus>
 			<SignatureStatus condition="contains">Revoked</SignatureStatus>
 			<SignatureStatus condition="contains">Unavailable</SignatureStatus>
 			<SignatureStatus condition="contains">Valid</SignatureStatus>
-			<Signed name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Unsigned Driver loaded into Kernel" condition="contains">false</Signed>
+			<Signed name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Unsigned Driver loaded into Kernel" condition="contains">false</Signed>
 		</DriverLoad>
 	</RuleGroup>
 	<RuleGroup name="RG=DriverLoad Exclude Group" groupRelation="or">
@@ -2998,136 +2999,136 @@
 		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
 	<RuleGroup name="RG=Image Load Includes" groupRelation="or">
 		<ImageLoad onmatch="include">
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=MSDT Loading diagnostic library: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Module: Module Load,Level=4,Alert=MSDT Loading diagnostic library: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
 				<Image condition="image">msdt.exe</Image>
 				<ImageLoaded condition="contains">sdiageng.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=VBE7 Macro Image Loads with wshom,Risk=70" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=VBE7 Macro Image Loads with wshom,Risk=70" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wshom.ocx</ImageLoaded>
 				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Process Loading ntkrnlmp.exe,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Suspicious Process Loading ntkrnlmp.exe,Risk=50" groupRelation="and">
 				<ImageLoaded condition="image">ntkrnlmp.exe</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,CVE=CVE-2021-1675,Level=0,Desc=Printer Expoit,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,CVE=CVE-2021-1675,DS=Module: Module Load,Level=0,Desc=Printer Expoit,Risk=100" groupRelation="and">
 				<ImageLoaded condition="contains any">\spool\drivers\x64\3\;\spool\drivers\W32X86\3\;\spool\drivers\IA64\3\</ImageLoaded>
 				<Image condition="contains any">spoolsv.exe;printisolationhost.exe</Image>
 				<SignatureStatus condition="excludes">Valid</SignatureStatus>
 				<Company condition="excludes any">Brother Industries;Canon;Sharp;Microsoft Corporation;DYMO;Euro Plus d.o.o;HP Inc;Hewlett-Packard</Company>
 			</Rule>
-			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,Level=0,Desc=DLL Image Load by System in Suspicious Locations" groupRelation="and">
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Module: Module Load,Level=0,Desc=DLL Image Load by System in Suspicious Locations" groupRelation="and">
 				<Image condition="begin with">C:\Windows\</Image>
 				<ImageLoaded condition="contains any">\Users\Public\;\Desktop\;\Downloads\;\AppData\Local\Temp\;\PerfLogs\;$Recycle;\Fonts\</ImageLoaded>
 				<ImageLoaded condition="excludes any">\Program Files</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Equation editor loading itself,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Equation editor loading itself,Risk=50" groupRelation="and">
 				<Image condition="image">EQNEDT32.EXE</Image>
 				<ImageLoaded condition="contains">EQNEDT32.EXE</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=Windows Active Directory Services DLL Loading in Susicious Directories,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Module: Module Load,Level=2,Alert=Windows Active Directory Services DLL Loading in Susicious Directories,Risk=100" groupRelation="and">
 				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
 				<Image condition="contains any">C:\Users;\Temp\;\ProgramData\</Image>
 			</Rule>
-			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Level=2,Alert=Windows Active Directory Services DLL Loading by Suspicious Process,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Module: Module Load,Level=2,Alert=Windows Active Directory Services DLL Loading by Suspicious Process,Risk=100" groupRelation="and">
 				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
 				<Image condition="contains any">\wscript.exe;\cscript.exe;\powershell.exe;\powershell_ise.exe;\rundll32.exe;\msbuild.exe;\csc.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=VBE6 Macro Image Loads with wshom,Risk=40" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=VBE6 Macro Image Loads with wshom,Risk=40" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wshom.ocx</ImageLoaded>
 				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll;fastprox.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=VBE7 Macro Image Loads with wmi,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=VBE7 Macro Image Loads with wmi,Risk=30" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=VBE6 Macro Image Loads with wmi,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=VBE6 Macro Image Loads with wmi,Risk=50" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office taskschd.dll Load" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Office taskschd.dll Load" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="end with">taskschd.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WScript taskschd.dll Load" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=WScript taskschd.dll Load" groupRelation="and">
 				<Image condition="contains any">wscript.exe;cscript.exe</Image>
 				<ImageLoaded condition="end with">taskschd.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WMI taskschd.dll Load" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=WMI taskschd.dll Load" groupRelation="and">
 				<Image condition="image">wmiprvse.exe</Image>
 				<ImageLoaded condition="end with">taskschd.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powershell Loading MSI.dll" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Powershell Loading MSI.dll" groupRelation="and">
 				<Image condition="image">powershell.exe</Image>
 				<ImageLoaded condition="end with">msi.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powershell Loading AMSI.dll" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Powershell Loading AMSI.dll" groupRelation="and">
 				<Image condition="contains">powershell</Image>
 				<ImageLoaded condition="end with">amsi.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powershell Not Loading AMSI.dll" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Powershell Not Loading AMSI.dll" groupRelation="and">
 				<Image condition="excludes">powershell</Image>
 				<ImageLoaded condition="end with">amsi.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=1,Desc=Monitor logoncli.dll dll loads for injection - potential qbot activity" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=1,Desc=Monitor logoncli.dll dll loads for injection - potential qbot activity" groupRelation="and">
 				<ImageLoaded condition="end with">logoncli.dll</ImageLoaded>
 				<Image condition="is not">C:\Windows\System32\wbem\WmiPrvSE.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office clr.dll Load" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Office clr.dll Load" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
 				<ImageLoaded condition="end with">clr.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious clr windows management dll Load" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Suspicious clr windows management dll Load" groupRelation="and">
 				<ImageLoaded condition="contains all">clr.dll;System.Management.ni.dll;Microsoft.Build.Utilities</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Wscript Internet Access library Loads" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Wscript Internet Access library Loads" groupRelation="and">
 				<Image condition="contains any">wscript.exe;cscript.exe</Image>
 				<ImageLoaded condition="contains all">msxml;wshom.ocx</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Wscript Internet Access library Loads 2" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Wscript Internet Access library Loads 2" groupRelation="and">
 				<Image condition="contains any">wscript.exe;cscript.exe</Image>
 				<ImageLoaded condition="contains all">winhttp.dll;mswsock.dll;IPHLPAPI.DLL</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Interesting Installutil DLL Loads" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Interesting Installutil DLL Loads" groupRelation="and">
 				<Image condition="contains any">installutil.exe</Image>
 				<ImageLoaded condition="contains all">CustomMarshalers.dll;CustomMarshalers.ni.dll;System.Management.ni.dll;WMINet_Utils.dll;mswsock.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Automation NI DLL Loaded" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Automation NI DLL Loaded" groupRelation="and">
 				<ImageLoaded condition="end with">System.Management.Automation.ni.dll</ImageLoaded>
 				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Automation DLL Loaded" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Automation DLL Loaded" groupRelation="and">
 				<ImageLoaded condition="end with">System.Management.Automation.dll</ImageLoaded>
 				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
 				<ImageLoaded condition="excludes any">Lenovo.Vantage.AddinHost;\Microsoft.Sara.exe;C:\Program Files\CONEXANT</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Credential Manager DLL Loaded" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Credential Manager DLL Loaded" groupRelation="and">
 				<ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded>
 				<Image condition="excludes any">\svchost.exe;\GameBar.exe;C:\Program Files\WindowsApps;\Microsoft\Teams\current\Teams.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=UNC Path Image Loaded" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=UNC Path Image Loaded" groupRelation="and">
 				<ImageLoaded condition="begin with">\\</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WLL Office Application Startup" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=WLL Office Application Startup" groupRelation="and">
 				<ImageLoaded condition="contains">\Microsoft\Word\Startup\</ImageLoaded>
 				<ImageLoaded condition="end with">.wll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=XLL Office Application Startup" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=XLL Office Application Startup" groupRelation="and">
 				<ImageLoaded condition="contains">\Microsoft\Excel\Startup\</ImageLoaded>
 				<ImageLoaded condition="end with">.xll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Application Startup Generic" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Office Application Startup Generic" groupRelation="and">
 				<ImageLoaded condition="contains">\Microsoft\Addins\</ImageLoaded>
 				<ImageLoaded condition="contains any">.xla</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Defense Evasion,Level=4,Alert=Ransomware detected tor library,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Defense Evasion,DS=Module: Module Load,Level=4,Alert=Ransomware detected tor library,Risk=100" groupRelation="and">
 				<ImageLoaded condition="contains">tor-lib.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=Cred Dumping,Risk=90" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Module: Module Load,Level=0,Desc=Cred Dumping,Risk=90" groupRelation="and">
 				<ImageLoaded condition="is any">C:\Windows\System32\WinSCard.dll;C:\Windows\System32\cryptdll.dll;C:\Windows\System32\hid.dll;C:\Windows\System32\samlib.dll;C:\Windows\System32\vaultcli.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=Mimikatz Cred Dumping,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Module: Module Load,Level=0,Desc=Mimikatz Cred Dumping,Risk=100" groupRelation="and">
 				<Image condition="image">rundll32.exe</Image>
 				<ImageLoaded condition="contains all">vaultcli.dll;wlanapi.dll</ImageLoaded>
 				<ImageLoaded condition="excludes">combase.dll</ImageLoaded>
@@ -3141,14 +3142,14 @@
 				<ImageLoaded condition="excludes">shcore.dll</ImageLoaded>
 				<ImageLoaded condition="excludes">srvcli.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential C3 Framework,Risk=100" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Potential C3 Framework,Risk=100" groupRelation="and">
 				<ImageLoaded condition="contains all">odbc32.dll;winhttp.dll;netapi32.dll;SHLWAPI.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Explorer Loading Powershell in memory,Risk=100" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Explorer Loading Powershell in memory,Risk=100" groupRelation="and">
 				<Image condition="image">C:\Windows\Explorer.EXE</Image>
 				<ImageLoaded condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Programdata Image Loading exe Image from Programdata" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Programdata Image Loading exe Image from Programdata" groupRelation="and">
 				<Image condition="begin with">C:\ProgramData\</Image>
 				<ImageLoaded condition="begin with">C:\ProgramData\</ImageLoaded>
 				<ImageLoaded condition="end with">.exe</ImageLoaded>
@@ -3157,18 +3158,18 @@
 				<ImageLoaded condition="excludes">C:\ProgramData\Microsoft\Windows Defender\</ImageLoaded>
 				<ImageLoaded condition="excludes">C:\ProgramData\sysmon\sysmon64.exe</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Module: Module Load,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
 				<ImageLoaded condition="contains any">C:\Users\Default\;C:\Users\Public\</ImageLoaded>
 				<ImageLoaded condition="end with">.exe</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Module: Module Load,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
 				<ImageLoaded condition="contains any">C:\Users\Default\;C:\Users\Public\</ImageLoaded>
 				<ImageLoaded condition="end with">.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst image hashes,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Module: Module Load,Level=4,Alert=Solarwinds/FireEye sunburst image hashes,Risk=100" groupRelation="and">
 				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
 			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Sept 2022 Exchange 0day DLL detection,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Module: Module Load,Level=4,Alert=Sept 2022 Exchange 0day DLL detection,Risk=100" groupRelation="or">
 				<Hashes condition="contains">SHA256=074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82</Hashes><!--Exchange Zero Day Dropped DLL-->
 				<Hashes condition="contains">SHA256=45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9</Hashes><!--Exchange Zero Day Dropped DLL-->
 				<Hashes condition="contains">SHA256=9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0</Hashes><!--Exchange Zero Day Dropped DLL-->
@@ -3176,23 +3177,23 @@
 				<Hashes condition="contains">SHA256=c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2</Hashes><!--Exchange Zero Day Dropped DLL-->
 				<Hashes condition="contains">SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e</Hashes><!--Exchange Zero Day Dropped DLL-->
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SVCHost loading Unsigned DLL" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=SVCHost loading Unsigned DLL" groupRelation="and">
 				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
 				<Signed condition="is">false</Signed>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Revoked Signature Libraries Loaded" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Revoked Signature Libraries Loaded" groupRelation="and">
 				<SignatureStatus condition="is">Revoked</SignatureStatus>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Expired Signature Libraries Loaded" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Expired Signature Libraries Loaded" groupRelation="and">
 				<SignatureStatus condition="is">Expired</SignatureStatus>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=HTA Exec with IE JS Engine AMSI Bypass" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=4,Alert=HTA Exec with IE JS Engine AMSI Bypass" groupRelation="and">
 				<ImageLoaded condition="end with">jscript9.dll</ImageLoaded>
 				<Image condition="image">mshta.exe</Image>
 			</Rule>
 			<ImageLoaded condition="end with">scrobj.dll</ImageLoaded>
 			<ImageLoaded condition="end with">crypt0.dll</ImageLoaded>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=Wireless Credential Dumping" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Module: Module Load,Level=0,Desc=Wireless Credential Dumping" groupRelation="and">
 				<ImageLoaded condition="end with">C:\Windows\System32\wlanapi.dll</ImageLoaded>
 				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe</Image>
 				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe</Image>
@@ -3213,11 +3214,11 @@
 				<Image condition="excludes">C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_</Image>
 				<Image condition="excludes">C:\Windows\explorer.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=1,Desc=Unsigned Global Assembly Cache Load" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=1,Desc=Unsigned Global Assembly Cache Load" groupRelation="and">
 				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
 				<Signed condition="is">false</Signed>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=1,Desc=Signed Global Assembly Cache Load" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=1,Desc=Signed Global Assembly Cache Load" groupRelation="and">
 				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
 				<Signed condition="is">true</Signed>
 			</Rule>
@@ -3225,15 +3226,15 @@
 	</RuleGroup>
 	<RuleGroup name="RG=Image Load Excludes" groupRelation="or">
 		<ImageLoad onmatch="exclude">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=XLL Office Application Startup removal" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=XLL Office Application Startup removal" groupRelation="and">
 				<Image condition="contains">\Microsoft Office\</Image>
 				<ImageLoaded condition="end with">\mscorlib.ni.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=XLL Office Application Startup removal" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=XLL Office Application Startup removal" groupRelation="and">
 				<Image condition="contains">\Microsoft Office\</Image>
 				<ImageLoaded condition="end with">\sppc.dll</ImageLoaded>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SVCHost Signed DLL" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=SVCHost Signed DLL" groupRelation="and">
 				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
 				<Signed condition="is">true</Signed>
 			</Rule>
@@ -3277,41 +3278,41 @@
 	<RuleGroup name="RG=CreateRemoteThread Include Group" groupRelation="or">
 		<CreateRemoteThread onmatch="include">
 			<!--Custom Rules-->
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from lsass,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Modification,Level=4,Alert=Credential Dumping from lsass,Risk=100" groupRelation="and">
 				<StartAddress condition="is">0x001A0000</StartAddress>
 				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privledge Escalation,Level=4,Alert=CreateRemoteThread with msiexec,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privledge Escalation,DS=Process: Process Modification,Level=4,Alert=CreateRemoteThread with msiexec,Risk=100" groupRelation="and">
 				<SourceImage condition="contains any">msiexec.exe</SourceImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=Remote Thread Injection Targetting Web Browser,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=0,Desc=Remote Thread Injection Targetting Web Browser,Risk=70" groupRelation="and">
 				<TargetImage condition="contains any">chrome.exe;firefox.exe;edge.exe;browser_broker.exe;iexplore.exe;opera.exe</TargetImage>
 			</Rule>
-			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=0,Desc=LSASS Credential dumping,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Process: Process Modification,Level=0,Desc=LSASS Credential dumping,Risk=70" groupRelation="and">
 				<StartAddress condition="is">0x001A0000</StartAddress>
 				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
 			</Rule>
-			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,Level=0,Desc=Rundll32 LSASS Credential dumping,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Process: Process Modification,Level=0,Desc=Rundll32 LSASS Credential dumping,Risk=70" groupRelation="and">
 				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
 				<SourceImage condition="image">c:\windows\system32\rundll32.exe</SourceImage>
 			</Rule>
-			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,Level=4,Alert=Remote Thread Process debugging detected,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,DS=Process: Process Modification,Level=4,Alert=Remote Thread Process debugging detected,Risk=30" groupRelation="and">
 				<StartFunction condition="contains">DbgUiRemoteBreakin</StartFunction>
 				<TargetImage condition="excludes">nacl64.exe</TargetImage>
 			</Rule>
-			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,Level=0,Desc=Remote Query Debug info,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,DS=Process: Process Modification,Level=0,Desc=Remote Query Debug info,Risk=30" groupRelation="and">
 				<StartFunction condition="contains">QueryProcessDebugInformationRemote</StartFunction>
 				<TargetImage condition="excludes">nacl64.exe</TargetImage>
 			</Rule>
-			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,Tactic=Defense Evasion,Level=0,Desc=Query Debug info 2,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,Tactic=Defense Evasion,DS=Process: Process Modification,Level=0,Desc=Query Debug info 2,Risk=30" groupRelation="and">
 				<StartFunction condition="contains">isdebuggerpresent</StartFunction>
 				<TargetImage condition="excludes">nacl64.exe</TargetImage>
 			</Rule>
-			<Rule name="Attack=T1546.012,Technique=Process Debugging Detected,Tactic=Defense Evasion,Level=3,Alert=Process Debug of active Process,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1546.012,Technique=Process Debugging Detected,Tactic=Defense Evasion,DS=Process: Process Modification,Level=3,Alert=Process Debug of active Process,Risk=30" groupRelation="and">
 				<StartFunction condition="contains">DebugActiveProcess</StartFunction>
 				<TargetImage condition="excludes">nacl64.exe</TargetImage>
 			</Rule>
-			<Rule name="Attack=T1055.001,Technique=Process Injection: Dynamic-link Library Injection,Tactic=Defense Evasion,Level=3,Alert=LoadLibrary DLL Injection,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1055.001,Technique=Process Injection: Dynamic-link Library Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=3,Alert=LoadLibrary DLL Injection,Risk=70" groupRelation="and">
 				<StartFunction condition="contains">LoadLibrary</StartFunction>
 				<SourceImage condition="excludes">C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe</SourceImage>
 				<SourceImage condition="excludes">C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe</SourceImage>
@@ -3323,22 +3324,22 @@
 				<TargetImage condition="excludes">C:\Program Files (x86)\ASUS\ROG Live Service\FileOperator.exe</TargetImage>
 				<SourceImage condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</SourceImage>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=CreateFileMapping,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=0,Desc=CreateFileMapping,Risk=70" groupRelation="and">
 				<StartFunction condition="contains any">CreateFileMapping;MapViewOfFile</StartFunction>
 			</Rule>			
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=LdrLoadDll DLL Injection,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=0,Desc=LdrLoadDll DLL Injection,Risk=70" groupRelation="and">
 				<StartFunction condition="contains any">LdrLoadDll</StartFunction>
 			</Rule>
-			<Rule name="Attack=T1106,Technique=Native API,Tactic=Execution,Level=0,Desc=Crypt API Usage" groupRelation="and">
+			<Rule name="Attack=T1106,Technique=Native API,Tactic=Execution,DS=Process: Process Modification,Level=0,Desc=Crypt API Usage" groupRelation="and">
 				<StartFunction condition="contains any">CryptAcquireContextA;CryptDecodeObjectEx;CryptImportPublicKeyInfo;CryptEncrypt;CryptGenKey;CryptDecrypt;CryptStringToBinary;CryptBinaryToString;CryptImportKey</StartFunction>
 			</Rule>
-			<Rule name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,Level=0,Desc=Clipboard Usage Detected" groupRelation="and">
+			<Rule name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,DS=Process: Process Modification,Level=0,Desc=Clipboard Usage Detected" groupRelation="and">
 				<SourceImage condition="image">c:\windows\system32\csrss.exe</SourceImage>
 				<StartFunction condition="contains">CrtlRoutine</StartFunction>
 			</Rule>
-			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Detected 1,Risk=100" condition="end with">0B80</StartAddress>
-			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Detected 2,Risk=100" condition="end with">0C7C</StartAddress>
-			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Detected 3,Risk=100" condition="end with">0C88</StartAddress>
+			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=4,Alert=Cobalt Strike Detected 1,Risk=100" condition="end with">0B80</StartAddress>
+			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=4,Alert=Cobalt Strike Detected 2,Risk=100" condition="end with">0C7C</StartAddress>
+			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=4,Alert=Cobalt Strike Detected 3,Risk=100" condition="end with">0C88</StartAddress>
 			<TargetImage name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=Remote Desktop injection,Risk=30" condition="image">c:\windows\system32\mstsc.exe</TargetImage>
 			<Rule name="Alert=Potentially Detect EtwEventWrite Tampering with remote threads" groupRelation="and">
 				<StartModule condition="is">C:\WINDOWS\SYSTEM32\ntdll.dll</StartModule>
@@ -3367,70 +3368,70 @@
 	<RuleGroup name="RG=ProcessAccess Include Group" groupRelation="or">
 		<ProcessAccess onmatch="include">
 			<!--Custom Rules-->
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CSShellExecute_ExecuteAssoc,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Access,Level=0,Desc=CSShellExecute_ExecuteAssoc,Risk=30" groupRelation="and">
 				<CallTrace condition="contains">C:\Windows\System32\SHELL32.dll+9b5bd</CallTrace>
 				<TargetImage condition="excludes">\LocalBridge.exe</TargetImage>
 			</Rule>
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSHellExec,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Access,Level=0,Desc=WSHellExec,Risk=50" groupRelation="and">
 				<CallTrace condition="contains any">C:\Windows\System32\wshom.ocx+c8a0;C:\Windows\System32\wshom.ocx+c39d</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Tactic=Execution,Level=0,Desc=CWbemProviderGlueExecMethodAsync,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Tactic=Execution,DS=Process: Process Access,Level=0,Desc=CWbemProviderGlueExecMethodAsync,Risk=50" groupRelation="and">
 				<CallTrace condition="contains">C:\Windows\SYSTEM32\framedynos.dll+2cb3e</CallTrace>
 				<TargetImage condition="excludes any">C:\Windows\system32\SgrmBroker.exe;C:\Windows\system32\SecurityHealthService.exe;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Windows\system32\services.exe;C:\Windows\system32\wininit.exe;C:\Windows\system32\sppsvc.exe;C:\Windows\System32\smss.exe;C:\Windows\system32\csrss.exe;C:\Windows\System32\svchost.exe</TargetImage>
 			</Rule>
-			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Tactic=Execution,Level=0,Desc=ProviderExecMethod 1,Risk=60" groupRelation="and">
+			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Tactic=Execution,DS=Process: Process Access,Level=0,Desc=ProviderExecMethod 1,Risk=60" groupRelation="and">
 				<CallTrace condition="contains">C:\Windows\SYSTEM32\framedynos.dll+2b496</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=MiniDumpWriteDump,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=MiniDumpWriteDump,Risk=50" groupRelation="and">
 				<CallTrace condition="contains">C:\Windows\SYSTEM32\dbgcore.DLL+6cfb</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,Level=0,Desc=PssCaptureSnapShot,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=PssCaptureSnapShot,Risk=50" groupRelation="and">
 				<CallTrace condition="contains">C:\Windows\System32\KernelBase.dll+de67e</CallTrace>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Dotnet Debugging detected,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Dotnet Debugging detected,Risk=30" groupRelation="and">
 				<CallTrace condition="contains">ntdll.dll+a0044</CallTrace>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Alert=DInvoke detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Alert=DInvoke detected,Risk=100" groupRelation="and">
 				<CallTrace condition="contains any">clr.dll+6c23;clr.dll+6b38</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 1,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,DS=Process: Process Access,Level=0,Desc=Suspicious In-Memory Module Execution 1,Risk=30" groupRelation="and">
 				<CallTrace condition="contains all">C:\Windows\\SYSTEM32\ntdll.dll+;|C:\Windows\System32\KERNELBASE.dll+;|UNKNOWN(</CallTrace>
 				<CallTrace condition="end with">)</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 2,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,DS=Process: Process Access,Level=0,Desc=Suspicious In-Memory Module Execution 2,Risk=30" groupRelation="and">
 				<CallTrace condition="contains all">"UNKNOWN(;)|UNKNOWN(</CallTrace>
 				<CallTrace condition="end with">)</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,Level=0,Desc=Suspicious In-Memory Module Execution 3,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,DS=Process: Process Access,Level=0,Desc=Suspicious In-Memory Module Execution 3,Risk=30" groupRelation="and">
 				<CallTrace condition="contains all">"UNKNOWN</CallTrace>
 				<GrantedAccess condition="contains any">0x1F0FFF;0x1F1FFF;0x143A;0x1410;0x1010;0x1F2FFF;0x1F3FFF;0x1FFFFF</GrantedAccess>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=Office Macro Injection Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Access,Level=0,Desc=Office Macro Injection Detected,Risk=100" groupRelation="and">
 				<SourceImage condition="contains all">C:\Program Files;\Microsoft Office\Root\Office</SourceImage>
 				<CallTrace condition="contains">\Microsoft Shared\VBA</CallTrace>
 				<TargetImage condition="excludes">C:\Program Files (x86)\Intuit\</TargetImage>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Credential Access,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS Credential Access,Risk=70" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<GrantedAccess>0x1FFFFF</GrantedAccess>
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 				<CallTrace condition="excludes">WmiPerfClass.dll</CallTrace>
 				<SourceImage condition="excludes any">C:\Windows\sysWOW64\wbem\wmiprvse.exe;C:\Windows\system32\wbem\wmiprvse.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe;WmiPerfClass.dll;C:\Program Files (x86)\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files (x86)\Common Files\Adobe</SourceImage>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=Mimikatz through Windows Remote Management,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=Mimikatz through Windows Remote Management,Risk=100" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<SourceImage condition="image">C:\Windows\system32\wsmprovhost.exe</SourceImage>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS process access by LaZagne,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS process access by LaZagne,Risk=100" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<GrantedAccess>0x1FFFFF</GrantedAccess>
 				<CallTrace condition="contains all">python27.dll;_ctypes.pyd;KERNELBASE.dll;ntdll.dll</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS process access by Mimikatz,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS process access by Mimikatz,Risk=100" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<CallTrace condition="begin with">C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\system32\KERNELBASE.dll+8185</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Cobalt Strike Monitor,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS Cobalt Strike Monitor,Risk=70" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
 				<CallTrace condition="end with">)</CallTrace>
@@ -3438,52 +3439,52 @@
 				<CallTrace condition="excludes any">wow64.dll;)|C;Exchange.Diagnostics;Microsoft.Exchange</CallTrace>
 				<SourceImage condition="excludes any">C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe;c:\windows\system32\inetsrv\w3wp.exe;MSExchangeHMHost.exe;C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Rubeus Mimikatz Like Detection,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Rubeus Mimikatz Like Detection,Risk=70" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\winlogon.exe</TargetImage>
 				<GrantedAccess>0x1F3FFF</GrantedAccess>
 				<CallTrace condition="contains any">C:\Windows\Microsoft.NET;UNKNOWN</CallTrace>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Process Accessing Sysmon,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Suspicious Process Accessing Sysmon,Risk=50" groupRelation="and">
 				<SourceImage condition="end with">.exe</SourceImage>
 				<TargetImage condition="contains any">C:\Windows\sysmon64.exe;C:\Windows\sysmon64.exe</TargetImage>
 				<GrantedAccess>0x1C00</GrantedAccess>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access,Risk=20" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS Access,Risk=20" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<GrantedAccess>0x1F1FFF</GrantedAccess>
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access 2,Risk=20" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS Access 2,Risk=20" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<GrantedAccess>0x1010</GrantedAccess>
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=LSASS Access 3,Risk=20" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS Access 3,Risk=20" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<GrantedAccess>0x143A</GrantedAccess>
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=LSASS Memory Dump,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=LSASS Memory Dump,Risk=100" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<GrantedAccess>0x1fffff</GrantedAccess>
 				<CallTrace condition="contains any">dbghelp.dll;dbgcore.dll</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=0,Desc=Process access with dbghelp,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=Process access with dbghelp,Risk=30" groupRelation="and">
 				<CallTrace condition="contains any">dbghelp.dll;dbgcore.dll</CallTrace>
 				<TargetImage condition="excludes">C:\Windows\system32\lsass.exe</TargetImage>
 				<SourceImage condition="excludes">C:\wfx32\</SourceImage>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powershell accessing another process memory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Powershell accessing another process memory" groupRelation="and">
 				<SourceImage condition="image">powershell.exe</SourceImage>
 				<TargetImage condition="excludes any">C:\Programdata\sysmon\sysmon64.exe;C:\Programdata\sysmon\sysmon.exe;C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe;\dismhost.exe</TargetImage>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Potential Keylogger detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Potential Keylogger detected,Risk=100" groupRelation="and">
 				<CallTrace condition="contains">getasynckeystate</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=CMSTP UAC Bypass" groupRelation="and">
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Access,Level=0,Desc=CMSTP UAC Bypass" groupRelation="and">
 				<CallTrace condition="contains">cmlua.dll</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1086,Technique=PowerShell,Tactic=Execution,Level=3,Alert=Powershell without Powershell,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1086,Technique=PowerShell,Tactic=Execution,DS=Process: Process Access,Level=3,Alert=Powershell without Powershell,Risk=30" groupRelation="and">
 				<CallTrace condition="contains">System.Management.Automation</CallTrace>
 				<CallTrace condition="excludes">C:\ProgramData\Microsoft\Windows Defender\platform\</CallTrace>
 				<CallTrace condition="excludes">ctiuser.dll</CallTrace>
@@ -3501,34 +3502,34 @@
 				<TargetImage condition="is not">C:\Windows\system32\query.exe</TargetImage>
 				<TargetImage condition="is not">MsMpEng.exe</TargetImage>
 			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=3,Alert=Kaodic credential access detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=3,Alert=Kaodic credential access detected,Risk=100" groupRelation="and">
 				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
 				<CallTrace condition="contains">comsvcs.dll</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=Office Macro Execution VBE7,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Access,Level=3,Alert=Office Macro Execution VBE7,Risk=80" groupRelation="and">
 				<CallTrace condition="contains any">VBE7.dll;VBEUI.DLL;VBE7INTL.DLL</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=Office Macro Execution VBE6,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Access,Level=3,Alert=Office Macro Execution VBE6,Risk=80" groupRelation="and">
 				<CallTrace condition="contains any">VBE6.dll;VBEUI.DLL;VBE6INTL.DLL</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,Level=3,Alert=verclsid Office Execution,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Access,Level=3,Alert=verclsid Office Execution,Risk=80" groupRelation="and">
 				<SourceImage condition="contains">Office</SourceImage>
 				<TargetImage condition="contains">verclsid.exe</TargetImage>
 				<CallTrace condition="contains any">VBE7.dll;VBEUI.DLL;VBE7INTL.DLL</CallTrace>
 				<CallTrace condition="contains any">|UNKNOWN(</CallTrace>
 				<GrantedAccess condition="contains">0x1FFFFF</GrantedAccess>
 			</Rule>
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CreateProcessW,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Access,Level=0,Desc=CreateProcessW,Risk=70" groupRelation="and">
 				<SourceImage condition="contains">C:\Program Files\Microsoft Office\Root\Office</SourceImage>
 				<CallTrace condition="contains">C:\Windows\System32\KERNELBASE.dll+76516</CallTrace>
 			</Rule>
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CSShellExecute_DoExecute,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Access,Level=0,Desc=CSShellExecute_DoExecute,Risk=30" groupRelation="and">
 				<CallTrace condition="contains" >C:\Windows\System32\SHELL32.dll+ae3b9</CallTrace>
 				<TargetImage condition="excludes">C:\WINDOWS\system32\sihost.exe</TargetImage>
 				<TargetImage condition="excludes">C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub</TargetImage>
 			</Rule>
-			<CallTrace name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
+			<CallTrace name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
 				<CallTrace condition="contains">|UNKNOWN(</CallTrace>
 				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
 				<CallTrace condition="contains">|C:\WINDOWS\System32\KERNELBASE.dll+</CallTrace>
@@ -3539,15 +3540,15 @@
 				<TargetImage condition="excludes any">\Intel\Driver and Support Assistant\</TargetImage>
 				<TargetImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\ngen.exe</TargetImage>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
 				<SourceImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</SourceImage>
 				<CallTrace condition="contains all">:\Windows\Microsoft.NET\Framework64\v2.;UNKNOWN</CallTrace>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Potential Metasploit Process Migration" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=4,Alert=Potential Metasploit Process Migration" groupRelation="and">
 				<CallTrace condition="contains">UNKNOWN</CallTrace>
 				<GrantedAccess condition="contains">0x147a</GrantedAccess>
 			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonEnte Detection,Level=4,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Process: Process Access,Level=4,Alert=SysmonEnte Detection,DS=Process: Process Access,Level=4,Risk=100" groupRelation="and">
 				<TargetImage condition="contains any">C:\Windows\Sysmon64.exe;C:\Windows\Sysmon.exe</TargetImage>
 				<SourceImage condition="is not">C:\WINDOWS\system32\wbem\wmiprvse.exe</SourceImage>
 				<SourceImage condition="is not">C:\Program Files (x86)\ASUS\Update\AsusUpdate.exe</SourceImage>
@@ -3556,21 +3557,21 @@
 				<GrantedAccess condition="contains">0x1400</GrantedAccess>
 			</Rule>
 			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE: possible memory injection -->
-			<GrantedAccess name="Attack=T1093,Technique=Process Hollowing,Tactic=Defense Evasion,Level=4,Alert=Process Hollowing Detected,Risk=100">0x0800</GrantedAccess>
+			<GrantedAccess name="Attack=T1093,Technique=Process Hollowing,Tactic=Defense Evasion,DS=Process: Process Access,Level=4,Alert=Process Hollowing Detected,Risk=100">0x0800</GrantedAccess>
 			<!-- PROCESS_SUSPEND_RESUME -->
-			<GrantedAccess name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator">0x0810</GrantedAccess>
+			<GrantedAccess name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator">0x0810</GrantedAccess>
 			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
-			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=Possible Memory Dump,Risk=70">0x0820</GrantedAccess>
+			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Access,Level=0,Desc=Possible Memory Dump,Risk=70">0x0820</GrantedAccess>
 			<!-- PROCESS_SUSPEND_RESUME -->
-			<GrantedAccess name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=70">0x810</GrantedAccess>
+			<GrantedAccess name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=70">0x810</GrantedAccess>
 			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
 			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Risk=70">0x820</GrantedAccess>
-			<SourceImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CScript accessing another process memory,Risk=30" condition="end with">cscript.exe</SourceImage>
-			<SourceImage name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WScript accessing another process memory,Risk=30" condition="end with">wscript.exe</SourceImage>
+			<SourceImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=CScript accessing another process memory,Risk=30" condition="end with">cscript.exe</SourceImage>
+			<SourceImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=WScript accessing another process memory,Risk=30" condition="end with">wscript.exe</SourceImage>
 			<SourceImage condition="end with">jjs.exe</SourceImage>
-			<CallTrace name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">dump</CallTrace>
-			<CallTrace name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">mimikatz</CallTrace>
-			<CallTrace name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=ProcessAccess with CorperfmontExt.dll,Risk=70" condition="contains">CorperfmontExt.dll</CallTrace>
+			<CallTrace name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">dump</CallTrace>
+			<CallTrace name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">mimikatz</CallTrace>
+			<CallTrace name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=ProcessAccess with CorperfmontExt.dll,Risk=70" condition="contains">CorperfmontExt.dll</CallTrace>
 			<Rule name="Antivirus Exclusions" groupRelation="or"> 
 				<SourceImage condition="begin with">C:\Program Files (x86)\Kaspersky Lab</SourceImage> 
 				<SourceImage condition="begin with">C:\Program Files\Kaspersky Lab</SourceImage>
@@ -3599,7 +3600,7 @@
 			<SourceImage condition="end with">:\Windows\system32\sdiagnhost.exe</SourceImage>
 			<!-- In testing a common false-positive is memory space that DLLS would be expected to mapped to. -->
 			<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Direct System Call Events" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Direct System Call Events" groupRelation="and">
 				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\ntdll.dll</CallTrace>  
 				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\win32u.dll</CallTrace>
 				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\wow64win.dll</CallTrace>
@@ -3612,7 +3613,7 @@
 		<FileCreate onmatch="include">
 			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
 			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<TargetFilename name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,Level=4,Alert=Nessus Temp Files Created,Risk=100" condition="contains">\TEMP\nessus_</TargetFilename>
+			<TargetFilename name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=File: File Creation,Level=4,Alert=Nessus Temp Files Created,Risk=100" condition="contains">\TEMP\nessus_</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
 			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
 			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
@@ -3640,19 +3641,19 @@
 			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
 			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
 			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds sunburst suspicious file writes,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Creation,Level=4,Alert=Solarwinds sunburst suspicious file writes,Risk=100" groupRelation="and">
 				<Image condition="contains any">solarwinds.businesslayerhost</Image>
 				<TargetFilename condition="contains any">.exe;.dll;.ps1;.mz;.jpg;.png</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds sunburst malware dll,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Creation,Level=4,Alert=Solarwinds sunburst malware dll,Risk=100" groupRelation="and">
 				<TargetFilename condition="is">C:\WINDOWS\SysWOW64\netsetupsvc.dll</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Dark Halo Software location,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Creation,Level=4,Alert=Dark Halo Software location,Risk=100" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\SoftwareDistribution</TargetFilename>
-				<TargetFilename condition="excludes all">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_;.exe</TargetFilename>
+				<TargetFilename condition="is not">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe</TargetFilename>
 				<TargetFilename condition="end with">.exe</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=0,Desc=MSBuild Source Files created" groupRelation="or">
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Creation,Level=0,Desc=MSBuild Source Files created" groupRelation="or">
 				<TargetFilename condition="end with">proj</TargetFilename>
 				<TargetFilename condition="end with">.targets</TargetFilename>
 				<TargetFilename condition="end with">.build</TargetFilename>
@@ -3666,29 +3667,29 @@
 			
 			<!--MITRE ATT&CK TACTIC: Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch File scripting: Batch scripts" condition="end with">.bat</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch scripting: Legacy btm Extension" condition="end with">.btm</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch scripting: Legacy cmd Extension" condition="end with">.cmd</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch scripting: Legacy com Extension" condition="end with">.com</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=CMDLine File Created" condition="end with">.cmdline</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Batch File Created" condition="end with">.bas</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=BIN file created" condition="end with">.bin</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WS Scripting" condition="end with">.ws</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSC Scripting" condition="end with">.wsc</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSF Scripting" condition="end with">.wsf</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=WSH Scripting" condition="end with">.wsh</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=PIF Scripting" condition="end with">.pif</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch File scripting: Batch scripts" condition="end with">.bat</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch scripting: Legacy btm Extension" condition="end with">.btm</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch scripting: Legacy cmd Extension" condition="end with">.cmd</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch scripting: Legacy com Extension" condition="end with">.com</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=CMDLine File Created" condition="end with">.cmdline</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch File Created" condition="end with">.bas</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=BIN file created" condition="end with">.bin</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WS Scripting" condition="end with">.ws</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WSC Scripting" condition="end with">.wsc</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WSF Scripting" condition="end with">.wsf</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WSH Scripting" condition="end with">.wsh</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=PIF Scripting" condition="end with">.pif</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: MSHTA-->
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=MSHTA Scripting" condition="end with">.hta</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=MSHTA Scripting" condition="end with">.hta</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=IronPython,Risk=90" condition="contains">IronPython</TargetFilename>
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=Python" condition="end with">.py</TargetFilename>
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=Python" condition="end with">.pyc</TargetFilename>
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,Level=0,Desc=Python" condition="end with">.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=IronPython,Risk=90" condition="contains">IronPython</TargetFilename>
+			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Python" condition="end with">.py</TargetFilename>
+			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Python" condition="end with">.pyc</TargetFilename>
+			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Python" condition="end with">.pyd</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
-			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=2,Alert=Powershell file types,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Alert=Powershell file types,Risk=100" groupRelation="or">
 				<TargetFilename condition="end with">.cdxml</TargetFilename>
 				<TargetFilename condition="end with">.ps1</TargetFilename>
 				<TargetFilename condition="end with">.ps1xml</TargetFilename>
@@ -3697,37 +3698,38 @@
 				<TargetFilename condition="end with">.psm1</TargetFilename>
 				<TargetFilename condition="end with">.pssc</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=2,Alert=Powershell file creations,Risk=10" groupRelation="and">
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Alert=Powershell file creations,Risk=10" groupRelation="and">
 				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-			</Rule>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Powershell directory modifications" condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Powershell directory modifications" condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Persistence: PowerShell default profile" condition="begin with">c:\Windows\System32\WindowsPowerShell\v1.0\profile</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Persistence: PowerShell default profile" condition="begin with">c:\Windows\Syswow64\WindowsPowerShell\v1.0\profile</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\powershell.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,Level=0,Desc=Powershell Console History" condition="end with">PSReadLine\ConsoleHost_history.txt</TargetFilename>
+				<TargetFilename condition="excludes">\Recent\CustomDestinations\</TargetFilename>
+			</Rule>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Powershell directory modifications" condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Powershell directory modifications" condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Persistence: PowerShell default profile" condition="begin with">c:\Windows\System32\WindowsPowerShell\v1.0\profile</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Persistence: PowerShell default profile" condition="begin with">c:\Windows\Syswow64\WindowsPowerShell\v1.0\profile</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\powershell.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Powershell Console History" condition="end with">PSReadLine\ConsoleHost_history.txt</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=vbs script created" condition="end with">.vbs</TargetFilename>
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=Java JRE Timestamp usage for DFIR" condition="contains">.oracle_jre_usage\</TargetFilename>
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=JavaScript" condition="end with">.js</TargetFilename>
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,Level=0,Desc=JavaScript" condition="end with">.jse</TargetFilename>
-			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,Level=0,Desc=VisualBasicScripting" condition="end with">.vb</TargetFilename>
-			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,Level=0,Desc=VisualBasicScripting" condition="end with">.vbe</TargetFilename>
-			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,Level=0,Desc=VisualBasicScripting" condition="end with">.vbsript</TargetFilename>
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=vbs script created" condition="end with">.vbs</TargetFilename>
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Java JRE Timestamp usage for DFIR" condition="contains">.oracle_jre_usage\</TargetFilename>
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=JavaScript" condition="end with">.js</TargetFilename>
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=JavaScript" condition="end with">.jse</TargetFilename>
+			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,DS=File: File Creation,Level=0,Desc=VisualBasicScripting" condition="end with">.vb</TargetFilename>
+			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,DS=File: File Creation,Level=0,Desc=VisualBasicScripting" condition="end with">.vbe</TargetFilename>
+			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,DS=File: File Creation,Level=0,Desc=VisualBasicScripting" condition="end with">.vbsript</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
 			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=CVE-2019-1315,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=File: File Creation,Level=0,Desc=CVE-2019-1315,Risk=70" groupRelation="and">
 				<TargetFilename condition="end with">Report.wer.tmp</TargetFilename>
 				<TargetFilename condition="excludes">\WER\</TargetFilename>
 				<Image condition="image">C:\Windows\system32\wermgr.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=Office App Creating Exe File,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Office App Creating Exe File,Risk=70" groupRelation="and">
 				<Image condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe</Image>
 				<TargetFilename condition="end with">.exe</TargetFilename>
 				<TargetFilename condition="begin with">C:\Users</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=Office App Creating DLL File,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Office App Creating DLL File,Risk=70" groupRelation="and">
 				<Image condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe</Image>
 				<TargetFilename condition="end with">.dll</TargetFilename>
 				<TargetFilename condition="begin with">C:\Users</TargetFilename>
@@ -3740,24 +3742,24 @@
 			<!--MITRE ATT&CK TECHNIQUE: System Services-->
 			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: User Execution: Malicious File-->
-			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Generic Ransomware Detection" groupRelation="and">
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Generic Ransomware Detection" groupRelation="and">
 				<TargetFilename condition="contains any">!!!-WARNING-!!!.html;!!!-WARNING-!!!.txt;!!! HOW TO DECRYPT FILES !!!;!!!README!!!;!!!READ_TO_UNLOCK!!!.TXT;!!!_READ_ME_;!Recovery_;!Where_are_my_files!.html;!_HOW_TO_RESTORE_;!_RECOVERY_HELP_!.txt;!recover!;# DECRYPT MY FILES #.html;# DECRYPT MY FILES #.txt;# DECRYPT MY FILES #.vbs;# SATAN CRYPTOR #;+recover+;.8lock8;.31392E30362E32303136_;.ABCDEF;.CIop;.CR1;.CRAB;.CRYPTOSHIELD;.Cl0p;.Contact_Here_To_Recover_Your_Files.txt;.CryptoTorLocker2015!;.HERMES;.HakunaMatata;.How_To_Decrypt.txt;.How_To_Get_Back.txt;.KEYZ.KEYH0LES;.L0CKED;.LOL!;.MATRIX;.OMG!;.R.i.P;.RMCM1;.RSplited;.SUPERCRYPT;.SecureCrypted;.TheTrumpLocker;.VBRANSOM;.VforVendetta;.Where_my_files.txt;.XBTL;._AiraCropEncrypted!;.airacropencrypted!;.areyoulovemyrans;.berkshire;.bitpy;.bitx;.blocatto;.bomber;.braincrypt;.breakingbad;.breeding123;.cerber;.cifgksaffsfyghd;.country82000;.crypt;.crypted;.crypton;.cryptotorlocker;.decrypt2017;.deria;.dglnl;.disposed2017;.doomed;.encrypted.locked;.encrypted;.encryptedyourfiles;.enjey;.evillock;.filegofprencrp;.fileiscryptedhard;.firecrypt;.fuckyourdata;.gangbang;.gefickt;.googl;.happydayzz;.hceem;.helpdecrypt;.helpmeencedfiles;.hnumkhotep;.hydracrypt_ID;.iaufkakfhsaraf;.info.txt;.jimm;.kharma;.killedXXX;.lambda_l0cked;.letmetrydecfiles;.locked;.locker16;.loveransisgood;.lovewindows;.magic_software_syndicate;.mention9823;.moments2900;.myrandsext2017;.newlock;.no_more_ransom;.nochance;.noproblemwedecfiles;.notfoundrans;.ohwqg;.one-we_can-help_you;.oops;.osiris;.otherinformation;.paytounlock;.powerfulldecrypt;.powned;.pr0lock;.prolock;.prosperous666;.pwnd;.ransom;.readme2unlock;.righ;.roger;.ryk;.satan;.savethequeen;.sigaint.org;.skjdthghh;.skynet;.snatch;.stubbin;.supported2017;.suppose666;.theworldisyours;.txd0t;.warn_wallet;.weapologize;.weareyourfriends;.weencedufiles;.wowreadfordecryp;.wowwhereismyfiles;.wvtr0;.yourransom;.zzzzz ;.{CRYPTENDBLACKDC};-DECRYPT.txt;000-IF-YOU-WANT-DEC-FILES;000-No-PROBLEM-WE-DEC-FILES;000-PLEASE-READ-WE-HELP;001-READ-FOR-DECRYPT-FILES;1025-7152.exe;:\windows\update_collector.exe;=READ=THIS=PLEASE=;@cock.li;@countermail.com;@firemail.cc;@india.com;@mail.ru;@ukr.net;ASSISTANCE_IN_RECOVERY;ATTENTION!!!.txt;ATTENTION.url;Aescrypt.exe;AllFilesAreLocked;BTC_DECRYPT_FILES;BUYUNLOCKCODE.txt;BUYUNLOCKCODE;BitCryptorFileList.txt;C:\ProgramData\dtb.dat;C:\Programdata\WinMgr;C:\Programdata\clean.bat;C:\Programdata\run.bat;C:\Windows\svchost.exe;CEBER3;CHECK-IT-HELP-FILES;COME_RIPRISTINARE_I_FILE.;COMO_ABRIR_ARQUIVOS.txt;COMO_RESTAURAR_ARCHIVOS;Coin.Locker.txt;Comment débloquer mes fichiers.txt;Como descriptografar seus arquivos.txt;Corona-virus-Map;Corona.bat;Corona.sfx;CryptoRansomware;Crytp0l0cker;Cyber SpLiTTer Vbs.exe;Cyborg_DECRYPT;DALE_FILES.TXT;DECRYPT-FILES;DECRYPTION INSTRUCTIONS.;DECRYPTION_HOWTO.Notepad;DECRYPT_INFORMATION;DECRYPT_INSTRUCTION.HTML;DECRYPT_INSTRUCTION.URL;DECRYPT_INSTRUCTIONS.html;DECRYPT_INSTRUCTIONS;DECRYPT_ReadMe1.TXT;DECRYPT_Readme.TXT.ReadMe;DECRYPT_YOUR_FILES;DESIFROVANI_POKYNY.html;Decrypt All Files;DecryptAllFiles;DecryptFile;Decrypt_readme.txt;DesktopOsiris;ENTSCHLUSSELN_HINWEISE.html;EdgeLocker;FILESAREGONE.txt;FILES_BACK.txt;File Decrypt Help.html;GJENOPPRETTING_AV_FILER;GetYouFiles.txt;HAPPEN-ENCED-FILES;HELLOTHERE.TXT;HELP-ME-ENCED-FILES;HELPDECRYPT_YOUR_FILES.HTML;HELP_DECRYPT.HTML;HELP_DECRYPT.PNG;HELP_DECRYPT.URL;HELP_DECRYPT.lnk;HELP_ME_PLEASE.txt;HELP_RESTORE_FILES_;HELP_TO_SAVE_FILES.bmp;HELP_TO_SAVE_FILES;HELP_YOURFILES.HTML;HELP_YOUR_FILES.PNG;HELP_YOUR_FILES.html;HELP_YOUR_FILES;HOW-TO-DECRYPT-FILES.HTML;HOW-TO-RESTORE-FILES;HOW TO BACK YOUR FILES;HOW TO DECRYPT FILES.HTML;HOW TO DECRYPT FILES.txt;HOW TO RECOVER;HOWTO_RECOVER_FILES_;HOWTO_RESTORE_FILES;HOWTO_RESTORE_FILES_;HOW_DECRYPT.HTML;HOW_DECRYPT.TXT;HOW_DECRYPT.URL;HOW_OPEN_FILES;HOW_TO_DECRYPT.HTML;HOW_TO_DECRYPT_;HOW_TO_PAY_THE_RANSOM;HOW_TO_RESTORE_FILES.html;HOW_TO_RESTORE_FILES;HOW_TO_RESTORE_YOUR_DATA;HOW_TO_UNLOCK_FILES_README_;HWID Lock.exe;Hacked_Read_me_to_decrypt_files.html;Help Decrypt.html;How decrypt files.hta;How to decrypt LeChiffre files.html;How to decrypt your data.txt;HowDecrypt.gif;HowDecrypt.txt;How_to_decrypt_your_files.jpg;How_to_restore_files.hta;HowtoRestore_File;HowtoRestore_Files;Howto_RESTORE_FILES.html;Howto_Restore_FILES.TXT;IAMREADYTOPAY.TXT;IF-YOU-WANT-DEC-FILES;IF_WANT_FILES_BACK_PLS_READ.html;IHAVEYOURSECRET.KEY;IMPORTANT READ ME.txt;IMPORTANT.README;INSTALL_TOR.URL;INSTRUCCIONES;INSTRUCCIONES_DESCIFRADO.html;INSTRUCTION RESTORE FILE;INSTRUCTIONS_DE_DECRYPTAGE.html;INSTUCCIONES_DESCRIFRADO;ISTRUZIONI_DECRITTAZIONE.html;Important!.txt;Instructionaga.txt;KryptoLocker_README.txt;LEER_INMEDIATAMENTE;LET-ME-TRY-DEC-FILES;Locked-by-Mafia;MENSAGEM.txt;MERRY_I_LOVE_YOU_BRUCE.hta;No-PROBLEM-WE-DEC-FILES;OKSOWATHAPPENDTOYOURFILES.TXT;ONTSLEUTELINGS_INSTRUCTIES.html;OSIRIS-;PAYLOADBIN;PINGY@INDIA.COM;PLEASE-READ-WE-HELP.;PLEASE-READIT-IF_YOU-WANT.html;PLEASE-READIT-IF_YOU-WANT;PLEASE-README-AFFECTED-FILES;PLS-DEC-MY-FILES;PURELOCKER;Payment_Instructions.jpg;Please Read Me!!!;READ-FOR-DECCCC-FILESSS;READ-FOR-DECRYPT-FILES;READ-READ-READ;READ IF YOU WANT YOUR FILES BACK.html;READ ME FOR DECRYPT.txt;README HOW TO DECRYPT YOUR FILES.HTML;README!!!;README_DECRYPT_HYDRA_ID_;README_DECRYPT_HYRDA_ID_;README_DECRYPT_UMBRE_ID_;README_DONT_DELETE;README_HOW_TO_UNLOCK.HTML;README_HOW_TO_UNLOCK.TXT;README_RECOVER_FILES_;README_TO_RECURE_YOUR_FILES;READTHISNOW!!!.txt;READ_IT.txt;READ_ME_!.txt;READ_ME_TO_DECRYPT_YOU_INFORMA;READ_THIS_TO_DECRYPT.html;RECOVER-FILES;RECOVERY_FILE.;RECOVERY_FILES.TXT;RECOVER_MY_FILE;RESTORE_CORUPTED_FILES;RESTORE_FILES_;RETURN FILES.txt;RETURN YOUR FILES;RETURNFILES_.txt;RETURN_FILES.txt;RETURN_FILES_.txt;Rans0m_N0te_Read_ME;Read Me (How Decrypt) !!!!.txt;ReadDecryptFilesHere;Read_this_file.txt;Receipt.exe;RecoveryManual.html;Recovery_File_;Recovery_file_;Rooster865qq;SECRET.KEY;SECRETIDHERE.KEY;SHTODELATVAM.txt;SIFRE_COZME_TALIMATI.html;SORRY-FOR-FILES;Survey Locker.exe;TRY-READ-ME-TO-DEC;Temp\satan\satan;ThxForYurTyme;UNLOCK_FILES_INSTRUCTIONS.html;UNLOCK_FILES_INSTRUCTIONS.txt;UnblockFiles.vbs;VIP72.exe;Vape Launcher.exe;WANT_FILES_BACK;WE-MUST-DEC-FILES;WHERE-YOUR-FILES;WORMKILLER@INDIA.COM.XTBL;What happen to my files.txt;Whereisyourfiles;WindowsApplication1.exe;YOUGOTHACKED.TXT;YOUR_FILES.txt;YOUR_FILES.url;YOUR_FILES_ARE_DEAD;YOUR_FILES_ARE_ENCRYPTED.HTML;YOUR_FILES_ARE_ENCRYPTED.TXT;YOUR_FILES_ARE_LOCKED.txt;Your files are locked !!!!.txt;Your files are locked !!!.txt;Your files are locked !!.txt;Your files are locked !.txt;Your files encrypted by our friends !!! txt;Your files encrypted by our friends !!!.txt;[KASISKI];_Adatok_visszaallitasahoz_utasitasok;_DECRYPT_ASSISTANCE_;_DECRYPT_INFO_;_DECRYPT_INFO_szesnl;_DEC_FILES.;_FILES_WERE_ENCRYPTED_@.TXT;_HELP_HELP_HELP_;_HELP_Recover_Files_;_HELP_instructions.bmp;_HELP_instructions.txt;_HOWDO_text.bmp;_HOWDO_text.html;_HOW_TO_Decrypt;_H_e_l_p_RECOVER_INSTRUCTIONS+;_H_e_l_p_RECOVER_INSTRUCTIONS;_Locky_recover;_Locky_recover_instructions.bmp;_Locky_recover_instructions.txt;_README.hta;_README.jpg;_READ_ME!;_RECOVER_INSTRUCTIONS;_ReCoVeRy_+;_USE_TO_FIX_;_WHAT_is.html;_help_instruct;_how_recover.txt;_how_recover;_how_recover_;_recover_;_secret_code.txt;_steaveiwalker@india.com_;aeroware;confirmation.key;contains(to_string($message.file_created), "howrecover+;crjoker.html;cryptinfo.txt;cryptolocker.;cryptopp;de_crypt_readme.;de_crypt_readme.bmp;de_crypt_readme.html;de_crypt_readme.txt;decipher_ne;decrypt-instruct;decrypt explanations.;decrypt my file;decrypt your file;decrypt_Globe;decrypt_instruct;decrypted_files.dat;decryptional;decryptmyfiles;decypt_your_files.html;default32643264.bmp;default432643264.jpg;email-salazar_slytherin10;enc_files.txt;encryptor_raas_readme_liesmich;enigma.hta;enigma_encr.txt;exit.hhr.obleep;fattura_;file0locked;files_are_encrypted.;-filesencrypted;firemail.cc;firstransomware.exe;gmx.de;hacks.at.sigaint.org;help-file-decrypt.enc;help_decrypt;help_file_;help_instructions.;help_my_files;help_recover;help_recover_instructions;help_restore;help_restore_files;help_your_file;helpmeencedfiles;how to decrypt aes files.lnk;how to decrypt;how to get data.txt;how_decrypt.gif;how_recover;how_to_decrypt;how_to_recover;howrecover+ recoveryfile_;howrecover+;howto_recover_file;howto_restore;howtodecrypt;howtodecryptaesfiles.txt;inbox.ru;info@kraken.cc_worldcza@email.cz;install_tor;iran.ir;last_chance.txt;maestro@pizzacrypts.info;maxcrypt.bmp;only-we_can-help_you;openforyou@india.com;opensourcemail.org;padcrypt;paycrypt.bmp;popcorn_time.exe;powerfulldecrypt;protonmail.ch;qbmail.biz;randomname;readme_decrypt;readme_for_decrypt;readme_liesmich_encryptor_raas;recover_file;recover_file_;recover_instruction;recoverfile;recoverfile_;recovery+;recovery_file.txt;recovery_key.txt;recoveryfile;recover}-;restore_files.txt;restorefiles;restorefiles_;ryukreadme.html;tuta.io;tutanota.com;tutanota.de;unCrypte;vault.hta;vault.key;vault.txt;want your files back.;warning-!!;wie_zum_Wiederherstellen_von_Dateien.txt;wowreadfordecryp;wowwhereismyfiles;zXz.html;zycrypt.;zzzzzzzzzzzzzzzzzyyy</TargetFilename>
 				<TargetFilename condition="excludes all">C:\Users\;\Google\Chrome Beta\User Data\;\IndexedDB\</TargetFilename>
 				<TargetFilename condition="excludes any">C:\Program Files\WindowsApps\Microsoft.YourPhone_;C:\Program Files\dotnet\shared\Microsoft.NETCore.App\</TargetFilename>
 			</Rule>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="contains">crackmapexec</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._AES.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._DES.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Hash._SHA256.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Random.OSRNG.winrandom.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Util.strxor.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\crackmapexec.exe.manifest</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\greenlet.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=KeeFarce.exe default injected DLL name,Risk=100" condition="end with">BootStrapDLL.dll</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=MegaCortex Ransomware,Risk=100" condition="begin with">C:\windows\temp\wininit.exe</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=Mimikatz Files" condition="contains any">lazycat;powerkatz;mimikatz;mimidrv;mimilove;mimilib;mimikittenz;mimiauth;invoke-mimi</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=RDP Wrapper,Risk=100" condition="end with">rdpwrap.dll</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,Level=4,Alert=winspool.drv dropped" condition="end with">winspool.drv</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="contains">crackmapexec</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._AES.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._DES.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Hash._SHA256.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Random.OSRNG.winrandom.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Util.strxor.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\crackmapexec.exe.manifest</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\greenlet.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=KeeFarce.exe default injected DLL name,Risk=100" condition="end with">BootStrapDLL.dll</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=MegaCortex Ransomware,Risk=100" condition="begin with">C:\windows\temp\wininit.exe</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Mimikatz Files" condition="contains any">lazycat;powerkatz;mimikatz;mimidrv;mimilove;mimilib;mimikittenz;mimiauth;invoke-mimi</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=RDP Wrapper,Risk=100" condition="end with">rdpwrap.dll</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=winspool.drv dropped" condition="end with">winspool.drv</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
 			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
 			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
@@ -3766,8 +3768,8 @@
 			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<TargetFilename name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,Level=3,Alert=Autorun Folder Entries" condition="contains">\Programs\Startup\</TargetFilename>
-			<TargetFilename name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,Level=3,Alert=Autorun Folder Entries" condition="contains">\Startup\</TargetFilename>
+			<TargetFilename name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Autorun Folder Entries" condition="contains">\Programs\Startup\</TargetFilename>
+			<TargetFilename name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Autorun Folder Entries" condition="contains">\Startup\</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
 			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
 			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
@@ -3779,53 +3781,53 @@
 			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Office Application Startup modification" condition="contains">\Word\STARTUP\</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Office Application Startup modification" condition="contains">\Microsoft\Templates\</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Office Application Startup modification" condition="contains">\Excel\XLSTART\</TargetFilename>
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Office Application Startup modification" condition="contains">\Word\STARTUP\</TargetFilename>
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Office Application Startup modification" condition="contains">\Microsoft\Templates\</TargetFilename>
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Office Application Startup modification" condition="contains">\Excel\XLSTART\</TargetFilename>
 			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence" condition="end with">.dotm</TargetFilename>
 			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence" condition="end with">.XLSB</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Scheduled Task Modified" condition="begin with">C:\Windows\Tasks\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Scheduled Task Modified" condition="begin with">C:\Windows\Tasks\</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=3,Alert=Exchange 0day from September 2022 overwriting legit file,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Exchange 0day from September 2022 overwriting legit file,Risk=80" groupRelation="and">
 				<TargetFilename condition="end with">RedirSuiteServiceProxy.aspx</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=3,Alert=HAFNIUM APT: IIS Creating ASPX files outside of wwwwroot,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=HAFNIUM APT: IIS Creating ASPX files outside of wwwwroot,Risk=80" groupRelation="and">
 				<Image condition="image">w3wp.exe</Image>
 				<TargetFilename condition="end with">.aspx</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=HAFNIUM APT: IIS Creating PHP files,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=HAFNIUM APT: IIS Creating PHP files,Risk=80" groupRelation="and">
 				<Image condition="image">w3wp.exe</Image>
 				<TargetFilename condition="end with">.php</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=HAFNIUM APT: IIS Creating AAA files,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=HAFNIUM APT: IIS Creating AAA files,Risk=80" groupRelation="and">
 				<Image condition="image">w3wp.exe</Image>
 				<TargetFilename condition="end with">.aaa</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=3,Alert=HAFNIUM Web Shells Dropped,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=HAFNIUM Web Shells Dropped,Risk=100" groupRelation="and">
 				<TargetFilename condition="contains any">\wwwroot\aspnet_client\;\FrontEnd\HttpProxy\owa\auth</TargetFilename>
 				<TargetFilename condition="contains any">.aspx;.php;.ashx</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=Files dropped in wwwroot directory,Risk=40" groupRelation="and">
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Files dropped in wwwroot directory,Risk=40" groupRelation="and">
 				<TargetFilename condition="contains any">\wwwroot\</TargetFilename>
 				<TargetFilename condition="excludes any">\wwwroot\aspnet_client\;jpg</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=ASP Files dropped outside wwwroot directory" groupRelation="and">
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=ASP Files dropped outside wwwroot directory" groupRelation="and">
 				<TargetFilename condition="end with">.asp</TargetFilename>
 				<TargetFilename condition="excludes any">\wwwroot\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,Level=0,Desc=ASPX Files dropped outside wwwroot directory" groupRelation="and">
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=ASPX Files dropped outside wwwroot directory" groupRelation="and">
 				<TargetFilename condition="end with">.aspx</TargetFilename>
 				<TargetFilename condition="excludes any">\wwwroot\</TargetFilename>
 			</Rule>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files dropped in Exchange ECP directory,Risk=80" condition="contains">\ecp\auth\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files dropped in Exchange OAB directory,Risk=80" condition="contains">\oab\auth\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">ClientAccess\Owa\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">\owa\auth\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files dropped in Exchange RPC directory,Risk=80" condition="contains">httpproxy\rpc\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files dropped in Exchange ecp directory,Risk=80" condition="contains">ClientAccess\ecp\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files dropped in wwwroot htdocs directory" condition="contains">\htdocs\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange ECP directory,Risk=80" condition="contains">\ecp\auth\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange OAB directory,Risk=80" condition="contains">\oab\auth\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">ClientAccess\Owa\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">\owa\auth\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange RPC directory,Risk=80" condition="contains">httpproxy\rpc\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange ecp directory,Risk=80" condition="contains">ClientAccess\ecp\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in wwwroot htdocs directory" condition="contains">\htdocs\</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
 
@@ -3839,16 +3841,16 @@
 			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
 			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=Printer Exploitation Detected,Risk=20" groupRelation="and">
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=File: File Creation,Level=0,Desc=Printer Exploitation Detected,Risk=20" groupRelation="and">
 				<TargetFilename condition="end with">.SPL</TargetFilename>
 				<Image condition="excludes any">spoolsv.exe;printfilterpipelinesvc.exe;printisolationhost.exe;splwow64.exe;msiexec.exe;poqexec.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=Printer Spooler Created exe file,Risk=40" groupRelation="and">
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=File: File Creation,Level=0,Desc=Printer Spooler Created exe file,Risk=40" groupRelation="and">
 				<Image condition="image">spoolsv.exe</Image>
 				<TargetFilename condition="end with">.exe</TargetFilename>
 				<TargetFilename condition="excludes">C\:\Windows\System32\spool\;C\:\Windows\Temp\;C\:\Users\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,Level=0,Desc=InstallerFileTakeOver,Risk=80,CVE=CVE-2021-41379" groupRelation="and">
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=File: File Creation,Level=0,Desc=InstallerFileTakeOver,Risk=80,CVE=CVE-2021-41379" groupRelation="and">
 				<Image condition="image">msiexec.exe</Image>
 				<TargetFilename condition="contains">\Microsoft\Edge\Application</TargetFilename>
 				<TargetFilename condition="end with">elevation_service.exe</TargetFilename>
@@ -3876,10 +3878,10 @@
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
 			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
 			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WSL Locations" condition="contains">\LocalState\rootfs\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=WSL Locations" condition="contains">\LocalState\rootfs\</TargetFilename>
 
 			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="or">
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="or">
 				<TargetFilename condition="begin with">C:\PerfLogs\</TargetFilename> 
 				<TargetFilename condition="begin with">C:\Temp\</TargetFilename> 
 				<TargetFilename condition="begin with">C:\Users\Default\</TargetFilename> 
@@ -3887,13 +3889,13 @@
 				<TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename> 
 				<TargetFilename condition="contains">\AppData\Temp\</TargetFilename>
 			</Rule>
-			<TargetFilename condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
-			<Image condition="contains" name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files Created from">$Recycle.Bin</Image>
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Files Created within System Profile" groupRelation="and">
+			<TargetFilename condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
+			<Image condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files Created from">$Recycle.Bin</Image>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Files Created within System Profile" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 				<TargetFilename condition="contains">\config\systemprofile\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,Level=0,Desc=Files Created from System Profile executable" groupRelation="and">
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Files Created from System Profile executable" groupRelation="and">
 				<Image condition="begin with">C:\Windows\</Image>
 				<Image condition="contains">\config\systemprofile\</Image>
 			</Rule>
@@ -3980,7 +3982,7 @@
 
 			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
-			<Rule name="Attack=T1203,Technique=Exploitation of Remote Services,Tactic=Lateral Movement,Level=4,Alert=Exchange Exploitation UM Service File Creation,Risk=80,CVE=CVE-2021-26858" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation of Remote Services,Tactic=Lateral Movement,DS=File: File Creation,Level=4,Alert=Exchange Exploitation UM Service File Creation,Risk=80,CVE=CVE-2021-26858" groupRelation="and">
 				<Image condition="contains any">UMWorkerProcess.exe;UMService.exe</Image>
 				<TargetFilename condition="contains any">.</TargetFilename>
 				<TargetFilename condition="excludes any">.log;.cfg;.txt;cleanup;.HealthCheck;\wp.active;.db</TargetFilename>
@@ -3997,31 +3999,31 @@
 			<!--MITRE ATT&CK TACTIC: Collection-->
 			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
 			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.7z</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.7zip</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.arj</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=7zip Archive" condition="end with">.s7z</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=.A Archive" condition="end with">.a</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ACE Archive" condition="end with">.ace</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=AR Archive" condition="end with">.ar</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ARC Archive" condition="end with">.arc</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=BIN" condition="end with">.bin</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=CAB Archive" condition="end with">.cab</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=Game PAK Archive" condition="end with">.pak</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=Gzip Archive" condition="end with">.gz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=IMG Archive" condition="end with">.img</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ISO Archive" condition="end with">.iso</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=LZM Archive" condition="end with">.lzm</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=LZMA Archive" condition="end with">.lzma</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=RAR Archive Extraction" condition="contains">Temp\Rar$</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=RAR Archive" condition="end with">.rar</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=RAR SFX Archive Extraction" condition="contains">RarSFX</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=SFX Archive" condition="end with">.sfx</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=SZ Archive" condition="end with">.sz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=TAR Archive" condition="end with">.tar</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=TAR.GZ Archive" condition="end with">.tar.gz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=XZ Archive" condition="end with">.xz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,Level=0,Desc=ZIP Archive" condition="end with">.zip</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" condition="end with">.7z</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" condition="end with">.7zip</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" condition="end with">.arj</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" condition="end with">.s7z</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=.A Archive" condition="end with">.a</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ACE Archive" condition="end with">.ace</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=AR Archive" condition="end with">.ar</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ARC Archive" condition="end with">.arc</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=BIN" condition="end with">.bin</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=CAB Archive" condition="end with">.cab</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Game PAK Archive" condition="end with">.pak</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Gzip Archive" condition="end with">.gz</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=IMG Archive" condition="end with">.img</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ISO Archive" condition="end with">.iso</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=LZM Archive" condition="end with">.lzm</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=LZMA Archive" condition="end with">.lzma</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=RAR Archive Extraction" condition="contains">Temp\Rar$</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=RAR Archive" condition="end with">.rar</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=RAR SFX Archive Extraction" condition="contains">RarSFX</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=SFX Archive" condition="end with">.sfx</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=SZ Archive" condition="end with">.sz</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=TAR Archive" condition="end with">.tar</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=TAR.GZ Archive" condition="end with">.tar.gz</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=XZ Archive" condition="end with">.xz</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ZIP Archive" condition="end with">.zip</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
 			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
 			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
@@ -4034,10 +4036,10 @@
 			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
 			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
 			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .OST Created,Risk=30" condition="end with">.ost</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.eml</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.msg</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.pst</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .OST Created,Risk=30" condition="end with">.ost</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.eml</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.msg</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.pst</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
 			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
 			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
@@ -4046,7 +4048,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
 			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
 			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,Level=4,Alert=Cyrillic Letter obfuscation,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,DS=File: File Creation,Level=4,Alert=Cyrillic Letter obfuscation,Risk=100" groupRelation="and">
 				<TargetFilename condition="contains any">Г;И;К;П;д;и;к;л;л;н;н;о;ф;ե;թ;յ;ն;ն;ն;ն;տ;ւ;ք</TargetFilename>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
@@ -4054,21 +4056,21 @@
 			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
 			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created by Teamviewer" condition="image">Teamviewer.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Created by rundll32" condition="image">rundll32.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Created with Remote Desktop Client" condition="image">mstsc.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Created with command shell,Risk=30" condition="image">cmd.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Dropped with IronPython.exe,Risk=50" condition="image">ipy.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Dropped with WScript.exe,Risk=30" condition="image">WScript.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with cscript.exe,Risk=30" condition="image">cscript.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with mshta.exe,Risk=100" condition="image">mshta.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with python.exe,Risk=30" condition="image">python.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=0,Desc=File Dropped with wmic.exe,Risk=30" condition="image">wmic.exe</Image>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Created by Teamviewer" condition="image">Teamviewer.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Created by rundll32" condition="image">rundll32.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Created with Remote Desktop Client" condition="image">mstsc.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Created with command shell,Risk=30" condition="image">cmd.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped with IronPython.exe,Risk=50" condition="image">ipy.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped with WScript.exe,Risk=30" condition="image">WScript.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with cscript.exe,Risk=30" condition="image">cscript.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with mshta.exe,Risk=100" condition="image">mshta.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with python.exe,Risk=30" condition="image">python.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with wmic.exe,Risk=30" condition="image">wmic.exe</Image>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
 				<TargetFilename condition="contains any">C:\Users\Default\;C:\Users\Public\</TargetFilename>
 				<TargetFilename condition="end with">.dll</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
 				<TargetFilename condition="contains any">C:\Users\Default\;C:\Users\Public\</TargetFilename>
 				<TargetFilename condition="end with">.exe</TargetFilename>
 			</Rule>
@@ -4078,10 +4080,10 @@
 			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
 			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
 			<!--MITRE ATT&CK TECHNIQUE: Proxy: Multi-hop Proxy-->
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Hidden Service,Risk=100" condition="contains">HiddenService</TargetFilename>
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Files,Risk=100" condition="end with">torrc</TargetFilename> 
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Files,Risk=100" condition="contains">\tor.exe</TargetFilename> 
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,Level=4,Alert=Potential Tor Files,Risk=100" condition="contains">tor-gencert</TargetFilename> 
+			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Hidden Service,Risk=100" condition="contains">HiddenService</TargetFilename>
+			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Files,Risk=100" condition="end with">torrc</TargetFilename> 
+			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Files,Risk=100" condition="contains">\tor.exe</TargetFilename> 
+			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Files,Risk=100" condition="contains">tor-gencert</TargetFilename> 
 			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
 			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
 			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
@@ -4097,27 +4099,27 @@
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
 			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Possible rclone Exfiltration,Risk=30" condition="contains">rclone</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Possible s3browser Exfiltration,Risk=30" condition="contains">s3browser</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Browser Credential exfiltration,Risk=30" condition="contains">grabff.exe</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,Level=4,Alert=Browser Credential exfiltration,Risk=30" condition="contains">grabff.exe</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Possible rclone Exfiltration,Risk=30" condition="contains">rclone</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Possible s3browser Exfiltration,Risk=30" condition="contains">s3browser</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Browser Credential exfiltration,Risk=30" condition="contains">grabff.exe</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Browser Credential exfiltration,Risk=30" condition="contains">grabff.exe</TargetFilename>
 			<!--MITRE ATT&CK TACTIC: Impact-->
 			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
 			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
 			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Snatch Ransomware Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=File: File Creation,Level=4,Alert=Snatch Ransomware Detected,Risk=100" groupRelation="and">
 				<TargetFilename condition="contains all">RESTORE_;_FILES.txt</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Snatch2 Ransomware Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=File: File Creation,Level=4,Alert=Snatch2 Ransomware Detected,Risk=100" groupRelation="and">
 				<TargetFilename condition="contains all">DECRYPT_;_FILES.txt</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Nanocore Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=File: File Creation,Level=4,Alert=Nanocore Detected,Risk=100" groupRelation="and">
 				<TargetFilename condition="contains any">\run.dat;\task.dat;\storage.dat</TargetFilename>
 				<TargetFilename condition="contains">AppData</TargetFilename>
 				<TargetFilename condition="excludes any">Symantec</TargetFilename>
 				<TargetFilename condition="excludes any">BlueJeans</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=RagnarLocker Virtualbox files: susceptible to FP,Risk=40" groupRelation="and">
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=File: File Creation,Level=4,Alert=RagnarLocker Virtualbox files: susceptible to FP,Risk=40" groupRelation="and">
 				<TargetFilename condition="contains any">VBoxRT.dll;VboxC.dll</TargetFilename>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
@@ -4131,140 +4133,141 @@
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<!--UEBA Detections-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious files within Content.IE5,Risk=40" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Suspicious files within Content.IE5,Risk=40" groupRelation="and">
 				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
 				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.dll</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Unusual OLE ActiveX execution from Microsoft Office,Risk=20" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Unusual OLE ActiveX execution from Microsoft Office,Risk=20" groupRelation="and">
 				<TargetFilename condition="contains any">MSForms.exd</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New Executable File Detected in System32" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Executable File Detected in System32" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename> 
 				<TargetFilename condition="begin with">C:\windows\system32\</TargetFilename> 
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New Executable File Detected in Windows Directory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Executable File Detected in Windows Directory" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename> 
 				<TargetFilename condition="begin with">C:\windows\</TargetFilename> 
 				<TargetFilename condition="excludes">\system32\</TargetFilename> 
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New Executable File Detected Outside Windows Directory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Executable File Detected Outside Windows Directory" groupRelation="and">
 				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
 				<TargetFilename condition="excludes">C:\windows\</TargetFilename> 
 				<TargetFilename condition="excludes">C:\Users\</TargetFilename> 
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New Executable File Detected Inside User Directory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Executable File Detected Inside User Directory" groupRelation="and">
 				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
 				<TargetFilename condition="begin with">C:\Users\</TargetFilename> 
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WLL Office Application Startup" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=WLL Office Application Startup" groupRelation="and">
 				<TargetFilename condition="contains">\Microsoft\Word\Startup\</TargetFilename>
 				<TargetFilename condition="end with">.wll</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc= Windows Defender Application Control changes" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc= Windows Defender Application Control changes" groupRelation="and">
 				<TargetFilename condition="begin with">C:\windows\system32\CodeIntegrity\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=XLL Office Application Startup" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=XLL Office Application Startup" groupRelation="and">
 				<TargetFilename condition="contains">\Microsoft\Excel\Startup\</TargetFilename>
 				<TargetFilename condition="end with">.xll</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Outlook Macro Execution,Risk=90" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Outlook Macro Execution,Risk=90" groupRelation="and">
 				<TargetFilename condition="end with">\Microsoft\Outlook\VbaProject.OTM</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Application Startup Generic" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Office Application Startup Generic" groupRelation="and">
 				<TargetFilename condition="contains">\Microsoft\Addins\</TargetFilename>
 				<TargetFilename condition="contains any">.xla</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office VSTO Addin detected,Risk=20" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Office VSTO Addin detected,Risk=20" groupRelation="and">
 				<TargetFilename condition="end with">.vsto</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New bat file dropped to C:\Windows\,Risk=70" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New bat file dropped to C:\Windows\,Risk=70" groupRelation="and">
 				<TargetFilename condition="end with">.bat</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 				<Image condition="excludes any">C:\ProgramData\Lenovo\SystemUpdate\sessionSE\</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New dll file dropped to C:\Windows\" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New dll file dropped to C:\Windows\" groupRelation="and">
 				<TargetFilename condition="end with">.dll</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New Driver sys file dropped to C:\Windows\" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Driver sys file dropped to C:\Windows\" groupRelation="and">
 				<TargetFilename condition="end with">.sys</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New Exe file dropped to C:\Windows\" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Exe file dropped to C:\Windows\" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 				<TargetFilename condition="excludes any">C:\Windows\System32\;C:\windows\syswow64\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New Exe file dropped to C:\Windows\System32" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Exe file dropped to C:\Windows\System32" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New Exe file dropped to C:\Windows\System32" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Exe file dropped to C:\Windows\System32" groupRelation="and">
 				<TargetFilename condition="end with">.exe</TargetFilename>
 				<TargetFilename condition="begin with">C:\Windows\SysWow64\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=New theme: Credential harvesting" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New theme: Credential harvesting" groupRelation="and">
 				<TargetFilename condition="end with">.theme</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Interesting files: Microsoft Office Isolated Conversion Environment" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Interesting files: Microsoft Office Isolated Conversion Environment" groupRelation="and">
 				<TargetFilename condition="contains">\Packages\oice_</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Virtualbox VM Escape" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Virtualbox VM Escape" groupRelation="and">
 				<Image condition="image">VirtualboxVM.exe</Image>
 			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Files edited with Notepad Plus Plus" condition="is">notepad++.exe</Image>
-			<TargetFilename name="Attack=T1023,Technique=Shortcut Modification,Tactic=Persistence,Level=4,Alert=Potential LNK Malware File Downloaded">.lnk:Zone.Identifier</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\cscript.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\mshta.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\msiexec.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\regsvr32.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\rundll32.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\svchost.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wmic.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wscript.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\regsvr32.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,Level=0,Desc=Execution: Susp ManagedCode Winrm Host Process" condition="end with">\UsageLogs\wsmprovhost.exe.log</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Link">.lnk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=URL">.url</TargetFilename>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files edited with Notepad Plus Plus" condition="is">notepad++.exe</Image>
+			<TargetFilename name="Attack=T1023,Technique=Shortcut Modification,Tactic=Persistence,DS=File: File Creation,Level=4,Alert=Potential LNK Malware File Downloaded">.lnk:Zone.Identifier</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\cscript.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\mshta.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\msiexec.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\regsvr32.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\rundll32.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\svchost.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wmic.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wscript.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\regsvr32.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Winrm Host Process" condition="end with">\UsageLogs\wsmprovhost.exe.log</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Link">.lnk</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=URL">.url</TargetFilename>
 			<!--Drivers dropped-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Driver" condition="end with">.sys</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Driver INF" condition="end with">.inf</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\System32\Drivers</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Driver File Dropped" condition="contains">\Drivers\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver" condition="end with">.sys</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver INF" condition="end with">.inf</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\System32\Drivers</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver File Dropped" condition="contains">\Drivers\</TargetFilename>
 			<TargetFilename condition="end with">.drv</TargetFilename> 
 			<!--Microsoft Office File Monitoring-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlam</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlsm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel" condition="end with">.xla</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel" condition="end with">.xll</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel" condition="end with">.xls</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel" condition="end with">.xlsb</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel" condition="end with">.xlsx</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel" condition="end with">.xlt</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel" condition="end with">.xltm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel" condition="end with">.xlw</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Template created" condition="contains">\Microsoft\Templates\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Outlook EML" condition="end with">.eml</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Outlook MSG" condition="end with">.msg</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powerpoint Macro" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.potm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Powerpoint OpenXML Filetype" condition="end with">.sldm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Recent Office Files" condition="contains">\Microsoft\Office\Recent</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlam</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlsm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xla</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xll</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xls</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xlsb</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xlsx</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xlt</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xltm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xlw</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Office Template created" condition="contains">\Microsoft\Templates\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Outlook EML" condition="end with">.eml</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Outlook MSG" condition="end with">.msg</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.potm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint OpenXML Filetype" condition="end with">.sldm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Recent Office Files" condition="contains">\Microsoft\Office\Recent</TargetFilename>
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Forensic=Recent Office History" condition="contains">oleObject</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User Downloaded Files" condition="contains">\Downloads\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User Outlook Attachments" condition="contains">\Content.Outlook\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word Macro,Risk=30" condition="end with">.docb</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word Macro,Risk=30" condition="end with">.wbk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word Perfect" condition="end with">.ped</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word Template" condition="end with">.dot</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word Template" condition="end with">.dotx</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word" condition="end with">.doc</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word" condition="end with">.docm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word" condition="end with">.docx</TargetFilename>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Legacy Office files" groupRelation="or">
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Forensic=Recent Jumplist Custom Destinations" condition="contains">\Recent\CustomDestinations\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=User Downloaded Files" condition="contains">\Downloads\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=User Outlook Attachments" condition="contains">\Content.Outlook\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Macro,Risk=30" condition="end with">.docb</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Macro,Risk=30" condition="end with">.wbk</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Perfect" condition="end with">.ped</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Template" condition="end with">.dot</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Template" condition="end with">.dotx</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word" condition="end with">.doc</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word" condition="end with">.docm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word" condition="end with">.docx</TargetFilename>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="or">
 				<TargetFilename condition="end with">.accdb</TargetFilename>
 				<TargetFilename condition="end with">.accde</TargetFilename>
 				<TargetFilename condition="end with">.accdr</TargetFilename>
@@ -4287,7 +4290,7 @@
 				<TargetFilename condition="end with">.xps</TargetFilename>
 			</Rule>
 			<!--SECTION: Certificates -->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Certificate" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="or">
 				<TargetFilename condition="end with">.pem</TargetFilename>
 				<TargetFilename condition="end with">.crt</TargetFilename>
 				<TargetFilename condition="end with">.ca-bundle</TargetFilename>
@@ -4305,7 +4308,7 @@
 				<TargetFilename condition="end with">.key</TargetFilename>
 			</Rule>
 			<!-- side loading -->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Sideload Detection" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="or">
 				<TargetFilename condition="end with">.hlp</TargetFilename>
 				<TargetFilename condition="end with">ACLUI.DLL.UI</TargetFilename>
 				<TargetFilename condition="end with">ACLUI.DLL</TargetFilename>
@@ -4394,63 +4397,63 @@
 				<TargetFilename condition="end with">wts.chm</TargetFilename>
 				<TargetFilename condition="end with">credwiz.exe</TargetFilename>
 			</Rule>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Op cell phone: https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" condition="end with">ssMUIDLL.dll</TargetFilename>
-			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">aepic.dll</TargetFilename>
-			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">ftllib.dll</TargetFilename>
-			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,Level=0,Desc=Finfisher Sideload Detection" condition="end with">userenv.dll</TargetFilename>
-			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP Bitmap Cache" condition="contains">\Terminal Server Client\Cache\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Op cell phone: https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" condition="end with">ssMUIDLL.dll</TargetFilename>
+			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=Finfisher Sideload Detection" condition="end with">aepic.dll</TargetFilename>
+			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=Finfisher Sideload Detection" condition="end with">ftllib.dll</TargetFilename>
+			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=Finfisher Sideload Detection" condition="end with">userenv.dll</TargetFilename>
+			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,DS=File: File Creation,Level=0,Desc=RDP Bitmap Cache" condition="contains">\Terminal Server Client\Cache\</TargetFilename>
 			<TargetFilename name="Attack=T1204,Technique=User Execution,Tactic=Execution,Forensic=Windows Prefetch Exec History" condition="begin with">C:\Windows\Prefetch</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious TSClient share file creation,Risk=30" condition="begin with">\\tsclient</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WebDav Cache Files Created" condition="begin with">C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\</TargetFilename>
-			<TargetFilename name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,Level=4,Alert=SharpDump bin,Risk=100" condition="end with">\Temp\debug.bin</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=7zip Archive Extraction" condition="contains">Temp\7z</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Appcompat Shims" condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CHM Filetype" condition="end with">.chm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CIA Vault7: Control Panel Files https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="end with">.cpl</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CIA Vault7: https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="contains">.mht</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Chrome Extensions" condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Chrome extension" condition="end with">.crx</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=ClickOnce extension" condition="end with">.appref-ms</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Desktop Gadget File" condition="end with">.gadget</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Encrypted JScript File type" condition="end with">.JSE</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Executable file" condition="end with">.exe</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Explorer Command" condition="end with">.scf</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Dropped to Exchange OWA: Webshell,Risk=70" condition="contains">Exchange Server\ClientAccess\Owa\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Dropped to shadow copy" condition="begin with">\Device\HarddiskVolumeShadowCopy</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File created/accessed from Zip File" condition="contains">.zip\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Font File Type" condition="end with">.FON</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Font File Type" condition="end with">.FOT</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IQY file used to pull down dropper" condition="end with">.iqy</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Icon" condition="end with">.ico</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Internet settings" condition="end with">.isp</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=MMC Snapin" condition="end with">.msc</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Manifest File Crated" condition="end with">.manifest</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Memory dump" condition="end with">MEMORY.dmp</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Microsoft Installer" condition="end with">.msi</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.cs</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.customDestinations-ms</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Minidump Crash dump created" condition="begin with">C:\Windows\Minidump</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=PAF" condition="end with">.PAF</TargetFilename>
-			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP Bitmap Cache" condition="end with">.bmc</TargetFilename>
-			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,Level=0,Desc=RDP" condition="end with">.rdp</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=RTF files often 0day malware vectors when opened by Office,Risk=20" condition="end with">.rtf</TargetFilename> 
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Registry file" condition="end with">.reg</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SHS Office File for copy pastes" condition="end with">.SHS</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SLK file used for command execution" condition="end with">.slk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Screensaver" condition="end with">.SCR</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Set" condition="end with">.set</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SettingContent-ms" condition="end with">.SettingContent-ms</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Spooled Print Job" condition="end with">.SHD</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Spooled Print Job" condition="end with">.SPL</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Screensaver file created" condition="end with">.scr</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Vault7 file" condition="end with">HammerDrillStatus.dll</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Error Dumps" condition="contains">Microsoft\Windows\WER\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Icon" condition="end with">.ICL</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Registry Database" condition="end with">.sdb</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Script File Component File" condition="end with">.SCT</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Scrap Object Handler File" condition="end with">.SHB</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Suspicious TSClient share file creation,Risk=30" condition="begin with">\\tsclient</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=WebDav Cache Files Created" condition="begin with">C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\</TargetFilename>
+			<TargetFilename name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=File: File Creation,Level=4,Alert=SharpDump bin,Risk=100" condition="end with">\Temp\debug.bin</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=7zip Archive Extraction" condition="contains">Temp\7z</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Appcompat Shims" condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CHM Filetype" condition="end with">.chm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CIA Vault7: Control Panel Files https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="end with">.cpl</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CIA Vault7: https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="contains">.mht</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Chrome Extensions" condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Chrome extension" condition="end with">.crx</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=ClickOnce extension" condition="end with">.appref-ms</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Desktop Gadget File" condition="end with">.gadget</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Encrypted JScript File type" condition="end with">.JSE</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Executable file" condition="end with">.exe</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Explorer Command" condition="end with">.scf</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped to Exchange OWA: Webshell,Risk=70" condition="contains">Exchange Server\ClientAccess\Owa\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped to shadow copy" condition="begin with">\Device\HarddiskVolumeShadowCopy</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File created/accessed from Zip File" condition="contains">.zip\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Font File Type" condition="end with">.FON</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Font File Type" condition="end with">.FOT</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=IQY file used to pull down dropper" condition="end with">.iqy</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Icon" condition="end with">.ico</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Internet settings" condition="end with">.isp</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=MMC Snapin" condition="end with">.msc</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Manifest File Crated" condition="end with">.manifest</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Memory dump" condition="end with">MEMORY.dmp</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Microsoft Installer" condition="end with">.msi</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.cs</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.customDestinations-ms</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Minidump Crash dump created" condition="begin with">C:\Windows\Minidump</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=PAF" condition="end with">.PAF</TargetFilename>
+			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,DS=File: File Creation,Level=0,Desc=RDP Bitmap Cache" condition="end with">.bmc</TargetFilename>
+			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,DS=File: File Creation,Level=0,Desc=RDP" condition="end with">.rdp</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=RTF files often 0day malware vectors when opened by Office,Risk=20" condition="end with">.rtf</TargetFilename> 
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Registry file" condition="end with">.reg</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=SHS Office File for copy pastes" condition="end with">.SHS</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=SLK file used for command execution" condition="end with">.slk</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Screensaver" condition="end with">.SCR</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Set" condition="end with">.set</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=SettingContent-ms" condition="end with">.SettingContent-ms</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Spooled Print Job" condition="end with">.SHD</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Spooled Print Job" condition="end with">.SPL</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Screensaver file created" condition="end with">.scr</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Vault7 file" condition="end with">HammerDrillStatus.dll</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Error Dumps" condition="contains">Microsoft\Windows\WER\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Icon" condition="end with">.ICL</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Registry Database" condition="end with">.sdb</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Script File Component File" condition="end with">.SCT</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Shell Scrap Object Handler File" condition="end with">.SHB</TargetFilename>
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Zip File Extraction from explorer" condition="contains">Temp\Temp1_</TargetFilename>
 			<!--Uncategorized-->
 			<TargetFilename condition="contains all">\Microsoft\;CLR_v;\UsageLogs\</TargetFilename>
@@ -4514,37 +4517,37 @@
 				<TargetObject condition="excludes">DefaultPrinter</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Mounted Device Detection" condition="contains">MountedDevices</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Mountpoints2 Mounted Device Detection" condition="contains">Mountpoints2</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Active Setup Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Keyloggers and new Keyboards" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect USB Input Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect New Mice" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect New Composite Device" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect New Bluetooth Device" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect New Disk Drive" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect New WPD Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect New Biometric Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Mounted Device Detection" condition="contains">MountedDevices</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Mountpoints2 Mounted Device Detection" condition="contains">Mountpoints2</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Active Setup Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Keyloggers and new Keyboards" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect USB Input Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Mice" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Composite Device" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Bluetooth Device" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Disk Drive" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New WPD Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Biometric Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
 			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
 			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
 			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Interactive Logon Detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Interactive Logon Detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\</TargetObject>
 				<TargetObject condition="end with">LoggedOnUser</TargetObject>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Last Logged on User modification" condition="contains">LastLoggedOnUser</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Last Logged on Provider modification" condition="contains">LastLoggedOnProvider</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Last Logged on User modification" condition="contains">LastLoggedOnUser</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Last Logged on Provider modification" condition="contains">LastLoggedOnProvider</TargetObject>
 			<!--MITRE ATT&CK TACTIC: Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
 			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
 			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Suspicious Set Value of MSDT in Registry: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Suspicious Set Value of MSDT in Registry: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
 				<TargetObject condition="begin with">HKCR\ms-msdt\</TargetObject>
 			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=Scripted Diagnostics Turn Off Check Enabled: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Scripted Diagnostics Turn Off Check Enabled: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
@@ -4554,37 +4557,37 @@
 			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
 			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
 			<!--MITRE ATT&CK TECHNIQUE: System Services-->
-			<Rule name="Attack=T1543.003,Tactic=Persistence,Technique=Create Windows Service,Level=3,Alert=New SVCHost service,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1543.003,Tactic=Persistence,Technique=Create Windows Service,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=New SVCHost service,Risk=70" groupRelation="and">
 				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost</TargetObject>
 				<TargetObject condition="excludes">\print\</TargetObject>
 				<TargetObject condition="excludes">\AzureAttestService\CoInitializeSecurityParam</TargetObject>
 				<Image condition="excludes">C:\$WINDOWS.~BT\</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=VBA Project Object Model Macro Settings,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=VBA Project Object Model Macro Settings,Risk=30" groupRelation="and">
 				<TargetObject condition="end with">\AccessVBOM</TargetObject>
 				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=VBA Project VBA Warnings Macro Setting Change,Risk=40" groupRelation="and">
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=VBA Project VBA Warnings Macro Setting Change,Risk=40" groupRelation="and">
 				<TargetObject condition="end with">Security\VBAWarnings</TargetObject>
 				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=3,Alert=VBA Project VBA Warnings Macro Setting Change,Risk=40" groupRelation="and">
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=VBA Project VBA Warnings Macro Setting Change,Risk=40" groupRelation="and">
 				<TargetObject condition="end with">Security\VBAWarnings</TargetObject>
 				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,Level=0,Desc=Potential Office Macro Execution Detected" groupRelation="and">
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Potential Office Macro Execution Detected" groupRelation="and">
 				<Image condition="contains any">EXCEL.exe;WINWORD.exe</Image>
 				<TargetObject condition="contains any">{8BD21D32-EC42-11CE-9E0D-00AA006002F3};{5B9D8FC8-4A71-101B-97A6-00000B65C08B}</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: User Execution: Malicious File-->
-			<Rule name="Attack=T0000,Level=4,Alert=NJRAT Detection,Risk=100" groupRelation="and">
+			<Rule name="Attack=T0000,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=NJRAT Detection,Risk=100" groupRelation="and">
 				<TargetObject condition="is">HKCU\di</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Lokibot Detection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lokibot Detection" groupRelation="and">
 				<TargetObject condition="contains">HKCU\�</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AMSI Tamper Detection" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AMSI Tamper Detection" groupRelation="or">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\AMSI\Providers\</TargetObject>
 				<TargetObject condition="begin with">hklm\software\microsoft\windows script\settings\amsienable</TargetObject>
 				<TargetObject condition="begin with">hkcu\software\microsoft\windows script\settings\amsienable</TargetObject>
@@ -4592,34 +4595,34 @@
 			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
 
 			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Chrome Extension auditing" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Chrome Extension auditing" groupRelation="and">
 				<TargetObject condition="contains">Google\Chrome\Extensions</TargetObject>
 				<TargetObject condition="end with">update_url</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Forced password reset detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Forced password reset detected" groupRelation="and">
 				<TargetObject condition="contains">ForcePasswordReset</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Machine Password Change Detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Machine Password Change Detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User Last Password Changed" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User Last Password Changed" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
 				<TargetObject condition="end with">Last Password Change</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Account Expiration" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Account Expiration" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
 				<TargetObject condition="end with">Account Expiration</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Last Failed Logon" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Last Failed Logon" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
 				<TargetObject condition="end with">Last Failed Logon</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User Account Added to Local Admin" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User Account Added to Local Admin" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User Account Added to Remote Desktop User Group" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User Account Added to Remote Desktop User Group" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\0000022B\</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
@@ -4630,32 +4633,32 @@
 				<TargetObject condition="contains">\CurrentVersion\Run\</TargetObject>
 				<Image condition="excludes">Add_exclusions_here</Image>
 			</Rule>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Microsoft\System\Scripts</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Windows\System\Scripts</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Command Line parameters" condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=1,Desc=Service Start Mode Changed to: Boot" groupRelation="and">
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Microsoft\System\Scripts</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Windows\System\Scripts</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Service Command Line parameters" condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Service Start Mode Changed to: Boot" groupRelation="and">
 				<TargetObject condition="end with">\Start</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=1,Desc=Service Start Mode Changed to: System" groupRelation="and">
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Service Start Mode Changed to: System" groupRelation="and">
 				<TargetObject condition="end with">\Start</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=1,Desc=Service Start Mode Changed to: Automatic" groupRelation="and">
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Service Start Mode Changed to: Automatic" groupRelation="and">
 				<TargetObject condition="end with">\Start</TargetObject>
 				<Details condition="contains">DWORD (0x00000002)</Details>
 			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: Manual" groupRelation="and">
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Service Start Mode Changed to: Manual" groupRelation="and">
 				<TargetObject condition="end with">\Start</TargetObject>
 				<Details condition="contains">DWORD (0x00000003)</Details>
 			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Service Start Mode Changed to: Disabled" groupRelation="and">
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Service Start Mode Changed to: Disabled" groupRelation="and">
 				<TargetObject condition="end with">\Start</TargetObject>
 				<Details condition="contains">DWORD (0x00000004)</Details>
 			</Rule>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Services and autoruns imagepath" condition="end with">\ImagePath</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Windows Service DLL changes" condition="end with">\ServiceDll</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Manifest pointing to service's DLL" condition="end with">\ServiceManifest</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Services and autoruns imagepath" condition="end with">\ImagePath</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Service DLL changes" condition="end with">\ServiceDll</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Manifest pointing to service's DLL" condition="end with">\ServiceManifest</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hkcu\software\microsoft\windows nt\currentversion\windows\run\</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\common startup</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\startup</TargetObject>
@@ -4664,12 +4667,12 @@
 			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="contains">Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Print Processors-->
 			<TargetObject name="Attack=T1013,Technique=Port Monitors,Tactic=Persistence/Privilege Escalation" condition="contains">\Print\Monitors</TargetObject>
-			<!--<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Printer Registry Locations" condition="contains">\Printers\Connections</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Printer Registry Locations" condition="contains">\Print\Environments\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Printer Registry Locations" condition="contains">\Servers\Printers\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Printer Registry Locations" condition="contains">\Print\V4 Connections</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Printer Registry Locations" condition="contains">CurrentVersion\PrinterPorts</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Printer Registry Locations" condition="contains">SWD\PRINTENUM</TargetObject>-->
+			<!--<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">\Printers\Connections</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">\Print\Environments\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">\Servers\Printers\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">\Print\V4 Connections</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">CurrentVersion\PrinterPorts</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">SWD\PRINTENUM</TargetObject>-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
 			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
 			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
@@ -4679,73 +4682,73 @@
 				<TargetObject condition="excludes">$</TargetObject>
 				<EventType condition="is">CreateKey</EventType>
 			</Rule>
-			<Rule name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Level=0,Desc=Hidden New user created,Risk=40" groupRelation="and">
+			<Rule name="Attack=T1136,Technique=Create Account,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Creation,Level=0,Desc=Hidden New user created,Risk=40" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
 				<TargetObject condition="contains">$</TargetObject>
 				<EventType condition="is">CreateKey</EventType>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=3,Alert=Sysmon Manifest change detected,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Sysmon Manifest change detected,Risk=30" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}</TargetObject>
 				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
 				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
 				<Image condition="excludes">C:\Programdata\sysmon\sysmon64.exe</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor Endpoint Protocol Handlers" groupRelation="and">
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Endpoint Protocol Handlers" groupRelation="and">
 				<TargetObject condition="begin with">HKCR\</TargetObject>
 				<TargetObject condition="end with">(Default)</TargetObject>
 				<TargetObject condition="excludes">\shell\open\command\(Default)</TargetObject>
 				<Details condition="begin with">URL:</Details>
 			</Rule>
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor User Protocol Handlers" groupRelation="and">
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor User Protocol Handlers" groupRelation="and">
 				<TargetObject condition="begin with">HKCU\Software\Classes\</TargetObject>
 				<TargetObject condition="end with">(Default)</TargetObject>
 				<TargetObject condition="excludes">\shell\open\command\(Default)</TargetObject>
 				<Details condition="begin with">URL:</Details>
 			</Rule>
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor Endpoint File Associations" groupRelation="and">
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Endpoint File Associations" groupRelation="and">
 				<TargetObject condition="begin with">HKCR\</TargetObject>
 				<TargetObject condition="end with">\shell\open\command\(Default)</TargetObject>
 				<Details condition="contains">%1</Details>
 			</Rule>
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor User Default File Associations" groupRelation="and">
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor User Default File Associations" groupRelation="and">
 				<TargetObject condition="begin with">HKCU\Software\Classes\</TargetObject>
 				<TargetObject condition="end with">\shell\open\command\(Default)</TargetObject>
 				<Details condition="contains">%1</Details>
 			</Rule>
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,Level=0,Desc=Monitor COM Hijacking" groupRelation="and">
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor COM Hijacking" groupRelation="and">
 				<TargetObject condition="end with">\shell\open\command\DelegateExecute</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Accessibility Features-->
-			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,Level=3,Alert=Utilman Priv Escalation,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Utilman Priv Escalation,Risk=100" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe</TargetObject>
 			</Rule>
-			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,Level=3,Alert=sethc.exe Priv Escalation,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=sethc.exe Priv Escalation,Risk=100" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
 			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=KnownDLLs" condition="contains">Session Manager\KnownDlls</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=KnownDLLs" condition="contains">Session Manager\KnownDlls</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Outlook Addins" groupRelation="and">
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft Outlook Addins" groupRelation="and">
 				<TargetObject condition="contains">Outlook\Addins</TargetObject>
 			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Word Addins" groupRelation="and">
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft Word Addins" groupRelation="and">
 				<TargetObject condition="contains">Word\Addins</TargetObject>
 			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Excel Addins" groupRelation="and">
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft Excel Addins" groupRelation="and">
 				<TargetObject condition="contains">Excel\Addins</TargetObject>
 			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft Powerpoint Addins" groupRelation="and">
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft Powerpoint Addins" groupRelation="and">
 				<TargetObject condition="contains">Powerpoint\Addins</TargetObject>
 			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft VSTO Inclusions" groupRelation="and">
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft VSTO Inclusions" groupRelation="and">
 				<TargetObject condition="contains">Software\Microsoft\VSTO\Security\Inclusion\</TargetObject>
 			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=0,Desc=Microsoft VSTO Solution Metadata" groupRelation="and">
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft VSTO Solution Metadata" groupRelation="and">
 				<TargetObject condition="contains">Software\Microsoft\VSTO\SolutionMetadata\</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
@@ -4756,77 +4759,77 @@
 
 			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
 			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,Level=0,Desc=CMSTPLUA UAC Bypass" groupRelation="and">
+			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CMSTPLUA UAC Bypass" groupRelation="and">
 				<TargetObject condition="contains any">cmmgr32.exe</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=3,Alert=AutoRun Keys,Risk=70" condition="contains">UserInitMprLogonScript</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=BootVerificationProgram Autorun" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="contains">UserInitMprLogonScript</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=BootVerificationProgram Autorun" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Security Support Provider-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor OS Config LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor OS Config LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor OS Config LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor OS Config LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor OS Config LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor OS Config LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
 			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
 			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
 			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
 			<!--Microsoft:Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
-			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,Level=3,Alert=Suspicious Com Object Hijacking Locations,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Suspicious Com Object Hijacking Locations,Risk=30" groupRelation="and">
 				<TargetObject condition="contains any">\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)</TargetObject>
 				<Details condition="contains any">C:\Users\Public\;$Recyclebin;\temp\;\Desktop\;\Downloads\;\Content.Outlook\;\Microsoft\Office\</Details>
 				<Details condition="excludes">C:\WINDOWS\SYSTEM32\UpdateDeploy.dll</Details>
 			</Rule>
-			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,Level=1,Desc=Com Object Hijacking Locations,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Com Object Hijacking Locations,Risk=30" groupRelation="and">
 				<TargetObject condition="contains any">\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)</TargetObject>
 				<Details condition="excludes">C:\WINDOWS\SYSTEM32\UpdateDeploy.dll</Details>
 			</Rule>
-			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,Level=1,Desc=TreatAs/ProgID Friendly Name Com Hijacking Evasion - check for following rundll32 -sta,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=TreatAs/ProgID Friendly Name Com Hijacking Evasion - check for following rundll32 -sta,Risk=30" groupRelation="and">
 				<TargetObject condition="contains any">\ProgID\(Default);\TreatAs\(Default)</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Image File Execution Options Injection-->
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,Level=1,Alert=Image File Execution Options,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Alert=Image File Execution Options,Risk=30" groupRelation="and">
 				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject>
 				<TargetObject condition="contains any">Debugger;ReportingMode;MonitorProcess</TargetObject>
 			</Rule>
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,Level=0,Alert=SilentProcessExit Globalflag Set,Risk=75" groupRelation="and">
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=SilentProcessExit Globalflag Set,Risk=75" groupRelation="and">
 				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject>
 				<TargetObject condition="contains">GlobalFlag</TargetObject>
 				<Details condition="contains">DWORD (0x00000200)</Details> <!--SilentProcessExit Dword Value-->
 			</Rule>
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Alert=SilentProcessExit Process Execution entry,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=SilentProcessExit Process Execution entry,Risk=100" groupRelation="and">
 				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</TargetObject>
 				<TargetObject condition="contains">MonitorProcess</TargetObject> <!--SilentProcessExit Monitor Process from werfault-->
 			</Rule>
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Alert=SilentProcessExit Reporting Mode Enabled - Check for Child processes of werfault.exe,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=SilentProcessExit Reporting Mode Enabled,Risk=100" groupRelation="and">
 				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</TargetObject>
 				<TargetObject condition="contains">ReportingMode</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details> <!--SilentProcessExit Reporting Mode Enabled-->
 			</Rule>
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,Level=0,Alert=SilentProcessExit Process Added,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=SilentProcessExit Process Added,Risk=100" groupRelation="and">
 				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit</TargetObject>
 				<EventType condition="is">CreateKey</EventType>
 			</Rule>
-			<Rule name="Attack=T1546,Technique=Event Triggered Execution,Tactic=Persistence,Level=3,Alert=Monitor Runtime Exception Handler execution on crash,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1546,Technique=Event Triggered Execution,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Monitor Runtime Exception Handler execution on crash,Risk=100" groupRelation="and">
 				<TargetObject condition="contains">\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules\</TargetObject>
 				<Image condition="excludes all">C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{;}\EDGEMITMP_;.tmp\setup.exe</Image>
 				<Image condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image>
@@ -4838,7 +4841,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
 			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,Level=3,Alert=New Scheduled Task Created,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=New Scheduled Task Created,Risk=80" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
 				<TargetObject condition="end with">SD</TargetObject>
 				<TargetObject condition="is not">Microsoft\Windows\UpdateOrchestrator</TargetObject>
@@ -4852,52 +4855,52 @@
 				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Automatic Updates 2.0\SD</TargetObject>
 				<TargetObject condition="excludes">Microsoft\Windows\UpdateOrchestrator</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Scheduled Task Creation ID Key" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Creation ID Key" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
 				<TargetObject condition="end with">ID</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Scheduled Task Creation Author Key" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Creation Author Key" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
 				<TargetObject condition="end with">Author</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Scheduled Task Creation Path Key" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Creation Path Key" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
 				<TargetObject condition="end with">Path</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Scheduled Task Creation Date Key" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Creation Date Key" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
 				<TargetObject condition="end with">Date</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Scheduled Task Added to Logon" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Added to Logon" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Scheduled Task Added to Boot Time" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Added to Boot Time" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
 
 			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
-			<Rule name="Attack=T0000,Technique=Environment Value Modification,Tactic=Defense Evasion/Privilege Escalation,Level=0,Desc=Environment Value Modification" groupRelation="and">
+			<Rule name="Attack=T0000,Technique=Environment Value Modification,Tactic=Defense Evasion/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Environment Value Modification" groupRelation="and">
 				<EventType condition="is">SetValue</EventType>
 				<TargetObject condition="contains">\Environment\</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
 			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism: Bypass User Account Control-->
-			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,Level=4,Alert=UAC Disablement Detected" groupRelation="and">
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=UAC Disablement Detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
-			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,Level=4,Alert=ConsentPromptBehaviorAdmin Disablement Detected" groupRelation="and">
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=ConsentPromptBehaviorAdmin Disablement Detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
-			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,Level=4,Alert=PromptOnSecureDesktop Disablement Detected" groupRelation="and">
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=PromptOnSecureDesktop Disablement Detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect UAC Tampering" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
-			<TargetObject name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe</TargetObject>
-			<TargetObject name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">exefile\shell\runas\command\isolatedCommand</TargetObject>			
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect UAC Tampering" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
+			<TargetObject name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe</TargetObject>
+			<TargetObject name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">exefile\shell\runas\command\isolatedCommand</TargetObject>			
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
 			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
@@ -4910,26 +4913,26 @@
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
 			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
 			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
-			<Rule name="Attack=T1564.002,Technique=Hide Artifacts: Hidden Users,Tactic=Defense Evasion,Level=4,Alert=User Account Hidden From Logon Screen,Risk=100" groupRelation="and">
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
+			<Rule name="Attack=T1564.002,Technique=Hide Artifacts: Hidden Users,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=User Account Hidden From Logon Screen,Risk=100" groupRelation="and">
 				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\</TargetObject>
 				<TargetObject condition="end with">$</TargetObject>
  				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
-			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,Level=4,Alert=Stealth Sysmon Change Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Stealth Sysmon Change Detected,Risk=100" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters</TargetObject>
 				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
 				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
 				<Image condition="excludes">C:\Programdata\sysmon\sysmon64.exe</Image>
 				<!--Customize: Add your configuration directory above-->
 			</Rule>
-			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Modification to System Exploit Protection,Risk=30" groupRelation="and">
+			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Modification to System Exploit Protection,Risk=30" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel</TargetObject>
 				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
 			</Rule>
-			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Modification to Per-Process Exploit Protection,Risk=30" groupRelation="and">
+			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Modification to Per-Process Exploit Protection,Risk=30" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
 				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
 				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmcompute.exe\0\MitigationOptions</TargetObject>
@@ -4937,135 +4940,135 @@
 				<Image condition="excludes">msiexec.exe</Image>
 				<Image condition="excludes">TiWorker.exe</Image>
 			</Rule>
-			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Modification to WOW64 Per-Process Exploit Protection Mitigation Options,Risk=30" groupRelation="and">
+			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Modification to WOW64 Per-Process Exploit Protection Mitigation Options,Risk=30" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
 				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
 				<Image condition="excludes">C:\Program Files\Microsoft Office 15\root\integration\integrator.exe</Image>
 				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acro</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Task Manager Disablement Detection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Task Manager Disablement Detection" groupRelation="and">
 				<TargetObject condition="end with">DisableTaskMgr</TargetObject>
 				<Image condition="excludes">C:\WINDOWS\system32\svchost.exe</Image>
 				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,Level=4,Alert=Driver Altitude Change Detected - Causes Driver load failure on boot" groupRelation="and">
+			<Rule name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Driver Altitude Change Detected - Causes Driver load failure on boot" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\</TargetObject>
 				<TargetObject condition="contains all">\Instances\;Altitude</TargetObject>
 				<TargetObject condition="is not">HKLM\System\CurrentControlSet\Services\CldFlt\Instances\CldFlt\Altitude</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
 			<!--Detect Malware & Unauthorized Changes to Outlook, Excel, Powerpoint, and Access Security to enable execution of scripts/Macros -->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=4,Alert=All Office Macros Enabled!,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=All Office Macros Enabled!,Risk=100" groupRelation="and">
 				<TargetObject condition="contains">\Security\Level</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=1,Desc=Notifications for all macros,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Notifications for all macros,Risk=50" groupRelation="and">
 				<TargetObject condition="contains">\Security\Level</TargetObject>
 				<Details condition="contains">DWORD (0x00000002)</Details>
 			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=Notifications for digitally signed macros - all other macros disabled,Risk=0" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Notifications for digitally signed macros - all other macros disabled,Risk=0" groupRelation="and">
 				<TargetObject condition="contains">\Security\Level</TargetObject>
 				<Details condition="contains">DWORD (0x00000003)</Details>
 			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=0,Desc=All Office Macros Disabled without notification,Risk=0" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=All Office Macros Disabled without notification,Risk=0" groupRelation="and">
 				<TargetObject condition="contains">\Security\Level</TargetObject>
 				<Details condition="contains">DWORD (0x00000004)</Details>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Outlook Security Changes" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Outlook Security Changes" groupRelation="and">
 				<TargetObject condition="contains">\Outlook\Security</TargetObject>
 				<!--Allow Outlook Details rules to fire-->
 				<TargetObject condition="excludes">\Security\Level</TargetObject>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Word Security Changes" condition="contains">\Word\Security</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Excel Security Changes" condition="contains">\Excel\Security</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected Unauthorized changes to Office Security" condition="contains">\Security\Level1Remove</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Microsoft:Windows:Security Center: HideSCAHealth" condition="end with">\HideSCAHealth</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center AV Disabled Notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center Disable UAC Notify Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center Disablement of Update notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center Firewall Override Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Security Center Tampering: All Alerts Disabled" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPSessionInterval</TargetObject>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SystemRestorePointCreationFrequency</TargetObject>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Detected disablement of machine password,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor Secure Channel Protection changes,Risk=30" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Refuse PW Change for workstations" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Defender AntiSpyware Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Defender Behavior Monitoring Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Defender Real Time Protection Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Defender Spynet Reporting Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Word Security Changes" condition="contains">\Word\Security</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Excel Security Changes" condition="contains">\Excel\Security</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected Unauthorized changes to Office Security" condition="contains">\Security\Level1Remove</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft:Windows:Security Center: HideSCAHealth" condition="end with">\HideSCAHealth</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center AV Disabled Notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disable UAC Notify Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disablement of Update notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Firewall Override Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Tampering: All Alerts Disabled" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPSessionInterval</TargetObject>
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SystemRestorePointCreationFrequency</TargetObject>
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected disablement of machine password,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Secure Channel Protection changes,Risk=30" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Refuse PW Change for workstations" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender AntiSpyware Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender Behavior Monitoring Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender Real Time Protection Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender Spynet Reporting Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable Windows Event Logging-->
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Windows Event Log Source,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Disabling of Windows Event Log Source,Risk=100" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
 				<TargetObject condition="end with">\Enabled</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=0,Desc=Enabling of Windows Event Log Source" groupRelation="and">
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Enabling of Windows Event Log Source" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
 				<TargetObject condition="end with">\Enabled</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=0,Desc=Detect Event log system integrity and ACL Modifications" groupRelation="and">
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Event log system integrity and ACL Modifications" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
 				<TargetObject condition="excludes">\Enabled</TargetObject>
 			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Change Winevt Event Access Permission Via Registry,Author=frack113" groupRelation="and">
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Change Winevt Event Access Permission Via Registry,Author=frack113" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\</TargetObject>
 				<TargetObject condition="end with">\ChannelAccess</TargetObject>
 				<Details condition="contains any">(A;;0x1;;;SY);(A;;0x5;;;BA);(A;;0x1;;;LA)</Details>
 				<Image condition="excludes any">C:\Windows\servicing\TrustedInstaller.exe;\TiWorker.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging</TargetObject>
 				<TargetObject condition="end with">\EnableScriptBlockLogging</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging</TargetObject>
 				<TargetObject condition="end with">\EnableScriptBlockLogging</TargetObject>
 				<EventType condition="is any">DeleteKey;DeleteValue</EventType>
 			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of cmdline Event Logging,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Disabling of cmdline Event Logging,Risk=100" groupRelation="and">
 				<TargetObject condition="begin with">hklm\software\microsoft\windows\currentversion\policies\system\audit</TargetObject>
 				<TargetObject condition="end with">\ProcessCreationIncludeCmdLine_Enabled</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Disabling of cmdline Event Logging,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Disabling of cmdline Event Logging,Risk=100" groupRelation="and">
 				<TargetObject condition="begin with">hklm\software\microsoft\windows\currentversion\policies\system\audit</TargetObject>
 				<TargetObject condition="end with">\ProcessCreationIncludeCmdLine_Enabled</TargetObject>
 				<EventType condition="is any">DeleteKey;DeleteValue</EventType>
 			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Eventlog Security Descriptor Modification,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Eventlog Security Descriptor Modification,Risk=100" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\Eventlog</TargetObject>
 				<TargetObject condition="end with">\CustomSD</TargetObject>
 			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=0,Desc=Eventlog Size Modification,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Eventlog Size Modification,Risk=100" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\Eventlog</TargetObject>
 				<TargetObject condition="end with">\MaxSize</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Globally Opened Firewall port exceptions" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Globally Opened Firewall port exceptions" groupRelation="and">
 				<TargetObject condition="contains">globallyopenports</TargetObject>
 			</Rule>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,Level=0,Desc=Monitor Firewall Enablement or Disablement" condition="end with">EnableFirewall</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=App added to Firewall Auth list" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Firewall Enablement or Disablement" condition="end with">EnableFirewall</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=App added to Firewall Auth list" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
 
 			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=ETWEnabled Env Tampering,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=ETWEnabled Env Tampering,Risk=70" groupRelation="and">
 				<TargetObject condition="contains">\Microsoft\.NETFramework\ETWEnabled</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=Usagelog Tampering,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Usagelog Tampering,Risk=70" groupRelation="and">
 				<TargetObject condition="contains">\Microsoft\.NETFramework\NGenAssemblyUsageLog</TargetObject>
 			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=Usagelog Env Tampering,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Usagelog Env Tampering,Risk=70" groupRelation="and">
 				<EventType condition="is">SetValue</EventType>
 				<TargetObject condition="contains">\Environment\NGenAssemblyUsageLog</TargetObject>
 			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,Level=3,Alert=COMPlus_ETWEnabled Env Tampering,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=COMPlus_ETWEnabled Env Tampering,Risk=70" groupRelation="and">
 				<EventType condition="is">SetValue</EventType>
 				<TargetObject condition="contains">\Environment\COMPlus_ETWEnabled</TargetObject>
 			</Rule>
@@ -5077,20 +5080,20 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,Forensic=Regedit history Detection,Risk=30" groupRelation="and">
 				<TargetObject condition="end with">\LastKey</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Symbolic Registry Link Created" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Symbolic Registry Link Created" groupRelation="and">
 				<TargetObject condition="contains">SymbolicLinkValue</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Location Registry Change Detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Location Registry Change Detected" groupRelation="and">
 				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer</TargetObject>
 				<Image condition="contains any">\AppData\;\ProgramData\;\Temp\;C:\users</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Right to Left hidden Registry key,Risk=40" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Right to Left hidden Registry key,Risk=40" groupRelation="and">
 				<TargetObject condition="contains">&#x202e;</TargetObject>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor Remote Registry Setting Keys" condition="begin with">HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Remote Registry Setting Keys" condition="begin with">HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg</TargetObject>
 
 			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect System Certificate Modifications" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect System Certificate Modifications" groupRelation="and">
 				<TargetObject condition="contains any">\Software\Policies\Microsoft\SystemCertificates\;\SOFTWARE\Microsoft\EnterpriseCertificates\;HKLM\SOFTWARE\Microsoft\SystemCertificates\;HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
 				<EventType condition="is not">CreateKey</EventType>
 				<Image condition="excludes">C:\WINDOWS\Sysmon64.exe</Image>
@@ -5107,16 +5110,16 @@
 				<Image condition="excludes">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</Image>
 				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe</Image>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Desktop fDenyTSConnections modification" condition="contains">fDenyTSConnections</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Desktop Settings keys" condition="contains">Terminal Server\WinStations\RDP-Tcp</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Desktop port modification" condition="end with">RDP-tcp\PortNumber</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Enablement of Multiple RDP Sessions" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Remote Desktop fDenyTSConnections modification" condition="contains">fDenyTSConnections</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Remote Desktop Settings keys" condition="contains">Terminal Server\WinStations\RDP-Tcp</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Remote Desktop port modification" condition="end with">RDP-tcp\PortNumber</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Enablement of Multiple RDP Sessions" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
 			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Unicode Replacement Character in Registry key,Risk=20" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Unicode Replacement Character in Registry key,Risk=20" groupRelation="and">
 				<TargetObject condition="contains">&#xfffd;</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Cryillic Character in Registry key,Risk=100" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Cryillic Character in Registry key,Risk=100" groupRelation="and">
 				<TargetObject condition="contains any">Й;ќ;Л;я;К</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
@@ -5125,7 +5128,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
 			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
 			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
-			<TargetObject name="Attack=T1109,Technique=Component Firmware,Tactic=Defense Escalation/Persistence,Level=0,Desc=Detect ACPI Rootkits" condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject>
+			<TargetObject name="Attack=T1109,Technique=Component Firmware,Tactic=Defense Escalation/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect ACPI Rootkits" condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
@@ -5167,17 +5170,17 @@
 			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\MAPI Provider</TargetObject>
 			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 User</TargetObject>
 			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP User</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Credentials in Registry,Level=4,Alert=Credentials in Registry: Password,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Desc=Credentials in Registry,Level=0,Desc=Credentials in Registry: Domain" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Desc=Credentials in Registry,Level=0,Desc=Credentials in Registry: Username" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 1,Risk=70" condition="contains">SecurityPasswordAES</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 2,Risk=70" condition="contains">OptionsPasswordAES</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 3,Risk=70" condition="contains">SecurityPasswordExported</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Level=4,Alert=Teamviewer Password Exposed in Plain Text 4,Risk=70" condition="contains">PermanentPassword</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP Password</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP Password</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 Password</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP Password</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Desc=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Credentials in Registry: Domain" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Desc=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Credentials in Registry: Username" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 1,Risk=70" condition="contains">SecurityPasswordAES</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 2,Risk=70" condition="contains">OptionsPasswordAES</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 3,Risk=70" condition="contains">SecurityPasswordExported</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 4,Risk=70" condition="contains">PermanentPassword</TargetObject>
 			<!--MITRE ATT&CK TACTIC: Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
 			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
@@ -5250,7 +5253,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
 			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Git For Windows Detection: Revil: Sodinokibi,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Git For Windows Detection: Revil: Sodinokibi,Risk=50" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\GitForWindows</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
@@ -5275,7 +5278,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
 			<!--MITRE ATT&CK TACTIC: Impact-->
 			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
-			<Rule name="Attack=T1531,Technique=Account Access Removal,Tactic=Impact,Level=1,Desc=User Account Deleted" groupRelation="and">
+			<Rule name="Attack=T1531,Technique=Account Access Removal,Tactic=Impact,DS=Windows Registry: Windows Registry Key Deletion,Level=1,Desc=User Account Deleted" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
 				<EventType condition="is">DeleteKey</EventType>
 			</Rule>
@@ -5287,7 +5290,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
 			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
 			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
-			<Rule name="Attack=T1485,Technique=Inhibit System Recovery,Tactic=Impact,Level=0,Desc=VSS Disablement Detection,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Inhibit System Recovery,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=VSS Disablement Detection,Risk=70" groupRelation="and">
 				<TargetObject condition="contains">\Services\VSS\Diag\(Default)</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
@@ -5295,35 +5298,35 @@
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<!-- UEBA/Uncategorized Detections-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Lanmanserver Parameters Registry Change Detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lanmanserver Parameters Registry Change Detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Lanmanworkstation Parameters Registry Change Detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lanmanworkstation Parameters Registry Change Detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters</TargetObject>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Forensic=Regedit history Detection,Risk=30" groupRelation="and">
 				<TargetObject condition="end with">\LastKey</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=TS Farm Disable RDP Detection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=TS Farm Disable RDP Detection" groupRelation="and">
 				<TargetObject condition="end with">\WinStationsDisabled</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=TS Farm Drain Mode Modification Detection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=TS Farm Drain Mode Modification Detection" groupRelation="and">
 				<TargetObject condition="end with">\TSServerDrainMode</TargetObject>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Forensic=IE history Detection" groupRelation="and">
 				<TargetObject condition="end with">\TypedURLs</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IPv6 Changes detected: Disabled Components" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IPv6 Changes detected: Disabled Components" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\disabledcomponents</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IPv6 Changes detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IPv6 Changes detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Linkage\Bind</TargetObject>
 				<Details condition="excludes">Binary Data</Details>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Network Card Changes detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Network Card Changes detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Service Listening Ports with URL ACL INFO" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Service Listening Ports with URL ACL INFO" groupRelation="and">
 				<TargetObject condition="contains">services\http\parameters\urlaclinf</TargetObject>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,Forensic=Adobe Recent File List History" groupRelation="and">
@@ -5333,236 +5336,236 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,Forensic=Office History MRU" groupRelation="and">
 				<TargetObject condition="end with">\File MRU\Item 1</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Sysmon Config Hash Modification Monitoring" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Sysmon Config Hash Modification Monitoring" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHash</TargetObject>
 			</Rule>
 			<!--Common Malware Persistence locations-->
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Windows\Load</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Windows\Run</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Winlogon\Shell</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Winlogon\System</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			<TargetObject name="Attack=T1562.006,Technique=Impair Defenses: Indicator Blocking,Tactic=Defense Evasion,Level=0,Desc=ETW Tampering,Risk=70" condition="end with">SOFTWARE\Microsoft\.NETFramework\ETWEnabled</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Windows\Load</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Windows\Run</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Winlogon\Shell</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Winlogon\System</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			<TargetObject name="Attack=T1562.006,Technique=Impair Defenses: Indicator Blocking,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=ETW Tampering,Risk=70" condition="end with">SOFTWARE\Microsoft\.NETFramework\ETWEnabled</TargetObject>
 			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Level=2,Alert=AutoRun Keys,Risk=70" condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Alternate Shell AvailableShells Hijack" condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Alternative Shell Policy" condition="contains">Policies\System\Shell</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AutoStart on Connect" condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AutoStart on Disconnect" condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Chrome Extensions" condition="contains">PreferenceMACs\Default\extensions.settings</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CurrentVersion URL Key" condition="contains">CurrentVersion\URL</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Font Drivers" condition="end with">\CurrentVersion\Font Drivers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Group Policy Shutdown scripts" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Icon Service Lib" condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="contains">NullSessionShares</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="end with">NullSessionPipes</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Password Expiry Info" condition="contains">PasswordExpiryNotification</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Safeboot Alternative Shell hijack" condition="contains">SafeBoot\AlternateShell</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Screen Save on Desktop" condition="contains">Desktop\Scrnsave.exe</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Software Installed or DisplayVersion modified" condition="end with">\DisplayVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Software Installed or Modify String modified" condition="end with">\ModifyPath</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Software Installed or Uninstall String modified" condition="contains">\Microsoft\Windows\CurrentVersion\Uninstall\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Software Installed or Uninstall String modified" condition="end with">\UninstallString</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Terminal Services Initial Program Key" condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Winlogon Taskman Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=2,Alert=AutoRun Keys,Risk=70" condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Alternate Shell AvailableShells Hijack" condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Alternative Shell Policy" condition="contains">Policies\System\Shell</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AutoStart on Connect" condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AutoStart on Disconnect" condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Chrome Extensions" condition="contains">PreferenceMACs\Default\extensions.settings</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CurrentVersion URL Key" condition="contains">CurrentVersion\URL</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Font Drivers" condition="end with">\CurrentVersion\Font Drivers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Group Policy Shutdown scripts" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Icon Service Lib" condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="contains">NullSessionShares</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="end with">NullSessionPipes</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Password Expiry Info" condition="contains">PasswordExpiryNotification</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Safeboot Alternative Shell hijack" condition="contains">SafeBoot\AlternateShell</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Screen Save on Desktop" condition="contains">Desktop\Scrnsave.exe</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or DisplayVersion modified" condition="end with">\DisplayVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or Modify String modified" condition="end with">\ModifyPath</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or Uninstall String modified" condition="contains">\Microsoft\Windows\CurrentVersion\Uninstall\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or Uninstall String modified" condition="end with">\UninstallString</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Terminal Services Initial Program Key" condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Winlogon Taskman Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
 			<!--CLSID launch commands and file association changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=File Extension Mapping" condition="contains">\Explorer\FileExts\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Command Shell install Key" condition="contains">\shell\install\command\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=File Extension Mapping" condition="contains">\Explorer\FileExts\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Command Shell install Key" condition="contains">\shell\install\command\</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=User SID History for Forensics" condition="end with">\ProfileImagePath</TargetObject>
 			<!--Windows shell hijack-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AllFileSystemObjects Classes" condition="contains">\Classes\AllFilesystemObjects\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Asterisk Classes" condition="contains">\Classes\*\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CFT LangBarAddin" condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=ContextMenuHandlers" condition="contains">\ContextMenuHandlers\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CurrentVersion Shell Keys" condition="contains">\CurrentVersion\Shell</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect ShellExecuteHooks" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Directory Classes" condition="contains">\Classes\Directory\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Drive Classes" condition="contains">\Classes\Drive\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Explorer Shell Execute Hooks" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Folder Classes" condition="contains">\Classes\Folder\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Hidden File Extensions Explorer Setting modification" condition="end with">\HideFileExt</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Internet Explorer Desktop Components" condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Protocol Filter Classes" condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Protocol Handler Classes" condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SharedTaskScheduler" condition="contains">\SharedTaskScheduler</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Super Hidden File Explorer Setting modification" condition="end with">\ShowSuperHidden</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Hijack: ColumnHandlers" condition="contains">\ColumnHandlers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Hijack: CopyHookHandlers" condition="contains">\CopyHookHandlers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Hijack: ExtShellFolderView" condition="contains">\ExtShellFolderViews</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Hijack: PropertySheetHandlers" condition="contains">\PropertySheetHandlers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Hijack: ShellServiceObjectDelayLoad" condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Shell Hijack: ShellServiceObjects" condition="contains">\ShellServiceObjects</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AllFileSystemObjects Classes" condition="contains">\Classes\AllFilesystemObjects\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Asterisk Classes" condition="contains">\Classes\*\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CFT LangBarAddin" condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=ContextMenuHandlers" condition="contains">\ContextMenuHandlers\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CurrentVersion Shell Keys" condition="contains">\CurrentVersion\Shell</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect ShellExecuteHooks" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Directory Classes" condition="contains">\Classes\Directory\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Drive Classes" condition="contains">\Classes\Drive\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Explorer Shell Execute Hooks" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Folder Classes" condition="contains">\Classes\Folder\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Hidden File Extensions Explorer Setting modification" condition="end with">\HideFileExt</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Internet Explorer Desktop Components" condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Protocol Filter Classes" condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Protocol Handler Classes" condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=SharedTaskScheduler" condition="contains">\SharedTaskScheduler</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Super Hidden File Explorer Setting modification" condition="end with">\ShowSuperHidden</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ColumnHandlers" condition="contains">\ColumnHandlers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: CopyHookHandlers" condition="contains">\CopyHookHandlers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ExtShellFolderView" condition="contains">\ExtShellFolderViews</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: PropertySheetHandlers" condition="contains">\PropertySheetHandlers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ShellServiceObjectDelayLoad" condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ShellServiceObjects" condition="contains">\ShellServiceObjects</TargetObject>
 			<!--AppPaths hijacking-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject>
 			<!--Terminal service boobytraps-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Terminal Services BoobyTraps" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Terminal Services BoobyTraps" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
 			<!--Group Policy interity-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Group Policy interity Detection" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Group Policy interity Detection" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject>
 			<!--Winsock and Winsock2-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect IE Popup Blocker Changes" condition="end with">\3\1809</TargetObject> 
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect IE Protected Mode Changes" condition="end with">\3\2500</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect IE Scripting Mode in Internet Zone Changes" condition="end with">\3\1206</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect IE Security Setting Check Warning Changes" condition="end with">\DisableSecuritySettingsCheck</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Winsock Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Winsock Proxy Server Changes" condition="end with">\ProxyServer</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected IE Legacy setting modifications" condition="end with">SavedLegacySettings</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected IE Proxy setting modifications" condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected Modifications of Console Tracing" condition="end with">EnableConsoleTracing</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detected Modifications of File Tracing" condition="end with">EnableFileTracing</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Popup Blocker Changes" condition="end with">\3\1809</TargetObject> 
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Protected Mode Changes" condition="end with">\3\2500</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Scripting Mode in Internet Zone Changes" condition="end with">\3\1206</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Security Setting Check Warning Changes" condition="end with">\DisableSecuritySettingsCheck</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Proxy Server Changes" condition="end with">\ProxyServer</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected IE Legacy setting modifications" condition="end with">SavedLegacySettings</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected IE Proxy setting modifications" condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected Modifications of Console Tracing" condition="end with">EnableConsoleTracing</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected Modifications of File Tracing" condition="end with">EnableFileTracing</TargetObject>
 			<!--Credential providers-->
-			<TargetObject name="Attack=T1177,Tactic=Execution/Persistence,Technique=LSASS Driver,Level=3,Alert=Detection of Modification of LSASS Protection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Authentication PLAP Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Authentication Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Credential provider Filter Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect LSA Credential Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect NETSH Helper DLL Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Security Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject>
+			<TargetObject name="Attack=T1177,Tactic=Execution/Persistence,Technique=LSASS Driver,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Detection of Modification of LSASS Protection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Authentication PLAP Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Authentication Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Credential provider Filter Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect LSA Credential Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect NETSH Helper DLL Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Security Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject>
 			<!--Networking-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor Network Interface Priority ordering" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Network Interface Priority ordering" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Monitor Network History" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
 			<!--DLLs that get injected into every process launch-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
 			<!--Office-->
 			<!--Microsoft Office-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Test Autorun Location Monitoring,Risk=40,Author=Hexacorn" condition="contains">Office Test\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Test Autorun Location Monitoring,Risk=40,Author=Hexacorn" condition="contains">Office Test\</TargetObject>
 			<!--IE-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Changes to Internet Explorer Toolbars" condition="contains">\Internet Explorer\Toolbar\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Changes to Internet Explorer Extensions" condition="contains">\Internet Explorer\Extensions\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Changes to Internet Explorer Toolbars" condition="contains">\Internet Explorer\Toolbar\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Changes to Internet Explorer Extensions" condition="contains">\Internet Explorer\Extensions\</TargetObject>
 			<!--Magic registry keys-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Browser Helper Object Modifications" condition="contains">\Browser Helper Objects\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Changes to Thumbnail cache autostart" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Browser Helper Object Modifications" condition="contains">\Browser Helper Objects\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Changes to Thumbnail cache autostart" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject>
 			<!--Infection artifacts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=ClickOnce URL Update Artifact" condition="end with">\UrlUpdateInfo</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Installer Source Artifact" condition="end with">\InstallSource</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=ClickOnce URL Update Artifact" condition="end with">\UrlUpdateInfo</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Installer Source Artifact" condition="end with">\InstallSource</TargetObject>
 			<!--Windows internals integrity monitoring-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Legacy Drivers Loaded" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect System Policy Changes" condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Windows Defender Policy Changes" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Windows Defender Tamper Protection Modifications" condition="begin with">TamperProtection</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect malware changes to UAC prompt level" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Legacy Drivers Loaded" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect System Policy Changes" condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Windows Defender Policy Changes" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Windows Defender Tamper Protection Modifications" condition="begin with">TamperProtection</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect malware changes to UAC prompt level" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject>
 			<!--Group Policy Scripts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
 			<!--Detect Network History-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect AD Domain Change" condition="end with">Domain</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP Default Gateway" condition="end with">DHCPDefaultGateway</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP IP Address" condition="end with">DhcpIPAddress</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP Name Server Changes" condition="end with">DhcpNameserver</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP Server Change" condition="end with">Dhcpserver</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DHCP Subnet mask Change" condition="end with">DhcpSubnetMask</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect DNS Server Changes" condition="end with">Nameserver</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Default Gateway" condition="end with">\DefaultGateway</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Network Persistent Route Change" condition="end with">PersistentRoutes</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Network Type Change" condition="end with">}\Category</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Network profile Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect Subnet Mask Change" condition="end with">SubnetMask</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User added Macro document to Trusted Records,Risk=30" condition="contains">\Trusted Documents\TrustRecords</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User added Macro document to Trusted Records 2,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Common</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User added Macro trusted certificate,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Trusted</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Security Settings: Monitor changes of security prompts" condition="contains">\Security\DontTrustInstalledFiles</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Trusted Location Changes" condition="contains">\Security\Trusted Locations</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Keys: Monitor Disabling of Internet files in Protected View" condition="end with">Security\ProtectedView\DisableInternetFilesInPV</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Keys: Monitor Disabling of attackments in Protected View" condition="end with">Security\ProtectedView\DisableAttachmentsInPV</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Office Keys: Monitor Disabling of Unsafe Locations in Protected View" condition="end with">Security\ProtectedView\DisableUnsafeLocationsInPV</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AD Domain Change" condition="end with">Domain</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Default Gateway" condition="end with">DHCPDefaultGateway</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP IP Address" condition="end with">DhcpIPAddress</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Name Server Changes" condition="end with">DhcpNameserver</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Server Change" condition="end with">Dhcpserver</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Subnet mask Change" condition="end with">DhcpSubnetMask</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DNS Server Changes" condition="end with">Nameserver</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Default Gateway" condition="end with">\DefaultGateway</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Network Persistent Route Change" condition="end with">PersistentRoutes</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Network Type Change" condition="end with">}\Category</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Network profile Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Subnet Mask Change" condition="end with">SubnetMask</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User added Macro document to Trusted Records,Risk=30" condition="contains">\Trusted Documents\TrustRecords</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User added Macro document to Trusted Records 2,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Common</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User added Macro trusted certificate,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Trusted</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Security Settings: Monitor changes of security prompts" condition="contains">\Security\DontTrustInstalledFiles</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Trusted Location Changes" condition="contains">\Security\Trusted Locations</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Keys: Monitor Disabling of Internet files in Protected View" condition="end with">Security\ProtectedView\DisableInternetFilesInPV</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Keys: Monitor Disabling of attackments in Protected View" condition="end with">Security\ProtectedView\DisableAttachmentsInPV</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Keys: Monitor Disabling of Unsafe Locations in Protected View" condition="end with">Security\ProtectedView\DisableUnsafeLocationsInPV</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=WinRAR History" condition="contains">Software\WinRAR\ArcHistory</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Winzip History" condition="contains">WinZip\mru\</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Misc Recent File List History" condition="contains">Recent File List</TargetObject>
-			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Inbox</TargetObject>
-			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\Today\UserDefinedUrl</TargetObject>
-			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Level=3,Alert=Office Calendar Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Calendar</TargetObject>
+			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Inbox</TargetObject>
+			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\Today\UserDefinedUrl</TargetObject>
+			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Calendar Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Calendar</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Office History" condition="contains">\Place MRU</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVerVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache InvDB-Path" condition="end with">\LowerCaseLongPath</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache InvDB-Pub" condition="end with">\Publisher</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache InvDB-Store" condition="contains">Compatibility Assistant\Store\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache InvDB-Ver" condition="end with">\BinProductVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache Application Shortcuts" condition="contains">Root\InventoryApplicationShortcut\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache Driver Binary Info" condition="contains">Root\InventoryDriverBinary\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache Device Info" condition="contains">Root\InventoryDeviceContainer\</TargetObject>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache Application Installation Info" groupRelation="and">
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVerVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Path" condition="end with">\LowerCaseLongPath</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Pub" condition="end with">\Publisher</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Store" condition="contains">Compatibility Assistant\Store\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Ver" condition="end with">\BinProductVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Application Shortcuts" condition="contains">Root\InventoryApplicationShortcut\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Driver Binary Info" condition="contains">Root\InventoryDriverBinary\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Device Info" condition="contains">Root\InventoryDeviceContainer\</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Application Installation Info" groupRelation="and">
 				<TargetObject condition="contains">Root\InventoryApplication\</TargetObject>
 				<TargetObject condition="contains any">ProgramID;Name;Version;Publisher;Language;InstallDate;Source;RootDirPath;HiddenArp;UninstallString;RegistryKeyPath;UserSID;sha256</TargetObject>
 			</Rule>			
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache Application File Info" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Application File Info" groupRelation="and">
 				<TargetObject condition="contains">Root\InventoryApplicationFile\</TargetObject>
 				<TargetObject condition="contains any">ProgramId;FileId;LowerCaseLongPath;Name;OriginalFileName;Publisher;Version;binfileversion;LinkDate;Size;Language;USN;IsPeFile;IsOsComponent;sha256;AppxPackageFullName</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache AppV Application Inventory" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache AppV Application Inventory" groupRelation="and">
 				<TargetObject condition="contains">Root\InventoryApplicationAppV\</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AmCache Office Information" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Office Information" groupRelation="and">
 				<TargetObject condition="contains any">Root\InventoryMiscellaneousOfficeAddIn;Root\InventoryMiscellaneousOfficeIdentifiers;Root\InventoryMiscellaneousOfficeIESettings;Root\InventoryMiscellaneousOfficeInsights;Root\InventoryMiscellaneousOfficeProducts;Root\InventoryMiscellaneousOfficeSettings;Root\InventoryMiscellaneousOfficeVBA;Root\InventoryMiscellaneousOfficeVBARuleViolations</TargetObject>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=User Mount Points" condition="end with">\Explorer\MountPoints2</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Monitor DOS Devices Virtual Registry Paths" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices</TargetObject>
-			<Rule name="Attack=T1489,Technique=Service Stop,Tactic=Impact,Level=1,Desc=Service Set for Deletion" groupRelation="and">
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User Mount Points" condition="end with">\Explorer\MountPoints2</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor DOS Devices Virtual Registry Paths" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices</TargetObject>
+			<Rule name="Attack=T1489,Technique=Service Stop,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Service Set for Deletion" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\DeleteFlag</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
 			<!--Detect User Activity-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Detect Bluetooth Audio Capture" condition="contains">\ConsentStore\bluetooth</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Detect Contacts Accesses" condition="contains">\ConsentStore\contacts</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Detect Input Capture Accesses/Keyloggers" condition="contains">\ConsentStore\hunmanInterfaceDevice</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Detect Location Accesses" condition="contains">\ConsentStore\location</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Detect Microphone Accesses" condition="contains">\ConsentStore\microphone</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Detect USB Accesses" condition="contains">\ConsentStore\usb\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Detect Webcam Accesses" condition="contains">\ConsentStore\webcam</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Detect humanInterfaceDevice Accesses" condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Explorer Last Visited MRU" condition="contains">LastVisitedMRU</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=Regedit Applets" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Bluetooth Audio Capture" condition="contains">\ConsentStore\bluetooth</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Contacts Accesses" condition="contains">\ConsentStore\contacts</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Input Capture Accesses/Keyloggers" condition="contains">\ConsentStore\hunmanInterfaceDevice</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Location Accesses" condition="contains">\ConsentStore\location</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Microphone Accesses" condition="contains">\ConsentStore\microphone</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect USB Accesses" condition="contains">\ConsentStore\usb\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Webcam Accesses" condition="contains">\ConsentStore\webcam</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect humanInterfaceDevice Accesses" condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Explorer Last Visited MRU" condition="contains">LastVisitedMRU</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Regedit Applets" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Run MRU" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=USBStor USB Device History" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
-			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Level=4,Alert=Safeboot Service Added" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject>
-			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject>
-			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject>
-			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject>
-			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect: Dns Server dll injection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Detect: UAC Bypass" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> 
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=New Device Connected" condition="end with">\FriendlyName</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Providers notified by Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Proxy Autoconfig URL" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Shell Service Object Delay Load" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Windows Installer Engaged" condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Tracing Modifications,,Risk=30" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=USBStor USB Device History" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
+			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Safeboot Service Added" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject>
+			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject>
+			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject>
+			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject>
+			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect: Dns Server dll injection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect: UAC Bypass" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> 
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=New Device Connected" condition="end with">\FriendlyName</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Providers notified by Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Proxy Autoconfig URL" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Shell Service Object Delay Load" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Installer Engaged" condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Process Tracing Modifications,,Risk=30" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject>
 			<!-- NOTICE: Detect New USB Network Devices: Poison Tap: Creates lots of noise, disabled for now-->
 			<Rule name="Alert=Detect PoisonTap,FP=2,Comment=May be noisy" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
 				<Details condition="contains any">ndis;rndis</Details>
 			</Rule>
-			<TargetObject name="Attack=T1090,Technique=Connection Proxy,Tactic=Defense Evasion,Level=0,Desc=NetSH PortProxy Detected" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4</TargetObject>
+			<TargetObject name="Attack=T1090,Technique=Connection Proxy,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=NetSH PortProxy Detected" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4</TargetObject>
 			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Alert=Possible Ursniff Malware Detected,FP=1" groupRelation="and">
 				<TargetObject condition="contains">\Software\AppDataLow\Software\Microsoft\</TargetObject>
 				<Details condition="contains any">.exe;.dll;powershell;wmic</Details>
 			</Rule>
-			<TargetObject name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,Level=4,Alert=Office Persistence Location,Risk=70" condition="end with">Software\Microsoft\Office test\Special\Perf</TargetObject>
-			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\CurrentControlSet\Services\NTDS\LsaDbExtPt</TargetObject>
-			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\Services\NTDS\DirectoryServiceExtPt</TargetObject>
+			<TargetObject name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Office Persistence Location,Risk=70" condition="end with">Software\Microsoft\Office test\Special\Perf</TargetObject>
+			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\CurrentControlSet\Services\NTDS\LsaDbExtPt</TargetObject>
+			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\Services\NTDS\DirectoryServiceExtPt</TargetObject>
 			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=GoToMyPC File Transfer History,Risk=70" condition="contains">GoToMyPc\FileTransfer\history</TargetObject>
 			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=GoToMyPC Guest Invite,Risk=70" condition="contains">GoToMyPc\GuestInvite</TargetObject>
 			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=LogMeIn File Transfer Recipient" condition="contains">Filesharing</TargetObject>
@@ -5570,33 +5573,33 @@
 			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=Teamviewer LogIncomingConnections Registry Key modification" condition="contains">LogIncomingConnections</TargetObject>
 			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=Teamviewer LogOutgoingConnection Registry Key modification" condition="contains">LogOutgoingConnections</TargetObject>
 			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=Teamviewer Password Registry Key date" condition="contains">PermanentPasswordDate</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=4,Alert=Teamviewer adminrights Key modification,Risk=70" condition="contains">Security_Adminrights</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=3,Alert=VNC Incoming Connection History,Risk=70" condition="contains">vncviewer\MRU</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Autostart Key modification" condition="contains">Autostart_GUI</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Meeting Username Registry Key modification" condition="end with">Meeting_UserName</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Persistence Login Name" condition="end with">BuddyLoginName</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer Persistence Token ID modification" condition="end with">BuddyLoginTokenID</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Level=0,Desc=Teamviewer persistence Key modification" condition="contains">Always_Online</TargetObject>
-			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Potential Ransomware Indicator: EnableLinkedConnections Registry key,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\CurrentVersion\Policies\System\EnableLinkedConnections</TargetObject>
-			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,Level=4,Alert=Potential Ransomware Indicator: REvil Sodinokibi Sodin Ransomware,Risk=100" condition="contains">Software\recfg</TargetObject>
-			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Preload\</TargetObject>
-			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Substitutes\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\</TargetObject> 
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Crypto Keys" condition="end with">\Client\Enabled</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IIS Crypto Keys" condition="end with">\Server\Enabled</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer adminrights Key modification,Risk=70" condition="contains">Security_Adminrights</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=VNC Incoming Connection History,Risk=70" condition="contains">vncviewer\MRU</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Autostart Key modification" condition="contains">Autostart_GUI</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Meeting Username Registry Key modification" condition="end with">Meeting_UserName</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Persistence Login Name" condition="end with">BuddyLoginName</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Persistence Token ID modification" condition="end with">BuddyLoginTokenID</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer persistence Key modification" condition="contains">Always_Online</TargetObject>
+			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Potential Ransomware Indicator: EnableLinkedConnections Registry key,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\CurrentVersion\Policies\System\EnableLinkedConnections</TargetObject>
+			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Potential Ransomware Indicator: REvil Sodinokibi Sodin Ransomware,Risk=100" condition="contains">Software\recfg</TargetObject>
+			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Preload\</TargetObject>
+			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Substitutes\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\</TargetObject> 
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="end with">\Client\Enabled</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="end with">\Server\Enabled</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Kitty Sessions,Risk=30" condition="contains">Kitty\Sessions</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Putty Sessions,Risk=30" condition="contains">PuTTY\Sessions</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=RDP History,Risk=10" condition="contains">Terminal Server Client\Servers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=RDP History,Risk=10" condition="contains">Terminal Server Client\Servers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
 			<Rule name="Antivirus" groupRelation="or">
 				<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab</Image> 
 				<Image condition="begin with">C:\Program Files\Kaspersky Lab</Image>
@@ -5609,18 +5612,18 @@
 	<!--EVENT 15: "File stream created"-->
 	<RuleGroup name="RG=ADS Include Group" groupRelation="or">
 		<FileCreateStreamHash onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Interesting Files temp locations,Risk=10" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Metadata,Level=0,Desc=Interesting Files temp locations,Risk=10" groupRelation="and">
 				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
 				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.vbs;.hta</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=HTML_Smuggling,Risk=50" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Metadata,Level=4,Alert=HTML_Smuggling,Risk=50" groupRelation="and">
 				<TargetFilename condition="end with">:Zone.Identifier</TargetFilename>
 				<Contents condition="contains any">blob:;about:internet</Contents>
 			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=FireEye sunburst file hashes,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Metadata,Level=4,Alert=FireEye sunburst file hashes,Risk=100" groupRelation="and">
 				<Hash condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hash><!-- exclude non executable files -->
 			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Sept 2022 Exchange 0day DLL detection,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Metadata,Level=4,Alert=Sept 2022 Exchange 0day DLL detection,Risk=100" groupRelation="or">
 				<Hash condition="contains">SHA256=074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82</Hash><!--Exchange Zero Day Dropped DLL-->
 				<Hash condition="contains">SHA256=45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9</Hash><!--Exchange Zero Day Dropped DLL-->
 				<Hash condition="contains">SHA256=9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0</Hash><!--Exchange Zero Day Dropped DLL-->
@@ -5628,16 +5631,16 @@
 				<Hash condition="contains">SHA256=c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2</Hash><!--Exchange Zero Day Dropped DLL-->
 				<Hash condition="contains">SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e</Hash><!--Exchange Zero Day Dropped DLL-->
 			</Rule>
-			<Rule name="Attack=T1096,Technique=Alternate Data Streams,Tactic=Defense Evasion,Level=0,Desc=Alternate Data Streams,Risk=10" groupRelation="and">
+			<Rule name="Attack=T1096,Technique=Alternate Data Streams,Tactic=Defense Evasion,DS=File: File Metadata,Level=0,Desc=Alternate Data Streams,Risk=10" groupRelation="and">
 				<TargetFilename condition="contains any">Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonEnte Detection,Level=4,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=File: File Metadata,Level=4,Alert=SysmonEnte Detection,DS=File: File Metadata,Level=4,Risk=100" groupRelation="and">
 				<Hash condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hash>
 			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SysmonQuiet Detection,Level=4,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=File: File Metadata,Level=4,Alert=SysmonQuiet Detection,DS=File: File Metadata,Level=4,Risk=100" groupRelation="and">
 				<Hash condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hash>
 			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=SharpEvtMute Detection,Level=4,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=File: File Metadata,Level=4,Alert=SharpEvtMute Detection,DS=File: File Metadata,Level=4,Risk=100" groupRelation="and">
 				<Hash condition="contains">IMPHASH=330768a4f172e10acb6287b87289d83b</Hash>
 			</Rule>
 		</FileCreateStreamHash>
@@ -5665,60 +5668,60 @@
 	<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
 	<RuleGroup name="RG=PipeEvent Include Group" groupRelation="or">
 		<PipeEvent onmatch="include">
-			<Rule name="Attack=T1071,Technique=Application Layer Protocol,Tactic=Command and Control,Level=4,Alert=Cobalt Strike named pipe detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1071,Technique=Application Layer Protocol,Tactic=Command and Control,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Cobalt Strike named pipe detected,Risk=100" groupRelation="and">
 				<PipeName condition="contains any">msagent_;\MSSE-;postex;\status_</PipeName>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=NA,Level=4,Alert=Turla Advanced Persistent Threat Named Pipe Detection,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=NA,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Turla Advanced Persistent Threat Named Pipe Detection,Risk=100" groupRelation="and">
 				<PipeName condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
 			</Rule>
-			<Rule name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,Level=4,Alert=lateral movement: psexec named pipe detected" groupRelation="or">
+			<Rule name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=lateral movement: psexec named pipe detected" groupRelation="or">
 				<PipeName condition="contains">\PSEXESVC</PipeName>
 				<PipeName condition="end with">-stdin</PipeName>
 				<PipeName condition="end with">-stdout</PipeName>
 			</Rule>
-			<Rule name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,Level=4,Alert=Impacket PSExec.py Named Pipe Detected" groupRelation="and">
+			<Rule name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Impacket PSExec.py Named Pipe Detected" groupRelation="and">
 				<PipeName condition="contains">RemCom_</PipeName>
 				<PipeName condition="contains any">stdin;stdout;stderr;communication</PipeName>
 			</Rule>
-			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=MS-SCMR Execution" groupRelation="or">
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Named Pipe: Named Pipe Metadata,Level=3,Alert=MS-SCMR Execution" groupRelation="or">
 				<PipeName condition="contains">\svcctl</PipeName>
 			</Rule>
-			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,Level=3,Alert=NTSVCS Execution" groupRelation="or">
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Named Pipe: Named Pipe Metadata,Level=3,Alert=NTSVCS Execution" groupRelation="or">
 				<PipeName condition="contains">\ntsvcs</PipeName>
 				<EventType condition="is">ConnectPipe</EventType>
 			</Rule>
-			<PipeName name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" condition="contains any">\lsadump;\cachedump;\wceservicepipe</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=9f81f59bc58452127884ce513865ed20 Named Pipe Detection,Risk=100" condition="contains">\9f81f59bc58452127884ce513865ed20</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=46a676ab7f179e511e30dd2dc41bd388 Named Pipe Detection,Risk=100" condition="contains">\46a676ab7f179e511e30dd2dc41bd388</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Kekeo Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">tssmp_endpoint</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=NamePipe_MoreWindows Named Pipe Detection,Risk=100,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\NamePipe_MoreWindows</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=WCEServicePipe detected,Risk=,Author=@Cyb3rops/@olafhartong" condition="contains">\WCEServicePipe</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=ahexec Named Pipe Detection,Risk=,Author=@Cyb3rops/@olafhartong" condition="contains">\ahexec</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=cachedump detected,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\cachedumppipe</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=csexec Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\csexec</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=e710f28d59aa529d6792ca6ff0ca1b34 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\e710f28d59aa529d6792ca6ff0ca1b34</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_dg2 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\isapi_dg</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\isapi_http</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\isapi_http</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=lsadump detected,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\lsadump</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=lsassw Named Pipe Detectio,Risk=10,Author=@Cyb3rops/@olafhartong" condition="contains">\lsassw</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=paexec Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\paexec</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=pcheap_reuse Named Pipe Detection,Author=@Cyb3rops/@olafhartong" condition="contains">\pcheap_reuse</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Covanant C2 Named Pipe Detection,Author=@Cyb3rops/@olafhartong" condition="contains">\gruntsvc</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=remcom Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\remcom</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=rpchlp_3 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\rpchlp_3</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=sdlrpc Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\sdlrpc</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=winsession Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\winsession</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Turla HyperStack Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\adschemerpc</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Hidden Cobra Hoplight Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\AnonymousPipe</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Pacifier Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\bc367</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Pacifier Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\bc31a7</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Emissary Panda Hyerbri Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\testPipe</PipeName>
+			<PipeName name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" condition="contains any">\lsadump;\cachedump;\wceservicepipe</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=9f81f59bc58452127884ce513865ed20 Named Pipe Detection,Risk=100" condition="contains">\9f81f59bc58452127884ce513865ed20</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=46a676ab7f179e511e30dd2dc41bd388 Named Pipe Detection,Risk=100" condition="contains">\46a676ab7f179e511e30dd2dc41bd388</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Kekeo Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">tssmp_endpoint</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=NamePipe_MoreWindows Named Pipe Detection,Risk=100,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\NamePipe_MoreWindows</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=WCEServicePipe detected,Risk=,Author=@Cyb3rops/@olafhartong" condition="contains">\WCEServicePipe</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=ahexec Named Pipe Detection,Risk=,Author=@Cyb3rops/@olafhartong" condition="contains">\ahexec</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=cachedump detected,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\cachedumppipe</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=csexec Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\csexec</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=e710f28d59aa529d6792ca6ff0ca1b34 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\e710f28d59aa529d6792ca6ff0ca1b34</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=isapi_dg2 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\isapi_dg</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\isapi_http</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\isapi_http</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=lsadump detected,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\lsadump</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=lsassw Named Pipe Detectio,Risk=10,Author=@Cyb3rops/@olafhartong" condition="contains">\lsassw</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=paexec Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\paexec</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=pcheap_reuse Named Pipe Detection,Author=@Cyb3rops/@olafhartong" condition="contains">\pcheap_reuse</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Covanant C2 Named Pipe Detection,Author=@Cyb3rops/@olafhartong" condition="contains">\gruntsvc</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=remcom Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\remcom</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=rpchlp_3 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\rpchlp_3</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=sdlrpc Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\sdlrpc</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=winsession Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\winsession</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Turla HyperStack Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\adschemerpc</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Hidden Cobra Hoplight Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\AnonymousPipe</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Pacifier Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\bc367</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Pacifier Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\bc31a7</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Emissary Panda Hyerbri Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\testPipe</PipeName>
 			<PipeName name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,Alert=lateral movement -meterpreter named pipe detected,Risk=100" condition="contains">msf-pipe</PipeName>
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=LM or EXEC over atsvc named pipe" condition="contains">\atsvc</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 1" condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Named Pipe Detection 1" groupRelation="and">
+			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=LM or EXEC over atsvc named pipe" condition="contains">\atsvc</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Malicious Named Pipe Detection 1" condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Cobalt Strike Named Pipe Detection 1" groupRelation="and">
 				<PipeName condition="contains any">\DserNamedPipe;\mypipe-;\windows.update.manager;\ntsvcs_;scerpc_;\demoagent;\PGMessagePipe;\MsFTeWds;\f4c3;\fullduplex_;\msrpc_;\f53f;\rpc_;\spoolss_;\win_svc;\SearchTextHarvester;demoagent_</PipeName>
 				<PipeName condition="is not">\wkssvc</PipeName>
 				<PipeName condition="is not">\spoolss</PipeName>
@@ -5728,26 +5731,26 @@
 				<PipeName condition="is not">\PGMessagePipe</PipeName>
 				<PipeName condition="is not">\MsFteWds</PipeName>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Forensic=Detect suspicious named pipe connections to an AD FS WID,Author=Florian Roth" groupRelation="and"> 
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=4,Forensic=Detect suspicious named pipe connections to an AD FS WID,Author=Florian Roth" groupRelation="and"> 
 				<EventType condition="is">ConnectPipe</EventType>
 				<PipeName condition="is">\MICROSOFT##WID\tsql\query</PipeName>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=4,Alert=Cobalt Strike Named Pipe Detection 2" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Cobalt Strike Named Pipe Detection 2" groupRelation="and">
 				<PipeName condition="begin with">\Winsock2\CatalogChangeListener-</PipeName>
 				<PipeName condition="end with">-0,</PipeName>
 			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Level=4,Alert=EFSPotato Named Pipe Detection" groupRelation="and">
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=EFSPotato Named Pipe Detection" groupRelation="and">
 				<PipeName condition="contains any">\pipe\</PipeName>
 				<PipeName condition="excludes">CtxSharefilepipe0</PipeName>
 			</Rule>
 			<!-- Noisy
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SMB Session Enumeration" condition="contains">\srvsvc</PipeName>
+			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=SMB Session Enumeration" condition="contains">\srvsvc</PipeName>
 			-->
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Remote Registry access and enumeration" condition="contains">\winreg</PipeName>
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Anonymous Named Pipe Detected" condition="contains">Anonymous Pipe</PipeName>
+			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=Remote Registry access and enumeration" condition="contains">\winreg</PipeName>
+			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=Anonymous Named Pipe Detected" condition="contains">Anonymous Pipe</PipeName>
 			<!--Include Everything else to mark above rules-->
 			<!-- Disabled for now
-			<PipeName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Uncategorized Events" condition="contains">\</PipeName>
+			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=Uncategorized Events" condition="contains">\</PipeName>
 			-->
 		</PipeEvent>
 	</RuleGroup>
@@ -5821,120 +5824,120 @@
 	<!-- SYSMON EVENT ID 22 : DNS Queries-->
 	<RuleGroup name="RG=DNS Query Includes" groupRelation="or">
 		<DnsQuery onmatch="include">
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=Powershell TXT Record exfiltration" groupRelation="and">
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Powershell TXT Record exfiltration" groupRelation="and">
 				<QueryResults condition="contains any">type: 16;type:  16</QueryResults>
 				<Image condition="image">powershell.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1059,Technique=Powershell,Tactic=Execution,Level=4,Alert=Powershell Connection to github" groupRelation="and">
+			<Rule name="Attack=T1059,Technique=Powershell,Tactic=Execution,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Powershell Connection to github" groupRelation="and">
 				<QueryName condition="contains">github</QueryName>
 				<Image condition="image">powershell.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious DNS Requests" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious DNS Requests" groupRelation="and">
 				<Image condition="contains any">powershell;cscript.exe;wscript.exe;mshta.exe;bitsadmin.exe;\cmd.exe</Image>
 				<QueryName condition="contains">.</QueryName>
 			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=Dropbox Cloud Exfiltration" groupRelation="and">
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Dropbox Cloud Exfiltration" groupRelation="and">
 				<QueryName condition="end with">dropboxapi.com</QueryName>
 				<Image condition="excludes any">\Dropbox\Client\Dropbox.exe;\Dropbox\bin\Dropbox.exe;\Oracle\Java\</Image>
 			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=OneDrive Cloud Exfiltration" groupRelation="and">
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=OneDrive Cloud Exfiltration" groupRelation="and">
 				<QueryName condition="contains">1drv</QueryName>
 				<Image condition="excludes any">\AppData\Local\Microsoft\OneDrive\OneDrive.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;\Internet Explorer\iexplore.exe;C:\Windows\System32\AppHostRegistrationVerifier.exe;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe;C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe;C:\Program Files\Mozilla Firefox\firefox.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=Box.com Cloud Exfiltration" groupRelation="and">
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Box.com Cloud Exfiltration" groupRelation="and">
 				<QueryName condition="contains all">.box.com;upload</QueryName>
 			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=Mega.co.nz Cloud Exfiltration" groupRelation="and">
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Mega.co.nz Cloud Exfiltration" groupRelation="and">
 				<QueryName condition="contains any">mega.nz;mega.co.nz</QueryName>
 			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=4,Alert=Privatlab Cloud Exfiltration" groupRelation="and">
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Privatlab Cloud Exfiltration" groupRelation="and">
 				<QueryName condition="contains any">privatlab.com</QueryName>
 			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,Level=4,Alert=Solarwinds/FireEye sunburst domains,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Solarwinds/FireEye sunburst domains,Risk=100" groupRelation="or">
 				<QueryName condition="contains any">thedoccloud.com;deftsecurity.com;websitetheme.com;highdatabase.com;incomeupdate.com;zupertech.com;panhardware.com;databasegalore.com;avsvmcloud.com;freescanonline.com</QueryName>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Social Networking" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Social Networking" groupRelation="or">
 				<QueryName condition="contains any">tiktok;parler.com;gab.com;mewe.com;4chan;8chan;facebook;fbcdn;twitter;instagram;snapchat</QueryName>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Internet Relay Chat,Risk=70" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Internet Relay Chat,Risk=70" groupRelation="or">
 				<QueryName condition="contains any">efnet;undernet;freenode;ircnet;.rizon;quakenet;oftc.net;dalnet</QueryName>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Internet Chat,Risk=20" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Internet Chat,Risk=20" groupRelation="and">
 				<QueryName condition="contains any">.slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com</QueryName>
 			</Rule>
 			<!--Crypto Currency Mining pools-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=10"  groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=10"  groupRelation="or">
 				<QueryName condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.nimpool.io;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool;analytics.blue;estream.to</QueryName>
 			</Rule>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Microsoft Graph API Lookup" condition="is">graph.microsoft.com</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Dropbox Download Detected" condition="is">dl.dropboxusercontent.com</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=OneDrive API Lookup" condition="is">api.onedrive.com</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Zoom Hostname Lookup" condition="contains">zoom.us</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Teamviewer Hostname Lookup" condition="contains">teamviewer</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Screenconnect Hostname Lookup" condition="contains">Screenconnect</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Microsoft Graph API Lookup" condition="is">graph.microsoft.com</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Dropbox Download Detected" condition="is">dl.dropboxusercontent.com</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=OneDrive API Lookup" condition="is">api.onedrive.com</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Zoom Hostname Lookup" condition="contains">zoom.us</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Teamviewer Hostname Lookup" condition="contains">teamviewer</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Screenconnect Hostname Lookup" condition="contains">Screenconnect</QueryName>
 			<!--Public Port Scan Detection-->
 			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
 			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery" condition="contains">census</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=ResearchScan DNS Query" condition="contains">researchscan</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=ScanHub DNS Query" condition="contains">scanhub</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=Shadow DNS Query,Risk=20" condition="contains">shadow</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,Level=0,Desc=Shodan.IO DNS Query,Risk=20" condition="contains">shodan</QueryName>
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=ResearchScan DNS Query" condition="contains">researchscan</QueryName>
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=ScanHub DNS Query" condition="contains">scanhub</QueryName>
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Shadow DNS Query,Risk=20" condition="contains">shadow</QueryName>
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Shodan.IO DNS Query,Risk=20" condition="contains">shodan</QueryName>
 			<!--Domain TLD's to log-->
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Download TLD DNS Query" condition="end with">.download</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=North Korea TLD DNS Query" condition="end with">.kp</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Soviet Union TLD DNS Query" condition="end with">.su</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Sudan TLD DNS Query" condition="end with">.ss</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious TLD .xn DNS Query" condition="end with">.xn</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Syria TLD DNS Query" condition="end with">.sy</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Venezuela TLD DNS Query" condition="end with">.ve</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=XXX TLD DNS Query" condition="end with">.xxx</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=China TLD DNS Query" condition="end with">.cn</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Click TLD DNS Query" condition="end with">.click</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Club TLD DNS Query" condition="end with">.club</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=IRAN TLD DNS Query" condition="end with">.ir</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Russian TLD DNS Query" condition="end with">.ru</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious TLD .Host DNS Query" condition="end with">.host</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious TLD .ICU DNS Query" condition="end with">.icu</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious TLD .PW DNS Query" condition="end with">.pw</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious TLD .WEBSITE DNS Query" condition="end with">.website</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious TLD .ninja DNS Query" condition="end with">.ninja</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious TLD .rocks DNS Query" condition="end with">.rocks</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Top TLD DNS Query" condition="end with">.top</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Ukraine TLD DNS Query" condition="end with">.ua</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=XYZ TLD DNS Query" condition="end with">.xyz</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Download TLD DNS Query" condition="end with">.download</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=North Korea TLD DNS Query" condition="end with">.kp</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Soviet Union TLD DNS Query" condition="end with">.su</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Sudan TLD DNS Query" condition="end with">.ss</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .xn DNS Query" condition="end with">.xn</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Syria TLD DNS Query" condition="end with">.sy</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Venezuela TLD DNS Query" condition="end with">.ve</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=XXX TLD DNS Query" condition="end with">.xxx</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=China TLD DNS Query" condition="end with">.cn</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Click TLD DNS Query" condition="end with">.click</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Club TLD DNS Query" condition="end with">.club</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=IRAN TLD DNS Query" condition="end with">.ir</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Russian TLD DNS Query" condition="end with">.ru</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .Host DNS Query" condition="end with">.host</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .ICU DNS Query" condition="end with">.icu</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .PW DNS Query" condition="end with">.pw</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .WEBSITE DNS Query" condition="end with">.website</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .ninja DNS Query" condition="end with">.ninja</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .rocks DNS Query" condition="end with">.rocks</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Top TLD DNS Query" condition="end with">.top</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Ukraine TLD DNS Query" condition="end with">.ua</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=XYZ TLD DNS Query" condition="end with">.xyz</QueryName>
 			<!--Malware Domains-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Suspicious Domain,Risk=20" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious Domain,Risk=20" groupRelation="and">
 				<QueryName condition="contains any">kuternull.com;rimrun.com;0ffice36o;asushotfix;infestexe;rahasn.webhop.org;rahasn.akamake.net;rahasn.homewealth.biz;winodwsupdates;israirairlines</QueryName>
 			</Rule>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=DNS Query to Github,Risk=20" condition="contains any">githubusercontent.com;github.com</QueryName> 
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=DNS Query to Github,Risk=20" condition="contains any">githubusercontent.com;github.com</QueryName> 
 			<!--Common Suspicious destinations-->
-			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=0,Desc=Malware IP Check,Risk=30" condition="contains any">api.ipify.org;whatismyipaddress.com;edns.ip-api.com;checkip.dyndns.org;icanhazip.com;ifconfig.me;ifconfig.co;ipaddress.com;ipecho.net;ident.me;api.ip.sb;www.myexternalip.com;ip.anysrc.net;wtfismyip.com;myexternalip.com;ipecho.net;checkip.amazonaws.com;goo.gl;git.io;bit.ly;ow.ly;ip-api.com</QueryName> <!--Malware uses to get external IP address-->
+			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Malware IP Check,Risk=30" condition="contains any">api.ipify.org;whatismyipaddress.com;edns.ip-api.com;checkip.dyndns.org;icanhazip.com;ifconfig.me;ifconfig.co;ipaddress.com;ipecho.net;ident.me;api.ip.sb;www.myexternalip.com;ip.anysrc.net;wtfismyip.com;myexternalip.com;ipecho.net;checkip.amazonaws.com;goo.gl;git.io;bit.ly;ow.ly;ip-api.com</QueryName> <!--Malware uses to get external IP address-->
 			<!-- Malicious/Suspicious hosting domains-->
-			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=4,Alert=Common Malware Hosting Domain: Tiny-share.com,Risk=30" condition="contains any">tiny-share.com;paste.ee;pastebin.com</QueryName>
+			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Common Malware Hosting Domain: Tiny-share.com,Risk=30" condition="contains any">tiny-share.com;paste.ee;pastebin.com</QueryName>
 			<!--Dynamic DNS Lookups-->
-			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,Level=3,Alert=Dynamic DNS Query" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</QueryName>
-			<QueryName name="Attack=T1188,Technique=Multi-hop Proxy,Tactic=Command And Control,Level=4,Alert=Tor2Web,Risk=100" condition="contains any">darknet.to;hiddenservice.net;onion.cab;onion.city;onion.direct;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org</QueryName>
-			<QueryName name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,Level=0,Desc=DNS Over HTTPS Detected" condition="contains any">adblock.mydns.network;ibksturm.synology.me;jcdns.fun;ibuki.cgnat.net;dns.twnic.tw;commons.host;doh.dnswarden.com;dns-nyc.aaflalo.me;dns.aaflalo.me;doh.appliedprivacy.net;doh.captnemo.in;doh.tiar.app;doh.tiarap.org;doh.defaultroutes.de;doh.dns.sb;dns.oszx.co;2.dnscrypt-cert.oszx.co;dnscrypt;edns.233py.com;hk-dns.233py.com;hk2dns.233py.com;hkdns.233py.com;hkdns.233py.com;ndns.233py.com;sdns.233py.com;wdns.233py.com;pastebin.com;dns.adguard.com;dns-family.adguard.com;security-filter-dns.cleanbrowsing.org;family-filter-dns.cleanbrowsing.org;adult-filter-dns.cleanbrowsing.org;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;dns.google;doh.opendns.com;dns.quad9.net;dns9.quad9.net;dns10.quad9.net;dns11.quad9.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;doh-ch.blahdns.com;doh-de.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;doh-2.seby.io;doh.seby.io;rdns.faelix.net;doh.li;doh.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=DC Global Catalog Lookup" condition="begin with">gc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._tcp.dc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._udp.dc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Primary DC Lookup" condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Web Proxy Auto-Discovery Protocol Lookup" condition="begin with">wpad</QueryName>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
+			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Traffic Content,Level=3,Alert=Dynamic DNS Query" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</QueryName>
+			<QueryName name="Attack=T1188,Technique=Multi-hop Proxy,Tactic=Command And Control,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Tor2Web,Risk=100" condition="contains any">darknet.to;hiddenservice.net;onion.cab;onion.city;onion.direct;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org</QueryName>
+			<QueryName name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=DNS Over HTTPS Detected" condition="contains any">adblock.mydns.network;ibksturm.synology.me;jcdns.fun;ibuki.cgnat.net;dns.twnic.tw;commons.host;doh.dnswarden.com;dns-nyc.aaflalo.me;dns.aaflalo.me;doh.appliedprivacy.net;doh.captnemo.in;doh.tiar.app;doh.tiarap.org;doh.defaultroutes.de;doh.dns.sb;dns.oszx.co;2.dnscrypt-cert.oszx.co;dnscrypt;edns.233py.com;hk-dns.233py.com;hk2dns.233py.com;hkdns.233py.com;hkdns.233py.com;ndns.233py.com;sdns.233py.com;wdns.233py.com;pastebin.com;dns.adguard.com;dns-family.adguard.com;security-filter-dns.cleanbrowsing.org;family-filter-dns.cleanbrowsing.org;adult-filter-dns.cleanbrowsing.org;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;dns.google;doh.opendns.com;dns.quad9.net;dns9.quad9.net;dns10.quad9.net;dns11.quad9.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;doh-ch.blahdns.com;doh-de.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;doh-2.seby.io;doh.seby.io;rdns.faelix.net;doh.li;doh.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=DC Global Catalog Lookup" condition="begin with">gc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._tcp.dc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._udp.dc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Primary DC Lookup" condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Web Proxy Auto-Discovery Protocol Lookup" condition="begin with">wpad</QueryName>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
 				<QueryName condition="begin with">_ldap.</QueryName>
 				<Image condition="excludes">C:\Windows\</Image>
 				<Image condition="excludes">unknown process</Image>
 				<Image condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\Windows Defender\MsMpEng.exe;C:\Windows\</Image>
 			</Rule>
 			<!--
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=AAAA Lookup" condition="begin with">type:  28</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=CNAME Lookup" condition="begin with">type:  5</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=MX Lookup" condition="begin with">type:  15</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Name Server" condition="begin with">type:  2</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=PTR Lookup" condition="begin with">type:  12</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SOA Lookup" condition="begin with">type:  6</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SPF Lookup" condition="begin with">type:  99</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=SRV Lookup" condition="begin with">type:  33</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=AAAA Lookup" condition="begin with">type:  28</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=CNAME Lookup" condition="begin with">type:  5</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=MX Lookup" condition="begin with">type:  15</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Name Server" condition="begin with">type:  2</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=PTR Lookup" condition="begin with">type:  12</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=SOA Lookup" condition="begin with">type:  6</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=SPF Lookup" condition="begin with">type:  99</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=SRV Lookup" condition="begin with">type:  33</QueryResults>
 			-->
 			<Image name="Information=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
 		</DnsQuery>
@@ -6208,7 +6211,7 @@
 	<!--SYSMON EVENT ID 25 : Process tampering events-->
 	<RuleGroup name="RG=Process Tampering Includes" groupRelation="or">
 		<ProcessTampering onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Process Tampering Detected" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Process Tampering Detected" groupRelation="and">
 				<Image condition="contains any">.;&gt;;unknown;anonymous</Image>
 				<Image condition="excludes">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
 				<Image condition="excludes">C:\Program Files (x86)\Symantec\</Image>
@@ -6239,19 +6242,19 @@
 	<!--SYSMON EVENT ID 27 : FILE BLOCK [FileBlockExecutable]-->
 	<RuleGroup name="RG=ImageBlock Include Group" groupRelation="or">
 		<FileBlockExecutable onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block Office from Creating Executables" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Block Office from Creating Executables" groupRelation="and">
 				<Image condition="contains any">OUTLOOK.exe;WINWORD.exe;EXCEL.EXE;powerpnt.exe;msaccess.exe;mspub.exe;eqnedt32.exe;visio.exe;wordpad.exe;wordview.exe;msohtmed.exe;lync.exe;teams.exe</Image>
 				<TargetFilename condition="excludes any">:\Program Files\Microsoft Office\;:\Program Files (x86)\Microsoft Office\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block Web Servers from creating binary files" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Block Web Servers from creating binary files" groupRelation="and">
 				<Image condition="contains any">w3wp.exe;tomcat;apache;nginx;httpd</Image>
 				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block Powershell from downloading EXE" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Block Powershell from downloading EXE" groupRelation="and">
 				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
 				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block double extensions" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Block double extensions" groupRelation="or">
 				<TargetFilename condition="end with">.pdf.exe</TargetFilename>
 				<TargetFilename condition="end with">.doc.exe</TargetFilename>
 				<TargetFilename condition="end with">.docx.exe</TargetFilename>
@@ -6267,22 +6270,22 @@
 				<TargetFilename condition="end with">.ico.exe</TargetFilename>
 				<TargetFilename condition="end with">.lnk.exe</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block PSexec and PSEXESVC from Dropping binaries" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Block PSexec and PSEXESVC from Dropping binaries" groupRelation="or">
 				<Image condition="contains any">psexesvc</Image>
 				<Image condition="contains any">psexec</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block wmiprvse.exe from Dropping binaries" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Block wmiprvse.exe from Dropping binaries" groupRelation="or">
 				<Image condition="image">wmiprvse.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block executables from writing to Users\Public" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Block executables from writing to Users\Public" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
 				<TargetFilename condition="excludes any">amdsfhdcd.bin</TargetFilename>
 				<Image condition="excludes any">intuit</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Block LOLbins that drop files" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Block LOLbins that drop files" groupRelation="and">
 				<Image condition="contains any">AcroRd32.exe;notepad.exe;mshta.exe;hh.exe;certutil.exe;certoc.exe;certreq.exe;desktopimgdownldr.exe;esentutl.exe;finger.exe;presentationhost.exe;cscript.exe;wscript.exe;mspaint.exe;RdrCEF.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1311,Technique=User Execution: Malicious File,Tactic=Execution,Level=4,Alert=Malicious File Detection,Author=Florian Roth/ionstorm" groupRelation="or">
+			<Rule name="Attack=T1311,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Malicious File Detection,Author=Florian Roth/ionstorm" groupRelation="or">
 				<Hashes condition="contains">IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932</Hashes> <!-- PetitPotam -->
 				<Hashes condition="contains">IMPHASH=3A19059BD7688CB88E70005F18EFC439</Hashes> <!-- PetitPotam -->
 				<Hashes condition="contains">IMPHASH=bf6223a49e45d99094406777eb6004ba</Hashes> <!-- PetitPotam -->
@@ -6376,13 +6379,13 @@
 				<Hashes condition="contains">SHA256=c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2</Hashes><!--Exchange Zero Day Dropped DLL-->
 				<Hashes condition="contains">SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e</Hashes><!--Exchange Zero Day Dropped DLL-->
 			</Rule>
-			<Rule name="Attack=T1311,Technique=User Execution: Malicious File,Tactic=Execution,Level=4,Alert=Exchange 0day Malicious File Detection,Author=ionstorm" groupRelation="and">
+			<Rule name="Attack=T1311,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Exchange 0day Malicious File Detection,Author=ionstorm" groupRelation="and">
 				<TargetFilename condition="contains any">\DrSDKCaller.exe;C:\Users\Public\all.exe;C:\Users\Public\dump.dll;C:\Users\Public\ad.exe;C:\PerfLogs\gpg-error.exe;C:\PerfLogs\cm.exe;C:\Program Files\Common Files\system\ado\msado32.tlb</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Tools that tamper with Sysmon,Author=Florian Roth" groupRelation="and">
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Tools that tamper with Sysmon,Author=Florian Roth" groupRelation="and">
 				<TargetFilename condition="contains any">\EntenLoader.exe;\SysmonQuiet.exe;\SharpEvtMute.exe;\EvtMuteHook.dll</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Desc=Lolbins dropping binaries,Author=Florian Roth" groupRelation="or">
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=4,Desc=Lolbins dropping binaries,Author=Florian Roth" groupRelation="or">
 				<Image condition="image">certutil.exe</Image>
 				<Image condition="image">certoc.exe</Image>
 				<Image condition="image">CertReq.exe</Image>
@@ -6393,16 +6396,16 @@
 				<Image condition="image">finger.exe</Image>
 				<Image condition="image">presentationhost.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Desc=Suspicious Bitsadmin Usage from Non System accounts,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=4,Desc=Suspicious Bitsadmin Usage from Non System accounts,Author=@ionstorm" groupRelation="and">
 				<Image condition="image">bitsadmin.exe</Image>
 				<TargetFilename condition="excludes any">C:\Windows;$WINDOWS.;\SoftwareDistribution\</TargetFilename>
 				<User condition="is not">System</User>
 				<User condition="excludes any">TrustedInstaller;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</User>
 			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,Level=4,Alert=Tools that tamper with Sysmon,Author=Florian Roth" groupRelation="and">
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Tools that tamper with Sysmon,Author=Florian Roth" groupRelation="and">
 				<TargetFilename condition="contains any">\EntenLoader.exe;\SysmonQuiet.exe;\SharpEvtMute.exe;\EvtMuteHook.dll</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,Level=4,Alert=Block Binaries dropped to Perflogs" groupRelation="and">
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=4,Alert=Block Binaries dropped to Perflogs" groupRelation="and">
 				<TargetFilename condition="begin with">C:\PerfLogs\</TargetFilename>
 			</Rule>
 		</FileBlockExecutable>

From 2231a8d79744e8567301f818c878d23417ac51b9 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Mon, 3 Oct 2022 17:37:34 -0400
Subject: [PATCH 396/471] Add Missing MITRE Datasources

---
 sysmonconfig-export.xml | 242 ++++++++++++++++++++--------------------
 1 file changed, 121 insertions(+), 121 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 5bc351b3..3a7c8f0b 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -110,7 +110,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
 
 			<!--MITRE ATT&CK TACTIC: Resource Development-->
-			<Rule name="Attack=T1587,Technique=Develop Capabilities,Tactic=Resource Development,Alert=PurpleSharp Indicator,Risk=40" groupRelation="or">
+			<Rule name="Attack=T1587,Technique=Develop Capabilities,Tactic=Resource Development,Level=3,DS=Process: Process Creation,Alert=PurpleSharp Indicator,Risk=40" groupRelation="or">
 				<CommandLine condition="contains any">PurpleSharp;xyz123456</CommandLine> 
 				<OriginalFileName condition="contains any">PurpleSharp</OriginalFileName> 
 			</Rule>
@@ -119,7 +119,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
 			<CommandLine name="Attack=T1584.002,Technique=Compromise Infrastructure: DNS Server,Tactic=Resource Development,DS=Process: Process Creation,Level=4,Alert=DNSCMD DLL exec" condition="contains">/serverlevelplugindll</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
-			<Rule name="Attack=T1587.003,Technique=Develop Capabilities: Digital Certificates,Tactic=Resource Development,Alert=netsh adding SSL Certificate,Risk=40" groupRelation="and">
+			<Rule name="Attack=T1587.003,Technique=Develop Capabilities: Digital Certificates,Tactic=Resource Development,Level=3,DS=Process: Process Creation,Alert=netsh adding SSL Certificate,Risk=40" groupRelation="and">
 				<CommandLine condition="contains all">add;sslcert;http</CommandLine> 
 			</Rule>
 			<CommandLine name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=netsh removing SSL Certificate,Risk=40" condition="contains">http del sslcert</CommandLine>
@@ -270,17 +270,17 @@
 				<ParentImage condition="contains any">svchost.exe;lsass.exe;services.exe;smss.exe;winlogon.exe;explorer.exe;dllhost.exe;rundll32.exe;regsvr32.exe;userinit.exe;winit.exe;spoolsv.exe;wermgr.exe;csrss.exe;ctfmon.exe;werfault.exe</ParentImage>
 				<Image condition="image">conhost.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Console Host children,Risk=30" groupRelation="and">
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,DS=Process: Process Creation,Alert=Suspicious Console Host children,Risk=30" groupRelation="and">
 				<ParentImage condition="image">conhost.exe</ParentImage>
 				<Image condition="excludes any">:\Windows\splwow64.exe;:\Windows\System32\WerFault.exe;:\Windows\System32\conhost.exe</Image>
 			</Rule>
 			<!-- Disabled for now
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,UEBA=Execution Command Line tools by user,Risk=45" groupRelation="and">
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,UEBA=Execution Command Line tools by user,Risk=45" groupRelation="and">
 				<Image condition="contains any">\cmd.exe;WindowsTerminal;powershell</Image>
 				<ParentImage condition="image">explorer.exe</ParentImage>
 			</Rule>
 			-->
-			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,UEBA=Powershell as cmd.exe child process,Risk=39" groupRelation="and">
+			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,DS=Process: Process Creation,UEBA=Powershell as cmd.exe child process,Risk=39" groupRelation="and">
 				<ParentImage condition="image">cmd.exe</ParentImage>
 				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
 				<CommandLine condition="excludes">Get-ItemProperty HKLM:\software\wow6432node\microsoft\windows\currentversion\uninstall\</CommandLine>
@@ -299,7 +299,7 @@
 				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
 				<ParentImage condition="image">mshta.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=T1059,Technique=Visual Basic,Tactic=Execution,UEBA=Suspicious WSCRIPT Command Line,Risk=50" groupRelation="and">
+			<Rule name="Attack=T1059,Technique=Visual Basic,Tactic=Execution,DS=Process: Process Creation,UEBA=Suspicious WSCRIPT Command Line,Risk=50" groupRelation="and">
 				<Image condition="contains any">wscript.exe;cscript.exe</Image>
 				<CommandLine condition="excludes any">IEX;Net.WebClient;ospp.vbs;powershell;slmgr.vbs;spiceworks_upload</CommandLine>
 			</Rule>
@@ -335,7 +335,7 @@
 				<ParentImage condition="contains any">C:\Windows\Temp\hpqhvind.exe;C:\ProgramData\DRM\;Test.exe</ParentImage>
 				<Image condition="contains any">C:\ProgramData\DRM;wmplayer.exe;C:\ProgramData\DRM\CLR\CLR.EXE</Image>
 			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,UEBA=Registry Editor Opened by user,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1204,Technique=User Execution,DS=Process: Process Creation,Tactic=Execution,UEBA=Registry Editor Opened by user,Risk=70" groupRelation="and">
 				<Image condition="image">regedit.exe</Image>
 				<ParentImage condition="image">explorer.exe</ParentImage>
 			</Rule>
@@ -344,12 +344,12 @@
 				<ParentImage condition="image">explorer.exe</ParentImage>
 			</Rule>
 			-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,UEBA=Unusual Child Process,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,UEBA=Unusual Child Process,Risk=30" groupRelation="and">
 				<Image condition="contains any">\svchost.exe;\taskhostw.exe;\userinit.exe;\smss.exe;\csrss.exe;\wininit.exe;\winlogon.exe;\lsass.exe;\logonui.exe;\services.exe</Image>
 				<Image condition="contains any">C:\windows\System32\;C:\windows\syswow64\</Image>
 				<ParentImage condition="excludes any">\wininit.exe;\winlogon.exe;\services.exe;\dwm.exe;System;\smss.exe;\svchost.exe</ParentImage>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,UEBA=Unusual Print Spooler Child Process,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,UEBA=Unusual Print Spooler Child Process,Risk=30" groupRelation="and">
 				<ParentImage condition="contains any">\spoolsv.exe;\PrintIsolationHost.exe</ParentImage>
 				<Image condition="excludes any">C:\Windows\System32\spoolsv.exe;\GPLGS\gswin32c.exe;C:\Windows\System32\spool\drivers\;\bin\gswin64c.exe;C:\PROGRA~2\CUTEPD~1\;C:\Windows\EEFPrinter.exe</Image>
 				<CommandLine condition="excludes any">C:\Windows\system32\spool\DRIVERS</CommandLine>
@@ -384,7 +384,7 @@
 				<CommandLine condition="excludes">C:\Windows\system32\spool\DRIVERS\</CommandLine>
 				<CommandLine condition="excludes">PhotoViewer.dll</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Alert=Office Spawning exe within: User Home Dirs,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Alert=Office Spawning exe within: User Home Dirs,Risk=80" groupRelation="and">
 				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe</ParentImage>
 				<Image condition="begin with">C:\Users\</Image>
 				<Image condition="end with">.exe</Image>
@@ -402,7 +402,7 @@
 				<Image condition="excludes">iexplore.exe</Image>
 				<Image condition="excludes">vivaldi.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,Info=Office Spawning exe within: ProgramData,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Info=Office Spawning exe within: ProgramData,Risk=70" groupRelation="and">
 				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe</ParentImage>
 				<Image condition="begin with">C:\ProgramData\</Image>
 				<Product condition="excludes">Firefox</Product>
@@ -445,7 +445,7 @@
 				<Image condition="image">FLTLDR.EXE</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
-			<CommandLine name="Attack=T1559.002,Technique=Dynamic Data Exchange,Tactic=Execution" condition="contains any">/dde;-dde</CommandLine>
+			<CommandLine name="Attack=T1559.002,Technique=Dynamic Data Exchange,Tactic=Execution,DS=Process: Process Creation," condition="contains any">/dde;-dde</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Native API-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
 			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scheduled Task Created,Risk=100" groupRelation="and">
@@ -672,18 +672,18 @@
 				<CommandLine condition="excludes any">route ; ADD </CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism: Bypass User Account Control-->
-			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,Risk=20" groupRelation="and">
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation,Risk=20" groupRelation="and">
 				<ParentImage condition="image">eventvwr.exe</ParentImage>
 				<Image condition="is not">c:\windows\system32\mmc.exe</Image>
 			</Rule>
-			<ParentImage name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation" condition="image">fodhelper.exe</ParentImage>
+			<ParentImage name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation," condition="image">fodhelper.exe</ParentImage>
 			<Image name="Attack=T1118,Technique=InstallUtil,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=InstallUtil" condition="image">InstallUtil.exe</Image>
 			<CommandLine name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=UAC Bypass" condition="contains">Invoke-PsUaCme</CommandLine>
 			<CommandLine name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=UAC Bypass" condition="contains">BypassUAC</CommandLine>
 			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Powerup Command Line events" condition="contains">PowerUp</CommandLine>
-			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">computerdefaults.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="is">dism.exe</OriginalFileName>
-			<ParentImage name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion" condition="image">fodhelper.exe</ParentImage>
+			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion,DS=Process: Process Creation" condition="is">computerdefaults.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion,DS=Process: Process Creation" condition="is">dism.exe</OriginalFileName>
+			<ParentImage name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion,DS=Process: Process Creation" condition="image">fodhelper.exe</ParentImage>
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
 			<Rule name="Attack=T1134.001,Technique=Access Token Manipulation: Token Impersonation/Theft,Tactic=Privilege Escalation,Risk=90,DS=Process: Process Creation,Level=3,Alert=Priv Escalation to System" groupRelation="and">
 				<ParentUser condition="contains any">NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</ParentUser>
@@ -712,11 +712,11 @@
 				<Image condition="excludes any">C:\Windows\System32\ATBroker.exe;Magnify.exe;C:\Windows\System32\osk.exe</Image>
 			</Rule>
 			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation,DS=Process: Process Creation,Level=0,Desc=SETHC Priv Escalation" condition="image">sethc.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">osk.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Magnify.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">DisplaySwitch.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Narrator.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">AtBroker.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">osk.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">Magnify.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">DisplaySwitch.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">Narrator.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">AtBroker.exe</ParentImage>
 			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Application Shimming-->
 			<Image name="Attack=T1138,Technique=Application Shimming,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Application Shimming" condition="image">sdbinst.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
@@ -852,7 +852,7 @@
 			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Bash on windows execution,Risk=30" condition="image">bash.exe</ParentImage>
 			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Indirect Command Execution with forfiles" condition="image">forfiles.exe</Image>
 			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Indirect command execution forfiles child process" condition="image">forfiles.exe</ParentImage>
-			<Image name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">.com</Image>
+			<Image name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,DS=Process: Process Creation" condition="end with">.com</Image>
 			<CommandLine name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scriptrunner exec" condition="contains">-appvscript</CommandLine>
 
 			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
@@ -928,7 +928,7 @@
 				<CommandLine condition="contains any">C^om^S^pEc;^c^o^m^S^p^E^c^;Wscript.Shell;-ComObject;MsXml2.ServerXmlHttp;Remove.ToString;System.Convert;-UseB;[Byte[];^h^t^t^p;h"t"t"p</CommandLine>
 			</Rule>
 			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information with IwAjACMAd,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Common Base 64 encoded cmds" condition="contains any">IwAjACMAd;IyM=;SUVYI;aWV4I;SQBFAFgA;aQBlAHgA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,Alert=Obfuscated Hidden Powershell,Risk=70" condition="contains any">WindowStyle Hidden function;WindowStyle Hidden;windowstyle h;windowstyl h;windowsty h;windowst h;windows h;window h;windo h;wind h;win h;wi h;-w h;/w h;win hi;win hid;win hidd;win hidde;win hidden</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Alert=Obfuscated Hidden Powershell,Risk=70" condition="contains any">WindowStyle Hidden function;WindowStyle Hidden;windowstyle h;windowstyl h;windowsty h;windowst h;windows h;window h;windo h;wind h;win h;wi h;-w h;/w h;win hi;win hid;win hidd;win hidde;win hidden</CommandLine>
 			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Command Line Obfuscation,Risk=75" condition="contains">^</CommandLine>
 			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Type CON Command Line Redirection" condition="contains">TYPE CON ></CommandLine>
 			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Copy CON Command Line Redirection" condition="contains">copy CON ></CommandLine>
@@ -1089,11 +1089,11 @@
 			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=InstallUtil 1" groupRelation="and">
-				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
+				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
 				<CommandLine condition="contains all">/logfile=;/LogToConsole=false;/U</CommandLine>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=InstallUtil 2" groupRelation="and">
-				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
+				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
 				<CommandLine condition="contains all">-logfile=;-LogToConsole=false;-U</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1218.013,Technique=Mavinject,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Mavinject Detected,Risk=100" groupRelation="and">
@@ -1126,40 +1126,40 @@
 			</Rule>
 			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Script:http Detected,Risk=75" condition="contains">script:http</CommandLine>
 			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Register-cimprovider exec,Risk=100" condition="contains">Register-cimprovider</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">Scriptrunner.exe -appvscript</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">bginfo</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">cbd</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">Scriptrunner.exe -appvscript</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">bginfo</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">cbd</CommandLine>
 			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=runscripthelper LOLBAS,Risk=40" condition="contains">runscripthelper.exe surfacecheck</CommandLine>
 			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=xwizard LOLBAS,Risk=40" condition="contains">xwizard RunWizard</CommandLine>
 			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=PresentationHost exec,Risk=100" condition="contains">PresentationHost</CommandLine>
 			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=VBoxDrvInst.exe exec,Risk=100" condition="contains">driver executeinf</CommandLine>
 			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains any">control.exe /name;control.exe -name</CommandLine>
 			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains">Control_RunDLL</CommandLine>
-			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="image">SyncAppvPublishingServer.exe</Image>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">Scriptrunner.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">ATBroker.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">Appvlp.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">InfDefaultInstall.EXE</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">PresentationHost.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">RegisterCimProvider2.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">RegisterCimProvider.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">ScriptRunner.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">csi.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">extexport.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">msconfig.EXE</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">rasdlui.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">tttracer.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">verclsid.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">wab.exe</OriginalFileName>
+			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="image">SyncAppvPublishingServer.exe</Image>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">Scriptrunner.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">ATBroker.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">Appvlp.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">InfDefaultInstall.EXE</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">PresentationHost.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">RegisterCimProvider2.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">RegisterCimProvider.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">ScriptRunner.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">csi.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">extexport.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">msconfig.EXE</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">rasdlui.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">tttracer.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">verclsid.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">wab.exe</OriginalFileName>
 			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Register-cimprovider.exe,Risk=100" condition="contains">Register-cimprovider.exe</OriginalFileName>
-			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">csi.exe</ParentCommandLine>
-			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="contains">devtoolslauncher.exe LaunchForDeploy</ParentCommandLine>
-			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="is">bginfo</ParentCommandLine>
-			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="image">devtoolslauncher.exe</ParentImage>
-			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="image">wab.exe</ParentImage>
-			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution" condition="image">wsreset.exe</ParentImage>
+			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">csi.exe</ParentCommandLine>
+			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">devtoolslauncher.exe LaunchForDeploy</ParentCommandLine>
+			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">bginfo</ParentCommandLine>
+			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="image">devtoolslauncher.exe</ParentImage>
+			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="image">wab.exe</ParentImage>
+			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="image">wsreset.exe</ParentImage>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: CMSTP-->
-			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion" condition="contains any">cmstp.exe /ni /s;cmstp.exe -ni -s</CommandLine>
+			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation" condition="contains any">cmstp.exe /ni /s;cmstp.exe -ni -s</CommandLine>
 			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=cmstp" condition="contains any">cmstp /ni /s;cmstp -ni -s</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Mavinject-->
 			<Image name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Mavinject Process Injection" condition="image">Mavinject.exe</Image>
@@ -1178,7 +1178,7 @@
 				<Image condition="image">regsvr32.exe</Image> 
 				<CommandLine condition="contains all">C:\Users;Public</CommandLine> 
 			</Rule>
-			<Description name="Attack=T1117,Technique=Regsvr32,Tactic=Execution" condition="contains">Microsoft(C) Register Server</Description>
+			<Description name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,DS=Process: Process Creation" condition="contains">Microsoft(C) Register Server</Description>
 			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=SyncAppvPublishingServer Applocker Bypass" condition="image">SyncAppvPublishingServer.exe</Image>
 			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=control panel execution" condition="image">control.exe</Image>
 			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=rasautou execution" condition="image">rasautou.exe</Image>
@@ -1507,11 +1507,11 @@
 			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=Pathping Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">pathping.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Software Discovery: Security Software Discovery-->
-			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,Alert=Sysmon Detection with driver altitude " groupRelation="or">
+			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Alert=Sysmon Detection with driver altitude" groupRelation="or">
 				<CommandLine condition="contains all">find;385201</CommandLine>
 				<CommandLine condition="contains all">select-string;385201</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,Alert=Antivirus/edr/siem Discovery" groupRelation="or">
+			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Alert=Antivirus/edr/siem Discovery" groupRelation="or">
 				<CommandLine condition="contains all">find;virus</CommandLine>
 				<CommandLine condition="contains all">select-string;virus</CommandLine>
 				<CommandLine condition="contains all">process;Description;virus</CommandLine>
@@ -1555,9 +1555,9 @@
 				<CommandLine condition="contains all">select-string;sidecar</CommandLine>
 				<CommandLine condition="contains all">process;Description;sidecar</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" groupRelation="or">
-				<OriginalFileName name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" condition="is">fltMC.exe</OriginalFileName>
-				<CommandLine name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery" condition="contains">misc::mflt</CommandLine>
+			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation" groupRelation="or">
+				<OriginalFileName name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discover,DS=Process: Process Creationy" condition="is">fltMC.exe</OriginalFileName>
+				<CommandLine name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation" condition="contains">misc::mflt</CommandLine>
 			</Rule>
 			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=AV Product detection via WMI,Risk=30" condition="contains">AntiVirusProduct</CommandLine>
 			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Security Settings via WMI,Risk=30" condition="contains">root\SecurityCenter2</CommandLine>
@@ -1745,7 +1745,7 @@
 			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
 			<CommandLine name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=IIS powershellcustomhost exec" condition="contains">powershellcustomhost</CommandLine>
 			<!--MITRE ATT&CK TECHNIQUE: Remote Services: Distributed Component Object Model-->
-			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement" groupRelation="and">
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation" groupRelation="and">
 				<ParentCommandLine condition="contains">-Embedding</ParentCommandLine>
 				<ParentImage condition="is">c:\windows\system32\mmc.exe</ParentImage>
 			</Rule>
@@ -2141,7 +2141,7 @@
 			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
 			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=System Child Processes" condition="is">System</ParentImage>
 			<!-- Log other command line events, this sometimes conflicts with rules, add to exclusions as necessary-->
-			<!-- <ParentCommandLine name="Information=Uncategorized Events" condition="contains any">/;\;-;unknown;</ParentCommandLine>-->
+			<!-- <ParentCommandLine name="Information=Uncategorized Events,DS=Process: Process Creation" condition="contains any">/;\;-;unknown;</ParentCommandLine>-->
 		</ProcessCreate>
 	</RuleGroup>
 	<RuleGroup name="RG=Process Create Exclude Group" groupRelation="or">
@@ -2155,12 +2155,12 @@
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
 	<RuleGroup name="RG=FileCreateTime Include Group" groupRelation="or">
 		<FileCreateTime onmatch="include">
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="begin with">C:\Users</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="begin with">C:\ProgramData</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\Temp\</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\tmp\</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\drivers\</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion" condition="contains">\Download</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion,DS=File: File Metadata" condition="begin with">C:\Users</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion,DS=File: File Metadata" condition="begin with">C:\ProgramData</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion,DS=File: File Metadata" condition="contains">\Temp\</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion,DS=File: File Metadata" condition="contains">\tmp\</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion,DS=File: File Metadata" condition="contains">\drivers\</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion,DS=File: File Metadata" condition="contains">\Download</Image>
 		</FileCreateTime>
 	</RuleGroup>
 	<RuleGroup name="RG=FileCreateTime Exclude Group" groupRelation="or">
@@ -2522,8 +2522,8 @@
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=VNC" condition="image">vnc.exe</Image>
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=VNC Viewer" condition="image">vncviewer.exe</Image>
 			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=VNC Service" condition="image">vncservice.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement" condition="image">omniinet.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement" condition="image">hpsmhd.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation" condition="image">omniinet.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation" condition="image">hpsmhd.exe</Image>
 			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
 			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
 			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
@@ -3340,8 +3340,8 @@
 			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=4,Alert=Cobalt Strike Detected 1,Risk=100" condition="end with">0B80</StartAddress>
 			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=4,Alert=Cobalt Strike Detected 2,Risk=100" condition="end with">0C7C</StartAddress>
 			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=4,Alert=Cobalt Strike Detected 3,Risk=100" condition="end with">0C88</StartAddress>
-			<TargetImage name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,Level=0,Desc=Remote Desktop injection,Risk=30" condition="image">c:\windows\system32\mstsc.exe</TargetImage>
-			<Rule name="Alert=Potentially Detect EtwEventWrite Tampering with remote threads" groupRelation="and">
+			<TargetImage name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=0,Desc=Remote Desktop injection,Risk=30" condition="image">c:\windows\system32\mstsc.exe</TargetImage>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Modification,Alert=Potentially Detect EtwEventWrite Tampering with remote threads" groupRelation="and">
 				<StartModule condition="is">C:\WINDOWS\SYSTEM32\ntdll.dll</StartModule>
 				<StartFunction condition="contains">EtwEventWrite</StartFunction>
 			</Rule>
@@ -3565,7 +3565,7 @@
 			<!-- PROCESS_SUSPEND_RESUME -->
 			<GrantedAccess name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=70">0x810</GrantedAccess>
 			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
-			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Risk=70">0x820</GrantedAccess>
+			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Modification,Risk=70">0x820</GrantedAccess>
 			<SourceImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=CScript accessing another process memory,Risk=30" condition="end with">cscript.exe</SourceImage>
 			<SourceImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=WScript accessing another process memory,Risk=30" condition="end with">wscript.exe</SourceImage>
 			<SourceImage condition="end with">jjs.exe</SourceImage>
@@ -3761,9 +3761,9 @@
 			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=RDP Wrapper,Risk=100" condition="end with">rdpwrap.dll</TargetFilename>
 			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=winspool.drv dropped" condition="end with">winspool.drv</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
-			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
-			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
-			<Image name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="begin with">C:\WINDOWS\system32\wbem\scrcons.exe</Image>
+			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=File: File Creation" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
+			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=File: File Creation" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
+			<Image name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=File: File Creation" condition="begin with">C:\WINDOWS\system32\wbem\scrcons.exe</Image>
 			<!--MITRE ATT&CK TACTIC: Persistence-->
 			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
@@ -3784,8 +3784,8 @@
 			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Office Application Startup modification" condition="contains">\Word\STARTUP\</TargetFilename>
 			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Office Application Startup modification" condition="contains">\Microsoft\Templates\</TargetFilename>
 			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Office Application Startup modification" condition="contains">\Excel\XLSTART\</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence" condition="end with">.dotm</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence" condition="end with">.XLSB</TargetFilename>
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation" condition="end with">.dotm</TargetFilename>
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation" condition="end with">.XLSB</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Scheduled Task Modified" condition="begin with">C:\Windows\Tasks\</TargetFilename>
@@ -3914,15 +3914,15 @@
 			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Compiled HTML File-->
-			<TargetFilename name="Attack=T1223,Technique=Compiled HTML File,Tactic=Defense Evasion" condition="end with">.chm</TargetFilename>
+			<TargetFilename name="Attack=T1223,Technique=Compiled HTML File,Tactic=Defense Evasion,DS=File: File Creation" condition="end with">.chm</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
 			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
 			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
 			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
-			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion" condition="end with">proj</TargetFilename>
-			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion" condition="end with">.sln</TargetFilename>
+			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation" condition="end with">proj</TargetFilename>
+			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation" condition="end with">.sln</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
 			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
@@ -4255,8 +4255,8 @@
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint OpenXML Filetype" condition="end with">.sldm</TargetFilename>
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Recent Office Files" condition="contains">\Microsoft\Office\Recent</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Forensic=Recent Office History" condition="contains">oleObject</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Forensic=Recent Jumplist Custom Destinations" condition="contains">\Recent\CustomDestinations\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Forensic=Recent Office History" condition="contains">oleObject</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Forensic=Recent Jumplist Custom Destinations" condition="contains">\Recent\CustomDestinations\</TargetFilename>
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=User Downloaded Files" condition="contains">\Downloads\</TargetFilename>
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=User Outlook Attachments" condition="contains">\Content.Outlook\</TargetFilename>
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Macro,Risk=30" condition="end with">.docb</TargetFilename>
@@ -4402,7 +4402,7 @@
 			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=Finfisher Sideload Detection" condition="end with">ftllib.dll</TargetFilename>
 			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=Finfisher Sideload Detection" condition="end with">userenv.dll</TargetFilename>
 			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,DS=File: File Creation,Level=0,Desc=RDP Bitmap Cache" condition="contains">\Terminal Server Client\Cache\</TargetFilename>
-			<TargetFilename name="Attack=T1204,Technique=User Execution,Tactic=Execution,Forensic=Windows Prefetch Exec History" condition="begin with">C:\Windows\Prefetch</TargetFilename>
+			<TargetFilename name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=File: File Creation,Forensic=Windows Prefetch Exec History" condition="begin with">C:\Windows\Prefetch</TargetFilename>
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Suspicious TSClient share file creation,Risk=30" condition="begin with">\\tsclient</TargetFilename>
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=WebDav Cache Files Created" condition="begin with">C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\</TargetFilename>
 			<TargetFilename name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=File: File Creation,Level=4,Alert=SharpDump bin,Risk=100" condition="end with">\Temp\debug.bin</TargetFilename>
@@ -4454,7 +4454,7 @@
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Registry Database" condition="end with">.sdb</TargetFilename>
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Script File Component File" condition="end with">.SCT</TargetFilename>
 			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Shell Scrap Object Handler File" condition="end with">.SHB</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=Zip File Extraction from explorer" condition="contains">Temp\Temp1_</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Zip File Extraction from explorer" condition="contains">Temp\Temp1_</TargetFilename>
 			<!--Uncategorized-->
 			<TargetFilename condition="contains all">\Microsoft\;CLR_v;\UsageLogs\</TargetFilename>
 			<TargetFilename condition="end with">.ade</TargetFilename>
@@ -4512,7 +4512,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
 			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
 			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Forensic=RDP Connection History Tracking" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=RDP Connection History Tracking" groupRelation="and">
 				<TargetObject condition="contains">\Software\Microsoft\Terminal Server Client</TargetObject>
 				<TargetObject condition="excludes">DefaultPrinter</TargetObject>
 			</Rule>
@@ -4627,8 +4627,8 @@
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<TargetObject name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,Alert=Process Injection: injecting a 64-bit DLL into a 32-bit process" condition="contains">SOFTWARE\Microsoft\Wow64\x86\</TargetObject>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Reg Keys,Risk=70" groupRelation="and">
+			<TargetObject name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Alert=Process Injection: injecting a 64-bit DLL into a 32-bit process" condition="contains">SOFTWARE\Microsoft\Wow64\x86\</TargetObject>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Alert=AutoRun Reg Keys,Risk=70" groupRelation="and">
 				<EventType condition="is">SetValue</EventType>
 				<TargetObject condition="contains">\CurrentVersion\Run\</TargetObject>
 				<Image condition="excludes">Add_exclusions_here</Image>
@@ -4659,14 +4659,14 @@
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Services and autoruns imagepath" condition="end with">\ImagePath</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Service DLL changes" condition="end with">\ServiceDll</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Manifest pointing to service's DLL" condition="end with">\ServiceManifest</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hkcu\software\microsoft\windows nt\currentversion\windows\run\</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\common startup</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\startup</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="begin with">hklm\software\microsoft\command processor\autorun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="contains all">hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence" condition="contains">Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="begin with">hkcu\software\microsoft\windows nt\currentversion\windows\run\</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\common startup</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\startup</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="begin with">hklm\software\microsoft\command processor\autorun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="contains all">hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="contains">Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Print Processors-->
-			<TargetObject name="Attack=T1013,Technique=Port Monitors,Tactic=Persistence/Privilege Escalation" condition="contains">\Print\Monitors</TargetObject>
+			<TargetObject name="Attack=T1013,Technique=Port Monitors,Tactic=Persistence/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification" condition="contains">\Print\Monitors</TargetObject>
 			<!--<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">\Printers\Connections</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">\Print\Environments\</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">\Servers\Printers\</TargetObject>
@@ -4677,7 +4677,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
 			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
 			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
-			<Rule name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Level=0,Desc=New user created,Risk=40" groupRelation="and">
+			<Rule name="Attack=T1136,Technique=Create Account,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=New user created,Risk=40" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
 				<TargetObject condition="excludes">$</TargetObject>
 				<EventType condition="is">CreateKey</EventType>
@@ -5077,7 +5077,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,Forensic=Regedit history Detection,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Regedit history Detection,Risk=30" groupRelation="and">
 				<TargetObject condition="end with">\LastKey</TargetObject>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Symbolic Registry Link Created" groupRelation="and">
@@ -5304,7 +5304,7 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lanmanworkstation Parameters Registry Change Detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Forensic=Regedit history Detection,Risk=30" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Regedit history Detection,Risk=30" groupRelation="and">
 				<TargetObject condition="end with">\LastKey</TargetObject>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=TS Farm Disable RDP Detection" groupRelation="and">
@@ -5313,7 +5313,7 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=TS Farm Drain Mode Modification Detection" groupRelation="and">
 				<TargetObject condition="end with">\TSServerDrainMode</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Forensic=IE history Detection" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=IE history Detection" groupRelation="and">
 				<TargetObject condition="end with">\TypedURLs</TargetObject>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IPv6 Changes detected: Disabled Components" groupRelation="and">
@@ -5329,11 +5329,11 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Service Listening Ports with URL ACL INFO" groupRelation="and">
 				<TargetObject condition="contains">services\http\parameters\urlaclinf</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Forensic=Adobe Recent File List History" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Adobe Recent File List History" groupRelation="and">
 				<TargetObject condition="contains">cRecentFiles\c1\</TargetObject>
 				<TargetObject condition="end with">tDIText</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,Forensic=Office History MRU" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Office History MRU" groupRelation="and">
 				<TargetObject condition="end with">\File MRU\Item 1</TargetObject>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Sysmon Config Hash Modification Monitoring" groupRelation="and">
@@ -5378,7 +5378,7 @@
 			<!--CLSID launch commands and file association changes-->
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=File Extension Mapping" condition="contains">\Explorer\FileExts\</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Command Shell install Key" condition="contains">\shell\install\command\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=User SID History for Forensics" condition="end with">\ProfileImagePath</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=User SID History for Forensics" condition="end with">\ProfileImagePath</TargetObject>
 			<!--Windows shell hijack-->
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AllFileSystemObjects Classes" condition="contains">\Classes\AllFilesystemObjects\</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Asterisk Classes" condition="contains">\Classes\*\</TargetObject>
@@ -5435,7 +5435,7 @@
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Security Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject>
 			<!--Networking-->
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Network Interface Priority ordering" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Monitor Network History" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Monitor Network History" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
 			<!--DLLs that get injected into every process launch-->
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
@@ -5487,13 +5487,13 @@
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Keys: Monitor Disabling of Internet files in Protected View" condition="end with">Security\ProtectedView\DisableInternetFilesInPV</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Keys: Monitor Disabling of attackments in Protected View" condition="end with">Security\ProtectedView\DisableAttachmentsInPV</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Keys: Monitor Disabling of Unsafe Locations in Protected View" condition="end with">Security\ProtectedView\DisableUnsafeLocationsInPV</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=WinRAR History" condition="contains">Software\WinRAR\ArcHistory</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Winzip History" condition="contains">WinZip\mru\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Misc Recent File List History" condition="contains">Recent File List</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=WinRAR History" condition="contains">Software\WinRAR\ArcHistory</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Winzip History" condition="contains">WinZip\mru\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Misc Recent File List History" condition="contains">Recent File List</TargetObject>
 			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Inbox</TargetObject>
 			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\Today\UserDefinedUrl</TargetObject>
 			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Calendar Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Calendar</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Office History" condition="contains">\Place MRU</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Office History" condition="contains">\Place MRU</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVerVersion</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVersion</TargetObject>
@@ -5536,7 +5536,7 @@
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect humanInterfaceDevice Accesses" condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Explorer Last Visited MRU" condition="contains">LastVisitedMRU</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Regedit Applets" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Run MRU" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Run MRU" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=USBStor USB Device History" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
 			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Safeboot Service Added" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject>
 			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject>
@@ -5559,20 +5559,20 @@
 				<Details condition="contains any">ndis;rndis</Details>
 			</Rule>
 			<TargetObject name="Attack=T1090,Technique=Connection Proxy,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=NetSH PortProxy Detected" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4</TargetObject>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,Alert=Possible Ursniff Malware Detected,FP=1" groupRelation="and">
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Alert=Possible Ursniff Malware Detected,FP=1" groupRelation="and">
 				<TargetObject condition="contains">\Software\AppDataLow\Software\Microsoft\</TargetObject>
 				<Details condition="contains any">.exe;.dll;powershell;wmic</Details>
 			</Rule>
 			<TargetObject name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Office Persistence Location,Risk=70" condition="end with">Software\Microsoft\Office test\Special\Perf</TargetObject>
 			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\CurrentControlSet\Services\NTDS\LsaDbExtPt</TargetObject>
 			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\Services\NTDS\DirectoryServiceExtPt</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=GoToMyPC File Transfer History,Risk=70" condition="contains">GoToMyPc\FileTransfer\history</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=GoToMyPC Guest Invite,Risk=70" condition="contains">GoToMyPc\GuestInvite</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=LogMeIn File Transfer Recipient" condition="contains">Filesharing</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=LogMeIn Guest Recipient" condition="contains">DesktopSharing</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=Teamviewer LogIncomingConnections Registry Key modification" condition="contains">LogIncomingConnections</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=Teamviewer LogOutgoingConnection Registry Key modification" condition="contains">LogOutgoingConnections</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,Forensic=Teamviewer Password Registry Key date" condition="contains">PermanentPasswordDate</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=GoToMyPC File Transfer History,Risk=70" condition="contains">GoToMyPc\FileTransfer\history</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=GoToMyPC Guest Invite,Risk=70" condition="contains">GoToMyPc\GuestInvite</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=LogMeIn File Transfer Recipient" condition="contains">Filesharing</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=LogMeIn Guest Recipient" condition="contains">DesktopSharing</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=Teamviewer LogIncomingConnections Registry Key modification" condition="contains">LogIncomingConnections</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=Teamviewer LogOutgoingConnection Registry Key modification" condition="contains">LogOutgoingConnections</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=Teamviewer Password Registry Key date" condition="contains">PermanentPasswordDate</TargetObject>
 			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer adminrights Key modification,Risk=70" condition="contains">Security_Adminrights</TargetObject>
 			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=VNC Incoming Connection History,Risk=70" condition="contains">vncviewer\MRU</TargetObject>
 			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Autostart Key modification" condition="contains">Autostart_GUI</TargetObject>
@@ -5592,11 +5592,11 @@
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="end with">\Client\Enabled</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="end with">\Server\Enabled</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Kitty Sessions,Risk=30" condition="contains">Kitty\Sessions</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Kitty Sessions,Risk=30" condition="contains">Kitty\Sessions</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,Forensic=Putty Sessions,Risk=30" condition="contains">PuTTY\Sessions</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Putty Sessions,Risk=30" condition="contains">PuTTY\Sessions</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=RDP History,Risk=10" condition="contains">Terminal Server Client\Servers</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
@@ -5717,7 +5717,7 @@
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Pacifier Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\bc367</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Pacifier Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\bc31a7</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Emissary Panda Hyerbri Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\testPipe</PipeName>
-			<PipeName name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,Alert=lateral movement -meterpreter named pipe detected,Risk=100" condition="contains">msf-pipe</PipeName>
+			<PipeName name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,DS=Named Pipe: Named Pipe Metadata,Alert=lateral movement -meterpreter named pipe detected,Risk=100" condition="contains">msf-pipe</PipeName>
 			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=LM or EXEC over atsvc named pipe" condition="contains">\atsvc</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Malicious Named Pipe Detection 1" condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
 			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
@@ -5818,7 +5818,7 @@
 	<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
 	<RuleGroup name="RG=WmiEvent Include Group" groupRelation="or">
 		<WmiEvent onmatch="include">
-			<Operation name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution" condition="is">Created</Operation>
+			<Operation name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=WMI: WMI Creation" condition="is">Created</Operation>
 		</WmiEvent>
 	</RuleGroup>
 	<!-- SYSMON EVENT ID 22 : DNS Queries-->
@@ -5877,7 +5877,7 @@
 			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Screenconnect Hostname Lookup" condition="contains">Screenconnect</QueryName>
 			<!--Public Port Scan Detection-->
 			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery" condition="contains">census</QueryName>
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content" condition="contains">census</QueryName>
 			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=ResearchScan DNS Query" condition="contains">researchscan</QueryName>
 			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=ScanHub DNS Query" condition="contains">scanhub</QueryName>
 			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Shadow DNS Query,Risk=20" condition="contains">shadow</QueryName>
@@ -5939,7 +5939,7 @@
 			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=SPF Lookup" condition="begin with">type:  99</QueryResults>
 			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=SRV Lookup" condition="begin with">type:  33</QueryResults>
 			-->
-			<Image name="Information=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=None,Information=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
 		</DnsQuery>
 	</RuleGroup>
 	<RuleGroup name="RG=DNS Query Excludes" groupRelation="or">
@@ -6222,7 +6222,7 @@
 	</RuleGroup>
 	<RuleGroup name="RG=Process Tampering Excludes" groupRelation="or">
 		<ProcessTampering onmatch="exclude">
-			<Rule name="Attack=None,Technique=None,Tactic=None,Level=0,Desc=exclude common noise" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=exclude common noise" groupRelation="and">
 				<Image condition="contains any">\BHO\ie_to_edge_stub.exe;\Microsoft\Teams\;\Vivaldi\Application\;Google\Chrome\;Google\Update;BraveSoftware\Brave-Browser\;Edge\Application\;EdgeUpdate\Install\;Program Files\SmartGit\</Image>
 			</Rule>
 		</ProcessTampering>

From 7589df63ea598c966f5e2206eb6477b5d0e85fdc Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Mon, 3 Oct 2022 17:58:38 -0400
Subject: [PATCH 397/471] Add Contribution Guidelines text.

---
 sysmonconfig-export.xml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 3a7c8f0b..5156f305 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -75,6 +75,17 @@
 				 Other Notes:
 				 The Rulename field has a hard limit of 255 characters, make the best of the size available, shorten tags and descriptions as needed.
 				 Add exclusions in line enclosed within a Compound rule rather than a global exclusion list.
+				 
+				 Contribution Guidelines:
+				 Always submit new rule requests/pull requests in this format where possible, if the rule is highly accurate and should fire off a SIEM Alert replace Desc= with Alert=, 
+				 See Risk ratings and levels above for guidance.  
+				 Example Rule:
+				<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=Your Description Here,Author=YourTwitter/Github" groupRelation="and">
+					<Your Rule Here/>
+				</Rule>
+			-->
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=None,Information=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
+				 
 -->
 <Sysmon schemaversion="4.82">
 	<HashAlgorithms>md5,sha256,imphash</HashAlgorithms>

From a917402b7bfa120824ab0cbbf845fbe3b1edfeb0 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Mon, 3 Oct 2022 18:00:08 -0400
Subject: [PATCH 398/471] Fix Copy/paste after contributor guidelines edit :P

---
 sysmonconfig-export.xml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 5156f305..04718648 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -82,10 +82,7 @@
 				 Example Rule:
 				<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=Your Description Here,Author=YourTwitter/Github" groupRelation="and">
 					<Your Rule Here/>
-				</Rule>
-			-->
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=None,Information=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
-				 
+				</Rule> 
 -->
 <Sysmon schemaversion="4.82">
 	<HashAlgorithms>md5,sha256,imphash</HashAlgorithms>

From c77e3c9ac5a5fd2b0072322bdc971a176bc4aeee Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 09:31:56 -0400
Subject: [PATCH 399/471] Re-enable explorer.exe parentimage logging

---
 sysmonconfig-export.xml | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 04718648..246f8de1 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -282,12 +282,10 @@
 				<ParentImage condition="image">conhost.exe</ParentImage>
 				<Image condition="excludes any">:\Windows\splwow64.exe;:\Windows\System32\WerFault.exe;:\Windows\System32\conhost.exe</Image>
 			</Rule>
-			<!-- Disabled for now
 			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,UEBA=Execution Command Line tools by user,Risk=45" groupRelation="and">
 				<Image condition="contains any">\cmd.exe;WindowsTerminal;powershell</Image>
 				<ParentImage condition="image">explorer.exe</ParentImage>
 			</Rule>
-			-->
 			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,DS=Process: Process Creation,UEBA=Powershell as cmd.exe child process,Risk=39" groupRelation="and">
 				<ParentImage condition="image">cmd.exe</ParentImage>
 				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
@@ -347,11 +345,6 @@
 				<Image condition="image">regedit.exe</Image>
 				<ParentImage condition="image">explorer.exe</ParentImage>
 			</Rule>
-			<!-- Disabled for now
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Generic User Execution,Risk=1" groupRelation="and">
-				<ParentImage condition="image">explorer.exe</ParentImage>
-			</Rule>
-			-->
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,UEBA=Unusual Child Process,Risk=30" groupRelation="and">
 				<Image condition="contains any">\svchost.exe;\taskhostw.exe;\userinit.exe;\smss.exe;\csrss.exe;\wininit.exe;\winlogon.exe;\lsass.exe;\logonui.exe;\services.exe</Image>
 				<Image condition="contains any">C:\windows\System32\;C:\windows\syswow64\</Image>
@@ -2148,6 +2141,9 @@
 			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Gpupdate Launched" condition="image">gpupdate.exe</Image>
 			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
 			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=System Child Processes" condition="is">System</ParentImage>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Generic User Execution,Risk=0" groupRelation="and">
+				<ParentImage condition="image">explorer.exe</ParentImage>
+			</Rule>
 			<!-- Log other command line events, this sometimes conflicts with rules, add to exclusions as necessary-->
 			<!-- <ParentCommandLine name="Information=Uncategorized Events,DS=Process: Process Creation" condition="contains any">/;\;-;unknown;</ParentCommandLine>-->
 		</ProcessCreate>
@@ -5561,7 +5557,6 @@
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Process Tracing Modifications,,Risk=30" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject>
-			<!-- NOTICE: Detect New USB Network Devices: Poison Tap: Creates lots of noise, disabled for now-->
 			<Rule name="Alert=Detect PoisonTap,FP=2,Comment=May be noisy" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
 				<Details condition="contains any">ndis;rndis</Details>

From 30302ea5b58176455ec83c125cf4cd6f6789a17d Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 10:06:21 -0400
Subject: [PATCH 400/471] Implement FileBlockShredding Protection for C:\Users,
 event log directory, Program Files, Program Data directories.  Protect
 Pagefile, MFT and system config directory

---
 sysmonconfig-export.xml | 56 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 246f8de1..2705edef 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -84,7 +84,7 @@
 					<Your Rule Here/>
 				</Rule> 
 -->
-<Sysmon schemaversion="4.82">
+<Sysmon schemaversion="4.83">
 	<HashAlgorithms>md5,sha256,imphash</HashAlgorithms>
 	<CheckRevocation/>
 	<EventFiltering>
@@ -6438,5 +6438,59 @@
 			</Rule>
 		</FileBlockExecutable>
 	</RuleGroup>
+	<!--SYSMON EVENT ID 28 : FILE BLOCK SHREDDING [FileBlockShredding]-->
+	<RuleGroup name="RG=FileBlockShredding Include Group" groupRelation="or">
+		<FileBlockShredding onmatch="include">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=Protect Home,Author=@ionstorm" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Users</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=Protect ProgramFiles,Author=@ionstorm" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Program Files</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=Protect ProgramData,Author=@ionstorm" groupRelation="and">
+				<TargetFilename condition="begin with">C:\ProgramData</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=Protect ProgramFiles,Author=@ionstorm" groupRelation="and">
+				<TargetFilename condition="begin with">C:\$mft</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=Protect Windows Event Logs,Author=@ionstorm" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\System32\winevt\Logs</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=ntuser.dat artifacts,Author=@ionstorm" groupRelation="and">
+				<TargetFilename condition="end with">ntuser.dat</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=ntuser.dat,Author=@ionstorm" groupRelation="and">
+				<TargetFilename condition="end with">Pagefile.sys</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=System Profile and registry backups,Author=@ionstorm" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\System32\config</TargetFilename>
+			</Rule>
+		</FileBlockShredding>		
+	</RuleGroup>
+	<RuleGroup name="RG=FileBlockShredding Exclude Group" groupRelation="or">
+		<FileBlockShredding onmatch="exclude">
+			<Rule name="safe executables - be careful" groupRelation="and">
+				<Image condition="is any">C:\WINDOWS\system32\wuauclt.exe;C:\$WINDOWS.~BT\Sources\SetupHost.Exe</Image>
+			</Rule>
+			<Rule name="safe paths - be careful" groupRelation="and">
+				<TargetFilename condition="contains any">C:\Windows\SoftwareDistribution\;C:\$WINDOWS.~BT\NewOS\</TargetFilename>
+			</Rule>
+			<Rule name="safe users - be careful" groupRelation="or">
+				<!--<User condition="is">SYSTEM</User>
+				<User condition="is">NT AUTHORITY\SYSTEM</User>
+				<User condition="is">TrustedInstaller</User>
+				<User condition="is">NT AUTHORITY\TrustedInstaller</User>
+				<User condition="is">NT AUTHORITY\NETWORK SERVICE</User>
+				<User condition="end with">ERVICE RÉSEAU</User>
+				<User condition="end with">NETZWERKDIENST</User>
+				<User condition="is">NT AUTHORITY\LOCAL SERVICE</User>
+				<User condition="end with">SERVICE LOCAL</User>
+				<User condition="end with">LOKALER DIENST</User>
+				<User condition="end with">СИСТЕМА</User>
+				<User condition="is">NT-AUTORITÄT\SYSTEM</User>
+				<User condition="is">AUTORITE NT\SYSTEM</User>-->
+			</Rule>
+		</FileBlockShredding>		
+	</RuleGroup>
 	</EventFiltering>
 </Sysmon>
\ No newline at end of file

From 2bfaa0553343159b371c61ba53d19ed3f31ee6e8 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 10:18:50 -0400
Subject: [PATCH 401/471] MITRE Tagging and SIEM Alerting of Data
 Destruction/File Shred protected locations.

---
 sysmonconfig-export.xml | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 2705edef..80620534 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -6441,39 +6441,45 @@
 	<!--SYSMON EVENT ID 28 : FILE BLOCK SHREDDING [FileBlockShredding]-->
 	<RuleGroup name="RG=FileBlockShredding Include Group" groupRelation="or">
 		<FileBlockShredding onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=Protect Home,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert=Data Destruction Detected in C:\Users,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Users</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=Protect ProgramFiles,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramFiles,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Program Files</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=Protect ProgramData,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramData,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\ProgramData</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=Protect ProgramFiles,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramFiles,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\$mft</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=Protect Windows Event Logs,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert=Data Destruction Detected in Windows Event Logs,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\System32\winevt\Logs</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=ntuser.dat artifacts,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert=Data Destruction Detected in ntuser.dat artifacts,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="end with">ntuser.dat</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=ntuser.dat,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert=Data Destruction Detected in Pagefile,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="end with">Pagefile.sys</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=System Profile and registry backups,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert==Data Destruction Detected in System Profile and registry backups,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\System32\config</TargetFilename>
 			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert==Data Destruction Detected in Database Files,Author=@ionstorm" groupRelation="and">
+				<TargetFilename condition="end with">.db</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert==Data Destruction Detected in Key files,Author=@ionstorm" groupRelation="and">
+				<TargetFilename condition="end with">.key</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert==Data Destruction Detected in Recyclebin,Author=@ionstorm" groupRelation="and">
+				<TargetFilename condition="contains">$Recycle</TargetFilename>
+			</Rule>
 		</FileBlockShredding>		
 	</RuleGroup>
 	<RuleGroup name="RG=FileBlockShredding Exclude Group" groupRelation="or">
 		<FileBlockShredding onmatch="exclude">
-			<Rule name="safe executables - be careful" groupRelation="and">
-				<Image condition="is any">C:\WINDOWS\system32\wuauclt.exe;C:\$WINDOWS.~BT\Sources\SetupHost.Exe</Image>
-			</Rule>
 			<Rule name="safe paths - be careful" groupRelation="and">
-				<TargetFilename condition="contains any">C:\Windows\SoftwareDistribution\;C:\$WINDOWS.~BT\NewOS\</TargetFilename>
+				<TargetFilename condition="contains any">C:\Safe-shred-location</TargetFilename>
 			</Rule>
 			<Rule name="safe users - be careful" groupRelation="or">
 				<!--<User condition="is">SYSTEM</User>

From 867b82f566409ce500cb0e1dea7856af27ffa57e Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 10:22:58 -0400
Subject: [PATCH 402/471] Tag File Shred Protection with File: File
 Modification datasource, as shredding is a modification.

---
 sysmonconfig-export.xml | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 80620534..d7d4f30e 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -6441,37 +6441,37 @@
 	<!--SYSMON EVENT ID 28 : FILE BLOCK SHREDDING [FileBlockShredding]-->
 	<RuleGroup name="RG=FileBlockShredding Include Group" groupRelation="or">
 		<FileBlockShredding onmatch="include">
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert=Data Destruction Detected in C:\Users,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in C:\Users,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Users</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramFiles,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramFiles,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Program Files</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramData,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramData,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\ProgramData</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramFiles,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramFiles,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\$mft</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert=Data Destruction Detected in Windows Event Logs,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Windows Event Logs,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\System32\winevt\Logs</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert=Data Destruction Detected in ntuser.dat artifacts,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in ntuser.dat artifacts,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="end with">ntuser.dat</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert=Data Destruction Detected in Pagefile,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Pagefile,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="end with">Pagefile.sys</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert==Data Destruction Detected in System Profile and registry backups,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert==Data Destruction Detected in System Profile and registry backups,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\System32\config</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert==Data Destruction Detected in Database Files,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert==Data Destruction Detected in Database Files,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="end with">.db</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert==Data Destruction Detected in Key files,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert==Data Destruction Detected in Key files,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="end with">.key</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=None,Level=4,Risk=100,Alert==Data Destruction Detected in Recyclebin,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert==Data Destruction Detected in Recyclebin,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="contains">$Recycle</TargetFilename>
 			</Rule>
 		</FileBlockShredding>		

From 3b71ab5953d11e340639c7fc1da63784459fa2b5 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 10:27:22 -0400
Subject: [PATCH 403/471] Fix alert text for $mft file

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index d7d4f30e..44781d40 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -6450,7 +6450,7 @@
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramData,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\ProgramData</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramFiles,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in $mft,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\$mft</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Windows Event Logs,Author=@ionstorm" groupRelation="and">

From f10e539390254453f1e5b2ac7192c3befd3c61b0 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 11:41:22 -0400
Subject: [PATCH 404/471] Protect common Office extensions, pdf's, archive
 files and more.

---
 sysmonconfig-export.xml | 110 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 106 insertions(+), 4 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 44781d40..4a2e1dbf 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -6462,18 +6462,120 @@
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Pagefile,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="end with">Pagefile.sys</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert==Data Destruction Detected in System Profile and registry backups,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in System Profile and registry backups,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\System32\config</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert==Data Destruction Detected in Database Files,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Database Files,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="end with">.db</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert==Data Destruction Detected in Key files,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in encryption/certificate files,Author=@ionstorm" groupRelation="or">
+				<TargetFilename condition="end with">.asc</TargetFilename>
+				<TargetFilename condition="end with">.ca-bundle</TargetFilename>
+				<TargetFilename condition="end with">.cer</TargetFilename>
+				<TargetFilename condition="end with">.cer</TargetFilename>
+				<TargetFilename condition="end with">.crl</TargetFilename>
+				<TargetFilename condition="end with">.crt</TargetFilename>
+				<TargetFilename condition="end with">.csr</TargetFilename>
+				<TargetFilename condition="end with">.der</TargetFilename>
+				<TargetFilename condition="end with">.gpg</TargetFilename>
 				<TargetFilename condition="end with">.key</TargetFilename>
+				<TargetFilename condition="end with">.p7b</TargetFilename>
+				<TargetFilename condition="end with">.p7r</TargetFilename>
+				<TargetFilename condition="end with">.p7s</TargetFilename>
+				<TargetFilename condition="end with">.p12</TargetFilename>
+				<TargetFilename condition="end with">.pem</TargetFilename>
+				<TargetFilename condition="end with">.pfx</TargetFilename>
+				<TargetFilename condition="end with">.pgp</TargetFilename>
+				<TargetFilename condition="end with">.ppk</TargetFilename>
+				<TargetFilename condition="end with">.sst</TargetFilename>
+				<TargetFilename condition="end with">.sto</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Log files,Author=@ionstorm" groupRelation="or">
+				<TargetFilename condition="end with">.log</TargetFilename>
+				<TargetFilename condition="end with">ConsoleHost_history.txt</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert==Data Destruction Detected in Recyclebin,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in evtx files,Author=@ionstorm" groupRelation="and">
+				<TargetFilename condition="end with">.evtx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Recyclebin,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="contains">$Recycle</TargetFilename>
 			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Executable Data Destruction Detected,Author=@ionstorm" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=DLL Data Destruction Detected,Author=@ionstorm" groupRelation="and">
+				<TargetFilename condition="end with">.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Office File Data Destruction Detected,Author=@ionstorm" groupRelation="or">
+				<TargetFilename condition="contains">\Content.Outlook\</TargetFilename>
+				<TargetFilename condition="contains">\Microsoft\Office\Recent</TargetFilename>
+				<TargetFilename condition="contains">\Microsoft\Templates\</TargetFilename>
+				<TargetFilename condition="contains">\Recent\CustomDestinations\</TargetFilename>
+				<TargetFilename condition="contains">oleObject</TargetFilename>
+				<TargetFilename condition="end with">.accdb</TargetFilename>
+				<TargetFilename condition="end with">.accde</TargetFilename>
+				<TargetFilename condition="end with">.accdr</TargetFilename>
+				<TargetFilename condition="end with">.accdt</TargetFilename>
+				<TargetFilename condition="end with">.doc</TargetFilename>
+				<TargetFilename condition="end with">.docb</TargetFilename>
+				<TargetFilename condition="end with">.docm</TargetFilename>
+				<TargetFilename condition="end with">.docx</TargetFilename>
+				<TargetFilename condition="end with">.dot</TargetFilename>
+				<TargetFilename condition="end with">.dotx</TargetFilename>
+				<TargetFilename condition="end with">.eml</TargetFilename>
+				<TargetFilename condition="end with">.mdb</TargetFilename>
+				<TargetFilename condition="end with">.mde</TargetFilename>
+				<TargetFilename condition="end with">.msc</TargetFilename>
+				<TargetFilename condition="end with">.msg</TargetFilename>
+				<TargetFilename condition="end with">.mst</TargetFilename>
+				<TargetFilename condition="end with">.ped</TargetFilename>
+				<TargetFilename condition="end with">.potm</TargetFilename>
+				<TargetFilename condition="end with">.potx</TargetFilename>
+				<TargetFilename condition="end with">.ppam</TargetFilename>
+				<TargetFilename condition="end with">.ppsm</TargetFilename>
+				<TargetFilename condition="end with">.ppsx</TargetFilename>
+				<TargetFilename condition="end with">.ppt</TargetFilename>
+				<TargetFilename condition="end with">.pptm</TargetFilename>
+				<TargetFilename condition="end with">.pptx</TargetFilename>
+				<TargetFilename condition="end with">.pub</TargetFilename>
+				<TargetFilename condition="end with">.sldm</TargetFilename>
+				<TargetFilename condition="end with">.sldx</TargetFilename>
+				<TargetFilename condition="end with">.wbk</TargetFilename>
+				<TargetFilename condition="end with">.xla</TargetFilename>
+				<TargetFilename condition="end with">.xlam</TargetFilename>
+				<TargetFilename condition="end with">.xll</TargetFilename>
+				<TargetFilename condition="end with">.xls</TargetFilename>
+				<TargetFilename condition="end with">.xlsb</TargetFilename>
+				<TargetFilename condition="end with">.xlsm</TargetFilename>
+				<TargetFilename condition="end with">.xlsx</TargetFilename>
+				<TargetFilename condition="end with">.xlt</TargetFilename>
+				<TargetFilename condition="end with">.xltm</TargetFilename>
+				<TargetFilename condition="end with">.xlw</TargetFilename>
+				<TargetFilename condition="end with">.xps</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=PDF File Data Destruction Detected,Author=@ionstorm" groupRelation="or">
+				<TargetFilename condition="end with">.pdf</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Common Archive File Data Destruction Detected,Author=@ionstorm" groupRelation="or">
+				<TargetFilename condition="end with">.zip</TargetFilename>
+				<TargetFilename condition="end with">.rar</TargetFilename>
+				<TargetFilename condition="end with">.tar</TargetFilename>
+				<TargetFilename condition="end with">.tgz</TargetFilename>
+				<TargetFilename condition="end with">.ace</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Common Script File Data Destruction Detected,Author=@ionstorm" groupRelation="or">
+				<TargetFilename condition="end with">.cdxml</TargetFilename>
+				<TargetFilename condition="end with">.ps1</TargetFilename>
+				<TargetFilename condition="end with">.ps1xml</TargetFilename>
+				<TargetFilename condition="end with">.psc1</TargetFilename>
+				<TargetFilename condition="end with">.psd1</TargetFilename>
+				<TargetFilename condition="end with">.psm1</TargetFilename>
+				<TargetFilename condition="end with">.pssc</TargetFilename>
+				<TargetFilename condition="end with">.bat</TargetFilename>
+				<TargetFilename condition="end with">.com</TargetFilename>
+				<TargetFilename condition="end with">.hta</TargetFilename>
+				<TargetFilename condition="end with">.vbs</TargetFilename>
+			</Rule>
 		</FileBlockShredding>		
 	</RuleGroup>
 	<RuleGroup name="RG=FileBlockShredding Exclude Group" groupRelation="or">

From 828dc0469a272bafdb65c2fde4c2ec072cc20e82 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 12:02:31 -0400
Subject: [PATCH 405/471] Protect shredding of common Disk images from Virtual
 infrastructure, veeam, acronis, datto, hyper-v, vmware and more.

---
 sysmonconfig-export.xml | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 4a2e1dbf..f0ff6787 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -6562,6 +6562,7 @@
 				<TargetFilename condition="end with">.tar</TargetFilename>
 				<TargetFilename condition="end with">.tgz</TargetFilename>
 				<TargetFilename condition="end with">.ace</TargetFilename>
+				<TargetFilename condition="end with">.7z</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Common Script File Data Destruction Detected,Author=@ionstorm" groupRelation="or">
 				<TargetFilename condition="end with">.cdxml</TargetFilename>
@@ -6576,6 +6577,46 @@
 				<TargetFilename condition="end with">.hta</TargetFilename>
 				<TargetFilename condition="end with">.vbs</TargetFilename>
 			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Virtual Disk Image File Data Destruction Detected,Author=@ionstorm" groupRelation="or">
+				<TargetFilename condition="end with">.vmdk</TargetFilename>
+				<TargetFilename condition="end with">.vhd</TargetFilename>
+				<TargetFilename condition="end with">.vhdx</TargetFilename>
+				<TargetFilename condition="end with">.avhd</TargetFilename>
+				<TargetFilename condition="end with">.vdi</TargetFilename>
+				<TargetFilename condition="end with">.dvd</TargetFilename>
+				<TargetFilename condition="end with">.mdf</TargetFilename>
+				<TargetFilename condition="end with">.dsk</TargetFilename>
+				<TargetFilename condition="end with">.D01</TargetFilename>
+				<TargetFilename condition="end with">.D02</TargetFilename>
+				<TargetFilename condition="end with">.vmwarevm</TargetFilename>
+				<TargetFilename condition="end with">.vmwarevm</TargetFilename>
+				<TargetFilename condition="end with">.HDS</TargetFilename>
+				<TargetFilename condition="end with">.WIM</TargetFilename>
+				<TargetFilename condition="end with">.WIM</TargetFilename>
+				<TargetFilename condition="end with">.XVA</TargetFilename>
+				<TargetFilename condition="end with">.IMG</TargetFilename>
+				<TargetFilename condition="end with">.ISO</TargetFilename>
+				<TargetFilename condition="end with">.DD</TargetFilename>
+				<TargetFilename condition="end with">.DISK</TargetFilename>
+				<TargetFilename condition="end with">.WMT</TargetFilename>
+				<TargetFilename condition="end with">.LZ01</TargetFilename>
+				<TargetFilename condition="end with">.E01</TargetFilename>
+				<TargetFilename condition="end with">.EX01</TargetFilename>
+				<TargetFilename condition="end with">.L01</TargetFilename>
+				<TargetFilename condition="end with">.L01</TargetFilename>
+				<TargetFilename condition="end with">.TIB</TargetFilename>
+				<TargetFilename condition="end with">.HC</TargetFilename>
+				<TargetFilename condition="end with">.IMD</TargetFilename>
+				<TargetFilename condition="end with">.IMAGE</TargetFilename>
+				<TargetFilename condition="end with">.SPARSEIMAGE</TargetFilename>
+				<TargetFilename condition="end with">.PARTIMG</TargetFilename>
+				<TargetFilename condition="end with">.PGD</TargetFilename>
+				<TargetFilename condition="end with">.HDD</TargetFilename>
+				<TargetFilename condition="end with">.VBK</TargetFilename>
+				<TargetFilename condition="end with">.VIB</TargetFilename>
+				<TargetFilename condition="end with">.VIB</TargetFilename>
+				<TargetFilename condition="end with">.VBM</TargetFilename>
+			</Rule>
 		</FileBlockShredding>		
 	</RuleGroup>
 	<RuleGroup name="RG=FileBlockShredding Exclude Group" groupRelation="or">

From 882723149c7a3ab87725f7eb9e1cbdae932a8c49 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 12:04:30 -0400
Subject: [PATCH 406/471] Sort and remove dupes

---
 sysmonconfig-export.xml | 49 +++++++++++++++++++----------------------
 1 file changed, 23 insertions(+), 26 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f0ff6787..641b93e3 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -6578,44 +6578,41 @@
 				<TargetFilename condition="end with">.vbs</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Virtual Disk Image File Data Destruction Detected,Author=@ionstorm" groupRelation="or">
-				<TargetFilename condition="end with">.vmdk</TargetFilename>
-				<TargetFilename condition="end with">.vhd</TargetFilename>
-				<TargetFilename condition="end with">.vhdx</TargetFilename>
-				<TargetFilename condition="end with">.avhd</TargetFilename>
-				<TargetFilename condition="end with">.vdi</TargetFilename>
-				<TargetFilename condition="end with">.dvd</TargetFilename>
-				<TargetFilename condition="end with">.mdf</TargetFilename>
-				<TargetFilename condition="end with">.dsk</TargetFilename>
 				<TargetFilename condition="end with">.D01</TargetFilename>
 				<TargetFilename condition="end with">.D02</TargetFilename>
-				<TargetFilename condition="end with">.vmwarevm</TargetFilename>
-				<TargetFilename condition="end with">.vmwarevm</TargetFilename>
-				<TargetFilename condition="end with">.HDS</TargetFilename>
-				<TargetFilename condition="end with">.WIM</TargetFilename>
-				<TargetFilename condition="end with">.WIM</TargetFilename>
-				<TargetFilename condition="end with">.XVA</TargetFilename>
-				<TargetFilename condition="end with">.IMG</TargetFilename>
-				<TargetFilename condition="end with">.ISO</TargetFilename>
 				<TargetFilename condition="end with">.DD</TargetFilename>
 				<TargetFilename condition="end with">.DISK</TargetFilename>
-				<TargetFilename condition="end with">.WMT</TargetFilename>
-				<TargetFilename condition="end with">.LZ01</TargetFilename>
 				<TargetFilename condition="end with">.E01</TargetFilename>
 				<TargetFilename condition="end with">.EX01</TargetFilename>
-				<TargetFilename condition="end with">.L01</TargetFilename>
-				<TargetFilename condition="end with">.L01</TargetFilename>
-				<TargetFilename condition="end with">.TIB</TargetFilename>
 				<TargetFilename condition="end with">.HC</TargetFilename>
-				<TargetFilename condition="end with">.IMD</TargetFilename>
+				<TargetFilename condition="end with">.HDD</TargetFilename>
+				<TargetFilename condition="end with">.HDS</TargetFilename>
 				<TargetFilename condition="end with">.IMAGE</TargetFilename>
-				<TargetFilename condition="end with">.SPARSEIMAGE</TargetFilename>
+				<TargetFilename condition="end with">.IMD</TargetFilename>
+				<TargetFilename condition="end with">.IMG</TargetFilename>
+				<TargetFilename condition="end with">.ISO</TargetFilename>
+				<TargetFilename condition="end with">.L01</TargetFilename>
+				<TargetFilename condition="end with">.LZ01</TargetFilename>
 				<TargetFilename condition="end with">.PARTIMG</TargetFilename>
 				<TargetFilename condition="end with">.PGD</TargetFilename>
-				<TargetFilename condition="end with">.HDD</TargetFilename>
+				<TargetFilename condition="end with">.SPARSEIMAGE</TargetFilename>
+				<TargetFilename condition="end with">.TIB</TargetFilename>
 				<TargetFilename condition="end with">.VBK</TargetFilename>
-				<TargetFilename condition="end with">.VIB</TargetFilename>
-				<TargetFilename condition="end with">.VIB</TargetFilename>
 				<TargetFilename condition="end with">.VBM</TargetFilename>
+				<TargetFilename condition="end with">.VIB</TargetFilename>
+				<TargetFilename condition="end with">.WIM</TargetFilename>
+				<TargetFilename condition="end with">.WIM</TargetFilename>
+				<TargetFilename condition="end with">.WMT</TargetFilename>
+				<TargetFilename condition="end with">.XVA</TargetFilename>
+				<TargetFilename condition="end with">.avhd</TargetFilename>
+				<TargetFilename condition="end with">.dsk</TargetFilename>
+				<TargetFilename condition="end with">.dvd</TargetFilename>
+				<TargetFilename condition="end with">.mdf</TargetFilename>
+				<TargetFilename condition="end with">.vdi</TargetFilename>
+				<TargetFilename condition="end with">.vhd</TargetFilename>
+				<TargetFilename condition="end with">.vhdx</TargetFilename>
+				<TargetFilename condition="end with">.vmdk</TargetFilename>
+				<TargetFilename condition="end with">.vmwarevm</TargetFilename>
 			</Rule>
 		</FileBlockShredding>		
 	</RuleGroup>

From 3c1457b66fe420984ef6b453d983bf014063ea0a Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 12:28:26 -0400
Subject: [PATCH 407/471] ensure other rules fire before logging user activity
 launched from explorer.

---
 sysmonconfig-export.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 641b93e3..b340d201 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -2143,6 +2143,7 @@
 			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=System Child Processes" condition="is">System</ParentImage>
 			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Generic User Execution,Risk=0" groupRelation="and">
 				<ParentImage condition="image">explorer.exe</ParentImage>
+				<Image name="Allow other rules to fire" condition="excludes any">\regedit.exe;\cmd.exe;terminal;\powershell</Image>
 			</Rule>
 			<!-- Log other command line events, this sometimes conflicts with rules, add to exclusions as necessary-->
 			<!-- <ParentCommandLine name="Information=Uncategorized Events,DS=Process: Process Creation" condition="contains any">/;\;-;unknown;</ParentCommandLine>-->

From 1f07e3005e1d19e4e9ccacc2c64cbcc5c5fe2de8 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 12:48:45 -0400
Subject: [PATCH 408/471] update readme

---
 README.md | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index e28c6dfd..eacd6572 100644
--- a/README.md
+++ b/README.md
@@ -3,11 +3,25 @@ The file provided should function as a great starting point for system monitorin
 
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**[sysmonconfig-export.xml](https://github.com/ion-storm/sysmon-config/blob/master/sysmonconfig-export.xml)**
 
-Because virtually every line is commented and sections are marked with explanations, it should also function as a tutorial for Sysmon and a guide to critical monitoring areas in Windows systems. It demonstrates a lot of what I wish I knew when I began with Sysmon in 2014.
+Pull requests and issue tickets are welcome, and new additions will be credited in-line or on Git, tag your naame with Author=YourName within the rulename field.
 
-Pull requests and issue tickets are welcome, and new additions will be credited in-line or on Git.
+This Sysmon ATT&CK Configuration is designed "Explicitely" to enrich your SIEM for threat intelligence, forensics, UEBA, use cases.  You'll want to create a key-value parser for the
+rulename field to create field names per event within your SIEM.  
+Ideally this is best used with an Alerting Repository/Index where the "Alert=" field is marked and a non-alerting visibility index/repository where threat hunting, investigations can be done 
+that contains added context and story line information of user behavior and activity leading up to an attack.  Non-Alerting Visibility rules are tagged with Desc=, and Forensic= and should
+are meant to provide contextual information for analysts to build cases and identify what is happening with SIEM enrichments.  Some of these non-alerting visibility rules can be graduated 
+to the Alerting rules or can be used with correlation rules within a SIEM/SOAR/XDR.  
+
+The goal with this configuration is a "Control" configuration that provides ultimate visibility that should be ran in conjunction with an EDR.  
+As we know, allot of EDR's today provide little contextual information, forensic information that is tagged, categorized, risk rated, some alerts EDR vendors choose to not alert
+on due to the differences between each environment and how hard it is to baseline some detections.  There is many use cases where EDR's fall short, they are not the greatest at 
+identifying suspicious activity that may fall short of being labeled as malicious.  The goal here is to detect all common user activity that would lead to exfiltration, infiltration, 
+malware, malicious activity, questionable activity.  If a user is poking around the registry, sending data to cloud storage, downloading and executing random attachments and files,
+copying files, we want to know.  We also want to leave an audit trail by monitoring the registry, artifact locations and provide our forensic analysts as much detail as possible.
+
+If you have forensic registry keys, file locations, artifacts, behavior detections and anything that may be beneficial here, feel free to put in a pull request.  
+The goal here is as much visibility as possible, with accurate alerts that are not noisy.  
 
-Note: Exact syntax and filtering choices are deliberate to catch appropriate entries and to have as little performance impact as possible. Sysmon's filtering abilities are different than the built-in Windows auditing features, so often a different approach is taken than the normal static listing of every possible important area.
 
 This now has an Auto Updater script to update to the latest Sysmon config hourly.  This is great for mass deployments without having to manually update thousands of systems.
 

From a0e7dd3c279690147973d125ca1c003e3048d240 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 12:49:19 -0400
Subject: [PATCH 409/471] update readme

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index eacd6572..afa52f64 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ The file provided should function as a great starting point for system monitorin
 
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**[sysmonconfig-export.xml](https://github.com/ion-storm/sysmon-config/blob/master/sysmonconfig-export.xml)**
 
-Pull requests and issue tickets are welcome, and new additions will be credited in-line or on Git, tag your naame with Author=YourName within the rulename field.
+Pull requests and issue tickets are welcome, and new additions will be credited in-line or on Git, tag your name with Author=YourName within the rulename field.
 
 This Sysmon ATT&CK Configuration is designed "Explicitely" to enrich your SIEM for threat intelligence, forensics, UEBA, use cases.  You'll want to create a key-value parser for the
 rulename field to create field names per event within your SIEM.  

From 045d80577487af5444c912bb1902b22b288b01f9 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 12:49:48 -0400
Subject: [PATCH 410/471] update readme

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index afa52f64..0bd58cac 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@ The file provided should function as a great starting point for system monitorin
 
 Pull requests and issue tickets are welcome, and new additions will be credited in-line or on Git, tag your name with Author=YourName within the rulename field.
 
-This Sysmon ATT&CK Configuration is designed "Explicitely" to enrich your SIEM for threat intelligence, forensics, UEBA, use cases.  You'll want to create a key-value parser for the
+This Sysmon ATT&CK Configuration is designed "Explicitly" to enrich your SIEM for threat intelligence, forensics, UEBA, use cases.  You'll want to create a key-value parser for the
 rulename field to create field names per event within your SIEM.  
 Ideally this is best used with an Alerting Repository/Index where the "Alert=" field is marked and a non-alerting visibility index/repository where threat hunting, investigations can be done 
 that contains added context and story line information of user behavior and activity leading up to an attack.  Non-Alerting Visibility rules are tagged with Desc=, and Forensic= and should

From 47a9c1eb0bc286a15bd674e4b505bd8a5a7a5edc Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 12:52:55 -0400
Subject: [PATCH 411/471] update readme..

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 0bd58cac..f41fe5e2 100644
--- a/README.md
+++ b/README.md
@@ -8,8 +8,8 @@ Pull requests and issue tickets are welcome, and new additions will be credited
 This Sysmon ATT&CK Configuration is designed "Explicitly" to enrich your SIEM for threat intelligence, forensics, UEBA, use cases.  You'll want to create a key-value parser for the
 rulename field to create field names per event within your SIEM.  
 Ideally this is best used with an Alerting Repository/Index where the "Alert=" field is marked and a non-alerting visibility index/repository where threat hunting, investigations can be done 
-that contains added context and story line information of user behavior and activity leading up to an attack.  Non-Alerting Visibility rules are tagged with Desc=, and Forensic= and should
-are meant to provide contextual information for analysts to build cases and identify what is happening with SIEM enrichments.  Some of these non-alerting visibility rules can be graduated 
+that contains added context and story line information of user behavior and activity leading up to an attack.  Non-Alerting Visibility rules are tagged with Desc=, and Forensic= and are
+meant to provide contextual information for analysts to build cases and identify what is happening with SIEM enrichments.  Some of these non-alerting visibility rules can be graduated 
 to the Alerting rules or can be used with correlation rules within a SIEM/SOAR/XDR.  
 
 The goal with this configuration is a "Control" configuration that provides ultimate visibility that should be ran in conjunction with an EDR.  

From a47c6a9fd78fa1cb51eb90a57f191d4306ea4e8d Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 15:20:35 -0400
Subject: [PATCH 412/471] Misc Detection additions and improvements

---
 sysmonconfig-export.xml | 101 +++++++++++++++++++++++++++++++++-------
 1 file changed, 85 insertions(+), 16 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index b340d201..241dad38 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -379,14 +379,14 @@
 			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Office Exploitation Detection,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe</ParentImage>
-				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
+				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe</ParentImage>
+				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe;msidb.exe</Image>
 				<CommandLine condition="excludes all">.cmd;-</CommandLine>
 				<CommandLine condition="excludes">C:\Windows\system32\spool\DRIVERS\</CommandLine>
 				<CommandLine condition="excludes">PhotoViewer.dll</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Alert=Office Spawning exe within: User Home Dirs,Risk=80" groupRelation="and">
-				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe</ParentImage>
+				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe</ParentImage>
 				<Image condition="begin with">C:\Users\</Image>
 				<Image condition="end with">.exe</Image>
 				<Product condition="excludes">Zoom Video</Product>
@@ -551,7 +551,7 @@
 				<CommandLine condition="contains">cmd.exe" /c cd</CommandLine>
 			</Rule>
 			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious or Malicious Command Line events" groupRelation="and">
-				<CommandLine condition="contains any">ntdsutil;/set {default} recoveryenabled no;telnet ;-dumpcr;putty;bash.exe;pssh;shareenum;sekurlsa;reg save;reg  save;psscan;shellexec;vbscript:createobject;/output:clipboard;root\\default;root\\subscription;Wmiclass;WmiCl'+'as'+'s</CommandLine>
+				<CommandLine condition="contains any">ntdsutil;/set {default} recoveryenabled no;telnet ;-dumpcr;putty;bash.exe;pssh;shareenum;sekurlsa;reg save;reg  save;psscan;shellexec;vbscript:createobject;/output:clipboard;root\\default;root\\subscription;Wmiclass;WmiCl'+'as'+'s;export-mft;ApplicationImpersonation</CommandLine>
 			</Rule>
 			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Powershell Suspicious or Malicious events" groupRelation="or">
 				<CommandLine condition="contains any">ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy</CommandLine>
@@ -741,8 +741,8 @@
 
 			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
 			<Image condition="contains">unknown process</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=WSL Execution" condition="contains">\LocalState\rootfs\</Image>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=WSL Execution" condition="contains">\LocalState\rootfs\</ParentImage>			
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=WSL Execution" condition="contains">\LocalState\rootfs\</Image>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=WSL Execution" condition="contains">\LocalState\rootfs\</ParentImage>			
 			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
@@ -836,16 +836,17 @@
 			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
 			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux exec,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains any">bash.exe;wsl.exe;ubuntu.exe;kali.exe</OriginalFileName>
-				<CommandLine condition="contains any">-e;/e;-u root;--exec bash;dev/tcp</CommandLine>
+				<CommandLine condition="contains any">-e;/e;-u root;--exec bash;dev/tcp;~ -d;~ /d</CommandLine>
 			</Rule>
 			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</Image>
 			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</ParentImage>
 			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</Image>
 			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</ParentImage>
+			<CommandLine name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Windows Subsystem For Linux,Risk=100" condition="contains any">distro-id;vm-id</CommandLine>
 
 			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</Image>
 			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</ParentImage>
@@ -1781,6 +1782,25 @@
 				<Image condition="image">7z.exe</Image>
 				<CommandLine condition="contains any">a -mx9 -r0 -p;a -v500m -mx9 -r0 -p</CommandLine>
 			</Rule>
+			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=7z Renamed,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">7z</OriginalFileName>
+				<Image condition="excludes">7z</Image>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Winrar Renamed,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">winrar</OriginalFileName>
+				<Image condition="excludes">winrar</Image>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Winrar Renamed,Risk=100" groupRelation="and">
+				<Product condition="contains">winrar</Product>
+				<Image condition="excludes">winrar</Image>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Winzip Renamed,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">winzip</OriginalFileName>
+				<Image condition="excludes">winzip</Image>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Powershell Compress-Archive,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">Compress-Archive</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
 			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">WindowsAudioDevice-Powershell-Cmdlet</CommandLine>
 			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">SoundRecorder.exe</CommandLine>
@@ -1800,6 +1820,9 @@
 			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Possible Email Collection/Exfiltration,Risk=70" groupRelation="and">
 				<CommandLine condition="contains">New-MailboxExportRequest</CommandLine>
 			</Rule>
+			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=New Exchange Management Role could be used for email exfiltration,Risk=70" groupRelation="and">
+				<CommandLine condition="contains all">add-pssnapin;exchange;new-managementroleassignment;applicationimpersonation</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
 			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
 			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">screencapture</CommandLine>
@@ -2196,6 +2219,12 @@
 				<DestinationIp condition="begin with">137.184.67.</DestinationIp>
 				<DestinationHostname condition="is any">httpbin.org</DestinationHostname>
 			</Rule>
+			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Advanced IP scanner Detected,Risk=90"  groupRelation="or">
+				<DestinationHostname condition="contains any">advanced-ip-scanner.com</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Kali Linux Distribution Download/Apt URL,Risk=90"  groupRelation="or">
+				<DestinationHostname condition="contains any">kali.download</DestinationHostname>
+			</Rule>
 			<DestinationHostname condition="contains">shodan</DestinationHostname>
 			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
 			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
@@ -3798,22 +3827,50 @@
 			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Exchange 0day from September 2022 overwriting legit file,Risk=80" groupRelation="and">
 				<TargetFilename condition="end with">RedirSuiteServiceProxy.aspx</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=HAFNIUM APT: IIS Creating ASPX files outside of wwwwroot,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Web Shells Dropped 1,Risk=80" groupRelation="and">
 				<Image condition="image">w3wp.exe</Image>
 				<TargetFilename condition="end with">.aspx</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=HAFNIUM APT: IIS Creating PHP files,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Web Shells Dropped 2,Risk=80" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.asp</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Web Shells Dropped 3,Risk=80" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.ashx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Alert=Web Shells Dropped 4,Risk=80" groupRelation="and">
 				<Image condition="image">w3wp.exe</Image>
 				<TargetFilename condition="end with">.php</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=HAFNIUM APT: IIS Creating AAA files,Risk=80" groupRelation="and">
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Alert=Web Shells Dropped 5,Risk=80" groupRelation="and">
 				<Image condition="image">w3wp.exe</Image>
 				<TargetFilename condition="end with">.aaa</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=HAFNIUM Web Shells Dropped,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Web Shells Dropped 6,Risk=100" groupRelation="and">
 				<TargetFilename condition="contains any">\wwwroot\aspnet_client\;\FrontEnd\HttpProxy\owa\auth</TargetFilename>
 				<TargetFilename condition="contains any">.aspx;.php;.ashx</TargetFilename>
 			</Rule>
+			<Rule name="Attack=T1190,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=IIS Dropping Ps1 file,Risk=100" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.ps1</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=File: File Creation,Level=3,Alert=IIS Dropping Bat file,Risk=100" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.bat</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=File: File Creation,Level=3,Alert=IIS Dropping DLL file,Risk=100" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=File: File Creation,Level=3,Alert=IIS Dropping VBS file,Risk=100" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.vbs</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=File: File Creation,Level=3,Alert=IIS Dropping HTA file,Risk=100" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.hta</TargetFilename>
+			</Rule>
 			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Files dropped in wwwroot directory,Risk=40" groupRelation="and">
 				<TargetFilename condition="contains any">\wwwroot\</TargetFilename>
 				<TargetFilename condition="excludes any">\wwwroot\aspnet_client\;jpg</TargetFilename>
@@ -4027,6 +4084,7 @@
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=SZ Archive" condition="end with">.sz</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=TAR Archive" condition="end with">.tar</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=TAR.GZ Archive" condition="end with">.tar.gz</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=TAR.GZ Archive" condition="end with">.tgz</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=XZ Archive" condition="end with">.xz</TargetFilename>
 			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ZIP Archive" condition="end with">.zip</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
@@ -4494,6 +4552,11 @@
 		<RegistryEvent onmatch="include">
 			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
 			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
+			<Rule name="ttack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=indows Registry: Windows Registry Key Modification,Level=4,Alert=Advanced IP Scanner Scan Detected" groupRelation="and">
+				<TargetObject condition="contains">Software\Famatech\advanced_ip_scanner\State</TargetObject>
+				<TargetObject condition="end with">LastRangeUsed</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
 			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
 			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
@@ -5869,8 +5932,14 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Internet Chat,Risk=20" groupRelation="and">
 				<QueryName condition="contains any">.slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com</QueryName>
 			</Rule>
+			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Advanced IP scanner Detected,Risk=90"  groupRelation="or">
+				<QueryName condition="contains any">advanced-ip-scanner.com</QueryName>
+			</Rule>
+			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Kali Linux Distribution Download/Apt URL,Risk=90"  groupRelation="or">
+				<QueryName condition="contains any">kali.download</QueryName>
+			</Rule>
 			<!--Crypto Currency Mining pools-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=10"  groupRelation="or">
+			<Rule name="Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Crypto Currency Miner Detected,Risk=85"  groupRelation="or">
 				<QueryName condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.nimpool.io;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool;analytics.blue;estream.to</QueryName>
 			</Rule>
 			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Microsoft Graph API Lookup" condition="is">graph.microsoft.com</QueryName>

From e421fec9638d1f62318d7c8a6e3007d62054b390 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 15:44:55 -0400
Subject: [PATCH 413/471] Add some File Shred Exclusions

---
 sysmonconfig-export.xml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 241dad38..89427239 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -6513,6 +6513,7 @@
 		<FileBlockShredding onmatch="include">
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in C:\Users,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Users</TargetFilename>
+				<Image condition="excludes any">C:\Program Files\WindowsApps\</Image>
 			</Rule>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramFiles,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Program Files</TargetFilename>
@@ -6534,6 +6535,7 @@
 			</Rule>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in System Profile and registry backups,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\System32\config</TargetFilename>
+				<Image condition="excludes">C:\WINDOWS\system32\consent.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Database Files,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="end with">.db</TargetFilename>
@@ -6560,8 +6562,11 @@
 				<TargetFilename condition="end with">.sst</TargetFilename>
 				<TargetFilename condition="end with">.sto</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Log files,Author=@ionstorm" groupRelation="or">
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Log files,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="end with">.log</TargetFilename>
+				<TargetFilename condition="excludes">C:\Windows\System32\sru\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Log files 2,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="end with">ConsoleHost_history.txt</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in evtx files,Author=@ionstorm" groupRelation="and">
@@ -6688,6 +6693,13 @@
 	</RuleGroup>
 	<RuleGroup name="RG=FileBlockShredding Exclude Group" groupRelation="or">
 		<FileBlockShredding onmatch="exclude">
+			<Rule name="safe images - be careful" groupRelation="or">
+				<Image condition="image">C:\WINDOWS\System32\svchost.exe</Image>
+				<Image condition="image">C:\WINDOWS\System32\services.exe</Image>
+				<Image condition="image">C:\WINDOWS\system32\consent.exe</Image>
+				<Image condition="contains all">C:\Program Files\Google\Drive File Stream\;\GoogleDriveFS.exe</Image>
+				<Image condition="contains all">C:\Program Files (x86)\Microsoft\EdgeWebView\Application\;msedgewebview2.exe</Image>
+			</Rule>
 			<Rule name="safe paths - be careful" groupRelation="and">
 				<TargetFilename condition="contains any">C:\Safe-shred-location</TargetFilename>
 			</Rule>

From 88eaac22bdb07e1a340fefefaf87908219bdeee7 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 16:02:13 -0400
Subject: [PATCH 414/471] Whitelist C:\Windows for now for file shred
 protection, just to prevent any weirdness.

---
 sysmonconfig-export.xml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 89427239..41f6e103 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -6694,14 +6694,17 @@
 	<RuleGroup name="RG=FileBlockShredding Exclude Group" groupRelation="or">
 		<FileBlockShredding onmatch="exclude">
 			<Rule name="safe images - be careful" groupRelation="or">
-				<Image condition="image">C:\WINDOWS\System32\svchost.exe</Image>
-				<Image condition="image">C:\WINDOWS\System32\services.exe</Image>
-				<Image condition="image">C:\WINDOWS\system32\consent.exe</Image>
+				<Image condition="begin with">C:\WINDOWS\</Image>
+				<Image condition="begin with">C:\Program Files\WindowsApps\</Image>
+				<Image condition="image">C:\PROGRA~2\Citrix\ICACLI~1\WFICA32.EXE</Image>
+				<Image condition="contains all">C:\Program Files;\Microsoft\EdgeWebView\Application\;\msedgewebview2.exe</Image>
+				<Image condition="contains all">C:\Program Files;\Citrix\;\WFICA32.EXE</Image>
 				<Image condition="contains all">C:\Program Files\Google\Drive File Stream\;\GoogleDriveFS.exe</Image>
 				<Image condition="contains all">C:\Program Files (x86)\Microsoft\EdgeWebView\Application\;msedgewebview2.exe</Image>
 			</Rule>
-			<Rule name="safe paths - be careful" groupRelation="and">
+			<Rule name="safe paths - be careful" groupRelation="or">
 				<TargetFilename condition="contains any">C:\Safe-shred-location</TargetFilename>
+				<TargetFilename condition="end with">.lock</TargetFilename>
 			</Rule>
 			<Rule name="safe users - be careful" groupRelation="or">
 				<!--<User condition="is">SYSTEM</User>

From e56e36f09eb06be1067f7ca4cd4d0fd3ff9d0611 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 16:18:11 -0400
Subject: [PATCH 415/471] More white listing to be safe, in testing this
 appears to not cause any issues. When protecting wide areas, there also may
 need to be wide exclusions unless comfortable whitelisting per image.  Since
 this is widely used will design with that in mind.

---
 sysmonconfig-export.xml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 41f6e103..91f1a4e2 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -6513,7 +6513,7 @@
 		<FileBlockShredding onmatch="include">
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in C:\Users,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Users</TargetFilename>
-				<Image condition="excludes any">C:\Program Files\WindowsApps\</Image>
+				<Image condition="excludes any">C:\Program Files\WindowsApps\;AppData</Image>
 			</Rule>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramFiles,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Program Files</TargetFilename>
@@ -6704,10 +6704,13 @@
 			</Rule>
 			<Rule name="safe paths - be careful" groupRelation="or">
 				<TargetFilename condition="contains any">C:\Safe-shred-location</TargetFilename>
+				<TargetFilename condition="contains any">C:\$WINDOWS.~BT\NewOS\</TargetFilename>
+				<TargetFilename condition="contains all">:\Users\;\AppData\;\D3DSCache</TargetFilename>
 				<TargetFilename condition="end with">.lock</TargetFilename>
 			</Rule>
 			<Rule name="safe users - be careful" groupRelation="or">
-				<!--<User condition="is">SYSTEM</User>
+				<!--<User condition="is">NT AUTHORITY\TrustedInstaller</User>
+				<User condition="is">SYSTEM</User>
 				<User condition="is">NT AUTHORITY\SYSTEM</User>
 				<User condition="is">TrustedInstaller</User>
 				<User condition="is">NT AUTHORITY\TrustedInstaller</User>

From e138c5d07867864f9e1d5e8a8ed1ae4fe0cc555c Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 16:28:21 -0400
Subject: [PATCH 416/471] Comment Out Program Files/ProgramData Directories as
 I am unsure how this will run with enterprise software like exchange and
 other servers. Leaving it optional to let administrators have more control.

---
 sysmonconfig-export.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 91f1a4e2..82831c98 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -6515,12 +6515,14 @@
 				<TargetFilename condition="begin with">C:\Users</TargetFilename>
 				<Image condition="excludes any">C:\Program Files\WindowsApps\;AppData</Image>
 			</Rule>
+			<!-- Unsure how this runs with Enterprise Software Like Exchange, Uncomment and provide feedback of any issues/things to whitelist
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramFiles,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Program Files</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramData,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\ProgramData</TargetFilename>
 			</Rule>
+			-->
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in $mft,Author=@ionstorm" groupRelation="and">
 				<TargetFilename condition="begin with">C:\$mft</TargetFilename>
 			</Rule>

From 8a9963d46ca2cecabe0c38b2e3a4589590689a58 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 4 Oct 2022 17:02:27 -0400
Subject: [PATCH 417/471] Target specific folders for powershell file block, as
 this will block copying of exe files as well \Temp\;\AppData\;C:\Users\Public

---
 sysmonconfig-export.xml | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 82831c98..cd54d838 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -6315,19 +6315,21 @@
 	<!--SYSMON EVENT ID 27 : FILE BLOCK [FileBlockExecutable]-->
 	<RuleGroup name="RG=ImageBlock Include Group" groupRelation="or">
 		<FileBlockExecutable onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Block Office from Creating Executables" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Alert=Block Office from Creating Executables" groupRelation="and">
 				<Image condition="contains any">OUTLOOK.exe;WINWORD.exe;EXCEL.EXE;powerpnt.exe;msaccess.exe;mspub.exe;eqnedt32.exe;visio.exe;wordpad.exe;wordview.exe;msohtmed.exe;lync.exe;teams.exe</Image>
 				<TargetFilename condition="excludes any">:\Program Files\Microsoft Office\;:\Program Files (x86)\Microsoft Office\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Block Web Servers from creating binary files" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Alert=Block Web Servers from creating binary files" groupRelation="and">
 				<Image condition="contains any">w3wp.exe;tomcat;apache;nginx;httpd</Image>
 				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Block Powershell from downloading EXE" groupRelation="and">
+			<!--Be Careful with this one, it blocks powershell file copies as well, target specific directories or comment out the rule-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Alert=Block Powershell from downloading EXE" groupRelation="and">
 				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+				<TargetFilename condition="contains any">\Temp\;\AppData\;C:\Users\Public</TargetFilename>
 				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Block double extensions" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="or">
 				<TargetFilename condition="end with">.pdf.exe</TargetFilename>
 				<TargetFilename condition="end with">.doc.exe</TargetFilename>
 				<TargetFilename condition="end with">.docx.exe</TargetFilename>
@@ -6343,19 +6345,19 @@
 				<TargetFilename condition="end with">.ico.exe</TargetFilename>
 				<TargetFilename condition="end with">.lnk.exe</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Block PSexec and PSEXESVC from Dropping binaries" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Alert=Block PSexec and PSEXESVC from Dropping binaries" groupRelation="or">
 				<Image condition="contains any">psexesvc</Image>
 				<Image condition="contains any">psexec</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Block wmiprvse.exe from Dropping binaries" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Alert=Block wmiprvse.exe from Dropping binaries" groupRelation="or">
 				<Image condition="image">wmiprvse.exe</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Block executables from writing to Users\Public" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Alert=Block executables from writing to Users\Public" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
 				<TargetFilename condition="excludes any">amdsfhdcd.bin</TargetFilename>
 				<Image condition="excludes any">intuit</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Block LOLbins that drop files" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Alert=Block LOLbins that drop files" groupRelation="and">
 				<Image condition="contains any">AcroRd32.exe;notepad.exe;mshta.exe;hh.exe;certutil.exe;certoc.exe;certreq.exe;desktopimgdownldr.exe;esentutl.exe;finger.exe;presentationhost.exe;cscript.exe;wscript.exe;mspaint.exe;RdrCEF.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1311,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Malicious File Detection,Author=Florian Roth/ionstorm" groupRelation="or">
@@ -6458,7 +6460,7 @@
 			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Tools that tamper with Sysmon,Author=Florian Roth" groupRelation="and">
 				<TargetFilename condition="contains any">\EntenLoader.exe;\SysmonQuiet.exe;\SharpEvtMute.exe;\EvtMuteHook.dll</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=4,Desc=Lolbins dropping binaries,Author=Florian Roth" groupRelation="or">
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=4,Alert=Lolbins dropping binaries,Author=Florian Roth" groupRelation="or">
 				<Image condition="image">certutil.exe</Image>
 				<Image condition="image">certoc.exe</Image>
 				<Image condition="image">CertReq.exe</Image>
@@ -6469,7 +6471,7 @@
 				<Image condition="image">finger.exe</Image>
 				<Image condition="image">presentationhost.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=4,Desc=Suspicious Bitsadmin Usage from Non System accounts,Author=@ionstorm" groupRelation="and">
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=4,Alert=Suspicious Bitsadmin Usage from Non System accounts,Author=@ionstorm" groupRelation="and">
 				<Image condition="image">bitsadmin.exe</Image>
 				<TargetFilename condition="excludes any">C:\Windows;$WINDOWS.;\SoftwareDistribution\</TargetFilename>
 				<User condition="is not">System</User>

From 7328ab70bccc259ededb51aa5eb056de84d2c6c0 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Wed, 5 Oct 2022 12:01:16 -0400
Subject: [PATCH 418/471] More Amcache Forensic logging added

---
 sysmonconfig-export.xml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index cd54d838..f32e6a7e 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -5570,8 +5570,10 @@
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Store" condition="contains">Compatibility Assistant\Store\</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Ver" condition="end with">\BinProductVersion</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Application Shortcuts" condition="contains">Root\InventoryApplicationShortcut\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Driver Binary Info" condition="contains">Root\InventoryDriverBinary\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Device Info" condition="contains">Root\InventoryDeviceContainer\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Driver Binary Info" condition="contains">Root\InventoryDriverBinary</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Driver Package Info" condition="contains">Root\InventoryDriverPackage</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache PNP Device Info" condition="contains">Root\InventoryDevicePnp</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Device Info" condition="contains">Root\InventoryDeviceContainer</TargetObject>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Application Installation Info" groupRelation="and">
 				<TargetObject condition="contains">Root\InventoryApplication\</TargetObject>
 				<TargetObject condition="contains any">ProgramID;Name;Version;Publisher;Language;InstallDate;Source;RootDirPath;HiddenArp;UninstallString;RegistryKeyPath;UserSID;sha256</TargetObject>

From 33d1499615c440922f2de7082c14e46256045e50 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Wed, 5 Oct 2022 13:12:34 -0400
Subject: [PATCH 419/471] Add additional Data Exfiltration Rules, change order
 of web browser rules.

---
 sysmonconfig-export.xml | 74 ++++++++++++++++++++++++++++-------------
 1 file changed, 50 insertions(+), 24 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f32e6a7e..2929a47e 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -2692,22 +2692,38 @@
 				<DestinationIp condition="excludes">127.0.0.1</DestinationIp>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Browsers accessing non-standard ports" groupRelation="and">
-				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
+				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe</Image>
 				<DestinationPort condition="is not">80</DestinationPort>
 				<DestinationPort condition="is not">443</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
 			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Connection to Github,Risk=30" condition="contains">github</DestinationHostname> 
 			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Connection to Github,Risk=30" condition="contains">githubusercontent.com</DestinationHostname>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Web Browser HTTP Connections" groupRelation="and">
-				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe</Image>
-				<DestinationPort condition="is">80</DestinationPort>
-				<Initiated>true</Initiated>
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Alert=Dropbox Cloud Exfiltration" groupRelation="and">
+				<DestinationHostname condition="end with">dropboxapi.com</DestinationHostname>
+				<Image condition="excludes any">\Dropbox\Client\Dropbox.exe;\Dropbox\bin\Dropbox.exe;\Oracle\Java\</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Web Browser HTTPS Connections" groupRelation="and">
-				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe</Image>
-				<DestinationPort condition="is">443</DestinationPort>
-				<Initiated>true</Initiated>
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Alert=OneDrive Cloud Exfiltration" groupRelation="and">
+				<DestinationHostname condition="contains">1drv</DestinationHostname>
+				<Image condition="excludes any">\AppData\Local\Microsoft\OneDrive\OneDrive.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;\Internet Explorer\iexplore.exe;C:\Windows\System32\AppHostRegistrationVerifier.exe;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe;C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe;C:\Program Files\Mozilla Firefox\firefox.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Alert=Box.com Cloud Exfiltration" groupRelation="and">
+				<DestinationHostname condition="contains all">.box.com;upload</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Mega.co.nz Cloud Exfiltration" groupRelation="and">
+				<DestinationHostname condition="contains any">mega.nz;mega.co.nz</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Privatlab Cloud Exfiltration" groupRelation="and">
+				<DestinationHostname condition="contains any">privatlab.com</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Social Networking" groupRelation="or">
+				<DestinationHostname condition="contains any">tiktok;parler.com;gab.com;mewe.com;4chan;8chan;facebook;fbcdn;twitter;instagram;snapchat</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Internet Relay Chat,Risk=70" groupRelation="or">
+				<DestinationHostname condition="contains any">efnet;undernet;freenode;ircnet;.rizon;quakenet;oftc.net;dalnet</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Internet Chat,Risk=20" groupRelation="and">
+				<DestinationHostname condition="contains any">.slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com</DestinationHostname>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Apache Webserver" groupRelation="and">
 				<Image condition="image">apache.exe</Image>
@@ -2769,21 +2785,31 @@
 			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC,Risk=50" condition="is">5800</DestinationPort>
 			<!--Source Ports to Monitor-->
 			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Port: 0" condition="is">0</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTP" condition="is">80</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTPS" condition="is">443</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=LDAPS" condition="is">636</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC" condition="is">5900</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTPS" condition="is">443</SourcePort>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Web Browser HTTP Connections" groupRelation="and">
+				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe</Image>
+				<DestinationPort condition="is">80</DestinationPort>
+				<Initiated>true</Initiated>
+			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Non-Browsers Accessing HTTPS" groupRelation="and">
 				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
-				<DestinationPort condition="is">443</DestinationPort>
+				<DestinationPortName condition="is">https</DestinationPortName>
 				<Initiated>true</Initiated>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Non-Browsers Accessing HTTP" groupRelation="and">
 				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
-				<DestinationPort condition="is">80</DestinationPort>
+				<DestinationPortName condition="is">http</DestinationPortName>
+				<Initiated>true</Initiated>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Web Browser HTTPS Connections" groupRelation="and">
+				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe</Image>
+				<DestinationPort condition="is">443</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTP" condition="is">80</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTPS" condition="is">443</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=LDAPS" condition="is">636</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC" condition="is">5900</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTPS" condition="is">443</SourcePort>
 			<!--Suspicious network connections-->
 			<DestinationHostname name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Dynamic DNS Connection" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</DestinationHostname>
 		</NetworkConnect>
@@ -3723,7 +3749,7 @@
 			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Python" condition="end with">.pyc</TargetFilename>
 			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Python" condition="end with">.pyd</TargetFilename>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
-			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Alert=Powershell file types,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Desc=Powershell file types,Risk=100" groupRelation="or">
 				<TargetFilename condition="end with">.cdxml</TargetFilename>
 				<TargetFilename condition="end with">.ps1</TargetFilename>
 				<TargetFilename condition="end with">.ps1xml</TargetFilename>
@@ -3732,7 +3758,7 @@
 				<TargetFilename condition="end with">.psm1</TargetFilename>
 				<TargetFilename condition="end with">.pssc</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Alert=Powershell file creations,Risk=10" groupRelation="and">
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Desc=Powershell Creating Files,Risk=10" groupRelation="and">
 				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
 				<TargetFilename condition="excludes">\Recent\CustomDestinations\</TargetFilename>
 			</Rule>
@@ -3779,7 +3805,7 @@
 			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Generic Ransomware Detection" groupRelation="and">
 				<TargetFilename condition="contains any">!!!-WARNING-!!!.html;!!!-WARNING-!!!.txt;!!! HOW TO DECRYPT FILES !!!;!!!README!!!;!!!READ_TO_UNLOCK!!!.TXT;!!!_READ_ME_;!Recovery_;!Where_are_my_files!.html;!_HOW_TO_RESTORE_;!_RECOVERY_HELP_!.txt;!recover!;# DECRYPT MY FILES #.html;# DECRYPT MY FILES #.txt;# DECRYPT MY FILES #.vbs;# SATAN CRYPTOR #;+recover+;.8lock8;.31392E30362E32303136_;.ABCDEF;.CIop;.CR1;.CRAB;.CRYPTOSHIELD;.Cl0p;.Contact_Here_To_Recover_Your_Files.txt;.CryptoTorLocker2015!;.HERMES;.HakunaMatata;.How_To_Decrypt.txt;.How_To_Get_Back.txt;.KEYZ.KEYH0LES;.L0CKED;.LOL!;.MATRIX;.OMG!;.R.i.P;.RMCM1;.RSplited;.SUPERCRYPT;.SecureCrypted;.TheTrumpLocker;.VBRANSOM;.VforVendetta;.Where_my_files.txt;.XBTL;._AiraCropEncrypted!;.airacropencrypted!;.areyoulovemyrans;.berkshire;.bitpy;.bitx;.blocatto;.bomber;.braincrypt;.breakingbad;.breeding123;.cerber;.cifgksaffsfyghd;.country82000;.crypt;.crypted;.crypton;.cryptotorlocker;.decrypt2017;.deria;.dglnl;.disposed2017;.doomed;.encrypted.locked;.encrypted;.encryptedyourfiles;.enjey;.evillock;.filegofprencrp;.fileiscryptedhard;.firecrypt;.fuckyourdata;.gangbang;.gefickt;.googl;.happydayzz;.hceem;.helpdecrypt;.helpmeencedfiles;.hnumkhotep;.hydracrypt_ID;.iaufkakfhsaraf;.info.txt;.jimm;.kharma;.killedXXX;.lambda_l0cked;.letmetrydecfiles;.locked;.locker16;.loveransisgood;.lovewindows;.magic_software_syndicate;.mention9823;.moments2900;.myrandsext2017;.newlock;.no_more_ransom;.nochance;.noproblemwedecfiles;.notfoundrans;.ohwqg;.one-we_can-help_you;.oops;.osiris;.otherinformation;.paytounlock;.powerfulldecrypt;.powned;.pr0lock;.prolock;.prosperous666;.pwnd;.ransom;.readme2unlock;.righ;.roger;.ryk;.satan;.savethequeen;.sigaint.org;.skjdthghh;.skynet;.snatch;.stubbin;.supported2017;.suppose666;.theworldisyours;.txd0t;.warn_wallet;.weapologize;.weareyourfriends;.weencedufiles;.wowreadfordecryp;.wowwhereismyfiles;.wvtr0;.yourransom;.zzzzz ;.{CRYPTENDBLACKDC};-DECRYPT.txt;000-IF-YOU-WANT-DEC-FILES;000-No-PROBLEM-WE-DEC-FILES;000-PLEASE-READ-WE-HELP;001-READ-FOR-DECRYPT-FILES;1025-7152.exe;:\windows\update_collector.exe;=READ=THIS=PLEASE=;@cock.li;@countermail.com;@firemail.cc;@india.com;@mail.ru;@ukr.net;ASSISTANCE_IN_RECOVERY;ATTENTION!!!.txt;ATTENTION.url;Aescrypt.exe;AllFilesAreLocked;BTC_DECRYPT_FILES;BUYUNLOCKCODE.txt;BUYUNLOCKCODE;BitCryptorFileList.txt;C:\ProgramData\dtb.dat;C:\Programdata\WinMgr;C:\Programdata\clean.bat;C:\Programdata\run.bat;C:\Windows\svchost.exe;CEBER3;CHECK-IT-HELP-FILES;COME_RIPRISTINARE_I_FILE.;COMO_ABRIR_ARQUIVOS.txt;COMO_RESTAURAR_ARCHIVOS;Coin.Locker.txt;Comment débloquer mes fichiers.txt;Como descriptografar seus arquivos.txt;Corona-virus-Map;Corona.bat;Corona.sfx;CryptoRansomware;Crytp0l0cker;Cyber SpLiTTer Vbs.exe;Cyborg_DECRYPT;DALE_FILES.TXT;DECRYPT-FILES;DECRYPTION INSTRUCTIONS.;DECRYPTION_HOWTO.Notepad;DECRYPT_INFORMATION;DECRYPT_INSTRUCTION.HTML;DECRYPT_INSTRUCTION.URL;DECRYPT_INSTRUCTIONS.html;DECRYPT_INSTRUCTIONS;DECRYPT_ReadMe1.TXT;DECRYPT_Readme.TXT.ReadMe;DECRYPT_YOUR_FILES;DESIFROVANI_POKYNY.html;Decrypt All Files;DecryptAllFiles;DecryptFile;Decrypt_readme.txt;DesktopOsiris;ENTSCHLUSSELN_HINWEISE.html;EdgeLocker;FILESAREGONE.txt;FILES_BACK.txt;File Decrypt Help.html;GJENOPPRETTING_AV_FILER;GetYouFiles.txt;HAPPEN-ENCED-FILES;HELLOTHERE.TXT;HELP-ME-ENCED-FILES;HELPDECRYPT_YOUR_FILES.HTML;HELP_DECRYPT.HTML;HELP_DECRYPT.PNG;HELP_DECRYPT.URL;HELP_DECRYPT.lnk;HELP_ME_PLEASE.txt;HELP_RESTORE_FILES_;HELP_TO_SAVE_FILES.bmp;HELP_TO_SAVE_FILES;HELP_YOURFILES.HTML;HELP_YOUR_FILES.PNG;HELP_YOUR_FILES.html;HELP_YOUR_FILES;HOW-TO-DECRYPT-FILES.HTML;HOW-TO-RESTORE-FILES;HOW TO BACK YOUR FILES;HOW TO DECRYPT FILES.HTML;HOW TO DECRYPT FILES.txt;HOW TO RECOVER;HOWTO_RECOVER_FILES_;HOWTO_RESTORE_FILES;HOWTO_RESTORE_FILES_;HOW_DECRYPT.HTML;HOW_DECRYPT.TXT;HOW_DECRYPT.URL;HOW_OPEN_FILES;HOW_TO_DECRYPT.HTML;HOW_TO_DECRYPT_;HOW_TO_PAY_THE_RANSOM;HOW_TO_RESTORE_FILES.html;HOW_TO_RESTORE_FILES;HOW_TO_RESTORE_YOUR_DATA;HOW_TO_UNLOCK_FILES_README_;HWID Lock.exe;Hacked_Read_me_to_decrypt_files.html;Help Decrypt.html;How decrypt files.hta;How to decrypt LeChiffre files.html;How to decrypt your data.txt;HowDecrypt.gif;HowDecrypt.txt;How_to_decrypt_your_files.jpg;How_to_restore_files.hta;HowtoRestore_File;HowtoRestore_Files;Howto_RESTORE_FILES.html;Howto_Restore_FILES.TXT;IAMREADYTOPAY.TXT;IF-YOU-WANT-DEC-FILES;IF_WANT_FILES_BACK_PLS_READ.html;IHAVEYOURSECRET.KEY;IMPORTANT READ ME.txt;IMPORTANT.README;INSTALL_TOR.URL;INSTRUCCIONES;INSTRUCCIONES_DESCIFRADO.html;INSTRUCTION RESTORE FILE;INSTRUCTIONS_DE_DECRYPTAGE.html;INSTUCCIONES_DESCRIFRADO;ISTRUZIONI_DECRITTAZIONE.html;Important!.txt;Instructionaga.txt;KryptoLocker_README.txt;LEER_INMEDIATAMENTE;LET-ME-TRY-DEC-FILES;Locked-by-Mafia;MENSAGEM.txt;MERRY_I_LOVE_YOU_BRUCE.hta;No-PROBLEM-WE-DEC-FILES;OKSOWATHAPPENDTOYOURFILES.TXT;ONTSLEUTELINGS_INSTRUCTIES.html;OSIRIS-;PAYLOADBIN;PINGY@INDIA.COM;PLEASE-READ-WE-HELP.;PLEASE-READIT-IF_YOU-WANT.html;PLEASE-READIT-IF_YOU-WANT;PLEASE-README-AFFECTED-FILES;PLS-DEC-MY-FILES;PURELOCKER;Payment_Instructions.jpg;Please Read Me!!!;READ-FOR-DECCCC-FILESSS;READ-FOR-DECRYPT-FILES;READ-READ-READ;READ IF YOU WANT YOUR FILES BACK.html;READ ME FOR DECRYPT.txt;README HOW TO DECRYPT YOUR FILES.HTML;README!!!;README_DECRYPT_HYDRA_ID_;README_DECRYPT_HYRDA_ID_;README_DECRYPT_UMBRE_ID_;README_DONT_DELETE;README_HOW_TO_UNLOCK.HTML;README_HOW_TO_UNLOCK.TXT;README_RECOVER_FILES_;README_TO_RECURE_YOUR_FILES;READTHISNOW!!!.txt;READ_IT.txt;READ_ME_!.txt;READ_ME_TO_DECRYPT_YOU_INFORMA;READ_THIS_TO_DECRYPT.html;RECOVER-FILES;RECOVERY_FILE.;RECOVERY_FILES.TXT;RECOVER_MY_FILE;RESTORE_CORUPTED_FILES;RESTORE_FILES_;RETURN FILES.txt;RETURN YOUR FILES;RETURNFILES_.txt;RETURN_FILES.txt;RETURN_FILES_.txt;Rans0m_N0te_Read_ME;Read Me (How Decrypt) !!!!.txt;ReadDecryptFilesHere;Read_this_file.txt;Receipt.exe;RecoveryManual.html;Recovery_File_;Recovery_file_;Rooster865qq;SECRET.KEY;SECRETIDHERE.KEY;SHTODELATVAM.txt;SIFRE_COZME_TALIMATI.html;SORRY-FOR-FILES;Survey Locker.exe;TRY-READ-ME-TO-DEC;Temp\satan\satan;ThxForYurTyme;UNLOCK_FILES_INSTRUCTIONS.html;UNLOCK_FILES_INSTRUCTIONS.txt;UnblockFiles.vbs;VIP72.exe;Vape Launcher.exe;WANT_FILES_BACK;WE-MUST-DEC-FILES;WHERE-YOUR-FILES;WORMKILLER@INDIA.COM.XTBL;What happen to my files.txt;Whereisyourfiles;WindowsApplication1.exe;YOUGOTHACKED.TXT;YOUR_FILES.txt;YOUR_FILES.url;YOUR_FILES_ARE_DEAD;YOUR_FILES_ARE_ENCRYPTED.HTML;YOUR_FILES_ARE_ENCRYPTED.TXT;YOUR_FILES_ARE_LOCKED.txt;Your files are locked !!!!.txt;Your files are locked !!!.txt;Your files are locked !!.txt;Your files are locked !.txt;Your files encrypted by our friends !!! txt;Your files encrypted by our friends !!!.txt;[KASISKI];_Adatok_visszaallitasahoz_utasitasok;_DECRYPT_ASSISTANCE_;_DECRYPT_INFO_;_DECRYPT_INFO_szesnl;_DEC_FILES.;_FILES_WERE_ENCRYPTED_@.TXT;_HELP_HELP_HELP_;_HELP_Recover_Files_;_HELP_instructions.bmp;_HELP_instructions.txt;_HOWDO_text.bmp;_HOWDO_text.html;_HOW_TO_Decrypt;_H_e_l_p_RECOVER_INSTRUCTIONS+;_H_e_l_p_RECOVER_INSTRUCTIONS;_Locky_recover;_Locky_recover_instructions.bmp;_Locky_recover_instructions.txt;_README.hta;_README.jpg;_READ_ME!;_RECOVER_INSTRUCTIONS;_ReCoVeRy_+;_USE_TO_FIX_;_WHAT_is.html;_help_instruct;_how_recover.txt;_how_recover;_how_recover_;_recover_;_secret_code.txt;_steaveiwalker@india.com_;aeroware;confirmation.key;contains(to_string($message.file_created), "howrecover+;crjoker.html;cryptinfo.txt;cryptolocker.;cryptopp;de_crypt_readme.;de_crypt_readme.bmp;de_crypt_readme.html;de_crypt_readme.txt;decipher_ne;decrypt-instruct;decrypt explanations.;decrypt my file;decrypt your file;decrypt_Globe;decrypt_instruct;decrypted_files.dat;decryptional;decryptmyfiles;decypt_your_files.html;default32643264.bmp;default432643264.jpg;email-salazar_slytherin10;enc_files.txt;encryptor_raas_readme_liesmich;enigma.hta;enigma_encr.txt;exit.hhr.obleep;fattura_;file0locked;files_are_encrypted.;-filesencrypted;firemail.cc;firstransomware.exe;gmx.de;hacks.at.sigaint.org;help-file-decrypt.enc;help_decrypt;help_file_;help_instructions.;help_my_files;help_recover;help_recover_instructions;help_restore;help_restore_files;help_your_file;helpmeencedfiles;how to decrypt aes files.lnk;how to decrypt;how to get data.txt;how_decrypt.gif;how_recover;how_to_decrypt;how_to_recover;howrecover+ recoveryfile_;howrecover+;howto_recover_file;howto_restore;howtodecrypt;howtodecryptaesfiles.txt;inbox.ru;info@kraken.cc_worldcza@email.cz;install_tor;iran.ir;last_chance.txt;maestro@pizzacrypts.info;maxcrypt.bmp;only-we_can-help_you;openforyou@india.com;opensourcemail.org;padcrypt;paycrypt.bmp;popcorn_time.exe;powerfulldecrypt;protonmail.ch;qbmail.biz;randomname;readme_decrypt;readme_for_decrypt;readme_liesmich_encryptor_raas;recover_file;recover_file_;recover_instruction;recoverfile;recoverfile_;recovery+;recovery_file.txt;recovery_key.txt;recoveryfile;recover}-;restore_files.txt;restorefiles;restorefiles_;ryukreadme.html;tuta.io;tutanota.com;tutanota.de;unCrypte;vault.hta;vault.key;vault.txt;want your files back.;warning-!!;wie_zum_Wiederherstellen_von_Dateien.txt;wowreadfordecryp;wowwhereismyfiles;zXz.html;zycrypt.;zzzzzzzzzzzzzzzzzyyy</TargetFilename>
 				<TargetFilename condition="excludes all">C:\Users\;\Google\Chrome Beta\User Data\;\IndexedDB\</TargetFilename>
-				<TargetFilename condition="excludes any">C:\Program Files\WindowsApps\Microsoft.YourPhone_;C:\Program Files\dotnet\shared\Microsoft.NETCore.App\</TargetFilename>
+				<TargetFilename condition="excludes any">C:\Program Files\WindowsApps\Microsoft.YourPhone_;C:\Program Files\dotnet\shared\Microsoft.NETCore.App\;\Microsoft.NET\assembly\GAC_MSIL</TargetFilename>
 			</Rule>
 			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="contains">crackmapexec</TargetFilename>
 			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._AES.pyd</TargetFilename>
@@ -5905,21 +5931,21 @@
 				<Image condition="contains any">powershell;cscript.exe;wscript.exe;mshta.exe;bitsadmin.exe;\cmd.exe</Image>
 				<QueryName condition="contains">.</QueryName>
 			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Dropbox Cloud Exfiltration" groupRelation="and">
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Dropbox Cloud Exfiltration" groupRelation="and">
 				<QueryName condition="end with">dropboxapi.com</QueryName>
 				<Image condition="excludes any">\Dropbox\Client\Dropbox.exe;\Dropbox\bin\Dropbox.exe;\Oracle\Java\</Image>
 			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=OneDrive Cloud Exfiltration" groupRelation="and">
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=OneDrive Cloud Exfiltration" groupRelation="and">
 				<QueryName condition="contains">1drv</QueryName>
 				<Image condition="excludes any">\AppData\Local\Microsoft\OneDrive\OneDrive.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;\Internet Explorer\iexplore.exe;C:\Windows\System32\AppHostRegistrationVerifier.exe;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe;C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe;C:\Program Files\Mozilla Firefox\firefox.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Box.com Cloud Exfiltration" groupRelation="and">
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Box.com Cloud Exfiltration" groupRelation="and">
 				<QueryName condition="contains all">.box.com;upload</QueryName>
 			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Mega.co.nz Cloud Exfiltration" groupRelation="and">
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Mega.co.nz Cloud Exfiltration" groupRelation="and">
 				<QueryName condition="contains any">mega.nz;mega.co.nz</QueryName>
 			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Privatlab Cloud Exfiltration" groupRelation="and">
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Privatlab Cloud Exfiltration" groupRelation="and">
 				<QueryName condition="contains any">privatlab.com</QueryName>
 			</Rule>
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Solarwinds/FireEye sunburst domains,Risk=100" groupRelation="or">

From 5777038350416bc866b022647ead70d65d17f82e Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Wed, 5 Oct 2022 17:43:52 -0400
Subject: [PATCH 420/471] Add additional Detections, expand qbot detection to
 detect subprocesses of rundll32/regsvr32.exe that are uncommon.

---
 sysmonconfig-export.xml | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 2929a47e..204f5839 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1074,7 +1074,7 @@
 			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Possible qbot injection,Risk=30" groupRelation="and">
 				<ParentImage condition="contains any">\rundll32.exe;\regsvr32.exe</ParentImage>
-				<Image condition="contains any">\explorer.exe;\wermgr.exe;\msra.exe</Image>
+				<Image condition="contains any">\explorer.exe;\wermgr.exe;\msra.exe;\OneDriveSetup.exe;\mobsync.exe;\xwizard.exe</Image>
 				<CommandLine condition="end with">.exe</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Child process of conhost,Risk=30" groupRelation="and">
@@ -2705,7 +2705,8 @@
 			</Rule>
 			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Alert=OneDrive Cloud Exfiltration" groupRelation="and">
 				<DestinationHostname condition="contains">1drv</DestinationHostname>
-				<Image condition="excludes any">\AppData\Local\Microsoft\OneDrive\OneDrive.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;\Internet Explorer\iexplore.exe;C:\Windows\System32\AppHostRegistrationVerifier.exe;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe;C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe;C:\Program Files\Mozilla Firefox\firefox.exe</Image>
+				<!--We're looking for alternative Programs accessing Onedrive, If Onedrive is not allowed, uncomment onedrive exe exclusions-->
+				<Image condition="excludes any">C:\Program Files\Microsoft OneDrive\OneDrive.exe;\AppData\Local\Microsoft\OneDrive\OneDrive.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;\Internet Explorer\iexplore.exe;C:\Windows\System32\AppHostRegistrationVerifier.exe;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe;C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe;C:\Program Files\Mozilla Firefox\firefox.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Alert=Box.com Cloud Exfiltration" groupRelation="and">
 				<DestinationHostname condition="contains all">.box.com;upload</DestinationHostname>
@@ -3274,6 +3275,9 @@
 				<Image condition="excludes">C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_</Image>
 				<Image condition="excludes">C:\Windows\explorer.exe</Image>
 			</Rule>
+			<Rule name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=Module: Module Load,Level=2,Desc=Python DLL Loaded,Risk=30" groupRelation="and">
+				<ImageLoaded condition="contains any">python</ImageLoaded>
+			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=1,Desc=Unsigned Global Assembly Cache Load" groupRelation="and">
 				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
 				<Signed condition="is">false</Signed>
@@ -3537,6 +3541,7 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Powershell accessing another process memory" groupRelation="and">
 				<SourceImage condition="image">powershell.exe</SourceImage>
 				<TargetImage condition="excludes any">C:\Programdata\sysmon\sysmon64.exe;C:\Programdata\sysmon\sysmon.exe;C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe;\dismhost.exe</TargetImage>
+				<CallTrace condition="excludes all">C:\WINDOWS\SYSTEM32\ntdll.dll+;|C:\WINDOWS\System32\KERNELBASE.dll+;|C:\ProgramData\Microsoft\Windows Defender\Platform\;\MPCLIENT.DLL;\MpOav.dll+;|C:\WINDOWS\SYSTEM32\amsi.dll</CallTrace>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Potential Keylogger detected,Risk=100" groupRelation="and">
 				<CallTrace condition="contains">getasynckeystate</CallTrace>
@@ -5658,6 +5663,10 @@
 				<TargetObject condition="contains">\Software\AppDataLow\Software\Microsoft\</TargetObject>
 				<Details condition="contains any">.exe;.dll;powershell;wmic</Details>
 			</Rule>
+			<Rule name="Attack=T1562.010,Technique=Impair Defenses: Downgrade Attack,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=NetNTLM downgrade attack" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject>
+				<Details name="You should have this set to 5" condition="excludes">DWORD (0x00000005)</Details>
+			</Rule>
 			<TargetObject name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Office Persistence Location,Risk=70" condition="end with">Software\Microsoft\Office test\Special\Perf</TargetObject>
 			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\CurrentControlSet\Services\NTDS\LsaDbExtPt</TargetObject>
 			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\Services\NTDS\DirectoryServiceExtPt</TargetObject>
@@ -5688,13 +5697,11 @@
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="end with">\Client\Enabled</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="end with">\Server\Enabled</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Kitty Sessions,Risk=30" condition="contains">Kitty\Sessions</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject>
+			<TargetObject name="Attack=T1562.010,Technique=Impair Defenses: Downgrade Attack,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject>
+			<TargetObject name="Attack=T1562.010,Technique=Impair Defenses: Downgrade Attack,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Putty Sessions,Risk=30" condition="contains">PuTTY\Sessions</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=RDP History,Risk=10" condition="contains">Terminal Server Client\Servers</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
 			<Rule name="Antivirus" groupRelation="or">
 				<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab</Image> 
 				<Image condition="begin with">C:\Program Files\Kaspersky Lab</Image>

From 2888b1bd34c7a948017d9677606f223a4efe7e45 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Wed, 5 Oct 2022 18:03:55 -0400
Subject: [PATCH 421/471] Add Windows Defender Exclusion registry path, enable
 alerting

---
 sysmonconfig-export.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 204f5839..34be84c6 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -5554,6 +5554,9 @@
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Legacy Drivers Loaded" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect System Policy Changes" condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Windows Defender Policy Changes" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject>
+			<TargetObject name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detect Windows Defender Exclusion Path Changes,Risk=100" condition="contains">\Exclusions\Paths</TargetObject>
+			<TargetObject name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detect Windows Defender Exclusion Extension Changes,Risk=100" condition="contains">\Exclusions\Extensions</TargetObject>
+			<TargetObject name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detect Windows Defender Exclusion Processes Changes,Risk=100" condition="contains">\Exclusions\Processes</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Windows Defender Tamper Protection Modifications" condition="begin with">TamperProtection</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect malware changes to UAC prompt level" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject>
 			<!--Group Policy Scripts-->

From caa8d68baa6dbd054128fe81b40f469f82ec89d8 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Thu, 6 Oct 2022 10:47:31 -0400
Subject: [PATCH 422/471] Add additional Service Monitoring capability with
 Driver detection based on DWORD Information, also add additional detail to be
 logged for driver tracking/correlation capability.

---
 sysmonconfig-export.xml | 84 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 84 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 34be84c6..b78af38a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -5629,6 +5629,90 @@
 				<TargetObject condition="end with">\DeleteFlag</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=New Kernel Device Driver" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\Type</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=New File System Driver" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\Type</TargetObject>
+				<Details condition="contains">DWORD (0x00000002)</Details>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=New Adapter Driver" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\Type</TargetObject>
+				<Details condition="contains">DWORD (0x00000004)</Details>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=New System Service: Own Process" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\Type</TargetObject>
+				<Details condition="contains">DWORD (0x00000020)</Details>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=New System Service: Share Process" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\Type</TargetObject>
+				<Details condition="contains">DWORD (0x00000020)</Details>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=New System Service: Interactive" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\Type</TargetObject>
+				<Details condition="contains">DWORD (0x00000100)</Details>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver Group" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\Group</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver DependOnService" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\DependOnService</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver BinaryPathName" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\BinaryPathName</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver RequiredPrivileges" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\RequiredPrivileges</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver Owners: Correlation to Amcache" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\Owners</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver ObjectName: User Service Runs as specified in ServiceStartName" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\ObjectName</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver ObjectName: User Service Runs as" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\ServiceStartName</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver ErrorControl" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\ErrorControl</TargetObject>
+				<!--<Details name="Critical if lastknown good fails bugcheck" condition="contains">DWORD (0x00000003)</Details>
+				<Details name="Severe last known good" condition="contains">DWORD (0x00000002)</Details>
+				<Details name="Normal Boot on failure" condition="contains">DWORD (0x00000001)</Details>
+				<Details name="Ignore Failure"condition="contains">DWORD (0x00000000)</Details>
+				<Details condition="contains">DWORD (0x00000001)</Details>-->
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver DependOnGroup" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\DependOnGroup</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver DisplayName" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\DisplayName</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Service Group Order Modifications" groupRelation="and">
+				<TargetObject condition="contains">HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder</TargetObject>
+				<TargetObject condition="end with">\List</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Service Set for Deletion" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\Type</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
 			<!--Detect User Activity-->
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Bluetooth Audio Capture" condition="contains">\ConsentStore\bluetooth</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Contacts Accesses" condition="contains">\ConsentStore\contacts</TargetObject>

From 084b234313c886faeb044161bb8f9557719e10d6 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Thu, 6 Oct 2022 12:12:16 -0400
Subject: [PATCH 423/471] Enable MITRE Tagging for drivers, system services,
 enable alerting.

---
 sysmonconfig-export.xml | 62 ++++++++++++++++++++---------------------
 1 file changed, 31 insertions(+), 31 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index b78af38a..e659fcc2 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -4735,27 +4735,27 @@
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Microsoft\System\Scripts</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Windows\System\Scripts</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Service Command Line parameters" condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Service Start Mode Changed to: Boot" groupRelation="and">
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Start Mode Changed to: Boot" groupRelation="and">
 				<TargetObject condition="end with">\Start</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Service Start Mode Changed to: System" groupRelation="and">
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Start Mode Changed to: System" groupRelation="and">
 				<TargetObject condition="end with">\Start</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Service Start Mode Changed to: Automatic" groupRelation="and">
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Start Mode Changed to: Automatic" groupRelation="and">
 				<TargetObject condition="end with">\Start</TargetObject>
 				<Details condition="contains">DWORD (0x00000002)</Details>
 			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Service Start Mode Changed to: Manual" groupRelation="and">
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Services: Service Start Mode Changed to: Manual" groupRelation="and">
 				<TargetObject condition="end with">\Start</TargetObject>
 				<Details condition="contains">DWORD (0x00000003)</Details>
 			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Service Start Mode Changed to: Disabled" groupRelation="and">
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Services: Service Start Mode Changed to: Disabled" groupRelation="and">
 				<TargetObject condition="end with">\Start</TargetObject>
 				<Details condition="contains">DWORD (0x00000004)</Details>
 			</Rule>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Services and autoruns imagepath" condition="end with">\ImagePath</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Services: Services and autoruns imagepath" condition="end with">\ImagePath</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Service DLL changes" condition="end with">\ServiceDll</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Manifest pointing to service's DLL" condition="end with">\ServiceManifest</TargetObject>
 			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="begin with">hkcu\software\microsoft\windows nt\currentversion\windows\run\</TargetObject>
@@ -5597,17 +5597,17 @@
 			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Calendar Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Calendar</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Office History" condition="contains">\Place MRU</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVerVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVersion</TargetObject>
+			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVerVersion</TargetObject>
+			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVersion</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Path" condition="end with">\LowerCaseLongPath</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Pub" condition="end with">\Publisher</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Store" condition="contains">Compatibility Assistant\Store\</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Ver" condition="end with">\BinProductVersion</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Application Shortcuts" condition="contains">Root\InventoryApplicationShortcut\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Driver Binary Info" condition="contains">Root\InventoryDriverBinary</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Driver Package Info" condition="contains">Root\InventoryDriverPackage</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache PNP Device Info" condition="contains">Root\InventoryDevicePnp</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Device Info" condition="contains">Root\InventoryDeviceContainer</TargetObject>
+			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Driver Binary Info" condition="contains">Root\InventoryDriverBinary</TargetObject>
+			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Driver Package Info" condition="contains">Root\InventoryDriverPackage</TargetObject>
+			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache PNP Device Info,Desc=Services: New or Updated Drivers" condition="contains">Root\InventoryDevicePnp</TargetObject>
+			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Device Info" condition="contains">Root\InventoryDeviceContainer</TargetObject>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Application Installation Info" groupRelation="and">
 				<TargetObject condition="contains">Root\InventoryApplication\</TargetObject>
 				<TargetObject condition="contains any">ProgramID;Name;Version;Publisher;Language;InstallDate;Source;RootDirPath;HiddenArp;UninstallString;RegistryKeyPath;UserSID;sha256</TargetObject>
@@ -5624,70 +5624,70 @@
 			</Rule>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User Mount Points" condition="end with">\Explorer\MountPoints2</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor DOS Devices Virtual Registry Paths" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices</TargetObject>
-			<Rule name="Attack=T1489,Technique=Service Stop,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Service Set for Deletion" groupRelation="and">
+			<Rule name="Attack=T1489,Technique=Service Stop,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Set for Deletion" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\DeleteFlag</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=New Kernel Device Driver" groupRelation="and">
+			<Rule name="Attack=Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: New Kernel Device Driver" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\Type</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=New File System Driver" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: New File System Driver" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\Type</TargetObject>
 				<Details condition="contains">DWORD (0x00000002)</Details>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=New Adapter Driver" groupRelation="and">
+			<Rule name="Attack=Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: New Adapter Driver" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\Type</TargetObject>
 				<Details condition="contains">DWORD (0x00000004)</Details>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=New System Service: Own Process" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Alert=Services: New System Service: Own Process" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\Type</TargetObject>
 				<Details condition="contains">DWORD (0x00000020)</Details>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=New System Service: Share Process" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Alert=Services: New System Service: Share Process" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\Type</TargetObject>
 				<Details condition="contains">DWORD (0x00000020)</Details>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=New System Service: Interactive" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Alert=Services: New System Service: Interactive" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\Type</TargetObject>
 				<Details condition="contains">DWORD (0x00000100)</Details>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver Group" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver Group" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\Group</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver DependOnService" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver DependOnService" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\DependOnService</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver BinaryPathName" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver BinaryPathName" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\BinaryPathName</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver RequiredPrivileges" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver RequiredPrivileges" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\RequiredPrivileges</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver Owners: Correlation to Amcache" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver Owners: Correlation to Amcache" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\Owners</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver ObjectName: User Service Runs as specified in ServiceStartName" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver ObjectName: User Service Runs as specified in ServiceStartName" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\ObjectName</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver ObjectName: User Service Runs as" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver ObjectName: User Service Runs as" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\ServiceStartName</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver ErrorControl" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver ErrorControl" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\ErrorControl</TargetObject>
 				<!--<Details name="Critical if lastknown good fails bugcheck" condition="contains">DWORD (0x00000003)</Details>
@@ -5696,19 +5696,19 @@
 				<Details name="Ignore Failure"condition="contains">DWORD (0x00000000)</Details>
 				<Details condition="contains">DWORD (0x00000001)</Details>-->
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver DependOnGroup" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver DependOnGroup" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\DependOnGroup</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Monitor Driver DisplayName" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver DisplayName" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\DisplayName</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Service Group Order Modifications" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Group Order Modifications" groupRelation="and">
 				<TargetObject condition="contains">HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder</TargetObject>
 				<TargetObject condition="end with">\List</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Service Set for Deletion" groupRelation="and">
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Set for Deletion" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\Type</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>

From 89e8cd59d518ae4949fe4d220f578ff469b13404 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Thu, 6 Oct 2022 12:29:46 -0400
Subject: [PATCH 424/471] Noise reduction in Class Keys for new hardware
 detections

---
 sysmonconfig-export.xml | 40 ++++++++++++++++++++++++++++++++--------
 1 file changed, 32 insertions(+), 8 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e659fcc2..d57e04dd 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -4616,17 +4616,41 @@
 				<TargetObject condition="excludes">DefaultPrinter</TargetObject>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Keyloggers and new Keyboards" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect USB Input Devices" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Mice" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Composite Device" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Bluetooth Device" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Disk Drive" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New WPD Devices" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Biometric Devices" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Mounted Device Detection" condition="contains">MountedDevices</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Mountpoints2 Mounted Device Detection" condition="contains">Mountpoints2</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Active Setup Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Keyloggers and new Keyboards" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect USB Input Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Mice" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Composite Device" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Bluetooth Device" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Disk Drive" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New WPD Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Biometric Devices" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
 			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
 			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->

From 7bd07c130b23e1013e7ed38c15bd3e8011b0a2c5 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 7 Oct 2022 09:02:34 -0400
Subject: [PATCH 425/471] MITRE Tagging of hardware additions

---
 sysmonconfig-export.xml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index d57e04dd..fc881eec 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -4620,36 +4620,36 @@
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect USB Input Devices" groupRelation="and">
+			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect USB Input Devices" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Mice" groupRelation="and">
+			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Mice" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Composite Device" groupRelation="and">
+			<Rule name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Composite Device" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Bluetooth Device" groupRelation="and">
+			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Bluetooth Device" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Disk Drive" groupRelation="and">
+			<Rule name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Disk Drive" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New WPD Devices" groupRelation="and">
+			<Rule name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New WPD Devices" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Biometric Devices" groupRelation="and">
+			<Rule name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Biometric Devices" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Mounted Device Detection" condition="contains">MountedDevices</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Mountpoints2 Mounted Device Detection" condition="contains">Mountpoints2</TargetObject>
+			<TargetObject name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Mounted Device Detection" condition="contains">MountedDevices</TargetObject>
+			<TargetObject name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Mountpoints2 Mounted Device Detection" condition="contains">Mountpoints2</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Active Setup Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
 			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->

From 995be59d850175762e23cbaa6649b2ff6b55ea85 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 7 Oct 2022 09:09:32 -0400
Subject: [PATCH 426/471] AV Exclusions for performance, noise reduction

---
 sysmonconfig-export.xml | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index fc881eec..34a14b57 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -3303,6 +3303,13 @@
 				<Signed condition="is">true</Signed>
 			</Rule>
 			<!--Universal Exclusions: Be Careful-->
+			<Rule name="Antivirus Exclusions" groupRelation="or"> 
+				<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab</Image> 
+				<Image condition="begin with">C:\Program Files\Kaspersky Lab</Image>
+				<Image condition="begin with">C:\Program Files (x86)\ESET</Image>
+				<Image condition="begin with">C:\Program Files\ESET</Image>
+				<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\</Image>
+			</Rule>
 			<Company condition="contains">Fortinet</Company>
 			<Company condition="contains">Lenovo</Company>
 			<Company condition="contains">Sophos</Company>
@@ -3637,12 +3644,6 @@
 			<CallTrace name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">dump</CallTrace>
 			<CallTrace name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">mimikatz</CallTrace>
 			<CallTrace name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=ProcessAccess with CorperfmontExt.dll,Risk=70" condition="contains">CorperfmontExt.dll</CallTrace>
-			<Rule name="Antivirus Exclusions" groupRelation="or"> 
-				<SourceImage condition="begin with">C:\Program Files (x86)\Kaspersky Lab</SourceImage> 
-				<SourceImage condition="begin with">C:\Program Files\Kaspersky Lab</SourceImage>
-				<SourceImage condition="begin with">C:\Program Files (x86)\ESET</SourceImage>
-				<SourceImage condition="begin with">C:\Program Files\ESET</SourceImage>
-			</Rule>
 		</ProcessAccess>
 	</RuleGroup>
 	<RuleGroup name="RG=ProcessAccess Exclude Group" groupRelation="or">
@@ -3670,6 +3671,13 @@
 				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\win32u.dll</CallTrace>
 				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\wow64win.dll</CallTrace>
 			</Rule>
+			<Rule name="Antivirus Exclusions" groupRelation="or"> 
+				<SourceImage condition="begin with">C:\Program Files (x86)\Kaspersky Lab</SourceImage> 
+				<SourceImage condition="begin with">C:\Program Files\Kaspersky Lab</SourceImage>
+				<SourceImage condition="begin with">C:\Program Files (x86)\ESET</SourceImage>
+				<SourceImage condition="begin with">C:\Program Files\ESET</SourceImage>
+				<SourceImage condition="begin with">C:\ProgramData\Microsoft\Windows Defender\</SourceImage>
+			</Rule>
 		</ProcessAccess>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
@@ -6858,6 +6866,13 @@
 				<TargetFilename condition="contains all">:\Users\;\AppData\;\D3DSCache</TargetFilename>
 				<TargetFilename condition="end with">.lock</TargetFilename>
 			</Rule>
+			<Rule name="Antivirus Exclusions" groupRelation="or"> 
+				<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab</Image> 
+				<Image condition="begin with">C:\Program Files\Kaspersky Lab</Image>
+				<Image condition="begin with">C:\Program Files (x86)\ESET</Image>
+				<Image condition="begin with">C:\Program Files\ESET</Image>
+				<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\</Image>
+			</Rule>
 			<Rule name="safe users - be careful" groupRelation="or">
 				<!--<User condition="is">NT AUTHORITY\TrustedInstaller</User>
 				<User condition="is">SYSTEM</User>

From 8c78a7db0941250a10b82037c3f7ca3942888216 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 7 Oct 2022 09:29:28 -0400
Subject: [PATCH 427/471] MITRE Tagging and a few new detections

---
 sysmonconfig-export.xml | 69 +++++++++++++++++++++++++++++++----------
 1 file changed, 53 insertions(+), 16 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 34a14b57..ab44be9f 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -144,18 +144,24 @@
 				<CommandLine condition="contains">.SettingContent-ms</CommandLine>
 				<CommandLine condition="excludes">immersivecontrolpanel</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,DS=Process: Process Creation,Level=0,Alert=Double File Extension,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Alert=Double File Extension,Risk=100" groupRelation="or">
+				<Image condition="end with">      .exe</Image>
+				<Image condition="end with">.7z.exe</Image>
+				<Image condition="end with">.doc.exe</Image>
 				<Image condition="end with">.doc.exe</Image>
 				<Image condition="end with">.docx.exe</Image>
-				<Image condition="end with">.docx.exe</Image>
-				<Image condition="end with">.xls.exe</Image>
-				<Image condition="end with">.xlsx.exe</Image>
+				<Image condition="end with">.ico.exe</Image>
+				<Image condition="end with">.iso.exe</Image>
+				<Image condition="end with">.lnk.exe</Image>
+				<Image condition="end with">.pdf.exe</Image>
 				<Image condition="end with">.ppt.exe</Image>
 				<Image condition="end with">.pptx.exe</Image>
+				<Image condition="end with">.rar.exe</Image>
 				<Image condition="end with">.rtf.exe</Image>
-				<Image condition="end with">.pdf.exe</Image>
 				<Image condition="end with">.txt.exe</Image>
-				<Image condition="end with">      .exe</Image>
+				<Image condition="end with">.xls.exe</Image>
+				<Image condition="end with">.xlsx.exe</Image>
+				<Image condition="end with">.zip.exe</Image>
 				<Image condition="end with">______.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,DS=Process: Process Creation,Level=0,Alert=Suspicious HWP Sub Processes,Risk=70" groupRelation="and">
@@ -2096,6 +2102,13 @@
 			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Linux tools installed on windows,Risk=30" groupRelation="and">
 				<Image condition="contains any">\awk.exe;\sed.exe</Image>
 			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Execution Locations,Risk=30" groupRelation="and">
+				<Image condition="contains any">C:\Users\Public\;$Recyclebin;\Desktop\;\Content.Outlook\</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Desc=Suspicious Execution extensions,Risk=30" groupRelation="and">
+				<Image condition="contains any">C:\Users\Public\;$Recyclebin;\Desktop\;\Content.Outlook\;\Downloads\</Image>
+				<CommandLine condition="contains any">.html;.hta;.iso;.js;.bat;.cmd;.cmdline;.vbs;.vb;.vbe;.reg;.com</CommandLine>
+			</Rule>
 			<CommandLine condition="contains">listena</CommandLine>
 			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=LOLBins" condition="contains any">-s -n -u -i:http:</CommandLine>
 			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=LOLBins" condition="contains any">/s /n /u /i:http:</CommandLine>
@@ -4000,6 +4013,26 @@
 				<Image condition="begin with">C:\Windows\</Image>
 				<Image condition="contains">\config\systemprofile\</Image>
 			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="or">
+				<TargetFilename condition="end with">      .exe</TargetFilename>
+				<TargetFilename condition="end with">.7z.exe</TargetFilename>
+				<TargetFilename condition="end with">.doc.exe</TargetFilename>
+				<TargetFilename condition="end with">.doc.exe</TargetFilename>
+				<TargetFilename condition="end with">.docx.exe</TargetFilename>
+				<TargetFilename condition="end with">.ico.exe</TargetFilename>
+				<TargetFilename condition="end with">.iso.exe</TargetFilename>
+				<TargetFilename condition="end with">.lnk.exe</TargetFilename>
+				<TargetFilename condition="end with">.pdf.exe</TargetFilename>
+				<TargetFilename condition="end with">.ppt.exe</TargetFilename>
+				<TargetFilename condition="end with">.pptx.exe</TargetFilename>
+				<TargetFilename condition="end with">.rar.exe</TargetFilename>
+				<TargetFilename condition="end with">.rtf.exe</TargetFilename>
+				<TargetFilename condition="end with">.txt.exe</TargetFilename>
+				<TargetFilename condition="end with">.xls.exe</TargetFilename>
+				<TargetFilename condition="end with">.xlsx.exe</TargetFilename>
+				<TargetFilename condition="end with">.zip.exe</TargetFilename>
+				<TargetFilename condition="end with">______.exe</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
@@ -6483,21 +6516,25 @@
 				<TargetFilename condition="contains any">\Temp\;\AppData\;C:\Users\Public</TargetFilename>
 				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="or">
-				<TargetFilename condition="end with">.pdf.exe</TargetFilename>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="or">
+				<TargetFilename condition="end with">      .exe</TargetFilename>
+				<TargetFilename condition="end with">.7z.exe</TargetFilename>
+				<TargetFilename condition="end with">.doc.exe</TargetFilename>
 				<TargetFilename condition="end with">.doc.exe</TargetFilename>
 				<TargetFilename condition="end with">.docx.exe</TargetFilename>
-				<TargetFilename condition="end with">.xls.exe</TargetFilename>
-				<TargetFilename condition="end with">.xlsx.exe</TargetFilename>
+				<TargetFilename condition="end with">.ico.exe</TargetFilename>
+				<TargetFilename condition="end with">.iso.exe</TargetFilename>
+				<TargetFilename condition="end with">.lnk.exe</TargetFilename>
+				<TargetFilename condition="end with">.pdf.exe</TargetFilename>
 				<TargetFilename condition="end with">.ppt.exe</TargetFilename>
-				<TargetFilename condition="end with">.txt.exe</TargetFilename>
+				<TargetFilename condition="end with">.pptx.exe</TargetFilename>
+				<TargetFilename condition="end with">.rar.exe</TargetFilename>
 				<TargetFilename condition="end with">.rtf.exe</TargetFilename>
-				<TargetFilename condition="end with">.iso.exe</TargetFilename>
+				<TargetFilename condition="end with">.txt.exe</TargetFilename>
+				<TargetFilename condition="end with">.xls.exe</TargetFilename>
+				<TargetFilename condition="end with">.xlsx.exe</TargetFilename>
 				<TargetFilename condition="end with">.zip.exe</TargetFilename>
-				<TargetFilename condition="end with">.rar.exe</TargetFilename>
-				<TargetFilename condition="end with">.7z.exe</TargetFilename>
-				<TargetFilename condition="end with">.ico.exe</TargetFilename>
-				<TargetFilename condition="end with">.lnk.exe</TargetFilename>
+				<TargetFilename condition="end with">______.exe</TargetFilename>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Alert=Block PSexec and PSEXESVC from Dropping binaries" groupRelation="or">
 				<Image condition="contains any">psexesvc</Image>

From e1d603d630e71e6a2bc94a26a0720cb8ca19a79e Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 7 Oct 2022 09:31:07 -0400
Subject: [PATCH 428/471] Move Double Extensions under masquerading

---
 sysmonconfig-export.xml | 42 ++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index ab44be9f..95cc6c20 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -144,26 +144,6 @@
 				<CommandLine condition="contains">.SettingContent-ms</CommandLine>
 				<CommandLine condition="excludes">immersivecontrolpanel</CommandLine>
 			</Rule>
-			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Alert=Double File Extension,Risk=100" groupRelation="or">
-				<Image condition="end with">      .exe</Image>
-				<Image condition="end with">.7z.exe</Image>
-				<Image condition="end with">.doc.exe</Image>
-				<Image condition="end with">.doc.exe</Image>
-				<Image condition="end with">.docx.exe</Image>
-				<Image condition="end with">.ico.exe</Image>
-				<Image condition="end with">.iso.exe</Image>
-				<Image condition="end with">.lnk.exe</Image>
-				<Image condition="end with">.pdf.exe</Image>
-				<Image condition="end with">.ppt.exe</Image>
-				<Image condition="end with">.pptx.exe</Image>
-				<Image condition="end with">.rar.exe</Image>
-				<Image condition="end with">.rtf.exe</Image>
-				<Image condition="end with">.txt.exe</Image>
-				<Image condition="end with">.xls.exe</Image>
-				<Image condition="end with">.xlsx.exe</Image>
-				<Image condition="end with">.zip.exe</Image>
-				<Image condition="end with">______.exe</Image>
-			</Rule>
 			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,DS=Process: Process Creation,Level=0,Alert=Suspicious HWP Sub Processes,Risk=70" groupRelation="and">
 				<ParentImage condition="image">Hwp.exe</ParentImage>
 				<Image condition="image">gbb.exe</Image>
@@ -866,7 +846,27 @@
 			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=suspicious execution path,Risk=30" groupRelation="and">
 				<Image condition="contains any">C:\Users\NetworkService\;C:\Users\NetworkService\;HarddiskVolumeShadowCopy;C:\Users\Default\;C:\Users\Public;C:\Users\Guest\;\administrateur\;C:\Windows\Media\;C:\Windows\addins\;tsclient\;\htdocs\;\config\systemprofile\;C:\PerfLogs\;c:\windows\ServiceProfiles\;C:\Intel\Logs\;C:\Windows\repair\;C:\Windows\Help\;$Recycle;C:\Windows\Debug\;C:\Windows\Security\;C:\Windows\Fonts\;\wwwroot\;\Contacts;C:\Windows\vss\</Image>
-			</Rule>		
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Alert=Double File Extension,Risk=100" groupRelation="or">
+				<Image condition="end with">      .exe</Image>
+				<Image condition="end with">.7z.exe</Image>
+				<Image condition="end with">.doc.exe</Image>
+				<Image condition="end with">.doc.exe</Image>
+				<Image condition="end with">.docx.exe</Image>
+				<Image condition="end with">.ico.exe</Image>
+				<Image condition="end with">.iso.exe</Image>
+				<Image condition="end with">.lnk.exe</Image>
+				<Image condition="end with">.pdf.exe</Image>
+				<Image condition="end with">.ppt.exe</Image>
+				<Image condition="end with">.pptx.exe</Image>
+				<Image condition="end with">.rar.exe</Image>
+				<Image condition="end with">.rtf.exe</Image>
+				<Image condition="end with">.txt.exe</Image>
+				<Image condition="end with">.xls.exe</Image>
+				<Image condition="end with">.xlsx.exe</Image>
+				<Image condition="end with">.zip.exe</Image>
+				<Image condition="end with">______.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->

From 0fd06947cde6e0528ce4b8b80dcab7f395430b09 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 7 Oct 2022 09:43:14 -0400
Subject: [PATCH 429/471] add additional office apps

---
 sysmonconfig-export.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 95cc6c20..77d3cda0 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -390,7 +390,7 @@
 				<Image condition="excludes">vivaldi.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Info=Office Spawning exe within: ProgramData,Risk=70" groupRelation="and">
-				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe</ParentImage>
+				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe</ParentImage>
 				<Image condition="begin with">C:\ProgramData\</Image>
 				<Product condition="excludes">Firefox</Product>
 				<Product condition="excludes">Microsoft Edge</Product>
@@ -3811,12 +3811,12 @@
 				<Image condition="image">C:\Windows\system32\wermgr.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Office App Creating Exe File,Risk=70" groupRelation="and">
-				<Image condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe</Image>
+				<Image condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe</Image>
 				<TargetFilename condition="end with">.exe</TargetFilename>
 				<TargetFilename condition="begin with">C:\Users</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Office App Creating DLL File,Risk=70" groupRelation="and">
-				<Image condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe</Image>
+				<Image condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe</Image>
 				<TargetFilename condition="end with">.dll</TargetFilename>
 				<TargetFilename condition="begin with">C:\Users</TargetFilename>
 			</Rule>

From 1d16037648af970a1da2cc21a1687d9b627f516b Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 7 Oct 2022 14:17:24 -0400
Subject: [PATCH 430/471] Some new detections to track spearphishing
 attachments and more

---
 sysmonconfig-export.xml | 56 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 52 insertions(+), 4 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 77d3cda0..f7914e02 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -344,9 +344,9 @@
 			</Rule>
 			<ParentCommandLine name="Attack=T1059.001,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Metasploit Detection,Risk=90" condition="contains">COMSPEC</ParentCommandLine>
 			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=ScriptFile execution" condition="contains">ScriptFile</CommandLine>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\7z</CommandLine><!-- exec from 7zip -->
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">AppData\Local\Temp\Temp1_</CommandLine><!-- exec from explorer -->
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">\AppData\Local\Temp\Rar$</CommandLine><!-- exec from winrar -->
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">\Temp\7z</CommandLine><!-- exec from 7zip -->
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">\Temp\Temp1_</CommandLine><!-- exec from explorer -->
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">\Temp\Rar$</CommandLine><!-- exec from winrar -->
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
 			<Rule name="Attack=T1059.001,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Powershell Launched from users folder,Risk=60" groupRelation="and">
 				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
@@ -371,6 +371,51 @@
 				<CommandLine condition="excludes">C:\Windows\system32\spool\DRIVERS\</CommandLine>
 				<CommandLine condition="excludes">PhotoViewer.dll</CommandLine>
 			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed suspicious html attachment,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<CommandLine condition="excludes any">http:;https:;ftp:;mailto:;tel:</CommandLine>
+				<CommandLine condition="end with">.html</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed suspicious html attachment 2,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<CommandLine condition="excludes any">http:;https:;ftp:;mailto:;tel:</CommandLine>
+				<CommandLine condition="end with">.html"</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed suspicious html attachment 2,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<CommandLine condition="excludes any">http:;https:;ftp:;mailto:;tel:</CommandLine>
+				<CommandLine condition="end with">.html"</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed pfd attachment,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<CommandLine condition="end with">.pdf"</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed pfd attachment 2,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<CommandLine condition="end with">.pdf</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed iso attachment,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<CommandLine condition="end with">.iso"</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed iso attachment 2,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<CommandLine condition="end with">.iso</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Link Clicks,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe;BrowserAssist.exe;\msedgewebview;\msedge.exe</Image>
+				<CommandLine condition="contains any">http:;https:;ftp:;mailto:;tel:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed to Common Download locations,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<CommandLine condition="excludes any">http:;https:;ftp:;mailto:;tel:</CommandLine>
+				<CommandLine condition="contains any">\Content.Outlook\;\Downloads\;\Documents\;:\Users\Public\;\Desktop\</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Execution to UNC File Path,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<CommandLine condition="contains any">\\</CommandLine>
+			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Alert=Office Spawning exe within: User Home Dirs,Risk=80" groupRelation="and">
 				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe</ParentImage>
 				<Image condition="begin with">C:\Users\</Image>
@@ -389,7 +434,7 @@
 				<Image condition="excludes">iexplore.exe</Image>
 				<Image condition="excludes">vivaldi.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Info=Office Spawning exe within: ProgramData,Risk=70" groupRelation="and">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Desc=Office Spawning exe within: ProgramData,Risk=70" groupRelation="and">
 				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe</ParentImage>
 				<Image condition="begin with">C:\ProgramData\</Image>
 				<Product condition="excludes">Firefox</Product>
@@ -397,6 +442,9 @@
 				<Product condition="excludes">Microsoft Teams</Product>
 				<Product condition="excludes">Zoom Video</Product>
 			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Desc=Execution from within Zip File,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">.zip\</CommandLine>
+			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Adobe Exploitation Detection,Risk=80" groupRelation="and">
 				<ParentImage condition="contains any">acrobat.exe;acrord32.exe</ParentImage>
 				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>

From ede706773aa1bdbdeeab2c2309733e89fb958dee Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 7 Oct 2022 14:40:58 -0400
Subject: [PATCH 431/471] additional mounted devices detection besides mounted
 devices keys to ensure logging of iso/img malware

---
 sysmonconfig-export.xml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f7914e02..813995d9 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -344,9 +344,9 @@
 			</Rule>
 			<ParentCommandLine name="Attack=T1059.001,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Metasploit Detection,Risk=90" condition="contains">COMSPEC</ParentCommandLine>
 			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=ScriptFile execution" condition="contains">ScriptFile</CommandLine>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">\Temp\7z</CommandLine><!-- exec from 7zip -->
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">\Temp\Temp1_</CommandLine><!-- exec from explorer -->
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from Archive File,Risk=50" condition="contains">\Temp\Rar$</CommandLine><!-- exec from winrar -->
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from 7z Archive File,Risk=50" condition="contains">\Temp\7z</CommandLine><!-- exec from 7zip -->
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from Explorer Archive File,Risk=50" condition="contains">\Temp\Temp1_</CommandLine><!-- exec from explorer -->
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from winrar Archive File,Risk=50" condition="contains">\Temp\Rar$</CommandLine><!-- exec from winrar -->
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
 			<Rule name="Attack=T1059.001,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Powershell Launched from users folder,Risk=60" groupRelation="and">
 				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
@@ -5735,7 +5735,12 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Office Information" groupRelation="and">
 				<TargetObject condition="contains any">Root\InventoryMiscellaneousOfficeAddIn;Root\InventoryMiscellaneousOfficeIdentifiers;Root\InventoryMiscellaneousOfficeIESettings;Root\InventoryMiscellaneousOfficeInsights;Root\InventoryMiscellaneousOfficeProducts;Root\InventoryMiscellaneousOfficeSettings;Root\InventoryMiscellaneousOfficeVBA;Root\InventoryMiscellaneousOfficeVBARuleViolations</TargetObject>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User Mount Points" condition="end with">\Explorer\MountPoints2</TargetObject>
+			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=ISO Drive Mounted" groupRelation="and">
+				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume</TargetObject>
+				<TargetObject condition="end with">Drive Type</TargetObject>
+				<Details condition="contains">DWORD (0x00000011)</Details>
+			</Rule>
+			<TargetObject name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User Mount Points" condition="end with">\Explorer\MountPoints2</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor DOS Devices Virtual Registry Paths" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices</TargetObject>
 			<Rule name="Attack=T1489,Technique=Service Stop,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Set for Deletion" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>

From 729b8a9d0c47e0266ac3036b304984e3b39f8824 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 7 Oct 2022 14:48:05 -0400
Subject: [PATCH 432/471] Add alerting in Amcache for virtual  DVD-ROM Mount
 after iso mount for additional telemetry for iso/img malware.

---
 sysmonconfig-export.xml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 813995d9..bc574d0c 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -4737,6 +4737,10 @@
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
+			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=Virtual DVD-ROM Drive Mounted,Forensic=Virtual DVD-ROM Drive Mounted" groupRelation="and">
+				<TargetObject condition="contains all">Root\InventoryDevicePnp;prod_virtual_dvd-rom</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
 			<TargetObject name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Mounted Device Detection" condition="contains">MountedDevices</TargetObject>
 			<TargetObject name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Mountpoints2 Mounted Device Detection" condition="contains">Mountpoints2</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Active Setup Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>

From 5b57c5cfbf97ce1c2896776e013def96469f441f Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 7 Oct 2022 14:57:38 -0400
Subject: [PATCH 433/471] Add Bitlocker Status Monitoring for System drive with
 alerting enabled.

---
 sysmonconfig-export.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index bc574d0c..1767a77e 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -5499,6 +5499,14 @@
 				<EventType condition="is">DeleteKey</EventType>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Desc=Bitlocker Drive Encryption Enabled on System Drive" groupRelation="and">
+				<TargetObject condition="begin with">SYSTEM\CurrentControlSet\Control\BitlockerStatus\BootStatus</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Alert=Bitlocker Drive Encryption Disabled on System Drive" groupRelation="and">
+				<TargetObject condition="begin with">SYSTEM\CurrentControlSet\Control\BitlockerStatus\BootStatus</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
 			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
 			<!--MITRE ATT&CK TECHNIQUE: Defacement-->

From 7ccb9bd3fa6658152d4d95c7815f46a4f8374952 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 7 Oct 2022 15:02:08 -0400
Subject: [PATCH 434/471] Add Bitlocker Status Monitoring for System drive with
 alerting enabled. Fix

---
 sysmonconfig-export.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 1767a77e..a50d086a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -5500,11 +5500,11 @@
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Desc=Bitlocker Drive Encryption Enabled on System Drive" groupRelation="and">
-				<TargetObject condition="begin with">SYSTEM\CurrentControlSet\Control\BitlockerStatus\BootStatus</TargetObject>
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BitlockerStatus\BootStatus</TargetObject>
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Alert=Bitlocker Drive Encryption Disabled on System Drive" groupRelation="and">
-				<TargetObject condition="begin with">SYSTEM\CurrentControlSet\Control\BitlockerStatus\BootStatus</TargetObject>
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BitlockerStatus\BootStatus</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->

From b7d421aebcc9906be23bff7696428ebc94d56f84 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 7 Oct 2022 15:33:00 -0400
Subject: [PATCH 435/471] Push Vulnerable Driver detections from Nasreddine
 Bencherchali https://twitter.com/nas_bench/status/1578433581479002112 ref:
 https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_vuln_drivers.yml

---
 sysmonconfig-export.xml | 483 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 482 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index a50d086a..11cb3215 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -85,7 +85,7 @@
 				</Rule> 
 -->
 <Sysmon schemaversion="4.83">
-	<HashAlgorithms>md5,sha256,imphash</HashAlgorithms>
+	<HashAlgorithms>md5,sha1,sha256,imphash</HashAlgorithms>
 	<CheckRevocation/>
 	<EventFiltering>
 	<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
@@ -3108,6 +3108,487 @@
 			<SignatureStatus condition="contains">Unavailable</SignatureStatus>
 			<SignatureStatus condition="contains">Valid</SignatureStatus>
 			<Signed name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Unsigned Driver loaded into Kernel" condition="contains">false</Signed>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Driver: Driver Load,Level=4,Alert=Vulnerable Driver Loaded,Risk=100,Author=Nasreddine Bencherchali" groupRelation="or">
+				<!--# List below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT-->
+				<Hashes condition="contains">SHA1=2261198385d62d2117f50f631652eded0ecc71db</Hashes>
+				<Hashes condition="contains">SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc</Hashes>
+				<Hashes condition="contains">SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f</Hashes>
+				<Hashes condition="contains">SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd</Hashes>
+				<Hashes condition="contains">SHA1=21e6c104fe9731c874fab5c9560c929b2857b918</Hashes>
+				<Hashes condition="contains">SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2</Hashes>
+				<Hashes condition="contains">SHA1=2f991435a6f58e25c103a657d24ed892b99690b8</Hashes>
+				<Hashes condition="contains">SHA1=f02af84393e9627ba808d4159841854a6601cf80</Hashes>
+				<Hashes condition="contains">SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe</Hashes>
+				<Hashes condition="contains">SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba</Hashes>
+				<Hashes condition="contains">SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705</Hashes>
+				<Hashes condition="contains">SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa</Hashes>
+				<Hashes condition="contains">SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124</Hashes>
+				<Hashes condition="contains">SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2</Hashes>
+				<Hashes condition="contains">SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b</Hashes>
+				<Hashes condition="contains">SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc</Hashes>
+				<Hashes condition="contains">SHA1=72966ca845759d239d09da0de7eebe3abe86fee3</Hashes>
+				<Hashes condition="contains">SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de</Hashes>
+				<Hashes condition="contains">SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7</Hashes>
+				<Hashes condition="contains">SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e</Hashes>
+				<Hashes condition="contains">SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741</Hashes>
+				<Hashes condition="contains">SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95</Hashes>
+				<Hashes condition="contains">SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86</Hashes>
+				<Hashes condition="contains">SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65</Hashes>
+				<Hashes condition="contains">SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13</Hashes>
+				<Hashes condition="contains">SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b</Hashes>
+				<Hashes condition="contains">SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb</Hashes>
+				<Hashes condition="contains">SHA1=468e2e5505a3d924b14fedee4ddf240d09393776</Hashes>
+				<Hashes condition="contains">SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8</Hashes>
+				<Hashes condition="contains">SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f</Hashes>
+				<Hashes condition="contains">SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123</Hashes>
+				<Hashes condition="contains">SHA1=623cd2abef6c92255f79cbbd3309cb59176771da</Hashes>
+				<Hashes condition="contains">SHA1=1f3a9265963b660392c4053329eb9436deeed339</Hashes>
+				<Hashes condition="contains">SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c</Hashes>
+				<Hashes condition="contains">SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d</Hashes>
+				<Hashes condition="contains">SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb</Hashes>
+				<Hashes condition="contains">SHA1=c834c4931b074665d56ccab437dfcc326649d612</Hashes>
+				<Hashes condition="contains">SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c</Hashes>
+				<Hashes condition="contains">SHA1=51b60eaa228458dee605430aae1bc26f3fc62325</Hashes>
+				<Hashes condition="contains">SHA1=3270720a066492b046d7180ca6e60602c764cac7</Hashes>
+				<Hashes condition="contains">SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131</Hashes>
+				<Hashes condition="contains">SHA1=19bd488fe54b011f387e8c5d202a70019a204adf</Hashes>
+				<Hashes condition="contains">SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e</Hashes>
+				<Hashes condition="contains">SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344</Hashes>
+				<Hashes condition="contains">SHA1=205c69f078a563f54f4c0da2d02a25e284370251</Hashes>
+				<Hashes condition="contains">SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6</Hashes>
+				<Hashes condition="contains">SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac</Hashes>
+				<Hashes condition="contains">SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7</Hashes>
+				<Hashes condition="contains">SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843</Hashes>
+				<Hashes condition="contains">SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417</Hashes>
+				<Hashes condition="contains">SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181</Hashes>
+				<Hashes condition="contains">SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526</Hashes>
+				<Hashes condition="contains">SHA1=0307d76750dd98d707c699aee3b626643afb6936</Hashes>
+				<Hashes condition="contains">SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a</Hashes>
+				<Hashes condition="contains">SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946</Hashes>
+				<Hashes condition="contains">SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d</Hashes>
+				<Hashes condition="contains">SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0</Hashes>
+				<Hashes condition="contains">SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe</Hashes>
+				<Hashes condition="contains">SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0</Hashes>
+				<Hashes condition="contains">SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e</Hashes>
+				<Hashes condition="contains">SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d</Hashes>
+				<Hashes condition="contains">SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0</Hashes>
+				<Hashes condition="contains">SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2</Hashes>
+				<Hashes condition="contains">SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57</Hashes>
+				<Hashes condition="contains">SHA1=c948ae14761095e4d76b55d9de86412258be7afd</Hashes>
+				<Hashes condition="contains">SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad</Hashes>
+				<Hashes condition="contains">SHA1=745bad097052134548fe159f158c04be5616afc2</Hashes>
+				<Hashes condition="contains">SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754</Hashes>
+				<Hashes condition="contains">SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce</Hashes>
+				<Hashes condition="contains">SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d</Hashes>
+				<Hashes condition="contains">SHA1=ac13941f436139b909d105ad55637e1308f49d9a</Hashes>
+				<Hashes condition="contains">SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b</Hashes>
+				<Hashes condition="contains">SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1</Hashes>
+				<Hashes condition="contains">SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809</Hashes>
+				<Hashes condition="contains">SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387</Hashes>
+				<Hashes condition="contains">SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1</Hashes>
+				<Hashes condition="contains">SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee</Hashes>
+				<Hashes condition="contains">SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3</Hashes>
+				<Hashes condition="contains">SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0</Hashes>
+				<Hashes condition="contains">SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1</Hashes>
+				<Hashes condition="contains">SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4</Hashes>
+				<Hashes condition="contains">SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d</Hashes>
+				<Hashes condition="contains">SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd</Hashes>
+				<Hashes condition="contains">SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9</Hashes>
+				<Hashes condition="contains">SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312</Hashes>
+				<Hashes condition="contains">SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643</Hashes>
+				<Hashes condition="contains">SHA1=27eab595ec403580236e04101172247c4f5d5426</Hashes>
+				<Hashes condition="contains">SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8</Hashes>
+				<Hashes condition="contains">SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c</Hashes>
+				<Hashes condition="contains">SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef</Hashes>
+				<Hashes condition="contains">SHA1=9c256edd10823ca76c0443a330e523027b70522d</Hashes>
+				<Hashes condition="contains">SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e</Hashes>
+				<Hashes condition="contains">SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0</Hashes>
+				<Hashes condition="contains">SHA1=054a50293c7b4eea064c91ef59cf120d8100f237</Hashes>
+				<Hashes condition="contains">SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2</Hashes>
+				<Hashes condition="contains">SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e</Hashes>
+				<Hashes condition="contains">SHA1=14bf0eaa90e012169745b3e30c281a327751e316</Hashes>
+				<Hashes condition="contains">SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79</Hashes>
+				<Hashes condition="contains">SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08</Hashes>
+				<Hashes condition="contains">SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614</Hashes>
+				<Hashes condition="contains">SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a</Hashes>
+				<Hashes condition="contains">SHA1=879fcc6795cebe67718388228e715c470de87dca</Hashes>
+				<Hashes condition="contains">SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a</Hashes>
+				<Hashes condition="contains">SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67</Hashes>
+				<Hashes condition="contains">SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03</Hashes>
+				<Hashes condition="contains">SHA1=a7bd05de737f8ea57857f1e0845a25677df01872</Hashes>
+				<Hashes condition="contains">SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e</Hashes>
+				<Hashes condition="contains">SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3</Hashes>
+				<Hashes condition="contains">SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc</Hashes>
+				<Hashes condition="contains">SHA1=d62fa51e520022483bdc5847141658de689c0c29</Hashes>
+				<Hashes condition="contains">SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9</Hashes>
+				<Hashes condition="contains">SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b</Hashes>
+				<Hashes condition="contains">SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd</Hashes>
+				<Hashes condition="contains">SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be</Hashes>
+				<Hashes condition="contains">SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646</Hashes>
+				<Hashes condition="contains">SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b</Hashes>
+				<Hashes condition="contains">SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60</Hashes>
+				<Hashes condition="contains">SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430</Hashes>
+				<Hashes condition="contains">SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b</Hashes>
+				<Hashes condition="contains">SHA1=0b8b83f245d94107cb802a285e6529161d9a834d</Hashes>
+				<Hashes condition="contains">SHA1=c969f1f73922fd95db1992a5b552fbc488366a40</Hashes>
+				<Hashes condition="contains">SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451</Hashes>
+				<Hashes condition="contains">SHA1=da9cea92f996f938f699902482ac5313d5e8b28e</Hashes>
+				<Hashes condition="contains">SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53</Hashes>
+				<Hashes condition="contains">SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260</Hashes>
+				<Hashes condition="contains">SHA1=f052dc35b74a1a6246842fbb35eb481577537826</Hashes>
+				<Hashes condition="contains">SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf</Hashes>
+				<Hashes condition="contains">SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e</Hashes>
+				<Hashes condition="contains">SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15</Hashes>
+				<Hashes condition="contains">SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2</Hashes>
+				<Hashes condition="contains">SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939</Hashes>
+				<Hashes condition="contains">SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e</Hashes>
+				<Hashes condition="contains">SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1</Hashes>
+				<Hashes condition="contains">SHA1=7fb52290883a6b69a96d480f2867643396727e83</Hashes>
+				<!--# The list below is from https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/ -->
+				<Hashes condition="contains">SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab</Hashes>
+				<Hashes condition="contains">SHA1=693a2645c28fc3b248fda95179c36c3ac64f6fc2</Hashes>
+				<Hashes condition="contains">SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d</Hashes>
+				<Hashes condition="contains">SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299</Hashes>
+				<Hashes condition="contains">SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c</Hashes>
+				<Hashes condition="contains">SHA1=fe10018af723986db50701c8532df5ed98b17c39</Hashes>
+				<Hashes condition="contains">SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b</Hashes>
+				<Hashes condition="contains">SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347</Hashes>
+				<Hashes condition="contains">SHA1=82ba5513c33e056c3f54152c8555abf555f3e745</Hashes>
+				<Hashes condition="contains">SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa</Hashes>
+				<Hashes condition="contains">SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4</Hashes>
+				<Hashes condition="contains">SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436</Hashes>
+				<Hashes condition="contains">SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891</Hashes>
+				<Hashes condition="contains">SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748</Hashes>
+				<Hashes condition="contains">SHA1=c771ea59f075170e952c393cfd6fc784b265027c</Hashes>
+				<Hashes condition="contains">SHA1=cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1</Hashes>
+				<Hashes condition="contains">SHA1=0918277fcdc64a9dc51c04324377b3468fa1269b</Hashes>
+				<Hashes condition="contains">SHA1=b09bcc042d60d2f4c0d08284818ed198cededa04</Hashes>
+				<!--# The list below is from https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c -->
+				<Hashes condition="contains">SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89</Hashes>
+				<Hashes condition="contains">SHA1=15df139494d2c40a645fb010908551185c27f3c5</Hashes>
+				<Hashes condition="contains">SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de</Hashes>
+				<Hashes condition="contains">SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75</Hashes>
+				<Hashes condition="contains">SHA1=490109fa6739f114651f4199196c5121d1c6bdf2</Hashes>
+				<Hashes condition="contains">SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5</Hashes>
+				<Hashes condition="contains">SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de</Hashes>
+				<Hashes condition="contains">SHA1=3f223581409492172a1e875f130f3485b90fbe5f</Hashes>
+				<Hashes condition="contains">SHA1=5db61d00a001fd493591dc919f69b14713889fc5</Hashes>
+				<!--# https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md -->
+				<Hashes condition="contains">SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f</Hashes>
+				<Hashes condition="contains">SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370</Hashes>
+				<Hashes condition="contains">SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c</Hashes>
+				<Hashes condition="contains">SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676</Hashes>
+				<Hashes condition="contains">SHA1=c6bd965300f07012d1b651a9b8776028c45b149a</Hashes>
+				<Hashes condition="contains">SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f</Hashes>
+				<Hashes condition="contains">SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1</Hashes>
+				<Hashes condition="contains">SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9</Hashes>
+				<Hashes condition="contains">SHA1=dc55217b6043d819eadebd423ff07704ee103231</Hashes>
+				<Hashes condition="contains">SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4</Hashes>
+				<Hashes condition="contains">SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f</Hashes>
+				<Hashes condition="contains">SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab</Hashes>
+				<Hashes condition="contains">SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63</Hashes>
+				<Hashes condition="contains">SHA1=c6d349823bbb1f5b44bae91357895dba653c5861</Hashes>
+				<Hashes condition="contains">SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2</Hashes>
+				<Hashes condition="contains">SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825</Hashes>
+				<Hashes condition="contains">SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d</Hashes>
+				<Hashes condition="contains">SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6</Hashes>
+				<Hashes condition="contains">SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162</Hashes>
+				<Hashes condition="contains">SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb</Hashes>
+				<Hashes condition="contains">SHA1=29a190727140f40cea9514a6420f5a195e36386b</Hashes>
+				<Hashes condition="contains">SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77</Hashes>
+				<Hashes condition="contains">SHA1=7667b72471689151e176baeba4e1cd9cd006a09a</Hashes>
+				<Hashes condition="contains">SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5</Hashes>
+				<Hashes condition="contains">SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8</Hashes>
+				<Hashes condition="contains">SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e</Hashes>
+				<Hashes condition="contains">SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403</Hashes>
+				<Hashes condition="contains">SHA1=d702d88b12233be9413446c445f22fda4a92a1d9</Hashes>
+				<Hashes condition="contains">SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1</Hashes>
+				<Hashes condition="contains">SHA1=643383938d5e0d4fd30d302af3e9293a4798e392</Hashes>
+				<Hashes condition="contains">SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07</Hashes>
+				<!--# The list below is derived from the ELASTIC yara rules https://github.com/elastic/protections-artifacts/search?q=VulnDriver -->
+				<!--# These are the hashes mentioned in the "reference_sample" section that ELASTIC used to create their rules -->
+				<Hashes condition="contains">SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816</Hashes>
+				<Hashes condition="contains">SHA1=db6245578ec57bd767b27ecf8085095e1c8e5a6e</Hashes>
+				<Hashes condition="contains">SHA1=166759fd511613414d3213942fe2575b926a6226</Hashes>
+				<Hashes condition="contains">SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4</Hashes>
+				<Hashes condition="contains">SHA1=98ceed786f79288becc08c3b82c57e8d4bfa1bca</Hashes>
+				<Hashes condition="contains">SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8</Hashes>
+				<Hashes condition="contains">SHA1=4de33d03fee52f396a1c788000ca868d56ac30de</Hashes>
+				<Hashes condition="contains">SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0</Hashes>
+				<Hashes condition="contains">SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d</Hashes>
+				<Hashes condition="contains">SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1</Hashes>
+				<Hashes condition="contains">SHA1=943593e880b4d340f2548548e6e673ef6f61eed3</Hashes>
+				<Hashes condition="contains">SHA1=5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd</Hashes>
+				<Hashes condition="contains">SHA1=e44297a2b750ec1958bef265e2f1ae6fa4323b28</Hashes>
+				<Hashes condition="contains">SHA1=aa2ea973bb248b18973e57339307cfb8d309f687</Hashes>
+				<Hashes condition="contains">SHA1=3a5d176c50f97b71d139767ed795d178623f491d</Hashes>
+				<Hashes condition="contains">SHA1=25d812a5ece19ea375178ef9d60415841087726e</Hashes>
+				<Hashes condition="contains">SHA1=3795e32592ab6d8074b6f7ad33759c6a39b0df07</Hashes>
+				<Hashes condition="contains">SHA1=fc121ed6fb37e97a004b6faf217435b772dfc4c0</Hashes>
+				<Hashes condition="contains">SHA1=ab2b8602e4baef828b58b995d0889a8e5b8dbd02</Hashes>
+				<Hashes condition="contains">SHA1=cf040040628b58f4a811f98c2690913c1e8e4e3c</Hashes>
+				<Hashes condition="contains">SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a</Hashes>
+				<Hashes condition="contains">SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed</Hashes>
+				<Hashes condition="contains">SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b</Hashes>
+				<Hashes condition="contains">SHA1=f3c5e723ae009b336cd2719137b8cd194c9ee51d</Hashes>
+				<Hashes condition="contains">SHA1=41f2d0f9863bce8920c207b1ef5d3d32b603edef</Hashes>
+				<Hashes condition="contains">SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001</Hashes>
+				<Hashes condition="contains">SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c</Hashes>
+				<Hashes condition="contains">SHA1=9401389fba314d1810f83edce33c37e84a78e112</Hashes>
+				<Hashes condition="contains">SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371</Hashes>
+				<Hashes condition="contains">SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7</Hashes>
+				<Hashes condition="contains">SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0</Hashes>
+				<Hashes condition="contains">SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4</Hashes>
+				<Hashes condition="contains">SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2</Hashes>
+				<Hashes condition="contains">SHA1=38571f14fc014487194d1eecfa80561ee8644e09</Hashes>
+				<Hashes condition="contains">SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2</Hashes>
+				<Hashes condition="contains">SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8</Hashes>
+				<Hashes condition="contains">SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba</Hashes>
+				<Hashes condition="contains">SHA1=4c18754dca481f107f0923fb8ef5e149d128525d</Hashes>
+				<Hashes condition="contains">SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f</Hashes>
+				<Hashes condition="contains">SHA1=cde32654a041fedc7b0fa1083f6005b950760062</Hashes>
+				<Hashes condition="contains">SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a</Hashes>
+				<Hashes condition="contains">SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332</Hashes>
+				<Hashes condition="contains">SHA1=4f7a8e26a97980544be634b26899afbefb0a833c</Hashes>
+				<!--# The list below is from https://github.com/namazso/physmem_drivers -->
+				<Hashes condition="contains">SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748</Hashes>
+				<Hashes condition="contains">SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA</Hashes>
+				<Hashes condition="contains">SHA256=6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA</Hashes>
+				<Hashes condition="contains">SHA256=8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F</Hashes>
+				<Hashes condition="contains">SHA256=B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414</Hashes>
+				<Hashes condition="contains">SHA256=7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D</Hashes>
+				<Hashes condition="contains">SHA256=7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA</Hashes>
+				<Hashes condition="contains">SHA256=42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00</Hashes>
+				<Hashes condition="contains">SHA256=2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E</Hashes>
+				<Hashes condition="contains">SHA256=436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7</Hashes>
+				<Hashes condition="contains">SHA256=B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602</Hashes>
+				<Hashes condition="contains">SHA256=DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8</Hashes>
+				<Hashes condition="contains">SHA256=B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A</Hashes>
+				<Hashes condition="contains">SHA256=025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4</Hashes>
+				<Hashes condition="contains">SHA256=2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4</Hashes>
+				<Hashes condition="contains">SHA256=ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C</Hashes>
+				<Hashes condition="contains">SHA256=F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B</Hashes>
+				<Hashes condition="contains">SHA256=2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A</Hashes>
+				<Hashes condition="contains">SHA256=950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9</Hashes>
+				<Hashes condition="contains">SHA256=0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB</Hashes>
+				<Hashes condition="contains">SHA256=47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC</Hashes>
+				<Hashes condition="contains">SHA256=B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF</Hashes>
+				<Hashes condition="contains">SHA256=5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A</Hashes>
+				<Hashes condition="contains">SHA256=0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3</Hashes>
+				<Hashes condition="contains">SHA256=3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5</Hashes>
+				<Hashes condition="contains">SHA256=36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB</Hashes>
+				<Hashes condition="contains">SHA256=29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94</Hashes>
+				<Hashes condition="contains">SHA256=45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0</Hashes>
+				<Hashes condition="contains">SHA256=50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F</Hashes>
+				<Hashes condition="contains">SHA256=607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C</Hashes>
+				<Hashes condition="contains">SHA256=61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8</Hashes>
+				<Hashes condition="contains">SHA256=74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4</Hashes>
+				<Hashes condition="contains">SHA256=76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303</Hashes>
+				<Hashes condition="contains">SHA256=81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469</Hashes>
+				<Hashes condition="contains">SHA256=9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B</Hashes>
+				<Hashes condition="contains">SHA256=9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E</Hashes>
+				<Hashes condition="contains">SHA256=AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608</Hashes>
+				<Hashes condition="contains">SHA256=AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685</Hashes>
+				<Hashes condition="contains">SHA256=D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71</Hashes>
+				<Hashes condition="contains">SHA256=D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2</Hashes>
+				<Hashes condition="contains">SHA256=E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293</Hashes>
+				<Hashes condition="contains">SHA256=F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57</Hashes>
+				<Hashes condition="contains">SHA256=1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A</Hashes>
+				<Hashes condition="contains">SHA256=22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A</Hashes>
+				<Hashes condition="contains">SHA256=405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659</Hashes>
+				<Hashes condition="contains">SHA256=49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA</Hashes>
+				<Hashes condition="contains">SHA256=4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2</Hashes>
+				<Hashes condition="contains">SHA256=4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7</Hashes>
+				<Hashes condition="contains">SHA256=54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57</Hashes>
+				<Hashes condition="contains">SHA256=5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92</Hashes>
+				<Hashes condition="contains">SHA256=76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184</Hashes>
+				<Hashes condition="contains">SHA256=7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457</Hashes>
+				<Hashes condition="contains">SHA256=845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A</Hashes>
+				<Hashes condition="contains">SHA256=84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4</Hashes>
+				<Hashes condition="contains">SHA256=8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F</Hashes>
+				<Hashes condition="contains">SHA256=A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8</Hashes>
+				<Hashes condition="contains">SHA256=AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165</Hashes>
+				<Hashes condition="contains">SHA256=B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E</Hashes>
+				<Hashes condition="contains">SHA256=B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A</Hashes>
+				<Hashes condition="contains">SHA256=B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C</Hashes>
+				<Hashes condition="contains">SHA256=DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653</Hashes>
+				<Hashes condition="contains">SHA256=E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028</Hashes>
+				<Hashes condition="contains">SHA256=3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3</Hashes>
+				<Hashes condition="contains">SHA256=DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D</Hashes>
+				<Hashes condition="contains">SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5</Hashes>
+				<Hashes condition="contains">SHA256=80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3</Hashes>
+				<Hashes condition="contains">SHA256=BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955</Hashes>
+				<Hashes condition="contains">SHA256=FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339</Hashes>
+				<Hashes condition="contains">SHA256=3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25</Hashes>
+				<Hashes condition="contains">SHA256=61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0</Hashes>
+				<Hashes condition="contains">SHA256=07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357</Hashes>
+				<Hashes condition="contains">SHA256=21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21</Hashes>
+				<Hashes condition="contains">SHA256=2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D</Hashes>
+				<Hashes condition="contains">SHA256=F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF</Hashes>
+				<Hashes condition="contains">SHA256=F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B</Hashes>
+				<Hashes condition="contains">SHA256=3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4</Hashes>
+				<Hashes condition="contains">SHA256=DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097</Hashes>
+				<Hashes condition="contains">SHA256=509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6</Hashes>
+				<Hashes condition="contains">SHA256=525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD</Hashes>
+				<Hashes condition="contains">SHA256=6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492</Hashes>
+				<Hashes condition="contains">SHA256=09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1</Hashes>
+				<Hashes condition="contains">SHA256=101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558</Hashes>
+				<Hashes condition="contains">SHA256=131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6</Hashes>
+				<Hashes condition="contains">SHA256=1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219</Hashes>
+				<Hashes condition="contains">SHA256=1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE</Hashes>
+				<Hashes condition="contains">SHA256=2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250</Hashes>
+				<Hashes condition="contains">SHA256=30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB</Hashes>
+				<Hashes condition="contains">SHA256=3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5</Hashes>
+				<Hashes condition="contains">SHA256=38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A</Hashes>
+				<Hashes condition="contains">SHA256=39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E</Hashes>
+				<Hashes condition="contains">SHA256=3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3</Hashes>
+				<Hashes condition="contains">SHA256=3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5</Hashes>
+				<Hashes condition="contains">SHA256=47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005</Hashes>
+				<Hashes condition="contains">SHA256=50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793</Hashes>
+				<Hashes condition="contains">SHA256=56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7</Hashes>
+				<Hashes condition="contains">SHA256=591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52</Hashes>
+				<Hashes condition="contains">SHA256=5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3</Hashes>
+				<Hashes condition="contains">SHA256=6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4</Hashes>
+				<Hashes condition="contains">SHA256=79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57</Hashes>
+				<Hashes condition="contains">SHA256=85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94</Hashes>
+				<Hashes condition="contains">SHA256=89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE</Hashes>
+				<Hashes condition="contains">SHA256=9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B</Hashes>
+				<Hashes condition="contains">SHA256=984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7</Hashes>
+				<Hashes condition="contains">SHA256=98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8</Hashes>
+				<Hashes condition="contains">SHA256=99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1</Hashes>
+				<Hashes condition="contains">SHA256=9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449</Hashes>
+				<Hashes condition="contains">SHA256=A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499</Hashes>
+				<Hashes condition="contains">SHA256=A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526</Hashes>
+				<Hashes condition="contains">SHA256=B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D</Hashes>
+				<Hashes condition="contains">SHA256=CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B</Hashes>
+				<Hashes condition="contains">SHA256=CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB</Hashes>
+				<Hashes condition="contains">SHA256=CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B</Hashes>
+				<Hashes condition="contains">SHA256=D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889</Hashes>
+				<Hashes condition="contains">SHA256=D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530</Hashes>
+				<Hashes condition="contains">SHA256=D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482</Hashes>
+				<Hashes condition="contains">SHA256=E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1</Hashes>
+				<Hashes condition="contains">SHA256=E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A</Hashes>
+				<Hashes condition="contains">SHA256=E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA</Hashes>
+				<Hashes condition="contains">SHA256=EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0</Hashes>
+				<Hashes condition="contains">SHA256=F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D</Hashes>
+				<Hashes condition="contains">SHA256=FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03</Hashes>
+				<Hashes condition="contains">SHA256=91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C</Hashes>
+				<Hashes condition="contains">SHA256=F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008</Hashes>
+				<Hashes condition="contains">SHA256=6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC</Hashes>
+				<Hashes condition="contains">SHA256=DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004</Hashes>
+				<Hashes condition="contains">SHA256=7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D</Hashes>
+				<Hashes condition="contains">SHA256=7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB</Hashes>
+				<Hashes condition="contains">SHA256=7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA</Hashes>
+				<Hashes condition="contains">SHA256=159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980</Hashes>
+				<Hashes condition="contains">SHA256=3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099</Hashes>
+				<Hashes condition="contains">SHA256=7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C</Hashes>
+				<Hashes condition="contains">SHA256=C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E</Hashes>
+				<Hashes condition="contains">SHA256=3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8</Hashes>
+				<Hashes condition="contains">SHA256=47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84</Hashes>
+				<!--# The list below is from https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/ -->
+				<Hashes condition="contains">SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b</Hashes>
+				<Hashes condition="contains">SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790</Hashes>
+				<Hashes condition="contains">SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22</Hashes>
+				<Hashes condition="contains">SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44</Hashes>
+				<Hashes condition="contains">SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8</Hashes>
+				<Hashes condition="contains">SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009</Hashes>
+				<Hashes condition="contains">SHA256=39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df</Hashes>
+				<Hashes condition="contains">SHA256=7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead</Hashes>
+				<Hashes condition="contains">SHA256=aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16</Hashes>
+				<Hashes condition="contains">SHA256=ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7</Hashes>
+				<Hashes condition="contains">SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5</Hashes>
+				<Hashes condition="contains">SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495</Hashes>
+				<Hashes condition="contains">SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd</Hashes>
+				<Hashes condition="contains">SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c</Hashes>
+				<Hashes condition="contains">SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427</Hashes>
+				<!--# The list below is from https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c -->
+				<Hashes condition="contains">SHA256=952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4</Hashes>
+				<Hashes condition="contains">SHA256=9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6</Hashes>
+				<Hashes condition="contains">SHA256=A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062</Hashes>
+				<Hashes condition="contains">SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b</Hashes>
+				<Hashes condition="contains">SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece</Hashes>
+				<Hashes condition="contains">SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374</Hashes>
+				<Hashes condition="contains">SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50</Hashes>
+				<Hashes condition="contains">SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6</Hashes>
+				<Hashes condition="contains">SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e</Hashes>
+				<!--# https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md -->
+				<Hashes condition="contains">SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc</Hashes>
+				<Hashes condition="contains">SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d</Hashes>
+				<Hashes condition="contains">SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65</Hashes>
+				<Hashes condition="contains">SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347</Hashes>
+				<Hashes condition="contains">SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9</Hashes>
+				<Hashes condition="contains">SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219</Hashes>
+				<Hashes condition="contains">SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8</Hashes>
+				<Hashes condition="contains">SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813</Hashes>
+				<Hashes condition="contains">SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a</Hashes>
+				<Hashes condition="contains">SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f</Hashes>
+				<Hashes condition="contains">SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc</Hashes>
+				<Hashes condition="contains">SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de</Hashes>
+				<Hashes condition="contains">SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073</Hashes>
+				<Hashes condition="contains">SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890</Hashes>
+				<Hashes condition="contains">SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0</Hashes>
+				<Hashes condition="contains">SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200</Hashes>
+				<Hashes condition="contains">SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf</Hashes>
+				<Hashes condition="contains">SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2</Hashes>
+				<Hashes condition="contains">SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173</Hashes>
+				<Hashes condition="contains">SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6</Hashes>
+				<Hashes condition="contains">SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8</Hashes>
+				<Hashes condition="contains">SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508</Hashes>
+				<Hashes condition="contains">SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3</Hashes>
+				<Hashes condition="contains">SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52</Hashes>
+				<Hashes condition="contains">SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129</Hashes>
+				<Hashes condition="contains">SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993</Hashes>
+				<Hashes condition="contains">SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d</Hashes>
+				<Hashes condition="contains">SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd</Hashes>
+				<Hashes condition="contains">SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35</Hashes>
+				<Hashes condition="contains">SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33</Hashes>
+				<Hashes condition="contains">SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29</Hashes>
+				<!--# The list below is derived from the ELASTIC yara rules https://github.com/elastic/protections-artifacts/search?q=VulnDriver -->
+				<!--# These are the hashes mentioned in the "reference_sample" section that ELASTIC used to create their rules -->
+				<Hashes condition="contains">SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838</Hashes>
+				<Hashes condition="contains">SHA256=3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b</Hashes>
+				<Hashes condition="contains">SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82</Hashes>
+				<Hashes condition="contains">SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7</Hashes>
+				<Hashes condition="contains">SHA256=b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038</Hashes>
+				<Hashes condition="contains">SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89</Hashes>
+				<Hashes condition="contains">SHA256=73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e</Hashes>
+				<Hashes condition="contains">SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3</Hashes>
+				<Hashes condition="contains">SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6</Hashes>
+				<Hashes condition="contains">SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89</Hashes>
+				<Hashes condition="contains">SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf</Hashes>
+				<Hashes condition="contains">SHA256=1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea</Hashes>
+				<Hashes condition="contains">SHA256=d84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5</Hashes>
+				<Hashes condition="contains">SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a</Hashes>
+				<Hashes condition="contains">SHA256=0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f</Hashes>
+				<Hashes condition="contains">SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3</Hashes>
+				<Hashes condition="contains">SHA256=0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003</Hashes>
+				<Hashes condition="contains">SHA256=26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7</Hashes>
+				<Hashes condition="contains">SHA256=42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498</Hashes>
+				<Hashes condition="contains">SHA256=1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22</Hashes>
+				<Hashes condition="contains">SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4</Hashes>
+				<Hashes condition="contains">SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c</Hashes>
+				<Hashes condition="contains">SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53</Hashes>
+				<Hashes condition="contains">SHA256=3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de</Hashes>
+				<Hashes condition="contains">SHA256=fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330</Hashes>
+				<Hashes condition="contains">SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46</Hashes>
+				<Hashes condition="contains">SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347</Hashes>
+				<Hashes condition="contains">SHA256=8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026</Hashes>
+				<Hashes condition="contains">SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15</Hashes>
+				<Hashes condition="contains">SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91</Hashes>
+				<Hashes condition="contains">SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf</Hashes>
+				<Hashes condition="contains">SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c</Hashes>
+				<Hashes condition="contains">SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64</Hashes>
+				<Hashes condition="contains">SHA256=3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59</Hashes>
+				<Hashes condition="contains">SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6</Hashes>
+				<Hashes condition="contains">SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b</Hashes>
+				<Hashes condition="contains">SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9</Hashes>
+				<Hashes condition="contains">SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351</Hashes>
+				<Hashes condition="contains">SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5</Hashes>
+				<Hashes condition="contains">SHA256=ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c</Hashes>
+				<Hashes condition="contains">SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b</Hashes>
+				<Hashes condition="contains">SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05</Hashes>
+				<Hashes condition="contains">SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433</Hashes>
+			</Rule>
 		</DriverLoad>
 	</RuleGroup>
 	<RuleGroup name="RG=DriverLoad Exclude Group" groupRelation="or">

From 81679a2c928979423fd709d89616460e286a4079 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 7 Oct 2022 15:54:15 -0400
Subject: [PATCH 436/471] Add Risk Rating to vuln driver loads

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 11cb3215..6506266b 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -3108,7 +3108,7 @@
 			<SignatureStatus condition="contains">Unavailable</SignatureStatus>
 			<SignatureStatus condition="contains">Valid</SignatureStatus>
 			<Signed name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Unsigned Driver loaded into Kernel" condition="contains">false</Signed>
-			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Driver: Driver Load,Level=4,Alert=Vulnerable Driver Loaded,Risk=100,Author=Nasreddine Bencherchali" groupRelation="or">
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Driver: Driver Load,Level=4,Alert=Vulnerable Driver Loaded,Risk=100,Author=Nasreddine Bencherchali,Risk=75" groupRelation="or">
 				<!--# List below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT-->
 				<Hashes condition="contains">SHA1=2261198385d62d2117f50f631652eded0ecc71db</Hashes>
 				<Hashes condition="contains">SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc</Hashes>

From a99afce0868b51bd5d06bd69a38eab55456a20f2 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Fri, 21 Oct 2022 18:01:04 -0400
Subject: [PATCH 437/471] Removing Blocking from Config due to reports of
 interference of windows updates. No logs were provided yet to troubleshoot,
 so splitting out the blocking config. Use blocking config at your own risk

---
 sysmonconfig-export.xml          |  429 --
 sysmonconfig-export_blocking.xml | 7049 ++++++++++++++++++++++++++++++
 2 files changed, 7049 insertions(+), 429 deletions(-)
 create mode 100644 sysmonconfig-export_blocking.xml

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 6506266b..30796a47 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -7045,434 +7045,5 @@
 			<User condition="contains any">NETWORK SERVICE; LOCAL SERVICE</User>
 		</FileDeleteDetected>
 	</RuleGroup>
-	<!--SYSMON EVENT ID 27 : FILE BLOCK [FileBlockExecutable]-->
-	<RuleGroup name="RG=ImageBlock Include Group" groupRelation="or">
-		<FileBlockExecutable onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Alert=Block Office from Creating Executables" groupRelation="and">
-				<Image condition="contains any">OUTLOOK.exe;WINWORD.exe;EXCEL.EXE;powerpnt.exe;msaccess.exe;mspub.exe;eqnedt32.exe;visio.exe;wordpad.exe;wordview.exe;msohtmed.exe;lync.exe;teams.exe</Image>
-				<TargetFilename condition="excludes any">:\Program Files\Microsoft Office\;:\Program Files (x86)\Microsoft Office\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Alert=Block Web Servers from creating binary files" groupRelation="and">
-				<Image condition="contains any">w3wp.exe;tomcat;apache;nginx;httpd</Image>
-				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
-			</Rule>
-			<!--Be Careful with this one, it blocks powershell file copies as well, target specific directories or comment out the rule-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Alert=Block Powershell from downloading EXE" groupRelation="and">
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-				<TargetFilename condition="contains any">\Temp\;\AppData\;C:\Users\Public</TargetFilename>
-				<TargetFilename condition="excludes any">whitelist_me_here</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="or">
-				<TargetFilename condition="end with">      .exe</TargetFilename>
-				<TargetFilename condition="end with">.7z.exe</TargetFilename>
-				<TargetFilename condition="end with">.doc.exe</TargetFilename>
-				<TargetFilename condition="end with">.doc.exe</TargetFilename>
-				<TargetFilename condition="end with">.docx.exe</TargetFilename>
-				<TargetFilename condition="end with">.ico.exe</TargetFilename>
-				<TargetFilename condition="end with">.iso.exe</TargetFilename>
-				<TargetFilename condition="end with">.lnk.exe</TargetFilename>
-				<TargetFilename condition="end with">.pdf.exe</TargetFilename>
-				<TargetFilename condition="end with">.ppt.exe</TargetFilename>
-				<TargetFilename condition="end with">.pptx.exe</TargetFilename>
-				<TargetFilename condition="end with">.rar.exe</TargetFilename>
-				<TargetFilename condition="end with">.rtf.exe</TargetFilename>
-				<TargetFilename condition="end with">.txt.exe</TargetFilename>
-				<TargetFilename condition="end with">.xls.exe</TargetFilename>
-				<TargetFilename condition="end with">.xlsx.exe</TargetFilename>
-				<TargetFilename condition="end with">.zip.exe</TargetFilename>
-				<TargetFilename condition="end with">______.exe</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Alert=Block PSexec and PSEXESVC from Dropping binaries" groupRelation="or">
-				<Image condition="contains any">psexesvc</Image>
-				<Image condition="contains any">psexec</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Alert=Block wmiprvse.exe from Dropping binaries" groupRelation="or">
-				<Image condition="image">wmiprvse.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Alert=Block executables from writing to Users\Public" groupRelation="and">
-				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
-				<TargetFilename condition="excludes any">amdsfhdcd.bin</TargetFilename>
-				<Image condition="excludes any">intuit</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Alert=Block LOLbins that drop files" groupRelation="and">
-				<Image condition="contains any">AcroRd32.exe;notepad.exe;mshta.exe;hh.exe;certutil.exe;certoc.exe;certreq.exe;desktopimgdownldr.exe;esentutl.exe;finger.exe;presentationhost.exe;cscript.exe;wscript.exe;mspaint.exe;RdrCEF.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1311,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Malicious File Detection,Author=Florian Roth/ionstorm" groupRelation="or">
-				<Hashes condition="contains">IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932</Hashes> <!-- PetitPotam -->
-				<Hashes condition="contains">IMPHASH=3A19059BD7688CB88E70005F18EFC439</Hashes> <!-- PetitPotam -->
-				<Hashes condition="contains">IMPHASH=bf6223a49e45d99094406777eb6004ba</Hashes> <!-- PetitPotam -->
-				<Hashes condition="contains">IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=4C1B52A19748428E51B14C278D0F58E3</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=672B13F4A0B6F27D29065123FE882DFC</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=9528A0E91E28FBB88AD433FEABCA2456</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=D21BBC50DCC169D7B4D0F01962793154</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1</Hashes> <!-- JuicyPotato  -->
-				<Hashes condition="contains">IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC</Hashes> <!-- JuicyPotato  -->
-				<Hashes condition="contains">IMPHASH=6118619783FC175BC7EBECFF0769B46E</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=563233BFA169ACC7892451F71AD5850A</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=87575CB7A0E0700EB37F2E3668671A08</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=13F08707F759AF6003837A150A371BA1</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=1781F06048A7E58B323F0B9259BE798B</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=713C29B396B907ED71A72482759ED757</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=8B114550386E31895DFAB371E741123D</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793</Hashes> <!-- PwDumpX -->
-				<Hashes condition="contains">IMPHASH=9D68781980370E00E0BD939EE5E6C141</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=B18A1401FF8F444056D29450FBC0A6CE</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=CB567F9498452721D77A451374955F5F</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=730073214094CD328547BF1F72289752</Hashes> <!-- Htran -->
-				<Hashes condition="contains">IMPHASH=17B461A082950FC6332228572138B80C</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=819B19D53CA6736448F9325A85736792</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74</Hashes> <!-- PPLDump -->
-				<Hashes condition="contains">IMPHASH=0588081AB0E63BA785938467E1B10CCA</Hashes> <!-- PPLDump -->
-				<Hashes condition="contains">IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=4DA924CF622D039D58BCE71CDF05D242</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=E7A3A5C377E2D29324093377D7DB1C66</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=E6F9D5152DA699934B30DAAB206471F6</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=3AD59991CCF1D67339B319B15A41B35D</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=FFDD59E0318B85A3E480874D9796D872</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=0CF479628D7CC1EA25EC7998A92F5051</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=D6D0F80386E1380D05CB78E871BC72B1</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=38D9E015591BBFD4929E0D0F47FA0055</Hashes> <!-- HandleKatz -->
-				<Hashes condition="contains">IMPHASH=0E2216679CA6E1094D63322E3412D650</Hashes> <!-- HandleKatz -->
-				<Hashes condition="contains">IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=11083E75553BAAE21DC89CE8F9A195E4</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F</Hashes> <!-- CreateMiniDump -->
-				<Hashes condition="contains">IMPHASH=767637C23BB42CD5D7397CF58B0BE688</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=14C4E4C72BA075E9069EE67F39188AD8</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=7D010C6BB6A3726F327F7E239166D127</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=89159BA4DD04E4CE5559F132A9964EB3</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=5834ED4291BDEB928270428EBBAF7604</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=3DE09703C8E79ED2CA3F01074719906B</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F</Hashes> <!-- WCE -->
-				<Hashes condition="contains">IMPHASH=E96A73C7BF33A464C510EDE582318BF2</Hashes> <!-- WCE -->
-				<Hashes condition="contains">IMPHASH=32089B8851BBF8BC2D014E9F37288C83</Hashes> <!-- Sliver Stagers -->
-				<Hashes condition="contains">IMPHASH=09D278F9DE118EF09163C6140255C690</Hashes> <!-- Dumpert -->
-				<Hashes condition="contains">IMPHASH=03866661686829D806989E2FC5A72606</Hashes> <!-- Dumpert -->
-				<Hashes condition="contains">IMPHASH=E57401FBDADCD4571FF385AB82BD5D6D</Hashes> <!-- Dumpert -->
-				<Hashes condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hashes> <!-- SysmonEnte -->
-				<Hashes condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hashes> <!-- SysmonQuiet -->
-				<Hashes condition="contains">IMPHASH=330768A4F172E10ACB6287B87289D83B</Hashes> <!-- ShaprEvtMute Hook -->
-				<Hashes condition="contains">SHA256=074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82</Hashes><!--Exchange Zero Day Dropped DLL-->
-				<Hashes condition="contains">SHA256=45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9</Hashes><!--Exchange Zero Day Dropped DLL-->
-				<Hashes condition="contains">SHA256=9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0</Hashes><!--Exchange Zero Day Dropped DLL-->
-				<Hashes condition="contains">SHA256=29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3</Hashes><!--Exchange Zero Day Dropped DLL-->
-				<Hashes condition="contains">SHA256=c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2</Hashes><!--Exchange Zero Day Dropped DLL-->
-				<Hashes condition="contains">SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e</Hashes><!--Exchange Zero Day Dropped DLL-->
-			</Rule>
-			<Rule name="Attack=T1311,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Exchange 0day Malicious File Detection,Author=ionstorm" groupRelation="and">
-				<TargetFilename condition="contains any">\DrSDKCaller.exe;C:\Users\Public\all.exe;C:\Users\Public\dump.dll;C:\Users\Public\ad.exe;C:\PerfLogs\gpg-error.exe;C:\PerfLogs\cm.exe;C:\Program Files\Common Files\system\ado\msado32.tlb</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Tools that tamper with Sysmon,Author=Florian Roth" groupRelation="and">
-				<TargetFilename condition="contains any">\EntenLoader.exe;\SysmonQuiet.exe;\SharpEvtMute.exe;\EvtMuteHook.dll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=4,Alert=Lolbins dropping binaries,Author=Florian Roth" groupRelation="or">
-				<Image condition="image">certutil.exe</Image>
-				<Image condition="image">certoc.exe</Image>
-				<Image condition="image">CertReq.exe</Image>
-				<!-- <Image condition="image">bitsadmin.exe</Image> (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env) -->
-				<Image condition="image">Desktopimgdownldr.exe</Image>
-				<Image condition="image">esentutl.exe</Image>
-				<!-- <Image condition="image">expand.exe</Image> (depends on the environment; comment in if you're sure that expand doesn't do that in your env) -->
-				<Image condition="image">finger.exe</Image>
-				<Image condition="image">presentationhost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=4,Alert=Suspicious Bitsadmin Usage from Non System accounts,Author=@ionstorm" groupRelation="and">
-				<Image condition="image">bitsadmin.exe</Image>
-				<TargetFilename condition="excludes any">C:\Windows;$WINDOWS.;\SoftwareDistribution\</TargetFilename>
-				<User condition="is not">System</User>
-				<User condition="excludes any">TrustedInstaller;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</User>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Tools that tamper with Sysmon,Author=Florian Roth" groupRelation="and">
-				<TargetFilename condition="contains any">\EntenLoader.exe;\SysmonQuiet.exe;\SharpEvtMute.exe;\EvtMuteHook.dll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=4,Alert=Block Binaries dropped to Perflogs" groupRelation="and">
-				<TargetFilename condition="begin with">C:\PerfLogs\</TargetFilename>
-			</Rule>
-		</FileBlockExecutable>
-	</RuleGroup>
-	<RuleGroup name="RG=FileBlockExecutable Exclude Group" groupRelation="or">
-		<FileBlockExecutable onmatch="exclude">
-			<Rule name="safe executables - be careful" groupRelation="and">
-				<Image condition="is any">C:\WINDOWS\system32\wuauclt.exe;C:\$WINDOWS.~BT\Sources\SetupHost.Exe</Image>
-			</Rule>
-			<Rule name="safe paths - be careful" groupRelation="and">
-				<TargetFilename condition="contains any">C:\Windows\SoftwareDistribution\;C:\$WINDOWS.~BT\NewOS\</TargetFilename>
-			</Rule>
-			<Rule name="safe users - be careful" groupRelation="or">
-				<!--<User condition="is">SYSTEM</User>
-				<User condition="is">NT AUTHORITY\SYSTEM</User>
-				<User condition="is">TrustedInstaller</User>
-				<User condition="is">NT AUTHORITY\TrustedInstaller</User>
-				<User condition="is">NT AUTHORITY\NETWORK SERVICE</User>
-				<User condition="end with">ERVICE RÉSEAU</User>
-				<User condition="end with">NETZWERKDIENST</User>
-				<User condition="is">NT AUTHORITY\LOCAL SERVICE</User>
-				<User condition="end with">SERVICE LOCAL</User>
-				<User condition="end with">LOKALER DIENST</User>
-				<User condition="end with">СИСТЕМА</User>
-				<User condition="is">NT-AUTORITÄT\SYSTEM</User>
-				<User condition="is">AUTORITE NT\SYSTEM</User>-->
-			</Rule>
-		</FileBlockExecutable>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 28 : FILE BLOCK SHREDDING [FileBlockShredding]-->
-	<RuleGroup name="RG=FileBlockShredding Include Group" groupRelation="or">
-		<FileBlockShredding onmatch="include">
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in C:\Users,Author=@ionstorm" groupRelation="and">
-				<TargetFilename condition="begin with">C:\Users</TargetFilename>
-				<Image condition="excludes any">C:\Program Files\WindowsApps\;AppData</Image>
-			</Rule>
-			<!-- Unsure how this runs with Enterprise Software Like Exchange, Uncomment and provide feedback of any issues/things to whitelist
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramFiles,Author=@ionstorm" groupRelation="and">
-				<TargetFilename condition="begin with">C:\Program Files</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramData,Author=@ionstorm" groupRelation="and">
-				<TargetFilename condition="begin with">C:\ProgramData</TargetFilename>
-			</Rule>
-			-->
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in $mft,Author=@ionstorm" groupRelation="and">
-				<TargetFilename condition="begin with">C:\$mft</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Windows Event Logs,Author=@ionstorm" groupRelation="and">
-				<TargetFilename condition="begin with">C:\Windows\System32\winevt\Logs</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in ntuser.dat artifacts,Author=@ionstorm" groupRelation="and">
-				<TargetFilename condition="end with">ntuser.dat</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Pagefile,Author=@ionstorm" groupRelation="and">
-				<TargetFilename condition="end with">Pagefile.sys</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in System Profile and registry backups,Author=@ionstorm" groupRelation="and">
-				<TargetFilename condition="begin with">C:\Windows\System32\config</TargetFilename>
-				<Image condition="excludes">C:\WINDOWS\system32\consent.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Database Files,Author=@ionstorm" groupRelation="and">
-				<TargetFilename condition="end with">.db</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in encryption/certificate files,Author=@ionstorm" groupRelation="or">
-				<TargetFilename condition="end with">.asc</TargetFilename>
-				<TargetFilename condition="end with">.ca-bundle</TargetFilename>
-				<TargetFilename condition="end with">.cer</TargetFilename>
-				<TargetFilename condition="end with">.cer</TargetFilename>
-				<TargetFilename condition="end with">.crl</TargetFilename>
-				<TargetFilename condition="end with">.crt</TargetFilename>
-				<TargetFilename condition="end with">.csr</TargetFilename>
-				<TargetFilename condition="end with">.der</TargetFilename>
-				<TargetFilename condition="end with">.gpg</TargetFilename>
-				<TargetFilename condition="end with">.key</TargetFilename>
-				<TargetFilename condition="end with">.p7b</TargetFilename>
-				<TargetFilename condition="end with">.p7r</TargetFilename>
-				<TargetFilename condition="end with">.p7s</TargetFilename>
-				<TargetFilename condition="end with">.p12</TargetFilename>
-				<TargetFilename condition="end with">.pem</TargetFilename>
-				<TargetFilename condition="end with">.pfx</TargetFilename>
-				<TargetFilename condition="end with">.pgp</TargetFilename>
-				<TargetFilename condition="end with">.ppk</TargetFilename>
-				<TargetFilename condition="end with">.sst</TargetFilename>
-				<TargetFilename condition="end with">.sto</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Log files,Author=@ionstorm" groupRelation="and">
-				<TargetFilename condition="end with">.log</TargetFilename>
-				<TargetFilename condition="excludes">C:\Windows\System32\sru\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Log files 2,Author=@ionstorm" groupRelation="and">
-				<TargetFilename condition="end with">ConsoleHost_history.txt</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in evtx files,Author=@ionstorm" groupRelation="and">
-				<TargetFilename condition="end with">.evtx</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Recyclebin,Author=@ionstorm" groupRelation="and">
-				<TargetFilename condition="contains">$Recycle</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Executable Data Destruction Detected,Author=@ionstorm" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=DLL Data Destruction Detected,Author=@ionstorm" groupRelation="and">
-				<TargetFilename condition="end with">.dll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Office File Data Destruction Detected,Author=@ionstorm" groupRelation="or">
-				<TargetFilename condition="contains">\Content.Outlook\</TargetFilename>
-				<TargetFilename condition="contains">\Microsoft\Office\Recent</TargetFilename>
-				<TargetFilename condition="contains">\Microsoft\Templates\</TargetFilename>
-				<TargetFilename condition="contains">\Recent\CustomDestinations\</TargetFilename>
-				<TargetFilename condition="contains">oleObject</TargetFilename>
-				<TargetFilename condition="end with">.accdb</TargetFilename>
-				<TargetFilename condition="end with">.accde</TargetFilename>
-				<TargetFilename condition="end with">.accdr</TargetFilename>
-				<TargetFilename condition="end with">.accdt</TargetFilename>
-				<TargetFilename condition="end with">.doc</TargetFilename>
-				<TargetFilename condition="end with">.docb</TargetFilename>
-				<TargetFilename condition="end with">.docm</TargetFilename>
-				<TargetFilename condition="end with">.docx</TargetFilename>
-				<TargetFilename condition="end with">.dot</TargetFilename>
-				<TargetFilename condition="end with">.dotx</TargetFilename>
-				<TargetFilename condition="end with">.eml</TargetFilename>
-				<TargetFilename condition="end with">.mdb</TargetFilename>
-				<TargetFilename condition="end with">.mde</TargetFilename>
-				<TargetFilename condition="end with">.msc</TargetFilename>
-				<TargetFilename condition="end with">.msg</TargetFilename>
-				<TargetFilename condition="end with">.mst</TargetFilename>
-				<TargetFilename condition="end with">.ped</TargetFilename>
-				<TargetFilename condition="end with">.potm</TargetFilename>
-				<TargetFilename condition="end with">.potx</TargetFilename>
-				<TargetFilename condition="end with">.ppam</TargetFilename>
-				<TargetFilename condition="end with">.ppsm</TargetFilename>
-				<TargetFilename condition="end with">.ppsx</TargetFilename>
-				<TargetFilename condition="end with">.ppt</TargetFilename>
-				<TargetFilename condition="end with">.pptm</TargetFilename>
-				<TargetFilename condition="end with">.pptx</TargetFilename>
-				<TargetFilename condition="end with">.pub</TargetFilename>
-				<TargetFilename condition="end with">.sldm</TargetFilename>
-				<TargetFilename condition="end with">.sldx</TargetFilename>
-				<TargetFilename condition="end with">.wbk</TargetFilename>
-				<TargetFilename condition="end with">.xla</TargetFilename>
-				<TargetFilename condition="end with">.xlam</TargetFilename>
-				<TargetFilename condition="end with">.xll</TargetFilename>
-				<TargetFilename condition="end with">.xls</TargetFilename>
-				<TargetFilename condition="end with">.xlsb</TargetFilename>
-				<TargetFilename condition="end with">.xlsm</TargetFilename>
-				<TargetFilename condition="end with">.xlsx</TargetFilename>
-				<TargetFilename condition="end with">.xlt</TargetFilename>
-				<TargetFilename condition="end with">.xltm</TargetFilename>
-				<TargetFilename condition="end with">.xlw</TargetFilename>
-				<TargetFilename condition="end with">.xps</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=PDF File Data Destruction Detected,Author=@ionstorm" groupRelation="or">
-				<TargetFilename condition="end with">.pdf</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Common Archive File Data Destruction Detected,Author=@ionstorm" groupRelation="or">
-				<TargetFilename condition="end with">.zip</TargetFilename>
-				<TargetFilename condition="end with">.rar</TargetFilename>
-				<TargetFilename condition="end with">.tar</TargetFilename>
-				<TargetFilename condition="end with">.tgz</TargetFilename>
-				<TargetFilename condition="end with">.ace</TargetFilename>
-				<TargetFilename condition="end with">.7z</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Common Script File Data Destruction Detected,Author=@ionstorm" groupRelation="or">
-				<TargetFilename condition="end with">.cdxml</TargetFilename>
-				<TargetFilename condition="end with">.ps1</TargetFilename>
-				<TargetFilename condition="end with">.ps1xml</TargetFilename>
-				<TargetFilename condition="end with">.psc1</TargetFilename>
-				<TargetFilename condition="end with">.psd1</TargetFilename>
-				<TargetFilename condition="end with">.psm1</TargetFilename>
-				<TargetFilename condition="end with">.pssc</TargetFilename>
-				<TargetFilename condition="end with">.bat</TargetFilename>
-				<TargetFilename condition="end with">.com</TargetFilename>
-				<TargetFilename condition="end with">.hta</TargetFilename>
-				<TargetFilename condition="end with">.vbs</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Virtual Disk Image File Data Destruction Detected,Author=@ionstorm" groupRelation="or">
-				<TargetFilename condition="end with">.D01</TargetFilename>
-				<TargetFilename condition="end with">.D02</TargetFilename>
-				<TargetFilename condition="end with">.DD</TargetFilename>
-				<TargetFilename condition="end with">.DISK</TargetFilename>
-				<TargetFilename condition="end with">.E01</TargetFilename>
-				<TargetFilename condition="end with">.EX01</TargetFilename>
-				<TargetFilename condition="end with">.HC</TargetFilename>
-				<TargetFilename condition="end with">.HDD</TargetFilename>
-				<TargetFilename condition="end with">.HDS</TargetFilename>
-				<TargetFilename condition="end with">.IMAGE</TargetFilename>
-				<TargetFilename condition="end with">.IMD</TargetFilename>
-				<TargetFilename condition="end with">.IMG</TargetFilename>
-				<TargetFilename condition="end with">.ISO</TargetFilename>
-				<TargetFilename condition="end with">.L01</TargetFilename>
-				<TargetFilename condition="end with">.LZ01</TargetFilename>
-				<TargetFilename condition="end with">.PARTIMG</TargetFilename>
-				<TargetFilename condition="end with">.PGD</TargetFilename>
-				<TargetFilename condition="end with">.SPARSEIMAGE</TargetFilename>
-				<TargetFilename condition="end with">.TIB</TargetFilename>
-				<TargetFilename condition="end with">.VBK</TargetFilename>
-				<TargetFilename condition="end with">.VBM</TargetFilename>
-				<TargetFilename condition="end with">.VIB</TargetFilename>
-				<TargetFilename condition="end with">.WIM</TargetFilename>
-				<TargetFilename condition="end with">.WIM</TargetFilename>
-				<TargetFilename condition="end with">.WMT</TargetFilename>
-				<TargetFilename condition="end with">.XVA</TargetFilename>
-				<TargetFilename condition="end with">.avhd</TargetFilename>
-				<TargetFilename condition="end with">.dsk</TargetFilename>
-				<TargetFilename condition="end with">.dvd</TargetFilename>
-				<TargetFilename condition="end with">.mdf</TargetFilename>
-				<TargetFilename condition="end with">.vdi</TargetFilename>
-				<TargetFilename condition="end with">.vhd</TargetFilename>
-				<TargetFilename condition="end with">.vhdx</TargetFilename>
-				<TargetFilename condition="end with">.vmdk</TargetFilename>
-				<TargetFilename condition="end with">.vmwarevm</TargetFilename>
-			</Rule>
-		</FileBlockShredding>		
-	</RuleGroup>
-	<RuleGroup name="RG=FileBlockShredding Exclude Group" groupRelation="or">
-		<FileBlockShredding onmatch="exclude">
-			<Rule name="safe images - be careful" groupRelation="or">
-				<Image condition="begin with">C:\WINDOWS\</Image>
-				<Image condition="begin with">C:\Program Files\WindowsApps\</Image>
-				<Image condition="image">C:\PROGRA~2\Citrix\ICACLI~1\WFICA32.EXE</Image>
-				<Image condition="contains all">C:\Program Files;\Microsoft\EdgeWebView\Application\;\msedgewebview2.exe</Image>
-				<Image condition="contains all">C:\Program Files;\Citrix\;\WFICA32.EXE</Image>
-				<Image condition="contains all">C:\Program Files\Google\Drive File Stream\;\GoogleDriveFS.exe</Image>
-				<Image condition="contains all">C:\Program Files (x86)\Microsoft\EdgeWebView\Application\;msedgewebview2.exe</Image>
-			</Rule>
-			<Rule name="safe paths - be careful" groupRelation="or">
-				<TargetFilename condition="contains any">C:\Safe-shred-location</TargetFilename>
-				<TargetFilename condition="contains any">C:\$WINDOWS.~BT\NewOS\</TargetFilename>
-				<TargetFilename condition="contains all">:\Users\;\AppData\;\D3DSCache</TargetFilename>
-				<TargetFilename condition="end with">.lock</TargetFilename>
-			</Rule>
-			<Rule name="Antivirus Exclusions" groupRelation="or"> 
-				<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab</Image> 
-				<Image condition="begin with">C:\Program Files\Kaspersky Lab</Image>
-				<Image condition="begin with">C:\Program Files (x86)\ESET</Image>
-				<Image condition="begin with">C:\Program Files\ESET</Image>
-				<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\</Image>
-			</Rule>
-			<Rule name="safe users - be careful" groupRelation="or">
-				<!--<User condition="is">NT AUTHORITY\TrustedInstaller</User>
-				<User condition="is">SYSTEM</User>
-				<User condition="is">NT AUTHORITY\SYSTEM</User>
-				<User condition="is">TrustedInstaller</User>
-				<User condition="is">NT AUTHORITY\TrustedInstaller</User>
-				<User condition="is">NT AUTHORITY\NETWORK SERVICE</User>
-				<User condition="end with">ERVICE RÉSEAU</User>
-				<User condition="end with">NETZWERKDIENST</User>
-				<User condition="is">NT AUTHORITY\LOCAL SERVICE</User>
-				<User condition="end with">SERVICE LOCAL</User>
-				<User condition="end with">LOKALER DIENST</User>
-				<User condition="end with">СИСТЕМА</User>
-				<User condition="is">NT-AUTORITÄT\SYSTEM</User>
-				<User condition="is">AUTORITE NT\SYSTEM</User>-->
-			</Rule>
-		</FileBlockShredding>		
-	</RuleGroup>
 	</EventFiltering>
 </Sysmon>
\ No newline at end of file
diff --git a/sysmonconfig-export_blocking.xml b/sysmonconfig-export_blocking.xml
new file mode 100644
index 00000000..30796a47
--- /dev/null
+++ b/sysmonconfig-export_blocking.xml
@@ -0,0 +1,7049 @@
+<!--
+	   ____                           ___ ________________    _______ __
+	  / __/_ _____ __ _  ___  ___    / _ /_  __/_  __/ __/___/ ___/ //_/
+	 _\ \/ // (_-</  ' \/ _ \/ _ \  / __ |/ /   / /  > _/_ _/ /__/ ,<   
+	/___/\_, /___/_/_/_/\___/_//_/ /_/ |_/_/   /_/  |_____/ \___/_/|_|  
+		/___/                                                           
+	author:	ionstorm
+	project:	https://github.com/ion-storm/sysmon-config
+	license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
+	Methodology: Detect the Most Techniques per Data source in MITRE ATT&CK.
+				 Provide Visibility into Forensic Artifact Events for UEBA.
+				 Detect Exploitation events with wide CVE Coverage.
+				 Risk Scoring of CVE, UEBA, Forensic, MITRE ATT&CK Events.
+				 
+				 Primary Tags:
+				 Attack: Mitre ATT&CK Identifier
+				 Technique: Mitre ATT&CK Technique
+				 Tactic: Mitre ATT&CK Tactic
+				 DS: Mitre ATT&CK Datasource
+				 Alert: Alert Text for SIEM/XDR
+				 Info: Informational Alert Text
+				 Level: The level field contains one of five string values. It describes the criticality of a triggered rule. 
+				 While low and medium level events have an informative character, events with high and critical level should 
+				 lead to immediate reviews by security analysts.
+				 Desc: Description of non-alerting UEBA/Behavioral Based Rules
+				 Forensic: Forensic Artifacts
+				 CVE: CVE Vulnerability Identification
+				 FP: False Positive Rate
+				 Author: Author of rule
+				 
+				 Additional Tag Details:
+				 Rapid Response Tags: (for EDR/XDR/SIEM Response & Automation)
+				 kp=y 	Kill process with child processes
+				 kpp=y 	Kill Parent Processes & all Child Processes
+				 kc=y    Kill network connections
+				 ki=y    Kill Injected Thread
+				 sd=y 	Shutdown System
+				 fw=y	Add Windows Firewall Rule to block inbound/outbound network connectivity from process
+				 yara=y  Yara Scan file
+				 ydel=y  Delete on Yara Detection
+				 rf=y    Restore Deleted File
+				 nr=y 	Null route ip
+				 iso=y Isolate Host
+				 SD=y Service Desk Ticket
+				 SOC=y SOC Ticket Creation
+				 
+				 Risk Score ratings: (Risk=??)
+				 Low Risk: 1-39
+				 Medium Risk: 40-69
+				 High Risk: 70-89
+				 Critical Risk: 90-100
+				 
+				 Levels: (from Sigma)
+				 (0) informational: Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered 
+				 by such rules because it is expected that a huge amount of events will match these rules.
+				 (1) low: Notable event but rarely an incident. Low rated events can be relevant in high numbers or combination with others. 
+				 Immediate reaction shouldn't be necessary, but a regular review is recommended.
+				 (2) medium: Relevant event that should be reviewed manually on a more frequent basis.
+				 (3) high: Relevant event that should trigger an internal alert and requires a prompt review.
+				 (4) critical: Highly relevant event that indicates an incident. Critical events should be reviewed immediately.
+				 
+				 False Positive Rates: (FP=?)
+				 (0) Zero False Positives rate
+				 (1) Some False Positives rate
+				 (2) Medium False Positive rate
+				 (3) High False Positive rate
+				 
+				 Properly Escape in XML:
+				 < &lt;
+				 > &gt;
+				 " &quot;
+				 ' &apos;
+				 & &amp;
+				 
+				 Other Notes:
+				 The Rulename field has a hard limit of 255 characters, make the best of the size available, shorten tags and descriptions as needed.
+				 Add exclusions in line enclosed within a Compound rule rather than a global exclusion list.
+				 
+				 Contribution Guidelines:
+				 Always submit new rule requests/pull requests in this format where possible, if the rule is highly accurate and should fire off a SIEM Alert replace Desc= with Alert=, 
+				 See Risk ratings and levels above for guidance.  
+				 Example Rule:
+				<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=Your Description Here,Author=YourTwitter/Github" groupRelation="and">
+					<Your Rule Here/>
+				</Rule> 
+-->
+<Sysmon schemaversion="4.83">
+	<HashAlgorithms>md5,sha1,sha256,imphash</HashAlgorithms>
+	<CheckRevocation/>
+	<EventFiltering>
+	<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
+	<RuleGroup name="RG=ProcessCreate Include Group" groupRelation="or">
+		<ProcessCreate onmatch="include">
+			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
+			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
+			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,DS=Process: Process Creation,Level=3,Alert=Nessus Scan Detected,Risk=100" groupRelation="or">
+				<ParentCommandLine condition="contains any">TEMP\nessus_;nessus_task_list</ParentCommandLine>
+				<CommandLine condition="contains any">TEMP\nessus_;nessus_task_list</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,DS=Process: Process Creation,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
+				<CommandLine condition="contains any">rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe</CommandLine>
+				<OriginalFileName condition="is any">advanced_port_scanner.exe;rcpping.exe;nc.exe;nc64.exe;netcat.exe;ncat.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe</OriginalFileName>
+				<Product condition="contains any">Network Scanner;Advanced IP Scanner</Product>
+			</Rule>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=4,Alert=ADFind.exe Discovery,Risk=100" groupRelation="or">
+				<OriginalFileName condition="contains">adfind</OriginalFileName>
+				<Product condition="contains">adfind</Product>
+				<CommandLine condition="contains any">-gcb -sc;/gcb /sc;-f (objectcategory=;/f (objectcategory=;trustdmp</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
+
+			<!--MITRE ATT&CK TACTIC: Resource Development-->
+			<Rule name="Attack=T1587,Technique=Develop Capabilities,Tactic=Resource Development,Level=3,DS=Process: Process Creation,Alert=PurpleSharp Indicator,Risk=40" groupRelation="or">
+				<CommandLine condition="contains any">PurpleSharp;xyz123456</CommandLine> 
+				<OriginalFileName condition="contains any">PurpleSharp</OriginalFileName> 
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
+			<CommandLine name="Attack=T1584.002,Technique=Compromise Infrastructure: DNS Server,Tactic=Resource Development,DS=Process: Process Creation,Level=4,Alert=DNSCMD DLL exec" condition="contains">/serverlevelplugindll</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
+			<Rule name="Attack=T1587.003,Technique=Develop Capabilities: Digital Certificates,Tactic=Resource Development,Level=3,DS=Process: Process Creation,Alert=netsh adding SSL Certificate,Risk=40" groupRelation="and">
+				<CommandLine condition="contains all">add;sslcert;http</CommandLine> 
+			</Rule>
+			<CommandLine name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=netsh removing SSL Certificate,Risk=40" condition="contains">http del sslcert</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
+
+			<!--MITRE ATT&CK TACTIC: Initial Access-->
+			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,DS=Process: Process Creation,Level=0,Alert=Executed files within Outlook Attachments,Risk=30" groupRelation="and">
+				<Image condition="contains">C:\Users\</Image>
+				<Image condition="contains">Content.Outlook</Image>
+			</Rule>
+			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,DS=Process: Process Creation,Level=0,Alert=Arbitrary Shell Command Execution Via Settingcontent-Ms,Risk=30" groupRelation="and">
+				<CommandLine condition="contains">.SettingContent-ms</CommandLine>
+				<CommandLine condition="excludes">immersivecontrolpanel</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,DS=Process: Process Creation,Level=0,Alert=Suspicious HWP Sub Processes,Risk=70" groupRelation="and">
+				<ParentImage condition="image">Hwp.exe</ParentImage>
+				<Image condition="image">gbb.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
+			<Rule name="Attack=T1189,Technique=Drive-by Compromise,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Browser Exploitation Detected,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">iexplore.exe;chrome.exe;firefox.exe;browser_broker.exe;vivaldi.exe;microsoftedge.exe;microsoftedgecp.exe;brave.exe;vivaldi.exe</ParentImage>
+				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
+				<ParentCommandLine condition="excludes any">apt-config</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1189,Technique=Drive-by Compromise,Tactic=Initial Access,DS=Process: Process Creation,Level=3,Alert=Exploiting SetupComplete.cmd,CVE=CVE-2019-1378,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd;cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd</CommandLine>
+				<Image condition="excludes">C:\Windows\Setup</Image>
+				<Image condition="excludes">C:\Windows\SysWOW64</Image>
+				<Image condition="excludes">C:\Windows\System32</Image>
+				<Image condition="excludes">C:\Windows\WinSxS</Image>
+			</Rule>
+			<Rule name="Attack=T1189,Technique=Drive-by Compromise,Tactic=Initial Access,DS=Process: Process Creation,Level=3,Alert=IE Exploitation CVE-2019-1388,Risk=70" groupRelation="and">
+				<ParentImage condition="image">consent.exe</ParentImage>
+				<CommandLine condition="contains">http</CommandLine>
+				<Image condition="image">iexplore.exe</Image>
+				<User condition="contains">SYSTEM</User>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=IIS Web Server Exploitation Detected,Risk=100" groupRelation="and">
+				<ParentImage condition="image">w3wp.exe</ParentImage>
+				<Image condition="excludes any">\csc.exe;\TranscodingService.exe;\werfault.exe;\appcmd.exe</Image>
+				<!--Add wider coverage than specific lolbins, add exclusions above carefully, could be noisy, if too noisy comment above and uncomment below and add more lolbins-->
+				<!--<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;certutil.exe</Image>-->
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Suspicious IIS Module Registration,Risk=100,Author=Florian Roth/@ionstorm" groupRelation="and">
+				<ParentImage condition="image">w3wp.exe</ParentImage>
+				<Image condition="image">appcmd.exe</Image>
+				<CommandLine condition="contains any">appcmd.exe add module;system.enterpriseservices.internal.publish;\gacutil.exe /I;gacutil.exe -I</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Web Server Exploitation Detected,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">apache;php-cgi.exe;nginx.exe;httpd.exe;tomcat;php.exe</ParentImage>
+				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;certutil.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Web Server Spawned cmd shell,Risk=100" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>				
+				<CommandLine condition="excludes any">ping 127.0.0.1</CommandLine>				
+				<CurrentDirectory condition="is">c:\windows\system32\inetsrv\</CurrentDirectory>				
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,CVE=CVE-2020-1350,DS=Process: Process Creation,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
+				<ParentCommandLine condition="contains all">svchost.exe;termsvcs</ParentCommandLine>
+				<Image condition="excludes any">rdpclip.exe;csrss.exe;wininit.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,CVE=CVE-2020-1350,DS=Process: Process Creation,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
+				<ParentImage condition="image">dns.exe</ParentImage>
+				<Image condition="excludes any">werfault.exe;conhost.exe;dnscmd.exe;dns.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1190,Tactic=Initial Access,Technique=Exploit Public-Facing Application,CVE=CVE-2019-0708,DS=Process: Process Creation,Level=4,Alert=Terminal Service Process Spawn,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">UMWorkerProcess.exe;UMService.exe</ParentImage>
+				<CommandLine condition="excludes any">perfenabled</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1190,Tactic=Initial Access,Technique=Exploit Public-Facing Application,CVE=CVE-2021-26857,DS=Process: Process Creation,Level=4,Alert=HAFNIUM APT Exchange UMS Process,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">UMWorkerProcess.exe;UMService.exe</ParentImage>
+				<CommandLine condition="excludes any">perfenabled</CommandLine>
+				<Image condition="excludes any">wemgr.exe;werfault.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=wwwroot Web Server Exploitation Detected,Risk=100" groupRelation="and">
+				<Image condition="contains any">\wwwroot\</Image>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Atlassian Confluence Remote Exploit,Risk=100,CVE=CVE-2021-26084" groupRelation="and">
+				<ParentImage condition="end with">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
+				<CommandLine condition="contains any">cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Desktop Central Remote Exploit,Risk=100,CVE=CVE-2020-10189,Author=Florian Roth" groupRelation="and">
+				<ParentImage condition="end with">DesktopCentral_Server\jre\bin\java.exe</ParentImage>
+				<CommandLine condition="contains any">cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Generic Java Webapp Remote Exploit,Risk=100" groupRelation="and">
+				<ParentImage condition="image">\jre\bin\java.exe</ParentImage>
+				<Image condition="contains any">cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe</Image>
+				<!--Allow Confluence Rule to fire-->
+				<ParentImage condition="excludes">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=3,Alert=SQL Server Exploitation Detected,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">sqlservr</ParentImage>
+				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;sh.exe;bash.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Generic Java keytool Exploit,Risk=100" groupRelation="and">
+				<ParentImage condition="image">keytool.exe</ParentImage>
+				<Image condition="contains any">cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Apache Spark Exploit,CVE=CVE-2022-33891,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">bash.exe;cmd.exe;powershell.exe;pwsh.exe</ParentImage>
+				<CommandLine condition="contains any">id -Gn `;id /Gn `;id -Gn ';id /Gn '</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<Rule name="Attack=T1133,Technique=External Remote Services,Tactic=Initial Access,DS=Process: Process Creation,Level=2,Alert=Screenconnect Remote Access,Risk=50" groupRelation="and">
+				<CommandLine condition="contains all">e=Access&amp;;y=Guest&amp;;&amp;p=;&amp;c=;&amp;k=</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
+			
+			<!--MITRE ATT&CK TACTIC: Execution-->
+			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=WMI Execution Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains all">process;call;create</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious WMIC Commands,Risk=30" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains any">call set priority;call terminate;product get name;bios, get serialNumber;BIOS GET SERIALNUMBER;onboarddevice get;useraccount where name;useraccount get;path win32_networkadapter where index=;process list;useraccount get /ALL;useraccount list;qfe get description,installedOn /format:csv;process get caption,executablepath,commandline;service get name,displayname,pathname,startmode;share list;win32_share</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Console Host Execution Locations,Risk=30" groupRelation="and">
+				<ParentImage condition="contains any">C:\Users\;$Recycle;\Temp\;\Downloads\</ParentImage>
+				<CommandLine condition="is">\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1</CommandLine>
+				<Image condition="image">conhost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Console Host Parents,Risk=30" groupRelation="and">
+				<ParentImage condition="contains any">svchost.exe;lsass.exe;services.exe;smss.exe;winlogon.exe;explorer.exe;dllhost.exe;rundll32.exe;regsvr32.exe;userinit.exe;winit.exe;spoolsv.exe;wermgr.exe;csrss.exe;ctfmon.exe;werfault.exe</ParentImage>
+				<Image condition="image">conhost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,DS=Process: Process Creation,Alert=Suspicious Console Host children,Risk=30" groupRelation="and">
+				<ParentImage condition="image">conhost.exe</ParentImage>
+				<Image condition="excludes any">:\Windows\splwow64.exe;:\Windows\System32\WerFault.exe;:\Windows\System32\conhost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,UEBA=Execution Command Line tools by user,Risk=45" groupRelation="and">
+				<Image condition="contains any">\cmd.exe;WindowsTerminal;powershell</Image>
+				<ParentImage condition="image">explorer.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,DS=Process: Process Creation,UEBA=Powershell as cmd.exe child process,Risk=39" groupRelation="and">
+				<ParentImage condition="image">cmd.exe</ParentImage>
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+				<CommandLine condition="excludes">Get-ItemProperty HKLM:\software\wow6432node\microsoft\windows\currentversion\uninstall\</CommandLine>
+				<CommandLine condition="excludes">mysql server</CommandLine>
+				<CommandLine condition="excludes">select-object displayversion,displayname</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Powershell ran from Scripting Utilities,Risk=50" groupRelation="and">
+				<ParentImage condition="contains any">cscript.exe;wscript.exe</ParentImage>
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Powershell ran from cscript or wscript,Risk=50" groupRelation="and">
+				<ParentImage condition="contains any">cscript.exe;wscript.exe</ParentImage>
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Powershell Launched from mshta,Risk=100" groupRelation="and">
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+				<ParentImage condition="image">mshta.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Visual Basic,Tactic=Execution,DS=Process: Process Creation,UEBA=Suspicious WSCRIPT Command Line,Risk=50" groupRelation="and">
+				<Image condition="contains any">wscript.exe;cscript.exe</Image>
+				<CommandLine condition="excludes any">IEX;Net.WebClient;ospp.vbs;powershell;slmgr.vbs;spiceworks_upload</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Suspicious wscript commands,Risk=60" groupRelation="and">
+				<Image condition="image">wscript.exe</Image>
+				<CommandLine condition="contains">.jse</CommandLine>
+				<CommandLine condition="contains">.js</CommandLine>
+				<CommandLine condition="contains">.vba</CommandLine>
+				<CommandLine condition="contains">.vbe</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious scripting to dll commands,Risk=70" groupRelation="and">
+				<ParentImage condition="contains any">\wscript.exe;\cscript.exe</ParentImage>
+				<Image condition="contains any">\rundll32.exe;regsvr32.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious rundll32 commands,Risk=70" groupRelation="and">
+				<Image condition="contains any">\rundll32.exe;regsvr32.exe</Image>
+				<CommandLine condition="excludes any">.dll;.cpl;.ocx;localserver;enable-speech-input;auto-scan-plugin;enable-media-stream;CastMediaRouteProvider;-eoim;/eoim</CommandLine><!--Already have localserver com detection-->
+				<CommandLine condition="excludes all">setupapi;InstallHinfSection;DefaultInstall;SplunkUniversalForwarder\bin\spl;rundll32.exe "C:\Windows\Installer\MSI</CommandLine>
+				<CommandLine condition="excludes all">\MSI;.tmp",zzzInvokeManagerCustomActionOutOfProc</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=cscript execution,Risk=60" groupRelation="and">
+				<Image condition="image">cscript.exe</Image>
+				<CommandLine condition="contains">.js</CommandLine>
+				<CommandLine condition="contains">.jse</CommandLine>
+				<CommandLine condition="contains">.vba</CommandLine>
+				<CommandLine condition="contains">.vbe</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Suspicious or Malicious mshta exec,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">mshta vbscript:CreateObject("Wscript.Shell");mshta vbscript:Execute("Execute;mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe;javascript:a=</CommandLine>
+				<CommandLine condition="contains any">.jpg;.png;.lnk;.xls;.doc;.zip;.sct;.hta</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059.003,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Possible WinNTI Malware,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">C:\Windows\Temp\hpqhvind.exe;C:\ProgramData\DRM\;Test.exe</ParentImage>
+				<Image condition="contains any">C:\ProgramData\DRM;wmplayer.exe;C:\ProgramData\DRM\CLR\CLR.EXE</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,DS=Process: Process Creation,Tactic=Execution,UEBA=Registry Editor Opened by user,Risk=70" groupRelation="and">
+				<Image condition="image">regedit.exe</Image>
+				<ParentImage condition="image">explorer.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,UEBA=Unusual Child Process,Risk=30" groupRelation="and">
+				<Image condition="contains any">\svchost.exe;\taskhostw.exe;\userinit.exe;\smss.exe;\csrss.exe;\wininit.exe;\winlogon.exe;\lsass.exe;\logonui.exe;\services.exe</Image>
+				<Image condition="contains any">C:\windows\System32\;C:\windows\syswow64\</Image>
+				<ParentImage condition="excludes any">\wininit.exe;\winlogon.exe;\services.exe;\dwm.exe;System;\smss.exe;\svchost.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,UEBA=Unusual Print Spooler Child Process,Risk=30" groupRelation="and">
+				<ParentImage condition="contains any">\spoolsv.exe;\PrintIsolationHost.exe</ParentImage>
+				<Image condition="excludes any">C:\Windows\System32\spoolsv.exe;\GPLGS\gswin32c.exe;C:\Windows\System32\spool\drivers\;\bin\gswin64c.exe;C:\PROGRA~2\CUTEPD~1\;C:\Windows\EEFPrinter.exe</Image>
+				<CommandLine condition="excludes any">C:\Windows\system32\spool\DRIVERS</CommandLine>
+				<Company condition="excludes any">Brother Industries;Thomson Reuters</Company>
+			</Rule>
+			<ParentCommandLine name="Attack=T1059.001,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Metasploit Detection,Risk=90" condition="contains">COMSPEC</ParentCommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=ScriptFile execution" condition="contains">ScriptFile</CommandLine>
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from 7z Archive File,Risk=50" condition="contains">\Temp\7z</CommandLine><!-- exec from 7zip -->
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from Explorer Archive File,Risk=50" condition="contains">\Temp\Temp1_</CommandLine><!-- exec from explorer -->
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from winrar Archive File,Risk=50" condition="contains">\Temp\Rar$</CommandLine><!-- exec from winrar -->
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
+			<Rule name="Attack=T1059.001,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Powershell Launched from users folder,Risk=60" groupRelation="and">
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+				<ParentImage condition="begin with">C:\users\</ParentImage>
+				<ParentImage condition="excludes">Microsoft VS Code\Code.exe</ParentImage>
+				<ParentImage condition="excludes">\Deployment tool extract\setupodt.exe</ParentImage>
+			</Rule>
+			<CommandLine name="Attack=T1059.001,Technique=PowerShell,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=invoke-shellcode,Risk=100" condition="contains">Shellcode</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Python Execution,Tactic=Privilege Escalation" condition="image">python.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
+			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=JAVA DLL exec" condition="contains">-agentpath:</CommandLine>
+			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=JAVA DLL exec" condition="contains">-agentlib:</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Office Exploitation Detection,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe</ParentImage>
+				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe;msidb.exe</Image>
+				<CommandLine condition="excludes all">.cmd;-</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\system32\spool\DRIVERS\</CommandLine>
+				<CommandLine condition="excludes">PhotoViewer.dll</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed suspicious html attachment,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<CommandLine condition="excludes any">http:;https:;ftp:;mailto:;tel:</CommandLine>
+				<CommandLine condition="end with">.html</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed suspicious html attachment 2,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<CommandLine condition="excludes any">http:;https:;ftp:;mailto:;tel:</CommandLine>
+				<CommandLine condition="end with">.html"</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed suspicious html attachment 2,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<CommandLine condition="excludes any">http:;https:;ftp:;mailto:;tel:</CommandLine>
+				<CommandLine condition="end with">.html"</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed pfd attachment,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<CommandLine condition="end with">.pdf"</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed pfd attachment 2,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<CommandLine condition="end with">.pdf</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed iso attachment,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<CommandLine condition="end with">.iso"</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed iso attachment 2,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<CommandLine condition="end with">.iso</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Link Clicks,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe;BrowserAssist.exe;\msedgewebview;\msedge.exe</Image>
+				<CommandLine condition="contains any">http:;https:;ftp:;mailto:;tel:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed to Common Download locations,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<CommandLine condition="excludes any">http:;https:;ftp:;mailto:;tel:</CommandLine>
+				<CommandLine condition="contains any">\Content.Outlook\;\Downloads\;\Documents\;:\Users\Public\;\Desktop\</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Execution to UNC File Path,Risk=50" groupRelation="and">
+				<ParentImage condition="image">outlook.exe</ParentImage>
+				<CommandLine condition="contains any">\\</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Alert=Office Spawning exe within: User Home Dirs,Risk=80" groupRelation="and">
+				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe</ParentImage>
+				<Image condition="begin with">C:\Users\</Image>
+				<Image condition="end with">.exe</Image>
+				<Product condition="excludes">Zoom Video</Product>
+				<Product condition="excludes">Firefox</Product>
+				<Product condition="excludes">Microsoft Edge</Product>
+				<Product condition="excludes">Microsoft Teams</Product>
+				<Image condition="excludes">GrammarlyAddInSetupe</Image>
+				<Image condition="excludes">Teams.exe</Image>
+				<Image condition="excludes">Zoom.exe</Image>
+				<Image condition="excludes">browser_broker.exe</Image>
+				<Image condition="excludes">chrome.exe</Image>
+				<Image condition="excludes">edge.exe</Image>
+				<Image condition="excludes">firefox.exe</Image>
+				<Image condition="excludes">iexplore.exe</Image>
+				<Image condition="excludes">vivaldi.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Desc=Office Spawning exe within: ProgramData,Risk=70" groupRelation="and">
+				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe</ParentImage>
+				<Image condition="begin with">C:\ProgramData\</Image>
+				<Product condition="excludes">Firefox</Product>
+				<Product condition="excludes">Microsoft Edge</Product>
+				<Product condition="excludes">Microsoft Teams</Product>
+				<Product condition="excludes">Zoom Video</Product>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Desc=Execution from within Zip File,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">.zip\</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Adobe Exploitation Detection,Risk=80" groupRelation="and">
+				<ParentImage condition="contains any">acrobat.exe;acrord32.exe</ParentImage>
+				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Office MSHTML Exploit,Risk=100,CVE=CVE-2021-40444" groupRelation="and">
+				<ParentImage condition="contains any">winword.exe;powerpnt.exe;excel.exe</ParentImage>
+				<Image condition="image">control.exe</Image>
+				<CommandLine condition="excludes any">input.dll</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Follina msdt Exploit,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<Image condition="image">msdt.exe</Image>
+				<OriginalFileName condition="is">msdt.exe</OriginalFileName>
+				<CommandLine condition="contains all">BrowseForFile=;PCWDiagnostic</CommandLine>
+				<CommandLine condition="contains any">/af;-af</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=msdt via answer file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<Image condition="image">msdt.exe</Image>
+				<ParentImage condition="is not">pcwrun.exe</ParentImage>
+				<CommandLine condition="contains">PCWDiagnostic</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=msdt via diagcab file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<Image condition="image">msdt.exe</Image>
+				<CommandLine condition="contains any">/cab;-cab</CommandLine>
+				<CommandLine condition="contains">.diagcab</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=MSDT Executed with Suspicious Parent,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<ParentImage condition="contains any">powershell.exe;pwsh.exe;cmd.exe;mshta.exe;cscript.exe;wscript.exe;wsl.exe;rundll32.exe;regsvr32.exe</ParentImage>
+				<Image condition="image">msdt.exe</Image>
+			</Rule>
+			<ParentImage condition="image" name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Exploit - Equation Editor starts application,CVE=CVE-2017-11882">EQNEDT32.EXE</ParentImage> <!-- https://app.any.run/tasks/dfea0112-6fbe-4091-9161-1e8f25f611b0/-->
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=EPS Processing 0day,Risk=100,CVE=CVE-2017-0261" groupRelation="and">
+				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</ParentImage>
+				<Image condition="image">FLTLDR.EXE</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
+			<CommandLine name="Attack=T1559.002,Technique=Dynamic Data Exchange,Tactic=Execution,DS=Process: Process Creation," condition="contains any">/dde;-dde</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Native API-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scheduled Task Created,Risk=100" groupRelation="and">
+				<Image condition="image">schtasks.exe</Image>
+				<CommandLine condition="contains any">/create;-create;/change;-change</CommandLine>
+				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
+			</Rule>
+			<OriginalFileName name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scheduled Task Created,Risk=1" condition="is">taskeng.exe</OriginalFileName>
+			<Rule name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Schtasks task Run,Risk=60" groupRelation="and">
+				<Image condition="image">schtasks.exe</Image>
+				<CommandLine condition="contains any">/Run;-run</CommandLine>
+				<CommandLine condition="excludes">Sentinel\AutoRepair</CommandLine>
+				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=Child process from schtasks" groupRelation="and">
+				<ParentImage condition="image">schtasks.exe</ParentImage>
+				<ParentCommandLine condition="excludes">schtasks /TN RtkAudUService64_BG</ParentCommandLine>
+				<ParentCommandLine condition="excludes any">-change;/change;-delete;/delete;-create;/create</ParentCommandLine>
+			</Rule>
+			<Image name="Attack=T1053.002,Technique=Scheduled Task/Job: At,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</Image>
+			<ParentImage name="Attack=T1053.002,Technique=Scheduled Task/Job: At,Tactic=Execution/Persistence/Privledge Escalation,DS=Process: Process Creation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</ParentImage>
+			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Scheduled Task Started,Risk=0" groupRelation="and">
+				<ParentImage condition="image">C:\Windows\System32\svchost.exe</ParentImage>
+				<ParentCommandLine condition="contains all">netsvcs;-p;-s;Schedule</ParentCommandLine>
+				<CommandLine condition="excludes all">netsvcs;-p;-s;Schedule</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: System Services-->
+			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Service Stop detected,Risk=0" groupRelation="and">
+				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
+				<CommandLine condition="contains">stop</CommandLine>
+				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=NET.EXE Service Start detected,Risk=30" groupRelation="and">
+				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
+				<CommandLine condition="contains">start</CommandLine>
+				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Impacket Detection 1,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">wmiprvse.exe;mmc.exe;explorer.exe;services.exe</ParentImage>
+				<CommandLine condition="contains all">&#38;1;cmd.exe;\\127.0.0.1\;/Q /c</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Impacket Detection 2,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">wmiprvse.exe;mmc.exe;explorer.exe;services.exe</ParentImage>
+				<CommandLine condition="contains all">&#38;1;cmd.exe;\\127.0.0.1\;-Q -c</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PowerSploit/Empire Persistence,Risk=100" groupRelation="and">
+				<CommandLine condition="contains all">schtasks;Create;ONLOGON;TN;Updater;TR;powershell</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation,Level=2,Alert=Service added via SC,Risk=100" groupRelation="and">
+				<Image condition="image">sc.exe</Image>
+				<CommandLine condition="contains">create</CommandLine>
+				<CurrentDirectory condition="excludes any">\NIC_Emulex_Firmware\;C:\Windows\Temp\ExchangeSetup\</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation,Level=2,Alert=Service binpath modification,Risk=100" groupRelation="and">
+				<Image condition="image">sc.exe</Image>
+				<CommandLine condition="contains all">config;binpath</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Shell as System Service,Risk=100" groupRelation="and">
+				<Image condition="contains any">cmd.exe;powershell.exe</Image>
+				<ParentImage condition="image">services.exe</ParentImage>
+			</Rule>
+			<CommandLine name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=Service added via Powershell,Risk=50" condition="contains">new-service</CommandLine>
+			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PSEXESVC Child Process,Risk=100" condition="image">psexesvc.exe</ParentImage>
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PSexec Execution,Risk=100" groupRelation="or">
+				<Description condition="contains">Execute processes remotely</Description>
+				<Image condition="contains">psexe</Image>
+				<Description condition="contains">PsExec Service</Description> 
+				<Description condition="contains">PsExec Launched</Description> 
+			</Rule>
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Sysinternals Initial Tool Execution,Risk=100" groupRelation="or">
+				<CommandLine condition="contains">accepteula</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PSexec SYSTEM Execution,Risk=100" groupRelation="and">
+				<Description condition="contains">Execute processes remotely</Description>
+				<CommandLine condition="contains any">-s;/s</CommandLine>
+			</Rule>
+			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PSexec Child Process,Risk=100" condition="image">psexec.exe</ParentImage>
+			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=2,Alert=PSKill Execution,Risk=100" condition="image">pskill.exe</ParentImage>
+			<Image name="Attack=T1035,Technique=Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=PsKill Command" condition="contains">pskill</Image>
+			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Network Service Child Processes,Risk=75" groupRelation="and">
+				<ParentCommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k NetworkService -p</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious LanmanWorkstation Child Processes,Risk=75" groupRelation="and">
+				<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Network List Service Child Processes,Risk=75" groupRelation="and">
+				<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k netprofm -p -s netprofm</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Remote Procedure Call Service Anomaly,Risk=75" groupRelation="and">
+				<ParentCommandLine condition="contains all">C:\WINDOWS\system32\svchost.exe;RPCSS</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Remote Procedure Call Service Crash detected,Risk=75" groupRelation="and">
+				<ParentCommandLine condition="contains all">C:\WINDOWS\system32\svchost.exe;RPCSS</ParentCommandLine>
+				<Image condition="image">werfault.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=AstraRoth Command Line detection" groupRelation="and">
+				<CommandLine condition="contains">&amp;&amp; type</CommandLine>
+				<CommandLine condition="contains">&gt;</CommandLine>
+				<CommandLine condition="contains">cmd.exe" /c cd</CommandLine>
+			</Rule>
+			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious or Malicious Command Line events" groupRelation="and">
+				<CommandLine condition="contains any">ntdsutil;/set {default} recoveryenabled no;telnet ;-dumpcr;putty;bash.exe;pssh;shareenum;sekurlsa;reg save;reg  save;psscan;shellexec;vbscript:createobject;/output:clipboard;root\\default;root\\subscription;Wmiclass;WmiCl'+'as'+'s;export-mft;ApplicationImpersonation</CommandLine>
+			</Rule>
+			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Powershell Suspicious or Malicious events" groupRelation="or">
+				<CommandLine condition="contains any">ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy</CommandLine>
+				<ParentCommandLine condition="contains any">ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy</ParentCommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Ramnit Banker Malware,Risk=100" condition="contains">--disable-http2 --disable-quic</CommandLine>
+			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=DNSpionage Link click,Risk=100" condition="contains">/Client/Login?id=</CommandLine>
+			<ParentCommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Emotet Child Process Detected" condition="contains">JABzA</ParentCommandLine>
+			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Malicious Hash Detected" groupRelation="or">
+				<Hashes condition="contains any">2f40abbb4f78e77745f0e657a19903fc953cc664;478dc5a5f934c62a9246f7d1fc275868f568bc07;37b4496e650b3994312c838435013560b3ca8571;37b4496e650b3994312c838435013560b3ca8571;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;807d86da63f0db1fc746d1f0b05bc357;849a2b0dc80aeca3d175c139efe5221c;86A4CAC227078B9C95C560C8F0370BF0;98908ce6f80ecc48628c8d2bf5b2a50c;a4b42c2c95d1f2ff12171a01c86cd64f;4abe604916c04fe3dd8b9cb3d501d3f;eac3e3ece94bc84e922ec077efb15edd;128CECC59C91C0D0574BC1075FE7CB40;88777aacd5f16599547926a4c9202862;0f49621b06f2cdaac8850c6e9581a594;17a36ac3e31f3a18936552aff2c80249;322cb39bc049aa69136925137906d855;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;3d129263f6a48647f103a04446fb0c2f;37cd353621b0f4fc6981b50071c94f01;1b60021baedc3f9201bcdb40e9b87f62;71345b139166482acaa568ac8816c7bc;5E022694C0DBD1FBBC263D608E577949;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc5733c013378fa418d13773f5bfe6f1;c579341f86f7e962719c7113943bb6e4;d326e629a90e78825645963b35e53a6a;5E022694C0DBD1FBBC263D608E577949;53841a0c6a3ff92976db08bfdf95e083;dc7e564809d6c2a2f3457c3c9b91f22b;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b;FE2CA1BE3BDA2A757036A89E54CC02DB;FE2CA1BE3BDA2A757036A89E54CC02DB</Hashes>
+			</Rule>
+			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=4,Alert=TajMahal APT Tool Detection,Risk=100" condition="contains any">22d142f11cf2a30ea4953e1fffb0fa7e;2317d65da4639f4246de200650a70753;27612cb03c89158225ca201721ea1aad;412956675fbc3f8c51f438c1abc100eb;daf2da52475fd8981b19ec3c321a983c;490a140093b5870a47edc29f33542fd2;51a7068640af42c3a7c1b94f1c11ab9d;533340c54bd25256873b3dca34d7f74e;684eca6b62d69ce899a3ec3bb04d0a5b;69a19abf5ba56ee07cdd3425b07cf8bf;6cfd131fef548fcd60fbcdb59317df8e;72dc98449b45a7f1ccdef27d51e31e91;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;80c37e062aa4c94697f287352acf2e9d;815f1f8a7bc1e6f94cb5c416e381a110;a43d3b31575846fa4c3992b4143a06da;08e82dc7bae524884b7dc2134942aadb;7bcd736a2394fc49f3e27b3987cce640;57314359df11ffdf476f809671ec0275;b72737b464e50aa3664321e8e001ff32;ce8ce92fb6565181572dce00d69c24f8;5985087678414143d33ffc6e8863b887;84730a6e426fbd3cf6b821c59674c8a0;d5377dc1821c935302c065ad8432c0d2;d8f1356bebda9e77f480a6a60eab36bb;92f8e3f0f1f7cc49fad797a62a169acd;9003cfaac523e94d5479dc6a10575e60;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;c1e7850da5604e081b9647b58248d7e8;99828721ac1a0e32e4582c3f615d6e57;f559c87b4a14a4be1bd84df6553aaf56;b9c208ea8115232bfd9ec2c62f32d6b8;061089d8cb0ca58e660ce2e433a689b3;0e9afd3a870906ebf34a0b66d8b07435;9c115e9a81d25f9d88e7aaa4313d9a8f;520ee02668a1c7b7c262708e12b1ba6b;7bfba2c69bed6b160261bdbf2b826401;77a745b07d9c453650dd7f683b02b3ed;3a771efb7ba2cd0df247ab570e1408b2;0969b2b399a8d4cd2d751824d0d842b4;fc53f2cd780cd3a01a4299b8445f8511;4e39620afca6f60bb30e031ddc5a4330;bfe3f6a79cad5b9c642bb56f8037c43b;3dfebce4703f30eed713d795b90538b5;9793afcea43110610757bd3b800de517;36db24006e2b492cafb75f2663f241b2;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;649ef1dd4a5411d3afcf108d57ff87af;320b2f1d9551b5d1df4fb19bd9ab253a;3d75c72144d873b3c1c4977fbafe9184;b9cf4301b7b186a75e82a04e87b30fe4;b4e67706103c3b8ee148394ebee3f268;7bfbd72441e1f2ed48fbc0f33be00f24;cdb303f61a47720c7a8c5086e6b2a743;2a6f7ec77ab6bd4297e7b15ae06e2e61;8403a28e0bffa9cc085e7b662d0d5412;3ffd2915d285ad748202469d4a04e1f5;04078ef95a70a04e95bda06cc7bec3fa;235d427f94630575a4ea4bff180ecf5d;8035a8a143765551ca7db4bc5efb5dfd;cacaa3bf3b2801956318251db5e90f3c;1aadf739782afcae6d1c3e4d1f315cbd;c3e255888211d74cc6e3fb66b69bbffb;d9e9f22988d43d73d79db6ee178d70a4;16ab79fb2fd92db0b1f38bedb2f02ed8;8da15a97eaf69ff7ee184fc446f19cf1;ffc7305cb24c1955f9625e525d58aeee;c0e72eb4c9f897410c795c1b360090ef;9ad6fa6fdedb2df8055b3d30bd6f64f1;44619a88a6cff63523163c6a4cf375dd;a571660c9cf1696a2f4689b2007a12c7;81229c1e272218eeda14892fa8425883;0ac48cfa2ff8351365e99c1d26e082ad;afcdf79be1557326c854b6e20cb900a7</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
+			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" condition="contains">a53a02b997935fd8eedcb5f7abab9b9f</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
+			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" condition="contains">e96a73c7bf33a464c510ede582318bf2</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
+			<Image name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Emotet Execution Detected,Risk=100" condition="contains">serialfunc.exe</Image>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Emotet Command Line detection" groupRelation="and">
+				<CommandLine condition="contains any">e PAA;en PAA;enc PAA;enco PAA;encode PAA;encoded PAA;encodedco PAA;encodedcom PAA;encodedcomm PAA;encodedcomma PAA;encodedcomman PAA;encodedcommand PAA;e IAA;en IAA;enc IAA;enco IAA;encode IAA;encoded IAA;encodedco IAA;encodedcom IAA;encodedcomm IAA;encodedcomma IAA;encodedcomman IAA;encodedcommand IAA;e JAB;en JAB;enc JAB;enco JAB;encode JAB;encoded JAB;encodedco JAB;encodedcom JAB;encodedcomm JAB;encodedcomma JAB;encodedcomman JAB;encodedcommand JAB;e cwBFAFQA;en cwBFAFQA;enc cwBFAFQA;enco cwBFAFQA;encode cwBFAFQA;encoded cwBFAFQA;encodedco cwBFAFQA;encodedcom cwBFAFQA;encodedcomm cwBFAFQA;encodedcomma cwBFAFQA;encodedcomman cwBFAFQA;encodedcommand cwBFAFQA;e SQBFAF;en SQBFAF;enc SQBFAF;enco SQBFAF;encode SQBFAF;encoded SQBFAF;encodedco SQBFAF;encodedcom SQBFAF;encodedcomm SQBFAF;encodedcomma SQBFAF;encodedcomman SQBFAF;encodedcommand SQBFAF;e UwBFAFQA;en UwBFAFQA;enc UwBFAFQA;enco UwBFAFQA;encode UwBFAFQA;encoded UwBFAFQA;encodedco UwBFAFQA;encodedcom UwBFAFQA;encodedcomm UwBFAFQA;encodedcomma UwBFAFQA;encodedcomman UwBFAFQA;encodedcommand UwBFAFQA;e IABpAE4AdgBPAEsAZQAt;en IABpAE4AdgBPAEsAZQAt;enc IABpAE4AdgBPAEsAZQAt;enco IABpAE4AdgBPAEsAZQAt;encode IABpAE4AdgBPAEsAZQAt;encoded IABpAE4AdgBPAEsAZQAt;encodedco IABpAE4AdgBPAEsAZQAt;encodedcom IABpAE4AdgBPAEsAZQAt;encodedcomm IABpAE4AdgBPAEsAZQAt;encodedcomma IABpAE4AdgBPAEsAZQAt;encodedcomman IABpAE4AdgBPAEsAZQAt;encodedcommand IABpAE4AdgBPAEsAZQAt;e SQBmACgAJAB;en SQBmACgAJAB;enc SQBmACgAJAB;enco SQBmACgAJAB;encode SQBmACgAJAB;encoded SQBmACgAJAB;encodedco SQBmACgAJAB;encodedcom SQBmACgAJAB;encodedcomm SQBmACgAJAB;encodedcomma SQBmACgAJAB;encodedcomman SQBmACgAJAB;encodedcommand SQBmACgAJAB;e J;en J;enc J;enco J;encode J;encoded J;encodedco J;encodedcom J;encodedcomm J;encodedcomma J;encodedcomman J;encodedcommand J;e SUVY;en SUVY;enc SUVY;enco SUVY;encode SUVY;encoded SUVY;encodedco SUVY;encodedcom SUVY;encodedcomm SUVY;encodedcomma SUVY;encodedcomman SUVY;encodedcommand SUVY;e aWV4;en aWV4;enc aWV4;enco aWV4;encode aWV4;encoded aWV4;encodedco aWV4;encodedcom aWV4;encodedcomm aWV4;encodedcomma aWV4;encodedcomman aWV4;encodedcommand aWV4;e dmFy;en dmFy;enc dmFy;enco dmFy;encode dmFy;encoded dmFy;encodedco dmFy;encodedcom dmFy;encodedcomm dmFy;encodedcomma dmFy;encodedcomman dmFy;encodedcommand dmFy;e dgBhA;en dgBhA;enc dgBhA;enco dgBhA;encode dgBhA;encoded dgBhA;encodedco dgBhA;encodedcom dgBhA;encodedcomm dgBhA;encodedcomma dgBhA;encodedcomman dgBhA;encodedcommand dgBhA;e R2V0;en R2V0;enc R2V0;enco R2V0;encode R2V0;encoded R2V0;encodedco R2V0;encodedcom R2V0;encodedcomm R2V0;encodedcomma R2V0;encodedcomman R2V0;encodedcommand R2V0;e IAAgAH;en IAAgAH;enc IAAgAH;enco IAAgAH;encode IAAgAH;encoded IAAgAH;encodedco IAAgAH;encodedcom IAAgAH;encodedcomm IAAgAH;encodedcomma IAAgAH;encodedcomman IAAgAH;encodedcommand IAAgAH;e TVq;en TVq;enc TVq;enco TVq;encode TVq;encoded TVq;encodedco TVq;encodedcom TVq;encodedcomm TVq;encodedcomma TVq;encodedcomman TVq;encodedcommand TVq;e aQBIA;en aQBIA;enc aQBIA;enco aQBIA;encode aQBIA;encoded aQBIA;encodedco aQBIA;encodedcom aQBIA;encodedcomm aQBIA;encodedcomma aQBIA;encodedcomman aQBIA;encodedcommand aQBIA;e UEs;en UEs;enc UEs;enco UEs;encode UEs;encoded UEs;encodedco UEs;encodedcom UEs;encodedcomm UEs;encodedcomma UEs;encodedcomman UEs;encodedcommand UEs;e H4s;en H4s;enc H4s;enco H4s;encode H4s;encoded H4s;encodedco H4s;encodedcom H4s;encodedcomm H4s;encodedcomma H4s;encodedcomman H4s;encodedcommand H4s;e dXNpbm;en dXNpbm;enc dXNpbm;enco dXNpbm;encode dXNpbm;encoded dXNpbm;encodedco dXNpbm;encodedcom dXNpbm;encodedcomm dXNpbm;encodedcomma dXNpbm;encodedcomman dXNpbm;encodedcommand dXNpbm;e cwBhA;en cwBhA;enc cwBhA;enco cwBhA;encode cwBhA;encoded cwBhA;encodedco cwBhA;encodedcom cwBhA;encodedcomm cwBhA;encodedcomma cwBhA;encodedcomman cwBhA;encodedcommand cwBhA;JABzA</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Emotet Command Line detection 2" groupRelation="and">
+				<CommandLine condition="contains all">FromBase64String</CommandLine>
+				<CommandLine condition="contains any">JAB;SUVY;aWV4;dmFy;dgBhA;R2V0;SQBFAF;TVq;aQBIA;UEs;H4s;dXNpbm;cwBhA</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Emotet Command Line detection 3" groupRelation="and">
+				<CommandLine condition="contains any">/v Word experienced;/v Excel experienced;-v Word experienced;-v Excel experienced</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Emotet Command Line detection 4" groupRelation="and">
+				<CommandLine condition="contains any">JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ;QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA;kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA;IgAoACcAKgAnACkAOwAkA;IAKAAnACoAJwApADsAJA;iACgAJwAqACcAKQA7ACQA</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Obfuscated Emotet Command Line detection" groupRelation="and">
+				<CommandLine condition="contains any">e^;^en^;^nc</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Suspicious Obfuscation Character" groupRelation="and">
+				<CommandLine condition="contains">^</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Suspicious Directory Traversal" groupRelation="and">
+				<CommandLine condition="contains any">..\;\..</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Formbook detections" groupRelation="and">
+				<CommandLine condition="contains any">\cmd.exe /c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe /c del "C:\Users\*\Desktop\*.exe;\cmd.exe -c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe -c del "C:\Users\*\Desktop\*.exe</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=QBot Process Creation,Risk=100" condition="contains any">ping.exe -n 6 127.0.0.1 &#38;ping.exe /n 6 127.0.0.1 &#38; type</CommandLine>
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Powershell RAW ping,Risk=100" condition="contains">System.Net.Networkinformation.ping</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
+			<Image name="Attack=T1158,Technique=Windows Management Instrumentation,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Mofcomp execution or persistence,Risk=50" condition="image">mofcomp.exe</Image>
+
+			<!--MITRE ATT&CK TACTIC: Persistence-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
+			<Rule name="Attack=T1098,Technique=Account Manipulation,Tactic=Credential Access/Persistence,DS=Process: Process Creation,Level=3,Alert=Account Manipulation,Risk=80" groupRelation="and">
+				<Image condition="contains any">net.exe;net1.exe;net2.exe</Image>
+				<CommandLine condition="contains any">user;group;localgroup</CommandLine>
+				<CommandLine condition="contains any">remove;delete;active;del</CommandLine>
+				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
+			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
+			<Rule name="Attack=T1098,Technique=Create Account,Tactic=Persistence,DS=Process: Process Creation,Level=3,Alert=Account Created,Risk=80" groupRelation="and">
+				<Image condition="contains any">net.exe;net1.exe;net2.exe</Image>
+				<CommandLine condition="contains">user</CommandLine>
+				<CommandLine condition="contains any">add</CommandLine>
+				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
+			</Rule>
+			<Image name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsmod,Risk=100" condition="image">dsmod.exe</Image>
+			<Image name="Attack=T1136,Technique=Create Account,Tactic=Persistence,DS=Process: Process Creation,Level=3,Alert=Account Creation via command line,Alert=Account creation with dsadd,Risk=100" condition="image">dsadd.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion/Execution,DS=Process: Process Creation,Level=0,Alert=SilentProcessExit Execution from werfault S-Flag,Risk=75" groupRelation="and">
+				<ParentImage condition="image">WerFault.exe</ParentImage>
+				<ParentCommandLine condition="contains any">-s;/s</ParentCommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,DS=Process: Process Creation,Level=4,Alert=Cobalt Strike GetSystem escalation Detected" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>
+				<CommandLine condition="contains all">echo;\pipe\;&gt;</CommandLine>
+			</Rule>
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,DS=Process: Process Creation,Level=4,Alert=Cobalt Strike PSexec dll copy detected" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>
+				<CommandLine condition="contains all">/c;copy;dll;\\;admin$</CommandLine>
+			</Rule>
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,DS=Process: Process Creation,Level=4,Alert=Cobalt Strike Exec DLL Detected" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">,;StartW</CommandLine>
+			</Rule>
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,DS=Process: Process Creation,Level=4,Alert=Cobalt Strike Susp activity 1" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">,;update;appdata;temp;/i:</CommandLine>
+			</Rule>
+			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,DS=Process: Process Creation,Level=4,Alert=Cobalt Strike Susp activity 2" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">,;update;appdata;temp;-i:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,DS=Process: Process Creation,Level=3,Alert=CMSTPLUA UAC Bypass Child Processes" groupRelation="and">
+				<ParentImage condition="image">dllhost.exe</ParentImage>
+				<ParentCommandLine condition="contains any">{3E5FC7F9-9A51-4367-9063-A120244FBEC7};{3E000D72-A845-4CD9-BD83-80C07C3B881F};{D2E7041B-2927-42fb-8E9F-7CE93B6DC937};{02B49784-1CA2-436C-BC08-72FA3956507D};{BEF590BE-11A6-442A-A85B-656C1081E04C}</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,DS=Process: Process Creation,Level=3,Alert=CMSTPLUA UAC Bypass" groupRelation="and">
+				<Image condition="image">dllhost.exe</Image>
+				<CommandLine condition="contains any">{3E5FC7F9-9A51-4367-9063-A120244FBEC7};{3E000D72-A845-4CD9-BD83-80C07C3B881F};{D2E7041B-2927-42fb-8E9F-7CE93B6DC937};{02B49784-1CA2-436C-BC08-72FA3956507D};{BEF590BE-11A6-442A-A85B-656C1081E04C}</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<Rule name="Attack=T1548,Technique=Abuse Elevation Control Mechanism,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Abused Debug priviledge by Arbitrary Parent Process,Risk=100" groupRelation="and">
+				<ParentImage condition="contains any">winlogon.exe;services.exe;lsass.exe;csrss.exe;wininit.exe;spoolsv.exe;searchindexer.exe</ParentImage>
+				<Image condition="contains any">powershell.exe;pwsh.exe;cmd.exe</Image>
+				<User condition="contains any">AUTHORI;AUTORI</User>
+				<CommandLine condition="excludes any">route ; ADD </CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism: Bypass User Account Control-->
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation,Risk=20" groupRelation="and">
+				<ParentImage condition="image">eventvwr.exe</ParentImage>
+				<Image condition="is not">c:\windows\system32\mmc.exe</Image>
+			</Rule>
+			<ParentImage name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation," condition="image">fodhelper.exe</ParentImage>
+			<Image name="Attack=T1118,Technique=InstallUtil,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=InstallUtil" condition="image">InstallUtil.exe</Image>
+			<CommandLine name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=UAC Bypass" condition="contains">Invoke-PsUaCme</CommandLine>
+			<CommandLine name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=UAC Bypass" condition="contains">BypassUAC</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Powerup Command Line events" condition="contains">PowerUp</CommandLine>
+			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion,DS=Process: Process Creation" condition="is">computerdefaults.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion,DS=Process: Process Creation" condition="is">dism.exe</OriginalFileName>
+			<ParentImage name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion,DS=Process: Process Creation" condition="image">fodhelper.exe</ParentImage>
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<Rule name="Attack=T1134.001,Technique=Access Token Manipulation: Token Impersonation/Theft,Tactic=Privilege Escalation,Risk=90,DS=Process: Process Creation,Level=3,Alert=Priv Escalation to System" groupRelation="and">
+				<ParentUser condition="contains any">NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</ParentUser>
+				<User condition="contains any">NT AUTHORITY\SYSTEM;СИСТЕМА;NT-AUTORITÄT\SYSTEM;AUTORITE NT\SYSTEM</User>
+			</Rule>
+			<ParentCommandLine name="Attack=T1134.001,Technique=Access Token Manipulation: Token Impersonation/Theft,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=1,Desc=Possible Token manipulation" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine>
+			<Image name="Attack=T1134,Technique=Access Token Manipulation,Tactic=NA,DS=Process: Process Creation,Level=2,Alert=Token Manipulation with runas.exe,Risk=70" condition="image">runas.exe</Image> 
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Utilman Lock Screen Bypass,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">Cmd.Exe</OriginalFileName>
+				<ParentImage condition="image">winlogon.exe</ParentImage>
+				<Image condition="image">utilman.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=sethc.exe Lock Screen Bypass,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">Cmd.Exe</OriginalFileName>
+				<ParentImage condition="image">winlogon.exe</ParentImage>
+				<Image condition="image">sethc.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=Utilman Priv Escalation" groupRelation="and">
+				<ParentImage condition="image">utilman.exe</ParentImage>
+				<Image condition="excludes any">C:\Windows\System32\ATBroker.exe;Magnify.exe;C:\Windows\System32\osk.exe</Image>
+			</Rule>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation,DS=Process: Process Creation,Level=0,Desc=SETHC Priv Escalation" condition="image">sethc.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">osk.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">Magnify.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">DisplaySwitch.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">Narrator.exe</ParentImage>
+			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">AtBroker.exe</ParentImage>
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Application Shimming-->
+			<Image name="Attack=T1138,Technique=Application Shimming,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Application Shimming" condition="image">sdbinst.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
+			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=0,Desc=Dwm Exploitation" groupRelation="and">
+				<ParentImage condition="image">dwm.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=7zip Priv Escalation Detection,CVE=CVE-2022-29072" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>
+				<ParentImage condition="image">7zFM.exe</ParentImage>
+				<CommandLine condition="excludes any">;/c;-c</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=Possible InstallerFileTakeOver LPE,CVE=CVE-2021-41379" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>
+				<ParentImage condition="image">elevation_service.exe</ParentImage>
+				<IntegrityLevel condition="contains">System</IntegrityLevel>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
+			<Image condition="contains">unknown process</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=WSL Execution" condition="contains">\LocalState\rootfs\</Image>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=WSL Execution" condition="contains">\LocalState\rootfs\</ParentImage>			
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<Rule name="Attack=T1484.001,Technique=Group Policy Modification,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Auditpol System Audit Policy Change - Should be set via group policy instead" groupRelation="and">
+				<OriginalFileName condition="contains">auditpol</OriginalFileName>
+				<CommandLine condition="contains any">/set;-set;/restore;-restore;/clear;-clear;/remove;-remove;/resourceSACL;-resourceSACL</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
+			<Rule name="Attack=T1164.001,Technique=Hidden Files and Directories,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Hidden/SuperHidden File or Folder created" groupRelation="and">
+				<CommandLine condition="contains any">+s;+h</CommandLine>
+				<Image condition="image">attrib.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1164.001,Technique=Hidden Files and Directories,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Powershell Hidden File or Folder created" groupRelation="and">
+				<CommandLine condition="contains all">Hidden;Attributes</CommandLine>
+				<Image condition="image">powershell.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
+			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Stealth Sysmon Change Detected,Risk=100" groupRelation="and">
+				<Product condition="is">Sysinternals Sysmon</Product>
+				<CommandLine condition="contains any">/u;/c;-u;-c</CommandLine>
+				<CurrentDirectory condition="excludes">C:\ProgramdData\sysmon\</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1562.001,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Windows Defender tampering,Risk=50" groupRelation="and">
+				<Image condition="image">MpCmdRun.exe</Image>
+				<CommandLine condition="contains any">Add-MpPreference;RemoveDefinitions;DisableIOAVProtection</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools:  Disable Windows Event Logging-->
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=SysmonEnte Detection,DS=Process: Process Creation,Level=4,Risk=100" groupRelation="and">
+				<Hashes condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hashes>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=SysmonQuiet Detection,DS=Process: Process Creation,Level=4,Risk=100" groupRelation="and">
+				<Hashes condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hashes>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=SharpEvtMute Detection,DS=Process: Process Creation,Level=4,Risk=100" groupRelation="and">
+				<Hashes condition="contains">IMPHASH=330768a4f172e10acb6287b87289d83b</Hashes>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
+			<Image condition="image" name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=PSTools PSKill,Risk=80">PsKill.exe</Image>
+			<Rule name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Disabling of Windows Defender Features,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">Set-MpPreference;Add-MpPreference;Remove-MpPreference;MpCmdRun.exe</CommandLine>
+				<CommandLine condition="contains any">RemoveDefinitions;RemoveDynamicSignature;DisableIOAVProtection;DisableRealTimeMonitoring;DisableBehaviorMonitoring;DisableBlockAtFirstSeen;DisableIOAVProtection;DisablePrivacyMode;DisableScriptScanning;DisableRealtimeMonitoring;DisableScanningNetworkFiles;DisableScanningMappedNetworkDrivesForFullScan;DisableRestorePoint;DisableRemovableDriveScanning;SignatureDisableUpdateOnStartupWithoutEngine;DisableIntrusionPreventionSystem;DisableScanOnRealtimeEnable;DisableArchiveScanning;DisableIntrusionPreventionSystem;DisableScriptScanning;DisableOnAccessProtection;ExclusionExtension;ExclusionPath;ExclusionProcess;ThreatDefaultAction;TamperProtection</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh ipv6 modification,Risk=40" condition="contains">interface ipv6 set</CommandLine>
+			<CommandLine name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh ipv4 modification,Risk=40" condition="contains">interface ipv4 set</CommandLine>
+			<Image name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Command Line task kill 2,Risk=30" condition="image">taskkill.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=netsh Firewall Rule Deletion,Risk=40" condition="contains">firewall delete</CommandLine> 
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh Firewall Rule Creation,Risk=40" condition="contains">firewall add</CommandLine> 
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=netsh firewall disablement,Risk=40" condition="contains">firewall set opmode disable</CommandLine>
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Possible Arp Spoofing attacks" condition="contains">Core Networking - Router Solicitation</CommandLine>
+			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Windows Firewall Modifications,Risk=40" condition="contains">netsh advfirewall firewall</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
+			<Rule name="Attack=T1070.001,Technique=Clear Windows Event Logs,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Eventlog Removal on Host,Risk=100" groupRelation="and">
+				<Image condition="image">wevtutil.exe</Image>
+				<CommandLine condition="contains"> cl </CommandLine>
+				<CommandLine condition="excludes">wevtutil im</CommandLine>
+				<CommandLine condition="excludes">wevtutil.exe im</CommandLine>
+				<CurrentDirectory condition="excludes">ClickToRun</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1562.006,Technique=Indicator Blocking,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Risk=50" groupRelation="and">
+				<OriginalFileName condition="is">fltMC.exe</OriginalFileName>
+				<CommandLine condition="contains any">detach;unload</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=IIS Log disablement,Risk=80" groupRelation="and">
+				<OriginalFileName condition="is">appcmd.exe</OriginalFileName>
+				<CommandLine condition="contains all">DontLog;True</CommandLine>
+				<Image condition="excludes">iisetup.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Usagelog Env Tampering,Risk=70" groupRelation="or">
+				<CommandLine condition="contains all">set;NGenAssemblyUsageLog</CommandLine>
+				<CommandLine condition="contains all">New-ItemProperty;NGenAssemblyUsageLog</CommandLine>
+				<CommandLine condition="contains all">reg;add;dword;NGenAssemblyUsageLog</CommandLine>
+				<CommandLine condition="contains all">$env;NGenAssemblyUsageLog</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=COMPlus_ETWEnabled Env Tampering,Risk=70" groupRelation="or">
+				<CommandLine condition="contains all">set;COMPlus_ETWEnabled</CommandLine>
+				<CommandLine condition="contains all">New-ItemProperty;COMPlus_ETWEnabled</CommandLine>
+				<CommandLine condition="contains all">reg;add;dword;COMPlus_ETWEnabled</CommandLine>
+				<CommandLine condition="contains all">$env;COMPlus_ETWEnabled</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
+			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux exec,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains any">bash.exe;wsl.exe;ubuntu.exe;kali.exe</OriginalFileName>
+				<CommandLine condition="contains any">-e;/e;-u root;--exec bash;dev/tcp;~ -d;~ /d</CommandLine>
+			</Rule>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</ParentImage>
+			<CommandLine name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Windows Subsystem For Linux,Risk=100" condition="contains any">distro-id;vm-id</CommandLine>
+
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Bash on Windows Execution,Risk=30" condition="image">bash.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Bash on windows execution,Risk=30" condition="image">bash.exe</ParentImage>
+			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Indirect Command Execution with forfiles" condition="image">forfiles.exe</Image>
+			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Indirect command execution forfiles child process" condition="image">forfiles.exe</ParentImage>
+			<Image name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,DS=Process: Process Creation" condition="end with">.com</Image>
+			<CommandLine name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scriptrunner exec" condition="contains">-appvscript</CommandLine>
+
+			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=suspicious execution path,Risk=30" groupRelation="and">
+				<Image condition="contains any">C:\Users\NetworkService\;C:\Users\NetworkService\;HarddiskVolumeShadowCopy;C:\Users\Default\;C:\Users\Public;C:\Users\Guest\;\administrateur\;C:\Windows\Media\;C:\Windows\addins\;tsclient\;\htdocs\;\config\systemprofile\;C:\PerfLogs\;c:\windows\ServiceProfiles\;C:\Intel\Logs\;C:\Windows\repair\;C:\Windows\Help\;$Recycle;C:\Windows\Debug\;C:\Windows\Security\;C:\Windows\Fonts\;\wwwroot\;\Contacts;C:\Windows\vss\</Image>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Alert=Double File Extension,Risk=100" groupRelation="or">
+				<Image condition="end with">      .exe</Image>
+				<Image condition="end with">.7z.exe</Image>
+				<Image condition="end with">.doc.exe</Image>
+				<Image condition="end with">.doc.exe</Image>
+				<Image condition="end with">.docx.exe</Image>
+				<Image condition="end with">.ico.exe</Image>
+				<Image condition="end with">.iso.exe</Image>
+				<Image condition="end with">.lnk.exe</Image>
+				<Image condition="end with">.pdf.exe</Image>
+				<Image condition="end with">.ppt.exe</Image>
+				<Image condition="end with">.pptx.exe</Image>
+				<Image condition="end with">.rar.exe</Image>
+				<Image condition="end with">.rtf.exe</Image>
+				<Image condition="end with">.txt.exe</Image>
+				<Image condition="end with">.xls.exe</Image>
+				<Image condition="end with">.xlsx.exe</Image>
+				<Image condition="end with">.zip.exe</Image>
+				<Image condition="end with">______.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
+			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg add hkcu\software\classes\</CommandLine>
+			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg.exe add hkcu\software\classes\</CommandLine> 
+			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Remote Registry Activity,Risk=39" condition="begin with">C:\WINDOWS\system32\svchost.exe -k localService -s RemoteRegistry</ParentCommandLine>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Alternate Data Streams with Regedit" groupRelation="and">
+				<OriginalFileName condition="is">regedit.exe</OriginalFileName>
+				<CommandLine condition="contains">:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=REG Registry Deletions" groupRelation="and">
+				<Image condition="image">reg.exe</Image>
+				<CommandLine condition="contains">delete </CommandLine>
+			</Rule>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Regedit Registry Deletions" groupRelation="and">
+				<Image condition="image">regedit.exe</Image>
+				<CommandLine condition="contains any">/d;-d</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Powershell Registry Deletions" groupRelation="and">
+				<CommandLine condition="contains any">HKCU:;HKLM</CommandLine>
+				<CommandLine condition="contains">remove-item</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Powershell Registry Modifications" groupRelation="and">
+				<CommandLine condition="contains any">HKCU:;HKLM</CommandLine>
+				<CommandLine condition="contains">set-item;new-item</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
+			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Suspicious Code Page Switch,Risk=50" groupRelation="and">
+				<Image condition="image">chcp.exe</Image>
+				<CommandLine condition="contains">936</CommandLine>
+				<CommandLine condition="contains">1256</CommandLine>
+				<CommandLine condition="contains">864</CommandLine>
+				<CommandLine condition="contains">1258</CommandLine>
+				<CommandLine condition="contains">855</CommandLine>
+				<CommandLine condition="contains">866</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Powershell Encoded Command Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<CommandLine condition="contains any">-e ;-en;-enc;-enco;-encod;-encode;-encoded;-encodedc;-encodedco;-encodedcom;-encodedcomm;-encodedcomma;-encodedcomman;-encodedcommand;/e ;/en;/enc;/enco;/encod;/encode;/encoded;/encodedc;/encodedco;/encodedcom;/encodedcomm;/encodedcomma;/encodedcomman;/encodedcommand</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Powershell Hidden Command,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<CommandLine condition="contains any">-w h;-wi h;-win h;-wind h;-windo h;-window h;-windows h;-windowst h;-windowsty h;-windowstyl h;-windowstyle h;/w h;/wi h;/win h;/wind h;/windo h;/window h;/windows h;/windowst h;/windowsty h;/windowstyl h;/windowstyle h</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Powershell Execution Policy Bypass,Risk=75" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<CommandLine condition="contains any">-ex;/ex</CommandLine>
+				<CommandLine condition="contains">bypass</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Powershell non-interactive Command" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<CommandLine condition="contains any">-noni;/noni</CommandLine>
+				<CommandLine condition="excludes">Import-Module FileServerResourceManager</CommandLine>
+				<CurrentDirectory condition="excludes">C:\Program Files\LogicMonitor</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1027,Tactic=Defense Evasion,Technique=Obfuscated Files or Information,DS=Process: Process Creation,Level=4,Alert=Powershell Obfuscation Command,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<CommandLine condition="contains any">hextobin;iex;io.filestream;system.text;base64;system.io;io.file;IMAGE_SUBSYSTEM_WINDOWS_GUI;IMAGE_NT_OPTIONAL_HDR32;IMAGE_NT_OPTIONAL_HDR64;DllCharacteristicsType;GetDelegateForFunctionPointer;WriteProcessMemory;ReadProcessMemory;ImpersonateSelf;AdjustTokenPrivileges;NtCreateThreadEx;CreateRemoteThread;io.seek;iwr;-bxor;invoke-expression;remove.to.string;shellcode;System.Net.WebClient;System.Net.WebRequest;System.Net.SecurityProtocolType;unicode;-useb;msxml2.serverxmlhttp;wscript.shell;-comobject;frombase64;io.compression;system.convert;io.streamreader;io.memorystream;compression.gzipstream;text.encoding;executioncontext;text.enc;convertto-securestring;runtime.interop;verbosepreference;[[string]]::join</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Powershell Encoded Offsets,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<CommandLine condition="contains any">SUVYI;aWV4I;SQBFAFgA;aQBlA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC;UwB0AGE</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Obfuscated Suspicious or Malicious Commands,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">C^om^S^pEc;^c^o^m^S^p^E^c^;Wscript.Shell;-ComObject;MsXml2.ServerXmlHttp;Remove.ToString;System.Convert;-UseB;[Byte[];^h^t^t^p;h"t"t"p</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information with IwAjACMAd,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Common Base 64 encoded cmds" condition="contains any">IwAjACMAd;IyM=;SUVYI;aWV4I;SQBFAFgA;aQBlAHgA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Alert=Obfuscated Hidden Powershell,Risk=70" condition="contains any">WindowStyle Hidden function;WindowStyle Hidden;windowstyle h;windowstyl h;windowsty h;windowst h;windows h;window h;windo h;wind h;win h;wi h;-w h;/w h;win hi;win hid;win hidd;win hidde;win hidden</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Command Line Obfuscation,Risk=75" condition="contains">^</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Type CON Command Line Redirection" condition="contains">TYPE CON ></CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Copy CON Command Line Redirection" condition="contains">copy CON ></CommandLine>
+			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Common Obfuscated Commands,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">FromBase64String;action=create keyvalue=;VerbosePreference.ToString;SecureString;CSharpCodeProvider;runtime.interopservices.marshal;system.globalization.numberstyles;system.reflection.assembly;hextobin;VerbosePreference.ToString;system.text.encoding;io.filestream;io.filestream;io.seekorigin;text.encoding;unicode.getstring;FromBase64;[Convert]::;System.IO.File]::ReadAllText;|iex</CommandLine>
+				<CommandLine condition="excludes all">ngen.exe;install</CommandLine>
+			</Rule>
+
+			<Rule name="Attack=T1105,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=CertUtil Decode,Risk=80" groupRelation="and">
+				<OriginalFileName condition="contains">certutil</OriginalFileName>
+				<CommandLine condition="contains any">decode;encode</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Ping in Hexadecimal,Risk=60" groupRelation="and">
+				<Image name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Ping in Hexadecimal" condition="image">ping.exe</Image>
+				<CommandLine condition="contains">0x</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information: Compile After Delivery-->
+			<Rule name="Attack= T1127.001,Technique=Trusted Developer Utilities Proxy Execution ,Tactic=Defnse Evasion,DS=Process: Process Creation,Level=4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
+				<Image condition="image">csc.exe</Image>
+				<CommandLine condition="contains any">\AppData\;\Windows\Temp\</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent of Csc.exe,Risk=80" groupRelation="and">
+				<Image condition="image">csc.exe</Image>
+				<ParentImage condition="image">wscript.exe</ParentImage>
+				<ParentImage condition="image">cscript.exe</ParentImage>
+				<ParentImage condition="image">mshta.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=MOFComp compilation of .Mof File,Risk=80" groupRelation="and">
+				<Image condition="image">mofcomp.exe</Image>
+				<CommandLine condition="contains">.mof</CommandLine>
+				<CurrentDirectory condition="excludes">C:\WINDOWS\Installer\MSI</CurrentDirectory>
+				<ParentImage condition="excludes">MsMpEng.exe</ParentImage>
+				<ParentImage condition="excludes">aspnet_regiis.exe</ParentImage>
+				<ParentImage condition="excludes">msiexec.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=CSC Compilation,Risk=80" groupRelation="and">
+				<ParentImage condition="image">csc.exe</ParentImage>
+				<CommandLine condition="contains any">out:;target:library</CommandLine>
+			</Rule>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Workflow Compiler https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb" condition="contains">Microsoft.Workflow.Compiler.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of Autochk,Risk=30" groupRelation="and">
+				<Image condition="image">autochk.exe</Image>
+				<ParentImage condition="excludes any">\smss.exe;\fontdrvhost.exe;\dwm.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of SMSS,Risk=30" groupRelation="and">
+				<Image condition="contains any">\consent.exe;\Runtimebroker.exe;\TiWorker.exe</Image>
+				<ParentImage condition="excludes">\svchost.exe</ParentImage>
+				<ParentImage condition="is not">-</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of consent/runtimebroke/tiworker,Risk=30" groupRelation="and">
+				<Image condition="contains any">\consent.exe;\Runtimebroker.exe;\TiWorker.exe</Image>
+				<ParentImage condition="excludes any">svchost.exe</ParentImage>
+				<ParentImage condition="is not">-</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of searchindexer,Risk=30" groupRelation="and">
+				<Image condition="image">SearchProtocolHost.exe</Image>
+				<ParentImage condition="excludes any">\SearchIndexer.exe;\dllhost.exe</ParentImage>
+				<ParentImage condition="is not">-</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of dllhost,Risk=30" groupRelation="and">
+				<Image condition="image">dllhost.exe</Image>
+				<ParentImage condition="excludes any">\services.exe;\svchost.exe</ParentImage>
+				<ParentImage condition="is not">-</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of smss,Risk=30" groupRelation="and">
+				<Image condition="image">smss.exe</Image>
+				<ParentImage condition="excludes">\smss.exe</ParentImage>
+				<ParentImage condition="is not">System</ParentImage>
+				<ParentImage condition="is not">-</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of csrss,Risk=30" groupRelation="and">
+				<Image condition="image">csrss.exe</Image>
+				<ParentImage condition="is not">-</ParentImage>
+				<ParentImage condition="excludes any">\smss.exe;svchost.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of wininit,Risk=30" groupRelation="and">
+				<Image condition="image">wininit.exe</Image>
+				<ParentImage condition="is not">-</ParentImage>
+				<ParentImage condition="excludes">\smss.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of winlogon,Risk=30" groupRelation="and">
+				<Image condition="image">winlogon.exe</Image>
+				<ParentImage condition="excludes">\smss.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of lsass/LsaIso,Risk=30" groupRelation="and">
+				<Image condition="contains any">\lsass.exe;LsaIso.exe</Image>
+				<ParentImage condition="excludes">\wininit.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of LogonUI,Risk=30" groupRelation="and">
+				<Image condition="image">LogonUI.exe</Image>
+				<ParentImage condition="excludes any">\wininit.exe;\winlogon.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of services,Risk=30" groupRelation="and">
+				<Image condition="image">services.exe</Image>
+				<ParentImage condition="excludes">\wininit.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of svchost,Risk=30" groupRelation="and">
+				<Image condition="image">svchost.exe</Image>
+				<ParentImage condition="is not">-</ParentImage>
+				<ParentImage condition="excludes any">\MsMpEng.exe;\services.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of spoolsv,Risk=30" groupRelation="and">
+				<Image condition="image">spoolsv.exe</Image>
+				<ParentImage condition="excludes">\services.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of taskhost,Risk=30" groupRelation="and">
+				<Image condition="image">taskhost.exe</Image>
+				<ParentImage condition="excludes any">\services.exe;\svchost.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of userinit,Risk=30" groupRelation="and">
+				<Image condition="image">userinit.exe</Image>
+				<ParentImage condition="excludes any">\dwm.exe;\winlogon.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of wmiprvse/wsmprovhost/winrshost,Risk=30" groupRelation="and">
+				<Image condition="contains any">\wmiprvse.exe;\wsmprovhost.exe;\winrshost.exe</Image>
+				<ParentImage condition="is not">-</ParentImage>
+				<ParentImage condition="excludes any">\svchost.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
+				<ParentImage condition="contains any">\SearchProtocolHost.exe;\taskhost.exe;\csrss.exe</ParentImage>
+				<Image condition="excludes any">\werfault.exe;\wermgr.exe;\WerFaultSecure.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
+				<ParentImage condition="image">autochk.exe</ParentImage>
+				<Image condition="excludes any">\chkdsk.exe;\doskey.exe;\WerFault.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Child process of smss,Risk=30" groupRelation="and">
+				<ParentImage condition="image">smss.exe</ParentImage>
+				<Image condition="excludes any">\autochk.exe;\smss.exe;\csrss.exe;\wininit.exe;\winlogon.exe;\setupcl.exe;\WerFault.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Child process of wermgr,Risk=30" groupRelation="and">
+				<ParentImage condition="image">wermgr.exe</ParentImage>
+				<Image condition="excludes any">\WerFaultSecure.exe;\wermgr.exe;\WerFault.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Possible wermgr injection,Risk=30" groupRelation="and">
+				<Image condition="image">wermgr.exe</Image>
+				<CommandLine condition="end with">wermgr.exe</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Possible qbot injection,Risk=30" groupRelation="and">
+				<ParentImage condition="contains any">\rundll32.exe;\regsvr32.exe</ParentImage>
+				<Image condition="contains any">\explorer.exe;\wermgr.exe;\msra.exe;\OneDriveSetup.exe;\mobsync.exe;\xwizard.exe</Image>
+				<CommandLine condition="end with">.exe</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Child process of conhost,Risk=30" groupRelation="and">
+				<ParentImage condition="image">conhost.exe</ParentImage>
+				<Image condition="excludes any">\mscorsvw.exe;\wermgr.exe;\WerFault.exe;\WerFaultSecure.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Powershell Injection Persistence Bypass - Execution - Lateral Movement - Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Powershell Injection persistence bypass,Risk=50" groupRelation="and">
+				<CommandLine condition="contains">System.Management.Automation</CommandLine>
+				<CommandLine condition="excludes all">"C:\Windows\Microsoft.NET\Framework\;\ngen.exe;install</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
+			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
+			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
+			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=InstallUtil 1" groupRelation="and">
+				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
+				<CommandLine condition="contains all">/logfile=;/LogToConsole=false;/U</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=InstallUtil 2" groupRelation="and">
+				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
+				<CommandLine condition="contains all">-logfile=;-LogToConsole=false;-U</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.013,Technique=Mavinject,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Mavinject Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains any">Mavinject.exe;mavinject64.exe</OriginalFileName>
+				<CommandLine condition="contains">INJECTRUNNING</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=CMSTP UAC Bypass Detected 1,Risk=100" groupRelation="and">
+				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
+				<CommandLine condition="contains all">/ni;/s</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=CMSTP UAC Bypass Detected 2,Risk=100" groupRelation="and">
+				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
+				<CommandLine condition="contains all">/ns;/s</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=CMSTP UAC Bypass Detected 3,Risk=100" groupRelation="and">
+				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
+				<CommandLine condition="contains all">-ni;-s</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=CMSTP UAC Bypass Detected 4,Risk=100" groupRelation="and">
+				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
+				<CommandLine condition="contains all">-ns;-s</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.002,Technique=Control Panel,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Control_Rundll Detected,Risk=50" groupRelation="and">
+				<CommandLine condition="contains all">rundll32.exe;shell32.dll;_RunDLL</CommandLine>
+				<Image condition="is not">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.008,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Odbcconf Signed Binary Proxy Execution,Risk=50" groupRelation="and">
+				<Image condition="image">odbcconf.exe</Image>
+				<CommandLine condition="contains any">/S /A {REGSVR;-S -A {REGSVR</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Script:http Detected,Risk=75" condition="contains">script:http</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Register-cimprovider exec,Risk=100" condition="contains">Register-cimprovider</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">Scriptrunner.exe -appvscript</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">bginfo</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">cbd</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=runscripthelper LOLBAS,Risk=40" condition="contains">runscripthelper.exe surfacecheck</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=xwizard LOLBAS,Risk=40" condition="contains">xwizard RunWizard</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=PresentationHost exec,Risk=100" condition="contains">PresentationHost</CommandLine>
+			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=VBoxDrvInst.exe exec,Risk=100" condition="contains">driver executeinf</CommandLine>
+			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains any">control.exe /name;control.exe -name</CommandLine>
+			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains">Control_RunDLL</CommandLine>
+			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="image">SyncAppvPublishingServer.exe</Image>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">Scriptrunner.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">ATBroker.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">Appvlp.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">InfDefaultInstall.EXE</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">PresentationHost.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">RegisterCimProvider2.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">RegisterCimProvider.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">ScriptRunner.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">csi.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">extexport.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">msconfig.EXE</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">rasdlui.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">tttracer.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">verclsid.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">wab.exe</OriginalFileName>
+			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Register-cimprovider.exe,Risk=100" condition="contains">Register-cimprovider.exe</OriginalFileName>
+			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">csi.exe</ParentCommandLine>
+			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">devtoolslauncher.exe LaunchForDeploy</ParentCommandLine>
+			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">bginfo</ParentCommandLine>
+			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="image">devtoolslauncher.exe</ParentImage>
+			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="image">wab.exe</ParentImage>
+			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="image">wsreset.exe</ParentImage>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: CMSTP-->
+			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation" condition="contains any">cmstp.exe /ni /s;cmstp.exe -ni -s</CommandLine>
+			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=cmstp" condition="contains any">cmstp /ni /s;cmstp -ni -s</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Mavinject-->
+			<Image name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Mavinject Process Injection" condition="image">Mavinject.exe</Image>
+			<CommandLine name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Mavinject Process Injection" condition="contains">INJECTRUNNING</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
+			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Potential rundll32.exe DllRegisterServer execution,Risk=70" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains">DllRegisterServer</CommandLine>
+				<CommandLine condition="excludes any">xapauthenticodesip.dll</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Regsvr32 loading in Appdata temp" groupRelation="and">
+				<Image condition="image">regsvr32.exe</Image> 
+				<CommandLine condition="contains all">C:\Users;Appdata;Temp</CommandLine> 
+			</Rule>
+			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Defense Evasion/Execution,DS=Process: Process Creation,Level=4,Alert=Suspicious Regsvr32 loading in Public User folder" groupRelation="and">
+				<Image condition="image">regsvr32.exe</Image> 
+				<CommandLine condition="contains all">C:\Users;Public</CommandLine> 
+			</Rule>
+			<Description name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,DS=Process: Process Creation" condition="contains">Microsoft(C) Register Server</Description>
+			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=SyncAppvPublishingServer Applocker Bypass" condition="image">SyncAppvPublishingServer.exe</Image>
+			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=control panel execution" condition="image">control.exe</Image>
+			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=rasautou execution" condition="image">rasautou.exe</Image>
+			<CommandLine name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Control Panel Execution" condition="contains any">control.exe /name;control.exe -name</CommandLine>
+			<CommandLine name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Control Panel Execution" condition="contains">Control_RunDLL</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
+			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Msiexec.exe DllRegisterServer execution,Risk=70" groupRelation="and">
+				<Image condition="image">msiexec.exe</Image>
+				<CommandLine condition="contains any">/y;-y</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\DartSock.dll</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\ImageViewer2.OCX</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\SysTray.ocx</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\tdbg6.ocx</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\tdbg7.ocx</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\tdbg7.ocx</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\todg7.ocx</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\todgub7.dll</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\SysWOW64\xarraydb.ocx</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSIExec Signed Binary Proxy Execution,Risk=70" groupRelation="and">
+				<Image condition="image">msiexec.exe</Image>
+				<CommandLine condition="contains any">/i;-i</CommandLine>
+				<CommandLine condition="contains any">http</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Rundll32-->
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Rundll32 Suspicious call by Ordinal,Risk=80" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains all">,;#</CommandLine>
+				<CommandLine condition="excludes">C:\Windows\resources\themes\Aero\AeroLite.msstyles</CommandLine>
+				<CommandLine condition="excludes">uxtheme.dll</CommandLine>
+				<CommandLine condition="excludes">ImageView_Fullscreen</CommandLine>
+				<CommandLine condition="excludes">EDGEHTML.dll</CommandLine>
+				<CommandLine condition="excludes">PhotoViewer.dll</CommandLine>
+				<CurrentDirectory condition="excludes">\AppData\Local\WebEx\WebEx\</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Rundll32 Single Threaded Apartment Switch - check for com hijacks,Risk=75" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains any">-sta;/sta</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Rundll32 localserver Switch - check for com hijacks,Risk=75" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains any">-localserver;/localserver</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious OpenAs_RunDLL,Risk=30" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains all">shell32.dll;OpenAs_RunDLL</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Executing Powershell,Risk=70" groupRelation="and">
+				<ParentImage condition="image">RUNDLL32.EXE</ParentImage>
+				<OriginalFileName condition="contains">powershell</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious OpenURL Commands" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains all">url.dll;OpenURL</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious FileProtocolHandler Commands" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains all">url.dll;FileProtocolHandler</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious RouteTheCall Commands" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains all">zipfldr.dll;RouteTheCall</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious Control_RunDLL Commands" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains all">Shell32.dll;Control_RunDLL</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious javascript Commands" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains">javascript:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious RegisterXLL Commands" groupRelation="and">
+				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
+				<CommandLine condition="contains">RegisterXLL</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Suspicious Rundll32 loading in Public User folder" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image> 
+				<CommandLine condition="contains all">C:\Users;Public</CommandLine>
+				<ParentCommandLine condition="excludes any">rdpinit.exe</ParentCommandLine> 
+				<ParentImage condition="excludes any">rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe</ParentImage> 
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Suspicious Rundll32 loading in Appdata Temp" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">C:\Users;Appdata;Temp</CommandLine>
+				<CommandLine condition="excludes any">ImageView_</CommandLine>
+				<ParentCommandLine condition="excludes any">rdpinit.exe</ParentCommandLine>
+				<ParentImage condition="excludes any">rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe</ParentImage>
+			</Rule>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="contains all">advpack.dll;LaunchINFSection</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="contains all">ieadvpack.dll;LaunchINFSection</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="contains all">syssetup.dll;SetupInfObjectInstallAction</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="contains all">setupapi.dll;InstallHinfSection</CommandLine>
+			<CommandLine condition="contains">InstallHinfSection</CommandLine>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=infDefaultInstall" condition="image">infDefaultInstall.exe</Image>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=APT28 CHOPSTICK Detection,Risk=70" condition="contains">rundll32.exe "C:\Windows\twain_64.dll"</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Shdocvw exec via rundll32,Risk=70" condition="contains all">shdocvw.dll;OpenURL</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Testing advpack exec,Risk=70" condition="contains all">advpack.dll;RegisterOCX</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass,Risk=100" condition="contains all">Zipfldr.dll;RouteTheCall</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass,Risk=100" condition="contains all">url.dll;FileProtocolHandler</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass technique FileProtocolHandler,Risk=100" condition="contains all">url.dll;FileProtocolHandler</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" condition="contains all">OpenURLA;file:</CommandLine>
+			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" condition="contains all">OpenURL;file:</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MSHTA-->
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Suspicious child processes of mshta,Risk=100" groupRelation="and">
+				<ParentImage condition="image">mshta.exe</ParentImage>
+				<Image condition="contains any">cmd.exe;powershell.exe;wscript.exe;cscript.exe;sh.exe;bash.exe;reg.exe;regsvr32.exe;bitsadmin</Image>
+			</Rule>
+			<Rule name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution,Risk=100" groupRelation="and">
+				<Image condition="image">mshta.exe</Image>
+			</Rule>
+			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution" condition="contains">RunHTMLApplication</CommandLine>
+			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution" condition="contains">mshtml</CommandLine>
+			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution" condition="contains">vbscript:CreateObject</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Odbcconf-->
+			<Image name="Attack=T1218.008,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Possible driver load with odbcconf,Risk=40" condition="image">odbcconf.exe</Image>
+
+			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
+			<CommandLine name="Attack=T1216,Technique=System Script Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=manage-bde.wsf exec,Risk=100" condition="contains">manage-bde.wsf</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Powershell Calling MSBuild" groupRelation="and">
+				<ParentImage condition="contains any">powershell.exe;powershell_ise.exe</ParentImage>
+				<Image condition="image">msbuild.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSBuild Calling RegAsm" groupRelation="and">
+				<ParentImage condition="image">msbuild.exe</ParentImage>
+				<Image condition="image">regasm.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSBuild Calling useinit" groupRelation="and">
+				<ParentImage condition="image">msbuild.exe</ParentImage>
+				<Image condition="image">userinit.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSBuild Building from xml - Silent Trinity" groupRelation="and">
+				<ParentImage condition="image">msbuild.exe</ParentImage>
+				<ParentCommandLine condition="contains">.xml</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=RegAsm Parent process" groupRelation="and">
+				<ParentImage condition="image">regasm.exe</ParentImage>
+				<Image condition="excludes">\conhost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSBuild building from lnk file" groupRelation="and">
+				<Image condition="image">msbuild.exe</Image>
+				<CommandLine condition="contains">.lnk</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=.csproj execution" condition="contains">.csproj</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
+			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
+			<Image name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,DS=Process: Process Creation,Level=4,Alert=XSL Script Processing" condition="image">msxsl.exe</Image>
+			<ParentImage name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,DS=Process: Process Creation,Level=4,Alert=XSL Script Processing" condition="image">msxsl.exe</ParentImage>
+			<!--MITRE ATT&CK TACTIC: Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
+			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
+			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Hawkeye Keylogger Detected" condition="contains">/stext</CommandLine>
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" condition="contains">keylog</CommandLine>
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" condition="contains">keyscan_</CommandLine>
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" condition="contains">Get-Keystrokes</CommandLine>
+			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" condition="contains">/scomma</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<Rule name="Attack=T1040,Technique=Network Sniffing,Tactic=Credential Access/Discovery,DS=Process: Process Creation,Level=4,Alert=Network Sniffing tool Detected,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">sniff</CommandLine>
+				<CommandLine condition="excludes">C:\Program Files\Adobe\</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1040,Technique=Network Sniffing,Tactic=Credential Access/Discovery,DS=Process: Process Creation,Level=4,Alert=PCAP Sniffing tool Detected,Risk=100" groupRelation="or">
+				<OriginalFileName condition="is any">tcpdump.exe;tcpdump.c;tshark.exe;tshark.c;windump.exe;windump.c;wireshark.c;wireshark.exe</OriginalFileName>
+				<CommandLine condition="contains any">windump;tshark;tcpdump;windump;wireshark</CommandLine>
+				<CommandLine condition="contains all">netsh;trace;start;capture=yes</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Access with vss shadow copy,Risk=100" groupRelation="and">
+				<Image condition="image">vssadmin.exe</Image>
+				<CommandLine condition="contains any">create;shadow</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential access with wmic shadow copy creation,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains all">shadowcopy;call;create</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential access with wmic esentutl,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains all">call;create;esentutl;vss</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Powershell shadow copy creation,Risk=100" groupRelation="and">
+				<CommandLine condition="contains all">win32_shadowcopy;create;clientaccessible</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Symlink to Shadowcopy,Risk=100" groupRelation="and">
+				<CommandLine condition="contains all">mklink;GLOBALROOT;Shadow</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Copy of NTDS.dit from vss shadow copy,Risk=100" groupRelation="or">
+				<CommandLine condition="contains all">copy;NTDS\ntds.dit</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=ntdsutil credential dumping,Risk=100" groupRelation="or">
+				<Image condition="image">ntdsutil.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Copy of SYSTEM Registry from vss shadow copy,Risk=100" groupRelation="or">
+				<CommandLine condition="contains all">copy;System32\config\SYSTEM</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Malicious Reg Save Credential Dumping,Risk=100" groupRelation="or">
+				<CommandLine condition="contains all">reg;save;HKLM</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">mimikatz;mimidrv;mimilove;mimilib;sekurlsa;lsadump;dumpcreds;privilege::;token::;logonpasswords;mimikittenz;mimiauth;::;kerberos::;misc::skeleton;privilege::debug;dpapi::cred;vault::cred;lsadump;misc::;Krbtgt;TOKEN::;invoke-mimi</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=3,Alert=Possible credential modification or disclosure with cmdkey,Risk=30" groupRelation="and">
+				<OriginalFileName condition="contains">cmdkey</OriginalFileName>
+			</Rule>
+			<OriginalFileName name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=3,Alert=Credential Dumping Command rpcping,Risk=100" condition="is">rpcping.exe</OriginalFileName>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command nltest,Risk=100" condition="contains">nltest.exe</CommandLine>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Suspicious Cred Dumping Commands,Risk=60" groupRelation="and">
+				<CommandLine condition="contains any">-ma lsass.exe;Do-Exfiltration;Powersploit;GPPPassword;gpprefdecrypt;gsecdump;hashdump;laZagne;ntds.dit;ppldump;pwdump;pwdumpx;secretsdump;/listcreds:;-listcreds:</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultCloseVault</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultEnumerateItem</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultFree</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultGetItem</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultOpenVault</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">Vaultcmd</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">vaultcli.dll</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping from firefox" condition="contains">select * from moz_login</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping" condition="contains">Invoke-WinEnum</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Dumping Cached Credentials,Risk=100" condition="contains">System.Net.CredentialCache</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=0,Desc=VSS Shadow file Created" condition="contains">create shadow</CommandLine>
+			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Dumping,DS=Process: Process Creation,Level=4,Alert=Credential Theft: netsh wlan password export in cleartext,Risk=100" condition="contains all">wlan;export;profile;key=clear</CommandLine>
+			<CommandLine name="Attack=T1003.006,Technique=Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command DCsync,Risk=100" condition="contains">dcsync</CommandLine>
+			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credentials in Registry" condition="contains any">HKCU /f password;HKCU -f password</CommandLine>
+			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credentials in Registry" condition="contains any">HKLM /f password;HKLM -f password</CommandLine>
+			<Image name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command nltest,Risk=60" condition="image">nltest.exe</Image>
+			<Image name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command" condition="image">ProcDump.exe</Image>
+			<OriginalFileName name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command" condition="contains">ProcDump</OriginalFileName>
+			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">asktgt;asktgs</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">createnetonly /program:;createnetonly -program:</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">dump /service:krbtgt;dump -service:krbtgt</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">harvest /interval:;harvest -interval:</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">renew /ticket:;renew -ticket:</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">asreproast</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">impersonateuser:</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">kerberoast</CommandLine>
+			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">ptt /ticket:</CommandLine>
+			<Image name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Kerberos Ticket Disclosure with klist,Risk=70" condition="image">klist.exe</Image>
+			<Image name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=0,Desc=Kerberos Ticket Disclosure,Risk=30" condition="image">hh.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
+			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
+			<Rule name="Attack=T1552,Technique=Unsecured Credentials,Tactic=Credential Access,DS=Process: Process Creation,Level=3,Alert=Possible disclosure with IIS appcmd,Risk=100" groupRelation="and">
+				<OriginalFileName condition="is">appcmd.exe</OriginalFileName>
+				<CommandLine condition="contains all">list;text;password</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TACTIC: Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
+			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=User enumeration/Discovery,Risk=30" condition="image">quser.exe</Image>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=User or Group Discovery,Risk=50" groupRelation="and">
+				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
+				<CommandLine condition="contains any">group;localgroup; user</CommandLine>
+				<CommandLine condition="excludes">/domain</CommandLine>
+				<CommandLine condition="excludes">SUService</CommandLine>
+				<CommandLine condition="excludes">\users</CommandLine>
+				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=Domain User or Group Discovery,Risk=50" groupRelation="and">
+				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
+				<CommandLine condition="contains any">group;localgroup; user</CommandLine>
+				<CommandLine condition="contains any">/domain</CommandLine>
+				<CommandLine condition="excludes">SUService</CommandLine>
+				<CommandLine condition="excludes">\users</CommandLine>
+				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=4,Alert=Sharphound Discovery,Risk=100" groupRelation="or">
+				<CommandLine condition="contains any">sharphound;bloodhound;azurehound;CollectionMethod;encryptzip;randomizefilenames;dumpcomputerstatus</CommandLine>
+				<Company condition="contains any">sharphound;bloodhound</Company>
+				<Description condition="contains any">sharphound;bloodhound</Description>
+				<Image condition="contains any">sharphound;bloodhound</Image>
+				<OriginalFileName condition="contains any">sharphound;bloodhound</OriginalFileName>
+				<ParentImage condition="contains any">sharphound;bloodhound</ParentImage>
+				<Product condition="contains any">sharphound;bloodhound</Product>
+			</Rule>
+			<CommandLine name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=DSclient Discovery,Risk=70" condition="contains any">dscl . list /Groups;dscl . list -Groups</CommandLine>
+			<CommandLine name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=DSclient Discovery,Risk=70" condition="contains any">dscl . list /Users;dscl . list -Users</CommandLine>
+			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=DSQuery.EXE Discovery,Risk=70" condition="image">dsquery.exe</Image>
+			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Query.EXE Discovery,Risk=30" condition="image">query.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
+			<Image name="Attack=T1083,Technique=File and Directory Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=directory structure disclosure,Risk=30" condition="end with">tree.com</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
+			<Rule name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Auditpol System/GP Audit Policy Discovery" groupRelation="and">
+				<OriginalFileName condition="contains">auditpol</OriginalFileName>
+				<CommandLine condition="contains any">/get;-get;/list;-list;/backup;-backup</CommandLine>
+			</Rule>
+			<Image name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Group Policy Discovery with GPResult" condition="contains any">gpresult.exe</Image>
+			<CommandLine name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Group Policy Discovery with Powershell" condition="contains any">get-gpo;get-gpresult;get-gpreg</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
+			<Image name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=Process Discovery,Risk=0" condition="image">tasklist.exe</Image>
+			<Image name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Process Discovery,Risk=0" condition="image">qprocess.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
+			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg query</CommandLine>
+			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg.exe query</CommandLine>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Remote Driver Querying" condition="image">driverquery.exe</Image>
+
+			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
+			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=Traceroute Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">tracert.exe</Image>
+			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=Pathping Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">pathping.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Discovery: Security Software Discovery-->
+			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Alert=Sysmon Detection with driver altitude" groupRelation="or">
+				<CommandLine condition="contains all">find;385201</CommandLine>
+				<CommandLine condition="contains all">select-string;385201</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Alert=Antivirus/edr/siem Discovery" groupRelation="or">
+				<CommandLine condition="contains all">find;virus</CommandLine>
+				<CommandLine condition="contains all">select-string;virus</CommandLine>
+				<CommandLine condition="contains all">process;Description;virus</CommandLine>
+				<CommandLine condition="contains all">find;cb</CommandLine>
+				<CommandLine condition="contains all">select-string;cb</CommandLine>
+				<CommandLine condition="contains all">process;Description;cb</CommandLine>
+				<CommandLine condition="contains all">find;defender</CommandLine>
+				<CommandLine condition="contains all">select-string;defender</CommandLine>
+				<CommandLine condition="contains all">process;Description;defender</CommandLine>
+				<CommandLine condition="contains all">find;crowdstrike</CommandLine>
+				<CommandLine condition="contains all">select-string;crowdstrike</CommandLine>
+				<CommandLine condition="contains all">process;Description;crowdstrike</CommandLine>
+				<CommandLine condition="contains all">find;sentinel</CommandLine>
+				<CommandLine condition="contains all">select-string;sentinel</CommandLine>
+				<CommandLine condition="contains all">process;Description;sentinel</CommandLine>
+				<CommandLine condition="contains all">find;nessusd</CommandLine>
+				<CommandLine condition="contains all">select-string;nessusd</CommandLine>
+				<CommandLine condition="contains all">process;Description;nessusd</CommandLine>
+				<CommandLine condition="contains all">find;td-agent</CommandLine>
+				<CommandLine condition="contains all">select-string;td-agent</CommandLine>
+				<CommandLine condition="contains all">process;Description;td-agent</CommandLine>
+				<CommandLine condition="contains all">find;cbagentd</CommandLine>
+				<CommandLine condition="contains all">select-string;cbagentd</CommandLine>
+				<CommandLine condition="contains all">process;Description;cbagentd</CommandLine>
+				<CommandLine condition="contains all">find;sysmon</CommandLine>
+				<CommandLine condition="contains all">select-string;sysmon</CommandLine>
+				<CommandLine condition="contains all">process;Description;sysmon</CommandLine>
+				<CommandLine condition="contains all">find;winlogbeat</CommandLine>
+				<CommandLine condition="contains all">select-string;winlogbeat</CommandLine>
+				<CommandLine condition="contains all">process;Description;winlogbeat</CommandLine>
+				<CommandLine condition="contains all">find;winlogbeat</CommandLine>
+				<CommandLine condition="contains all">select-string;winlogbeat</CommandLine>
+				<CommandLine condition="contains all">process;Description;winlogbeat</CommandLine>
+				<CommandLine condition="contains all">find;csfalcon</CommandLine>
+				<CommandLine condition="contains all">select-string;csfalcon</CommandLine>
+				<CommandLine condition="contains all">process;Description;csfalcon</CommandLine>
+				<CommandLine condition="contains all">find;splunk</CommandLine>
+				<CommandLine condition="contains all">select-string;splunk</CommandLine>
+				<CommandLine condition="contains all">process;Description;splunk</CommandLine>
+				<CommandLine condition="contains all">find;sidecar</CommandLine>
+				<CommandLine condition="contains all">select-string;sidecar</CommandLine>
+				<CommandLine condition="contains all">process;Description;sidecar</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation" groupRelation="or">
+				<OriginalFileName name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discover,DS=Process: Process Creationy" condition="is">fltMC.exe</OriginalFileName>
+				<CommandLine name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation" condition="contains">misc::mflt</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=AV Product detection via WMI,Risk=30" condition="contains">AntiVirusProduct</CommandLine>
+			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Security Settings via WMI,Risk=30" condition="contains">root\SecurityCenter2</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
+			<Image name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=System Information Discovery,Risk=30" condition="image">sysinfo.exe</Image>
+			<CommandLine name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=System Information Discovery,Risk=30" condition="image">systeminfo</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
+			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=Network Connection Discovery with netsh,Risk=60" groupRelation="and">
+				<Image condition="image">netsh.exe</Image>
+				<CommandLine condition="contains any">get;list;show</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=Network Connection Changes with netsh,Risk=60" groupRelation="and">
+				<Image condition="image">netsh.exe</Image>
+				<CommandLine condition="excludes any">get;list;show</CommandLine>
+			</Rule>
+			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=ipconfig discovery,Risk=20" condition="image">ipconfig.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
+			<Image name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=System Network Connections Discovery,Risk=0" condition="image">netstat.exe</Image>
+			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp -a</CommandLine> 
+			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp.exe -a</CommandLine> 
+			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp  -a</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=Account Discovery,Risk=50" groupRelation="and">
+				<Image condition="contains any">whoami.exe;whoami1.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=WMIC Account Discovery,Risk=30" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains all">get;useraccount</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=DNS encryption enabled with netsh,Risk=40" groupRelation="and">
+				<Image condition="image">netsh.exe</Image>
+				<CommandLine condition="contains any">add;set</CommandLine>
+				<CommandLine condition="contains any">encryption;dohtemplate</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=Network Connection modifications with netsh,Risk=40" groupRelation="and">
+				<Image condition="image">netsh.exe</Image>
+				<CommandLine condition="contains any">add;del;set</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=NBTStat DNS Lookup,Risk=30" groupRelation="and">
+				<CommandLine condition="contains">nbtstat</CommandLine> 
+				<CommandLine condition="excludes">nessus</CommandLine> 
+			</Rule>
+			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=route.exe discovery,Risk=60" groupRelation="and">
+				<Image condition="image">route.exe</Image>
+				<CommandLine condition="contains">print</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=Route Modification,Risk=40" groupRelation="and">
+				<Image condition="image">route.exe</Image>
+				<CommandLine condition="contains any">ADD;DEL;CHANGE;-f</CommandLine>
+			</Rule>
+			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=User enumeration with qwinsta" condition="image">qwinsta.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=rwinsta" condition="image">rwinsta.exe</Image>
+			
+			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+
+			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Possible Lateral Movmt via Office Application,Risk=80" groupRelation="and">
+				<ParentImage condition="contains">Microsoft Office\root\Office</ParentImage>
+				<Image condition="excludes">Microsoft Office\root\Office</Image>
+				<ParentCommandLine condition="contains all">automation;Embedding</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.002,Tactic=Lateral Movement,Technique=SMB/Windows Admin Shares,DS=Process: Process Creation,Level=3,Alert=Command Ran over Admin Share" groupRelation="and">
+				<CommandLine condition="contains">admin$</CommandLine>
+				<CommandLine condition="excludes any">davclnt.dll</CommandLine>
+				<ParentCommandLine condition="excludes any">WebClientGroup</ParentCommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking: RDP Hijacking-->
+			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Remote Desktop Shadow Alert,Risk=100" condition="contains any">/shadow;-shadow</CommandLine>
+			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Remote Desktop Shadow with no Consent alert" condition="contains">noConsentPrompt</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
+			<Rule name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=RDP Hijack Detected" groupRelation="and">
+				<ParentImage name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=RDP Hijack Detected,Risk=100" condition="image">tscon.exe</ParentImage>
+				<CommandLine condition="contains">dest:rdp-tcp:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Powershell Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Emotet Executed via WMI,Risk=100" groupRelation="and">
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+				<Image condition="contains">\Users\</Image>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Network Detective System Scan Detected,Risk=100" groupRelation="and">
+				<Image condition="contains">NetworkDetective</Image>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Remote Tenable Malware Scan Detected,Risk=100" groupRelation="and">
+				<Image condition="image">sc.exe</Image>
+				<CommandLine condition="contains">tenable</CommandLine>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=CMD.exe Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+				<CommandLine condition="excludes any">do_vbsUpload;Spiceworks</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=regsvr32.exe Executed via WMI,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">regsvr32.exe</OriginalFileName>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=CMD Executed via WMI,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">cmd.exe</OriginalFileName>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Powershell Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
+				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=RSAT Tool Launch,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">dsa.msc</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=HyperV Remote Management Tool Launch,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">virtmgmt.msc</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Potential Malicious Remote WMI Execution Detected,Risk=100" groupRelation="and">
+				<ParentImage condition="image">wmiprvse.exe</ParentImage>
+				<Image condition="excludes">CompMgmtLauncher.exe</Image>
+				<Image condition="excludes">DismHost.exe</Image>
+				<Image condition="excludes">Microsoft.NET\Framework</Image>
+				<Image condition="excludes">NetEvtFwdr.exe</Image>
+				<Image condition="excludes">ServerManager.exe</Image>
+				<Image condition="excludes">WerFault.exe</Image>
+				<Image condition="excludes">chcp.com</Image>
+				<Image condition="excludes">g2mupdate.exe</Image>
+				<Image condition="excludes">slack.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Suspicious Processes Spawned by WinRM,Risk=100" groupRelation="and">
+				<ParentImage condition="image">wsmprovhost.exe</ParentImage>
+				<Image condition="image">cmd.exe</Image>
+				<Image condition="image">sh.exe</Image>
+				<Image condition="image">bash.exe</Image>
+				<Image condition="image">wsl.exe</Image>
+				<Image condition="image">powershell.exe</Image>
+				<Image condition="image">powershell_ise.exe</Image>
+				<Image condition="image">schtasks.exe</Image>
+				<Image condition="image">at.exe</Image>
+				<Image condition="image">certutil.exe</Image>
+				<Image condition="image">mshta.exe</Image>
+				<Image condition="image">whoami.exe</Image>
+				<Image condition="image">ping.exe</Image>
+				<Image condition="image">ping.exe</Image>
+				<Image condition="image">bitsadmin.exe</Image>
+			</Rule>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Windows Remote Management Execution" condition="end with">winrm.cmd</Image>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrs.exe</Image>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrshost.exe</Image>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=2,Alert=Waitfor.exe Execution bypass" condition="image">waitfor.exe</Image>
+			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</Image>
+			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrshost.exe</ParentImage>
+			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</ParentImage>
+			<Rule name="Attack=T1021.006,Technique=Remote WMIC/Execution,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Potential Malicious Document Execution,Risk=90" groupRelation="and">
+				<ParentImage condition="image">wmiprvse.exe</ParentImage>
+				<Image condition="image">mshta.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Secure Shell Execution,Risk=80" groupRelation="and">
+				<Image condition="contains any">ssh.exe;putty.exe;kitty.exe;kitty_portable.exe</Image>
+			</Rule>
+			<Product name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Putty utility detected,Risk=60">PuTTY suite</Product>
+			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Secure Shell FTP Execution,Risk=80" groupRelation="and">
+				<Image condition="contains any">sftp;psftp</Image>
+			</Rule>
+			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Possible SMBExec via Metasploit,Risk=100" groupRelation="and">
+				<CommandLine condition="is">rundll32.exe</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Trickbot,Risk=100" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">..\;,</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Trickbot 2,Risk=100" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">,StartW</CommandLine>
+			</Rule>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Sysinternals PSService" condition="contains">psservice</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Sysinternals PsPasswd" condition="contains">PsPasswd</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Remote Desktop" condition="image">mstsc.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
+			<CommandLine name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=IIS powershellcustomhost exec" condition="contains">powershellcustomhost</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Remote Services: Distributed Component Object Model-->
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation" groupRelation="and">
+				<ParentCommandLine condition="contains">-Embedding</ParentCommandLine>
+				<ParentImage condition="is">c:\windows\system32\mmc.exe</ParentImage>
+			</Rule>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=CrackmapExec - Malicious Command Line events,Tactic=Privilege Escalation" condition="contains all">--execm;atexec</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Background Intelligent Transfer Control Class 1.0" condition="contains">{4991d34b-80a1-4291-83b6-3328366b9097}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Excel.Application" condition="contains">{00020812-0000-0000-C000-000000000046}</CommandLine> 	  
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: HTML Application" condition="contains">{40AEEAB6-8FDA-41e3-9A5F-8350D4CFCA91}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: MMC20.APPLICATION" condition="contains">{7e0423cd-1119-0928-900c-e6d4a52a0715}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Outlook.Application" condition="contains">{0006F04A-0000-0000-C000-000000000046}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Powerpoint.Application" condition="contains">{048EB43E-2059-422F-95E0-557DA96038AF}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Shell.Application" condition="contains">{13709620-C279-11CE-A49E-444553540000}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: ShellBrowserWindow" condition="contains">{c08afd90-f2a1-11d1-8455-00a0c91f3880}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: ShellWindows" condition="contains">9BA05972-F6A8-11CF-A442-00A0C90A8F39</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Visio.Application" condition="contains">{00021A20-0000-0000-C000-000000000046}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: WScript.Shell" condition="contains">{72C24DD5-D70A-438B-8A42-98424B88AFB8}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Word.Application" condition="contains">{00020906-0000-0000-C000-000000000046}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Execution - Suspicious Cmdline - JScript Engine CLSID">{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Execution - Unusual Scripting Engine in use - chakra.dll">{1b7cd997-e5ff-4932-a7a6-2a9e636da385}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Execution - Unusual Scripting Engine in use - jscript9.dll">{16d51579-a30b-4c8b-a276-0ff4dc41e755}</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" condition="contains any">rundll32.exe -sta;rundll32.exe /sta;rundll32 -sta;rundll32 /sta</CommandLine>
+			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" condition="contains all">shell32.dll;SHCreateLocalServerRunDll</CommandLine>
+			<ParentCommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM Launch" condition="contains any">-k DcomLaunch;/k DcomLaunch</ParentCommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+
+			<!--MITRE ATT&CK TACTIC: Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
+			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Dark Halo Protected zip file creation,Risk=100" groupRelation="and">
+				<Image condition="image">7z.exe</Image>
+				<CommandLine condition="contains any">a -mx9 -r0 -p;a -v500m -mx9 -r0 -p</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=7z Renamed,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">7z</OriginalFileName>
+				<Image condition="excludes">7z</Image>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Winrar Renamed,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">winrar</OriginalFileName>
+				<Image condition="excludes">winrar</Image>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Winrar Renamed,Risk=100" groupRelation="and">
+				<Product condition="contains">winrar</Product>
+				<Image condition="excludes">winrar</Image>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Winzip Renamed,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">winzip</OriginalFileName>
+				<Image condition="excludes">winzip</Image>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Powershell Compress-Archive,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">Compress-Archive</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
+			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">WindowsAudioDevice-Powershell-Cmdlet</CommandLine>
+			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">SoundRecorder.exe</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
+			<Image name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,DS=Process: Process Creation,Level=3,Alert=Data injected into clipboard,Risk=30" condition="image">clip.exe</Image>
+			<CommandLine name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,DS=Process: Process Creation,Level=3,Alert=Data pulled from clipboard,Risk=40" condition="contains">get-clipboard</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
+			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
+			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Possible Email Collection/Exfiltration,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">New-MailboxExportRequest</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=New Exchange Management Role could be used for email exfiltration,Risk=70" groupRelation="and">
+				<CommandLine condition="contains all">add-pssnapin;exchange;new-managementroleassignment;applicationimpersonation</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">screencapture</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.drawing.Imaging</CommandLine>			
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.drawing.bitmap</CommandLine>
+			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.windows.forms.screen</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
+			<!--MITRE ATT&CK TACTIC: Command and Control-->
+			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=base64 encoded URL https or http offset,Risk=80" groupRelation="and">
+				<CommandLine condition="contains any">odHRwczovL;aHR0cDovL;h0dHA6Ly;odHRwOi8v;aHR0cHM6Ly;h0dHBzOi8v</CommandLine>
+				<Image condition="excludes any">ie_to_edge_stub.exe;chrome.exe;firefox.exe;iexplore.exe;brave.exe;vivaldi.exe;msedge.exe;webex;teams.exe;goto opener.exe;lynx.exe;\Webex\webexAppLauncherLatest.exe;\WebEx\webexAppLauncher.exe;\WebEx\Applications\webexAppLauncher.exe;WebEx\webex.exe</Image>
+				<CommandLine condition="excludes any">wbx:;/SITE_TOKEN=;msteams:;PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSI</CommandLine>
+				<OriginalFileName condition="excludes any">msedgeupdate.dll</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=Double Base64 encoded executable,Risk=90" groupRelation="and">
+				<CommandLine condition="contains any">VFZvQUFBQ;RWb0FBQU;UVm9BQUFB;VFZxQUFBR;RWcUFBQU;UVnFBQUFF;VFZwUUFBS;RWcFFBQU;UVnBRQUFJ;VFZxUUFBT;RWcVFBQU;UVnFRQUFN;VFZwVEFRR;RWcFRBUU;UVnBUQVFF</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=base64 encoded powershell" groupRelation="and">
+				<Image condition="image">powershell.exe</Image>
+				<CommandLine condition="contains any">AAAAYInlM;OiCAAAAYInlM;OiJAAAAYInlM;RwBlAHQAL;WwBOAGUAdAAuAFM;W05ldC5TZXJ2aWNl</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=Cyrillic Letter obfuscation,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">Г;И;К;П;д;и;к;л;л;н;н;о;ф;ե;թ;յ;ն;ն;ն;ն;տ;ւ;ք</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
+			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
+			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=Certutil file transfer,Risk=100" groupRelation="and">
+				<Image condition="image">certutil.exe</Image>
+				<CommandLine condition="contains all">urlcache;split;f</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=Command Line file transfer,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">DownloadFile;DownloadString;Net.WebClient;System.Net.WebRequest;System.Net.SecurityProtocolType;Invoke-Expression;Invoke-WebRequest</CommandLine>
+				<Image condition="contains any">powershell.exe;cmd.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=BitsAdmin File Transfers,Risk=70" groupRelation="and">
+				<OriginalFileName condition="is">bitsadmin.exe</OriginalFileName>
+				<CommandLine condition="contains any">CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME</CommandLine>
+				<CommandLine condition="excludes all">util;setieproxy;localsystem;AUTODETECT</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=BitsAdmin File Transfers 2,Risk=70" groupRelation="and">
+				<Description condition="contains">BITS administration utility</Description>
+				<CommandLine condition="contains any">CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Tactic=Command And Control,Technique=Ingress Tool Transfer,DS=Process: Process Creation,Level=4,Alert=Linux Ingress transfer tools on Windows,Risk=30" groupRelation="and">
+				<Image condition="contains any">\curl.exe;\wget.exe;\www.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1105,Tactic=Command And Control,Technique=Ingress Tool Transfer,DS=Process: Process Creation,Level=4,Alert=Linux Ingress transfer tools on Windows,Risk=30" groupRelation="and">
+				<Image condition="contains any">\curl.exe;\wget.exe;\www.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Certutil file download 1,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">certutil</OriginalFileName>
+				<CommandLine condition="contains all">split;f</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Certutil file download 2,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">certutil</OriginalFileName>
+				<CommandLine condition="contains any">verifyctl;URL</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Potential Ingress Tool Transfer and tool usage within suspicious folders,Risk=100" groupRelation="and">
+				<CurrentDirectory condition="contains any">C:\Perflogs\;C:\Users\Public\;C:\root\</CurrentDirectory>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Potential Ingress Tool Transfer and tool usage within suspicious folders,Risk=100" groupRelation="and">
+				<Image condition="contains any">C:\Perflogs\;C:\Users\Public\;C:\root\</Image>
+			</Rule>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=BitsAdmin File Transfers,Risk=70" condition="image">start-bitstransfer</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand.exe \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" condition="contains">ieexec http</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" condition="contains">ieexec.exe http</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with Powercat,Risk=100" condition="contains">powercat</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" condition="contains any">esentutl /y \\;esentutl -y \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" condition="contains any">esentutl.exe /y \\;esentutl.exe -y \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" condition="contains">extrac32 \\</CommandLine>
+			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" condition="contains">extrac32.exe \\</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
+			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
+			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
+			<CommandLine name="Attack=T1090,Technique=Connection Proxy,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=NetSH PortProxy,Risk=70" condition="contains">portproxy</CommandLine>
+			<Image name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=Tor Detected,Risk=100" condition="image">tor.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
+			<Image name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Process: Process Creation,Level=0,Desc=Teamviewer Unattended Session" condition="image">TeamViewer_Desktop.exe</Image>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=PSExec Command,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains any">psexec</OriginalFileName>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
+
+			<!--MITRE ATT&CK TACTIC: Exfiltration-->
+			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Exfiltration,DS=Process: Process Creation,Level=0,Desc=SCP Data exfiltration detected,Risk=100" groupRelation="and">
+				<Image condition="contains any">winscp.exe;winscp.com;scp.exe;pscp</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
+			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,DS=Process: Process Creation,Level=0,Desc=Data exfiltration Tool detected 3,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">bitch.exe;bitch.bat;bitch_lasagna.exe;Admin Cracker.exe;BulletsPassView.exe;ChromePass.exe;Dialupass.exe;LSASecretsView.exe;OpenedFilesView.exe;OperaPassView.exe;PasswordFox.exe;ProduKey.exe;RouterPassView.exe;USBDeview.exe;USBStealer.exe;VNCPassView.exe;WebBrowserPassView.exe;WirelessKeyView.exe;WirelessKeyView.exe;empv.exe;netpass.exe;pspv.exe;usbdll.exe;rdpv.exe;WirelessKeyView.exe;lasagna.exe;all -vvv &gt;&gt;;rsync -r</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,DS=Process: Process Creation,Level=0,Desc=CredsLeaker exfiltration tool detected,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">CredsLeaker;Windows.Security.Credentials.UI.CredentialPicker;function Leaker;function Await</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,DS=Process: Process Creation,Level=0,Desc=merlin CnC exfiltration detected 4,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">.exe -url https://;dll,Run https://;Invoke-Merlin;-m SimpleHTTPServer;/m SimpleHTTPServer</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Process: Process Creation,Level=4,Alert=DNS Exfil detected,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">-q=txt;/q=txt</CommandLine>
+				<Image condition="image">nslookup.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1567.002,Technique=Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Process: Process Creation,Level=4,Alert=Rclone detected,Risk=100" groupRelation="or">
+				<OriginalFileName condition="contains any">rclone</OriginalFileName>
+				<Description condition="contains any">Rsync for cloud storage</Description>
+				<Product condition="contains any">rclone</Product>
+				<Company condition="contains any">rclone</Company>
+				<Image condition="contains any">\rclone</Image>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Process: Process Creation,Level=4,Alert=S3browser detected,Risk=100" groupRelation="or">
+				<OriginalFileName condition="contains any">s3browser</OriginalFileName>
+				<Description condition="contains any">s3browser</Description>
+				<Product condition="contains any">s3browser</Product>
+				<Image condition="contains any">s3browser</Image>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Process: Process Creation,Level=4,Alert=FTP exfiltration detected,Risk=100" groupRelation="or">
+				<CommandLine condition="contains any">add-ftp;.UploadFile(</CommandLine>
+				<Image condition="contains any">ftp.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1048,Tactic=Exfiltration,Technique=Exfiltration to Cloud Storage,DS=Process: Process Creation,Level=0,Desc=Webdav Share Mounted" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<CommandLine condition="contains all">davclnt.dll;DavSetCookie</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
+
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
+
+			<!--MITRE ATT&CK TACTIC: Impact-->
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Possible Ransomware Command Detected,Risk=100" groupRelation="and">
+				<Image condition="image">bcdedit.exe</Image>
+				<CommandLine condition="contains">safeboot</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Possible Ransomware Command Detected,Risk=100" groupRelation="and">
+				<Image condition="image">bootcfg.exe</Image>
+				<CommandLine condition="contains">safeboot</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Possible Ransomware Virtual Machine,Risk=60" groupRelation="and">
+				<CommandLine condition="contains any">-startvm;vrun.exe -vm</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with vssadmin Detected,Risk=100" groupRelation="and">
+				<Image condition="image">vssadmin.exe</Image>
+				<CommandLine condition="contains any">delete;resize</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wmic shadowcopy delete Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains all">shadowcopy;delete</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wbadmin.exe</OriginalFileName>
+				<CommandLine condition="contains all">SYSTEMSTATEBACKUP;delete</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wmic shadowstorage Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains">wmic shadowstorage SET MaxSpace=</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Destructive WMIC Commands Detected,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
+				<CommandLine condition="contains any">cleareventlog;call disable;nteventlog where filename</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Alert=Data Destruction with diskpart" groupRelation="and">
+				<OriginalFileName condition="contains">diskpart.exe</OriginalFileName>
+				<CommandLine condition="contains any">format;clean;delete;remove</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Alert=Data Destruction with manage-bde.exe" groupRelation="and">
+				<OriginalFileName condition="contains">manage-bde.exe</OriginalFileName>
+				<CommandLine condition="contains any">changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Alert=Data Destruction with manage-bde.wsf" groupRelation="and">
+				<CommandLine condition="contains">manage-bde.wsf</CommandLine>
+				<CommandLine condition="contains any">changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw</CommandLine>
+			</Rule>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=3,Alert=Data Destruction with format" condition="begin with">format </CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=3,Alert=Data Destruction with format" condition="begin with">format </CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" condition="contains">bootstatuspolicy ignoreallfailures</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" condition="contains">recoveryenabled No</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with get-wmiobject Detected,Risk=100" condition="contains">Win32_Shadowcopy</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with sdelete Detected,Risk=100" condition="contains">sdelete</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">delete catalog</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">wbadmin delete catalog</CommandLine>
+			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Desc=Data Destruction with erase Detected,Risk=100" condition="contains">erase</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=2,Alert=vShadow Commands" condition="contains">-nw -exec=</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=vShadow Commands" condition="contains">-p -nw</CommandLine>
+			<Image name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with shred Detected,Risk=100" condition="contains">shred</Image>
+			<ParentImage name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Diskshadow Execution,Risk=70" condition="contains">diskshadow</ParentImage>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=3,Alert=Command Line File Deletion,Risk=100" groupRelation="or">
+				<CommandLine condition="contains all"> del ; /f </CommandLine>
+				<CommandLine condition="contains all"> del ; -f </CommandLine>
+				<CommandLine condition="contains all"> rmdir ; /s ; /q </CommandLine>
+				<CommandLine condition="contains all"> rmdir ; -s ; -q </CommandLine>
+				<CommandLine condition="contains all"> rd ; /s ; /q </CommandLine>
+				<CommandLine condition="contains all"> rd ; -s ; -q </CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
+			<CommandLine name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=3,Alert=Potential Ransomware indicator" condition="contains">usn deletejournal</CommandLine>
+			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
+			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
+			<Rule name="Attack=T1107,Technique=File Deletion,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=FSUtil USN Journal Deletion,Risk=60" groupRelation="and">
+				<Image condition="image">fsutil.exe</Image>
+				<CommandLine condition="contains">deletejournal</CommandLine>
+				<CommandLine condition="contains">usn</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
+			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
+			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
+			<CommandLine name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Malicious Keywords from Exploitation Frameworks,Author=Florian Roth" condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
+			<!--Crypto Currency Miner Detections-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
+				<CommandLine condition="contains any">ahashpool;blazepool;blockmasters;blockmasterscoins;ccminer;cgminer;coinhive;hashrefinery;minergate;miningpoolhubcoins;nicehash;poolname;poolpassword;poolurl;rainbowminer;sgminer;stratum+tcp;xmrMiner;xmrig;yiimp;zergpool;zergpoolcoins;zpool</CommandLine>
+				<Description condition="contains any">CPU miner;GPU miner;Lime Miner;XMRig CPU miner; miner</Description>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Solarwinds/FireEye sunburst hashes,Risk=100" groupRelation="and">
+				<Hashes condition="contains any">b91ce2fa41029f6955bff20079468448;02af7cec58b9a5da1c542b5a32151ba1;2c4a910a1299cdae2a4e55988a2f102e;846e27a652a5e1bfbd0ddd38a16dc865;4f2eb62fa529c0283b28d05ddd311fae;56ceb6d0011d87b6e4d7023d7ef85676</Hashes>
+			</Rule>
+			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
+			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
+			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
+			<Hashes name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Generic APT Hash Detection,Risk=100" condition="contains any">4a069c1abe5aca148d5a8fdabc26751e;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;a4b42c2c95d1f2ff12171a01c86cd64f;98908ce6f80ecc48628c8d2bf5b2a50c;849a2b0dc80aeca3d175c139efe5221c;807d86da63f0db1fc746d1f0b05bc357;322cb39bc049aa69136925137906d855;86A4CAC227078B9C95C560C8F0370BF0;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;eac3e3ece94bc84e922ec077efb15edd;b4abe604916c04fe3dd8b9cb3d501d3f;88777aacd5f16599547926a4c9202862;128CECC59C91C0D0574BC1075FE7CB40;17a36ac3e31f3a18936552aff2c80249;0f49621b06f2cdaac8850c6e9581a594;3d129263f6a48647f103a04446fb0c2f;71345b139166482acaa568ac8816c7bc;1b60021baedc3f9201bcdb40e9b87f62;5E022694C0DBD1FBBC263D608E577949;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;37cd353621b0f4fc6981b50071c94f01;daf2da52475fd8981b19ec3c321a983c;afcdf79be1557326c854b6e20cb900a7;2f40abbb4f78e77745f0e657a19903fc953cc664;37b4496e650b3994312c838435013560b3ca8571;478dc5a5f934c62a9246f7d1fc275868f568bc07;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;0ac48cfa2ff8351365e99c1d26e082ad;0e9afd3a870906ebf34a0b66d8b07435;1aadf739782afcae6d1c3e4d1f315cbd;2a6f7ec77ab6bd4297e7b15ae06e2e61;3a771efb7ba2cd0df247ab570e1408b2;3d75c72144d873b3c1c4977fbafe9184;3dfebce4703f30eed713d795b90538b5;3ffd2915d285ad748202469d4a04e1f5;4e39620afca6f60bb30e031ddc5a4330;6cfd131fef548fcd60fbcdb59317df8e;7bcd736a2394fc49f3e27b3987cce640;7bfba2c69bed6b160261bdbf2b826401;7bfbd72441e1f2ed48fbc0f33be00f24;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;08e82dc7bae524884b7dc2134942aadb;8da15a97eaf69ff7ee184fc446f19cf1;9ad6fa6fdedb2df8055b3d30bd6f64f1;9c115e9a81d25f9d88e7aaa4313d9a8f;16ab79fb2fd92db0b1f38bedb2f02ed8;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;22d142f11cf2a30ea4953e1fffb0fa7e;36db24006e2b492cafb75f2663f241b2;51a7068640af42c3a7c1b94f1c11ab9d;69a19abf5ba56ee07cdd3425b07cf8bf;72dc98449b45a7f1ccdef27d51e31e91;77a745b07d9c453650dd7f683b02b3ed;80c37e062aa4c94697f287352acf2e9d;92f8e3f0f1f7cc49fad797a62a169acd;235d427f94630575a4ea4bff180ecf5d;320b2f1d9551b5d1df4fb19bd9ab253a;490a140093b5870a47edc29f33542fd2;520ee02668a1c7b7c262708e12b1ba6b;649ef1dd4a5411d3afcf108d57ff87af;684eca6b62d69ce899a3ec3bb04d0a5b;815f1f8a7bc1e6f94cb5c416e381a110;0969b2b399a8d4cd2d751824d0d842b4;2317d65da4639f4246de200650a70753;04078ef95a70a04e95bda06cc7bec3fa;8035a8a143765551ca7db4bc5efb5dfd;8403a28e0bffa9cc085e7b662d0d5412;9003cfaac523e94d5479dc6a10575e60;9793afcea43110610757bd3b800de517;27612cb03c89158225ca201721ea1aad;44619a88a6cff63523163c6a4cf375dd;061089d8cb0ca58e660ce2e433a689b3;81229c1e272218eeda14892fa8425883;84730a6e426fbd3cf6b821c59674c8a0;533340c54bd25256873b3dca34d7f74e;57314359df11ffdf476f809671ec0275;99828721ac1a0e32e4582c3f615d6e57;412956675fbc3f8c51f438c1abc100eb;5985087678414143d33ffc6e8863b887;a43d3b31575846fa4c3992b4143a06da;a571660c9cf1696a2f4689b2007a12c7;b4e67706103c3b8ee148394ebee3f268;b9c208ea8115232bfd9ec2c62f32d6b8;b9cf4301b7b186a75e82a04e87b30fe4;b72737b464e50aa3664321e8e001ff32;bfe3f6a79cad5b9c642bb56f8037c43b;c0e72eb4c9f897410c795c1b360090ef;c1e7850da5604e081b9647b58248d7e8;c3e255888211d74cc6e3fb66b69bbffb;cacaa3bf3b2801956318251db5e90f3c;cdb303f61a47720c7a8c5086e6b2a743;ce8ce92fb6565181572dce00d69c24f8;d8f1356bebda9e77f480a6a60eab36bb;d9e9f22988d43d73d79db6ee178d70a4;d5377dc1821c935302c065ad8432c0d2;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;f559c87b4a14a4be1bd84df6553aaf56;fc53f2cd780cd3a01a4299b8445f8511;ffc7305cb24c1955f9625e525d58aeee</Hashes>
+			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=4,Alert=Windows Credential Editor Detection,Risk=70" condition="contains any">e96a73c7bf33a464c510ede582318bf2;a53a02b997935fd8eedcb5f7abab9b9f</Hashes>
+			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Ransomware Hash Detection,Risk=100" condition="contains any">d326e629a90e78825645963b35e53a6a;c579341f86f7e962719c7113943bb6e4;dc5733c013378fa418d13773f5bfe6f1;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc7e564809d6c2a2f3457c3c9b91f22b;FE2CA1BE3BDA2A757036A89E54CC02DB;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b</Hashes>
+			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Ursniff Bank Malware,Risk=100" condition="contains">53841a0c6a3ff92976db08bfdf95e083</Hashes>
+			<!--UEBA Activities-->
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Zoom: passwordless meeting Start,Risk=30" groupRelation="and">
+				<CommandLine condition="contains">zoommtg</CommandLine>
+				<CommandLine condition="excludes">pwd=</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Zoom: Video and Audio Session Start" groupRelation="and">
+				<CommandLine condition="contains">zoommtg</CommandLine>
+				<CommandLine condition="contains">zc=0</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Zoom: Screen Share,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">zoommtg</CommandLine>
+				<CommandLine condition="contains">zc=1</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Microsoft Teams URL clicked" groupRelation="and">
+				<CommandLine condition="contains">msteams:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Webex URL clicked" groupRelation="and">
+				<CommandLine condition="contains">wbx:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Executed files within Downloads,Risk=30" groupRelation="and">
+				<Image condition="contains">C:\Users\</Image>
+				<Image condition="contains">\Downloads\</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Executed files on Desktop,Risk=10" groupRelation="and">
+				<Image condition="contains">C:\Users\</Image>
+				<Image condition="contains">\Desktop\</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Linux tools installed on windows,Risk=30" groupRelation="and">
+				<Image condition="contains any">\awk.exe;\sed.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Execution Locations,Risk=30" groupRelation="and">
+				<Image condition="contains any">C:\Users\Public\;$Recyclebin;\Desktop\;\Content.Outlook\</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Desc=Suspicious Execution extensions,Risk=30" groupRelation="and">
+				<Image condition="contains any">C:\Users\Public\;$Recyclebin;\Desktop\;\Content.Outlook\;\Downloads\</Image>
+				<CommandLine condition="contains any">.html;.hta;.iso;.js;.bat;.cmd;.cmdline;.vbs;.vb;.vbe;.reg;.com</CommandLine>
+			</Rule>
+			<CommandLine condition="contains">listena</CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=LOLBins" condition="contains any">-s -n -u -i:http:</CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=LOLBins" condition="contains any">/s /n /u /i:http:</CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">assoc </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">del </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">expand </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">md </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">move </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">rd </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">ren </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">set </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">setx </CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="contains any">bginfo.bgi /popup /nolicprompt;bginfo.bgi -popup -nolicprompt</CommandLine>
+			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="image">find.exe</CommandLine>
+			<CommandLine name="Attack=T1595,Technique=Hacking,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=FireEye/Fin6 Hacking tools" condition="contains">grabff</CommandLine>
+			<CommandLine name="Attack=T1595,Technique=Hacking,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=FireEye/Fin6 Hacking tools" condition="contains">routerscan</CommandLine>
+			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Hacking with python,Risk=70" condition="contains">pythonEngine.Execute</CommandLine>
+			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Hacking with session hijacking,Risk=100" condition="contains">sesshijack</CommandLine>
+			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=File Protocol Handler Execution" condition="contains">file://</CommandLine>
+			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=HTML APP Host" condition="end with">HTML Application host</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Manager Profile Installer" condition="end with">Manager Profile Installer</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Microsoft Application Virtualization Injector" condition="contains">Microsoft Application Virtualization Injector</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=App Compat Database installer" condition="contains">Application Compatibility Database Installer</Description>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="image">popd.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="image">pushd.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="image">subst.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=detect aliases" condition="image">doskey.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=detect cls in batch scripts" condition="image">cls.exe</Image>
+			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=UNC\Device Launches - Image begins with \,Risk=10" condition="begin with">\</Image> 
+			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=IIS Child Processes" condition="begin with">C:\Windows\system32\svchost.exe -k iissvcs</ParentCommandLine>
+			<ParentImage name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=UNC\Device Launches - Parent Image begins with \,Risk=10" condition="begin with">\</ParentImage> 
+			<ParentImage name="Attack=T1059,DS=Process: Process Creation,Level=0,Desc=Process Spawned from Acrobat" condition="image">acrobat.exe</ParentImage>
+			<ParentImage name="Attack=T1059,DS=Process: Process Creation,Level=0,Desc=Process Spawned from Adobe Reader" condition="image">acrord32.exe</ParentImage>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Process Spawned from JAVA" condition="image">java.exe</ParentImage>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Process Spawned from JAVA" condition="image">javaw.exe</ParentImage>
+			<!--Detection of Output Redirection-->
+			<!-- Disabled for now: Reason: Overrides other detections, waiting on Sysmon multiple rule firing
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Output Redirection" condition="contains">2></CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Output Redirection" condition="contains">&gt;</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Output Redirection" condition="contains">&lt;</CommandLine>
+			-->
+			<!--Detect Multiple Commands-->
+			<Rule  name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=SVCHost Processes" groupRelation="and">
+				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
+			</Rule>
+			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Permission Modifications with icacls or cacls" condition="image">cacls.exe</Image>
+			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Ownership Permission Modifications with takeown" condition="image">takeown.exe</Image>
+			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
+			<Rule  name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
+				<CommandLine condition="contains">\pipe\</CommandLine>
+				<CommandLine condition="excludes">&gt;</CommandLine>
+			</Rule>
+			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
+			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Execution from \\tsclient share" condition="contains">\\tsclient</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Processor ARCH command Line" condition="contains">%PROCESSOR_ARCHITECTURE%</CommandLine>
+			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=SysNative detected" condition="contains">sysnative</CommandLine>
+			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=AutoIT Application Detected" condition="contains">AutoIt</Description>
+			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Windows Filter loader" condition="contains">Microsoft Filter Loader</Description> 
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=interactive command to slow output" condition="is">more.com</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Acrobat Reader Launches" condition="image">acrord32.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Gpupdate Launched" condition="image">gpupdate.exe</Image>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
+			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=System Child Processes" condition="is">System</ParentImage>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Generic User Execution,Risk=0" groupRelation="and">
+				<ParentImage condition="image">explorer.exe</ParentImage>
+				<Image name="Allow other rules to fire" condition="excludes any">\regedit.exe;\cmd.exe;terminal;\powershell</Image>
+			</Rule>
+			<!-- Log other command line events, this sometimes conflicts with rules, add to exclusions as necessary-->
+			<!-- <ParentCommandLine name="Information=Uncategorized Events,DS=Process: Process Creation" condition="contains any">/;\;-;unknown;</ParentCommandLine>-->
+		</ProcessCreate>
+	</RuleGroup>
+	<RuleGroup name="RG=Process Create Exclude Group" groupRelation="or">
+		<ProcessCreate onmatch="exclude">
+			<Rule name="exclude werfault from wmi" groupRelation="and">
+				<Image condition="image">C:\Windows\System32\WerFault.exe</Image>
+				<ParentImage condition="image">C:\Windows\System32\wbem\WmiPrvSE.exe</ParentImage>
+			</Rule>
+		</ProcessCreate>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
+	<RuleGroup name="RG=FileCreateTime Include Group" groupRelation="or">
+		<FileCreateTime onmatch="include">
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion,DS=File: File Metadata" condition="begin with">C:\Users</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion,DS=File: File Metadata" condition="begin with">C:\ProgramData</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion,DS=File: File Metadata" condition="contains">\Temp\</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion,DS=File: File Metadata" condition="contains">\tmp\</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion,DS=File: File Metadata" condition="contains">\drivers\</Image>
+			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion,DS=File: File Metadata" condition="contains">\Download</Image>
+		</FileCreateTime>
+	</RuleGroup>
+	<RuleGroup name="RG=FileCreateTime Exclude Group" groupRelation="or">
+		<FileCreateTime onmatch="exclude">
+			<Image condition="image">C:\Windows\system32\backgroundTaskHost.exe</Image>
+			<Image condition="image">TrustedInstaller.exe</Image>
+			<Image condition="image">OneDrive.exe</Image>
+			<Image condition="image">vivaldi.exe</Image>
+			<Image condition="image">chrome.exe</Image>
+			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image>
+			<Image condition="contains">setup</Image>
+			<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image>
+			<Image condition="end with">\AppData\Local\Microsoft\Edge SxS\Application\msedge.exe</Image>
+		</FileCreateTime>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
+	<RuleGroup name="RG=NetworkConnect Include Group" groupRelation="or">
+		<NetworkConnect onmatch="include">
+			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
+			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Census Network Connection,Risk=40" condition="contains">census</DestinationHostname>
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=ResearchScan Network Connection,Risk=70" condition="contains">researchscan</DestinationHostname>
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Scanhub Network Connection,Risk=70" condition="contains">scanhub</DestinationHostname>
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Shadow Network Connection,Risk=50" condition="contains">shadow</DestinationHostname>
+			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Shodan Network Connection,Risk=50" condition="contains">shodan</DestinationHostname>
+			<Rule name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Exchange 0day Attackers from September 2022,Risk=100" groupRelation="or">
+				<DestinationIp condition="is any">137.184.67.33;206.188.196.77;125.212.220.48;5.180.61.17;47.242.39.92;61.244.94.85;86.48.6.69;86.48.12.64;94.140.8.48;94.140.8.113;103.9.76.208;103.9.76.211;104.244.79.6;112.118.48.186;122.155.174.188;125.212.241.134;185.220.101.182;194.150.167.88;212.119.34.11</DestinationIp>
+				<DestinationIp condition="begin with">137.184.67.</DestinationIp>
+				<DestinationHostname condition="is any">httpbin.org</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Advanced IP scanner Detected,Risk=90"  groupRelation="or">
+				<DestinationHostname condition="contains any">advanced-ip-scanner.com</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Kali Linux Distribution Download/Apt URL,Risk=90"  groupRelation="or">
+				<DestinationHostname condition="contains any">kali.download</DestinationHostname>
+			</Rule>
+			<DestinationHostname condition="contains">shodan</DestinationHostname>
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
+
+			<!--MITRE ATT&CK TACTIC: Resource Development-->
+			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
+
+			<!--MITRE ATT&CK TACTIC: Initial Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
+			
+			<!--MITRE ATT&CK TACTIC: Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
+			<Rule name="Attack=T1059,Technique=Visual Basic,Tactic=Execution,DS=Network Traffic: Network Connection Creation,Level=4,Alert=WSCRIPT Network connection,Risk=80" groupRelation="and">
+				<Image condition="image">wscript.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
+			<!--MITRE ATT&CK TECHNIQUE: Native API-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<Image name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,DS=Network Traffic: Network Connection Creation,Level=4,Alert=AT.EXE Task Scheduler Network Connection,Risk=30" condition="image">at.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,DS=Network Traffic: Network Connection Creation,Level=4,Alert=SCHTasks.exe Task Scheduler Network Connection,Risk=30" condition="image">schtasks.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: System Services-->
+			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
+
+			<!--MITRE ATT&CK TACTIC: Persistence-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
+			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
+
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
+			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Temp file location network connection,Risk=30" groupRelation="and">
+				<Image condition="contains">\temp\</Image>
+				<DestinationIp condition="excludes any">127.0.0.1</DestinationIp>		
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from wwwroot folder: Possible webshell,Risk=100" groupRelation="and">
+				<Image condition="contains">\wwwroot\</Image>
+			</Rule>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from Windows\repair Folder,Risk=70" condition="begin with">C:\Windows\repair\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from htdocs folder,Risk=70" condition="contains">\htdocs\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from systemprofile Folder,Risk=30" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from Intel logs,Risk=100" condition="begin with">C:\Intel\Logs\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from Windows\Addins Folder,Risk=70" condition="begin with">C:\Windows\addins\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from Windows\security Folder,Risk=100" condition="begin with">C:\Windows\security\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from windows help folder,Risk=70" condition="begin with">C:\Windows\Help\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Suspicious network connection from Recycle bin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection in Windows Debug folder,Risk=100" condition="begin with">C:\Windows\Debug\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection in Windows Font folder,Risk=100" condition="begin with">C:\Windows\Fonts\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Perflogs unusual network connection,Risk=70" condition="begin with">C:\PerfLogs\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Unusual network connection from Recycle bin,Risk=100" condition="contains">:\$Recycle.bin\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network Connection from Default User folder,Risk=30" condition="contains">:\Users\Default\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network Connection from NetworkService User folder,Risk=30" condition="begin with">C:\Users\NetworkService\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network connection from Public User folder,Risk=30" condition="begin with">C:\Users\Public\</Image>
+			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network connection within Media Folder,Risk=30" condition="begin with">C:\Windows\Media\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Input Method Network Connection" condition="contains">\Windows\IME\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Programdata Network Connection" condition="begin with">C:\ProgramData</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
+			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
+			<Rule name="Attack=T1027.004,Tactic=Defense Evasion,Technique=Compile After Delivery,DS=Network Traffic: Network Connection Creation,Level=4,Alert=CSC Network Conections" groupRelation="and">
+				<Image condition="image">CSC.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
+			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
+			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
+			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
+			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=infDefaultInstall Network Connection" condition="image">infDefaultInstall.exe</Image>
+			<Image name="Attack=T1218,Technique=Control Panel,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Control Panel network connection" condition="image">SyncAppvPublishingServer.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Installutil-->
+			<Image name="Attack=T1218.004,Technique=InstallUtil,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=InstallUtil network connection" condition="image">InstallUtil.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Msiexec-->
+			<Image name="Attack=T1218.007,Technique=MSIExec,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=MSIExec Network connection,Risk=70" condition="image">msiexec.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvcs/regasm-->
+			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Network Traffic: Network Connection Creation,Level=4,Alert=RegAsm shellcode C2 connection" groupRelation="and">
+				<Image condition="contains any">regasm.exe;regsvcs.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Mavinject-->
+			<Image name="Attack=T1218.013,Technique=Signed Binary Proxy Execution: Mavinject,Tactic=Execution,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Mavinject detected,Risk=80" condition="image">Mavinject.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
+			<Rule name="Attack=T1127,Tactic=Defense Evasion,Technique=Signed Binary Proxy Execution,DS=Network Traffic: Network Connection Creation,Level=4,Alert=MSBuild Network Conections" groupRelation="and">
+				<Image condition="image">msbuild.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
+			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
+
+			<!--MITRE ATT&CK TACTIC: Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
+			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
+			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
+			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
+
+			<!--MITRE ATT&CK TACTIC: Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
+			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
+			<Image name="Attack=T1482,Technique=Domain Trust Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DSQuery network connection" condition="image">dsquery.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
+			<Image name="Attack=T1518,Technique=Software Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DriverQuery Network Connection" condition="image">driverquery.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
+			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=4,Alert=NBTSTAT Query,Risk=30" condition="image">nbtstat.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
+			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net.exe</Image>
+			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net1.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
+			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=2,Alert=QWinsta User enumeration,Risk=30" condition="image">qwinsta.exe</Image>
+			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=3,Alert=RWinsta Forced User Logoff,Risk=30" condition="image">rwinsta.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+
+			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
+			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Suspicious RDP Connection 3389,Risk=70" groupRelation="and">
+				<Initiated>true</Initiated>
+				<DestinationPort condition="is">3389</DestinationPort>
+				<Image condition="excludes">AutomationManager.ScriptRunner64.exe</Image>
+				<Image condition="excludes">C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe</Image>
+				<Image condition="excludes">C:\Program Files\VMware\VMware Remote Console\vmrc.exe</Image>
+				<Image condition="excludes">C:\Program Files\WindowsApps\Microsoft.RemoteDesktop_</Image>
+				<Image condition="excludes">CtxLicUsageRecorder.exe</Image>
+				<Image condition="excludes">FSAssessment.exe</Image>
+				<Image condition="excludes">FSDiscovery.exe</Image>
+				<Image condition="excludes">MobaRTE.exe</Image>
+				<Image condition="excludes">RDCMan.exe</Image>
+				<Image condition="excludes">RSSensor.exe</Image>
+				<Image condition="excludes">RTS2App.exe</Image>
+				<Image condition="excludes">RTSApp.exe</Image>
+				<Image condition="excludes">RemoteDesktopManager64.exe</Image>
+				<Image condition="excludes">RemoteDesktopManager.exe</Image>
+				<Image condition="excludes">RemoteDesktopManagerFree.exe</Image>
+				<Image condition="excludes">Terminals.exe</Image>
+				<Image condition="excludes">chrome.exe</Image>
+				<Image condition="excludes">mRemote.exe</Image>
+				<Image condition="excludes">mRemoteNG.exe</Image>
+				<Image condition="excludes">mstsc.exe</Image>
+				<Image condition="excludes">spiceworks-finder.exe</Image>
+				<Image condition="excludes">svchost.exe</Image>
+				<Image condition="excludes">thor64.exe</Image>
+				<Image condition="excludes">thor.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Suspicious RDP Connection 3391,Risk=70" groupRelation="and">
+				<Initiated>true</Initiated>
+				<DestinationPort condition="is">3391</DestinationPort>
+				<Image condition="excludes">AutomationManager.ScriptRunner64.exe</Image>
+				<Image condition="excludes">C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe</Image>
+				<Image condition="excludes">C:\Program Files\VMware\VMware Remote Console\vmrc.exe</Image>
+				<Image condition="excludes">C:\Program Files\WindowsApps\Microsoft.RemoteDesktop_</Image>
+				<Image condition="excludes">CtxLicUsageRecorder.exe</Image>
+				<Image condition="excludes">FSAssessment.exe</Image>
+				<Image condition="excludes">FSDiscovery.exe</Image>
+				<Image condition="excludes">MobaRTE.exe</Image>
+				<Image condition="excludes">RDCMan.exe</Image>
+				<Image condition="excludes">RSSensor.exe</Image>
+				<Image condition="excludes">RTS2App.exe</Image>
+				<Image condition="excludes">RTSApp.exe</Image>
+				<Image condition="excludes">RemoteDesktopManager64.exe</Image>
+				<Image condition="excludes">RemoteDesktopManager.exe</Image>
+				<Image condition="excludes">RemoteDesktopManagerFree.exe</Image>
+				<Image condition="excludes">Terminals.exe</Image>
+				<Image condition="excludes">chrome.exe</Image>
+				<Image condition="excludes">mRemote.exe</Image>
+				<Image condition="excludes">mRemoteNG.exe</Image>
+				<Image condition="excludes">mstsc.exe</Image>
+				<Image condition="excludes">spiceworks-finder.exe</Image>
+				<Image condition="excludes">svchost.exe</Image>
+				<Image condition="excludes">thor64.exe</Image>
+				<Image condition="excludes">thor.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Localhost RDP Tunneling Detection,Risk=70" groupRelation="and">
+				<Initiated>true</Initiated>
+				<DestinationPort condition="is">3389</DestinationPort>
+				<DestinationIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</DestinationIp>
+			</Rule>
+			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Link-Local RDP Tunnel Detection,Risk=70" groupRelation="and">
+				<Initiated>true</Initiated>
+				<DestinationPort condition="is">3389</DestinationPort>
+				<DestinationIp condition="begin with">fe80:0</DestinationIp>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=SSH Connection with Putty,Risk=80" groupRelation="and">
+				<Image condition="contains any">putty.exe;kitty.exe;kitty_portable.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Windows Remote Management connection,Risk=0" groupRelation="and">
+				<Image condition="image">wsmprovhost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=PSFTP Connection,Risk=70" groupRelation="and">
+				<Image condition="image">psftp.exe</Image>
+			</Rule>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote Registry via command line,Risk=30" condition="image">reg.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote Registry via command line,Risk=80" condition="contains">psshutdown</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote password change with PSPasswd,Risk=80" condition="contains">PsPasswd</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote querying of services,Risk=80" condition="contains">psservice</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=SSH Connection with ssh.exe,Risk=30" condition="image">ssh.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Sysinternals PSEXE Tools,Risk=100" condition="contains">psexe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=TSFTP Connection,Risk=70" condition="image">tftp.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Telnet Connection,Risk=30" condition="image">telnet.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=MSTSC Remote Desktop Connection" condition="image">mstsc.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Remote WMIC commands,Risk=30" condition="image">wmic.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=SC.exe Network Connection" condition="image">sc.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Sysinternals PSKILL Tools,Risk=80" condition="contains">pskill</Image>
+			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DSQuery network connection" condition="image">dsquery.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Automated SSH Connection with Putty PLink,Risk=30" condition="image">plink.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=VNC" condition="image">vnc.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=VNC Viewer" condition="image">vncviewer.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=VNC Service" condition="image">vncservice.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation" condition="image">omniinet.exe</Image>
+			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation" condition="image">hpsmhd.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+
+			<!--MITRE ATT&CK TACTIC: Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
+			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
+			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
+
+			<!--MITRE ATT&CK TACTIC: Command and Control-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Cobalt Strike Team Server port,Risk=70" groupRelation="and">
+				<DestinationPort condition="is">50050</DestinationPort>
+				<Initiated>true</Initiated>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Outbound SMTP Email Sending,Risk=10" groupRelation="and">
+				<DestinationPort condition="is">25</DestinationPort>
+				<Image condition="excludes any">\Bin\EdgeTransport.exe;Bin\MSExchangeFrontendTransport.exe</Image>
+				<Initiated>true</Initiated>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
+			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
+			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
+			<Rule name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Powershell Network Connection,Risk=30" groupRelation="and">
+				<Image condition="image">powershell.exe</Image>
+				<DestinationIp condition="excludes any">0:0:0:0:0:0:0:;127.0.0.1</DestinationIp>
+			</Rule>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=MSHTA Network Connection,Risk=100" condition="image">mshta.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=CMD Prompt network Connection,Risk=20" condition="image">cmd.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Certutil Connecting to network,Risk=20" condition="image">certutil.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Bitsadmin Connecting to network,Risk=20" condition="image">certutil.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Notepad Network Connection" condition="image">notepad.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=RegSVCS Network Connection,Risk=30" condition="image">regsvcs.exe</Image>
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=RegSVR32 Network Connection,Risk=30" condition="image">regsvr32.exe</Image> 
+			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=RunDLL32 Network Connection,Risk=30" condition="image">rundll32.exe</Image>
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
+			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
+			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
+			<!--MITRE ATT&CK TECHNIQUE: Proxy: Multi-hop Proxy-->
+			<Image name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Tor Connection" condition="image">tor.exe</Image>
+			<DestinationHostname name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Tor2Web,Risk=100" condition="contains any">hiddenservice.net;onion.city;onion.direct;onion.direct;onion.link;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org;onion.to</DestinationHostname>
+			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
+
+			<!--MITRE ATT&CK TACTIC: Exfiltration-->
+			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
+			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DNS Over HTTPS" condition="contains any">dns.google;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;doh.opendns.com;.quad9.net;dns.cleanbrowsing.org;dns-family.adguard.com;dns.adguard.com;.233py.com;dnscrypt;dnscrypt-cert.oszx.co;dns.oszx.co;doh.dns.sb;doh.defaultroutes.de;doh.tiarap.org;doh.tiar.app;doh.captnemo.in;.aaflalo.me;doh.appliedprivacy.net;doh.dnswarden.com;commons.host;dns.twnic.tw;ibuki.cgnat.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;.seby.io;rdns.faelix.net;doh.li;.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk;adblock.mydns.network;ibksturm.synology.me;jcdns.fun</DestinationHostname>
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
+			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Desc=privatlab.com Cloud Exfiltration" condition="contains all">privatlab.com</DestinationHostname>
+			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Mega.co.nz Cloud Exfiltration" condition="contains any">mega.nz;mega.co.nz</DestinationHostname>
+			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=3,Alert=PCloud Cloud storage Exfiltration" condition="contains any">.pcloud.com</DestinationHostname>
+			<!--MITRE ATT&CK TACTIC: Impact-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
+			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
+			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
+			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
+			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
+			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
+			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
+			<!--UEBA Rules-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Inbound Windows SVCHost Network Connection" groupRelation="and">
+				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
+				<DestinationPort condition="is not">3389</DestinationPort>
+				<DestinationPort condition="is not">22</DestinationPort>
+				<DestinationPort condition="is not">21</DestinationPort>
+				<DestinationPort condition="is not">5985</DestinationPort>
+				<Initiated>false</Initiated>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Outbound Windows SVCHost Network Connection" groupRelation="and">
+				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
+				<Initiated>true</Initiated>
+				<SourcePort condition="is not">135</SourcePort>
+				<SourcePort condition="is not">445</SourcePort>
+				<DestinationPort condition="is not">5985</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Outbound Non-System port 445 SMB connections" groupRelation="and">
+				<Image condition="is not">System</Image>
+				<Image condition="excludes">svchost.exe</Image>
+				<DestinationPort condition="is">445</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Outbound Non-System port 389 LDAP connections" groupRelation="and">
+				<Image condition="is not">System</Image>
+				<Image condition="excludes any">svchost.exe;lsass.exe</Image>
+				<DestinationPort condition="is">389</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Inbound LDAP Connections" groupRelation="and">
+				<Image condition="image">C:\Windows\System32\lsass.exe</Image>
+				<DestinationPort condition="is">389</DestinationPort>
+				<DestinationIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</DestinationIp>
+				<SourceHostname condition="excludes any">EXCH</SourceHostname>
+				<SourceIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</SourceIp>
+				<Initiated>false</Initiated>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Notepad connecting to the internet" groupRelation="and">
+				<Image condition="image">notepad.exe</Image>
+				<DestinationIp condition="excludes">127.0.0.1</DestinationIp>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Browsers accessing non-standard ports" groupRelation="and">
+				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe</Image>
+				<DestinationPort condition="is not">80</DestinationPort>
+				<DestinationPort condition="is not">443</DestinationPort>
+				<Initiated>true</Initiated>
+			</Rule>
+			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Connection to Github,Risk=30" condition="contains">github</DestinationHostname> 
+			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Connection to Github,Risk=30" condition="contains">githubusercontent.com</DestinationHostname>
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Alert=Dropbox Cloud Exfiltration" groupRelation="and">
+				<DestinationHostname condition="end with">dropboxapi.com</DestinationHostname>
+				<Image condition="excludes any">\Dropbox\Client\Dropbox.exe;\Dropbox\bin\Dropbox.exe;\Oracle\Java\</Image>
+			</Rule>
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Alert=OneDrive Cloud Exfiltration" groupRelation="and">
+				<DestinationHostname condition="contains">1drv</DestinationHostname>
+				<!--We're looking for alternative Programs accessing Onedrive, If Onedrive is not allowed, uncomment onedrive exe exclusions-->
+				<Image condition="excludes any">C:\Program Files\Microsoft OneDrive\OneDrive.exe;\AppData\Local\Microsoft\OneDrive\OneDrive.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;\Internet Explorer\iexplore.exe;C:\Windows\System32\AppHostRegistrationVerifier.exe;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe;C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe;C:\Program Files\Mozilla Firefox\firefox.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Alert=Box.com Cloud Exfiltration" groupRelation="and">
+				<DestinationHostname condition="contains all">.box.com;upload</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Mega.co.nz Cloud Exfiltration" groupRelation="and">
+				<DestinationHostname condition="contains any">mega.nz;mega.co.nz</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Privatlab Cloud Exfiltration" groupRelation="and">
+				<DestinationHostname condition="contains any">privatlab.com</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Social Networking" groupRelation="or">
+				<DestinationHostname condition="contains any">tiktok;parler.com;gab.com;mewe.com;4chan;8chan;facebook;fbcdn;twitter;instagram;snapchat</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Internet Relay Chat,Risk=70" groupRelation="or">
+				<DestinationHostname condition="contains any">efnet;undernet;freenode;ircnet;.rizon;quakenet;oftc.net;dalnet</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Internet Chat,Risk=20" groupRelation="and">
+				<DestinationHostname condition="contains any">.slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Apache Webserver" groupRelation="and">
+				<Image condition="image">apache.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=JAVA Network Connections" groupRelation="and">
+				<Image condition="image">java.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Microsoft IIS Webserver" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=PHP Webserver" groupRelation="and">
+				<Image condition="contains any">\php-cgi.exe;\php.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Setup Network connectivity" groupRelation="and">
+				<Image condition="contains">setup</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Tomcat Webserver connectivity" groupRelation="and">
+				<Image condition="contains">tomcat</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Uninstaller Network connectivity" groupRelation="and">
+				<Image condition="contains">unins</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Unknown Process Connecting to network" groupRelation="and">
+				<Image condition="contains">unknown process</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Windows Explorer Network Connection" groupRelation="and">
+				<Image condition="image">explorer.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Windows SMTP Server" groupRelation="and">
+				<Image condition="image">inetinfo.exe</Image>
+			</Rule>
+			<!--3rd Party tools-->
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Netcat network connection Detected" condition="contains any">netcat.exe;nc.exe;nc64.exe;ncat.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Procdump Detected" condition="contains any">procdump</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=PSExec Network Connection" condition="contains any">psexe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC Network Connection" condition="contains any">vnc;vncs;vncv</Image>
+			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
+				<Image condition="contains any">rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe;advanced_port_scanner.exe;rcpping.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe</Image>
+			</Rule>
+			<!--Destination Ports to Monitor-->
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Port: 0" condition="is">0</DestinationPort>
+			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5985</DestinationPort>
+			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5986</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=IPSec" condition="is">1293</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=L2TP" condition="is">1701</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=OpenVPN,Risk=39" condition="is">1194</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Remote Assistance Connection,Risk=20" condition="is">3540</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Remote Desktop Connection,Risk=20" condition="is">3389</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=SSH Port,Risk=30" condition="is">22</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Socks Proxy Port 1080" condition="is">1080</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Socks Proxy Port 3128" condition="is">3128</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Socks Proxy Port 8080" condition="is">8080</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=TOR Port" condition="is">1723</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Telnet Port,Risk=30" condition="is">23</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Tor Port" condition="is">4500</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Tor Port,Risk=50" condition="is">9001</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Tor Port,Risk=50" condition="is">9030</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC Port" condition="is">5900</DestinationPort>
+			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC,Risk=50" condition="is">5800</DestinationPort>
+			<!--Source Ports to Monitor-->
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Port: 0" condition="is">0</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTP" condition="is">80</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTPS" condition="is">443</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=LDAPS" condition="is">636</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC" condition="is">5900</SourcePort>
+			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTPS" condition="is">443</SourcePort>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Web Browser HTTP Connections" groupRelation="and">
+				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe</Image>
+				<DestinationPort condition="is">80</DestinationPort>
+				<Initiated>true</Initiated>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Non-Browsers Accessing HTTPS" groupRelation="and">
+				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
+				<DestinationPortName condition="is">https</DestinationPortName>
+				<Initiated>true</Initiated>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Non-Browsers Accessing HTTP" groupRelation="and">
+				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
+				<DestinationPortName condition="is">http</DestinationPortName>
+				<Initiated>true</Initiated>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Web Browser HTTPS Connections" groupRelation="and">
+				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe</Image>
+				<DestinationPort condition="is">443</DestinationPort>
+				<Initiated>true</Initiated>
+			</Rule>
+			<!--Suspicious network connections-->
+			<DestinationHostname name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Dynamic DNS Connection" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</DestinationHostname>
+		</NetworkConnect>
+	</RuleGroup>
+	<RuleGroup name="RG=NetworkConnect Exclude Group" groupRelation="or">
+		<NetworkConnect onmatch="exclude">
+			<Protocol condition="contains">udp</Protocol>
+			<Rule name="exclude interprocess communications with localhost" groupRelation="and">
+				<Image condition="contains any">System;svchost.exe;oracle.exe;apache.exe;java.exe;php-cgi.exe;w3wp.exe;httpd;ServerManager.exe;unknown process;sql;wscript;cscript;schtasks;at.exe;reg.exe;C:\Windows\System32\find.exe</Image>
+				<SourceIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</SourceIp>
+				<DestinationIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</DestinationIp>
+			</Rule>
+			<!--SECTION: Custom -->
+			<Rule name="exclude dest ldap port 88" groupRelation="and">
+				<Image condition="image">C:\Windows\System32\lsass.exe</Image>
+				<DestinationPort condition="is">88</DestinationPort>
+			</Rule>
+			<!--Disable Monitoring of Protocols-->
+			<DestinationPortName condition="is">epmap</DestinationPortName>
+			<DestinationPortName condition="is">llmnr</DestinationPortName>
+			<DestinationPortName condition="is">microsoft-ds</DestinationPortName>
+			<DestinationPortName condition="is">netbios-dgm</DestinationPortName>
+			<DestinationPortName condition="is">ntp</DestinationPortName>
+			<DestinationPortName condition="is">ssdp</DestinationPortName>
+			<SourcePortName condition="is">epmap</SourcePortName>
+			<SourcePortName condition="is">llmnr</SourcePortName>
+			<SourcePortName condition="is">microsoft-ds</SourcePortName>
+			<SourcePortName condition="is">netbios-dgm</SourcePortName>
+			<SourcePortName condition="is">ntp</SourcePortName>
+			<SourcePortName condition="is">ssdp</SourcePortName>
+			<!--Disable Monitoring on Ports-->
+			<DestinationPort name="Service=DNS" condition="is">53</DestinationPort>
+			<DestinationPort name="Service=DNS" condition="is">67</DestinationPort>
+			<DestinationPort name="Service=Bootp" condition="is">68</DestinationPort>
+			<DestinationPort name="Service=SQL Noise" condition="is">1434</DestinationPort>
+			<DestinationPort name="Service=Radius" condition="is">1812</DestinationPort>
+			<DestinationPort name="Service=Teredo" condition="is">3544</DestinationPort>
+			<DestinationPort name="Service=WS-Discovery" condition="is">3702</DestinationPort>
+			<DestinationPort name="Service=Google Chrome Safe Search" condition="is">5228</DestinationPort>
+			<DestinationPort name="Service=Bonjour/Avahi" condition="is">5353</DestinationPort>
+			<DestinationPort name="Service=WSD API" condition="is">5357</DestinationPort>
+			<DestinationPort name="Service=Vcenter Secure server for CIM" condition="is">5989</DestinationPort>
+			<DestinationPort name="Service=Exchange WMI" condition="is">6007</DestinationPort>
+			<DestinationPort name="Service=DFRS/ADFS Replication 1" condition="is">49154</DestinationPort>
+			<DestinationPort name="Service=DFRS/ADFS Replication 2" condition="is">49209</DestinationPort>
+			<DestinationPort name="Service=DFRS/ADFS Replication 3" condition="is">52176</DestinationPort>
+			<DestinationPort name="Service=DFRS/ADFS Replication 4" condition="is">59241</DestinationPort>
+			<SourcePort name="Service=DNS" condition="is">53</SourcePort>
+			<SourcePort name="Service=Bootp" condition="is">67</SourcePort>
+			<SourcePort name="Service=Bootp" condition="is">68</SourcePort>
+			<SourcePort name="Service=Radius" condition="is">1812</SourcePort>
+			<SourcePort name="Service=WS-Discovery" condition="is">3702</SourcePort>
+			<SourcePort name="Service=Exchange WMI" condition="is">6007</SourcePort>
+			<SourcePort name="Service=DFRS/ADFS Replication" condition="is">49154</SourcePort>
+			<SourcePort name="Service=DFRS/ADFS Replication" condition="is">49209</SourcePort>
+			<SourcePort name="Service=DFRS/ADFS Replication" condition="is">50646</SourcePort>
+			<SourcePort name="Service=DFRS/ADFS Replication" condition="is">52176</SourcePort>
+			<SourcePort name="Service=DFRS/ADFS Replication" condition="is">59241</SourcePort>
+			<!--SECTION: Microsoft -->
+			<DestinationHostname condition="end with">.bing.com</DestinationHostname>
+			<DestinationHostname condition="end with">.cloudapp.net</DestinationHostname>
+			<DestinationHostname condition="end with">.lync.com</DestinationHostname>
+			<DestinationHostname condition="end with">.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">.outlook.com</DestinationHostname>
+			<DestinationHostname condition="end with">.search.msn.com</DestinationHostname>
+			<DestinationHostname condition="end with">.wns.windows.com</DestinationHostname>
+			<DestinationHostname condition="end with">aps.windows.com</DestinationHostname>
+			<DestinationHostname condition="end with">arc.msn.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">arc.msn.com</DestinationHostname>
+			<DestinationHostname condition="end with">atson.telemetry.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">au.download.windowsupdate.com</DestinationHostname>
+			<DestinationHostname condition="end with">b.akamaiedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">bingforbusiness.com</DestinationHostname>
+			<DestinationHostname condition="end with">client-office365-tas.msedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">config.edge.skype.com</DestinationHostname>
+			<DestinationHostname condition="end with">csp.digicert.com</DestinationHostname>
+			<DestinationHostname condition="end with">ctldl.windowsupdate.com</DestinationHostname>
+			<DestinationHostname condition="end with">cy2.licensing.md.mp.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">cy2.settings.data.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">displaycatalog.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">download.windowsupdate.com</DestinationHostname>
+			<DestinationHostname condition="end with">e-msedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">e3.delivery.dsp.mp.microsoft.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">emdl.ws.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">ettings-win.data.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">fe2.update.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">fe3.delivery.dsp.mp.microsoft.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">fe3.delivery.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">g.akamaiedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">g.live.com</DestinationHostname>
+			<DestinationHostname condition="end with">g.msn.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">geo-prod.do.dsp.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">geo-prod.dodsp.mp.microsoft.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">ile-service.weather.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">ip5.afdorigin-prod-am02.afdogw.com</DestinationHostname>
+			<DestinationHostname condition="end with">ipv4.login.msa.akadns6.net</DestinationHostname>
+			<DestinationHostname condition="end with">licensing.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">m3p.wns.notify.windows.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">modern.watson.data.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">msedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">msn.com.nsatc.net</DestinationHostname>
+			<DestinationHostname condition="end with">msn.com</DestinationHostname>
+			<DestinationHostname condition="end with">ocation-inference-westus.cloudapp.net</DestinationHostname>
+			<DestinationHostname condition="end with">ocos-office365-s2s.msedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">ocsp.digicert.com</DestinationHostname>
+			<DestinationHostname condition="end with">odern.watson.data.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">oneclient.sfx.ms</DestinationHostname>
+			<DestinationHostname condition="end with">pv4.login.msa.akadns6.net</DestinationHostname>
+			<DestinationHostname condition="end with">query.prod.cms.rt.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">ris.api.iris.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">ris.api.iris.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">s-msedge.net</DestinationHostname>
+			<DestinationHostname condition="end with">settings.data.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">sfe.trafficshaping.dsp.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">sls.update.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">storecatalogrevocation.storequality.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">storeedgefd.dsx.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">telecommand.telemetry.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">tile-service.weather.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">tlu.dl.delivery.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">tsfe.trafficshaping.dsp.mp.microsoft.com</DestinationHostname>
+			<DestinationHostname condition="end with">vip5.afdorigin-prod-am02.afdogw.com</DestinationHostname>
+			<DestinationHostname condition="end with">vip5.afdorigin-prod-ch02.afdogw.com</DestinationHostname>
+			<DestinationHostname condition="end with">virtualearth.net</DestinationHostname>
+			<DestinationHostname condition="end with">windows.net</DestinationHostname>
+			<DestinationHostname condition="end with">windowsupdate.com</DestinationHostname>
+			<DestinationHostname condition="end with">y2.displaycatalog.md.mp.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">y2.licensing.md.mp.microsoft.com.akadns.net</DestinationHostname>
+			<DestinationHostname condition="end with">y2.settings.data.microsoft.com.akadns.net</DestinationHostname>
+			<Image condition="image">EdgeTransport.exe</Image>
+			<Image condition="image">MSExchangeDelivery.exe</Image>
+			<Image condition="image">MSExchangeFrontendTransport.exe</Image>
+			<Image condition="image">MSExchangeHMWorker.exe</Image>
+			<Image condition="image">MSExchangeSubmission.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=UNC Path Network Connections" condition="begin with">\</Image>
+			<!--SECTION: Antivirus Exclusions -->
+			<Rule name="Antivirus Exclusions" groupRelation="or">
+				<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab</Image> 
+				<Image condition="begin with">C:\Program Files\Kaspersky Lab</Image>
+				<Image condition="begin with">C:\Program Files (x86)\ESET</Image>
+				<Image condition="begin with">C:\Program Files\ESET</Image>
+			</Rule>
+		</NetworkConnect>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->
+
+		<!--DATA: UtcTime, State, Version, SchemaVersion-->
+		<!--Cannot be filtered.-->
+
+	<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
+		<!--COMMENT:	Useful data in building infection timelines.-->
+		<RuleGroup name="RG=ProcessTerminate Include Group" groupRelation="or">
+		<ProcessTerminate onmatch="include">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in Windows Directory" groupRelation="and">
+				<Image condition="begin with">C:\Windows\</Image>
+				<Image condition="excludes">\System32\;Syswow64;sysmon.exe;sysmon64.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in System32" groupRelation="and">
+				<Image condition="begin with">C:\Windows\system32\</Image>
+				<Image condition="excludes">config\systemprofile\</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination of Sysmon" groupRelation="and">
+				<Image condition="contains any">C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in Root folders" groupRelation="and">
+				<Image condition="contains any">A:\;B:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;L:\;M:\;N:\;O:\;P:\;Q:\;R:\;S:\;T:\;U:\;V:\;W:\;X:\;Y:\;Z:\;AA:\;BB:\;CC:\;DD:\;EE:\;FF:\;GG:\;HH:\;II:\;JJ:\;KK:\;LL:\;MM:\;NN:\;OO:\;PP:\;QQ:\;RR:\;SS:\;TT:\;UU:\;VV:\;WW:\;XX:\;YY;ZZ:\</Image>
+				<Image condition="excludes">:\PROGRA~</Image>
+				<Image condition="excludes">:\Program Files</Image>
+				<Image condition="excludes">:\Program Files</Image>
+				<Image condition="excludes">:\Program Files</Image>
+				<Image condition="excludes">:\ProgramData\</Image>
+				<Image condition="excludes">:\Users\</Image>
+				<Image condition="excludes">:\Windows\</Image>
+				<Image condition="excludes">:\inetpub\</Image>
+				<Image condition="excludes">:\$SysReset</Image>
+				<Image condition="excludes">:\$WinREAgent</Image>
+				<Image condition="excludes">:\inetpub\</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events of UNC File Paths" groupRelation="and">
+				<Image condition="begin with">\</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in Users Directory" groupRelation="and">
+				<Image condition="begin with">C:\Users\</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in ProgramData Directory" groupRelation="and">
+				<Image condition="begin with">C:\ProgramData\</Image>
+				<Image condition="excludes any">C:\ProgramData\sysmon\sysmon64.exe;C:\ProgramData\sysmon\sysmon.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in Program Files Directories" groupRelation="and">
+				<Image condition="contains any">C:\Program Files;C:\PROGRA~</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in inetpub Directories" groupRelation="and">
+				<Image condition="begin with">C:\inetpub\</Image>
+			</Rule>
+		<!-- Useful data in building infection timelines.-->
+			<Image name="Attack=T1036,Tactic=Masquerading,Technique=Defense Evasion,DS=Process: Process Termination,Level=4,Alert=Process Termination in Recyclebin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
+			<Image name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,DS=Process: Process Termination,Level=0,Desc=Process Terminate: Killing of Log Shippers" condition="contains any">packetbeat.exe;metricbeat.exe;filebeat.exe;winlogbeat.exe;o365beat.exe;graylog-sidecar.exe;graylog-collector-sidecar.exe;splunkd.exe;splunk.exe;syslogng.exe;syslog-ng.exe;nxlog-processor.exe;snarecore.exe;fluentd;td-agent</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\sysWOW64\config\systemprofile\</Image>
+			<Image condition="contains">\Temp\</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=User Process Terminations" condition="contains">C:\Users\</Image>
+		</ProcessTerminate>
+	</RuleGroup>
+	<RuleGroup name="RG=ProcessTerminate Exclude Group" groupRelation="or">
+			<ProcessTerminate onmatch="exclude">
+			<Image condition="end with">Microsoft\Teams\current\Teams.exe</Image>
+			<Image condition="end with">\git.exe</Image>
+			<Image condition="end with">Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Image>
+			<Image condition="begin with">C:\ProgramData\Lenovo\ImController\</Image>
+		</ProcessTerminate>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
+	<RuleGroup name="RG=DriverLoad Include Group" groupRelation="or">
+		<DriverLoad onmatch="include">
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Driver: Driver Load,Level=4,Alert=Solarwinds/FireEye sunburst driver hashes,Risk=100" groupRelation="and">
+				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Driver: Driver Load,Level=4,Alert=Vulnerable Dell Drivers Detected,Risk=100" groupRelation="and">
+				<Hashes condition="contains any">0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5;c948ae14761095e4d76b55d9de86412258be7afd;c996d7971c49252c582171d9380360f2;ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1;10b30bdee43b3a2ec4aa63375577ade650269d25;d2fd132ab7bbc6bbb87a84f026fa0244</Hashes><!-- exclude non executable files -->
+			</Rule>
+			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=DumpExt.dll driver loaded,Risk=100" condition="contains">DumpExt.dll</ImageLoaded>
+			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=Mimikatz driver loaded,Risk=100" condition="contains">mimidrv</ImageLoaded>
+			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=PWDump6 driver loaded,Risk=100" condition="contains">lsremora</ImageLoaded>
+			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=wceaux.dll driver loaded,Risk=100" condition="contains">wceaux.dll</ImageLoaded>
+			<ImageLoaded name="Attack=T1040,Tactic=Discovery,Technique=Network Sniffing,DS=Driver: Driver Load,Level=4,Alert=NPCap packet capture driver loaded,Risk=100" condition="contains">npcap</ImageLoaded>
+			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Driver Loaded in Temp" condition="contains">\Temp</ImageLoaded>
+			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Driver Loaded in Users Directories" condition="contains">:\Users</ImageLoaded>
+			<Signature name="Attack=T1019,Technique=System Firmware,Tactic=Persistence,DS=Driver: Driver Load,Level=4,Alert=UEFI Rootkit detection,Risk=100" condition="contains">ChongKim Chan</Signature>
+			<SignatureStatus condition="contains">?</SignatureStatus>
+			<SignatureStatus condition="contains">Revoked</SignatureStatus>
+			<SignatureStatus condition="contains">Unavailable</SignatureStatus>
+			<SignatureStatus condition="contains">Valid</SignatureStatus>
+			<Signed name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Unsigned Driver loaded into Kernel" condition="contains">false</Signed>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Driver: Driver Load,Level=4,Alert=Vulnerable Driver Loaded,Risk=100,Author=Nasreddine Bencherchali,Risk=75" groupRelation="or">
+				<!--# List below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT-->
+				<Hashes condition="contains">SHA1=2261198385d62d2117f50f631652eded0ecc71db</Hashes>
+				<Hashes condition="contains">SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc</Hashes>
+				<Hashes condition="contains">SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f</Hashes>
+				<Hashes condition="contains">SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd</Hashes>
+				<Hashes condition="contains">SHA1=21e6c104fe9731c874fab5c9560c929b2857b918</Hashes>
+				<Hashes condition="contains">SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2</Hashes>
+				<Hashes condition="contains">SHA1=2f991435a6f58e25c103a657d24ed892b99690b8</Hashes>
+				<Hashes condition="contains">SHA1=f02af84393e9627ba808d4159841854a6601cf80</Hashes>
+				<Hashes condition="contains">SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe</Hashes>
+				<Hashes condition="contains">SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba</Hashes>
+				<Hashes condition="contains">SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705</Hashes>
+				<Hashes condition="contains">SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa</Hashes>
+				<Hashes condition="contains">SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124</Hashes>
+				<Hashes condition="contains">SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2</Hashes>
+				<Hashes condition="contains">SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b</Hashes>
+				<Hashes condition="contains">SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc</Hashes>
+				<Hashes condition="contains">SHA1=72966ca845759d239d09da0de7eebe3abe86fee3</Hashes>
+				<Hashes condition="contains">SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de</Hashes>
+				<Hashes condition="contains">SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7</Hashes>
+				<Hashes condition="contains">SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e</Hashes>
+				<Hashes condition="contains">SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741</Hashes>
+				<Hashes condition="contains">SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95</Hashes>
+				<Hashes condition="contains">SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86</Hashes>
+				<Hashes condition="contains">SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65</Hashes>
+				<Hashes condition="contains">SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13</Hashes>
+				<Hashes condition="contains">SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b</Hashes>
+				<Hashes condition="contains">SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb</Hashes>
+				<Hashes condition="contains">SHA1=468e2e5505a3d924b14fedee4ddf240d09393776</Hashes>
+				<Hashes condition="contains">SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8</Hashes>
+				<Hashes condition="contains">SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f</Hashes>
+				<Hashes condition="contains">SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123</Hashes>
+				<Hashes condition="contains">SHA1=623cd2abef6c92255f79cbbd3309cb59176771da</Hashes>
+				<Hashes condition="contains">SHA1=1f3a9265963b660392c4053329eb9436deeed339</Hashes>
+				<Hashes condition="contains">SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c</Hashes>
+				<Hashes condition="contains">SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d</Hashes>
+				<Hashes condition="contains">SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb</Hashes>
+				<Hashes condition="contains">SHA1=c834c4931b074665d56ccab437dfcc326649d612</Hashes>
+				<Hashes condition="contains">SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c</Hashes>
+				<Hashes condition="contains">SHA1=51b60eaa228458dee605430aae1bc26f3fc62325</Hashes>
+				<Hashes condition="contains">SHA1=3270720a066492b046d7180ca6e60602c764cac7</Hashes>
+				<Hashes condition="contains">SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131</Hashes>
+				<Hashes condition="contains">SHA1=19bd488fe54b011f387e8c5d202a70019a204adf</Hashes>
+				<Hashes condition="contains">SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e</Hashes>
+				<Hashes condition="contains">SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344</Hashes>
+				<Hashes condition="contains">SHA1=205c69f078a563f54f4c0da2d02a25e284370251</Hashes>
+				<Hashes condition="contains">SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6</Hashes>
+				<Hashes condition="contains">SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac</Hashes>
+				<Hashes condition="contains">SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7</Hashes>
+				<Hashes condition="contains">SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843</Hashes>
+				<Hashes condition="contains">SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417</Hashes>
+				<Hashes condition="contains">SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181</Hashes>
+				<Hashes condition="contains">SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526</Hashes>
+				<Hashes condition="contains">SHA1=0307d76750dd98d707c699aee3b626643afb6936</Hashes>
+				<Hashes condition="contains">SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a</Hashes>
+				<Hashes condition="contains">SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946</Hashes>
+				<Hashes condition="contains">SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d</Hashes>
+				<Hashes condition="contains">SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0</Hashes>
+				<Hashes condition="contains">SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe</Hashes>
+				<Hashes condition="contains">SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0</Hashes>
+				<Hashes condition="contains">SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e</Hashes>
+				<Hashes condition="contains">SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d</Hashes>
+				<Hashes condition="contains">SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0</Hashes>
+				<Hashes condition="contains">SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2</Hashes>
+				<Hashes condition="contains">SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57</Hashes>
+				<Hashes condition="contains">SHA1=c948ae14761095e4d76b55d9de86412258be7afd</Hashes>
+				<Hashes condition="contains">SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad</Hashes>
+				<Hashes condition="contains">SHA1=745bad097052134548fe159f158c04be5616afc2</Hashes>
+				<Hashes condition="contains">SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754</Hashes>
+				<Hashes condition="contains">SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce</Hashes>
+				<Hashes condition="contains">SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d</Hashes>
+				<Hashes condition="contains">SHA1=ac13941f436139b909d105ad55637e1308f49d9a</Hashes>
+				<Hashes condition="contains">SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b</Hashes>
+				<Hashes condition="contains">SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1</Hashes>
+				<Hashes condition="contains">SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809</Hashes>
+				<Hashes condition="contains">SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387</Hashes>
+				<Hashes condition="contains">SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1</Hashes>
+				<Hashes condition="contains">SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee</Hashes>
+				<Hashes condition="contains">SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3</Hashes>
+				<Hashes condition="contains">SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0</Hashes>
+				<Hashes condition="contains">SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1</Hashes>
+				<Hashes condition="contains">SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4</Hashes>
+				<Hashes condition="contains">SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d</Hashes>
+				<Hashes condition="contains">SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd</Hashes>
+				<Hashes condition="contains">SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9</Hashes>
+				<Hashes condition="contains">SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312</Hashes>
+				<Hashes condition="contains">SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643</Hashes>
+				<Hashes condition="contains">SHA1=27eab595ec403580236e04101172247c4f5d5426</Hashes>
+				<Hashes condition="contains">SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8</Hashes>
+				<Hashes condition="contains">SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c</Hashes>
+				<Hashes condition="contains">SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef</Hashes>
+				<Hashes condition="contains">SHA1=9c256edd10823ca76c0443a330e523027b70522d</Hashes>
+				<Hashes condition="contains">SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e</Hashes>
+				<Hashes condition="contains">SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0</Hashes>
+				<Hashes condition="contains">SHA1=054a50293c7b4eea064c91ef59cf120d8100f237</Hashes>
+				<Hashes condition="contains">SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2</Hashes>
+				<Hashes condition="contains">SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e</Hashes>
+				<Hashes condition="contains">SHA1=14bf0eaa90e012169745b3e30c281a327751e316</Hashes>
+				<Hashes condition="contains">SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79</Hashes>
+				<Hashes condition="contains">SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08</Hashes>
+				<Hashes condition="contains">SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614</Hashes>
+				<Hashes condition="contains">SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a</Hashes>
+				<Hashes condition="contains">SHA1=879fcc6795cebe67718388228e715c470de87dca</Hashes>
+				<Hashes condition="contains">SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a</Hashes>
+				<Hashes condition="contains">SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67</Hashes>
+				<Hashes condition="contains">SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03</Hashes>
+				<Hashes condition="contains">SHA1=a7bd05de737f8ea57857f1e0845a25677df01872</Hashes>
+				<Hashes condition="contains">SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e</Hashes>
+				<Hashes condition="contains">SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3</Hashes>
+				<Hashes condition="contains">SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc</Hashes>
+				<Hashes condition="contains">SHA1=d62fa51e520022483bdc5847141658de689c0c29</Hashes>
+				<Hashes condition="contains">SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9</Hashes>
+				<Hashes condition="contains">SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b</Hashes>
+				<Hashes condition="contains">SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd</Hashes>
+				<Hashes condition="contains">SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be</Hashes>
+				<Hashes condition="contains">SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646</Hashes>
+				<Hashes condition="contains">SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b</Hashes>
+				<Hashes condition="contains">SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60</Hashes>
+				<Hashes condition="contains">SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430</Hashes>
+				<Hashes condition="contains">SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b</Hashes>
+				<Hashes condition="contains">SHA1=0b8b83f245d94107cb802a285e6529161d9a834d</Hashes>
+				<Hashes condition="contains">SHA1=c969f1f73922fd95db1992a5b552fbc488366a40</Hashes>
+				<Hashes condition="contains">SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451</Hashes>
+				<Hashes condition="contains">SHA1=da9cea92f996f938f699902482ac5313d5e8b28e</Hashes>
+				<Hashes condition="contains">SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53</Hashes>
+				<Hashes condition="contains">SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260</Hashes>
+				<Hashes condition="contains">SHA1=f052dc35b74a1a6246842fbb35eb481577537826</Hashes>
+				<Hashes condition="contains">SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf</Hashes>
+				<Hashes condition="contains">SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e</Hashes>
+				<Hashes condition="contains">SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15</Hashes>
+				<Hashes condition="contains">SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2</Hashes>
+				<Hashes condition="contains">SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939</Hashes>
+				<Hashes condition="contains">SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e</Hashes>
+				<Hashes condition="contains">SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1</Hashes>
+				<Hashes condition="contains">SHA1=7fb52290883a6b69a96d480f2867643396727e83</Hashes>
+				<!--# The list below is from https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/ -->
+				<Hashes condition="contains">SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab</Hashes>
+				<Hashes condition="contains">SHA1=693a2645c28fc3b248fda95179c36c3ac64f6fc2</Hashes>
+				<Hashes condition="contains">SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d</Hashes>
+				<Hashes condition="contains">SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299</Hashes>
+				<Hashes condition="contains">SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c</Hashes>
+				<Hashes condition="contains">SHA1=fe10018af723986db50701c8532df5ed98b17c39</Hashes>
+				<Hashes condition="contains">SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b</Hashes>
+				<Hashes condition="contains">SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347</Hashes>
+				<Hashes condition="contains">SHA1=82ba5513c33e056c3f54152c8555abf555f3e745</Hashes>
+				<Hashes condition="contains">SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa</Hashes>
+				<Hashes condition="contains">SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4</Hashes>
+				<Hashes condition="contains">SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436</Hashes>
+				<Hashes condition="contains">SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891</Hashes>
+				<Hashes condition="contains">SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748</Hashes>
+				<Hashes condition="contains">SHA1=c771ea59f075170e952c393cfd6fc784b265027c</Hashes>
+				<Hashes condition="contains">SHA1=cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1</Hashes>
+				<Hashes condition="contains">SHA1=0918277fcdc64a9dc51c04324377b3468fa1269b</Hashes>
+				<Hashes condition="contains">SHA1=b09bcc042d60d2f4c0d08284818ed198cededa04</Hashes>
+				<!--# The list below is from https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c -->
+				<Hashes condition="contains">SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89</Hashes>
+				<Hashes condition="contains">SHA1=15df139494d2c40a645fb010908551185c27f3c5</Hashes>
+				<Hashes condition="contains">SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de</Hashes>
+				<Hashes condition="contains">SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75</Hashes>
+				<Hashes condition="contains">SHA1=490109fa6739f114651f4199196c5121d1c6bdf2</Hashes>
+				<Hashes condition="contains">SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5</Hashes>
+				<Hashes condition="contains">SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de</Hashes>
+				<Hashes condition="contains">SHA1=3f223581409492172a1e875f130f3485b90fbe5f</Hashes>
+				<Hashes condition="contains">SHA1=5db61d00a001fd493591dc919f69b14713889fc5</Hashes>
+				<!--# https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md -->
+				<Hashes condition="contains">SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f</Hashes>
+				<Hashes condition="contains">SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370</Hashes>
+				<Hashes condition="contains">SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c</Hashes>
+				<Hashes condition="contains">SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676</Hashes>
+				<Hashes condition="contains">SHA1=c6bd965300f07012d1b651a9b8776028c45b149a</Hashes>
+				<Hashes condition="contains">SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f</Hashes>
+				<Hashes condition="contains">SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1</Hashes>
+				<Hashes condition="contains">SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9</Hashes>
+				<Hashes condition="contains">SHA1=dc55217b6043d819eadebd423ff07704ee103231</Hashes>
+				<Hashes condition="contains">SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4</Hashes>
+				<Hashes condition="contains">SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f</Hashes>
+				<Hashes condition="contains">SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab</Hashes>
+				<Hashes condition="contains">SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63</Hashes>
+				<Hashes condition="contains">SHA1=c6d349823bbb1f5b44bae91357895dba653c5861</Hashes>
+				<Hashes condition="contains">SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2</Hashes>
+				<Hashes condition="contains">SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825</Hashes>
+				<Hashes condition="contains">SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d</Hashes>
+				<Hashes condition="contains">SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6</Hashes>
+				<Hashes condition="contains">SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162</Hashes>
+				<Hashes condition="contains">SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb</Hashes>
+				<Hashes condition="contains">SHA1=29a190727140f40cea9514a6420f5a195e36386b</Hashes>
+				<Hashes condition="contains">SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77</Hashes>
+				<Hashes condition="contains">SHA1=7667b72471689151e176baeba4e1cd9cd006a09a</Hashes>
+				<Hashes condition="contains">SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5</Hashes>
+				<Hashes condition="contains">SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8</Hashes>
+				<Hashes condition="contains">SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e</Hashes>
+				<Hashes condition="contains">SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403</Hashes>
+				<Hashes condition="contains">SHA1=d702d88b12233be9413446c445f22fda4a92a1d9</Hashes>
+				<Hashes condition="contains">SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1</Hashes>
+				<Hashes condition="contains">SHA1=643383938d5e0d4fd30d302af3e9293a4798e392</Hashes>
+				<Hashes condition="contains">SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07</Hashes>
+				<!--# The list below is derived from the ELASTIC yara rules https://github.com/elastic/protections-artifacts/search?q=VulnDriver -->
+				<!--# These are the hashes mentioned in the "reference_sample" section that ELASTIC used to create their rules -->
+				<Hashes condition="contains">SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816</Hashes>
+				<Hashes condition="contains">SHA1=db6245578ec57bd767b27ecf8085095e1c8e5a6e</Hashes>
+				<Hashes condition="contains">SHA1=166759fd511613414d3213942fe2575b926a6226</Hashes>
+				<Hashes condition="contains">SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4</Hashes>
+				<Hashes condition="contains">SHA1=98ceed786f79288becc08c3b82c57e8d4bfa1bca</Hashes>
+				<Hashes condition="contains">SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8</Hashes>
+				<Hashes condition="contains">SHA1=4de33d03fee52f396a1c788000ca868d56ac30de</Hashes>
+				<Hashes condition="contains">SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0</Hashes>
+				<Hashes condition="contains">SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d</Hashes>
+				<Hashes condition="contains">SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1</Hashes>
+				<Hashes condition="contains">SHA1=943593e880b4d340f2548548e6e673ef6f61eed3</Hashes>
+				<Hashes condition="contains">SHA1=5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd</Hashes>
+				<Hashes condition="contains">SHA1=e44297a2b750ec1958bef265e2f1ae6fa4323b28</Hashes>
+				<Hashes condition="contains">SHA1=aa2ea973bb248b18973e57339307cfb8d309f687</Hashes>
+				<Hashes condition="contains">SHA1=3a5d176c50f97b71d139767ed795d178623f491d</Hashes>
+				<Hashes condition="contains">SHA1=25d812a5ece19ea375178ef9d60415841087726e</Hashes>
+				<Hashes condition="contains">SHA1=3795e32592ab6d8074b6f7ad33759c6a39b0df07</Hashes>
+				<Hashes condition="contains">SHA1=fc121ed6fb37e97a004b6faf217435b772dfc4c0</Hashes>
+				<Hashes condition="contains">SHA1=ab2b8602e4baef828b58b995d0889a8e5b8dbd02</Hashes>
+				<Hashes condition="contains">SHA1=cf040040628b58f4a811f98c2690913c1e8e4e3c</Hashes>
+				<Hashes condition="contains">SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a</Hashes>
+				<Hashes condition="contains">SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed</Hashes>
+				<Hashes condition="contains">SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b</Hashes>
+				<Hashes condition="contains">SHA1=f3c5e723ae009b336cd2719137b8cd194c9ee51d</Hashes>
+				<Hashes condition="contains">SHA1=41f2d0f9863bce8920c207b1ef5d3d32b603edef</Hashes>
+				<Hashes condition="contains">SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001</Hashes>
+				<Hashes condition="contains">SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c</Hashes>
+				<Hashes condition="contains">SHA1=9401389fba314d1810f83edce33c37e84a78e112</Hashes>
+				<Hashes condition="contains">SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371</Hashes>
+				<Hashes condition="contains">SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7</Hashes>
+				<Hashes condition="contains">SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0</Hashes>
+				<Hashes condition="contains">SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4</Hashes>
+				<Hashes condition="contains">SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2</Hashes>
+				<Hashes condition="contains">SHA1=38571f14fc014487194d1eecfa80561ee8644e09</Hashes>
+				<Hashes condition="contains">SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2</Hashes>
+				<Hashes condition="contains">SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8</Hashes>
+				<Hashes condition="contains">SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba</Hashes>
+				<Hashes condition="contains">SHA1=4c18754dca481f107f0923fb8ef5e149d128525d</Hashes>
+				<Hashes condition="contains">SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f</Hashes>
+				<Hashes condition="contains">SHA1=cde32654a041fedc7b0fa1083f6005b950760062</Hashes>
+				<Hashes condition="contains">SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a</Hashes>
+				<Hashes condition="contains">SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332</Hashes>
+				<Hashes condition="contains">SHA1=4f7a8e26a97980544be634b26899afbefb0a833c</Hashes>
+				<!--# The list below is from https://github.com/namazso/physmem_drivers -->
+				<Hashes condition="contains">SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748</Hashes>
+				<Hashes condition="contains">SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA</Hashes>
+				<Hashes condition="contains">SHA256=6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA</Hashes>
+				<Hashes condition="contains">SHA256=8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F</Hashes>
+				<Hashes condition="contains">SHA256=B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414</Hashes>
+				<Hashes condition="contains">SHA256=7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D</Hashes>
+				<Hashes condition="contains">SHA256=7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA</Hashes>
+				<Hashes condition="contains">SHA256=42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00</Hashes>
+				<Hashes condition="contains">SHA256=2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E</Hashes>
+				<Hashes condition="contains">SHA256=436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7</Hashes>
+				<Hashes condition="contains">SHA256=B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602</Hashes>
+				<Hashes condition="contains">SHA256=DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8</Hashes>
+				<Hashes condition="contains">SHA256=B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A</Hashes>
+				<Hashes condition="contains">SHA256=025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4</Hashes>
+				<Hashes condition="contains">SHA256=2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4</Hashes>
+				<Hashes condition="contains">SHA256=ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C</Hashes>
+				<Hashes condition="contains">SHA256=F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B</Hashes>
+				<Hashes condition="contains">SHA256=2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A</Hashes>
+				<Hashes condition="contains">SHA256=950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9</Hashes>
+				<Hashes condition="contains">SHA256=0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB</Hashes>
+				<Hashes condition="contains">SHA256=47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC</Hashes>
+				<Hashes condition="contains">SHA256=B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF</Hashes>
+				<Hashes condition="contains">SHA256=5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A</Hashes>
+				<Hashes condition="contains">SHA256=0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3</Hashes>
+				<Hashes condition="contains">SHA256=3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5</Hashes>
+				<Hashes condition="contains">SHA256=36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB</Hashes>
+				<Hashes condition="contains">SHA256=29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94</Hashes>
+				<Hashes condition="contains">SHA256=45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0</Hashes>
+				<Hashes condition="contains">SHA256=50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F</Hashes>
+				<Hashes condition="contains">SHA256=607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C</Hashes>
+				<Hashes condition="contains">SHA256=61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8</Hashes>
+				<Hashes condition="contains">SHA256=74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4</Hashes>
+				<Hashes condition="contains">SHA256=76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303</Hashes>
+				<Hashes condition="contains">SHA256=81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469</Hashes>
+				<Hashes condition="contains">SHA256=9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B</Hashes>
+				<Hashes condition="contains">SHA256=9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E</Hashes>
+				<Hashes condition="contains">SHA256=AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608</Hashes>
+				<Hashes condition="contains">SHA256=AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685</Hashes>
+				<Hashes condition="contains">SHA256=D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71</Hashes>
+				<Hashes condition="contains">SHA256=D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2</Hashes>
+				<Hashes condition="contains">SHA256=E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293</Hashes>
+				<Hashes condition="contains">SHA256=F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57</Hashes>
+				<Hashes condition="contains">SHA256=1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A</Hashes>
+				<Hashes condition="contains">SHA256=22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A</Hashes>
+				<Hashes condition="contains">SHA256=405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659</Hashes>
+				<Hashes condition="contains">SHA256=49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA</Hashes>
+				<Hashes condition="contains">SHA256=4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2</Hashes>
+				<Hashes condition="contains">SHA256=4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7</Hashes>
+				<Hashes condition="contains">SHA256=54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57</Hashes>
+				<Hashes condition="contains">SHA256=5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92</Hashes>
+				<Hashes condition="contains">SHA256=76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184</Hashes>
+				<Hashes condition="contains">SHA256=7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457</Hashes>
+				<Hashes condition="contains">SHA256=845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A</Hashes>
+				<Hashes condition="contains">SHA256=84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4</Hashes>
+				<Hashes condition="contains">SHA256=8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F</Hashes>
+				<Hashes condition="contains">SHA256=A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8</Hashes>
+				<Hashes condition="contains">SHA256=AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165</Hashes>
+				<Hashes condition="contains">SHA256=B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E</Hashes>
+				<Hashes condition="contains">SHA256=B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A</Hashes>
+				<Hashes condition="contains">SHA256=B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C</Hashes>
+				<Hashes condition="contains">SHA256=DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653</Hashes>
+				<Hashes condition="contains">SHA256=E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028</Hashes>
+				<Hashes condition="contains">SHA256=3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3</Hashes>
+				<Hashes condition="contains">SHA256=DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D</Hashes>
+				<Hashes condition="contains">SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5</Hashes>
+				<Hashes condition="contains">SHA256=80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3</Hashes>
+				<Hashes condition="contains">SHA256=BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955</Hashes>
+				<Hashes condition="contains">SHA256=FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339</Hashes>
+				<Hashes condition="contains">SHA256=3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25</Hashes>
+				<Hashes condition="contains">SHA256=61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0</Hashes>
+				<Hashes condition="contains">SHA256=07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357</Hashes>
+				<Hashes condition="contains">SHA256=21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21</Hashes>
+				<Hashes condition="contains">SHA256=2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D</Hashes>
+				<Hashes condition="contains">SHA256=F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF</Hashes>
+				<Hashes condition="contains">SHA256=F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B</Hashes>
+				<Hashes condition="contains">SHA256=3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4</Hashes>
+				<Hashes condition="contains">SHA256=DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097</Hashes>
+				<Hashes condition="contains">SHA256=509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6</Hashes>
+				<Hashes condition="contains">SHA256=525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD</Hashes>
+				<Hashes condition="contains">SHA256=6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492</Hashes>
+				<Hashes condition="contains">SHA256=09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1</Hashes>
+				<Hashes condition="contains">SHA256=101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558</Hashes>
+				<Hashes condition="contains">SHA256=131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6</Hashes>
+				<Hashes condition="contains">SHA256=1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219</Hashes>
+				<Hashes condition="contains">SHA256=1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE</Hashes>
+				<Hashes condition="contains">SHA256=2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250</Hashes>
+				<Hashes condition="contains">SHA256=30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB</Hashes>
+				<Hashes condition="contains">SHA256=3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5</Hashes>
+				<Hashes condition="contains">SHA256=38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A</Hashes>
+				<Hashes condition="contains">SHA256=39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E</Hashes>
+				<Hashes condition="contains">SHA256=3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3</Hashes>
+				<Hashes condition="contains">SHA256=3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5</Hashes>
+				<Hashes condition="contains">SHA256=47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005</Hashes>
+				<Hashes condition="contains">SHA256=50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793</Hashes>
+				<Hashes condition="contains">SHA256=56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7</Hashes>
+				<Hashes condition="contains">SHA256=591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52</Hashes>
+				<Hashes condition="contains">SHA256=5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3</Hashes>
+				<Hashes condition="contains">SHA256=6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4</Hashes>
+				<Hashes condition="contains">SHA256=79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57</Hashes>
+				<Hashes condition="contains">SHA256=85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94</Hashes>
+				<Hashes condition="contains">SHA256=89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE</Hashes>
+				<Hashes condition="contains">SHA256=9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B</Hashes>
+				<Hashes condition="contains">SHA256=984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7</Hashes>
+				<Hashes condition="contains">SHA256=98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8</Hashes>
+				<Hashes condition="contains">SHA256=99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1</Hashes>
+				<Hashes condition="contains">SHA256=9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449</Hashes>
+				<Hashes condition="contains">SHA256=A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499</Hashes>
+				<Hashes condition="contains">SHA256=A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526</Hashes>
+				<Hashes condition="contains">SHA256=B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D</Hashes>
+				<Hashes condition="contains">SHA256=CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B</Hashes>
+				<Hashes condition="contains">SHA256=CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB</Hashes>
+				<Hashes condition="contains">SHA256=CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B</Hashes>
+				<Hashes condition="contains">SHA256=D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889</Hashes>
+				<Hashes condition="contains">SHA256=D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530</Hashes>
+				<Hashes condition="contains">SHA256=D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482</Hashes>
+				<Hashes condition="contains">SHA256=E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1</Hashes>
+				<Hashes condition="contains">SHA256=E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A</Hashes>
+				<Hashes condition="contains">SHA256=E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA</Hashes>
+				<Hashes condition="contains">SHA256=EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0</Hashes>
+				<Hashes condition="contains">SHA256=F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D</Hashes>
+				<Hashes condition="contains">SHA256=FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03</Hashes>
+				<Hashes condition="contains">SHA256=91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C</Hashes>
+				<Hashes condition="contains">SHA256=F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008</Hashes>
+				<Hashes condition="contains">SHA256=6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC</Hashes>
+				<Hashes condition="contains">SHA256=DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004</Hashes>
+				<Hashes condition="contains">SHA256=7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D</Hashes>
+				<Hashes condition="contains">SHA256=7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB</Hashes>
+				<Hashes condition="contains">SHA256=7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA</Hashes>
+				<Hashes condition="contains">SHA256=159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980</Hashes>
+				<Hashes condition="contains">SHA256=3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099</Hashes>
+				<Hashes condition="contains">SHA256=7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C</Hashes>
+				<Hashes condition="contains">SHA256=C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E</Hashes>
+				<Hashes condition="contains">SHA256=3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8</Hashes>
+				<Hashes condition="contains">SHA256=47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84</Hashes>
+				<!--# The list below is from https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/ -->
+				<Hashes condition="contains">SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b</Hashes>
+				<Hashes condition="contains">SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790</Hashes>
+				<Hashes condition="contains">SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22</Hashes>
+				<Hashes condition="contains">SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44</Hashes>
+				<Hashes condition="contains">SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8</Hashes>
+				<Hashes condition="contains">SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009</Hashes>
+				<Hashes condition="contains">SHA256=39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df</Hashes>
+				<Hashes condition="contains">SHA256=7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead</Hashes>
+				<Hashes condition="contains">SHA256=aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16</Hashes>
+				<Hashes condition="contains">SHA256=ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7</Hashes>
+				<Hashes condition="contains">SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5</Hashes>
+				<Hashes condition="contains">SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495</Hashes>
+				<Hashes condition="contains">SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd</Hashes>
+				<Hashes condition="contains">SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c</Hashes>
+				<Hashes condition="contains">SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427</Hashes>
+				<!--# The list below is from https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c -->
+				<Hashes condition="contains">SHA256=952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4</Hashes>
+				<Hashes condition="contains">SHA256=9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6</Hashes>
+				<Hashes condition="contains">SHA256=A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062</Hashes>
+				<Hashes condition="contains">SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b</Hashes>
+				<Hashes condition="contains">SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece</Hashes>
+				<Hashes condition="contains">SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374</Hashes>
+				<Hashes condition="contains">SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50</Hashes>
+				<Hashes condition="contains">SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6</Hashes>
+				<Hashes condition="contains">SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e</Hashes>
+				<!--# https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md -->
+				<Hashes condition="contains">SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc</Hashes>
+				<Hashes condition="contains">SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d</Hashes>
+				<Hashes condition="contains">SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65</Hashes>
+				<Hashes condition="contains">SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347</Hashes>
+				<Hashes condition="contains">SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9</Hashes>
+				<Hashes condition="contains">SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219</Hashes>
+				<Hashes condition="contains">SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8</Hashes>
+				<Hashes condition="contains">SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813</Hashes>
+				<Hashes condition="contains">SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a</Hashes>
+				<Hashes condition="contains">SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f</Hashes>
+				<Hashes condition="contains">SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc</Hashes>
+				<Hashes condition="contains">SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de</Hashes>
+				<Hashes condition="contains">SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073</Hashes>
+				<Hashes condition="contains">SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890</Hashes>
+				<Hashes condition="contains">SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0</Hashes>
+				<Hashes condition="contains">SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200</Hashes>
+				<Hashes condition="contains">SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf</Hashes>
+				<Hashes condition="contains">SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2</Hashes>
+				<Hashes condition="contains">SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173</Hashes>
+				<Hashes condition="contains">SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6</Hashes>
+				<Hashes condition="contains">SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8</Hashes>
+				<Hashes condition="contains">SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508</Hashes>
+				<Hashes condition="contains">SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3</Hashes>
+				<Hashes condition="contains">SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52</Hashes>
+				<Hashes condition="contains">SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129</Hashes>
+				<Hashes condition="contains">SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993</Hashes>
+				<Hashes condition="contains">SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d</Hashes>
+				<Hashes condition="contains">SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd</Hashes>
+				<Hashes condition="contains">SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35</Hashes>
+				<Hashes condition="contains">SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33</Hashes>
+				<Hashes condition="contains">SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29</Hashes>
+				<!--# The list below is derived from the ELASTIC yara rules https://github.com/elastic/protections-artifacts/search?q=VulnDriver -->
+				<!--# These are the hashes mentioned in the "reference_sample" section that ELASTIC used to create their rules -->
+				<Hashes condition="contains">SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838</Hashes>
+				<Hashes condition="contains">SHA256=3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b</Hashes>
+				<Hashes condition="contains">SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82</Hashes>
+				<Hashes condition="contains">SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7</Hashes>
+				<Hashes condition="contains">SHA256=b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038</Hashes>
+				<Hashes condition="contains">SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89</Hashes>
+				<Hashes condition="contains">SHA256=73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e</Hashes>
+				<Hashes condition="contains">SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3</Hashes>
+				<Hashes condition="contains">SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6</Hashes>
+				<Hashes condition="contains">SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89</Hashes>
+				<Hashes condition="contains">SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf</Hashes>
+				<Hashes condition="contains">SHA256=1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea</Hashes>
+				<Hashes condition="contains">SHA256=d84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5</Hashes>
+				<Hashes condition="contains">SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a</Hashes>
+				<Hashes condition="contains">SHA256=0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f</Hashes>
+				<Hashes condition="contains">SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3</Hashes>
+				<Hashes condition="contains">SHA256=0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003</Hashes>
+				<Hashes condition="contains">SHA256=26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7</Hashes>
+				<Hashes condition="contains">SHA256=42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498</Hashes>
+				<Hashes condition="contains">SHA256=1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22</Hashes>
+				<Hashes condition="contains">SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4</Hashes>
+				<Hashes condition="contains">SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c</Hashes>
+				<Hashes condition="contains">SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53</Hashes>
+				<Hashes condition="contains">SHA256=3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de</Hashes>
+				<Hashes condition="contains">SHA256=fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330</Hashes>
+				<Hashes condition="contains">SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46</Hashes>
+				<Hashes condition="contains">SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347</Hashes>
+				<Hashes condition="contains">SHA256=8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026</Hashes>
+				<Hashes condition="contains">SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15</Hashes>
+				<Hashes condition="contains">SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91</Hashes>
+				<Hashes condition="contains">SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf</Hashes>
+				<Hashes condition="contains">SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c</Hashes>
+				<Hashes condition="contains">SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64</Hashes>
+				<Hashes condition="contains">SHA256=3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59</Hashes>
+				<Hashes condition="contains">SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6</Hashes>
+				<Hashes condition="contains">SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b</Hashes>
+				<Hashes condition="contains">SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9</Hashes>
+				<Hashes condition="contains">SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351</Hashes>
+				<Hashes condition="contains">SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5</Hashes>
+				<Hashes condition="contains">SHA256=ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c</Hashes>
+				<Hashes condition="contains">SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b</Hashes>
+				<Hashes condition="contains">SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05</Hashes>
+				<Hashes condition="contains">SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433</Hashes>
+			</Rule>
+		</DriverLoad>
+	</RuleGroup>
+	<RuleGroup name="RG=DriverLoad Exclude Group" groupRelation="or">
+		<DriverLoad onmatch="exclude">
+		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
+				about what you exclude from monitoring. Low event volume, little incentive to exclude.-->
+		</DriverLoad>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
+		<!--COMMENT:	Can cause high system load, disabled by default.-->
+		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
+	<RuleGroup name="RG=Image Load Includes" groupRelation="or">
+		<ImageLoad onmatch="include">
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Module: Module Load,Level=4,Alert=MSDT Loading diagnostic library: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<Image condition="image">msdt.exe</Image>
+				<ImageLoaded condition="contains">sdiageng.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=VBE7 Macro Image Loads with wshom,Risk=70" groupRelation="and">
+				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
+				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wshom.ocx</ImageLoaded>
+				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Suspicious Process Loading ntkrnlmp.exe,Risk=50" groupRelation="and">
+				<ImageLoaded condition="image">ntkrnlmp.exe</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,CVE=CVE-2021-1675,DS=Module: Module Load,Level=0,Desc=Printer Expoit,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains any">\spool\drivers\x64\3\;\spool\drivers\W32X86\3\;\spool\drivers\IA64\3\</ImageLoaded>
+				<Image condition="contains any">spoolsv.exe;printisolationhost.exe</Image>
+				<SignatureStatus condition="excludes">Valid</SignatureStatus>
+				<Company condition="excludes any">Brother Industries;Canon;Sharp;Microsoft Corporation;DYMO;Euro Plus d.o.o;HP Inc;Hewlett-Packard</Company>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Module: Module Load,Level=0,Desc=DLL Image Load by System in Suspicious Locations" groupRelation="and">
+				<Image condition="begin with">C:\Windows\</Image>
+				<ImageLoaded condition="contains any">\Users\Public\;\Desktop\;\Downloads\;\AppData\Local\Temp\;\PerfLogs\;$Recycle;\Fonts\</ImageLoaded>
+				<ImageLoaded condition="excludes any">\Program Files</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Equation editor loading itself,Risk=50" groupRelation="and">
+				<Image condition="image">EQNEDT32.EXE</Image>
+				<ImageLoaded condition="contains">EQNEDT32.EXE</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Module: Module Load,Level=2,Alert=Windows Active Directory Services DLL Loading in Susicious Directories,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
+				<Image condition="contains any">C:\Users;\Temp\;\ProgramData\</Image>
+			</Rule>
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Module: Module Load,Level=2,Alert=Windows Active Directory Services DLL Loading by Suspicious Process,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
+				<Image condition="contains any">\wscript.exe;\cscript.exe;\powershell.exe;\powershell_ise.exe;\rundll32.exe;\msbuild.exe;\csc.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=VBE6 Macro Image Loads with wshom,Risk=40" groupRelation="and">
+				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
+				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wshom.ocx</ImageLoaded>
+				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll;fastprox.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=VBE7 Macro Image Loads with wmi,Risk=30" groupRelation="and">
+				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
+				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=VBE6 Macro Image Loads with wmi,Risk=50" groupRelation="and">
+				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
+				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Office taskschd.dll Load" groupRelation="and">
+				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
+				<ImageLoaded condition="end with">taskschd.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=WScript taskschd.dll Load" groupRelation="and">
+				<Image condition="contains any">wscript.exe;cscript.exe</Image>
+				<ImageLoaded condition="end with">taskschd.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=WMI taskschd.dll Load" groupRelation="and">
+				<Image condition="image">wmiprvse.exe</Image>
+				<ImageLoaded condition="end with">taskschd.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Powershell Loading MSI.dll" groupRelation="and">
+				<Image condition="image">powershell.exe</Image>
+				<ImageLoaded condition="end with">msi.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Powershell Loading AMSI.dll" groupRelation="and">
+				<Image condition="contains">powershell</Image>
+				<ImageLoaded condition="end with">amsi.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Powershell Not Loading AMSI.dll" groupRelation="and">
+				<Image condition="excludes">powershell</Image>
+				<ImageLoaded condition="end with">amsi.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=1,Desc=Monitor logoncli.dll dll loads for injection - potential qbot activity" groupRelation="and">
+				<ImageLoaded condition="end with">logoncli.dll</ImageLoaded>
+				<Image condition="is not">C:\Windows\System32\wbem\WmiPrvSE.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Office clr.dll Load" groupRelation="and">
+				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
+				<ImageLoaded condition="end with">clr.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Suspicious clr windows management dll Load" groupRelation="and">
+				<ImageLoaded condition="contains all">clr.dll;System.Management.ni.dll;Microsoft.Build.Utilities</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Wscript Internet Access library Loads" groupRelation="and">
+				<Image condition="contains any">wscript.exe;cscript.exe</Image>
+				<ImageLoaded condition="contains all">msxml;wshom.ocx</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Wscript Internet Access library Loads 2" groupRelation="and">
+				<Image condition="contains any">wscript.exe;cscript.exe</Image>
+				<ImageLoaded condition="contains all">winhttp.dll;mswsock.dll;IPHLPAPI.DLL</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Interesting Installutil DLL Loads" groupRelation="and">
+				<Image condition="contains any">installutil.exe</Image>
+				<ImageLoaded condition="contains all">CustomMarshalers.dll;CustomMarshalers.ni.dll;System.Management.ni.dll;WMINet_Utils.dll;mswsock.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Automation NI DLL Loaded" groupRelation="and">
+				<ImageLoaded condition="end with">System.Management.Automation.ni.dll</ImageLoaded>
+				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Automation DLL Loaded" groupRelation="and">
+				<ImageLoaded condition="end with">System.Management.Automation.dll</ImageLoaded>
+				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
+				<ImageLoaded condition="excludes any">Lenovo.Vantage.AddinHost;\Microsoft.Sara.exe;C:\Program Files\CONEXANT</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Credential Manager DLL Loaded" groupRelation="and">
+				<ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded>
+				<Image condition="excludes any">\svchost.exe;\GameBar.exe;C:\Program Files\WindowsApps;\Microsoft\Teams\current\Teams.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=UNC Path Image Loaded" groupRelation="and">
+				<ImageLoaded condition="begin with">\\</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=WLL Office Application Startup" groupRelation="and">
+				<ImageLoaded condition="contains">\Microsoft\Word\Startup\</ImageLoaded>
+				<ImageLoaded condition="end with">.wll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=XLL Office Application Startup" groupRelation="and">
+				<ImageLoaded condition="contains">\Microsoft\Excel\Startup\</ImageLoaded>
+				<ImageLoaded condition="end with">.xll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Office Application Startup Generic" groupRelation="and">
+				<ImageLoaded condition="contains">\Microsoft\Addins\</ImageLoaded>
+				<ImageLoaded condition="contains any">.xla</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Defense Evasion,DS=Module: Module Load,Level=4,Alert=Ransomware detected tor library,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains">tor-lib.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Module: Module Load,Level=0,Desc=Cred Dumping,Risk=90" groupRelation="and">
+				<ImageLoaded condition="is any">C:\Windows\System32\WinSCard.dll;C:\Windows\System32\cryptdll.dll;C:\Windows\System32\hid.dll;C:\Windows\System32\samlib.dll;C:\Windows\System32\vaultcli.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Module: Module Load,Level=0,Desc=Mimikatz Cred Dumping,Risk=100" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+				<ImageLoaded condition="contains all">vaultcli.dll;wlanapi.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">combase.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">cryptdll.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">imm32.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">logoncli.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">netapi32.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">ntasn1.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">ntdsapi.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">samlib.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">shcore.dll</ImageLoaded>
+				<ImageLoaded condition="excludes">srvcli.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Potential C3 Framework,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains all">odbc32.dll;winhttp.dll;netapi32.dll;SHLWAPI.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Explorer Loading Powershell in memory,Risk=100" groupRelation="and">
+				<Image condition="image">C:\Windows\Explorer.EXE</Image>
+				<ImageLoaded condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Programdata Image Loading exe Image from Programdata" groupRelation="and">
+				<Image condition="begin with">C:\ProgramData\</Image>
+				<ImageLoaded condition="begin with">C:\ProgramData\</ImageLoaded>
+				<ImageLoaded condition="end with">.exe</ImageLoaded>
+				<Company condition="excludes">Adobe</Company>
+				<Image condition="excludes">C:\ProgramData\Lenovo\</Image>
+				<ImageLoaded condition="excludes">C:\ProgramData\Microsoft\Windows Defender\</ImageLoaded>
+				<ImageLoaded condition="excludes">C:\ProgramData\sysmon\sysmon64.exe</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Module: Module Load,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
+				<ImageLoaded condition="contains any">C:\Users\Default\;C:\Users\Public\</ImageLoaded>
+				<ImageLoaded condition="end with">.exe</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Module: Module Load,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
+				<ImageLoaded condition="contains any">C:\Users\Default\;C:\Users\Public\</ImageLoaded>
+				<ImageLoaded condition="end with">.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Module: Module Load,Level=4,Alert=Solarwinds/FireEye sunburst image hashes,Risk=100" groupRelation="and">
+				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Module: Module Load,Level=4,Alert=Sept 2022 Exchange 0day DLL detection,Risk=100" groupRelation="or">
+				<Hashes condition="contains">SHA256=074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82</Hashes><!--Exchange Zero Day Dropped DLL-->
+				<Hashes condition="contains">SHA256=45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9</Hashes><!--Exchange Zero Day Dropped DLL-->
+				<Hashes condition="contains">SHA256=9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0</Hashes><!--Exchange Zero Day Dropped DLL-->
+				<Hashes condition="contains">SHA256=29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3</Hashes><!--Exchange Zero Day Dropped DLL-->
+				<Hashes condition="contains">SHA256=c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2</Hashes><!--Exchange Zero Day Dropped DLL-->
+				<Hashes condition="contains">SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e</Hashes><!--Exchange Zero Day Dropped DLL-->
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=SVCHost loading Unsigned DLL" groupRelation="and">
+				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
+				<Signed condition="is">false</Signed>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Revoked Signature Libraries Loaded" groupRelation="and">
+				<SignatureStatus condition="is">Revoked</SignatureStatus>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Expired Signature Libraries Loaded" groupRelation="and">
+				<SignatureStatus condition="is">Expired</SignatureStatus>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=4,Alert=HTA Exec with IE JS Engine AMSI Bypass" groupRelation="and">
+				<ImageLoaded condition="end with">jscript9.dll</ImageLoaded>
+				<Image condition="image">mshta.exe</Image>
+			</Rule>
+			<ImageLoaded condition="end with">scrobj.dll</ImageLoaded>
+			<ImageLoaded condition="end with">crypt0.dll</ImageLoaded>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Module: Module Load,Level=0,Desc=Wireless Credential Dumping" groupRelation="and">
+				<ImageLoaded condition="end with">C:\Windows\System32\wlanapi.dll</ImageLoaded>
+				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe</Image>
+				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe</Image>
+				<Image condition="excludes">C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience</Image>
+				<Image condition="excludes">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
+				<Image condition="excludes">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\AppHostRegistrationVerifier.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\CompatTelRunner.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\DeviceCensus.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\DriverStore\FileRepository\</Image>
+				<Image condition="excludes">C:\Windows\System32\LogonUI.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\MoNotificationUx.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\SystemSettingsBroker.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\dxgiadaptercache.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\netsh.exe</Image>
+				<Image condition="excludes">C:\Windows\System32\wlanext.exe</Image>
+				<Image condition="excludes">C:\Windows\UUS\amd64\MoUsoCoreWorker.exe</Image>
+				<Image condition="excludes">C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_</Image>
+				<Image condition="excludes">C:\Windows\explorer.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=Module: Module Load,Level=2,Desc=Python DLL Loaded,Risk=30" groupRelation="and">
+				<ImageLoaded condition="contains any">python</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=1,Desc=Unsigned Global Assembly Cache Load" groupRelation="and">
+				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
+				<Signed condition="is">false</Signed>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=1,Desc=Signed Global Assembly Cache Load" groupRelation="and">
+				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
+				<Signed condition="is">true</Signed>
+			</Rule>
+		</ImageLoad>
+	</RuleGroup>
+	<RuleGroup name="RG=Image Load Excludes" groupRelation="or">
+		<ImageLoad onmatch="exclude">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=XLL Office Application Startup removal" groupRelation="and">
+				<Image condition="contains">\Microsoft Office\</Image>
+				<ImageLoaded condition="end with">\mscorlib.ni.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=XLL Office Application Startup removal" groupRelation="and">
+				<Image condition="contains">\Microsoft Office\</Image>
+				<ImageLoaded condition="end with">\sppc.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=SVCHost Signed DLL" groupRelation="and">
+				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
+				<Signed condition="is">true</Signed>
+			</Rule>
+			<!--Universal Exclusions: Be Careful-->
+			<Rule name="Antivirus Exclusions" groupRelation="or"> 
+				<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab</Image> 
+				<Image condition="begin with">C:\Program Files\Kaspersky Lab</Image>
+				<Image condition="begin with">C:\Program Files (x86)\ESET</Image>
+				<Image condition="begin with">C:\Program Files\ESET</Image>
+				<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\</Image>
+			</Rule>
+			<Company condition="contains">Fortinet</Company>
+			<Company condition="contains">Lenovo</Company>
+			<Company condition="contains">Sophos</Company>
+			<Image condition="end with">mscorsvw.exe</Image>
+			<Image condition="image">C:\Program Files (x86)\Microsoft Office\root\Office15\officebackgroundtaskhandler.exe</Image>
+			<Image condition="image">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
+			<Image condition="image">C:\Program Files\Microsoft Office\root\Office15\officebackgroundtaskhandler.exe</Image>
+			<Image condition="image">C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
+			<Image condition="image">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
+			<Image condition="image">C:\Windows\System32\InstallAgentUserBroker.exe</Image>
+			<Image condition="image">C:\Windows\System32\RuntimeBroker.exe</Image>
+			<Image condition="image">C:\Windows\System32\SearchIndexer.exe</Image>
+			<Image condition="image">C:\Windows\System32\SettingSyncHost.exe</Image>
+			<Image condition="image">C:\Windows\System32\backgroundTaskHost.exe</Image>
+			<Image condition="image">C:\Windows\System32\sppsvc.exe</Image>
+			<Image condition="image">C:\Windows\System32\taskhost.exe</Image>
+			<Image condition="image">C:\Windows\System32\taskhostw.exe</Image>
+			<Image condition="image">C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe</Image>
+			<Image condition="image">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
+			<Image condition="image">HxTsr.exe</Image>
+			<Image condition="image">SearchUI.exe</Image>
+			<ImageLoaded condition="contains">C:\Program Files (x86)\Common Files\BIExcelFunctions1.1\32bit\Sage.</ImageLoaded>
+			<ImageLoaded condition="contains">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Pfx.</ImageLoaded>
+			<ImageLoaded condition="is">C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Adist64.dll</ImageLoaded>
+			<ImageLoaded condition="is">C:\Program Files (x86)\Microsoft Office\Office15\Library\Analysis\ANALYS32.XLL</ImageLoaded>
+			<ImageLoaded condition="is">C:\Program Files (x86)\Microsoft Office\Office16\Library\Analysis\ANALYS32.XLL</ImageLoaded>
+			<ImageLoaded condition="is">C:\Program Files\Microsoft Office\Office15\Library\Analysis\ANALYS32.XLL</ImageLoaded>
+			<ImageLoaded condition="is">C:\Program Files\Microsoft Office\Office16\Library\Analysis\ANALYS32.XLL</ImageLoaded>
+			<ImageLoaded condition="is">C:\Windows\SysWOW64\sppc.dll</ImageLoaded>
+			<ImageLoaded condition="end with">Microsoft.Office.Interop.VisOcx.dll</ImageLoaded>
+			<ImageLoaded condition="end with">Microsoft.Office.Interop.Word.dll</ImageLoaded>
+			<ImageLoaded condition="end with">Microsoft.Vbe.Interop.dll</ImageLoaded>
+			<ImageLoaded condition="end with">OFFICE.DLL</ImageLoaded>
+		</ImageLoad>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
+	<RuleGroup name="RG=CreateRemoteThread Include Group" groupRelation="or">
+		<CreateRemoteThread onmatch="include">
+			<!--Custom Rules-->
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Modification,Level=4,Alert=Credential Dumping from lsass,Risk=100" groupRelation="and">
+				<StartAddress condition="is">0x001A0000</StartAddress>
+				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privledge Escalation,DS=Process: Process Modification,Level=4,Alert=CreateRemoteThread with msiexec,Risk=100" groupRelation="and">
+				<SourceImage condition="contains any">msiexec.exe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=0,Desc=Remote Thread Injection Targetting Web Browser,Risk=70" groupRelation="and">
+				<TargetImage condition="contains any">chrome.exe;firefox.exe;edge.exe;browser_broker.exe;iexplore.exe;opera.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Process: Process Modification,Level=0,Desc=LSASS Credential dumping,Risk=70" groupRelation="and">
+				<StartAddress condition="is">0x001A0000</StartAddress>
+				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Process: Process Modification,Level=0,Desc=Rundll32 LSASS Credential dumping,Risk=70" groupRelation="and">
+				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
+				<SourceImage condition="image">c:\windows\system32\rundll32.exe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,DS=Process: Process Modification,Level=4,Alert=Remote Thread Process debugging detected,Risk=30" groupRelation="and">
+				<StartFunction condition="contains">DbgUiRemoteBreakin</StartFunction>
+				<TargetImage condition="excludes">nacl64.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,DS=Process: Process Modification,Level=0,Desc=Remote Query Debug info,Risk=30" groupRelation="and">
+				<StartFunction condition="contains">QueryProcessDebugInformationRemote</StartFunction>
+				<TargetImage condition="excludes">nacl64.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,Tactic=Defense Evasion,DS=Process: Process Modification,Level=0,Desc=Query Debug info 2,Risk=30" groupRelation="and">
+				<StartFunction condition="contains">isdebuggerpresent</StartFunction>
+				<TargetImage condition="excludes">nacl64.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1546.012,Technique=Process Debugging Detected,Tactic=Defense Evasion,DS=Process: Process Modification,Level=3,Alert=Process Debug of active Process,Risk=30" groupRelation="and">
+				<StartFunction condition="contains">DebugActiveProcess</StartFunction>
+				<TargetImage condition="excludes">nacl64.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1055.001,Technique=Process Injection: Dynamic-link Library Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=3,Alert=LoadLibrary DLL Injection,Risk=70" groupRelation="and">
+				<StartFunction condition="contains">LoadLibrary</StartFunction>
+				<SourceImage condition="excludes">C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe</SourceImage>
+				<SourceImage condition="excludes">C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe</SourceImage>
+				<SourceImage condition="excludes">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</SourceImage>
+				<SourceImage condition="excludes">C:\Windows\System32\DriverStore\FileRepository\</SourceImage>
+				<SourceImage condition="excludes">C:\Windows\System32\igfxEM.exe</SourceImage>
+				<SourceImage condition="excludes">C:\Windows\System32\igfxHK.exe</SourceImage>
+				<SourceImage condition="excludes">Enterprise\Common7\IDE\devenv.exe</SourceImage>
+				<TargetImage condition="excludes">C:\Program Files (x86)\ASUS\ROG Live Service\FileOperator.exe</TargetImage>
+				<SourceImage condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=0,Desc=CreateFileMapping,Risk=70" groupRelation="and">
+				<StartFunction condition="contains any">CreateFileMapping;MapViewOfFile</StartFunction>
+			</Rule>			
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=0,Desc=LdrLoadDll DLL Injection,Risk=70" groupRelation="and">
+				<StartFunction condition="contains any">LdrLoadDll</StartFunction>
+			</Rule>
+			<Rule name="Attack=T1106,Technique=Native API,Tactic=Execution,DS=Process: Process Modification,Level=0,Desc=Crypt API Usage" groupRelation="and">
+				<StartFunction condition="contains any">CryptAcquireContextA;CryptDecodeObjectEx;CryptImportPublicKeyInfo;CryptEncrypt;CryptGenKey;CryptDecrypt;CryptStringToBinary;CryptBinaryToString;CryptImportKey</StartFunction>
+			</Rule>
+			<Rule name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,DS=Process: Process Modification,Level=0,Desc=Clipboard Usage Detected" groupRelation="and">
+				<SourceImage condition="image">c:\windows\system32\csrss.exe</SourceImage>
+				<StartFunction condition="contains">CrtlRoutine</StartFunction>
+			</Rule>
+			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=4,Alert=Cobalt Strike Detected 1,Risk=100" condition="end with">0B80</StartAddress>
+			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=4,Alert=Cobalt Strike Detected 2,Risk=100" condition="end with">0C7C</StartAddress>
+			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=4,Alert=Cobalt Strike Detected 3,Risk=100" condition="end with">0C88</StartAddress>
+			<TargetImage name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=0,Desc=Remote Desktop injection,Risk=30" condition="image">c:\windows\system32\mstsc.exe</TargetImage>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Modification,Alert=Potentially Detect EtwEventWrite Tampering with remote threads" groupRelation="and">
+				<StartModule condition="is">C:\WINDOWS\SYSTEM32\ntdll.dll</StartModule>
+				<StartFunction condition="contains">EtwEventWrite</StartFunction>
+			</Rule>
+		</CreateRemoteThread>
+	</RuleGroup>
+	<RuleGroup name="RG=CreateRemoteThread Exclude Group" groupRelation="or">
+		<CreateRemoteThread onmatch="exclude">
+			<!--COMMENT: Exclude mostly-safe sources and log anything else.-->
+			<SourceImage condition="image">C:\Windows\SysWOW64\wbem\WmiPrvSE.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\system32\audiodg.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\system32\services.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\system32\svchost.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\system32\wininit.exe</SourceImage>
+			<SourceImage condition="image">C:\Windows\system32\winlogon.exe</SourceImage>
+		</CreateRemoteThread>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
+	<RuleGroup name="RG=RawAccessRead Include Group" groupRelation="or">
+		<RawAccessRead onmatch="include">
+		</RawAccessRead>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
+	<RuleGroup name="RG=ProcessAccess Include Group" groupRelation="or">
+		<ProcessAccess onmatch="include">
+			<!--Custom Rules-->
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Access,Level=0,Desc=CSShellExecute_ExecuteAssoc,Risk=30" groupRelation="and">
+				<CallTrace condition="contains">C:\Windows\System32\SHELL32.dll+9b5bd</CallTrace>
+				<TargetImage condition="excludes">\LocalBridge.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Access,Level=0,Desc=WSHellExec,Risk=50" groupRelation="and">
+				<CallTrace condition="contains any">C:\Windows\System32\wshom.ocx+c8a0;C:\Windows\System32\wshom.ocx+c39d</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Tactic=Execution,DS=Process: Process Access,Level=0,Desc=CWbemProviderGlueExecMethodAsync,Risk=50" groupRelation="and">
+				<CallTrace condition="contains">C:\Windows\SYSTEM32\framedynos.dll+2cb3e</CallTrace>
+				<TargetImage condition="excludes any">C:\Windows\system32\SgrmBroker.exe;C:\Windows\system32\SecurityHealthService.exe;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Windows\system32\services.exe;C:\Windows\system32\wininit.exe;C:\Windows\system32\sppsvc.exe;C:\Windows\System32\smss.exe;C:\Windows\system32\csrss.exe;C:\Windows\System32\svchost.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Tactic=Execution,DS=Process: Process Access,Level=0,Desc=ProviderExecMethod 1,Risk=60" groupRelation="and">
+				<CallTrace condition="contains">C:\Windows\SYSTEM32\framedynos.dll+2b496</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=MiniDumpWriteDump,Risk=50" groupRelation="and">
+				<CallTrace condition="contains">C:\Windows\SYSTEM32\dbgcore.DLL+6cfb</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=PssCaptureSnapShot,Risk=50" groupRelation="and">
+				<CallTrace condition="contains">C:\Windows\System32\KernelBase.dll+de67e</CallTrace>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Dotnet Debugging detected,Risk=30" groupRelation="and">
+				<CallTrace condition="contains">ntdll.dll+a0044</CallTrace>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Alert=DInvoke detected,Risk=100" groupRelation="and">
+				<CallTrace condition="contains any">clr.dll+6c23;clr.dll+6b38</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,DS=Process: Process Access,Level=0,Desc=Suspicious In-Memory Module Execution 1,Risk=30" groupRelation="and">
+				<CallTrace condition="contains all">C:\Windows\\SYSTEM32\ntdll.dll+;|C:\Windows\System32\KERNELBASE.dll+;|UNKNOWN(</CallTrace>
+				<CallTrace condition="end with">)</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,DS=Process: Process Access,Level=0,Desc=Suspicious In-Memory Module Execution 2,Risk=30" groupRelation="and">
+				<CallTrace condition="contains all">"UNKNOWN(;)|UNKNOWN(</CallTrace>
+				<CallTrace condition="end with">)</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,DS=Process: Process Access,Level=0,Desc=Suspicious In-Memory Module Execution 3,Risk=30" groupRelation="and">
+				<CallTrace condition="contains all">"UNKNOWN</CallTrace>
+				<GrantedAccess condition="contains any">0x1F0FFF;0x1F1FFF;0x143A;0x1410;0x1010;0x1F2FFF;0x1F3FFF;0x1FFFFF</GrantedAccess>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Access,Level=0,Desc=Office Macro Injection Detected,Risk=100" groupRelation="and">
+				<SourceImage condition="contains all">C:\Program Files;\Microsoft Office\Root\Office</SourceImage>
+				<CallTrace condition="contains">\Microsoft Shared\VBA</CallTrace>
+				<TargetImage condition="excludes">C:\Program Files (x86)\Intuit\</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS Credential Access,Risk=70" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<GrantedAccess>0x1FFFFF</GrantedAccess>
+				<CallTrace condition="contains">UNKNOWN</CallTrace>
+				<CallTrace condition="excludes">WmiPerfClass.dll</CallTrace>
+				<SourceImage condition="excludes any">C:\Windows\sysWOW64\wbem\wmiprvse.exe;C:\Windows\system32\wbem\wmiprvse.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe;WmiPerfClass.dll;C:\Program Files (x86)\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files (x86)\Common Files\Adobe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=Mimikatz through Windows Remote Management,Risk=100" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<SourceImage condition="image">C:\Windows\system32\wsmprovhost.exe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS process access by LaZagne,Risk=100" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<GrantedAccess>0x1FFFFF</GrantedAccess>
+				<CallTrace condition="contains all">python27.dll;_ctypes.pyd;KERNELBASE.dll;ntdll.dll</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS process access by Mimikatz,Risk=100" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<CallTrace condition="begin with">C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\system32\KERNELBASE.dll+8185</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS Cobalt Strike Monitor,Risk=70" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
+				<CallTrace condition="end with">)</CallTrace>
+				<CallTrace condition="contains all">|C:\WINDOWS\System32\KERNELBASE.dll+;|UNKNOWN(</CallTrace>
+				<CallTrace condition="excludes any">wow64.dll;)|C;Exchange.Diagnostics;Microsoft.Exchange</CallTrace>
+				<SourceImage condition="excludes any">C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe;c:\windows\system32\inetsrv\w3wp.exe;MSExchangeHMHost.exe;C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Rubeus Mimikatz Like Detection,Risk=70" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\winlogon.exe</TargetImage>
+				<GrantedAccess>0x1F3FFF</GrantedAccess>
+				<CallTrace condition="contains any">C:\Windows\Microsoft.NET;UNKNOWN</CallTrace>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Suspicious Process Accessing Sysmon,Risk=50" groupRelation="and">
+				<SourceImage condition="end with">.exe</SourceImage>
+				<TargetImage condition="contains any">C:\Windows\sysmon64.exe;C:\Windows\sysmon64.exe</TargetImage>
+				<GrantedAccess>0x1C00</GrantedAccess>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS Access,Risk=20" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<GrantedAccess>0x1F1FFF</GrantedAccess>
+				<CallTrace condition="contains">UNKNOWN</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS Access 2,Risk=20" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<GrantedAccess>0x1010</GrantedAccess>
+				<CallTrace condition="contains">UNKNOWN</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS Access 3,Risk=20" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<GrantedAccess>0x143A</GrantedAccess>
+				<CallTrace condition="contains">UNKNOWN</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=LSASS Memory Dump,Risk=100" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<GrantedAccess>0x1fffff</GrantedAccess>
+				<CallTrace condition="contains any">dbghelp.dll;dbgcore.dll</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=Process access with dbghelp,Risk=30" groupRelation="and">
+				<CallTrace condition="contains any">dbghelp.dll;dbgcore.dll</CallTrace>
+				<TargetImage condition="excludes">C:\Windows\system32\lsass.exe</TargetImage>
+				<SourceImage condition="excludes">C:\wfx32\</SourceImage>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Powershell accessing another process memory" groupRelation="and">
+				<SourceImage condition="image">powershell.exe</SourceImage>
+				<TargetImage condition="excludes any">C:\Programdata\sysmon\sysmon64.exe;C:\Programdata\sysmon\sysmon.exe;C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe;\dismhost.exe</TargetImage>
+				<CallTrace condition="excludes all">C:\WINDOWS\SYSTEM32\ntdll.dll+;|C:\WINDOWS\System32\KERNELBASE.dll+;|C:\ProgramData\Microsoft\Windows Defender\Platform\;\MPCLIENT.DLL;\MpOav.dll+;|C:\WINDOWS\SYSTEM32\amsi.dll</CallTrace>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Potential Keylogger detected,Risk=100" groupRelation="and">
+				<CallTrace condition="contains">getasynckeystate</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Access,Level=0,Desc=CMSTP UAC Bypass" groupRelation="and">
+				<CallTrace condition="contains">cmlua.dll</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1086,Technique=PowerShell,Tactic=Execution,DS=Process: Process Access,Level=3,Alert=Powershell without Powershell,Risk=30" groupRelation="and">
+				<CallTrace condition="contains">System.Management.Automation</CallTrace>
+				<CallTrace condition="excludes">C:\ProgramData\Microsoft\Windows Defender\platform\</CallTrace>
+				<CallTrace condition="excludes">ctiuser.dll</CallTrace>
+				<SourceImage condition="is not">C:\Program Files\Citrix\ConfigSync\ConfigSyncRun.exe</SourceImage>
+				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V14\bin\ExSetupUI.exe</SourceImage>
+				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetupUI.exe</SourceImage>
+				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V16\bin\ExSetupUI.exe</SourceImage>
+				<SourceImage condition="is not">C:\Windows\SysWOW64\sdiagnhost.exe</SourceImage>
+				<SourceImage condition="is not">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</SourceImage>
+				<SourceImage condition="is not">C:\Windows\Temp\ExchangeSetup\ExSetupUI.exe</SourceImage>
+				<SourceImage condition="is not">C:\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe</SourceImage>
+				<TargetImage condition="is not">C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe</TargetImage>
+				<TargetImage condition="is not">C:\Windows\system32\HOSTNAME.EXE</TargetImage>
+				<TargetImage condition="is not">C:\Windows\system32\ROUTE.exe</TargetImage>
+				<TargetImage condition="is not">C:\Windows\system32\query.exe</TargetImage>
+				<TargetImage condition="is not">MsMpEng.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=3,Alert=Kaodic credential access detected,Risk=100" groupRelation="and">
+				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
+				<CallTrace condition="contains">comsvcs.dll</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Access,Level=3,Alert=Office Macro Execution VBE7,Risk=80" groupRelation="and">
+				<CallTrace condition="contains any">VBE7.dll;VBEUI.DLL;VBE7INTL.DLL</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Access,Level=3,Alert=Office Macro Execution VBE6,Risk=80" groupRelation="and">
+				<CallTrace condition="contains any">VBE6.dll;VBEUI.DLL;VBE6INTL.DLL</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Access,Level=3,Alert=verclsid Office Execution,Risk=80" groupRelation="and">
+				<SourceImage condition="contains">Office</SourceImage>
+				<TargetImage condition="contains">verclsid.exe</TargetImage>
+				<CallTrace condition="contains any">VBE7.dll;VBEUI.DLL;VBE7INTL.DLL</CallTrace>
+				<CallTrace condition="contains any">|UNKNOWN(</CallTrace>
+				<GrantedAccess condition="contains">0x1FFFFF</GrantedAccess>
+			</Rule>
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Access,Level=0,Desc=CreateProcessW,Risk=70" groupRelation="and">
+				<SourceImage condition="contains">C:\Program Files\Microsoft Office\Root\Office</SourceImage>
+				<CallTrace condition="contains">C:\Windows\System32\KERNELBASE.dll+76516</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Access,Level=0,Desc=CSShellExecute_DoExecute,Risk=30" groupRelation="and">
+				<CallTrace condition="contains" >C:\Windows\System32\SHELL32.dll+ae3b9</CallTrace>
+				<TargetImage condition="excludes">C:\WINDOWS\system32\sihost.exe</TargetImage>
+				<TargetImage condition="excludes">C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub</TargetImage>
+			</Rule>
+			<CallTrace name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
+				<CallTrace condition="contains">|UNKNOWN(</CallTrace>
+				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
+				<CallTrace condition="contains">|C:\WINDOWS\System32\KERNELBASE.dll+</CallTrace>
+				<CallTrace condition="end with">)</CallTrace>
+				<GrantedAccess condition="contains any">0x1028;0x1fffff</GrantedAccess>
+				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git;\Intel\Driver and Support Assistant\DSAService.exe</SourceImage>
+				<SourceImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\NGenTask.exe</SourceImage>
+				<TargetImage condition="excludes any">\Intel\Driver and Support Assistant\</TargetImage>
+				<TargetImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\ngen.exe</TargetImage>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
+				<SourceImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</SourceImage>
+				<CallTrace condition="contains all">:\Windows\Microsoft.NET\Framework64\v2.;UNKNOWN</CallTrace>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=4,Alert=Potential Metasploit Process Migration" groupRelation="and">
+				<CallTrace condition="contains">UNKNOWN</CallTrace>
+				<GrantedAccess condition="contains">0x147a</GrantedAccess>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Process: Process Access,Level=4,Alert=SysmonEnte Detection,DS=Process: Process Access,Level=4,Risk=100" groupRelation="and">
+				<TargetImage condition="contains any">C:\Windows\Sysmon64.exe;C:\Windows\Sysmon.exe</TargetImage>
+				<SourceImage condition="is not">C:\WINDOWS\system32\wbem\wmiprvse.exe</SourceImage>
+				<SourceImage condition="is not">C:\Program Files (x86)\ASUS\Update\AsusUpdate.exe</SourceImage>
+				<SourceImage condition="is not">C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe</SourceImage>
+				<SourceImage condition="excludes any">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe;C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe;C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</SourceImage>
+				<GrantedAccess condition="contains">0x1400</GrantedAccess>
+			</Rule>
+			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE: possible memory injection -->
+			<GrantedAccess name="Attack=T1093,Technique=Process Hollowing,Tactic=Defense Evasion,DS=Process: Process Access,Level=4,Alert=Process Hollowing Detected,Risk=100">0x0800</GrantedAccess>
+			<!-- PROCESS_SUSPEND_RESUME -->
+			<GrantedAccess name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator">0x0810</GrantedAccess>
+			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
+			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Access,Level=0,Desc=Possible Memory Dump,Risk=70">0x0820</GrantedAccess>
+			<!-- PROCESS_SUSPEND_RESUME -->
+			<GrantedAccess name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=70">0x810</GrantedAccess>
+			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
+			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Modification,Risk=70">0x820</GrantedAccess>
+			<SourceImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=CScript accessing another process memory,Risk=30" condition="end with">cscript.exe</SourceImage>
+			<SourceImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=WScript accessing another process memory,Risk=30" condition="end with">wscript.exe</SourceImage>
+			<SourceImage condition="end with">jjs.exe</SourceImage>
+			<CallTrace name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">dump</CallTrace>
+			<CallTrace name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">mimikatz</CallTrace>
+			<CallTrace name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=ProcessAccess with CorperfmontExt.dll,Risk=70" condition="contains">CorperfmontExt.dll</CallTrace>
+		</ProcessAccess>
+	</RuleGroup>
+	<RuleGroup name="RG=ProcessAccess Exclude Group" groupRelation="or">
+		<ProcessAccess onmatch="exclude">
+			<Rule name="wmi accessing lsass" groupRelation="and">
+				<SourceImage condition="image">wmiprvse.exe</SourceImage>
+				<TargetImage condition="image">lsass.exe</TargetImage>
+			</Rule>
+			<Rule name="lsass accessing winlogon" groupRelation="and">
+				<SourceImage condition="image">lsass.exe</SourceImage>
+				<TargetImage condition="image">winlogon.exe</TargetImage>
+			</Rule>
+			<!-- These binaries appear to access lsass legitimately -->
+			<Rule name="legitimate lsass access" groupRelation="and">
+				<TargetImage condition="image">lsass.exe</TargetImage>
+				<SourceImage condition="excludes any">C:\Windows\system32\w32tm.exe;C:\Windows\System32\ping.exe;C:\Windows\System32\net.exe;C:\Windows\System32\net1.exe;C:\Windows\SYSTEM32\HOSTNAME.EXE;C:\Programdata\sysmon\sysmon.exe;C:\Programdata\sysmon\sysmon64.exe;C:\Program Files\Windows Defender\MsMpEng.exe;C:\Program Files (x86)\BeAnywhere Support Express\;C:\Program Files (x86)\CheckPoint\;C:\Program Files (x86)\Common Files\Intuit\QuickBooks\;C:\Program Files (x86)\Fortinet\;C:\Program Files (x86)\Trend Micro\;C:\Program Files\Adobe\Adobe Creative Cloud Experience\;C:\Program Files\CheckPoint\;C:\Program Files\Fortinet\;C:\Program Files\Realtek;C:\Program Files\Trend Micro\;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Program Files (x86)\Lenovo\;snmpd.exe;taskmgr;:\Windows\System32\smss.exe;:\Windows\system32\wininit.exe;\Bin\FMS.exe; <!-- Exchange Process -->\EMET_GUI.exe;\EMET_Service.exe;\Google\Update\GoogleUpdate.exe;\RAAGTAPP.EXE;\controls\cef\ConnectWise.exe;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe;C:\Program Files\Hewlett-Packard\AMS\service\hpqams.exe;C:\Program Files\Intel\SUR\WILLAMETTE\ESRV\esrv_svc.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files\Windows Defender\MsMpEng.exe;C:\WINDOWS\system32\WerFault.exe;C:\WINDOWS\system32\taskkill.exe;C:\Windows\SysWOW64\WerFault.exe;C:\Windows\System32\snmp.exe;C:\Windows\system32\msiexec.exe;C:\Windows\system32\spoolsv.exe;C:\Windows\system32\svchost.exe</SourceImage>
+			</Rule>
+			<!-- These binaries get or access processes running .NET -->
+			<SourceImage condition="end with">:\Windows\system32\sppsvc.exe</SourceImage>
+			<SourceImage condition="end with">:\Windows\system32\sdiagnhost.exe</SourceImage>
+			<!-- In testing a common false-positive is memory space that DLLS would be expected to mapped to. -->
+			<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Direct System Call Events" groupRelation="and">
+				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\ntdll.dll</CallTrace>  
+				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\win32u.dll</CallTrace>
+				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\wow64win.dll</CallTrace>
+			</Rule>
+			<Rule name="Antivirus Exclusions" groupRelation="or"> 
+				<SourceImage condition="begin with">C:\Program Files (x86)\Kaspersky Lab</SourceImage> 
+				<SourceImage condition="begin with">C:\Program Files\Kaspersky Lab</SourceImage>
+				<SourceImage condition="begin with">C:\Program Files (x86)\ESET</SourceImage>
+				<SourceImage condition="begin with">C:\Program Files\ESET</SourceImage>
+				<SourceImage condition="begin with">C:\ProgramData\Microsoft\Windows Defender\</SourceImage>
+			</Rule>
+		</ProcessAccess>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
+		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
+	<RuleGroup name="RG=FileCreate Include Group" groupRelation="or">
+		<FileCreate onmatch="include">
+			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
+			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
+			<TargetFilename name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=File: File Creation,Level=4,Alert=Nessus Temp Files Created,Risk=100" condition="contains">\TEMP\nessus_</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
+
+			<!--MITRE ATT&CK TACTIC: Resource Development-->
+			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
+
+			<!--MITRE ATT&CK TACTIC: Initial Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Creation,Level=4,Alert=Solarwinds sunburst suspicious file writes,Risk=100" groupRelation="and">
+				<Image condition="contains any">solarwinds.businesslayerhost</Image>
+				<TargetFilename condition="contains any">.exe;.dll;.ps1;.mz;.jpg;.png</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Creation,Level=4,Alert=Solarwinds sunburst malware dll,Risk=100" groupRelation="and">
+				<TargetFilename condition="is">C:\WINDOWS\SysWOW64\netsetupsvc.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Creation,Level=4,Alert=Dark Halo Software location,Risk=100" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\SoftwareDistribution</TargetFilename>
+				<TargetFilename condition="is not">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe</TargetFilename>
+				<TargetFilename condition="end with">.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Creation,Level=0,Desc=MSBuild Source Files created" groupRelation="or">
+				<TargetFilename condition="end with">proj</TargetFilename>
+				<TargetFilename condition="end with">.targets</TargetFilename>
+				<TargetFilename condition="end with">.build</TargetFilename>
+				<TargetFilename condition="end with">.props</TargetFilename>
+				<TargetFilename condition="end with">.tasks</TargetFilename>
+				<TargetFilename condition="end with">.sln</TargetFilename>
+				<TargetFilename condition="end with">.cs</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
+			
+			<!--MITRE ATT&CK TACTIC: Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch File scripting: Batch scripts" condition="end with">.bat</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch scripting: Legacy btm Extension" condition="end with">.btm</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch scripting: Legacy cmd Extension" condition="end with">.cmd</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch scripting: Legacy com Extension" condition="end with">.com</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=CMDLine File Created" condition="end with">.cmdline</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch File Created" condition="end with">.bas</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=BIN file created" condition="end with">.bin</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WS Scripting" condition="end with">.ws</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WSC Scripting" condition="end with">.wsc</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WSF Scripting" condition="end with">.wsf</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WSH Scripting" condition="end with">.wsh</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=PIF Scripting" condition="end with">.pif</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: MSHTA-->
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=MSHTA Scripting" condition="end with">.hta</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
+			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=IronPython,Risk=90" condition="contains">IronPython</TargetFilename>
+			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Python" condition="end with">.py</TargetFilename>
+			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Python" condition="end with">.pyc</TargetFilename>
+			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Python" condition="end with">.pyd</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Desc=Powershell file types,Risk=100" groupRelation="or">
+				<TargetFilename condition="end with">.cdxml</TargetFilename>
+				<TargetFilename condition="end with">.ps1</TargetFilename>
+				<TargetFilename condition="end with">.ps1xml</TargetFilename>
+				<TargetFilename condition="end with">.psc1</TargetFilename>
+				<TargetFilename condition="end with">.psd1</TargetFilename>
+				<TargetFilename condition="end with">.psm1</TargetFilename>
+				<TargetFilename condition="end with">.pssc</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Desc=Powershell Creating Files,Risk=10" groupRelation="and">
+				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
+				<TargetFilename condition="excludes">\Recent\CustomDestinations\</TargetFilename>
+			</Rule>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Powershell directory modifications" condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Powershell directory modifications" condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Persistence: PowerShell default profile" condition="begin with">c:\Windows\System32\WindowsPowerShell\v1.0\profile</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Persistence: PowerShell default profile" condition="begin with">c:\Windows\Syswow64\WindowsPowerShell\v1.0\profile</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\powershell.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Powershell Console History" condition="end with">PSReadLine\ConsoleHost_history.txt</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=vbs script created" condition="end with">.vbs</TargetFilename>
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Java JRE Timestamp usage for DFIR" condition="contains">.oracle_jre_usage\</TargetFilename>
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=JavaScript" condition="end with">.js</TargetFilename>
+			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=JavaScript" condition="end with">.jse</TargetFilename>
+			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,DS=File: File Creation,Level=0,Desc=VisualBasicScripting" condition="end with">.vb</TargetFilename>
+			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,DS=File: File Creation,Level=0,Desc=VisualBasicScripting" condition="end with">.vbe</TargetFilename>
+			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,DS=File: File Creation,Level=0,Desc=VisualBasicScripting" condition="end with">.vbsript</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=File: File Creation,Level=0,Desc=CVE-2019-1315,Risk=70" groupRelation="and">
+				<TargetFilename condition="end with">Report.wer.tmp</TargetFilename>
+				<TargetFilename condition="excludes">\WER\</TargetFilename>
+				<Image condition="image">C:\Windows\system32\wermgr.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Office App Creating Exe File,Risk=70" groupRelation="and">
+				<Image condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe</Image>
+				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="begin with">C:\Users</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Office App Creating DLL File,Risk=70" groupRelation="and">
+				<Image condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe</Image>
+				<TargetFilename condition="end with">.dll</TargetFilename>
+				<TargetFilename condition="begin with">C:\Users</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
+			<!--MITRE ATT&CK TECHNIQUE: Native API-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: System Services-->
+			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: User Execution: Malicious File-->
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Generic Ransomware Detection" groupRelation="and">
+				<TargetFilename condition="contains any">!!!-WARNING-!!!.html;!!!-WARNING-!!!.txt;!!! HOW TO DECRYPT FILES !!!;!!!README!!!;!!!READ_TO_UNLOCK!!!.TXT;!!!_READ_ME_;!Recovery_;!Where_are_my_files!.html;!_HOW_TO_RESTORE_;!_RECOVERY_HELP_!.txt;!recover!;# DECRYPT MY FILES #.html;# DECRYPT MY FILES #.txt;# DECRYPT MY FILES #.vbs;# SATAN CRYPTOR #;+recover+;.8lock8;.31392E30362E32303136_;.ABCDEF;.CIop;.CR1;.CRAB;.CRYPTOSHIELD;.Cl0p;.Contact_Here_To_Recover_Your_Files.txt;.CryptoTorLocker2015!;.HERMES;.HakunaMatata;.How_To_Decrypt.txt;.How_To_Get_Back.txt;.KEYZ.KEYH0LES;.L0CKED;.LOL!;.MATRIX;.OMG!;.R.i.P;.RMCM1;.RSplited;.SUPERCRYPT;.SecureCrypted;.TheTrumpLocker;.VBRANSOM;.VforVendetta;.Where_my_files.txt;.XBTL;._AiraCropEncrypted!;.airacropencrypted!;.areyoulovemyrans;.berkshire;.bitpy;.bitx;.blocatto;.bomber;.braincrypt;.breakingbad;.breeding123;.cerber;.cifgksaffsfyghd;.country82000;.crypt;.crypted;.crypton;.cryptotorlocker;.decrypt2017;.deria;.dglnl;.disposed2017;.doomed;.encrypted.locked;.encrypted;.encryptedyourfiles;.enjey;.evillock;.filegofprencrp;.fileiscryptedhard;.firecrypt;.fuckyourdata;.gangbang;.gefickt;.googl;.happydayzz;.hceem;.helpdecrypt;.helpmeencedfiles;.hnumkhotep;.hydracrypt_ID;.iaufkakfhsaraf;.info.txt;.jimm;.kharma;.killedXXX;.lambda_l0cked;.letmetrydecfiles;.locked;.locker16;.loveransisgood;.lovewindows;.magic_software_syndicate;.mention9823;.moments2900;.myrandsext2017;.newlock;.no_more_ransom;.nochance;.noproblemwedecfiles;.notfoundrans;.ohwqg;.one-we_can-help_you;.oops;.osiris;.otherinformation;.paytounlock;.powerfulldecrypt;.powned;.pr0lock;.prolock;.prosperous666;.pwnd;.ransom;.readme2unlock;.righ;.roger;.ryk;.satan;.savethequeen;.sigaint.org;.skjdthghh;.skynet;.snatch;.stubbin;.supported2017;.suppose666;.theworldisyours;.txd0t;.warn_wallet;.weapologize;.weareyourfriends;.weencedufiles;.wowreadfordecryp;.wowwhereismyfiles;.wvtr0;.yourransom;.zzzzz ;.{CRYPTENDBLACKDC};-DECRYPT.txt;000-IF-YOU-WANT-DEC-FILES;000-No-PROBLEM-WE-DEC-FILES;000-PLEASE-READ-WE-HELP;001-READ-FOR-DECRYPT-FILES;1025-7152.exe;:\windows\update_collector.exe;=READ=THIS=PLEASE=;@cock.li;@countermail.com;@firemail.cc;@india.com;@mail.ru;@ukr.net;ASSISTANCE_IN_RECOVERY;ATTENTION!!!.txt;ATTENTION.url;Aescrypt.exe;AllFilesAreLocked;BTC_DECRYPT_FILES;BUYUNLOCKCODE.txt;BUYUNLOCKCODE;BitCryptorFileList.txt;C:\ProgramData\dtb.dat;C:\Programdata\WinMgr;C:\Programdata\clean.bat;C:\Programdata\run.bat;C:\Windows\svchost.exe;CEBER3;CHECK-IT-HELP-FILES;COME_RIPRISTINARE_I_FILE.;COMO_ABRIR_ARQUIVOS.txt;COMO_RESTAURAR_ARCHIVOS;Coin.Locker.txt;Comment débloquer mes fichiers.txt;Como descriptografar seus arquivos.txt;Corona-virus-Map;Corona.bat;Corona.sfx;CryptoRansomware;Crytp0l0cker;Cyber SpLiTTer Vbs.exe;Cyborg_DECRYPT;DALE_FILES.TXT;DECRYPT-FILES;DECRYPTION INSTRUCTIONS.;DECRYPTION_HOWTO.Notepad;DECRYPT_INFORMATION;DECRYPT_INSTRUCTION.HTML;DECRYPT_INSTRUCTION.URL;DECRYPT_INSTRUCTIONS.html;DECRYPT_INSTRUCTIONS;DECRYPT_ReadMe1.TXT;DECRYPT_Readme.TXT.ReadMe;DECRYPT_YOUR_FILES;DESIFROVANI_POKYNY.html;Decrypt All Files;DecryptAllFiles;DecryptFile;Decrypt_readme.txt;DesktopOsiris;ENTSCHLUSSELN_HINWEISE.html;EdgeLocker;FILESAREGONE.txt;FILES_BACK.txt;File Decrypt Help.html;GJENOPPRETTING_AV_FILER;GetYouFiles.txt;HAPPEN-ENCED-FILES;HELLOTHERE.TXT;HELP-ME-ENCED-FILES;HELPDECRYPT_YOUR_FILES.HTML;HELP_DECRYPT.HTML;HELP_DECRYPT.PNG;HELP_DECRYPT.URL;HELP_DECRYPT.lnk;HELP_ME_PLEASE.txt;HELP_RESTORE_FILES_;HELP_TO_SAVE_FILES.bmp;HELP_TO_SAVE_FILES;HELP_YOURFILES.HTML;HELP_YOUR_FILES.PNG;HELP_YOUR_FILES.html;HELP_YOUR_FILES;HOW-TO-DECRYPT-FILES.HTML;HOW-TO-RESTORE-FILES;HOW TO BACK YOUR FILES;HOW TO DECRYPT FILES.HTML;HOW TO DECRYPT FILES.txt;HOW TO RECOVER;HOWTO_RECOVER_FILES_;HOWTO_RESTORE_FILES;HOWTO_RESTORE_FILES_;HOW_DECRYPT.HTML;HOW_DECRYPT.TXT;HOW_DECRYPT.URL;HOW_OPEN_FILES;HOW_TO_DECRYPT.HTML;HOW_TO_DECRYPT_;HOW_TO_PAY_THE_RANSOM;HOW_TO_RESTORE_FILES.html;HOW_TO_RESTORE_FILES;HOW_TO_RESTORE_YOUR_DATA;HOW_TO_UNLOCK_FILES_README_;HWID Lock.exe;Hacked_Read_me_to_decrypt_files.html;Help Decrypt.html;How decrypt files.hta;How to decrypt LeChiffre files.html;How to decrypt your data.txt;HowDecrypt.gif;HowDecrypt.txt;How_to_decrypt_your_files.jpg;How_to_restore_files.hta;HowtoRestore_File;HowtoRestore_Files;Howto_RESTORE_FILES.html;Howto_Restore_FILES.TXT;IAMREADYTOPAY.TXT;IF-YOU-WANT-DEC-FILES;IF_WANT_FILES_BACK_PLS_READ.html;IHAVEYOURSECRET.KEY;IMPORTANT READ ME.txt;IMPORTANT.README;INSTALL_TOR.URL;INSTRUCCIONES;INSTRUCCIONES_DESCIFRADO.html;INSTRUCTION RESTORE FILE;INSTRUCTIONS_DE_DECRYPTAGE.html;INSTUCCIONES_DESCRIFRADO;ISTRUZIONI_DECRITTAZIONE.html;Important!.txt;Instructionaga.txt;KryptoLocker_README.txt;LEER_INMEDIATAMENTE;LET-ME-TRY-DEC-FILES;Locked-by-Mafia;MENSAGEM.txt;MERRY_I_LOVE_YOU_BRUCE.hta;No-PROBLEM-WE-DEC-FILES;OKSOWATHAPPENDTOYOURFILES.TXT;ONTSLEUTELINGS_INSTRUCTIES.html;OSIRIS-;PAYLOADBIN;PINGY@INDIA.COM;PLEASE-READ-WE-HELP.;PLEASE-READIT-IF_YOU-WANT.html;PLEASE-READIT-IF_YOU-WANT;PLEASE-README-AFFECTED-FILES;PLS-DEC-MY-FILES;PURELOCKER;Payment_Instructions.jpg;Please Read Me!!!;READ-FOR-DECCCC-FILESSS;READ-FOR-DECRYPT-FILES;READ-READ-READ;READ IF YOU WANT YOUR FILES BACK.html;READ ME FOR DECRYPT.txt;README HOW TO DECRYPT YOUR FILES.HTML;README!!!;README_DECRYPT_HYDRA_ID_;README_DECRYPT_HYRDA_ID_;README_DECRYPT_UMBRE_ID_;README_DONT_DELETE;README_HOW_TO_UNLOCK.HTML;README_HOW_TO_UNLOCK.TXT;README_RECOVER_FILES_;README_TO_RECURE_YOUR_FILES;READTHISNOW!!!.txt;READ_IT.txt;READ_ME_!.txt;READ_ME_TO_DECRYPT_YOU_INFORMA;READ_THIS_TO_DECRYPT.html;RECOVER-FILES;RECOVERY_FILE.;RECOVERY_FILES.TXT;RECOVER_MY_FILE;RESTORE_CORUPTED_FILES;RESTORE_FILES_;RETURN FILES.txt;RETURN YOUR FILES;RETURNFILES_.txt;RETURN_FILES.txt;RETURN_FILES_.txt;Rans0m_N0te_Read_ME;Read Me (How Decrypt) !!!!.txt;ReadDecryptFilesHere;Read_this_file.txt;Receipt.exe;RecoveryManual.html;Recovery_File_;Recovery_file_;Rooster865qq;SECRET.KEY;SECRETIDHERE.KEY;SHTODELATVAM.txt;SIFRE_COZME_TALIMATI.html;SORRY-FOR-FILES;Survey Locker.exe;TRY-READ-ME-TO-DEC;Temp\satan\satan;ThxForYurTyme;UNLOCK_FILES_INSTRUCTIONS.html;UNLOCK_FILES_INSTRUCTIONS.txt;UnblockFiles.vbs;VIP72.exe;Vape Launcher.exe;WANT_FILES_BACK;WE-MUST-DEC-FILES;WHERE-YOUR-FILES;WORMKILLER@INDIA.COM.XTBL;What happen to my files.txt;Whereisyourfiles;WindowsApplication1.exe;YOUGOTHACKED.TXT;YOUR_FILES.txt;YOUR_FILES.url;YOUR_FILES_ARE_DEAD;YOUR_FILES_ARE_ENCRYPTED.HTML;YOUR_FILES_ARE_ENCRYPTED.TXT;YOUR_FILES_ARE_LOCKED.txt;Your files are locked !!!!.txt;Your files are locked !!!.txt;Your files are locked !!.txt;Your files are locked !.txt;Your files encrypted by our friends !!! txt;Your files encrypted by our friends !!!.txt;[KASISKI];_Adatok_visszaallitasahoz_utasitasok;_DECRYPT_ASSISTANCE_;_DECRYPT_INFO_;_DECRYPT_INFO_szesnl;_DEC_FILES.;_FILES_WERE_ENCRYPTED_@.TXT;_HELP_HELP_HELP_;_HELP_Recover_Files_;_HELP_instructions.bmp;_HELP_instructions.txt;_HOWDO_text.bmp;_HOWDO_text.html;_HOW_TO_Decrypt;_H_e_l_p_RECOVER_INSTRUCTIONS+;_H_e_l_p_RECOVER_INSTRUCTIONS;_Locky_recover;_Locky_recover_instructions.bmp;_Locky_recover_instructions.txt;_README.hta;_README.jpg;_READ_ME!;_RECOVER_INSTRUCTIONS;_ReCoVeRy_+;_USE_TO_FIX_;_WHAT_is.html;_help_instruct;_how_recover.txt;_how_recover;_how_recover_;_recover_;_secret_code.txt;_steaveiwalker@india.com_;aeroware;confirmation.key;contains(to_string($message.file_created), "howrecover+;crjoker.html;cryptinfo.txt;cryptolocker.;cryptopp;de_crypt_readme.;de_crypt_readme.bmp;de_crypt_readme.html;de_crypt_readme.txt;decipher_ne;decrypt-instruct;decrypt explanations.;decrypt my file;decrypt your file;decrypt_Globe;decrypt_instruct;decrypted_files.dat;decryptional;decryptmyfiles;decypt_your_files.html;default32643264.bmp;default432643264.jpg;email-salazar_slytherin10;enc_files.txt;encryptor_raas_readme_liesmich;enigma.hta;enigma_encr.txt;exit.hhr.obleep;fattura_;file0locked;files_are_encrypted.;-filesencrypted;firemail.cc;firstransomware.exe;gmx.de;hacks.at.sigaint.org;help-file-decrypt.enc;help_decrypt;help_file_;help_instructions.;help_my_files;help_recover;help_recover_instructions;help_restore;help_restore_files;help_your_file;helpmeencedfiles;how to decrypt aes files.lnk;how to decrypt;how to get data.txt;how_decrypt.gif;how_recover;how_to_decrypt;how_to_recover;howrecover+ recoveryfile_;howrecover+;howto_recover_file;howto_restore;howtodecrypt;howtodecryptaesfiles.txt;inbox.ru;info@kraken.cc_worldcza@email.cz;install_tor;iran.ir;last_chance.txt;maestro@pizzacrypts.info;maxcrypt.bmp;only-we_can-help_you;openforyou@india.com;opensourcemail.org;padcrypt;paycrypt.bmp;popcorn_time.exe;powerfulldecrypt;protonmail.ch;qbmail.biz;randomname;readme_decrypt;readme_for_decrypt;readme_liesmich_encryptor_raas;recover_file;recover_file_;recover_instruction;recoverfile;recoverfile_;recovery+;recovery_file.txt;recovery_key.txt;recoveryfile;recover}-;restore_files.txt;restorefiles;restorefiles_;ryukreadme.html;tuta.io;tutanota.com;tutanota.de;unCrypte;vault.hta;vault.key;vault.txt;want your files back.;warning-!!;wie_zum_Wiederherstellen_von_Dateien.txt;wowreadfordecryp;wowwhereismyfiles;zXz.html;zycrypt.;zzzzzzzzzzzzzzzzzyyy</TargetFilename>
+				<TargetFilename condition="excludes all">C:\Users\;\Google\Chrome Beta\User Data\;\IndexedDB\</TargetFilename>
+				<TargetFilename condition="excludes any">C:\Program Files\WindowsApps\Microsoft.YourPhone_;C:\Program Files\dotnet\shared\Microsoft.NETCore.App\;\Microsoft.NET\assembly\GAC_MSIL</TargetFilename>
+			</Rule>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="contains">crackmapexec</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._AES.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._DES.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Hash._SHA256.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Random.OSRNG.winrandom.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Util.strxor.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\crackmapexec.exe.manifest</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\greenlet.pyd</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=KeeFarce.exe default injected DLL name,Risk=100" condition="end with">BootStrapDLL.dll</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=MegaCortex Ransomware,Risk=100" condition="begin with">C:\windows\temp\wininit.exe</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Mimikatz Files" condition="contains any">lazycat;powerkatz;mimikatz;mimidrv;mimilove;mimilib;mimikittenz;mimiauth;invoke-mimi</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=RDP Wrapper,Risk=100" condition="end with">rdpwrap.dll</TargetFilename>
+			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=winspool.drv dropped" condition="end with">winspool.drv</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
+			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=File: File Creation" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
+			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=File: File Creation" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
+			<Image name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=File: File Creation" condition="begin with">C:\WINDOWS\system32\wbem\scrcons.exe</Image>
+			<!--MITRE ATT&CK TACTIC: Persistence-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<TargetFilename name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Autorun Folder Entries" condition="contains">\Programs\Startup\</TargetFilename>
+			<TargetFilename name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Autorun Folder Entries" condition="contains">\Startup\</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
+			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Office Application Startup modification" condition="contains">\Word\STARTUP\</TargetFilename>
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Office Application Startup modification" condition="contains">\Microsoft\Templates\</TargetFilename>
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Office Application Startup modification" condition="contains">\Excel\XLSTART\</TargetFilename>
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation" condition="end with">.dotm</TargetFilename>
+			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation" condition="end with">.XLSB</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Scheduled Task Modified" condition="begin with">C:\Windows\Tasks\</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Exchange 0day from September 2022 overwriting legit file,Risk=80" groupRelation="and">
+				<TargetFilename condition="end with">RedirSuiteServiceProxy.aspx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Web Shells Dropped 1,Risk=80" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.aspx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Web Shells Dropped 2,Risk=80" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.asp</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Web Shells Dropped 3,Risk=80" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.ashx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Alert=Web Shells Dropped 4,Risk=80" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.php</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Alert=Web Shells Dropped 5,Risk=80" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.aaa</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Web Shells Dropped 6,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains any">\wwwroot\aspnet_client\;\FrontEnd\HttpProxy\owa\auth</TargetFilename>
+				<TargetFilename condition="contains any">.aspx;.php;.ashx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1190,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=IIS Dropping Ps1 file,Risk=100" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.ps1</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=File: File Creation,Level=3,Alert=IIS Dropping Bat file,Risk=100" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.bat</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=File: File Creation,Level=3,Alert=IIS Dropping DLL file,Risk=100" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=File: File Creation,Level=3,Alert=IIS Dropping VBS file,Risk=100" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.vbs</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=File: File Creation,Level=3,Alert=IIS Dropping HTA file,Risk=100" groupRelation="and">
+				<Image condition="image">w3wp.exe</Image>
+				<TargetFilename condition="end with">.hta</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Files dropped in wwwroot directory,Risk=40" groupRelation="and">
+				<TargetFilename condition="contains any">\wwwroot\</TargetFilename>
+				<TargetFilename condition="excludes any">\wwwroot\aspnet_client\;jpg</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=ASP Files dropped outside wwwroot directory" groupRelation="and">
+				<TargetFilename condition="end with">.asp</TargetFilename>
+				<TargetFilename condition="excludes any">\wwwroot\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=ASPX Files dropped outside wwwroot directory" groupRelation="and">
+				<TargetFilename condition="end with">.aspx</TargetFilename>
+				<TargetFilename condition="excludes any">\wwwroot\</TargetFilename>
+			</Rule>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange ECP directory,Risk=80" condition="contains">\ecp\auth\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange OAB directory,Risk=80" condition="contains">\oab\auth\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">ClientAccess\Owa\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">\owa\auth\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange RPC directory,Risk=80" condition="contains">httpproxy\rpc\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange ecp directory,Risk=80" condition="contains">ClientAccess\ecp\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in wwwroot htdocs directory" condition="contains">\htdocs\</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=File: File Creation,Level=0,Desc=Printer Exploitation Detected,Risk=20" groupRelation="and">
+				<TargetFilename condition="end with">.SPL</TargetFilename>
+				<Image condition="excludes any">spoolsv.exe;printfilterpipelinesvc.exe;printisolationhost.exe;splwow64.exe;msiexec.exe;poqexec.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=File: File Creation,Level=0,Desc=Printer Spooler Created exe file,Risk=40" groupRelation="and">
+				<Image condition="image">spoolsv.exe</Image>
+				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="excludes">C\:\Windows\System32\spool\;C\:\Windows\Temp\;C\:\Users\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=File: File Creation,Level=0,Desc=InstallerFileTakeOver,Risk=80,CVE=CVE-2021-41379" groupRelation="and">
+				<Image condition="image">msiexec.exe</Image>
+				<TargetFilename condition="contains">\Microsoft\Edge\Application</TargetFilename>
+				<TargetFilename condition="end with">elevation_service.exe</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
+			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=WSL Locations" condition="contains">\LocalState\rootfs\</TargetFilename>
+
+			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="or">
+				<TargetFilename condition="begin with">C:\PerfLogs\</TargetFilename> 
+				<TargetFilename condition="begin with">C:\Temp\</TargetFilename> 
+				<TargetFilename condition="begin with">C:\Users\Default\</TargetFilename> 
+				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename> 
+				<TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename> 
+				<TargetFilename condition="contains">\AppData\Temp\</TargetFilename>
+			</Rule>
+			<TargetFilename condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
+			<Image condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files Created from">$Recycle.Bin</Image>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Files Created within System Profile" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
+				<TargetFilename condition="contains">\config\systemprofile\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Files Created from System Profile executable" groupRelation="and">
+				<Image condition="begin with">C:\Windows\</Image>
+				<Image condition="contains">\config\systemprofile\</Image>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="or">
+				<TargetFilename condition="end with">      .exe</TargetFilename>
+				<TargetFilename condition="end with">.7z.exe</TargetFilename>
+				<TargetFilename condition="end with">.doc.exe</TargetFilename>
+				<TargetFilename condition="end with">.doc.exe</TargetFilename>
+				<TargetFilename condition="end with">.docx.exe</TargetFilename>
+				<TargetFilename condition="end with">.ico.exe</TargetFilename>
+				<TargetFilename condition="end with">.iso.exe</TargetFilename>
+				<TargetFilename condition="end with">.lnk.exe</TargetFilename>
+				<TargetFilename condition="end with">.pdf.exe</TargetFilename>
+				<TargetFilename condition="end with">.ppt.exe</TargetFilename>
+				<TargetFilename condition="end with">.pptx.exe</TargetFilename>
+				<TargetFilename condition="end with">.rar.exe</TargetFilename>
+				<TargetFilename condition="end with">.rtf.exe</TargetFilename>
+				<TargetFilename condition="end with">.txt.exe</TargetFilename>
+				<TargetFilename condition="end with">.xls.exe</TargetFilename>
+				<TargetFilename condition="end with">.xlsx.exe</TargetFilename>
+				<TargetFilename condition="end with">.zip.exe</TargetFilename>
+				<TargetFilename condition="end with">______.exe</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
+			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
+			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
+			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
+			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Compiled HTML File-->
+			<TargetFilename name="Attack=T1223,Technique=Compiled HTML File,Tactic=Defense Evasion,DS=File: File Creation" condition="end with">.chm</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
+			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
+			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation" condition="end with">proj</TargetFilename>
+			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation" condition="end with">.sln</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
+			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
+
+			<!--MITRE ATT&CK TACTIC: Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
+			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
+			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
+			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
+
+			<!--MITRE ATT&CK TACTIC: Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
+			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+
+			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
+			<Rule name="Attack=T1203,Technique=Exploitation of Remote Services,Tactic=Lateral Movement,DS=File: File Creation,Level=4,Alert=Exchange Exploitation UM Service File Creation,Risk=80,CVE=CVE-2021-26858" groupRelation="and">
+				<Image condition="contains any">UMWorkerProcess.exe;UMService.exe</Image>
+				<TargetFilename condition="contains any">.</TargetFilename>
+				<TargetFilename condition="excludes any">.log;.cfg;.txt;cleanup;.HealthCheck;\wp.active;.db</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+
+			<!--MITRE ATT&CK TACTIC: Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" condition="end with">.7z</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" condition="end with">.7zip</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" condition="end with">.arj</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" condition="end with">.s7z</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=.A Archive" condition="end with">.a</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ACE Archive" condition="end with">.ace</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=AR Archive" condition="end with">.ar</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ARC Archive" condition="end with">.arc</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=BIN" condition="end with">.bin</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=CAB Archive" condition="end with">.cab</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Game PAK Archive" condition="end with">.pak</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Gzip Archive" condition="end with">.gz</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=IMG Archive" condition="end with">.img</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ISO Archive" condition="end with">.iso</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=LZM Archive" condition="end with">.lzm</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=LZMA Archive" condition="end with">.lzma</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=RAR Archive Extraction" condition="contains">Temp\Rar$</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=RAR Archive" condition="end with">.rar</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=RAR SFX Archive Extraction" condition="contains">RarSFX</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=SFX Archive" condition="end with">.sfx</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=SZ Archive" condition="end with">.sz</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=TAR Archive" condition="end with">.tar</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=TAR.GZ Archive" condition="end with">.tar.gz</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=TAR.GZ Archive" condition="end with">.tgz</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=XZ Archive" condition="end with">.xz</TargetFilename>
+			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ZIP Archive" condition="end with">.zip</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
+			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .OST Created,Risk=30" condition="end with">.ost</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.eml</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.msg</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.pst</TargetFilename>
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
+
+			<!--MITRE ATT&CK TACTIC: Command and Control-->
+			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
+			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,DS=File: File Creation,Level=4,Alert=Cyrillic Letter obfuscation,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains any">Г;И;К;П;д;и;к;л;л;н;н;о;ф;ե;թ;յ;ն;ն;ն;ն;տ;ւ;ք</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
+			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
+			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Created by Teamviewer" condition="image">Teamviewer.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Created by rundll32" condition="image">rundll32.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Created with Remote Desktop Client" condition="image">mstsc.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Created with command shell,Risk=30" condition="image">cmd.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped with IronPython.exe,Risk=50" condition="image">ipy.exe</Image>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped with WScript.exe,Risk=30" condition="image">WScript.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with cscript.exe,Risk=30" condition="image">cscript.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with mshta.exe,Risk=100" condition="image">mshta.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with python.exe,Risk=30" condition="image">python.exe</Image>
+			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with wmic.exe,Risk=30" condition="image">wmic.exe</Image>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
+				<TargetFilename condition="contains any">C:\Users\Default\;C:\Users\Public\</TargetFilename>
+				<TargetFilename condition="end with">.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
+				<TargetFilename condition="contains any">C:\Users\Default\;C:\Users\Public\</TargetFilename>
+				<TargetFilename condition="end with">.exe</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
+			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
+			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
+			<!--MITRE ATT&CK TECHNIQUE: Proxy: Multi-hop Proxy-->
+			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Hidden Service,Risk=100" condition="contains">HiddenService</TargetFilename>
+			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Files,Risk=100" condition="end with">torrc</TargetFilename> 
+			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Files,Risk=100" condition="contains">\tor.exe</TargetFilename> 
+			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Files,Risk=100" condition="contains">tor-gencert</TargetFilename> 
+			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
+
+			<!--MITRE ATT&CK TACTIC: Exfiltration-->
+
+			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Possible rclone Exfiltration,Risk=30" condition="contains">rclone</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Possible s3browser Exfiltration,Risk=30" condition="contains">s3browser</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Browser Credential exfiltration,Risk=30" condition="contains">grabff.exe</TargetFilename>
+			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Browser Credential exfiltration,Risk=30" condition="contains">grabff.exe</TargetFilename>
+			<!--MITRE ATT&CK TACTIC: Impact-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=File: File Creation,Level=4,Alert=Snatch Ransomware Detected,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains all">RESTORE_;_FILES.txt</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=File: File Creation,Level=4,Alert=Snatch2 Ransomware Detected,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains all">DECRYPT_;_FILES.txt</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=File: File Creation,Level=4,Alert=Nanocore Detected,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains any">\run.dat;\task.dat;\storage.dat</TargetFilename>
+				<TargetFilename condition="contains">AppData</TargetFilename>
+				<TargetFilename condition="excludes any">Symantec</TargetFilename>
+				<TargetFilename condition="excludes any">BlueJeans</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=File: File Creation,Level=4,Alert=RagnarLocker Virtualbox files: susceptible to FP,Risk=40" groupRelation="and">
+				<TargetFilename condition="contains any">VBoxRT.dll;VboxC.dll</TargetFilename>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
+			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
+			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
+			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
+			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
+			<!--UEBA Detections-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Suspicious files within Content.IE5,Risk=40" groupRelation="and">
+				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
+				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Unusual OLE ActiveX execution from Microsoft Office,Risk=20" groupRelation="and">
+				<TargetFilename condition="contains any">MSForms.exd</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Executable File Detected in System32" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename> 
+				<TargetFilename condition="begin with">C:\windows\system32\</TargetFilename> 
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Executable File Detected in Windows Directory" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename> 
+				<TargetFilename condition="begin with">C:\windows\</TargetFilename> 
+				<TargetFilename condition="excludes">\system32\</TargetFilename> 
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Executable File Detected Outside Windows Directory" groupRelation="and">
+				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
+				<TargetFilename condition="excludes">C:\windows\</TargetFilename> 
+				<TargetFilename condition="excludes">C:\Users\</TargetFilename> 
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Executable File Detected Inside User Directory" groupRelation="and">
+				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
+				<TargetFilename condition="begin with">C:\Users\</TargetFilename> 
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=WLL Office Application Startup" groupRelation="and">
+				<TargetFilename condition="contains">\Microsoft\Word\Startup\</TargetFilename>
+				<TargetFilename condition="end with">.wll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc= Windows Defender Application Control changes" groupRelation="and">
+				<TargetFilename condition="begin with">C:\windows\system32\CodeIntegrity\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=XLL Office Application Startup" groupRelation="and">
+				<TargetFilename condition="contains">\Microsoft\Excel\Startup\</TargetFilename>
+				<TargetFilename condition="end with">.xll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Outlook Macro Execution,Risk=90" groupRelation="and">
+				<TargetFilename condition="end with">\Microsoft\Outlook\VbaProject.OTM</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Office Application Startup Generic" groupRelation="and">
+				<TargetFilename condition="contains">\Microsoft\Addins\</TargetFilename>
+				<TargetFilename condition="contains any">.xla</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Office VSTO Addin detected,Risk=20" groupRelation="and">
+				<TargetFilename condition="end with">.vsto</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New bat file dropped to C:\Windows\,Risk=70" groupRelation="and">
+				<TargetFilename condition="end with">.bat</TargetFilename>
+				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
+				<Image condition="excludes any">C:\ProgramData\Lenovo\SystemUpdate\sessionSE\</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New dll file dropped to C:\Windows\" groupRelation="and">
+				<TargetFilename condition="end with">.dll</TargetFilename>
+				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Driver sys file dropped to C:\Windows\" groupRelation="and">
+				<TargetFilename condition="end with">.sys</TargetFilename>
+				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Exe file dropped to C:\Windows\" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
+				<TargetFilename condition="excludes any">C:\Windows\System32\;C:\windows\syswow64\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Exe file dropped to C:\Windows\System32" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Exe file dropped to C:\Windows\System32" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="begin with">C:\Windows\SysWow64\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New theme: Credential harvesting" groupRelation="and">
+				<TargetFilename condition="end with">.theme</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Interesting files: Microsoft Office Isolated Conversion Environment" groupRelation="and">
+				<TargetFilename condition="contains">\Packages\oice_</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Virtualbox VM Escape" groupRelation="and">
+				<Image condition="image">VirtualboxVM.exe</Image>
+			</Rule>
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files edited with Notepad Plus Plus" condition="is">notepad++.exe</Image>
+			<TargetFilename name="Attack=T1023,Technique=Shortcut Modification,Tactic=Persistence,DS=File: File Creation,Level=4,Alert=Potential LNK Malware File Downloaded">.lnk:Zone.Identifier</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\cscript.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\mshta.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\msiexec.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\regsvr32.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\rundll32.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\svchost.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wmic.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wscript.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\regsvr32.exe.log</TargetFilename>
+			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Winrm Host Process" condition="end with">\UsageLogs\wsmprovhost.exe.log</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Link">.lnk</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=URL">.url</TargetFilename>
+			<!--Drivers dropped-->
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver" condition="end with">.sys</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver INF" condition="end with">.inf</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\System32\Drivers</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver File Dropped" condition="contains">\Drivers\</TargetFilename>
+			<TargetFilename condition="end with">.drv</TargetFilename> 
+			<!--Microsoft Office File Monitoring-->
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlam</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlsm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xla</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xll</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xls</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xlsb</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xlsx</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xlt</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xltm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xlw</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Office Template created" condition="contains">\Microsoft\Templates\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Outlook EML" condition="end with">.eml</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Outlook MSG" condition="end with">.msg</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.potm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint OpenXML Filetype" condition="end with">.sldm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Recent Office Files" condition="contains">\Microsoft\Office\Recent</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Forensic=Recent Office History" condition="contains">oleObject</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Forensic=Recent Jumplist Custom Destinations" condition="contains">\Recent\CustomDestinations\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=User Downloaded Files" condition="contains">\Downloads\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=User Outlook Attachments" condition="contains">\Content.Outlook\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Macro,Risk=30" condition="end with">.docb</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Macro,Risk=30" condition="end with">.wbk</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Perfect" condition="end with">.ped</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Template" condition="end with">.dot</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Template" condition="end with">.dotx</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word" condition="end with">.doc</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word" condition="end with">.docm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word" condition="end with">.docx</TargetFilename>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="or">
+				<TargetFilename condition="end with">.accdb</TargetFilename>
+				<TargetFilename condition="end with">.accde</TargetFilename>
+				<TargetFilename condition="end with">.accdr</TargetFilename>
+				<TargetFilename condition="end with">.accdt</TargetFilename>
+				<TargetFilename condition="end with">.mdb</TargetFilename>
+				<TargetFilename condition="end with">.mde</TargetFilename>
+				<TargetFilename condition="end with">.msc</TargetFilename>
+				<TargetFilename condition="end with">.mst</TargetFilename>
+				<TargetFilename condition="end with">.potx</TargetFilename>
+				<TargetFilename condition="end with">.ppam</TargetFilename>
+				<TargetFilename condition="end with">.ppsm</TargetFilename>
+				<TargetFilename condition="end with">.ppsx</TargetFilename>
+				<TargetFilename condition="end with">.ppt</TargetFilename>
+				<TargetFilename condition="end with">.pptm</TargetFilename>
+				<TargetFilename condition="end with">.pptx</TargetFilename>
+				<TargetFilename condition="end with">.pub</TargetFilename>
+				<TargetFilename condition="end with">.sldm</TargetFilename>
+				<TargetFilename condition="end with">.sldx</TargetFilename>
+				<TargetFilename condition="end with">.xls</TargetFilename>
+				<TargetFilename condition="end with">.xps</TargetFilename>
+			</Rule>
+			<!--SECTION: Certificates -->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="or">
+				<TargetFilename condition="end with">.pem</TargetFilename>
+				<TargetFilename condition="end with">.crt</TargetFilename>
+				<TargetFilename condition="end with">.ca-bundle</TargetFilename>
+				<TargetFilename condition="end with">.cer</TargetFilename>
+				<TargetFilename condition="end with">.csr</TargetFilename>
+				<TargetFilename condition="end with">.der</TargetFilename>
+				<TargetFilename condition="end with">.p7b</TargetFilename>
+				<TargetFilename condition="end with">.p7r</TargetFilename>
+				<TargetFilename condition="end with">.p7s</TargetFilename>
+				<TargetFilename condition="end with">.pfx</TargetFilename>
+				<TargetFilename condition="end with">.sto</TargetFilename>
+				<TargetFilename condition="end with">.p12</TargetFilename>
+				<TargetFilename condition="end with">.crl</TargetFilename>
+				<TargetFilename condition="end with">.sst</TargetFilename>
+				<TargetFilename condition="end with">.key</TargetFilename>
+			</Rule>
+			<!-- side loading -->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="or">
+				<TargetFilename condition="end with">.hlp</TargetFilename>
+				<TargetFilename condition="end with">ACLUI.DLL.UI</TargetFilename>
+				<TargetFilename condition="end with">ACLUI.DLL</TargetFilename>
+				<TargetFilename condition="end with">AFLogVw.exe</TargetFilename>
+				<TargetFilename condition="end with">AShld.exe</TargetFilename>
+				<TargetFilename condition="end with">AShldRes.DLL.asr</TargetFilename>
+				<TargetFilename condition="end with">AShldRes.DLL</TargetFilename>
+				<TargetFilename condition="end with">AhnI2.dll</TargetFilename>
+				<TargetFilename condition="end with">CamMute.exe</TargetFilename>
+				<TargetFilename condition="end with">CommFunc.dll</TargetFilename>
+				<TargetFilename condition="end with">CommFunc.jax</TargetFilename>
+				<TargetFilename condition="end with">DESqmWrapper.dll</TargetFilename>
+				<TargetFilename condition="end with">DESqmWrapper.wrapper</TargetFilename>
+				<TargetFilename condition="end with">FSPMAPI.dll.fsp</TargetFilename>
+				<TargetFilename condition="end with">FSPMAPI.dll</TargetFilename>
+				<TargetFilename condition="end with">Gadget.exe</TargetFilename>
+				<TargetFilename condition="end with">LoLTWLauncher.exe</TargetFilename>
+				<TargetFilename condition="end with">Mc.exe</TargetFilename>
+				<TargetFilename condition="end with">McUtil.dll.ping</TargetFilename>
+				<TargetFilename condition="end with">McUtil.dll.url</TargetFilename>
+				<TargetFilename condition="end with">McUtil.dll</TargetFilename>
+				<TargetFilename condition="end with">MpSvc.dll</TargetFilename>
+				<TargetFilename condition="end with">MsMpEng.exe</TargetFilename>
+				<TargetFilename condition="end with">NtUserEx.dat</TargetFilename>
+				<TargetFilename condition="end with">NtUserEx.dat</TargetFilename>
+				<TargetFilename condition="end with">NtUserEx.dll</TargetFilename>
+				<TargetFilename condition="end with">NtUserEx.dll</TargetFilename>
+				<TargetFilename condition="end with">NvSmart.exe</TargetFilename>
+				<TargetFilename condition="end with">NvSmartMax.dll</TargetFilename>
+				<TargetFilename condition="end with">NvSmartMax.dll</TargetFilename>
+				<TargetFilename condition="end with">NvSmartMaxapp.dll</TargetFilename>
+				<TargetFilename condition="end with">OInfo11.ISO</TargetFilename>
+				<TargetFilename condition="end with">OInfo11.ocx</TargetFilename>
+				<TargetFilename condition="end with">OInfoP11.exe</TargetFilename>
+				<TargetFilename condition="end with">OleView.exe</TargetFilename>
+				<TargetFilename condition="end with">OleView.exe</TargetFilename>
+				<TargetFilename condition="end with">POETWLauncher.exe</TargetFilename>
+				<TargetFilename condition="end with">RasTls.dll.config</TargetFilename>
+				<TargetFilename condition="end with">RasTls.dll.msc</TargetFilename>
+				<TargetFilename condition="end with">RasTls.dll</TargetFilename>
+				<TargetFilename condition="end with">RasTls.exe</TargetFilename>
+				<TargetFilename condition="end with">RunHelp.exe</TargetFilename>
+				<TargetFilename condition="end with">Sidebar.dll.doc</TargetFilename>
+				<TargetFilename condition="end with">Sidebar.dll</TargetFilename>
+				<TargetFilename condition="end with">Ushata.dll</TargetFilename>
+				<TargetFilename condition="end with">Ushata.exe</TargetFilename>
+				<TargetFilename condition="end with">Ushata.fox</TargetFilename>
+				<TargetFilename condition="end with">VeetlePlayer.exe</TargetFilename>
+				<TargetFilename condition="end with">boot.ldr</TargetFilename>
+				<TargetFilename condition="end with">chrome_frame_helper.dll.rom</TargetFilename>
+				<TargetFilename condition="end with">chrome_frame_helper.dll</TargetFilename>
+				<TargetFilename condition="end with">chrome_frame_helper.exe</TargetFilename>
+				<TargetFilename condition="end with">dvcemumanager.exe</TargetFilename>
+				<TargetFilename condition="end with">fsguidll.exe</TargetFilename>
+				<TargetFilename condition="end with">fslapi.dll.gui</TargetFilename>
+				<TargetFilename condition="end with">fslapi.dll</TargetFilename>
+				<TargetFilename condition="end with">fsstm.exe</TargetFilename>
+				<TargetFilename condition="end with">hccutils.dll.res</TargetFilename>
+				<TargetFilename condition="end with">hccutils.dll</TargetFilename>
+				<TargetFilename condition="end with">hha.dll.bak</TargetFilename>
+				<TargetFilename condition="end with">hha.dll</TargetFilename>
+				<TargetFilename condition="end with">hhc.exe</TargetFilename>
+				<TargetFilename condition="end with">hkcmd.exe</TargetFilename>
+				<TargetFilename condition="end with">iviewers.dll</TargetFilename>
+				<TargetFilename condition="end with">jli.dll</TargetFilename>
+				<TargetFilename condition="end with">libvlc.dll</TargetFilename>
+				<TargetFilename condition="end with">mPclient.dll</TargetFilename>
+				<TargetFilename condition="end with">mcf.ep</TargetFilename>
+				<TargetFilename condition="end with">mcf.exe</TargetFilename>
+				<TargetFilename condition="end with">mcupdui.exe</TargetFilename>
+				<TargetFilename condition="end with">mcut.exe</TargetFilename>
+				<TargetFilename condition="end with">mcutil.dll.bbc</TargetFilename>
+				<TargetFilename condition="end with">mcvsmap.exe</TargetFilename>
+				<TargetFilename condition="end with">msi.dll.dat</TargetFilename>
+				<TargetFilename condition="end with">msi.dll</TargetFilename>
+				<TargetFilename condition="end with">msseces.asm</TargetFilename>
+				<TargetFilename condition="end with">msseces.exe</TargetFilename>
+				<TargetFilename condition="end with">mtcReport.ktc</TargetFilename>
+				<TargetFilename condition="end with">rc.dll</TargetFilename>
+				<TargetFilename condition="end with">rc.exe</TargetFilename>
+				<TargetFilename condition="end with">rc.hlp</TargetFilename>
+				<TargetFilename condition="end with">sep_NE.exe</TargetFilename>
+				<TargetFilename condition="end with">sep_NE.slf</TargetFilename>
+				<TargetFilename condition="end with">tplcdclr.exe</TargetFilename>
+				<TargetFilename condition="end with">winmm.dll</TargetFilename>
+				<TargetFilename condition="end with">wts.chm</TargetFilename>
+				<TargetFilename condition="end with">credwiz.exe</TargetFilename>
+			</Rule>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Op cell phone: https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" condition="end with">ssMUIDLL.dll</TargetFilename>
+			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=Finfisher Sideload Detection" condition="end with">aepic.dll</TargetFilename>
+			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=Finfisher Sideload Detection" condition="end with">ftllib.dll</TargetFilename>
+			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=Finfisher Sideload Detection" condition="end with">userenv.dll</TargetFilename>
+			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,DS=File: File Creation,Level=0,Desc=RDP Bitmap Cache" condition="contains">\Terminal Server Client\Cache\</TargetFilename>
+			<TargetFilename name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=File: File Creation,Forensic=Windows Prefetch Exec History" condition="begin with">C:\Windows\Prefetch</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Suspicious TSClient share file creation,Risk=30" condition="begin with">\\tsclient</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=WebDav Cache Files Created" condition="begin with">C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\</TargetFilename>
+			<TargetFilename name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=File: File Creation,Level=4,Alert=SharpDump bin,Risk=100" condition="end with">\Temp\debug.bin</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=7zip Archive Extraction" condition="contains">Temp\7z</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Appcompat Shims" condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CHM Filetype" condition="end with">.chm</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CIA Vault7: Control Panel Files https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="end with">.cpl</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CIA Vault7: https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="contains">.mht</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Chrome Extensions" condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Chrome extension" condition="end with">.crx</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=ClickOnce extension" condition="end with">.appref-ms</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Desktop Gadget File" condition="end with">.gadget</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Encrypted JScript File type" condition="end with">.JSE</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Executable file" condition="end with">.exe</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Explorer Command" condition="end with">.scf</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped to Exchange OWA: Webshell,Risk=70" condition="contains">Exchange Server\ClientAccess\Owa\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped to shadow copy" condition="begin with">\Device\HarddiskVolumeShadowCopy</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File created/accessed from Zip File" condition="contains">.zip\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Font File Type" condition="end with">.FON</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Font File Type" condition="end with">.FOT</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=IQY file used to pull down dropper" condition="end with">.iqy</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Icon" condition="end with">.ico</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Internet settings" condition="end with">.isp</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=MMC Snapin" condition="end with">.msc</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Manifest File Crated" condition="end with">.manifest</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Memory dump" condition="end with">MEMORY.dmp</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Microsoft Installer" condition="end with">.msi</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.cs</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.customDestinations-ms</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Minidump Crash dump created" condition="begin with">C:\Windows\Minidump</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=PAF" condition="end with">.PAF</TargetFilename>
+			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,DS=File: File Creation,Level=0,Desc=RDP Bitmap Cache" condition="end with">.bmc</TargetFilename>
+			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,DS=File: File Creation,Level=0,Desc=RDP" condition="end with">.rdp</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=RTF files often 0day malware vectors when opened by Office,Risk=20" condition="end with">.rtf</TargetFilename> 
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Registry file" condition="end with">.reg</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=SHS Office File for copy pastes" condition="end with">.SHS</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=SLK file used for command execution" condition="end with">.slk</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Screensaver" condition="end with">.SCR</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Set" condition="end with">.set</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=SettingContent-ms" condition="end with">.SettingContent-ms</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Spooled Print Job" condition="end with">.SHD</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Spooled Print Job" condition="end with">.SPL</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Screensaver file created" condition="end with">.scr</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Vault7 file" condition="end with">HammerDrillStatus.dll</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Error Dumps" condition="contains">Microsoft\Windows\WER\</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Icon" condition="end with">.ICL</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Registry Database" condition="end with">.sdb</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Script File Component File" condition="end with">.SCT</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Shell Scrap Object Handler File" condition="end with">.SHB</TargetFilename>
+			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Zip File Extraction from explorer" condition="contains">Temp\Temp1_</TargetFilename>
+			<!--Uncategorized-->
+			<TargetFilename condition="contains all">\Microsoft\;CLR_v;\UsageLogs\</TargetFilename>
+			<TargetFilename condition="end with">.ade</TargetFilename>
+			<TargetFilename condition="end with">.adp</TargetFilename>
+			<TargetFilename condition="end with">.application</TargetFilename>
+			<TargetFilename condition="end with">.appref-ms</TargetFilename>
+			<TargetFilename condition="end with">.asc</TargetFilename>
+			<TargetFilename condition="end with">.bmf</TargetFilename>
+			<TargetFilename condition="end with">.cer</TargetFilename>
+			<TargetFilename condition="end with">.dmp</TargetFilename>
+			<TargetFilename condition="end with">.gpg</TargetFilename>
+			<TargetFilename condition="end with">.htm</TargetFilename>
+			<TargetFilename condition="end with">.html</TargetFilename>
+			<TargetFilename condition="end with">.json</TargetFilename>
+			<TargetFilename condition="end with">.jsp</TargetFilename>
+			<TargetFilename condition="end with">.key</TargetFilename>
+			<TargetFilename condition="end with">.mof</TargetFilename>
+			<TargetFilename condition="end with">.ocx</TargetFilename>
+			<TargetFilename condition="end with">.p7b</TargetFilename>
+			<TargetFilename condition="end with">.p12</TargetFilename>
+			<TargetFilename condition="end with">.pem</TargetFilename>
+			<TargetFilename condition="end with">.pfx</TargetFilename>
+			<TargetFilename condition="end with">.pgp</TargetFilename>
+			<TargetFilename condition="end with">.php</TargetFilename>
+			<TargetFilename condition="end with">.ppk</TargetFilename>
+			<TargetFilename condition="end with">.war</TargetFilename>
+			<TargetFilename condition="end with">.xml</TargetFilename>
+		</FileCreate>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
+	<RuleGroup name="RG=RegistryEvent Include Group" groupRelation="or">
+		<RegistryEvent onmatch="include">
+			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
+			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
+			<Rule name="ttack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=indows Registry: Windows Registry Key Modification,Level=4,Alert=Advanced IP Scanner Scan Detected" groupRelation="and">
+				<TargetObject condition="contains">Software\Famatech\advanced_ip_scanner\State</TargetObject>
+				<TargetObject condition="end with">LastRangeUsed</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
+			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
+
+			<!--MITRE ATT&CK TACTIC: Resource Development-->
+			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
+			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
+
+			<!--MITRE ATT&CK TACTIC: Initial Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=RDP Connection History Tracking" groupRelation="and">
+				<TargetObject condition="contains">\Software\Microsoft\Terminal Server Client</TargetObject>
+				<TargetObject condition="excludes">DefaultPrinter</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Keyloggers and new Keyboards" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect USB Input Devices" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Mice" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<Rule name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Composite Device" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Bluetooth Device" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<Rule name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Disk Drive" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<Rule name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New WPD Devices" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<Rule name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Biometric Devices" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=Virtual DVD-ROM Drive Mounted,Forensic=Virtual DVD-ROM Drive Mounted" groupRelation="and">
+				<TargetObject condition="contains all">Root\InventoryDevicePnp;prod_virtual_dvd-rom</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<TargetObject name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Mounted Device Detection" condition="contains">MountedDevices</TargetObject>
+			<TargetObject name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Mountpoints2 Mounted Device Detection" condition="contains">Mountpoints2</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Active Setup Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Interactive Logon Detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\</TargetObject>
+				<TargetObject condition="end with">LoggedOnUser</TargetObject>
+			</Rule>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Last Logged on User modification" condition="contains">LastLoggedOnUser</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Last Logged on Provider modification" condition="contains">LastLoggedOnProvider</TargetObject>
+			<!--MITRE ATT&CK TACTIC: Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
+			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Suspicious Set Value of MSDT in Registry: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<TargetObject condition="begin with">HKCR\ms-msdt\</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Scripted Diagnostics Turn Off Check Enabled: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
+			<!--MITRE ATT&CK TECHNIQUE: Native API-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: System Services-->
+			<Rule name="Attack=T1543.003,Tactic=Persistence,Technique=Create Windows Service,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=New SVCHost service,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost</TargetObject>
+				<TargetObject condition="excludes">\print\</TargetObject>
+				<TargetObject condition="excludes">\AzureAttestService\CoInitializeSecurityParam</TargetObject>
+				<Image condition="excludes">C:\$WINDOWS.~BT\</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=VBA Project Object Model Macro Settings,Risk=30" groupRelation="and">
+				<TargetObject condition="end with">\AccessVBOM</TargetObject>
+				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=VBA Project VBA Warnings Macro Setting Change,Risk=40" groupRelation="and">
+				<TargetObject condition="end with">Security\VBAWarnings</TargetObject>
+				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=VBA Project VBA Warnings Macro Setting Change,Risk=40" groupRelation="and">
+				<TargetObject condition="end with">Security\VBAWarnings</TargetObject>
+				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Potential Office Macro Execution Detected" groupRelation="and">
+				<Image condition="contains any">EXCEL.exe;WINWORD.exe</Image>
+				<TargetObject condition="contains any">{8BD21D32-EC42-11CE-9E0D-00AA006002F3};{5B9D8FC8-4A71-101B-97A6-00000B65C08B}</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: User Execution: Malicious File-->
+			<Rule name="Attack=T0000,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=NJRAT Detection,Risk=100" groupRelation="and">
+				<TargetObject condition="is">HKCU\di</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lokibot Detection" groupRelation="and">
+				<TargetObject condition="contains">HKCU\�</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AMSI Tamper Detection" groupRelation="or">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\AMSI\Providers\</TargetObject>
+				<TargetObject condition="begin with">hklm\software\microsoft\windows script\settings\amsienable</TargetObject>
+				<TargetObject condition="begin with">hkcu\software\microsoft\windows script\settings\amsienable</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
+
+			<!--MITRE ATT&CK TACTIC: Persistence-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Chrome Extension auditing" groupRelation="and">
+				<TargetObject condition="contains">Google\Chrome\Extensions</TargetObject>
+				<TargetObject condition="end with">update_url</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Forced password reset detected" groupRelation="and">
+				<TargetObject condition="contains">ForcePasswordReset</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Machine Password Change Detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User Last Password Changed" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
+				<TargetObject condition="end with">Last Password Change</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Account Expiration" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
+				<TargetObject condition="end with">Account Expiration</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Last Failed Logon" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
+				<TargetObject condition="end with">Last Failed Logon</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User Account Added to Local Admin" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User Account Added to Remote Desktop User Group" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\0000022B\</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<TargetObject name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Alert=Process Injection: injecting a 64-bit DLL into a 32-bit process" condition="contains">SOFTWARE\Microsoft\Wow64\x86\</TargetObject>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Alert=AutoRun Reg Keys,Risk=70" groupRelation="and">
+				<EventType condition="is">SetValue</EventType>
+				<TargetObject condition="contains">\CurrentVersion\Run\</TargetObject>
+				<Image condition="excludes">Add_exclusions_here</Image>
+			</Rule>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Microsoft\System\Scripts</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Windows\System\Scripts</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Service Command Line parameters" condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Start Mode Changed to: Boot" groupRelation="and">
+				<TargetObject condition="end with">\Start</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Start Mode Changed to: System" groupRelation="and">
+				<TargetObject condition="end with">\Start</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Start Mode Changed to: Automatic" groupRelation="and">
+				<TargetObject condition="end with">\Start</TargetObject>
+				<Details condition="contains">DWORD (0x00000002)</Details>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Services: Service Start Mode Changed to: Manual" groupRelation="and">
+				<TargetObject condition="end with">\Start</TargetObject>
+				<Details condition="contains">DWORD (0x00000003)</Details>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Services: Service Start Mode Changed to: Disabled" groupRelation="and">
+				<TargetObject condition="end with">\Start</TargetObject>
+				<Details condition="contains">DWORD (0x00000004)</Details>
+			</Rule>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Services: Services and autoruns imagepath" condition="end with">\ImagePath</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Service DLL changes" condition="end with">\ServiceDll</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Manifest pointing to service's DLL" condition="end with">\ServiceManifest</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="begin with">hkcu\software\microsoft\windows nt\currentversion\windows\run\</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\common startup</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\startup</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="begin with">hklm\software\microsoft\command processor\autorun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="contains all">hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="contains">Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Print Processors-->
+			<TargetObject name="Attack=T1013,Technique=Port Monitors,Tactic=Persistence/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification" condition="contains">\Print\Monitors</TargetObject>
+			<!--<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">\Printers\Connections</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">\Print\Environments\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">\Servers\Printers\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">\Print\V4 Connections</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">CurrentVersion\PrinterPorts</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">SWD\PRINTENUM</TargetObject>-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
+			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
+			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
+			<Rule name="Attack=T1136,Technique=Create Account,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=New user created,Risk=40" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
+				<TargetObject condition="excludes">$</TargetObject>
+				<EventType condition="is">CreateKey</EventType>
+			</Rule>
+			<Rule name="Attack=T1136,Technique=Create Account,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Creation,Level=0,Desc=Hidden New user created,Risk=40" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
+				<TargetObject condition="contains">$</TargetObject>
+				<EventType condition="is">CreateKey</EventType>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Sysmon Manifest change detected,Risk=30" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}</TargetObject>
+				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
+				<Image condition="excludes">C:\Programdata\sysmon\sysmon64.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Endpoint Protocol Handlers" groupRelation="and">
+				<TargetObject condition="begin with">HKCR\</TargetObject>
+				<TargetObject condition="end with">(Default)</TargetObject>
+				<TargetObject condition="excludes">\shell\open\command\(Default)</TargetObject>
+				<Details condition="begin with">URL:</Details>
+			</Rule>
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor User Protocol Handlers" groupRelation="and">
+				<TargetObject condition="begin with">HKCU\Software\Classes\</TargetObject>
+				<TargetObject condition="end with">(Default)</TargetObject>
+				<TargetObject condition="excludes">\shell\open\command\(Default)</TargetObject>
+				<Details condition="begin with">URL:</Details>
+			</Rule>
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Endpoint File Associations" groupRelation="and">
+				<TargetObject condition="begin with">HKCR\</TargetObject>
+				<TargetObject condition="end with">\shell\open\command\(Default)</TargetObject>
+				<Details condition="contains">%1</Details>
+			</Rule>
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor User Default File Associations" groupRelation="and">
+				<TargetObject condition="begin with">HKCU\Software\Classes\</TargetObject>
+				<TargetObject condition="end with">\shell\open\command\(Default)</TargetObject>
+				<Details condition="contains">%1</Details>
+			</Rule>
+			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor COM Hijacking" groupRelation="and">
+				<TargetObject condition="end with">\shell\open\command\DelegateExecute</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Accessibility Features-->
+			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Utilman Priv Escalation,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=sethc.exe Priv Escalation,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=KnownDLLs" condition="contains">Session Manager\KnownDlls</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft Outlook Addins" groupRelation="and">
+				<TargetObject condition="contains">Outlook\Addins</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft Word Addins" groupRelation="and">
+				<TargetObject condition="contains">Word\Addins</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft Excel Addins" groupRelation="and">
+				<TargetObject condition="contains">Excel\Addins</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft Powerpoint Addins" groupRelation="and">
+				<TargetObject condition="contains">Powerpoint\Addins</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft VSTO Inclusions" groupRelation="and">
+				<TargetObject condition="contains">Software\Microsoft\VSTO\Security\Inclusion\</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft VSTO Solution Metadata" groupRelation="and">
+				<TargetObject condition="contains">Software\Microsoft\VSTO\SolutionMetadata\</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CMSTPLUA UAC Bypass" groupRelation="and">
+				<TargetObject condition="contains any">cmmgr32.exe</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="contains">UserInitMprLogonScript</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=BootVerificationProgram Autorun" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Security Support Provider-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor OS Config LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor OS Config LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor OS Config LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
+			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
+			<!--Microsoft:Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
+			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Suspicious Com Object Hijacking Locations,Risk=30" groupRelation="and">
+				<TargetObject condition="contains any">\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)</TargetObject>
+				<Details condition="contains any">C:\Users\Public\;$Recyclebin;\temp\;\Desktop\;\Downloads\;\Content.Outlook\;\Microsoft\Office\</Details>
+				<Details condition="excludes">C:\WINDOWS\SYSTEM32\UpdateDeploy.dll</Details>
+			</Rule>
+			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Com Object Hijacking Locations,Risk=30" groupRelation="and">
+				<TargetObject condition="contains any">\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)</TargetObject>
+				<Details condition="excludes">C:\WINDOWS\SYSTEM32\UpdateDeploy.dll</Details>
+			</Rule>
+			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=TreatAs/ProgID Friendly Name Com Hijacking Evasion - check for following rundll32 -sta,Risk=30" groupRelation="and">
+				<TargetObject condition="contains any">\ProgID\(Default);\TreatAs\(Default)</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Image File Execution Options Injection-->
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Alert=Image File Execution Options,Risk=30" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject>
+				<TargetObject condition="contains any">Debugger;ReportingMode;MonitorProcess</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=SilentProcessExit Globalflag Set,Risk=75" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject>
+				<TargetObject condition="contains">GlobalFlag</TargetObject>
+				<Details condition="contains">DWORD (0x00000200)</Details> <!--SilentProcessExit Dword Value-->
+			</Rule>
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=SilentProcessExit Process Execution entry,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</TargetObject>
+				<TargetObject condition="contains">MonitorProcess</TargetObject> <!--SilentProcessExit Monitor Process from werfault-->
+			</Rule>
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=SilentProcessExit Reporting Mode Enabled,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</TargetObject>
+				<TargetObject condition="contains">ReportingMode</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details> <!--SilentProcessExit Reporting Mode Enabled-->
+			</Rule>
+			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=SilentProcessExit Process Added,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit</TargetObject>
+				<EventType condition="is">CreateKey</EventType>
+			</Rule>
+			<Rule name="Attack=T1546,Technique=Event Triggered Execution,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Monitor Runtime Exception Handler execution on crash,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules\</TargetObject>
+				<Image condition="excludes all">C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{;}\EDGEMITMP_;.tmp\setup.exe</Image>
+				<Image condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image>
+				<Image condition="excludes">C:\Program Files\Microsoft Office\root\integration\integrator.exe</Image>
+				<Image condition="excludes all">C:\Program Files\Google\Chrome Beta\Application\;\Installer\setup.exe</Image>
+				<Image condition="excludes all">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\;\OfficeClickToRun.exe</Image>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
+			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=New Scheduled Task Created,Risk=80" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
+				<TargetObject condition="end with">SD</TargetObject>
+				<TargetObject condition="is not">Microsoft\Windows\UpdateOrchestrator</TargetObject>
+				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\SD</TargetObject>
+				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OneDrive Per-Machine Standalone Update Task\SD</TargetObject>
+				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Feature Updates\SD</TargetObject>
+				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Feature Updates Logon\SD</TargetObject>
+				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Performance Monitor\SD</TargetObject>
+				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\SnapshotCleanupTask\SD</TargetObject>
+				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office ClickToRun Service Monitor\SD</TargetObject>
+				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Automatic Updates 2.0\SD</TargetObject>
+				<TargetObject condition="excludes">Microsoft\Windows\UpdateOrchestrator</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Creation ID Key" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
+				<TargetObject condition="end with">ID</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Creation Author Key" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
+				<TargetObject condition="end with">Author</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Creation Path Key" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
+				<TargetObject condition="end with">Path</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Creation Date Key" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
+				<TargetObject condition="end with">Date</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Added to Logon" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Added to Boot Time" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+
+			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
+			<Rule name="Attack=T0000,Technique=Environment Value Modification,Tactic=Defense Evasion/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Environment Value Modification" groupRelation="and">
+				<EventType condition="is">SetValue</EventType>
+				<TargetObject condition="contains">\Environment\</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
+			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism: Bypass User Account Control-->
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=UAC Disablement Detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=ConsentPromptBehaviorAdmin Disablement Detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=PromptOnSecureDesktop Disablement Detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect UAC Tampering" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
+			<TargetObject name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe</TargetObject>
+			<TargetObject name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">exefile\shell\runas\command\isolatedCommand</TargetObject>			
+			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
+			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
+			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
+			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
+			<Rule name="Attack=T1564.002,Technique=Hide Artifacts: Hidden Users,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=User Account Hidden From Logon Screen,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\</TargetObject>
+				<TargetObject condition="end with">$</TargetObject>
+ 				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
+			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Stealth Sysmon Change Detected,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters</TargetObject>
+				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
+				<Image condition="excludes">C:\Programdata\sysmon\sysmon64.exe</Image>
+				<!--Customize: Add your configuration directory above-->
+			</Rule>
+			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Modification to System Exploit Protection,Risk=30" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel</TargetObject>
+				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
+			</Rule>
+			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Modification to Per-Process Exploit Protection,Risk=30" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
+				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
+				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmcompute.exe\0\MitigationOptions</TargetObject>
+				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmwp.exe\0\MitigationOptions</TargetObject>
+				<Image condition="excludes">msiexec.exe</Image>
+				<Image condition="excludes">TiWorker.exe</Image>
+			</Rule>
+			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Modification to WOW64 Per-Process Exploit Protection Mitigation Options,Risk=30" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
+				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
+				<Image condition="excludes">C:\Program Files\Microsoft Office 15\root\integration\integrator.exe</Image>
+				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acro</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Task Manager Disablement Detection" groupRelation="and">
+				<TargetObject condition="end with">DisableTaskMgr</TargetObject>
+				<Image condition="excludes">C:\WINDOWS\system32\svchost.exe</Image>
+				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Driver Altitude Change Detected - Causes Driver load failure on boot" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\</TargetObject>
+				<TargetObject condition="contains all">\Instances\;Altitude</TargetObject>
+				<TargetObject condition="is not">HKLM\System\CurrentControlSet\Services\CldFlt\Instances\CldFlt\Altitude</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
+			<!--Detect Malware & Unauthorized Changes to Outlook, Excel, Powerpoint, and Access Security to enable execution of scripts/Macros -->
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=All Office Macros Enabled!,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">\Security\Level</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Notifications for all macros,Risk=50" groupRelation="and">
+				<TargetObject condition="contains">\Security\Level</TargetObject>
+				<Details condition="contains">DWORD (0x00000002)</Details>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Notifications for digitally signed macros - all other macros disabled,Risk=0" groupRelation="and">
+				<TargetObject condition="contains">\Security\Level</TargetObject>
+				<Details condition="contains">DWORD (0x00000003)</Details>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=All Office Macros Disabled without notification,Risk=0" groupRelation="and">
+				<TargetObject condition="contains">\Security\Level</TargetObject>
+				<Details condition="contains">DWORD (0x00000004)</Details>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Outlook Security Changes" groupRelation="and">
+				<TargetObject condition="contains">\Outlook\Security</TargetObject>
+				<!--Allow Outlook Details rules to fire-->
+				<TargetObject condition="excludes">\Security\Level</TargetObject>
+			</Rule>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Word Security Changes" condition="contains">\Word\Security</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Excel Security Changes" condition="contains">\Excel\Security</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected Unauthorized changes to Office Security" condition="contains">\Security\Level1Remove</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft:Windows:Security Center: HideSCAHealth" condition="end with">\HideSCAHealth</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center AV Disabled Notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disable UAC Notify Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disablement of Update notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Firewall Override Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Tampering: All Alerts Disabled" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPSessionInterval</TargetObject>
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SystemRestorePointCreationFrequency</TargetObject>
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected disablement of machine password,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Secure Channel Protection changes,Risk=30" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Refuse PW Change for workstations" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender AntiSpyware Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender Behavior Monitoring Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender Real Time Protection Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender Spynet Reporting Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable Windows Event Logging-->
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Disabling of Windows Event Log Source,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
+				<TargetObject condition="end with">\Enabled</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Enabling of Windows Event Log Source" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
+				<TargetObject condition="end with">\Enabled</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Event log system integrity and ACL Modifications" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
+				<TargetObject condition="excludes">\Enabled</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Change Winevt Event Access Permission Via Registry,Author=frack113" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\</TargetObject>
+				<TargetObject condition="end with">\ChannelAccess</TargetObject>
+				<Details condition="contains any">(A;;0x1;;;SY);(A;;0x5;;;BA);(A;;0x1;;;LA)</Details>
+				<Image condition="excludes any">C:\Windows\servicing\TrustedInstaller.exe;\TiWorker.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging</TargetObject>
+				<TargetObject condition="end with">\EnableScriptBlockLogging</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging</TargetObject>
+				<TargetObject condition="end with">\EnableScriptBlockLogging</TargetObject>
+				<EventType condition="is any">DeleteKey;DeleteValue</EventType>
+			</Rule>
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Disabling of cmdline Event Logging,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">hklm\software\microsoft\windows\currentversion\policies\system\audit</TargetObject>
+				<TargetObject condition="end with">\ProcessCreationIncludeCmdLine_Enabled</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Disabling of cmdline Event Logging,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">hklm\software\microsoft\windows\currentversion\policies\system\audit</TargetObject>
+				<TargetObject condition="end with">\ProcessCreationIncludeCmdLine_Enabled</TargetObject>
+				<EventType condition="is any">DeleteKey;DeleteValue</EventType>
+			</Rule>
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Eventlog Security Descriptor Modification,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\Eventlog</TargetObject>
+				<TargetObject condition="end with">\CustomSD</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Eventlog Size Modification,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\Eventlog</TargetObject>
+				<TargetObject condition="end with">\MaxSize</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Globally Opened Firewall port exceptions" groupRelation="and">
+				<TargetObject condition="contains">globallyopenports</TargetObject>
+			</Rule>
+			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Firewall Enablement or Disablement" condition="end with">EnableFirewall</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=App added to Firewall Auth list" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
+
+			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=ETWEnabled Env Tampering,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\.NETFramework\ETWEnabled</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Usagelog Tampering,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\.NETFramework\NGenAssemblyUsageLog</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Usagelog Env Tampering,Risk=70" groupRelation="and">
+				<EventType condition="is">SetValue</EventType>
+				<TargetObject condition="contains">\Environment\NGenAssemblyUsageLog</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=COMPlus_ETWEnabled Env Tampering,Risk=70" groupRelation="and">
+				<EventType condition="is">SetValue</EventType>
+				<TargetObject condition="contains">\Environment\COMPlus_ETWEnabled</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Regedit history Detection,Risk=30" groupRelation="and">
+				<TargetObject condition="end with">\LastKey</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Symbolic Registry Link Created" groupRelation="and">
+				<TargetObject condition="contains">SymbolicLinkValue</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Location Registry Change Detected" groupRelation="and">
+				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer</TargetObject>
+				<Image condition="contains any">\AppData\;\ProgramData\;\Temp\;C:\users</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Right to Left hidden Registry key,Risk=40" groupRelation="and">
+				<TargetObject condition="contains">&#x202e;</TargetObject>
+			</Rule>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Remote Registry Setting Keys" condition="begin with">HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg</TargetObject>
+
+			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect System Certificate Modifications" groupRelation="and">
+				<TargetObject condition="contains any">\Software\Policies\Microsoft\SystemCertificates\;\SOFTWARE\Microsoft\EnterpriseCertificates\;HKLM\SOFTWARE\Microsoft\SystemCertificates\;HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
+				<EventType condition="is not">CreateKey</EventType>
+				<Image condition="excludes">C:\WINDOWS\Sysmon64.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\Sysmon.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\system32\certsrv.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\system32\CompatTelRunner.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\system32\svchost.exe</Image>
+				<Image condition="excludes">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
+				<Image condition="excludes">C:\Windows\system32\SearchProtocolHost.exe</Image>
+				<Image condition="excludes">C:\Windows\system32\taskhost.exe</Image>
+				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
+				<Image condition="excludes">C:\WINDOWS\System32\DriverStore\FileRepository\asus</Image>
+				<Image condition="excludes">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image>
+				<Image condition="excludes">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</Image>
+				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe</Image>
+			</Rule>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Remote Desktop fDenyTSConnections modification" condition="contains">fDenyTSConnections</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Remote Desktop Settings keys" condition="contains">Terminal Server\WinStations\RDP-Tcp</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Remote Desktop port modification" condition="end with">RDP-tcp\PortNumber</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Enablement of Multiple RDP Sessions" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
+			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Unicode Replacement Character in Registry key,Risk=20" groupRelation="and">
+				<TargetObject condition="contains">&#xfffd;</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Cryillic Character in Registry key,Risk=100" groupRelation="and">
+				<TargetObject condition="contains any">Й;ќ;Л;я;К</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
+			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
+			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
+			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
+			<TargetObject name="Attack=T1109,Technique=Component Firmware,Tactic=Defense Escalation/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect ACPI Rootkits" condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject>
+			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
+			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
+			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
+			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
+			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
+
+			<!--MITRE ATT&CK TACTIC: Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
+			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
+			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
+			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
+			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
+			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
+			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials: Credentials in Registry-->
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Account Name</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Display Name</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Email</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP User</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP User</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\MAPI Provider</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 User</TargetObject>
+			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP User</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP Password</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP Password</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 Password</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP Password</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Desc=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Credentials in Registry: Domain" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Desc=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Credentials in Registry: Username" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 1,Risk=70" condition="contains">SecurityPasswordAES</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 2,Risk=70" condition="contains">OptionsPasswordAES</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 3,Risk=70" condition="contains">SecurityPasswordExported</TargetObject>
+			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 4,Risk=70" condition="contains">PermanentPassword</TargetObject>
+			<!--MITRE ATT&CK TACTIC: Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
+			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
+			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
+			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
+			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
+
+			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
+			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
+			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
+			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
+
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
+			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
+			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
+
+			<!--MITRE ATT&CK TACTIC: Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
+			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
+			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
+			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
+			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
+			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
+			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
+
+			<!--MITRE ATT&CK TACTIC: Command and Control-->
+			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
+			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
+			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Git For Windows Detection: Revil: Sodinokibi,Risk=50" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\GitForWindows</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
+			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
+			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
+			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
+			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
+			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
+
+			<!--MITRE ATT&CK TACTIC: Exfiltration-->
+
+			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
+			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
+			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
+			<!--MITRE ATT&CK TACTIC: Impact-->
+			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
+			<Rule name="Attack=T1531,Technique=Account Access Removal,Tactic=Impact,DS=Windows Registry: Windows Registry Key Deletion,Level=1,Desc=User Account Deleted" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
+				<EventType condition="is">DeleteKey</EventType>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Desc=Bitlocker Drive Encryption Enabled on System Drive" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BitlockerStatus\BootStatus</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Alert=Bitlocker Drive Encryption Disabled on System Drive" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BitlockerStatus\BootStatus</TargetObject>
+				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
+			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
+			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
+			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
+			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
+			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
+			<Rule name="Attack=T1485,Technique=Inhibit System Recovery,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=VSS Disablement Detection,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">\Services\VSS\Diag\(Default)</TargetObject>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
+			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
+			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
+			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
+			<!-- UEBA/Uncategorized Detections-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lanmanserver Parameters Registry Change Detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lanmanworkstation Parameters Registry Change Detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Regedit history Detection,Risk=30" groupRelation="and">
+				<TargetObject condition="end with">\LastKey</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=TS Farm Disable RDP Detection" groupRelation="and">
+				<TargetObject condition="end with">\WinStationsDisabled</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=TS Farm Drain Mode Modification Detection" groupRelation="and">
+				<TargetObject condition="end with">\TSServerDrainMode</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=IE history Detection" groupRelation="and">
+				<TargetObject condition="end with">\TypedURLs</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IPv6 Changes detected: Disabled Components" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\disabledcomponents</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IPv6 Changes detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Linkage\Bind</TargetObject>
+				<Details condition="excludes">Binary Data</Details>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Network Card Changes detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Service Listening Ports with URL ACL INFO" groupRelation="and">
+				<TargetObject condition="contains">services\http\parameters\urlaclinf</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Adobe Recent File List History" groupRelation="and">
+				<TargetObject condition="contains">cRecentFiles\c1\</TargetObject>
+				<TargetObject condition="end with">tDIText</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Office History MRU" groupRelation="and">
+				<TargetObject condition="end with">\File MRU\Item 1</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Sysmon Config Hash Modification Monitoring" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHash</TargetObject>
+			</Rule>
+			<!--Common Malware Persistence locations-->
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Windows\Load</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Windows\Run</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Winlogon\Shell</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Winlogon\System</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			<TargetObject name="Attack=T1562.006,Technique=Impair Defenses: Indicator Blocking,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=ETW Tampering,Risk=70" condition="end with">SOFTWARE\Microsoft\.NETFramework\ETWEnabled</TargetObject>
+			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject>
+			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=2,Alert=AutoRun Keys,Risk=70" condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Alternate Shell AvailableShells Hijack" condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Alternative Shell Policy" condition="contains">Policies\System\Shell</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AutoStart on Connect" condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AutoStart on Disconnect" condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Chrome Extensions" condition="contains">PreferenceMACs\Default\extensions.settings</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CurrentVersion URL Key" condition="contains">CurrentVersion\URL</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Font Drivers" condition="end with">\CurrentVersion\Font Drivers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Group Policy Shutdown scripts" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Icon Service Lib" condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="contains">NullSessionShares</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="end with">NullSessionPipes</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Password Expiry Info" condition="contains">PasswordExpiryNotification</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Safeboot Alternative Shell hijack" condition="contains">SafeBoot\AlternateShell</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Screen Save on Desktop" condition="contains">Desktop\Scrnsave.exe</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or DisplayVersion modified" condition="end with">\DisplayVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or Modify String modified" condition="end with">\ModifyPath</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or Uninstall String modified" condition="contains">\Microsoft\Windows\CurrentVersion\Uninstall\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or Uninstall String modified" condition="end with">\UninstallString</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Terminal Services Initial Program Key" condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Winlogon Taskman Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
+			<!--CLSID launch commands and file association changes-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=File Extension Mapping" condition="contains">\Explorer\FileExts\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Command Shell install Key" condition="contains">\shell\install\command\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=User SID History for Forensics" condition="end with">\ProfileImagePath</TargetObject>
+			<!--Windows shell hijack-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AllFileSystemObjects Classes" condition="contains">\Classes\AllFilesystemObjects\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Asterisk Classes" condition="contains">\Classes\*\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CFT LangBarAddin" condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=ContextMenuHandlers" condition="contains">\ContextMenuHandlers\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CurrentVersion Shell Keys" condition="contains">\CurrentVersion\Shell</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect ShellExecuteHooks" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Directory Classes" condition="contains">\Classes\Directory\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Drive Classes" condition="contains">\Classes\Drive\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Explorer Shell Execute Hooks" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Folder Classes" condition="contains">\Classes\Folder\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Hidden File Extensions Explorer Setting modification" condition="end with">\HideFileExt</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Internet Explorer Desktop Components" condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Protocol Filter Classes" condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Protocol Handler Classes" condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=SharedTaskScheduler" condition="contains">\SharedTaskScheduler</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Super Hidden File Explorer Setting modification" condition="end with">\ShowSuperHidden</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ColumnHandlers" condition="contains">\ColumnHandlers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: CopyHookHandlers" condition="contains">\CopyHookHandlers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ExtShellFolderView" condition="contains">\ExtShellFolderViews</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: PropertySheetHandlers" condition="contains">\PropertySheetHandlers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ShellServiceObjectDelayLoad" condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ShellServiceObjects" condition="contains">\ShellServiceObjects</TargetObject>
+			<!--AppPaths hijacking-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject>
+			<!--Terminal service boobytraps-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Terminal Services BoobyTraps" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<!--Group Policy interity-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Group Policy interity Detection" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject>
+			<!--Winsock and Winsock2-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Popup Blocker Changes" condition="end with">\3\1809</TargetObject> 
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Protected Mode Changes" condition="end with">\3\2500</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Scripting Mode in Internet Zone Changes" condition="end with">\3\1206</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Security Setting Check Warning Changes" condition="end with">\DisableSecuritySettingsCheck</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Proxy Server Changes" condition="end with">\ProxyServer</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected IE Legacy setting modifications" condition="end with">SavedLegacySettings</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected IE Proxy setting modifications" condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected Modifications of Console Tracing" condition="end with">EnableConsoleTracing</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected Modifications of File Tracing" condition="end with">EnableFileTracing</TargetObject>
+			<!--Credential providers-->
+			<TargetObject name="Attack=T1177,Tactic=Execution/Persistence,Technique=LSASS Driver,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Detection of Modification of LSASS Protection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Authentication PLAP Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Authentication Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Credential provider Filter Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect LSA Credential Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect NETSH Helper DLL Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Security Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject>
+			<!--Networking-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Network Interface Priority ordering" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Monitor Network History" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
+			<!--DLLs that get injected into every process launch-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
+			<!--Office-->
+			<!--Microsoft Office-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Test Autorun Location Monitoring,Risk=40,Author=Hexacorn" condition="contains">Office Test\</TargetObject>
+			<!--IE-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Changes to Internet Explorer Toolbars" condition="contains">\Internet Explorer\Toolbar\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Changes to Internet Explorer Extensions" condition="contains">\Internet Explorer\Extensions\</TargetObject>
+			<!--Magic registry keys-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Browser Helper Object Modifications" condition="contains">\Browser Helper Objects\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Changes to Thumbnail cache autostart" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject>
+			<!--Infection artifacts-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=ClickOnce URL Update Artifact" condition="end with">\UrlUpdateInfo</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Installer Source Artifact" condition="end with">\InstallSource</TargetObject>
+			<!--Windows internals integrity monitoring-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Legacy Drivers Loaded" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect System Policy Changes" condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Windows Defender Policy Changes" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject>
+			<TargetObject name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detect Windows Defender Exclusion Path Changes,Risk=100" condition="contains">\Exclusions\Paths</TargetObject>
+			<TargetObject name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detect Windows Defender Exclusion Extension Changes,Risk=100" condition="contains">\Exclusions\Extensions</TargetObject>
+			<TargetObject name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detect Windows Defender Exclusion Processes Changes,Risk=100" condition="contains">\Exclusions\Processes</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Windows Defender Tamper Protection Modifications" condition="begin with">TamperProtection</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect malware changes to UAC prompt level" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject>
+			<!--Group Policy Scripts-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
+			<!--Detect Network History-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AD Domain Change" condition="end with">Domain</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Default Gateway" condition="end with">DHCPDefaultGateway</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP IP Address" condition="end with">DhcpIPAddress</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Name Server Changes" condition="end with">DhcpNameserver</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Server Change" condition="end with">Dhcpserver</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Subnet mask Change" condition="end with">DhcpSubnetMask</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DNS Server Changes" condition="end with">Nameserver</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Default Gateway" condition="end with">\DefaultGateway</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Network Persistent Route Change" condition="end with">PersistentRoutes</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Network Type Change" condition="end with">}\Category</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Network profile Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Subnet Mask Change" condition="end with">SubnetMask</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User added Macro document to Trusted Records,Risk=30" condition="contains">\Trusted Documents\TrustRecords</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User added Macro document to Trusted Records 2,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Common</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User added Macro trusted certificate,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Trusted</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Security Settings: Monitor changes of security prompts" condition="contains">\Security\DontTrustInstalledFiles</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Trusted Location Changes" condition="contains">\Security\Trusted Locations</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Keys: Monitor Disabling of Internet files in Protected View" condition="end with">Security\ProtectedView\DisableInternetFilesInPV</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Keys: Monitor Disabling of attackments in Protected View" condition="end with">Security\ProtectedView\DisableAttachmentsInPV</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Keys: Monitor Disabling of Unsafe Locations in Protected View" condition="end with">Security\ProtectedView\DisableUnsafeLocationsInPV</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=WinRAR History" condition="contains">Software\WinRAR\ArcHistory</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Winzip History" condition="contains">WinZip\mru\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Misc Recent File List History" condition="contains">Recent File List</TargetObject>
+			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Inbox</TargetObject>
+			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\Today\UserDefinedUrl</TargetObject>
+			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Calendar Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Calendar</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Office History" condition="contains">\Place MRU</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject>
+			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVerVersion</TargetObject>
+			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Path" condition="end with">\LowerCaseLongPath</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Pub" condition="end with">\Publisher</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Store" condition="contains">Compatibility Assistant\Store\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Ver" condition="end with">\BinProductVersion</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Application Shortcuts" condition="contains">Root\InventoryApplicationShortcut\</TargetObject>
+			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Driver Binary Info" condition="contains">Root\InventoryDriverBinary</TargetObject>
+			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Driver Package Info" condition="contains">Root\InventoryDriverPackage</TargetObject>
+			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache PNP Device Info,Desc=Services: New or Updated Drivers" condition="contains">Root\InventoryDevicePnp</TargetObject>
+			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Device Info" condition="contains">Root\InventoryDeviceContainer</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Application Installation Info" groupRelation="and">
+				<TargetObject condition="contains">Root\InventoryApplication\</TargetObject>
+				<TargetObject condition="contains any">ProgramID;Name;Version;Publisher;Language;InstallDate;Source;RootDirPath;HiddenArp;UninstallString;RegistryKeyPath;UserSID;sha256</TargetObject>
+			</Rule>			
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Application File Info" groupRelation="and">
+				<TargetObject condition="contains">Root\InventoryApplicationFile\</TargetObject>
+				<TargetObject condition="contains any">ProgramId;FileId;LowerCaseLongPath;Name;OriginalFileName;Publisher;Version;binfileversion;LinkDate;Size;Language;USN;IsPeFile;IsOsComponent;sha256;AppxPackageFullName</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache AppV Application Inventory" groupRelation="and">
+				<TargetObject condition="contains">Root\InventoryApplicationAppV\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Office Information" groupRelation="and">
+				<TargetObject condition="contains any">Root\InventoryMiscellaneousOfficeAddIn;Root\InventoryMiscellaneousOfficeIdentifiers;Root\InventoryMiscellaneousOfficeIESettings;Root\InventoryMiscellaneousOfficeInsights;Root\InventoryMiscellaneousOfficeProducts;Root\InventoryMiscellaneousOfficeSettings;Root\InventoryMiscellaneousOfficeVBA;Root\InventoryMiscellaneousOfficeVBARuleViolations</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=ISO Drive Mounted" groupRelation="and">
+				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume</TargetObject>
+				<TargetObject condition="end with">Drive Type</TargetObject>
+				<Details condition="contains">DWORD (0x00000011)</Details>
+			</Rule>
+			<TargetObject name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User Mount Points" condition="end with">\Explorer\MountPoints2</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor DOS Devices Virtual Registry Paths" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices</TargetObject>
+			<Rule name="Attack=T1489,Technique=Service Stop,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Set for Deletion" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\DeleteFlag</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<Rule name="Attack=Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: New Kernel Device Driver" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\Type</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: New File System Driver" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\Type</TargetObject>
+				<Details condition="contains">DWORD (0x00000002)</Details>
+			</Rule>
+			<Rule name="Attack=Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: New Adapter Driver" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\Type</TargetObject>
+				<Details condition="contains">DWORD (0x00000004)</Details>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Alert=Services: New System Service: Own Process" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\Type</TargetObject>
+				<Details condition="contains">DWORD (0x00000020)</Details>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Alert=Services: New System Service: Share Process" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\Type</TargetObject>
+				<Details condition="contains">DWORD (0x00000020)</Details>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Alert=Services: New System Service: Interactive" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\Type</TargetObject>
+				<Details condition="contains">DWORD (0x00000100)</Details>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver Group" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\Group</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver DependOnService" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\DependOnService</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver BinaryPathName" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\BinaryPathName</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver RequiredPrivileges" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\RequiredPrivileges</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver Owners: Correlation to Amcache" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\Owners</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver ObjectName: User Service Runs as specified in ServiceStartName" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\ObjectName</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver ObjectName: User Service Runs as" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\ServiceStartName</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver ErrorControl" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\ErrorControl</TargetObject>
+				<!--<Details name="Critical if lastknown good fails bugcheck" condition="contains">DWORD (0x00000003)</Details>
+				<Details name="Severe last known good" condition="contains">DWORD (0x00000002)</Details>
+				<Details name="Normal Boot on failure" condition="contains">DWORD (0x00000001)</Details>
+				<Details name="Ignore Failure"condition="contains">DWORD (0x00000000)</Details>
+				<Details condition="contains">DWORD (0x00000001)</Details>-->
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver DependOnGroup" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\DependOnGroup</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver DisplayName" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\DisplayName</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Group Order Modifications" groupRelation="and">
+				<TargetObject condition="contains">HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder</TargetObject>
+				<TargetObject condition="end with">\List</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Set for Deletion" groupRelation="and">
+				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
+				<TargetObject condition="end with">\Type</TargetObject>
+				<Details condition="contains">DWORD (0x00000001)</Details>
+			</Rule>
+			<!--Detect User Activity-->
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Bluetooth Audio Capture" condition="contains">\ConsentStore\bluetooth</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Contacts Accesses" condition="contains">\ConsentStore\contacts</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Input Capture Accesses/Keyloggers" condition="contains">\ConsentStore\hunmanInterfaceDevice</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Location Accesses" condition="contains">\ConsentStore\location</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Microphone Accesses" condition="contains">\ConsentStore\microphone</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect USB Accesses" condition="contains">\ConsentStore\usb\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Webcam Accesses" condition="contains">\ConsentStore\webcam</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect humanInterfaceDevice Accesses" condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Explorer Last Visited MRU" condition="contains">LastVisitedMRU</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Regedit Applets" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Run MRU" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=USBStor USB Device History" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
+			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Safeboot Service Added" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject>
+			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject>
+			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject>
+			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject>
+			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect: Dns Server dll injection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect: UAC Bypass" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> 
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=New Device Connected" condition="end with">\FriendlyName</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Providers notified by Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Proxy Autoconfig URL" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Shell Service Object Delay Load" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Installer Engaged" condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Process Tracing Modifications,,Risk=30" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject>
+			<Rule name="Alert=Detect PoisonTap,FP=2,Comment=May be noisy" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
+				<Details condition="contains any">ndis;rndis</Details>
+			</Rule>
+			<TargetObject name="Attack=T1090,Technique=Connection Proxy,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=NetSH PortProxy Detected" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4</TargetObject>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Alert=Possible Ursniff Malware Detected,FP=1" groupRelation="and">
+				<TargetObject condition="contains">\Software\AppDataLow\Software\Microsoft\</TargetObject>
+				<Details condition="contains any">.exe;.dll;powershell;wmic</Details>
+			</Rule>
+			<Rule name="Attack=T1562.010,Technique=Impair Defenses: Downgrade Attack,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=NetNTLM downgrade attack" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject>
+				<Details name="You should have this set to 5" condition="excludes">DWORD (0x00000005)</Details>
+			</Rule>
+			<TargetObject name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Office Persistence Location,Risk=70" condition="end with">Software\Microsoft\Office test\Special\Perf</TargetObject>
+			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\CurrentControlSet\Services\NTDS\LsaDbExtPt</TargetObject>
+			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\Services\NTDS\DirectoryServiceExtPt</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=GoToMyPC File Transfer History,Risk=70" condition="contains">GoToMyPc\FileTransfer\history</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=GoToMyPC Guest Invite,Risk=70" condition="contains">GoToMyPc\GuestInvite</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=LogMeIn File Transfer Recipient" condition="contains">Filesharing</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=LogMeIn Guest Recipient" condition="contains">DesktopSharing</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=Teamviewer LogIncomingConnections Registry Key modification" condition="contains">LogIncomingConnections</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=Teamviewer LogOutgoingConnection Registry Key modification" condition="contains">LogOutgoingConnections</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=Teamviewer Password Registry Key date" condition="contains">PermanentPasswordDate</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer adminrights Key modification,Risk=70" condition="contains">Security_Adminrights</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=VNC Incoming Connection History,Risk=70" condition="contains">vncviewer\MRU</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Autostart Key modification" condition="contains">Autostart_GUI</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Meeting Username Registry Key modification" condition="end with">Meeting_UserName</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Persistence Login Name" condition="end with">BuddyLoginName</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Persistence Token ID modification" condition="end with">BuddyLoginTokenID</TargetObject>
+			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer persistence Key modification" condition="contains">Always_Online</TargetObject>
+			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Potential Ransomware Indicator: EnableLinkedConnections Registry key,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\CurrentVersion\Policies\System\EnableLinkedConnections</TargetObject>
+			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Potential Ransomware Indicator: REvil Sodinokibi Sodin Ransomware,Risk=100" condition="contains">Software\recfg</TargetObject>
+			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Preload\</TargetObject>
+			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Substitutes\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\</TargetObject> 
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="end with">\Client\Enabled</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="end with">\Server\Enabled</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Kitty Sessions,Risk=30" condition="contains">Kitty\Sessions</TargetObject>
+			<TargetObject name="Attack=T1562.010,Technique=Impair Defenses: Downgrade Attack,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject>
+			<TargetObject name="Attack=T1562.010,Technique=Impair Defenses: Downgrade Attack,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Putty Sessions,Risk=30" condition="contains">PuTTY\Sessions</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=RDP History,Risk=10" condition="contains">Terminal Server Client\Servers</TargetObject>
+			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
+			<Rule name="Antivirus" groupRelation="or">
+				<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab</Image> 
+				<Image condition="begin with">C:\Program Files\Kaspersky Lab</Image>
+				<Image condition="begin with">C:\Program Files (x86)\ESET</Image>
+				<Image condition="begin with">C:\Program Files\ESET</Image>
+			</Rule>
+		</RegistryEvent>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
+	<!--EVENT 15: "File stream created"-->
+	<RuleGroup name="RG=ADS Include Group" groupRelation="or">
+		<FileCreateStreamHash onmatch="include">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Metadata,Level=0,Desc=Interesting Files temp locations,Risk=10" groupRelation="and">
+				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
+				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.vbs;.hta</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Metadata,Level=4,Alert=HTML_Smuggling,Risk=50" groupRelation="and">
+				<TargetFilename condition="end with">:Zone.Identifier</TargetFilename>
+				<Contents condition="contains any">blob:;about:internet</Contents>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Metadata,Level=4,Alert=FireEye sunburst file hashes,Risk=100" groupRelation="and">
+				<Hash condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hash><!-- exclude non executable files -->
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Metadata,Level=4,Alert=Sept 2022 Exchange 0day DLL detection,Risk=100" groupRelation="or">
+				<Hash condition="contains">SHA256=074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82</Hash><!--Exchange Zero Day Dropped DLL-->
+				<Hash condition="contains">SHA256=45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9</Hash><!--Exchange Zero Day Dropped DLL-->
+				<Hash condition="contains">SHA256=9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0</Hash><!--Exchange Zero Day Dropped DLL-->
+				<Hash condition="contains">SHA256=29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3</Hash><!--Exchange Zero Day Dropped DLL-->
+				<Hash condition="contains">SHA256=c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2</Hash><!--Exchange Zero Day Dropped DLL-->
+				<Hash condition="contains">SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e</Hash><!--Exchange Zero Day Dropped DLL-->
+			</Rule>
+			<Rule name="Attack=T1096,Technique=Alternate Data Streams,Tactic=Defense Evasion,DS=File: File Metadata,Level=0,Desc=Alternate Data Streams,Risk=10" groupRelation="and">
+				<TargetFilename condition="contains any">Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=File: File Metadata,Level=4,Alert=SysmonEnte Detection,DS=File: File Metadata,Level=4,Risk=100" groupRelation="and">
+				<Hash condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hash>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=File: File Metadata,Level=4,Alert=SysmonQuiet Detection,DS=File: File Metadata,Level=4,Risk=100" groupRelation="and">
+				<Hash condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hash>
+			</Rule>
+			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=File: File Metadata,Level=4,Alert=SharpEvtMute Detection,DS=File: File Metadata,Level=4,Risk=100" groupRelation="and">
+				<Hash condition="contains">IMPHASH=330768a4f172e10acb6287b87289d83b</Hash>
+			</Rule>
+		</FileCreateStreamHash>
+	</RuleGroup>
+	<RuleGroup name="RG=ADS Exclude Group" groupRelation="or">
+		<FileCreateStreamHash onmatch="exclude">
+			<Hash condition="contains">IMPHASH=00000000000000000000000000000000</Hash>
+			<TargetFilename condition="contains">AppData\Local\Microsoft\Windows\AppCache\</TargetFilename>
+			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\</TargetFilename>
+			<TargetFilename condition="contains">\Microsoft\Windows\Temporary Internet Files\Content.IE5</TargetFilename> 
+			<TargetFilename condition="contains">\Mozilla\Firefox\Profiles\</TargetFilename>
+			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename>
+			<TargetFilename condition="end with">Microsoft\Windows\Start Menu\Programs\Startup</TargetFilename>
+		</FileCreateStreamHash>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
+	<!--EVENT 16: "Sysmon config state changed"-->
+	<!--COMMENT:	This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16-->
+	<!--DATA: RuleName, UtcTime, Configuration, ConfigurationFileHash-->
+	<!--Cannot be filtered.-->
+
+	<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent]-->
+	<!--EVENT 17: "Pipe Created"-->
+	<!--EVENT 18: "Pipe Connected"-->
+	<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
+	<RuleGroup name="RG=PipeEvent Include Group" groupRelation="or">
+		<PipeEvent onmatch="include">
+			<Rule name="Attack=T1071,Technique=Application Layer Protocol,Tactic=Command and Control,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Cobalt Strike named pipe detected,Risk=100" groupRelation="and">
+				<PipeName condition="contains any">msagent_;\MSSE-;postex;\status_</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=NA,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Turla Advanced Persistent Threat Named Pipe Detection,Risk=100" groupRelation="and">
+				<PipeName condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
+			</Rule>
+			<Rule name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=lateral movement: psexec named pipe detected" groupRelation="or">
+				<PipeName condition="contains">\PSEXESVC</PipeName>
+				<PipeName condition="end with">-stdin</PipeName>
+				<PipeName condition="end with">-stdout</PipeName>
+			</Rule>
+			<Rule name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Impacket PSExec.py Named Pipe Detected" groupRelation="and">
+				<PipeName condition="contains">RemCom_</PipeName>
+				<PipeName condition="contains any">stdin;stdout;stderr;communication</PipeName>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Named Pipe: Named Pipe Metadata,Level=3,Alert=MS-SCMR Execution" groupRelation="or">
+				<PipeName condition="contains">\svcctl</PipeName>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Named Pipe: Named Pipe Metadata,Level=3,Alert=NTSVCS Execution" groupRelation="or">
+				<PipeName condition="contains">\ntsvcs</PipeName>
+				<EventType condition="is">ConnectPipe</EventType>
+			</Rule>
+			<PipeName name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" condition="contains any">\lsadump;\cachedump;\wceservicepipe</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=9f81f59bc58452127884ce513865ed20 Named Pipe Detection,Risk=100" condition="contains">\9f81f59bc58452127884ce513865ed20</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=46a676ab7f179e511e30dd2dc41bd388 Named Pipe Detection,Risk=100" condition="contains">\46a676ab7f179e511e30dd2dc41bd388</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Kekeo Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">tssmp_endpoint</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=NamePipe_MoreWindows Named Pipe Detection,Risk=100,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\NamePipe_MoreWindows</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=WCEServicePipe detected,Risk=,Author=@Cyb3rops/@olafhartong" condition="contains">\WCEServicePipe</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=ahexec Named Pipe Detection,Risk=,Author=@Cyb3rops/@olafhartong" condition="contains">\ahexec</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=cachedump detected,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\cachedumppipe</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=csexec Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\csexec</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=e710f28d59aa529d6792ca6ff0ca1b34 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\e710f28d59aa529d6792ca6ff0ca1b34</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=isapi_dg2 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\isapi_dg</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\isapi_http</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\isapi_http</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=lsadump detected,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\lsadump</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=lsassw Named Pipe Detectio,Risk=10,Author=@Cyb3rops/@olafhartong" condition="contains">\lsassw</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=paexec Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\paexec</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=pcheap_reuse Named Pipe Detection,Author=@Cyb3rops/@olafhartong" condition="contains">\pcheap_reuse</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Covanant C2 Named Pipe Detection,Author=@Cyb3rops/@olafhartong" condition="contains">\gruntsvc</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=remcom Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\remcom</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=rpchlp_3 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\rpchlp_3</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=sdlrpc Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\sdlrpc</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=winsession Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\winsession</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Turla HyperStack Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\adschemerpc</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Hidden Cobra Hoplight Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\AnonymousPipe</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Pacifier Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\bc367</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Pacifier Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\bc31a7</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Emissary Panda Hyerbri Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\testPipe</PipeName>
+			<PipeName name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,DS=Named Pipe: Named Pipe Metadata,Alert=lateral movement -meterpreter named pipe detected,Risk=100" condition="contains">msf-pipe</PipeName>
+			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=LM or EXEC over atsvc named pipe" condition="contains">\atsvc</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Malicious Named Pipe Detection 1" condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
+			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Cobalt Strike Named Pipe Detection 1" groupRelation="and">
+				<PipeName condition="contains any">\DserNamedPipe;\mypipe-;\windows.update.manager;\ntsvcs_;scerpc_;\demoagent;\PGMessagePipe;\MsFTeWds;\f4c3;\fullduplex_;\msrpc_;\f53f;\rpc_;\spoolss_;\win_svc;\SearchTextHarvester;demoagent_</PipeName>
+				<PipeName condition="is not">\wkssvc</PipeName>
+				<PipeName condition="is not">\spoolss</PipeName>
+				<PipeName condition="is not">\scerpc</PipeName>
+				<PipeName condition="is not">\ntsvcs</PipeName>
+				<PipeName condition="is not">\SearchTextHarvester</PipeName>
+				<PipeName condition="is not">\PGMessagePipe</PipeName>
+				<PipeName condition="is not">\MsFteWds</PipeName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=4,Forensic=Detect suspicious named pipe connections to an AD FS WID,Author=Florian Roth" groupRelation="and"> 
+				<EventType condition="is">ConnectPipe</EventType>
+				<PipeName condition="is">\MICROSOFT##WID\tsql\query</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Cobalt Strike Named Pipe Detection 2" groupRelation="and">
+				<PipeName condition="begin with">\Winsock2\CatalogChangeListener-</PipeName>
+				<PipeName condition="end with">-0,</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=EFSPotato Named Pipe Detection" groupRelation="and">
+				<PipeName condition="contains any">\pipe\</PipeName>
+				<PipeName condition="excludes">CtxSharefilepipe0</PipeName>
+			</Rule>
+			<!-- Noisy
+			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=SMB Session Enumeration" condition="contains">\srvsvc</PipeName>
+			-->
+			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=Remote Registry access and enumeration" condition="contains">\winreg</PipeName>
+			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=Anonymous Named Pipe Detected" condition="contains">Anonymous Pipe</PipeName>
+			<!--Include Everything else to mark above rules-->
+			<!-- Disabled for now
+			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=Uncategorized Events" condition="contains">\</PipeName>
+			-->
+		</PipeEvent>
+	</RuleGroup>
+	<RuleGroup name="RG=PipeEvent Exclude Group" groupRelation="or">
+		<PipeEvent onmatch="exclude">
+		<EventType name="Exclude ConnectPipe for noise reduction" condition="is">ConnectPipe</EventType>
+		<!--COMMENT: Exclude known-good pipe users-->
+				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
+				<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
+			<!--SECTION: Microsoft-->
+			<PipeName condition="contains">lsass</PipeName>
+			<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
+			<PipeName condition="is">\spoolss</PipeName>
+			<Image name="This is noisy" condition="image">C:\Windows\system32\wbem\wmiprvse.exe</Image>
+			<Image name="WSL" condition="image">C:\Windows\System32\LxRun.exe</Image>
+			<Image condition="image">C:\Windows\System32\SearchIndexer.exe</Image>
+			<Image condition="image">C:\Windows\System32\smss.exe</Image>
+			<Image condition="image">C:\Windows\System32\spoolsv.exe</Image>
+			<Image condition="image">C:\Windows\System32\wininit.exe</Image>
+			<Image condition="image">C:\Windows\system32\DFSRs.exe</Image>
+			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
+			<Rule name="ngen excludes" groupRelation="and">
+				<Image condition="begin with">C:\Windows\Microsoft.NET\Framework</Image>
+				<Image condition="image">ngen.exe</Image>
+			</Rule>
+			<Rule name="ShellExperienceHost excludes" groupRelation="and">
+				<Image condition="begin with">C:\Windows\SystemApps\ShellExperienceHost_</Image>
+				<Image condition="image">ShellExperienceHost.exe</Image>
+			</Rule>
+			<Image condition="image">C:\Windows\system32\SearchProtocolHost.exe</Image>
+			<Image condition="image">\System</Image>
+			<PipeName condition="contains">ProtectedPrefix\LocalService\FTHPIPE</PipeName>
+			<!--SECTION: Microsoft Exchange Server -->
+			<Image condition="contains">Exchange Server</Image>
+			<!--SECTION: Microsoft IIS -->
+			<Image condition="image">C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE</Image>
+			<Image condition="image">C:\Windows\syswow64\snmp.exe</Image>
+			<Image condition="image">c:\windows\system32\inetsrv\w3wp.exe</Image>
+			<PipeName condition="begin with">\M.E.C.Core.WinRMDataCommunicator.NamedPipe.</PipeName>
+			<!--SECTION: Microsoft DNS Server -->
+			<Image condition="image">C:\Windows\system32\dns.exe</Image>
+			<!--SECTION: Microsoft SQL Server -->
+			<PipeName condition="is">\sql\query</PipeName>
+			<Image condition="image">C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe</Image>
+			<PipeName condition="contains">\TDLN-</PipeName>
+			<PipeName condition="contains">vmware-</PipeName>
+			<PipeName condition="is">\InitShutdown</PipeName>
+			<PipeName condition="is">\MsFteWds</PipeName>
+			<PipeName condition="is">\W32TIME_ALT</PipeName>
+			<PipeName condition="is">\WiFiNetworkManagerTask</PipeName>
+			<PipeName condition="is">\Winsock2CatelogChangeListener</PipeName>
+			<PipeName condition="is">\browser</PipeName>
+			<PipeName condition="is">\epmapper</PipeName>
+			<PipeName condition="is">\eventlog</PipeName>
+			<PipeName condition="is">\scerpc</PipeName>
+			<PipeName condition="is">\wkssvc</PipeName>
+			<PipeName condition="is">\ntapvsrq</PipeName>
+			<PipeName condition="contains">Anonymous Pipe</PipeName>
+		</PipeEvent>
+	</RuleGroup>
+	<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
+	<!--EVENT 19: "WmiEventFilter activity detected"-->
+	<!--EVENT 20: "WmiEventConsumer activity detected"-->
+	<!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->
+	<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
+	<RuleGroup name="RG=WmiEvent Include Group" groupRelation="or">
+		<WmiEvent onmatch="include">
+			<Operation name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=WMI: WMI Creation" condition="is">Created</Operation>
+		</WmiEvent>
+	</RuleGroup>
+	<!-- SYSMON EVENT ID 22 : DNS Queries-->
+	<RuleGroup name="RG=DNS Query Includes" groupRelation="or">
+		<DnsQuery onmatch="include">
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Powershell TXT Record exfiltration" groupRelation="and">
+				<QueryResults condition="contains any">type: 16;type:  16</QueryResults>
+				<Image condition="image">powershell.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Powershell,Tactic=Execution,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Powershell Connection to github" groupRelation="and">
+				<QueryName condition="contains">github</QueryName>
+				<Image condition="image">powershell.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious DNS Requests" groupRelation="and">
+				<Image condition="contains any">powershell;cscript.exe;wscript.exe;mshta.exe;bitsadmin.exe;\cmd.exe</Image>
+				<QueryName condition="contains">.</QueryName>
+			</Rule>
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Dropbox Cloud Exfiltration" groupRelation="and">
+				<QueryName condition="end with">dropboxapi.com</QueryName>
+				<Image condition="excludes any">\Dropbox\Client\Dropbox.exe;\Dropbox\bin\Dropbox.exe;\Oracle\Java\</Image>
+			</Rule>
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=OneDrive Cloud Exfiltration" groupRelation="and">
+				<QueryName condition="contains">1drv</QueryName>
+				<Image condition="excludes any">\AppData\Local\Microsoft\OneDrive\OneDrive.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;\Internet Explorer\iexplore.exe;C:\Windows\System32\AppHostRegistrationVerifier.exe;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe;C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe;C:\Program Files\Mozilla Firefox\firefox.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Box.com Cloud Exfiltration" groupRelation="and">
+				<QueryName condition="contains all">.box.com;upload</QueryName>
+			</Rule>
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Mega.co.nz Cloud Exfiltration" groupRelation="and">
+				<QueryName condition="contains any">mega.nz;mega.co.nz</QueryName>
+			</Rule>
+			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Privatlab Cloud Exfiltration" groupRelation="and">
+				<QueryName condition="contains any">privatlab.com</QueryName>
+			</Rule>
+			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Solarwinds/FireEye sunburst domains,Risk=100" groupRelation="or">
+				<QueryName condition="contains any">thedoccloud.com;deftsecurity.com;websitetheme.com;highdatabase.com;incomeupdate.com;zupertech.com;panhardware.com;databasegalore.com;avsvmcloud.com;freescanonline.com</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Social Networking" groupRelation="or">
+				<QueryName condition="contains any">tiktok;parler.com;gab.com;mewe.com;4chan;8chan;facebook;fbcdn;twitter;instagram;snapchat</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Internet Relay Chat,Risk=70" groupRelation="or">
+				<QueryName condition="contains any">efnet;undernet;freenode;ircnet;.rizon;quakenet;oftc.net;dalnet</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Internet Chat,Risk=20" groupRelation="and">
+				<QueryName condition="contains any">.slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com</QueryName>
+			</Rule>
+			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Advanced IP scanner Detected,Risk=90"  groupRelation="or">
+				<QueryName condition="contains any">advanced-ip-scanner.com</QueryName>
+			</Rule>
+			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Kali Linux Distribution Download/Apt URL,Risk=90"  groupRelation="or">
+				<QueryName condition="contains any">kali.download</QueryName>
+			</Rule>
+			<!--Crypto Currency Mining pools-->
+			<Rule name="Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Crypto Currency Miner Detected,Risk=85"  groupRelation="or">
+				<QueryName condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.nimpool.io;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool;analytics.blue;estream.to</QueryName>
+			</Rule>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Microsoft Graph API Lookup" condition="is">graph.microsoft.com</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Dropbox Download Detected" condition="is">dl.dropboxusercontent.com</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=OneDrive API Lookup" condition="is">api.onedrive.com</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Zoom Hostname Lookup" condition="contains">zoom.us</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Teamviewer Hostname Lookup" condition="contains">teamviewer</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Screenconnect Hostname Lookup" condition="contains">Screenconnect</QueryName>
+			<!--Public Port Scan Detection-->
+			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content" condition="contains">census</QueryName>
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=ResearchScan DNS Query" condition="contains">researchscan</QueryName>
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=ScanHub DNS Query" condition="contains">scanhub</QueryName>
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Shadow DNS Query,Risk=20" condition="contains">shadow</QueryName>
+			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Shodan.IO DNS Query,Risk=20" condition="contains">shodan</QueryName>
+			<!--Domain TLD's to log-->
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Download TLD DNS Query" condition="end with">.download</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=North Korea TLD DNS Query" condition="end with">.kp</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Soviet Union TLD DNS Query" condition="end with">.su</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Sudan TLD DNS Query" condition="end with">.ss</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .xn DNS Query" condition="end with">.xn</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Syria TLD DNS Query" condition="end with">.sy</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Venezuela TLD DNS Query" condition="end with">.ve</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=XXX TLD DNS Query" condition="end with">.xxx</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=China TLD DNS Query" condition="end with">.cn</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Click TLD DNS Query" condition="end with">.click</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Club TLD DNS Query" condition="end with">.club</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=IRAN TLD DNS Query" condition="end with">.ir</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Russian TLD DNS Query" condition="end with">.ru</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .Host DNS Query" condition="end with">.host</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .ICU DNS Query" condition="end with">.icu</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .PW DNS Query" condition="end with">.pw</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .WEBSITE DNS Query" condition="end with">.website</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .ninja DNS Query" condition="end with">.ninja</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .rocks DNS Query" condition="end with">.rocks</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Top TLD DNS Query" condition="end with">.top</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Ukraine TLD DNS Query" condition="end with">.ua</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=XYZ TLD DNS Query" condition="end with">.xyz</QueryName>
+			<!--Malware Domains-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious Domain,Risk=20" groupRelation="and">
+				<QueryName condition="contains any">kuternull.com;rimrun.com;0ffice36o;asushotfix;infestexe;rahasn.webhop.org;rahasn.akamake.net;rahasn.homewealth.biz;winodwsupdates;israirairlines</QueryName>
+			</Rule>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=DNS Query to Github,Risk=20" condition="contains any">githubusercontent.com;github.com</QueryName> 
+			<!--Common Suspicious destinations-->
+			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Malware IP Check,Risk=30" condition="contains any">api.ipify.org;whatismyipaddress.com;edns.ip-api.com;checkip.dyndns.org;icanhazip.com;ifconfig.me;ifconfig.co;ipaddress.com;ipecho.net;ident.me;api.ip.sb;www.myexternalip.com;ip.anysrc.net;wtfismyip.com;myexternalip.com;ipecho.net;checkip.amazonaws.com;goo.gl;git.io;bit.ly;ow.ly;ip-api.com</QueryName> <!--Malware uses to get external IP address-->
+			<!-- Malicious/Suspicious hosting domains-->
+			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Common Malware Hosting Domain: Tiny-share.com,Risk=30" condition="contains any">tiny-share.com;paste.ee;pastebin.com</QueryName>
+			<!--Dynamic DNS Lookups-->
+			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Traffic Content,Level=3,Alert=Dynamic DNS Query" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</QueryName>
+			<QueryName name="Attack=T1188,Technique=Multi-hop Proxy,Tactic=Command And Control,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Tor2Web,Risk=100" condition="contains any">darknet.to;hiddenservice.net;onion.cab;onion.city;onion.direct;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org</QueryName>
+			<QueryName name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=DNS Over HTTPS Detected" condition="contains any">adblock.mydns.network;ibksturm.synology.me;jcdns.fun;ibuki.cgnat.net;dns.twnic.tw;commons.host;doh.dnswarden.com;dns-nyc.aaflalo.me;dns.aaflalo.me;doh.appliedprivacy.net;doh.captnemo.in;doh.tiar.app;doh.tiarap.org;doh.defaultroutes.de;doh.dns.sb;dns.oszx.co;2.dnscrypt-cert.oszx.co;dnscrypt;edns.233py.com;hk-dns.233py.com;hk2dns.233py.com;hkdns.233py.com;hkdns.233py.com;ndns.233py.com;sdns.233py.com;wdns.233py.com;pastebin.com;dns.adguard.com;dns-family.adguard.com;security-filter-dns.cleanbrowsing.org;family-filter-dns.cleanbrowsing.org;adult-filter-dns.cleanbrowsing.org;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;dns.google;doh.opendns.com;dns.quad9.net;dns9.quad9.net;dns10.quad9.net;dns11.quad9.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;doh-ch.blahdns.com;doh-de.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;doh-2.seby.io;doh.seby.io;rdns.faelix.net;doh.li;doh.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=DC Global Catalog Lookup" condition="begin with">gc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._tcp.dc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._udp.dc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Primary DC Lookup" condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
+			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Web Proxy Auto-Discovery Protocol Lookup" condition="begin with">wpad</QueryName>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
+				<QueryName condition="begin with">_ldap.</QueryName>
+				<Image condition="excludes">C:\Windows\</Image>
+				<Image condition="excludes">unknown process</Image>
+				<Image condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\Windows Defender\MsMpEng.exe;C:\Windows\</Image>
+			</Rule>
+			<!--
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=AAAA Lookup" condition="begin with">type:  28</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=CNAME Lookup" condition="begin with">type:  5</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=MX Lookup" condition="begin with">type:  15</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Name Server" condition="begin with">type:  2</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=PTR Lookup" condition="begin with">type:  12</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=SOA Lookup" condition="begin with">type:  6</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=SPF Lookup" condition="begin with">type:  99</QueryResults>
+			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=SRV Lookup" condition="begin with">type:  33</QueryResults>
+			-->
+			<Image name="Attack=None,Technique=None,Tactic=None,DS=None,Information=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
+		</DnsQuery>
+	</RuleGroup>
+	<RuleGroup name="RG=DNS Query Excludes" groupRelation="or">
+		<DnsQuery onmatch="exclude">
+			<!-- Image Exclusions -->
+			<Image condition="begin with">C:\Program Files (x86)\Admin Arsenal\</Image>
+			<Image condition="begin with">C:\Program Files (x86)\CheckPoint\</Image>
+			<Image condition="begin with">C:\Program Files (x86)\Fortinet\</Image>
+			<Image condition="begin with">C:\Program Files (x86)\OpenDNS\OpenDNS Connector</Image>
+			<Image condition="begin with">C:\Program Files (x86)\Razer\Razer Services\</Image>
+			<Image condition="begin with">C:\Program Files (x86)\Trend Micro\</Image>
+			<Image condition="begin with">C:\Program Files (x86)\VMware</Image>
+			<Image condition="begin with">C:\Program Files (x86)\Veeam\</Image>
+			<Image condition="begin with">C:\Program Files\CheckPoint\</Image>
+			<Image condition="begin with">C:\Program Files\Trend Micro\</Image>
+			<Image condition="image">Slack.exe</Image>
+			<Image condition="image">ConnectWise.exe</Image>
+			<Image condition="image">git-remote-https.exe</Image>
+			<Image condition="image">C:\Program Files (x86)\Enpass\Enpass.exe</Image>
+			<Image condition="image">C:\Program Files (x86)\Fiserv\Vision\VisionGUI.NET.exe</Image>
+			<Image condition="image">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image>
+			<Image condition="image">C:\Program Files (x86)\Lenovo\System Update\Tvsukernel.exe</Image>
+			<Image condition="image">C:\Program Files\VMware\vCenter Server\jre\bin\java.exe</Image>
+			<Image condition="image">C:\Program Files\VMware\vCenter Server\python\python.exe</Image>
+			<Image condition="image">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
+			<Image condition="image">C:\Windows\System32\dsregcmd.exe</Image>
+			<Image condition="image">C:\Windows\sysmon64.exe</Image>
+			<Image condition="image">C:\Windows\sysmon.exe</Image>
+			<QueryName condition="begin with">brave-sync.s3.dualstack.</QueryName>
+			<QueryName condition="end with">.salesforceliveagent.com</QueryName>
+			<QueryName condition="is">ads-serve.brave.com</QueryName>
+			<!--Network noise-->
+			<QueryName condition="end with">.msftncsi.com</QueryName> <!--Microsoft proxy detection | Microsoft default exclusion-->
+			<QueryName condition="is">..localmachine</QueryName>
+			<!--Microsoft-->
+			<QueryName condition="end with">-pushp.svc.ms</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
+			<QueryName condition="end with">.b-msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
+			<QueryName condition="end with">.bing.com</QueryName> <!-- Microsoft | Microsoft default exclusion -->
+			<QueryName condition="end with">.hotmail.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.live.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.live.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.microsoft.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.microsoftonline.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.microsoftstore.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.ms-acdc.office.com</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
+			<QueryName condition="end with">.msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
+			<QueryName condition="end with">.msn.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.msocdn.com</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.s-microsoft.com</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.skype.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.skype.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.windows.com</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.windows.net.nsatc.net</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.windowsupdate.com</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.xboxlive.com</QueryName> <!--Microsoft-->
+			<QueryName condition="is">login.windows.net</QueryName> <!--Microsoft-->
+			<!--Microsoft:Office365/AzureAD-->
+			<QueryName condition="end with">.activedirectory.windowsazure.com</QueryName> <!--Microsoft: AzureAD-->
+			<QueryName condition="end with">.msauth.net</QueryName>
+			<QueryName condition="end with">.msftauth.net</QueryName>
+			<QueryName condition="end with">.opinsights.azure.com</QueryName> <!--Microsoft: AzureAD/InTune client event monitoring-->
+			<QueryName condition="is">management.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
+			<QueryName condition="is">outlook.office365.com</QueryName> <!--Microsoft: Protected by HSTS-->
+			<QueryName condition="is">portal.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
+			<!--3rd-party applications-->
+			<QueryName condition="end with">.mozaws.net</QueryName> <!--Mozilla-->
+			<QueryName condition="end with">.mozilla.com</QueryName> <!--Mozilla-->
+			<QueryName condition="end with">.mozilla.net</QueryName> <!--Mozilla-->
+			<QueryName condition="end with">.mozilla.org</QueryName> <!--Mozilla-->
+			<QueryName condition="end with">.spotify.com</QueryName> <!--Spotify-->
+			<QueryName condition="end with">.spotify.map.fastly.net</QueryName> <!--Spotify-->
+			<QueryName condition="end with">googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients1.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients2.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients3.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients4.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients5.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients6.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">cloudsearch.googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">id.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">safebrowsing.googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">www.googleapis.com</QueryName> <!--Google-->
+			<!--Goodlist CDN-->
+			<QueryName condition="end with">.akadns.net</QueryName> <!--AkamaiCDN, extensively used by Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.netflix.com</QueryName>
+			<QueryName condition="end with">.typekit.net</QueryName> <!--Adobe fonts-->
+			<QueryName condition="end with">aspnetcdn.com</QueryName> <!--Microsoft [ https://docs.microsoft.com/en-us/aspnet/ajax/cdn/overview ]-->
+			<QueryName condition="is">ajax.googleapis.com</QueryName>
+			<QueryName condition="is">cdnjs.cloudflare.com</QueryName>
+			<QueryName condition="is">cdnjs.cloudflare.com</QueryName> <!--Cloudflare: Hosts popular javascript libraries-->
+			<QueryName condition="is">fonts.googleapis.com</QueryName> <!--Google fonts-->
+			<!--Personal-->
+			<QueryName condition="end with">.steamcontent.com</QueryName> <!--If you seriously host malware C2 in game binaries in Steam, I give up-->
+			<!--Web resources-->
+			<QueryName condition="end with">.disqus.com</QueryName> <!--Microsoft default exclusion-->
+			<QueryName condition="end with">.fontawesome.com</QueryName>
+			<QueryName condition="is">disqus.com</QueryName> <!--Microsoft default exclusion-->
+			<!--Ads-->
+			<QueryName condition="end with">.1rx.io</QueryName> <!--Ads-->
+			<QueryName condition="end with">.2mdn.net</QueryName> <!--Ads: Google | Microsoft default exclusion-->
+			<QueryName condition="end with">.adadvisor.net</QueryName> <!--Ads: Neustar [ https://better.fyi/trackers/adadvisor.net/ ] -->
+			<QueryName condition="end with">.adap.tv</QueryName> <!--Ads:AOL | Microsoft default exclusion [ https://www.crunchbase.com/organization/adap-tv ] -->
+			<QueryName condition="end with">.addthis.com</QueryName> <!--Ads:Oracle | Microsoft default exclusion [ https://en.wikipedia.org/wiki/AddThis ] -->
+			<QueryName condition="end with">.adform.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adnxs.com</QueryName> <!--Ads: AppNexus | Microsoft default exclusion-->
+			<QueryName condition="end with">.adroll.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adrta.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adsafeprotected.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adsrvr.org</QueryName> <!--Ads-->
+			<QueryName condition="end with">.advertising.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.analytics.yahoo.com</QueryName> <!--Ads:Yahoo-->
+			<QueryName condition="end with">.aol.com</QueryName> <!--Ads | Microsoft default exclusion -->
+			<QueryName condition="end with">.betrad.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.bidswitch.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.casalemedia.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.chartbeat.net</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/chartbeat.com/ ]-->
+			<QueryName condition="end with">.cnn.com</QueryName> <!-- Microsoft default exclusion-->
+			<QueryName condition="end with">.convertro.com</QueryName> <!--Ads:Verizon-->
+			<QueryName condition="end with">.criteo.com</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
+			<QueryName condition="end with">.criteo.net</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
+			<QueryName condition="end with">.crwdcntrl.net</QueryName> <!--Ads: Lotame [ https://better.fyi/trackers/crwdcntrl.net/ ] -->
+			<QueryName condition="end with">.demdex.net</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.domdex.com</QueryName> 
+			<QueryName condition="end with">.dotomi.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.doubleclick.net</QueryName> <!--Ads:Conversant | Microsoft default exclusion [ https://www.crunchbase.com/organization/dotomi ] -->
+			<QueryName condition="end with">.doubleverify.com</QueryName> <!--Ads: Google-->
+			<QueryName condition="end with">.emxdgt.com</QueryName> <!--Ads: EMX-->
+			<QueryName condition="end with">.exelator.com</QueryName> <!--Ads:Nielson Marketing Cloud-->
+			<QueryName condition="end with">.google-analytics.com</QueryName> <!--Ads:Google | Microsoft default exclusion-->
+			<QueryName condition="end with">.googleadservices.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.googlesyndication.com</QueryName> <!--Ads:Google, sometimes called during malicious ads, but not directly responsible | Microsoft default exclusion [ https://www.hackread.com/wp-content/uploads/2018/06/Bitdefender-Whitepaper-Zacinlo.pdf ]-->
+			<QueryName condition="end with">.googletagmanager.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.googlevideo.com</QueryName> <!--Google | Microsoft default exclusion-->
+			<QueryName condition="end with">.gstatic.com</QueryName> <!--Google | Microsoft default exclusion-->
+			<QueryName condition="end with">.gvt1.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.gvt2.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.ib-ibi.com</QueryName> <!--Ads: Offerpath [ https://better.fyi/trackers/ib-ibi.com/ ] -->
+			<QueryName condition="end with">.jivox.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.mathtag.com</QueryName> <!--Microsoft default exclusion-->
+			<QueryName condition="end with">.moatads.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.moatpixel.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.mookie1.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.myvisualiq.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.netmng.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.openx.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.optimizely.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.outbrain.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.pardot.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.phx.gbl</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.pinterest.com</QueryName> <!--Pinerest-->
+			<QueryName condition="end with">.pubmatic.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.quantcount.com</QueryName>
+			<QueryName condition="end with">.quantserve.com</QueryName>
+			<QueryName condition="end with">.revsci.net</QueryName> <!--Ads:Omniture | Microsoft default exclusion-->
+			<QueryName condition="end with">.rfihub.net</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.rlcdn.com</QueryName> <!--Ads: Rapleaf [ https://better.fyi/trackers/rlcdn.com/ ] -->
+			<QueryName condition="end with">.rubiconproject.com</QueryName> <!--Ads: Rubicon Project | Microsoft default exclusion [ https://better.fyi/trackers/rubiconproject.com/ ] -->
+			<QueryName condition="end with">.scdn.co</QueryName> <!--Spotify-->
+			<QueryName condition="end with">.scorecardresearch.com</QueryName> <!--Ads: Comscore | Microsoft default exclusion-->
+			<QueryName condition="end with">.serving-sys.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.sharethrough.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.simpli.fi</QueryName>
+			<QueryName condition="end with">.sitescout.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.smartadserver.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.snapads.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.spotxchange.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.taboola.com</QueryName> <!--Ads:Taboola-->
+			<QueryName condition="end with">.taboola.map.fastly.net</QueryName> <!--Ads:Taboola-->
+			<QueryName condition="end with">.tapad.com</QueryName>
+			<QueryName condition="end with">.tidaltv.com</QueryName> <!--Ads: Videology [ https://better.fyi/trackers/tidaltv.com/ ] -->
+			<QueryName condition="end with">.trafficmanager.net</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.tremorhub.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.tribalfusion.com</QueryName> <!--Ads: Exponential [ https://better.fyi/trackers/tribalfusion.com/ ] -->
+			<QueryName condition="end with">.turn.com</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/turn.com/ ] -->
+			<QueryName condition="end with">.twimg.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.tynt.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.w55c.net</QueryName> <!--Ads:dataxu-->
+			<QueryName condition="end with">.ytimg.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.zorosrv.com</QueryName> <!--Ads:Taboola-->
+			<QueryName condition="end with">ads.yahoo.com</QueryName> <!--Ads: Yahoo-->
+			<QueryName condition="is">1rx.io</QueryName>
+			<QueryName condition="is">adservice.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">ampcid.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clientservices.googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">d29x207vrinatv.cloudfront.net</QueryName> <!--Amazon-developed applications-->
+			<QueryName condition="is">googleadapis.l.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">imasdk.googleapis.com</QueryName> <!--Google [ https://developers.google.com/interactive-media-ads/docs/sdks/html5/ ] -->
+			<QueryName condition="is">l.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">ml314.com</QueryName> <!--Ads-->
+			<QueryName condition="is">mtalk.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">update.googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">www.googletagservices.com</QueryName>
+			<!--SocialNet-->
+			<QueryName condition="end with">.pscp.tv</QueryName> <!--Twitter:Periscope-->
+			<!--OSCP/CRL Common-->
+			<QueryName condition="contains">adsniper.ru</QueryName>
+			<QueryName condition="contains">cdnvideo.ru</QueryName>
+			<QueryName condition="contains">chat.minergate.com</QueryName>
+			<QueryName condition="contains">cwsa.minergate.com</QueryName>
+			<QueryName condition="contains">forum.minergate.com</QueryName>
+			<QueryName condition="contains">leadlab.click</QueryName>
+			<QueryName condition="contains">mc.yandex.ru</QueryName>
+			<QueryName condition="contains">pool.ntp.org</QueryName>
+			<QueryName condition="contains">vmg.host</QueryName>
+			<QueryName condition="contains">yandex.ru</QueryName>
+			<QueryName condition="end with">.adobe.com</QueryName>
+			<QueryName condition="end with">.autodesk.com</QueryName>
+			<QueryName condition="end with">.avast.com</QueryName>
+			<QueryName condition="end with">.avcdn.net</QueryName>
+			<QueryName condition="end with">.cdn.bitdefender.net</QueryName>
+			<QueryName condition="end with">.digicert.com</QueryName>
+			<QueryName condition="end with">.eset.com</QueryName>
+			<QueryName condition="end with">.globalsign.com</QueryName>
+			<QueryName condition="end with">.globalsign.net</QueryName>
+			<QueryName condition="end with">.intuit.com</QueryName>
+			<QueryName condition="end with">.java.com</QueryName>
+			<QueryName condition="end with">.macromedia.com</QueryName>
+			<QueryName condition="end with">.oracle.com</QueryName>
+			<QueryName condition="end with">.quickbooks.com</QueryName>
+			<QueryName condition="end with">.usertrust.com</QueryName>
+			<QueryName condition="end with">amazontrust.com</QueryName>
+			<QueryName condition="end with">ocsp.identrust.com</QueryName>
+			<QueryName condition="end with">pki.goog</QueryName>
+			<QueryName condition="is">ads.playground.xyz</QueryName>
+			<QueryName condition="is">citrixupdates.cloud.com</QueryName>
+			<QueryName condition="is">forticlient.fortinet.net</QueryName>
+			<QueryName condition="is">mft10.onbaseonline.com</QueryName>
+			<QueryName condition="is">msocsp.com</QueryName> <!--Microsoft:OCSP-->
+			<QueryName condition="is">ocsp.comodoca.com</QueryName>
+			<QueryName condition="is">ocsp.cybertrust.ne.jp</QueryName>
+			<QueryName condition="is">ocsp.entrust.net</QueryName>
+			<QueryName condition="is">ocsp.entrust.net</QueryName>
+			<QueryName condition="is">ocsp.godaddy.com</QueryName>
+			<QueryName condition="is">ocsp.int-x3.letsencrypt.org</QueryName>
+			<QueryName condition="is">ocsp.intel.com</QueryName>
+			<QueryName condition="is">ocsp.msocsp.com</QueryName> <!--Microsoft:OCSP-->
+			<QueryName condition="is">ocsp.quovadisglobal.com</QueryName>
+			<QueryName condition="is">ocsp.quovadisoffshore.com</QueryName>
+			<QueryName condition="is">ocsp.sectigo.com</QueryName>
+			<QueryName condition="is">ocsp.starfieldtech.com</QueryName>
+			<QueryName condition="is">ocsp.thawte.com</QueryName>
+			<QueryName condition="is">ocsp.trustwave.com</QueryName>
+			<QueryName condition="is">ocsp.verisign.com</QueryName>
+			<QueryName condition="is">pki-goog.l.google.com</QueryName>
+			<QueryName condition="is">pki.intel.com</QueryName>
+			<QueryName condition="is">scrootca1.ocsp.secomtrust.net</QueryName>
+			<QueryName condition="is">scrootca2.ocsp.secomtrust.net</QueryName>
+			<QueryName condition="is">stats.anchor.host</QueryName>
+			<QueryName condition="is">status.rapidssl.com</QueryName>
+			<QueryName condition="is">status.thawte.com</QueryName>
+			<QueryName condition="is">ts-ocsp.ws.symantec.com</QueryName>
+			<QueryName condition="is">upgrade.bitdefender.com</QueryName>
+		</DnsQuery>
+	</RuleGroup>
+	<!-- SYSMON EVENT ID 23 : File Delete and overwrite events which saves a copy to the archivedir: Includes -->
+	<!-- Default set to disabled due to disk space implications, enable with care!-->
+	<RuleGroup groupRelation="or">
+	  <FileDelete onmatch="include" />
+	</RuleGroup>
+	<!-- SYSMON EVENT ID 24 : Clipboard change events, only captures text, not files: Includes -->
+	<!-- Default set to disabled due to privacy implications and potential data you leave for attackers, enable with care!-->
+	<RuleGroup groupRelation="or">
+	  <ClipboardChange onmatch="include" />
+	</RuleGroup>
+	<!--SYSMON EVENT ID 25 : Process tampering events-->
+	<RuleGroup name="RG=Process Tampering Includes" groupRelation="or">
+		<ProcessTampering onmatch="include">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Process Tampering Detected" groupRelation="and">
+				<Image condition="contains any">.;&gt;;unknown;anonymous</Image>
+				<Image condition="excludes">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
+				<Image condition="excludes">C:\Program Files (x86)\Symantec\</Image>
+				<Image condition="excludes">C:\Program Files\Google\Chrome\Application\chrome.exe</Image>
+				<Image condition="excludes">C:\Program Files\Symantec\</Image>
+			</Rule>
+		</ProcessTampering>
+	</RuleGroup>
+	<RuleGroup name="RG=Process Tampering Excludes" groupRelation="or">
+		<ProcessTampering onmatch="exclude">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=exclude common noise" groupRelation="and">
+				<Image condition="contains any">\BHO\ie_to_edge_stub.exe;\Microsoft\Teams\;\Vivaldi\Application\;Google\Chrome\;Google\Update;BraveSoftware\Brave-Browser\;Edge\Application\;EdgeUpdate\Install\;Program Files\SmartGit\</Image>
+			</Rule>
+		</ProcessTampering>
+	</RuleGroup>
+	<!-- SYSMON EVENT ID 26 : File Delete and overwrite events, does NOT save the file: Includes -->
+	<RuleGroup groupRelation="or">
+		<FileDeleteDetected onmatch="include">
+		</FileDeleteDetected>
+	</RuleGroup>
+	<RuleGroup groupRelation="or">
+		<FileDeleteDetected onmatch="exclude">
+			<Image condition="contains all">\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
+			<User condition="contains any">NETWORK SERVICE; LOCAL SERVICE</User>
+		</FileDeleteDetected>
+	</RuleGroup>
+	</EventFiltering>
+</Sysmon>
\ No newline at end of file

From f93cc992d3281039b2f88041737997266af23db3 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 27 Jun 2023 16:53:25 -0400
Subject: [PATCH 438/471] Updates from @NerbalOne

---
 sysmonconfig-export.xml | 5076 +++++++++++++++++++++++++++++----------
 1 file changed, 3828 insertions(+), 1248 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 30796a47..f37910c1 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -4,15 +4,16 @@
 	 _\ \/ // (_-</  ' \/ _ \/ _ \  / __ |/ /   / /  > _/_ _/ /__/ ,<   
 	/___/\_, /___/_/_/_/\___/_//_/ /_/ |_/_/   /_/  |_____/ \___/_/|_|  
 		/___/                                                           
-	author:	ionstorm
-	project:	https://github.com/ion-storm/sysmon-config
-	license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
-	Methodology: Detect the Most Techniques per Data source in MITRE ATT&CK.
-				 Provide Visibility into Forensic Artifact Events for UEBA.
-				 Detect Exploitation events with wide CVE Coverage.
-				 Risk Scoring of CVE, UEBA, Forensic, MITRE ATT&CK Events.
+	Author:	ionstorm
+	Contributors: NerbalOne
+	Project:	https://github.com/ion-storm/sysmon-config
+	License:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
+	Methodology: Detect the most Techniques per data source in MITRE ATT&CK.
+				 Provide visibility into forensic artifact events for UEBA.
+				 Detect exploitation events with wide CVE coverage.
+				 Risk scoring of CVE, UEBA, Forensic, MITRE ATT&CK events.
 				 
-				 Primary Tags:
+				 PRIMARY TAGS:
 				 Attack: Mitre ATT&CK Identifier
 				 Technique: Mitre ATT&CK Technique
 				 Tactic: Mitre ATT&CK Tactic
@@ -28,7 +29,7 @@
 				 FP: False Positive Rate
 				 Author: Author of rule
 				 
-				 Additional Tag Details:
+				 ADDITIONAL TAG DETAILS:
 				 Rapid Response Tags: (for EDR/XDR/SIEM Response & Automation)
 				 kp=y 	Kill process with child processes
 				 kpp=y 	Kill Parent Processes & all Child Processes
@@ -125,12 +126,16 @@
 			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
 			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
 			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
-			<CommandLine name="Attack=T1584.002,Technique=Compromise Infrastructure: DNS Server,Tactic=Resource Development,DS=Process: Process Creation,Level=4,Alert=DNSCMD DLL exec" condition="contains">/serverlevelplugindll</CommandLine>
+			<Rule name="Attack=T1584.002,Technique=Compromise Infrastructure: DNS Server,Tactic=Resource Development,DS=Process: Process Creation,Level=4,Alert=DNSCMD DLL exec" groupRelation="and">
+				<CommandLine condition="contains">/serverlevelplugindll</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
 			<Rule name="Attack=T1587.003,Technique=Develop Capabilities: Digital Certificates,Tactic=Resource Development,Level=3,DS=Process: Process Creation,Alert=netsh adding SSL Certificate,Risk=40" groupRelation="and">
 				<CommandLine condition="contains all">add;sslcert;http</CommandLine> 
 			</Rule>
-			<CommandLine name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=netsh removing SSL Certificate,Risk=40" condition="contains">http del sslcert</CommandLine>
+			<Rule name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=netsh removing SSL Certificate,Risk=40" groupRelation="and">
+				<CommandLine condition="contains">http del sslcert</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
 			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
 			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
@@ -153,6 +158,7 @@
 				<ParentImage condition="contains any">iexplore.exe;chrome.exe;firefox.exe;browser_broker.exe;vivaldi.exe;microsoftedge.exe;microsoftedgecp.exe;brave.exe;vivaldi.exe</ParentImage>
 				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
 				<ParentCommandLine condition="excludes any">apt-config</ParentCommandLine>
+				<CommandLine condition="excludes">SentinelBrowserNativeHost.exe</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1189,Technique=Drive-by Compromise,Tactic=Initial Access,DS=Process: Process Creation,Level=3,Alert=Exploiting SetupComplete.cmd,CVE=CVE-2019-1378,Risk=70" groupRelation="and">
 				<CommandLine condition="contains any">cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd;cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd</CommandLine>
@@ -259,6 +265,7 @@
 				<ParentImage condition="contains any">C:\Users\;$Recycle;\Temp\;\Downloads\</ParentImage>
 				<CommandLine condition="is">\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1</CommandLine>
 				<Image condition="image">conhost.exe</Image>
+				<ParentImage condition="excludes any">C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\Msp.Ecosystem.Discovery.exe;TCIntegratorCommHelper.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Console Host Parents,Risk=30" groupRelation="and">
 				<ParentImage condition="contains any">svchost.exe;lsass.exe;services.exe;smss.exe;winlogon.exe;explorer.exe;dllhost.exe;rundll32.exe;regsvr32.exe;userinit.exe;winit.exe;spoolsv.exe;wermgr.exe;csrss.exe;ctfmon.exe;werfault.exe</ParentImage>
@@ -342,11 +349,21 @@
 				<CommandLine condition="excludes any">C:\Windows\system32\spool\DRIVERS</CommandLine>
 				<Company condition="excludes any">Brother Industries;Thomson Reuters</Company>
 			</Rule>
-			<ParentCommandLine name="Attack=T1059.001,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Metasploit Detection,Risk=90" condition="contains">COMSPEC</ParentCommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=ScriptFile execution" condition="contains">ScriptFile</CommandLine>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from 7z Archive File,Risk=50" condition="contains">\Temp\7z</CommandLine><!-- exec from 7zip -->
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from Explorer Archive File,Risk=50" condition="contains">\Temp\Temp1_</CommandLine><!-- exec from explorer -->
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from winrar Archive File,Risk=50" condition="contains">\Temp\Rar$</CommandLine><!-- exec from winrar -->
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Metasploit Detection,Risk=90" groupRelation="and">
+				<ParentCommandLine condition="contains">COMSPEC</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=ScriptFile execution" groupRelation="and">
+				<CommandLine condition="contains">ScriptFile</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from 7z Archive File,Risk=50" groupRelation="and">
+				<CommandLine condition="contains">\Temp\7z</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from Explorer Archive File,Risk=50" groupRelation="and">
+				<CommandLine condition="contains">\Temp\Temp1_</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from winrar Archive File,Risk=50" groupRelation="and">
+				<CommandLine condition="contains">\Temp\Rar$</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
 			<Rule name="Attack=T1059.001,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Powershell Launched from users folder,Risk=60" groupRelation="and">
 				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
@@ -354,13 +371,23 @@
 				<ParentImage condition="excludes">Microsoft VS Code\Code.exe</ParentImage>
 				<ParentImage condition="excludes">\Deployment tool extract\setupodt.exe</ParentImage>
 			</Rule>
-			<CommandLine name="Attack=T1059.001,Technique=PowerShell,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=invoke-shellcode,Risk=100" condition="contains">Shellcode</CommandLine>
+			<Rule name="Attack=T1059.001,Technique=PowerShell,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=invoke-shellcode,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">Shellcode</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Python Execution,Tactic=Privilege Escalation" condition="image">python.exe</Image>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=4,Alert=IronPython,Tactic=Privilege Escalation" groupRelation="and">
+				<Image condition="image">ipy.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Python Execution,Tactic=Privilege Escalation" groupRelation="and">
+				<Image condition="image">python.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
-			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=JAVA DLL exec" condition="contains">-agentpath:</CommandLine>
-			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=JAVA DLL exec" condition="contains">-agentlib:</CommandLine>
+			<Rule name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=JAVA DLL exec" groupRelation="and">
+				<CommandLine condition="contains">-agentpath:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=JAVA DLL exec" groupRelation="and">
+				<CommandLine condition="contains">-agentlib:</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
 			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
@@ -474,21 +501,31 @@
 				<ParentImage condition="contains any">powershell.exe;pwsh.exe;cmd.exe;mshta.exe;cscript.exe;wscript.exe;wsl.exe;rundll32.exe;regsvr32.exe</ParentImage>
 				<Image condition="image">msdt.exe</Image>
 			</Rule>
-			<ParentImage condition="image" name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Exploit - Equation Editor starts application,CVE=CVE-2017-11882">EQNEDT32.EXE</ParentImage> <!-- https://app.any.run/tasks/dfea0112-6fbe-4091-9161-1e8f25f611b0/-->
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Exploit - Equation Editor starts application,CVE=CVE-2017-11882" groupRelation="and"> <!-- https://app.any.run/tasks/dfea0112-6fbe-4091-9161-1e8f25f611b0/-->
+				<ParentImage condition="image">EQNEDT32.EXE</ParentImage>
+			</Rule>
 			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=EPS Processing 0day,Risk=100,CVE=CVE-2017-0261" groupRelation="and">
 				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</ParentImage>
 				<Image condition="image">FLTLDR.EXE</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
-			<CommandLine name="Attack=T1559.002,Technique=Dynamic Data Exchange,Tactic=Execution,DS=Process: Process Creation," condition="contains any">/dde;-dde</CommandLine>
+			<Rule name="Attack=T1559.002,Technique=Dynamic Data Exchange,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<CommandLine condition="contains any">/dde;-dde</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Native API-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
 			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scheduled Task Created,Risk=100" groupRelation="and">
 				<Image condition="image">schtasks.exe</Image>
 				<CommandLine condition="contains any">/create;-create;/change;-change</CommandLine>
 				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
+				<ParentImage condition="excludes">C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe</ParentImage>
+				<CommandLine condition="excludes">Sentinel\AutoRepair</CommandLine>
+				<CommandLine condition="excludes">Update_Sysmon_Rules</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scheduled Task Created,Risk=100" groupRelation="and">
+				<OriginalFileName condition="is">taskeng.exe</OriginalFileName>
+				<FileVersion condition="excludes">6.3.9600.20773 (winblue_ltsb_escrow.221219-1740)</FileVersion>
 			</Rule>
-			<OriginalFileName name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scheduled Task Created,Risk=1" condition="is">taskeng.exe</OriginalFileName>
 			<Rule name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Schtasks task Run,Risk=60" groupRelation="and">
 				<Image condition="image">schtasks.exe</Image>
 				<CommandLine condition="contains any">/Run;-run</CommandLine>
@@ -498,10 +535,14 @@
 			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=Child process from schtasks" groupRelation="and">
 				<ParentImage condition="image">schtasks.exe</ParentImage>
 				<ParentCommandLine condition="excludes">schtasks /TN RtkAudUService64_BG</ParentCommandLine>
-				<ParentCommandLine condition="excludes any">-change;/change;-delete;/delete;-create;/create</ParentCommandLine>
+				<ParentCommandLine condition="excludes any">-change;/change;-delete;/delete;-create;/create;Update_Sysmon_Rules</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1053.002,Technique=Scheduled Task/Job: At,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=at.exe Task scheduler execution" groupRelation="and">
+				<Image condition="image">at.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1053.002,Technique=Scheduled Task/Job: At,Tactic=Execution/Persistence/Privledge Escalation,DS=Process: Process Creation,Level=2,Alert=at.exe Task scheduler execution" groupRelation="and">
+				<ParentImage condition="image">at.exe</ParentImage>
 			</Rule>
-			<Image name="Attack=T1053.002,Technique=Scheduled Task/Job: At,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</Image>
-			<ParentImage name="Attack=T1053.002,Technique=Scheduled Task/Job: At,Tactic=Execution/Persistence/Privledge Escalation,DS=Process: Process Creation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</ParentImage>
 			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Scheduled Task Started,Risk=0" groupRelation="and">
 				<ParentImage condition="image">C:\Windows\System32\svchost.exe</ParentImage>
 				<ParentCommandLine condition="contains all">netsvcs;-p;-s;Schedule</ParentCommandLine>
@@ -539,13 +580,18 @@
 			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation,Level=2,Alert=Service binpath modification,Risk=100" groupRelation="and">
 				<Image condition="image">sc.exe</Image>
 				<CommandLine condition="contains all">config;binpath</CommandLine>
+				<ParentCommandLine condition="excludes">Ecosystem.AgentSetup.tmp</ParentCommandLine>
 			</Rule>
 			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Shell as System Service,Risk=100" groupRelation="and">
 				<Image condition="contains any">cmd.exe;powershell.exe</Image>
 				<ParentImage condition="image">services.exe</ParentImage>
 			</Rule>
-			<CommandLine name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=Service added via Powershell,Risk=50" condition="contains">new-service</CommandLine>
-			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PSEXESVC Child Process,Risk=100" condition="image">psexesvc.exe</ParentImage>
+			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=Service added via Powershell,Risk=50" groupRelation="and">
+				<CommandLine condition="contains">new-service</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PSEXESVC Child Process,Risk=100" groupRelation="and">
+				<ParentImage condition="image">psexesvc.exe</ParentImage>
+			</Rule>
 			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PSexec Execution,Risk=100" groupRelation="or">
 				<Description condition="contains">Execute processes remotely</Description>
 				<Image condition="contains">psexe</Image>
@@ -559,9 +605,15 @@
 				<Description condition="contains">Execute processes remotely</Description>
 				<CommandLine condition="contains any">-s;/s</CommandLine>
 			</Rule>
-			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PSexec Child Process,Risk=100" condition="image">psexec.exe</ParentImage>
-			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=2,Alert=PSKill Execution,Risk=100" condition="image">pskill.exe</ParentImage>
-			<Image name="Attack=T1035,Technique=Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=PsKill Command" condition="contains">pskill</Image>
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PSexec Child Process,Risk=100" groupRelation="and">
+				<ParentImage condition="image">psexec.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=2,Alert=PSKill Execution,Risk=100" groupRelation="and">
+				<ParentImage condition="image">pskill.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=PsKill Command" groupRelation="and">
+				<Image condition="contains">pskill</Image>
+			</Rule>
 			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Network Service Child Processes,Risk=75" groupRelation="and">
 				<ParentCommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k NetworkService -p</ParentCommandLine>
 			</Rule>
@@ -586,21 +638,36 @@
 			</Rule>
 			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious or Malicious Command Line events" groupRelation="and">
 				<CommandLine condition="contains any">ntdsutil;/set {default} recoveryenabled no;telnet ;-dumpcr;putty;bash.exe;pssh;shareenum;sekurlsa;reg save;reg  save;psscan;shellexec;vbscript:createobject;/output:clipboard;root\\default;root\\subscription;Wmiclass;WmiCl'+'as'+'s;export-mft;ApplicationImpersonation</CommandLine>
+				<Image condition="excludes">C:\Program Files (x86)\mRemoteNG\PuTTYNG.exe</Image> <!--Remove this exclusion if mRemoteNG is not allowed in your environment-->
 			</Rule>
 			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Powershell Suspicious or Malicious events" groupRelation="or">
 				<CommandLine condition="contains any">ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy</CommandLine>
 				<ParentCommandLine condition="contains any">ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy</ParentCommandLine>
 			</Rule>
-			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Ramnit Banker Malware,Risk=100" condition="contains">--disable-http2 --disable-quic</CommandLine>
-			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=DNSpionage Link click,Risk=100" condition="contains">/Client/Login?id=</CommandLine>
-			<ParentCommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Emotet Child Process Detected" condition="contains">JABzA</ParentCommandLine>
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Ramnit Banker Malware,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">--disable-http2 --disable-quic</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=DNSpionage Link click,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">/Client/Login?id=</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Emotet Child Process Detected" groupRelation="and">
+				<ParentCommandLine condition="contains">JABzA</ParentCommandLine>
+			</Rule>
 			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Malicious Hash Detected" groupRelation="or">
 				<Hashes condition="contains any">2f40abbb4f78e77745f0e657a19903fc953cc664;478dc5a5f934c62a9246f7d1fc275868f568bc07;37b4496e650b3994312c838435013560b3ca8571;37b4496e650b3994312c838435013560b3ca8571;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;807d86da63f0db1fc746d1f0b05bc357;849a2b0dc80aeca3d175c139efe5221c;86A4CAC227078B9C95C560C8F0370BF0;98908ce6f80ecc48628c8d2bf5b2a50c;a4b42c2c95d1f2ff12171a01c86cd64f;4abe604916c04fe3dd8b9cb3d501d3f;eac3e3ece94bc84e922ec077efb15edd;128CECC59C91C0D0574BC1075FE7CB40;88777aacd5f16599547926a4c9202862;0f49621b06f2cdaac8850c6e9581a594;17a36ac3e31f3a18936552aff2c80249;322cb39bc049aa69136925137906d855;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;3d129263f6a48647f103a04446fb0c2f;37cd353621b0f4fc6981b50071c94f01;1b60021baedc3f9201bcdb40e9b87f62;71345b139166482acaa568ac8816c7bc;5E022694C0DBD1FBBC263D608E577949;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc5733c013378fa418d13773f5bfe6f1;c579341f86f7e962719c7113943bb6e4;d326e629a90e78825645963b35e53a6a;5E022694C0DBD1FBBC263D608E577949;53841a0c6a3ff92976db08bfdf95e083;dc7e564809d6c2a2f3457c3c9b91f22b;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b;FE2CA1BE3BDA2A757036A89E54CC02DB;FE2CA1BE3BDA2A757036A89E54CC02DB</Hashes>
 			</Rule>
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=4,Alert=TajMahal APT Tool Detection,Risk=100" condition="contains any">22d142f11cf2a30ea4953e1fffb0fa7e;2317d65da4639f4246de200650a70753;27612cb03c89158225ca201721ea1aad;412956675fbc3f8c51f438c1abc100eb;daf2da52475fd8981b19ec3c321a983c;490a140093b5870a47edc29f33542fd2;51a7068640af42c3a7c1b94f1c11ab9d;533340c54bd25256873b3dca34d7f74e;684eca6b62d69ce899a3ec3bb04d0a5b;69a19abf5ba56ee07cdd3425b07cf8bf;6cfd131fef548fcd60fbcdb59317df8e;72dc98449b45a7f1ccdef27d51e31e91;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;80c37e062aa4c94697f287352acf2e9d;815f1f8a7bc1e6f94cb5c416e381a110;a43d3b31575846fa4c3992b4143a06da;08e82dc7bae524884b7dc2134942aadb;7bcd736a2394fc49f3e27b3987cce640;57314359df11ffdf476f809671ec0275;b72737b464e50aa3664321e8e001ff32;ce8ce92fb6565181572dce00d69c24f8;5985087678414143d33ffc6e8863b887;84730a6e426fbd3cf6b821c59674c8a0;d5377dc1821c935302c065ad8432c0d2;d8f1356bebda9e77f480a6a60eab36bb;92f8e3f0f1f7cc49fad797a62a169acd;9003cfaac523e94d5479dc6a10575e60;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;c1e7850da5604e081b9647b58248d7e8;99828721ac1a0e32e4582c3f615d6e57;f559c87b4a14a4be1bd84df6553aaf56;b9c208ea8115232bfd9ec2c62f32d6b8;061089d8cb0ca58e660ce2e433a689b3;0e9afd3a870906ebf34a0b66d8b07435;9c115e9a81d25f9d88e7aaa4313d9a8f;520ee02668a1c7b7c262708e12b1ba6b;7bfba2c69bed6b160261bdbf2b826401;77a745b07d9c453650dd7f683b02b3ed;3a771efb7ba2cd0df247ab570e1408b2;0969b2b399a8d4cd2d751824d0d842b4;fc53f2cd780cd3a01a4299b8445f8511;4e39620afca6f60bb30e031ddc5a4330;bfe3f6a79cad5b9c642bb56f8037c43b;3dfebce4703f30eed713d795b90538b5;9793afcea43110610757bd3b800de517;36db24006e2b492cafb75f2663f241b2;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;649ef1dd4a5411d3afcf108d57ff87af;320b2f1d9551b5d1df4fb19bd9ab253a;3d75c72144d873b3c1c4977fbafe9184;b9cf4301b7b186a75e82a04e87b30fe4;b4e67706103c3b8ee148394ebee3f268;7bfbd72441e1f2ed48fbc0f33be00f24;cdb303f61a47720c7a8c5086e6b2a743;2a6f7ec77ab6bd4297e7b15ae06e2e61;8403a28e0bffa9cc085e7b662d0d5412;3ffd2915d285ad748202469d4a04e1f5;04078ef95a70a04e95bda06cc7bec3fa;235d427f94630575a4ea4bff180ecf5d;8035a8a143765551ca7db4bc5efb5dfd;cacaa3bf3b2801956318251db5e90f3c;1aadf739782afcae6d1c3e4d1f315cbd;c3e255888211d74cc6e3fb66b69bbffb;d9e9f22988d43d73d79db6ee178d70a4;16ab79fb2fd92db0b1f38bedb2f02ed8;8da15a97eaf69ff7ee184fc446f19cf1;ffc7305cb24c1955f9625e525d58aeee;c0e72eb4c9f897410c795c1b360090ef;9ad6fa6fdedb2df8055b3d30bd6f64f1;44619a88a6cff63523163c6a4cf375dd;a571660c9cf1696a2f4689b2007a12c7;81229c1e272218eeda14892fa8425883;0ac48cfa2ff8351365e99c1d26e082ad;afcdf79be1557326c854b6e20cb900a7</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" condition="contains">a53a02b997935fd8eedcb5f7abab9b9f</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" condition="contains">e96a73c7bf33a464c510ede582318bf2</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
-			<Image name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Emotet Execution Detected,Risk=100" condition="contains">serialfunc.exe</Image>
+			<Rule name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=4,Alert=TajMahal APT Tool Detection,Risk=100" groupRelation="and">
+				<Hashes condition="contains any">22d142f11cf2a30ea4953e1fffb0fa7e;2317d65da4639f4246de200650a70753;27612cb03c89158225ca201721ea1aad;412956675fbc3f8c51f438c1abc100eb;daf2da52475fd8981b19ec3c321a983c;490a140093b5870a47edc29f33542fd2;51a7068640af42c3a7c1b94f1c11ab9d;533340c54bd25256873b3dca34d7f74e;684eca6b62d69ce899a3ec3bb04d0a5b;69a19abf5ba56ee07cdd3425b07cf8bf;6cfd131fef548fcd60fbcdb59317df8e;72dc98449b45a7f1ccdef27d51e31e91;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;80c37e062aa4c94697f287352acf2e9d;815f1f8a7bc1e6f94cb5c416e381a110;a43d3b31575846fa4c3992b4143a06da;08e82dc7bae524884b7dc2134942aadb;7bcd736a2394fc49f3e27b3987cce640;57314359df11ffdf476f809671ec0275;b72737b464e50aa3664321e8e001ff32;ce8ce92fb6565181572dce00d69c24f8;5985087678414143d33ffc6e8863b887;84730a6e426fbd3cf6b821c59674c8a0;d5377dc1821c935302c065ad8432c0d2;d8f1356bebda9e77f480a6a60eab36bb;92f8e3f0f1f7cc49fad797a62a169acd;9003cfaac523e94d5479dc6a10575e60;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;c1e7850da5604e081b9647b58248d7e8;99828721ac1a0e32e4582c3f615d6e57;f559c87b4a14a4be1bd84df6553aaf56;b9c208ea8115232bfd9ec2c62f32d6b8;061089d8cb0ca58e660ce2e433a689b3;0e9afd3a870906ebf34a0b66d8b07435;9c115e9a81d25f9d88e7aaa4313d9a8f;520ee02668a1c7b7c262708e12b1ba6b;7bfba2c69bed6b160261bdbf2b826401;77a745b07d9c453650dd7f683b02b3ed;3a771efb7ba2cd0df247ab570e1408b2;0969b2b399a8d4cd2d751824d0d842b4;fc53f2cd780cd3a01a4299b8445f8511;4e39620afca6f60bb30e031ddc5a4330;bfe3f6a79cad5b9c642bb56f8037c43b;3dfebce4703f30eed713d795b90538b5;9793afcea43110610757bd3b800de517;36db24006e2b492cafb75f2663f241b2;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;649ef1dd4a5411d3afcf108d57ff87af;320b2f1d9551b5d1df4fb19bd9ab253a;3d75c72144d873b3c1c4977fbafe9184;b9cf4301b7b186a75e82a04e87b30fe4;b4e67706103c3b8ee148394ebee3f268;7bfbd72441e1f2ed48fbc0f33be00f24;cdb303f61a47720c7a8c5086e6b2a743;2a6f7ec77ab6bd4297e7b15ae06e2e61;8403a28e0bffa9cc085e7b662d0d5412;3ffd2915d285ad748202469d4a04e1f5;04078ef95a70a04e95bda06cc7bec3fa;235d427f94630575a4ea4bff180ecf5d;8035a8a143765551ca7db4bc5efb5dfd;cacaa3bf3b2801956318251db5e90f3c;1aadf739782afcae6d1c3e4d1f315cbd;c3e255888211d74cc6e3fb66b69bbffb;d9e9f22988d43d73d79db6ee178d70a4;16ab79fb2fd92db0b1f38bedb2f02ed8;8da15a97eaf69ff7ee184fc446f19cf1;ffc7305cb24c1955f9625e525d58aeee;c0e72eb4c9f897410c795c1b360090ef;9ad6fa6fdedb2df8055b3d30bd6f64f1;44619a88a6cff63523163c6a4cf375dd;a571660c9cf1696a2f4689b2007a12c7;81229c1e272218eeda14892fa8425883;0ac48cfa2ff8351365e99c1d26e082ad;afcdf79be1557326c854b6e20cb900a7</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
+			</Rule>
+			<Rule name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" groupRelation="and"> <!-- https://securelist.com/project-tajmahal/90240/ -->
+				<Hashes condition="contains">a53a02b997935fd8eedcb5f7abab9b9f</Hashes>
+			</Rule>
+			<Rule name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" groupRelation="and"> <!-- https://securelist.com/project-tajmahal/90240/ -->
+				<Hashes condition="contains">e96a73c7bf33a464c510ede582318bf2</Hashes>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Emotet Execution Detected,Risk=100" groupRelation="and">
+				<Image condition="contains">serialfunc.exe</Image>
+			</Rule>
 			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Emotet Command Line detection" groupRelation="and">
 				<CommandLine condition="contains any">e PAA;en PAA;enc PAA;enco PAA;encode PAA;encoded PAA;encodedco PAA;encodedcom PAA;encodedcomm PAA;encodedcomma PAA;encodedcomman PAA;encodedcommand PAA;e IAA;en IAA;enc IAA;enco IAA;encode IAA;encoded IAA;encodedco IAA;encodedcom IAA;encodedcomm IAA;encodedcomma IAA;encodedcomman IAA;encodedcommand IAA;e JAB;en JAB;enc JAB;enco JAB;encode JAB;encoded JAB;encodedco JAB;encodedcom JAB;encodedcomm JAB;encodedcomma JAB;encodedcomman JAB;encodedcommand JAB;e cwBFAFQA;en cwBFAFQA;enc cwBFAFQA;enco cwBFAFQA;encode cwBFAFQA;encoded cwBFAFQA;encodedco cwBFAFQA;encodedcom cwBFAFQA;encodedcomm cwBFAFQA;encodedcomma cwBFAFQA;encodedcomman cwBFAFQA;encodedcommand cwBFAFQA;e SQBFAF;en SQBFAF;enc SQBFAF;enco SQBFAF;encode SQBFAF;encoded SQBFAF;encodedco SQBFAF;encodedcom SQBFAF;encodedcomm SQBFAF;encodedcomma SQBFAF;encodedcomman SQBFAF;encodedcommand SQBFAF;e UwBFAFQA;en UwBFAFQA;enc UwBFAFQA;enco UwBFAFQA;encode UwBFAFQA;encoded UwBFAFQA;encodedco UwBFAFQA;encodedcom UwBFAFQA;encodedcomm UwBFAFQA;encodedcomma UwBFAFQA;encodedcomman UwBFAFQA;encodedcommand UwBFAFQA;e IABpAE4AdgBPAEsAZQAt;en IABpAE4AdgBPAEsAZQAt;enc IABpAE4AdgBPAEsAZQAt;enco IABpAE4AdgBPAEsAZQAt;encode IABpAE4AdgBPAEsAZQAt;encoded IABpAE4AdgBPAEsAZQAt;encodedco IABpAE4AdgBPAEsAZQAt;encodedcom IABpAE4AdgBPAEsAZQAt;encodedcomm IABpAE4AdgBPAEsAZQAt;encodedcomma IABpAE4AdgBPAEsAZQAt;encodedcomman IABpAE4AdgBPAEsAZQAt;encodedcommand IABpAE4AdgBPAEsAZQAt;e SQBmACgAJAB;en SQBmACgAJAB;enc SQBmACgAJAB;enco SQBmACgAJAB;encode SQBmACgAJAB;encoded SQBmACgAJAB;encodedco SQBmACgAJAB;encodedcom SQBmACgAJAB;encodedcomm SQBmACgAJAB;encodedcomma SQBmACgAJAB;encodedcomman SQBmACgAJAB;encodedcommand SQBmACgAJAB;e J;en J;enc J;enco J;encode J;encoded J;encodedco J;encodedcom J;encodedcomm J;encodedcomma J;encodedcomman J;encodedcommand J;e SUVY;en SUVY;enc SUVY;enco SUVY;encode SUVY;encoded SUVY;encodedco SUVY;encodedcom SUVY;encodedcomm SUVY;encodedcomma SUVY;encodedcomman SUVY;encodedcommand SUVY;e aWV4;en aWV4;enc aWV4;enco aWV4;encode aWV4;encoded aWV4;encodedco aWV4;encodedcom aWV4;encodedcomm aWV4;encodedcomma aWV4;encodedcomman aWV4;encodedcommand aWV4;e dmFy;en dmFy;enc dmFy;enco dmFy;encode dmFy;encoded dmFy;encodedco dmFy;encodedcom dmFy;encodedcomm dmFy;encodedcomma dmFy;encodedcomman dmFy;encodedcommand dmFy;e dgBhA;en dgBhA;enc dgBhA;enco dgBhA;encode dgBhA;encoded dgBhA;encodedco dgBhA;encodedcom dgBhA;encodedcomm dgBhA;encodedcomma dgBhA;encodedcomman dgBhA;encodedcommand dgBhA;e R2V0;en R2V0;enc R2V0;enco R2V0;encode R2V0;encoded R2V0;encodedco R2V0;encodedcom R2V0;encodedcomm R2V0;encodedcomma R2V0;encodedcomman R2V0;encodedcommand R2V0;e IAAgAH;en IAAgAH;enc IAAgAH;enco IAAgAH;encode IAAgAH;encoded IAAgAH;encodedco IAAgAH;encodedcom IAAgAH;encodedcomm IAAgAH;encodedcomma IAAgAH;encodedcomman IAAgAH;encodedcommand IAAgAH;e TVq;en TVq;enc TVq;enco TVq;encode TVq;encoded TVq;encodedco TVq;encodedcom TVq;encodedcomm TVq;encodedcomma TVq;encodedcomman TVq;encodedcommand TVq;e aQBIA;en aQBIA;enc aQBIA;enco aQBIA;encode aQBIA;encoded aQBIA;encodedco aQBIA;encodedcom aQBIA;encodedcomm aQBIA;encodedcomma aQBIA;encodedcomman aQBIA;encodedcommand aQBIA;e UEs;en UEs;enc UEs;enco UEs;encode UEs;encoded UEs;encodedco UEs;encodedcom UEs;encodedcomm UEs;encodedcomma UEs;encodedcomman UEs;encodedcommand UEs;e H4s;en H4s;enc H4s;enco H4s;encode H4s;encoded H4s;encodedco H4s;encodedcom H4s;encodedcomm H4s;encodedcomma H4s;encodedcomman H4s;encodedcommand H4s;e dXNpbm;en dXNpbm;enc dXNpbm;enco dXNpbm;encode dXNpbm;encoded dXNpbm;encodedco dXNpbm;encodedcom dXNpbm;encodedcomm dXNpbm;encodedcomma dXNpbm;encodedcomman dXNpbm;encodedcommand dXNpbm;e cwBhA;en cwBhA;enc cwBhA;enco cwBhA;encode cwBhA;encoded cwBhA;encodedco cwBhA;encodedcom cwBhA;encodedcomm cwBhA;encodedcomma cwBhA;encodedcomman cwBhA;encodedcommand cwBhA;JABzA</CommandLine>
 			</Rule>
@@ -626,11 +693,17 @@
 			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Formbook detections" groupRelation="and">
 				<CommandLine condition="contains any">\cmd.exe /c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe /c del "C:\Users\*\Desktop\*.exe;\cmd.exe -c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe -c del "C:\Users\*\Desktop\*.exe</CommandLine>
 			</Rule>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=QBot Process Creation,Risk=100" condition="contains any">ping.exe -n 6 127.0.0.1 &#38;ping.exe /n 6 127.0.0.1 &#38; type</CommandLine>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Powershell RAW ping,Risk=100" condition="contains">System.Net.Networkinformation.ping</CommandLine>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=QBot Process Creation,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">ping.exe -n 6 127.0.0.1 &amp;ping.exe /n 6 127.0.0.1 &amp; type</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Powershell RAW ping,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">System.Net.Networkinformation.ping</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
-			<Image name="Attack=T1158,Technique=Windows Management Instrumentation,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Mofcomp execution or persistence,Risk=50" condition="image">mofcomp.exe</Image>
-
+			<Rule name="Attack=T1158,Technique=Windows Management Instrumentation,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Mofcomp execution or persistence,Risk=50" groupRelation="and">
+				<Image condition="image">mofcomp.exe</Image>
+			</Rule>
+			
 			<!--MITRE ATT&CK TACTIC: Persistence-->
 			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
 			<Rule name="Attack=T1098,Technique=Account Manipulation,Tactic=Credential Access/Persistence,DS=Process: Process Creation,Level=3,Alert=Account Manipulation,Risk=80" groupRelation="and">
@@ -651,8 +724,12 @@
 				<CommandLine condition="contains any">add</CommandLine>
 				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
 			</Rule>
-			<Image name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsmod,Risk=100" condition="image">dsmod.exe</Image>
-			<Image name="Attack=T1136,Technique=Create Account,Tactic=Persistence,DS=Process: Process Creation,Level=3,Alert=Account Creation via command line,Alert=Account creation with dsadd,Risk=100" condition="image">dsadd.exe</Image>
+			<Rule name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsmod,Risk=100" groupRelation="and">
+				<Image condition="image">dsmod.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1136,Technique=Create Account,Tactic=Persistence,DS=Process: Process Creation,Level=3,Alert=Account Creation via command line,Alert=Account creation with dsadd,Risk=100" groupRelation="and">
+				<Image condition="image">dsadd.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
 			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion/Execution,DS=Process: Process Creation,Level=0,Alert=SilentProcessExit Execution from werfault S-Flag,Risk=75" groupRelation="and">
@@ -669,7 +746,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
 			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
+			
 			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
 			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,DS=Process: Process Creation,Level=4,Alert=Cobalt Strike GetSystem escalation Detected" groupRelation="and">
 				<Image condition="image">cmd.exe</Image>
@@ -711,21 +788,41 @@
 				<ParentImage condition="image">eventvwr.exe</ParentImage>
 				<Image condition="is not">c:\windows\system32\mmc.exe</Image>
 			</Rule>
-			<ParentImage name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation," condition="image">fodhelper.exe</ParentImage>
-			<Image name="Attack=T1118,Technique=InstallUtil,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=InstallUtil" condition="image">InstallUtil.exe</Image>
-			<CommandLine name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=UAC Bypass" condition="contains">Invoke-PsUaCme</CommandLine>
-			<CommandLine name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=UAC Bypass" condition="contains">BypassUAC</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Powerup Command Line events" condition="contains">PowerUp</CommandLine>
-			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion,DS=Process: Process Creation" condition="is">computerdefaults.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion,DS=Process: Process Creation" condition="is">dism.exe</OriginalFileName>
-			<ParentImage name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion,DS=Process: Process Creation" condition="image">fodhelper.exe</ParentImage>
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation," groupRelation="and">
+				<ParentImage condition="image">fodhelper.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1118,Technique=InstallUtil,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=InstallUtil" groupRelation="and">
+				<Image condition="image">InstallUtil.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=UAC Bypass" groupRelation="and">
+				<CommandLine condition="contains">Invoke-PsUaCme</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=UAC Bypass" groupRelation="and">
+				<CommandLine condition="contains">BypassUAC</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Powerup Command Line events" groupRelation="and">
+				<CommandLine condition="contains">PowerUp</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion,DS=Process: Process Creation" groupRelation="and">
+				<OriginalFileName condition="is">computerdefaults.exe</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion,DS=Process: Process Creation" groupRelation="and">
+				<OriginalFileName condition="is">dism.exe</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion,DS=Process: Process Creation" groupRelation="and">
+				<ParentImage condition="image">fodhelper.exe</ParentImage>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
 			<Rule name="Attack=T1134.001,Technique=Access Token Manipulation: Token Impersonation/Theft,Tactic=Privilege Escalation,Risk=90,DS=Process: Process Creation,Level=3,Alert=Priv Escalation to System" groupRelation="and">
 				<ParentUser condition="contains any">NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</ParentUser>
 				<User condition="contains any">NT AUTHORITY\SYSTEM;СИСТЕМА;NT-AUTORITÄT\SYSTEM;AUTORITE NT\SYSTEM</User>
 			</Rule>
-			<ParentCommandLine name="Attack=T1134.001,Technique=Access Token Manipulation: Token Impersonation/Theft,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=1,Desc=Possible Token manipulation" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine>
-			<Image name="Attack=T1134,Technique=Access Token Manipulation,Tactic=NA,DS=Process: Process Creation,Level=2,Alert=Token Manipulation with runas.exe,Risk=70" condition="image">runas.exe</Image> 
+			<Rule name="Attack=T1134.001,Technique=Access Token Manipulation: Token Impersonation/Theft,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=1,Desc=Possible Token manipulation" groupRelation="and">
+				<ParentCommandLine condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1134,Technique=Access Token Manipulation,Tactic=NA,DS=Process: Process Creation,Level=2,Alert=Token Manipulation with runas.exe,Risk=70" groupRelation="and">
+				<Image condition="image">runas.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
 			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
@@ -746,14 +843,28 @@
 				<ParentImage condition="image">utilman.exe</ParentImage>
 				<Image condition="excludes any">C:\Windows\System32\ATBroker.exe;Magnify.exe;C:\Windows\System32\osk.exe</Image>
 			</Rule>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation,DS=Process: Process Creation,Level=0,Desc=SETHC Priv Escalation" condition="image">sethc.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">osk.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">Magnify.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">DisplaySwitch.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">Narrator.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">AtBroker.exe</ParentImage>
+			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation,DS=Process: Process Creation,Level=0,Desc=SETHC Priv Escalation" groupRelation="and">
+				<ParentImage condition="image">sethc.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" groupRelation="and">
+				<ParentImage condition="image">osk.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" groupRelation="and">
+				<ParentImage condition="image">Magnify.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" groupRelation="and">
+				<ParentImage condition="image">DisplaySwitch.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" groupRelation="and">
+				<ParentImage condition="image">Narrator.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" groupRelation="and">
+				<ParentImage condition="image">AtBroker.exe</ParentImage>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Application Shimming-->
-			<Image name="Attack=T1138,Technique=Application Shimming,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Application Shimming" condition="image">sdbinst.exe</Image>
+			<Rule name="Attack=T1138,Technique=Application Shimming,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation,Level=3,Desc=Application Shimming" groupRelation="and"> <!--To noisy and rule is not specfic enough. Won't alert on this for now-->
+				<Image condition="image">sdbinst.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
 			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=0,Desc=Dwm Exploitation" groupRelation="and">
 				<ParentImage condition="image">dwm.exe</ParentImage>
@@ -772,11 +883,17 @@
 			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
+			
 			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
-			<Image condition="contains">unknown process</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=WSL Execution" condition="contains">\LocalState\rootfs\</Image>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=WSL Execution" condition="contains">\LocalState\rootfs\</ParentImage>			
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Image Condition Contains 'unknown process'" groupRelation="and">
+				<Image condition="contains">unknown process</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=WSL Execution" groupRelation="and">
+				<Image condition="contains">\LocalState\rootfs\</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=WSL Execution" groupRelation="and">
+				<ParentImage condition="contains">\LocalState\rootfs\</ParentImage>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
@@ -804,7 +921,7 @@
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
-			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Stealth Sysmon Change Detected,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Desc=Stealth Sysmon Change Detected,Risk=100" groupRelation="and"> <!--Will be nosiy with hourly scheduled task updating the config. Won't alert on this.-->
 				<Product condition="is">Sysinternals Sysmon</Product>
 				<CommandLine condition="contains any">/u;/c;-u;-c</CommandLine>
 				<CurrentDirectory condition="excludes">C:\ProgramdData\sysmon\</CurrentDirectory>
@@ -824,20 +941,38 @@
 				<Hashes condition="contains">IMPHASH=330768a4f172e10acb6287b87289d83b</Hashes>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
-			<Image condition="image" name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=PSTools PSKill,Risk=80">PsKill.exe</Image>
+			<Rule name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=PSTools PSKill,Risk=80" groupRelation="and">
+				<Image condition="image">PsKill.exe</Image>
+			</Rule>
 			<Rule name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Disabling of Windows Defender Features,Risk=100" groupRelation="and">
 				<CommandLine condition="contains any">Set-MpPreference;Add-MpPreference;Remove-MpPreference;MpCmdRun.exe</CommandLine>
 				<CommandLine condition="contains any">RemoveDefinitions;RemoveDynamicSignature;DisableIOAVProtection;DisableRealTimeMonitoring;DisableBehaviorMonitoring;DisableBlockAtFirstSeen;DisableIOAVProtection;DisablePrivacyMode;DisableScriptScanning;DisableRealtimeMonitoring;DisableScanningNetworkFiles;DisableScanningMappedNetworkDrivesForFullScan;DisableRestorePoint;DisableRemovableDriveScanning;SignatureDisableUpdateOnStartupWithoutEngine;DisableIntrusionPreventionSystem;DisableScanOnRealtimeEnable;DisableArchiveScanning;DisableIntrusionPreventionSystem;DisableScriptScanning;DisableOnAccessProtection;ExclusionExtension;ExclusionPath;ExclusionProcess;ThreatDefaultAction;TamperProtection</CommandLine>
 			</Rule>
-			<CommandLine name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh ipv6 modification,Risk=40" condition="contains">interface ipv6 set</CommandLine>
-			<CommandLine name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh ipv4 modification,Risk=40" condition="contains">interface ipv4 set</CommandLine>
-			<Image name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Command Line task kill 2,Risk=30" condition="image">taskkill.exe</Image>
+			<Rule name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh ipv6 modification,Risk=40" groupRelation="and">
+				<CommandLine condition="contains">interface ipv6 set</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh ipv4 modification,Risk=40" groupRelation="and">
+				<CommandLine condition="contains">interface ipv4 set</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Command Line task kill 2,Risk=30" groupRelation="and">
+				<Image condition="image">taskkill.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=netsh Firewall Rule Deletion,Risk=40" condition="contains">firewall delete</CommandLine> 
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh Firewall Rule Creation,Risk=40" condition="contains">firewall add</CommandLine> 
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=netsh firewall disablement,Risk=40" condition="contains">firewall set opmode disable</CommandLine>
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Possible Arp Spoofing attacks" condition="contains">Core Networking - Router Solicitation</CommandLine>
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Windows Firewall Modifications,Risk=40" condition="contains">netsh advfirewall firewall</CommandLine>
+			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=netsh Firewall Rule Deletion,Risk=40" groupRelation="and">
+				<CommandLine condition="contains">firewall delete</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh Firewall Rule Creation,Risk=40" groupRelation="and">
+				<CommandLine condition="contains">firewall add</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=netsh firewall disablement,Risk=40" groupRelation="and">
+				<CommandLine condition="contains">firewall set opmode disable</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Possible Arp Spoofing attacks" groupRelation="and">
+				<CommandLine condition="contains">Core Networking - Router Solicitation</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Windows Firewall Modifications,Risk=40" groupRelation="and">
+				<CommandLine condition="contains">netsh advfirewall firewall</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
 			<Rule name="Attack=T1070.001,Technique=Clear Windows Event Logs,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Eventlog Removal on Host,Risk=100" groupRelation="and">
 				<Image condition="image">wevtutil.exe</Image>
@@ -872,25 +1007,46 @@
 				<OriginalFileName condition="contains any">bash.exe;wsl.exe;ubuntu.exe;kali.exe</OriginalFileName>
 				<CommandLine condition="contains any">-e;/e;-u root;--exec bash;dev/tcp;~ -d;~ /d</CommandLine>
 			</Rule>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</ParentImage>
-			<CommandLine name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Windows Subsystem For Linux,Risk=100" condition="contains any">distro-id;vm-id</CommandLine>
-
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Bash on Windows Execution,Risk=30" condition="image">bash.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Bash on windows execution,Risk=30" condition="image">bash.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Indirect Command Execution with forfiles" condition="image">forfiles.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Indirect command execution forfiles child process" condition="image">forfiles.exe</ParentImage>
-			<Image name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,DS=Process: Process Creation" condition="end with">.com</Image>
-			<CommandLine name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scriptrunner exec" condition="contains">-appvscript</CommandLine>
-
+			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux,Risk=20" groupRelation="or">
+				<Image condition="image">wsl.exe</Image>
+				<ParentImage condition="image">wsl.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Windows Subsystem For Linux,Risk=20" groupRelation="and">
+				<Image condition="image">wslhost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Windows Subsystem For Linux,Risk=20" groupRelation="and">
+				<ParentImage condition="image">wslhost.exe</ParentImage>
+				<ParentUser condition="excludes">ntsirlemes_deadpool</ParentUser>
+			</Rule>
+			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Ubuntu Windows Subsystem For Linux,Risk=20" groupRelation="or">
+				<Image condition="image">ubuntu.exe</Image>
+				<ParentImage condition="image">ubuntu.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" groupRelation="or">
+				<Image condition="image">kali.exe</Image>
+				<ParentImage condition="image">kali.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Windows Subsystem For Linux,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">distro-id;vm-id</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Indirect Command Execution" groupRelation="or">
+				<Image condition="image">pcalua.exe</Image>
+				<ParentImage condition="image">pcalua.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Bash on Windows Execution,Risk=30" groupRelation="or">
+				<Image condition="image">bash.exe</Image>
+				<ParentImage condition="image">bash.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Indirect Command Execution with forfiles" groupRelation="or">
+				<Image condition="image">forfiles.exe</Image>
+				<ParentImage condition="image">forfiles.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<Image condition="end with">.com</Image>
+			</Rule>
+			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scriptrunner exec" groupRelation="and">
+				<CommandLine condition="contains">-appvscript</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=suspicious execution path,Risk=30" groupRelation="and">
 				<Image condition="contains any">C:\Users\NetworkService\;C:\Users\NetworkService\;HarddiskVolumeShadowCopy;C:\Users\Default\;C:\Users\Public;C:\Users\Guest\;\administrateur\;C:\Windows\Media\;C:\Windows\addins\;tsclient\;\htdocs\;\config\systemprofile\;C:\PerfLogs\;c:\windows\ServiceProfiles\;C:\Intel\Logs\;C:\Windows\repair\;C:\Windows\Help\;$Recycle;C:\Windows\Debug\;C:\Windows\Security\;C:\Windows\Fonts\;\wwwroot\;\Contacts;C:\Windows\vss\</Image>
@@ -918,9 +1074,15 @@
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
-			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg add hkcu\software\classes\</CommandLine>
-			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg.exe add hkcu\software\classes\</CommandLine> 
-			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Remote Registry Activity,Risk=39" condition="begin with">C:\WINDOWS\system32\svchost.exe -k localService -s RemoteRegistry</ParentCommandLine>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" groupRelation="and">
+				<CommandLine condition="contains">reg add hkcu\software\classes\</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" groupRelation="and">
+				<CommandLine condition="contains">reg.exe add hkcu\software\classes\</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Remote Registry Activity,Risk=39" groupRelation="and">
+				<ParentCommandLine condition="begin with">C:\WINDOWS\system32\svchost.exe -k localService -s RemoteRegistry</ParentCommandLine>
+			</Rule>
 			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Alternate Data Streams with Regedit" groupRelation="and">
 				<OriginalFileName condition="is">regedit.exe</OriginalFileName>
 				<CommandLine condition="contains">:</CommandLine>
@@ -965,6 +1127,8 @@
 				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
 				<CommandLine condition="contains any">-ex;/ex</CommandLine>
 				<CommandLine condition="contains">bypass</CommandLine>
+				<CommandLine condition="excludes">C:\Programdata\Sysmon\SysmonUpdateConfig.ps1</CommandLine>
+				<ParentImage condition="excludes">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Powershell non-interactive Command" groupRelation="and">
 				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
@@ -983,16 +1147,25 @@
 			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Obfuscated Suspicious or Malicious Commands,Risk=70" groupRelation="and">
 				<CommandLine condition="contains any">C^om^S^pEc;^c^o^m^S^p^E^c^;Wscript.Shell;-ComObject;MsXml2.ServerXmlHttp;Remove.ToString;System.Convert;-UseB;[Byte[];^h^t^t^p;h"t"t"p</CommandLine>
 			</Rule>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information with IwAjACMAd,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Common Base 64 encoded cmds" condition="contains any">IwAjACMAd;IyM=;SUVYI;aWV4I;SQBFAFgA;aQBlAHgA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Alert=Obfuscated Hidden Powershell,Risk=70" condition="contains any">WindowStyle Hidden function;WindowStyle Hidden;windowstyle h;windowstyl h;windowsty h;windowst h;windows h;window h;windo h;wind h;win h;wi h;-w h;/w h;win hi;win hid;win hidd;win hidde;win hidden</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Command Line Obfuscation,Risk=75" condition="contains">^</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Type CON Command Line Redirection" condition="contains">TYPE CON ></CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Copy CON Command Line Redirection" condition="contains">copy CON ></CommandLine>
+			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information with IwAjACMAd,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Common Base 64 encoded cmds" groupRelation="and">
+				<CommandLine condition="contains any">IwAjACMAd;IyM=;SUVYI;aWV4I;SQBFAFgA;aQBlAHgA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Alert=Obfuscated Hidden Powershell,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">WindowStyle Hidden function;WindowStyle Hidden;windowstyle h;windowstyl h;windowsty h;windowst h;windows h;window h;windo h;wind h;win h;wi h;-w h;/w h;win hi;win hid;win hidd;win hidde;win hidden</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Command Line Obfuscation,Risk=75" groupRelation="and">
+				<CommandLine condition="contains">^</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Type CON Command Line Redirection" groupRelation="and">
+				<CommandLine condition="contains">TYPE CON &gt;</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Copy CON Command Line Redirection" groupRelation="and">
+				<CommandLine condition="contains">copy CON &gt;</CommandLine>
+			</Rule>
 			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Common Obfuscated Commands,Risk=100" groupRelation="and">
 				<CommandLine condition="contains any">FromBase64String;action=create keyvalue=;VerbosePreference.ToString;SecureString;CSharpCodeProvider;runtime.interopservices.marshal;system.globalization.numberstyles;system.reflection.assembly;hextobin;VerbosePreference.ToString;system.text.encoding;io.filestream;io.filestream;io.seekorigin;text.encoding;unicode.getstring;FromBase64;[Convert]::;System.IO.File]::ReadAllText;|iex</CommandLine>
 				<CommandLine condition="excludes all">ngen.exe;install</CommandLine>
 			</Rule>
-
 			<Rule name="Attack=T1105,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=CertUtil Decode,Risk=80" groupRelation="and">
 				<OriginalFileName condition="contains">certutil</OriginalFileName>
 				<CommandLine condition="contains any">decode;encode</CommandLine>
@@ -1024,7 +1197,9 @@
 				<ParentImage condition="image">csc.exe</ParentImage>
 				<CommandLine condition="contains any">out:;target:library</CommandLine>
 			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Workflow Compiler https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb" condition="contains">Microsoft.Workflow.Compiler.exe</Image>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Workflow Compiler" groupRelation="and"> <!--https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb-->
+				<Image condition="contains">Microsoft.Workflow.Compiler.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
 			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
 			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
@@ -1108,7 +1283,7 @@
 			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
 				<ParentImage condition="contains any">\SearchProtocolHost.exe;\taskhost.exe;\csrss.exe</ParentImage>
-				<Image condition="excludes any">\werfault.exe;\wermgr.exe;\WerFaultSecure.exe</Image>
+				<Image condition="excludes any">\werfault.exe;\wermgr.exe;\WerFaultSecure.exe;\NGenTask.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
 				<ParentImage condition="image">autochk.exe</ParentImage>
@@ -1175,51 +1350,128 @@
 			<Rule name="Attack=T1218.002,Technique=Control Panel,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Control_Rundll Detected,Risk=50" groupRelation="and">
 				<CommandLine condition="contains all">rundll32.exe;shell32.dll;_RunDLL</CommandLine>
 				<Image condition="is not">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
+				<ParentCommandLine condition="excludes">C:\Windows\System32\appwiz.cpl</ParentCommandLine>
 			</Rule>
 			<Rule name="Attack=T1218.008,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Odbcconf Signed Binary Proxy Execution,Risk=50" groupRelation="and">
 				<Image condition="image">odbcconf.exe</Image>
 				<CommandLine condition="contains any">/S /A {REGSVR;-S -A {REGSVR</CommandLine>
 			</Rule>
-			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Script:http Detected,Risk=75" condition="contains">script:http</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Register-cimprovider exec,Risk=100" condition="contains">Register-cimprovider</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">Scriptrunner.exe -appvscript</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">bginfo</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">cbd</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=runscripthelper LOLBAS,Risk=40" condition="contains">runscripthelper.exe surfacecheck</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=xwizard LOLBAS,Risk=40" condition="contains">xwizard RunWizard</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=PresentationHost exec,Risk=100" condition="contains">PresentationHost</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=VBoxDrvInst.exe exec,Risk=100" condition="contains">driver executeinf</CommandLine>
-			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains any">control.exe /name;control.exe -name</CommandLine>
-			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains">Control_RunDLL</CommandLine>
-			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="image">SyncAppvPublishingServer.exe</Image>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">Scriptrunner.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">ATBroker.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">Appvlp.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">InfDefaultInstall.EXE</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">PresentationHost.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">RegisterCimProvider2.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">RegisterCimProvider.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">ScriptRunner.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">csi.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">extexport.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">msconfig.EXE</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">rasdlui.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">tttracer.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">verclsid.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">wab.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Register-cimprovider.exe,Risk=100" condition="contains">Register-cimprovider.exe</OriginalFileName>
-			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">csi.exe</ParentCommandLine>
-			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">devtoolslauncher.exe LaunchForDeploy</ParentCommandLine>
-			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">bginfo</ParentCommandLine>
-			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="image">devtoolslauncher.exe</ParentImage>
-			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="image">wab.exe</ParentImage>
-			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="image">wsreset.exe</ParentImage>
+			<Rule name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Script:http Detected,Risk=75" groupRelation="and">
+				<CommandLine condition="contains">script:http</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Register-cimprovider exec,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">Register-cimprovider</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<CommandLine condition="contains">Scriptrunner.exe -appvscript</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<CommandLine condition="contains">bginfo</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<CommandLine condition="contains">cbd</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=runscripthelper LOLBAS,Risk=40" groupRelation="and">
+				<CommandLine condition="contains">runscripthelper.exe surfacecheck</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=xwizard LOLBAS,Risk=40" groupRelation="and">
+				<CommandLine condition="contains">xwizard RunWizard</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=PresentationHost exec,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">PresentationHost</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=VBoxDrvInst.exe exec,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">driver executeinf</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Control Panel Execution,Risk=75" groupRelation="and">
+				<CommandLine condition="contains any">control.exe /name;control.exe -name</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Control Panel Execution,Risk=75" groupRelation="and">
+				<CommandLine condition="contains">Control_RunDLL</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<Image condition="is">SyncAppvPublishingServer.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<OriginalFileName condition="contains">Scriptrunner.exe</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<OriginalFileName condition="is">ATBroker.exe</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<OriginalFileName condition="is">Appvlp.exe</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<OriginalFileName condition="is">InfDefaultInstall.EXE</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<OriginalFileName condition="is">PresentationHost.exe</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<OriginalFileName condition="is">RegisterCimProvider2.exe</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<OriginalFileName condition="is">RegisterCimProvider.exe</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<OriginalFileName condition="is">ScriptRunner.exe</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<OriginalFileName condition="is">csi.exe</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<OriginalFileName condition="is">extexport.exe</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<OriginalFileName condition="is">msconfig.EXE</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<OriginalFileName condition="is">rasdlui.exe</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<OriginalFileName condition="is">tttracer.exe</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<OriginalFileName condition="is">verclsid.exe</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<OriginalFileName condition="is">wab.exe</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Register-cimprovider.exe,Risk=100" groupRelation="and">
+				<OriginalFileName condition="contains">Register-cimprovider.exe</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<ParentCommandLine condition="contains">csi.exe</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<ParentCommandLine condition="contains">devtoolslauncher.exe LaunchForDeploy</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<ParentCommandLine condition="is">bginfo</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<ParentImage condition="image">devtoolslauncher.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<ParentImage condition="image">wab.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<ParentImage condition="image">wsreset.exe</ParentImage>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: CMSTP-->
-			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation" condition="contains any">cmstp.exe /ni /s;cmstp.exe -ni -s</CommandLine>
-			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=cmstp" condition="contains any">cmstp /ni /s;cmstp -ni -s</CommandLine>
+			<Rule name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation" groupRelation="and">
+				<CommandLine condition="contains any">cmstp.exe /ni /s;cmstp.exe -ni -s</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=cmstp" groupRelation="and">
+				<CommandLine condition="contains any">cmstp /ni /s;cmstp -ni -s</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Mavinject-->
-			<Image name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Mavinject Process Injection" condition="image">Mavinject.exe</Image>
-			<CommandLine name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Mavinject Process Injection" condition="contains">INJECTRUNNING</CommandLine>
+			<Rule name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Mavinject Process Injection" groupRelation="and">
+				<Image condition="image">Mavinject.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Mavinject Process Injection" groupRelation="and">
+				<CommandLine condition="contains">INJECTRUNNING</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
 			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Potential rundll32.exe DllRegisterServer execution,Risk=70" groupRelation="and">
 				<Image condition="image">rundll32.exe</Image>
@@ -1234,12 +1486,24 @@
 				<Image condition="image">regsvr32.exe</Image> 
 				<CommandLine condition="contains all">C:\Users;Public</CommandLine> 
 			</Rule>
-			<Description name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,DS=Process: Process Creation" condition="contains">Microsoft(C) Register Server</Description>
-			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=SyncAppvPublishingServer Applocker Bypass" condition="image">SyncAppvPublishingServer.exe</Image>
-			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=control panel execution" condition="image">control.exe</Image>
-			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=rasautou execution" condition="image">rasautou.exe</Image>
-			<CommandLine name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Control Panel Execution" condition="contains any">control.exe /name;control.exe -name</CommandLine>
-			<CommandLine name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Control Panel Execution" condition="contains">Control_RunDLL</CommandLine>
+			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,DS=Process: Process Creation" groupRelation="and">
+				<Description condition="contains">Microsoft(C) Register Server</Description>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=SyncAppvPublishingServer Applocker Bypass" groupRelation="and">
+				<Image condition="image">SyncAppvPublishingServer.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=control panel execution" groupRelation="and">
+				<Image condition="image">control.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=rasautou execution" groupRelation="and">
+				<Image condition="image">rasautou.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Control Panel Execution" groupRelation="and">
+				<CommandLine condition="contains any">control.exe /name;control.exe -name</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Control Panel Execution" groupRelation="and">
+				<CommandLine condition="contains">Control_RunDLL</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
 			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Msiexec.exe DllRegisterServer execution,Risk=70" groupRelation="and">
 				<Image condition="image">msiexec.exe</Image>
@@ -1323,20 +1587,48 @@
 				<ParentCommandLine condition="excludes any">rdpinit.exe</ParentCommandLine>
 				<ParentImage condition="excludes any">rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe</ParentImage>
 			</Rule>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="contains all">advpack.dll;LaunchINFSection</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="contains all">ieadvpack.dll;LaunchINFSection</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="contains all">syssetup.dll;SetupInfObjectInstallAction</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="contains all">setupapi.dll;InstallHinfSection</CommandLine>
-			<CommandLine condition="contains">InstallHinfSection</CommandLine>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=infDefaultInstall" condition="image">infDefaultInstall.exe</Image>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=APT28 CHOPSTICK Detection,Risk=70" condition="contains">rundll32.exe "C:\Windows\twain_64.dll"</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Shdocvw exec via rundll32,Risk=70" condition="contains all">shdocvw.dll;OpenURL</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Testing advpack exec,Risk=70" condition="contains all">advpack.dll;RegisterOCX</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass,Risk=100" condition="contains all">Zipfldr.dll;RouteTheCall</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass,Risk=100" condition="contains all">url.dll;FileProtocolHandler</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass technique FileProtocolHandler,Risk=100" condition="contains all">url.dll;FileProtocolHandler</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" condition="contains all">OpenURLA;file:</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" condition="contains all">OpenURL;file:</CommandLine>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" groupRelation="and">
+				<CommandLine condition="contains all">advpack.dll;LaunchINFSection</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" groupRelation="and">
+				<CommandLine condition="contains all">ieadvpack.dll;LaunchINFSection</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" groupRelation="and">
+				<CommandLine condition="contains all">syssetup.dll;SetupInfObjectInstallAction</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" groupRelation="and">
+				<CommandLine condition="contains all">setupapi.dll;InstallHinfSection</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" groupRelation="and">
+				<CommandLine condition="contains">InstallHinfSection</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=infDefaultInstall" groupRelation="and">
+				<Image condition="image">infDefaultInstall.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=APT28 CHOPSTICK Detection,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">rundll32.exe "C:\Windows\twain_64.dll"</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Shdocvw exec via rundll32,Risk=70" groupRelation="and">
+				<CommandLine condition="contains all">shdocvw.dll;OpenURL</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Testing advpack exec,Risk=70" groupRelation="and">
+				<CommandLine condition="contains all">advpack.dll;RegisterOCX</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass,Risk=100" groupRelation="and">
+				<CommandLine condition="contains all">Zipfldr.dll;RouteTheCall</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass,Risk=100" groupRelation="and">
+				<CommandLine condition="contains all">url.dll;FileProtocolHandler</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass technique FileProtocolHandler,Risk=100" groupRelation="and">
+				<CommandLine condition="contains all">url.dll;FileProtocolHandler</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" groupRelation="and">
+				<CommandLine condition="contains all">OpenURLA;file:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" groupRelation="and">
+				<CommandLine condition="contains all">OpenURL;file:</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MSHTA-->
 			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Suspicious child processes of mshta,Risk=100" groupRelation="and">
 				<ParentImage condition="image">mshta.exe</ParentImage>
@@ -1345,14 +1637,23 @@
 			<Rule name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution,Risk=100" groupRelation="and">
 				<Image condition="image">mshta.exe</Image>
 			</Rule>
-			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution" condition="contains">RunHTMLApplication</CommandLine>
-			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution" condition="contains">mshtml</CommandLine>
-			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution" condition="contains">vbscript:CreateObject</CommandLine>
+			<Rule name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution" groupRelation="and">
+				<CommandLine condition="contains">RunHTMLApplication</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution" groupRelation="and">
+				<CommandLine condition="contains">mshtml</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution" groupRelation="and">
+				<CommandLine condition="contains">vbscript:CreateObject</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Odbcconf-->
-			<Image name="Attack=T1218.008,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Possible driver load with odbcconf,Risk=40" condition="image">odbcconf.exe</Image>
-
+			<Rule name="Attack=T1218.008,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Possible driver load with odbcconf,Risk=40" groupRelation="and">
+				<Image condition="image">odbcconf.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
-			<CommandLine name="Attack=T1216,Technique=System Script Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=manage-bde.wsf exec,Risk=100" condition="contains">manage-bde.wsf</CommandLine>
+			<Rule name="Attack=T1216,Technique=System Script Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=manage-bde.wsf exec,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">manage-bde.wsf</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
 			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
 			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
@@ -1380,15 +1681,22 @@
 				<Image condition="image">msbuild.exe</Image>
 				<CommandLine condition="contains">.lnk</CommandLine>
 			</Rule>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=.csproj execution" condition="contains">.csproj</CommandLine>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=.csproj execution" groupRelation="and">
+				<CommandLine condition="contains">.csproj</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
 			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
 			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
 			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
 			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
-			<Image name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,DS=Process: Process Creation,Level=4,Alert=XSL Script Processing" condition="image">msxsl.exe</Image>
-			<ParentImage name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,DS=Process: Process Creation,Level=4,Alert=XSL Script Processing" condition="image">msxsl.exe</ParentImage>
+			<Rule name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,DS=Process: Process Creation,Level=4,Alert=XSL Script Processing" groupRelation="and">
+				<Image condition="image">msxsl.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,DS=Process: Process Creation,Level=4,Alert=XSL Script Processing" groupRelation="and">
+				<ParentImage condition="image">msxsl.exe</ParentImage>
+			</Rule>
+			
 			<!--MITRE ATT&CK TACTIC: Credential Access-->
 			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
 			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
@@ -1397,11 +1705,21 @@
 			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
 			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
 			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Hawkeye Keylogger Detected" condition="contains">/stext</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" condition="contains">keylog</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" condition="contains">keyscan_</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" condition="contains">Get-Keystrokes</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" condition="contains">/scomma</CommandLine>
+			<Rule name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Hawkeye Keylogger Detected" groupRelation="and">
+				<CommandLine condition="contains">/stext</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" groupRelation="and">
+				<CommandLine condition="contains">keylog</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" groupRelation="and">
+				<CommandLine condition="contains">keyscan_</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" groupRelation="and">
+				<CommandLine condition="contains">Get-Keystrokes</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" groupRelation="and">
+				<CommandLine condition="contains">/scomma</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
 			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
@@ -1452,51 +1770,116 @@
 			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=3,Alert=Possible credential modification or disclosure with cmdkey,Risk=30" groupRelation="and">
 				<OriginalFileName condition="contains">cmdkey</OriginalFileName>
 			</Rule>
-			<OriginalFileName name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=3,Alert=Credential Dumping Command rpcping,Risk=100" condition="is">rpcping.exe</OriginalFileName>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command nltest,Risk=100" condition="contains">nltest.exe</CommandLine>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=3,Alert=Credential Dumping Command rpcping,Risk=100" groupRelation="and">
+				<OriginalFileName condition="is">rpcping.exe</OriginalFileName>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command nltest,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">nltest.exe</CommandLine>
+			</Rule>
 			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Suspicious Cred Dumping Commands,Risk=60" groupRelation="and">
 				<CommandLine condition="contains any">-ma lsass.exe;Do-Exfiltration;Powersploit;GPPPassword;gpprefdecrypt;gsecdump;hashdump;laZagne;ntds.dit;ppldump;pwdump;pwdumpx;secretsdump;/listcreds:;-listcreds:</CommandLine>
 			</Rule>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultCloseVault</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultEnumerateItem</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultFree</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultGetItem</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultOpenVault</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">Vaultcmd</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">vaultcli.dll</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping from firefox" condition="contains">select * from moz_login</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping" condition="contains">Invoke-WinEnum</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Dumping Cached Credentials,Risk=100" condition="contains">System.Net.CredentialCache</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=0,Desc=VSS Shadow file Created" condition="contains">create shadow</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Dumping,DS=Process: Process Creation,Level=4,Alert=Credential Theft: netsh wlan password export in cleartext,Risk=100" condition="contains all">wlan;export;profile;key=clear</CommandLine>
-			<CommandLine name="Attack=T1003.006,Technique=Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command DCsync,Risk=100" condition="contains">dcsync</CommandLine>
-			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credentials in Registry" condition="contains any">HKCU /f password;HKCU -f password</CommandLine>
-			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credentials in Registry" condition="contains any">HKLM /f password;HKLM -f password</CommandLine>
-			<Image name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command nltest,Risk=60" condition="image">nltest.exe</Image>
-			<Image name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command" condition="image">ProcDump.exe</Image>
-			<OriginalFileName name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command" condition="contains">ProcDump</OriginalFileName>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" groupRelation="and">
+				<CommandLine condition="contains">VaultCloseVault</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" groupRelation="and">
+				<CommandLine condition="contains">VaultEnumerateItem</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" groupRelation="and">
+				<CommandLine condition="contains">VaultFree</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" groupRelation="and">
+				<CommandLine condition="contains">VaultGetItem</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" groupRelation="and">
+				<CommandLine condition="contains">VaultOpenVault</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" groupRelation="and">
+				<CommandLine condition="contains">Vaultcmd</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" groupRelation="and">
+				<CommandLine condition="contains">vaultcli.dll</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping from firefox" groupRelation="and">
+				<CommandLine condition="contains">select * from moz_login</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping" groupRelation="and">
+				<CommandLine condition="contains">Invoke-WinEnum</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Dumping Cached Credentials,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">System.Net.CredentialCache</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=0,Desc=VSS Shadow file Created" groupRelation="and">
+				<CommandLine condition="contains">create shadow</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Dumping,DS=Process: Process Creation,Level=4,Alert=Credential Theft: netsh wlan password export in cleartext,Risk=100" groupRelation="and">
+				<CommandLine condition="contains all">wlan;export;profile;key=clear</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003.006,Technique=Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command DCsync,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">dcsync</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credentials in Registry" groupRelation="and">
+				<CommandLine condition="contains any">HKCU /f password;HKCU -f password</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credentials in Registry" groupRelation="and">
+				<CommandLine condition="contains any">HKLM /f password;HKLM -f password</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command nltest,Risk=60" groupRelation="and">
+				<Image condition="image">nltest.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command" groupRelation="and">
+				<Image condition="image">ProcDump.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command" groupRelation="and">
+				<OriginalFileName condition="contains">ProcDump</OriginalFileName>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
 			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">asktgt;asktgs</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">createnetonly /program:;createnetonly -program:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">dump /service:krbtgt;dump -service:krbtgt</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">harvest /interval:;harvest -interval:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">renew /ticket:;renew -ticket:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">asreproast</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">impersonateuser:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">kerberoast</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">ptt /ticket:</CommandLine>
-			<Image name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Kerberos Ticket Disclosure with klist,Risk=70" condition="image">klist.exe</Image>
-			<Image name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=0,Desc=Kerberos Ticket Disclosure,Risk=30" condition="image">hh.exe</Image>
+			<Rule name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">asktgt;asktgs</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">createnetonly /program:;createnetonly -program:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">dump /service:krbtgt;dump -service:krbtgt</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">harvest /interval:;harvest -interval:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">renew /ticket:;renew -ticket:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">asreproast</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">impersonateuser:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">kerberoast</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">ptt /ticket:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Kerberos Ticket Disclosure with klist,Risk=70" groupRelation="and">
+				<Image condition="image">klist.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=0,Desc=Kerberos Ticket Disclosure,Risk=30" groupRelation="and">
+				<Image condition="image">hh.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
 			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
 			<Rule name="Attack=T1552,Technique=Unsecured Credentials,Tactic=Credential Access,DS=Process: Process Creation,Level=3,Alert=Possible disclosure with IIS appcmd,Risk=100" groupRelation="and">
 				<OriginalFileName condition="is">appcmd.exe</OriginalFileName>
 				<CommandLine condition="contains all">list;text;password</CommandLine>
 			</Rule>
+			
 			<!--MITRE ATT&CK TACTIC: Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=User enumeration/Discovery,Risk=30" condition="image">quser.exe</Image>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=User enumeration/Discovery,Risk=30" groupRelation="and">
+				<Image condition="image">quser.exe</Image>
+			</Rule>
 			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=User or Group Discovery,Risk=50" groupRelation="and">
 				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
 				<CommandLine condition="contains any">group;localgroup; user</CommandLine>
@@ -1522,10 +1905,18 @@
 				<ParentImage condition="contains any">sharphound;bloodhound</ParentImage>
 				<Product condition="contains any">sharphound;bloodhound</Product>
 			</Rule>
-			<CommandLine name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=DSclient Discovery,Risk=70" condition="contains any">dscl . list /Groups;dscl . list -Groups</CommandLine>
-			<CommandLine name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=DSclient Discovery,Risk=70" condition="contains any">dscl . list /Users;dscl . list -Users</CommandLine>
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=DSQuery.EXE Discovery,Risk=70" condition="image">dsquery.exe</Image>
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Query.EXE Discovery,Risk=30" condition="image">query.exe</Image>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=DSclient Discovery,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">dscl . list /Groups;dscl . list -Groups</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=DSclient Discovery,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">dscl . list /Users;dscl . list -Users</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=DSQuery.EXE Discovery,Risk=70" groupRelation="and">
+				<Image condition="image">dsquery.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Query.EXE Discovery,Risk=30" groupRelation="and">
+				<Image condition="image">query.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
@@ -1536,14 +1927,20 @@
 			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
 			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
-			<Image name="Attack=T1083,Technique=File and Directory Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=directory structure disclosure,Risk=30" condition="end with">tree.com</Image>
+			<Rule name="Attack=T1083,Technique=File and Directory Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=directory structure disclosure,Risk=30" groupRelation="and">
+				<Image condition="end with">tree.com</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
 			<Rule name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Auditpol System/GP Audit Policy Discovery" groupRelation="and">
 				<OriginalFileName condition="contains">auditpol</OriginalFileName>
 				<CommandLine condition="contains any">/get;-get;/list;-list;/backup;-backup</CommandLine>
 			</Rule>
-			<Image name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Group Policy Discovery with GPResult" condition="contains any">gpresult.exe</Image>
-			<CommandLine name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Group Policy Discovery with Powershell" condition="contains any">get-gpo;get-gpresult;get-gpreg</CommandLine>
+			<Rule name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Group Policy Discovery with GPResult" groupRelation="and">
+				<Image condition="contains any">gpresult.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Group Policy Discovery with Powershell" groupRelation="and">
+				<CommandLine condition="contains any">get-gpo;get-gpresult;get-gpreg</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
@@ -1551,16 +1948,29 @@
 			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
-			<Image name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=Process Discovery,Risk=0" condition="image">tasklist.exe</Image>
-			<Image name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Process Discovery,Risk=0" condition="image">qprocess.exe</Image>
+			<Rule name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=Process Discovery,Risk=0" groupRelation="and">
+				<Image condition="image">tasklist.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Process Discovery,Risk=0" groupRelation="and">
+				<Image condition="image">qprocess.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
-			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg query</CommandLine>
-			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg.exe query</CommandLine>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Remote Driver Querying" condition="image">driverquery.exe</Image>
-
+			<Rule name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=System information discovery with reg.exe,Risk=20" groupRelation="and">
+				<CommandLine condition="contains">reg query</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=System information discovery with reg.exe,Risk=20" groupRelation="and">
+				<CommandLine condition="contains">reg.exe query</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Remote Driver Querying" groupRelation="and">
+				<Image condition="image">driverquery.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
-			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=Traceroute Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">tracert.exe</Image>
-			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=Pathping Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">pathping.exe</Image>
+			<Rule name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=Traceroute Remote System Discovery,Risk=30" groupRelation="and">
+				<Image condition="image">tracert.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=Pathping Remote System Discovery,Risk=30" groupRelation="and">
+				<Image condition="image">pathping.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Software Discovery: Security Software Discovery-->
 			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Alert=Sysmon Detection with driver altitude" groupRelation="or">
@@ -1610,16 +2020,30 @@
 				<CommandLine condition="contains all">find;sidecar</CommandLine>
 				<CommandLine condition="contains all">select-string;sidecar</CommandLine>
 				<CommandLine condition="contains all">process;Description;sidecar</CommandLine>
+				<CommandLine condition="contains all">find;nxlog</CommandLine>
+				<CommandLine condition="contains all">select-string;nxlog</CommandLine>
+				<CommandLine condition="contains all">process;Description;nxlog</CommandLine>
+				<CommandLine condition="contains all">find;lpagent</CommandLine>
+				<CommandLine condition="contains all">select-string;lpagent</CommandLine>
+				<CommandLine condition="contains all">process;Description;lpagent</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation" groupRelation="or">
 				<OriginalFileName name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discover,DS=Process: Process Creationy" condition="is">fltMC.exe</OriginalFileName>
 				<CommandLine name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation" condition="contains">misc::mflt</CommandLine>
 			</Rule>
-			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=AV Product detection via WMI,Risk=30" condition="contains">AntiVirusProduct</CommandLine>
-			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Security Settings via WMI,Risk=30" condition="contains">root\SecurityCenter2</CommandLine>
+			<Rule name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=AV Product detection via WMI,Risk=30" groupRelation="and">
+				<CommandLine condition="contains">AntiVirusProduct</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Security Settings via WMI,Risk=30" groupRelation="and">
+				<CommandLine condition="contains">root\SecurityCenter2</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
-			<Image name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=System Information Discovery,Risk=30" condition="image">sysinfo.exe</Image>
-			<CommandLine name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=System Information Discovery,Risk=30" condition="image">systeminfo</CommandLine>
+			<Rule name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=System Information Discovery,Risk=30" groupRelation="and">
+				<Image condition="image">sysinfo.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=System Information Discovery,Risk=30" groupRelation="and">
+				<CommandLine condition="image">systeminfo</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
 			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=Network Connection Discovery with netsh,Risk=60" groupRelation="and">
@@ -1630,12 +2054,22 @@
 				<Image condition="image">netsh.exe</Image>
 				<CommandLine condition="excludes any">get;list;show</CommandLine>
 			</Rule>
-			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=ipconfig discovery,Risk=20" condition="image">ipconfig.exe</Image>
+			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=ipconfig discovery,Risk=20" groupRelation="and">
+				<Image condition="image">ipconfig.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
-			<Image name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=System Network Connections Discovery,Risk=0" condition="image">netstat.exe</Image>
-			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp -a</CommandLine> 
-			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp.exe -a</CommandLine> 
-			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp  -a</CommandLine>
+			<Rule name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=System Network Connections Discovery,Risk=0" groupRelation="and">
+				<Image condition="image">netstat.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=ARP Table Lookup Detected,Risk=30" groupRelation="and">
+				<CommandLine condition="contains">arp -a</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=ARP Table Lookup Detected,Risk=30" groupRelation="and">
+				<CommandLine condition="contains">arp.exe -a</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=ARP Table Lookup Detected,Risk=30" groupRelation="and">
+				<CommandLine condition="contains">arp  -a</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
 			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=Account Discovery,Risk=50" groupRelation="and">
 				<Image condition="contains any">whoami.exe;whoami1.exe</Image>
@@ -1665,9 +2099,12 @@
 				<Image condition="image">route.exe</Image>
 				<CommandLine condition="contains any">ADD;DEL;CHANGE;-f</CommandLine>
 			</Rule>
-			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=User enumeration with qwinsta" condition="image">qwinsta.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=rwinsta" condition="image">rwinsta.exe</Image>
-			
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=User enumeration with qwinsta" groupRelation="and">
+				<Image condition="image">qwinsta.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=rwinsta" groupRelation="and">
+				<Image condition="image">rwinsta.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
@@ -1688,8 +2125,12 @@
 			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
 			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
 			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking: RDP Hijacking-->
-			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Remote Desktop Shadow Alert,Risk=100" condition="contains any">/shadow;-shadow</CommandLine>
-			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Remote Desktop Shadow with no Consent alert" condition="contains">noConsentPrompt</CommandLine>
+			<Rule name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Remote Desktop Shadow Alert,Risk=100" groupRelation="and">
+				<CommandLine condition="contains any">/shadow;-shadow</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Remote Desktop Shadow with no Consent alert" groupRelation="and">
+				<CommandLine condition="contains">noConsentPrompt</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
 			<Rule name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=RDP Hijack Detected" groupRelation="and">
 				<ParentImage name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=RDP Hijack Detected,Risk=100" condition="image">tscon.exe</ParentImage>
@@ -1764,13 +2205,27 @@
 				<Image condition="image">ping.exe</Image>
 				<Image condition="image">bitsadmin.exe</Image>
 			</Rule>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Windows Remote Management Execution" condition="end with">winrm.cmd</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrs.exe</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrshost.exe</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=2,Alert=Waitfor.exe Execution bypass" condition="image">waitfor.exe</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</Image>
-			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrshost.exe</ParentImage>
-			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</ParentImage>
+			<Rule name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Windows Remote Management Execution" groupRelation="and">
+				<Image condition="end with">winrm.cmd</Image>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=WINRS remote shell execution,Risk=100" groupRelation="and">
+				<Image condition="image">winrs.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=WINRS remote shell execution,Risk=100" groupRelation="and">
+				<Image condition="image">winrshost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=2,Alert=Waitfor.exe Execution bypass" groupRelation="and">
+				<Image condition="image">waitfor.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Windows Remote Management execution" groupRelation="and">
+				<Image condition="image">wsmprovhost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=WINRS remote shell execution,Risk=100" groupRelation="and">
+				<ParentImage condition="image">winrshost.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Windows Remote Management execution" groupRelation="and">
+				<ParentImage condition="image">wsmprovhost.exe</ParentImage>
+			</Rule>
 			<Rule name="Attack=T1021.006,Technique=Remote WMIC/Execution,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Potential Malicious Document Execution,Risk=90" groupRelation="and">
 				<ParentImage condition="image">wmiprvse.exe</ParentImage>
 				<Image condition="image">mshta.exe</Image>
@@ -1778,7 +2233,9 @@
 			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Secure Shell Execution,Risk=80" groupRelation="and">
 				<Image condition="contains any">ssh.exe;putty.exe;kitty.exe;kitty_portable.exe</Image>
 			</Rule>
-			<Product name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Putty utility detected,Risk=60">PuTTY suite</Product>
+			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Putty utility detected,Risk=60" groupRelation="and">
+				<Product condition="is">PuTTY suite</Product>
+			</Rule>
 			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Secure Shell FTP Execution,Risk=80" groupRelation="and">
 				<Image condition="contains any">sftp;psftp</Image>
 			</Rule>
@@ -1793,38 +2250,90 @@
 				<Image condition="image">rundll32.exe</Image>
 				<CommandLine condition="contains all">,StartW</CommandLine>
 			</Rule>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Sysinternals PSService" condition="contains">psservice</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Sysinternals PsPasswd" condition="contains">PsPasswd</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Remote Desktop" condition="image">mstsc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
-			<CommandLine name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=IIS powershellcustomhost exec" condition="contains">powershellcustomhost</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Remote Services: Distributed Component Object Model-->
-			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation" groupRelation="and">
-				<ParentCommandLine condition="contains">-Embedding</ParentCommandLine>
-				<ParentImage condition="is">c:\windows\system32\mmc.exe</ParentImage>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Remote Shutdown with Psexec" groupRelation="and">
+				<Image condition="contains">psshutdown</Image>
 			</Rule>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=CrackmapExec - Malicious Command Line events,Tactic=Privilege Escalation" condition="contains all">--execm;atexec</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Background Intelligent Transfer Control Class 1.0" condition="contains">{4991d34b-80a1-4291-83b6-3328366b9097}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Excel.Application" condition="contains">{00020812-0000-0000-C000-000000000046}</CommandLine> 	  
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: HTML Application" condition="contains">{40AEEAB6-8FDA-41e3-9A5F-8350D4CFCA91}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: MMC20.APPLICATION" condition="contains">{7e0423cd-1119-0928-900c-e6d4a52a0715}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Outlook.Application" condition="contains">{0006F04A-0000-0000-C000-000000000046}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Powerpoint.Application" condition="contains">{048EB43E-2059-422F-95E0-557DA96038AF}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Shell.Application" condition="contains">{13709620-C279-11CE-A49E-444553540000}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: ShellBrowserWindow" condition="contains">{c08afd90-f2a1-11d1-8455-00a0c91f3880}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: ShellWindows" condition="contains">9BA05972-F6A8-11CF-A442-00A0C90A8F39</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Visio.Application" condition="contains">{00021A20-0000-0000-C000-000000000046}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: WScript.Shell" condition="contains">{72C24DD5-D70A-438B-8A42-98424B88AFB8}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Word.Application" condition="contains">{00020906-0000-0000-C000-000000000046}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Execution - Suspicious Cmdline - JScript Engine CLSID">{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Execution - Unusual Scripting Engine in use - chakra.dll">{1b7cd997-e5ff-4932-a7a6-2a9e636da385}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Execution - Unusual Scripting Engine in use - jscript9.dll">{16d51579-a30b-4c8b-a276-0ff4dc41e755}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" condition="contains any">rundll32.exe -sta;rundll32.exe /sta;rundll32 -sta;rundll32 /sta</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" condition="contains all">shell32.dll;SHCreateLocalServerRunDll</CommandLine>
-			<ParentCommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM Launch" condition="contains any">-k DcomLaunch;/k DcomLaunch</ParentCommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Sysinternals PSService" groupRelation="and">
+				<Image condition="contains">psservice</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Sysinternals PsPasswd" groupRelation="and">
+				<Image condition="contains">PsPasswd</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Remote Desktop" groupRelation="and">
+				<Image condition="image">mstsc.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Telnet Terminal Emulator" groupRelation="and">
+				<Image condition="image">telnet.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=TFTP Execution" groupRelation="and">
+				<Image condition="image">tftp.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=IIS powershellcustomhost exec" groupRelation="and">
+				<CommandLine condition="contains">powershellcustomhost</CommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Remote Services: Distributed Component Object Model-->
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation" groupRelation="and">
+				<ParentCommandLine condition="contains">-Embedding</ParentCommandLine>
+				<ParentImage condition="is">c:\windows\system32\mmc.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=CrackmapExec - Malicious Command Line events,Tactic=Privilege Escalation" groupRelation="and">
+				<CommandLine condition="contains all">--execm;atexec</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Background Intelligent Transfer Control Class 1.0" groupRelation="and">
+				<CommandLine condition="contains">{4991d34b-80a1-4291-83b6-3328366b9097}</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Excel.Application" groupRelation="and">
+				<CommandLine condition="contains">{00020812-0000-0000-C000-000000000046}</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: HTML Application" groupRelation="and">
+				<CommandLine condition="contains">{40AEEAB6-8FDA-41e3-9A5F-8350D4CFCA91}</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: MMC20.APPLICATION" groupRelation="and">
+				<CommandLine condition="contains">{7e0423cd-1119-0928-900c-e6d4a52a0715}</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Outlook.Application" groupRelation="and">
+				<CommandLine condition="contains">{0006F04A-0000-0000-C000-000000000046}</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Powerpoint.Application" groupRelation="and">
+				<CommandLine condition="contains">{048EB43E-2059-422F-95E0-557DA96038AF}</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Shell.Application" groupRelation="and">
+				<CommandLine condition="contains">{13709620-C279-11CE-A49E-444553540000}</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: ShellBrowserWindow" groupRelation="and">
+				<CommandLine condition="contains">{c08afd90-f2a1-11d1-8455-00a0c91f3880}</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: ShellWindows" groupRelation="and">
+				<CommandLine condition="contains">9BA05972-F6A8-11CF-A442-00A0C90A8F39</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Visio.Application" groupRelation="and">
+				<CommandLine condition="contains">{00021A20-0000-0000-C000-000000000046}</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: WScript.Shell" groupRelation="and">
+				<CommandLine condition="contains">{72C24DD5-D70A-438B-8A42-98424B88AFB8}</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Word.Application" groupRelation="and">
+				<CommandLine condition="contains">{00020906-0000-0000-C000-000000000046}</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Execution - Suspicious Cmdline - JScript Engine CLSID" groupRelation="and">
+				<CommandLine condition="contains">{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Execution - Unusual Scripting Engine in use - chakra.dll" groupRelation="and">
+				<CommandLine condition="contains">{1b7cd997-e5ff-4932-a7a6-2a9e636da385}</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Execution - Unusual Scripting Engine in use - jscript9.dll" groupRelation="and">
+				<CommandLine condition="contains">{16d51579-a30b-4c8b-a276-0ff4dc41e755}</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" groupRelation="and">
+				<CommandLine condition="contains any">rundll32.exe -sta;rundll32.exe /sta;rundll32 -sta;rundll32 /sta</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" groupRelation="and">
+				<CommandLine condition="contains all">shell32.dll;SHCreateLocalServerRunDll</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM Launch" groupRelation="and">
+				<ParentCommandLine condition="contains any">-k DcomLaunch;/k DcomLaunch</ParentCommandLine>
+			</Rule>
+			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
 			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
 			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
 			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
@@ -1856,13 +2365,21 @@
 				<CommandLine condition="contains">Compress-Archive</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
-			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">WindowsAudioDevice-Powershell-Cmdlet</CommandLine>
-			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">SoundRecorder.exe</CommandLine>
+			<Rule name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Audio Capture Detected,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">WindowsAudioDevice-Powershell-Cmdlet</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Audio Capture Detected,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">SoundRecorder.exe</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
 			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
 			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
-			<Image name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,DS=Process: Process Creation,Level=3,Alert=Data injected into clipboard,Risk=30" condition="image">clip.exe</Image>
-			<CommandLine name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,DS=Process: Process Creation,Level=3,Alert=Data pulled from clipboard,Risk=40" condition="contains">get-clipboard</CommandLine>
+			<Rule name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,DS=Process: Process Creation,Level=3,Alert=Data injected into clipboard,Risk=30" groupRelation="and">
+				<Image condition="image">clip.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,DS=Process: Process Creation,Level=3,Alert=Data pulled from clipboard,Risk=40" groupRelation="and">
+				<CommandLine condition="contains">get-clipboard</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
 			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
 			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
@@ -1879,10 +2396,18 @@
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
 			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">screencapture</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.drawing.Imaging</CommandLine>			
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.drawing.bitmap</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.windows.forms.screen</CommandLine>
+			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">screencapture</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">system.drawing.Imaging</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">system.drawing.bitmap</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">system.windows.forms.screen</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
 			<!--MITRE ATT&CK TACTIC: Command and Control-->
 			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
@@ -1890,9 +2415,10 @@
 			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
 			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=base64 encoded URL https or http offset,Risk=80" groupRelation="and">
 				<CommandLine condition="contains any">odHRwczovL;aHR0cDovL;h0dHA6Ly;odHRwOi8v;aHR0cHM6Ly;h0dHBzOi8v</CommandLine>
-				<Image condition="excludes any">ie_to_edge_stub.exe;chrome.exe;firefox.exe;iexplore.exe;brave.exe;vivaldi.exe;msedge.exe;webex;teams.exe;goto opener.exe;lynx.exe;\Webex\webexAppLauncherLatest.exe;\WebEx\webexAppLauncher.exe;\WebEx\Applications\webexAppLauncher.exe;WebEx\webex.exe</Image>
-				<CommandLine condition="excludes any">wbx:;/SITE_TOKEN=;msteams:;PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSI</CommandLine>
+				<Image condition="excludes any">ie_to_edge_stub.exe;chrome.exe;firefox.exe;iexplore.exe;brave.exe;vivaldi.exe;msedge.exe;webex;teams.exe;goto opener.exe;lynx.exe;\Webex\webexAppLauncherLatest.exe;\WebEx\webexAppLauncher.exe;\WebEx\Applications\webexAppLauncher.exe;WebEx\webex.exe;C:\PROGRA~2\BEANYW~1\GETSUP~1\TCIntegratorCommHelper.exe</Image>
+				<CommandLine condition="excludes any">wbx:;/SITE_TOKEN=;msteams:;PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSI;NCentralRDLdr.exe</CommandLine>
 				<OriginalFileName condition="excludes any">msedgeupdate.dll</OriginalFileName>
+				<ParentCommandLine condition="excludes any">C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupSrvc.exe;NCentralRDLdr.exe</ParentCommandLine>
 			</Rule>
 			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=Double Base64 encoded executable,Risk=90" groupRelation="and">
 				<CommandLine condition="contains any">VFZvQUFBQ;RWb0FBQU;UVm9BQUFB;VFZxQUFBR;RWcUFBQU;UVnFBQUFF;VFZwUUFBS;RWcFFBQU;UVnBRQUFJ;VFZxUUFBT;RWcVFBQU;UVnFRQUFN;VFZwVEFRR;RWcFRBUU;UVnBUQVFF</CommandLine>
@@ -1946,25 +2472,51 @@
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Potential Ingress Tool Transfer and tool usage within suspicious folders,Risk=100" groupRelation="and">
 				<Image condition="contains any">C:\Perflogs\;C:\Users\Public\;C:\root\</Image>
 			</Rule>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=BitsAdmin File Transfers,Risk=70" condition="image">start-bitstransfer</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand.exe \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" condition="contains">ieexec http</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" condition="contains">ieexec.exe http</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with Powercat,Risk=100" condition="contains">powercat</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" condition="contains any">esentutl /y \\;esentutl -y \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" condition="contains any">esentutl.exe /y \\;esentutl.exe -y \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" condition="contains">extrac32 \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" condition="contains">extrac32.exe \\</CommandLine>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=BitsAdmin File Transfers,Risk=70" groupRelation="and">
+				<CommandLine condition="image">start-bitstransfer</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">expand \\</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">expand.exe \\</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">ieexec http</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">ieexec.exe http</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with Powercat,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">powercat</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">esentutl /y \\;esentutl -y \\</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" groupRelation="and">
+				<CommandLine condition="contains any">esentutl.exe /y \\;esentutl.exe -y \\</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">extrac32 \\</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">extrac32.exe \\</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
 			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
 			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
 			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
-			<CommandLine name="Attack=T1090,Technique=Connection Proxy,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=NetSH PortProxy,Risk=70" condition="contains">portproxy</CommandLine>
-			<Image name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=Tor Detected,Risk=100" condition="image">tor.exe</Image>
+			<Rule name="Attack=T1090,Technique=Connection Proxy,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=NetSH PortProxy,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">portproxy</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=Tor Detected,Risk=100" groupRelation="and">
+				<Image condition="image">tor.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
-			<Image name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Process: Process Creation,Level=0,Desc=Teamviewer Unattended Session" condition="image">TeamViewer_Desktop.exe</Image>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Process: Process Creation,Level=0,Desc=Teamviewer Unattended Session" groupRelation="and">
+				<Image condition="image">TeamViewer_Desktop.exe</Image>
+			</Rule>
 			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=PSExec Command,Risk=100" groupRelation="and">
 				<OriginalFileName condition="contains any">psexec</OriginalFileName>
 			</Rule>
@@ -2016,7 +2568,6 @@
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
-
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
 			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
 
@@ -2066,19 +2617,42 @@
 				<CommandLine condition="contains">manage-bde.wsf</CommandLine>
 				<CommandLine condition="contains any">changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw</CommandLine>
 			</Rule>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=3,Alert=Data Destruction with format" condition="begin with">format </CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=3,Alert=Data Destruction with format" condition="begin with">format </CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" condition="contains">bootstatuspolicy ignoreallfailures</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" condition="contains">recoveryenabled No</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with get-wmiobject Detected,Risk=100" condition="contains">Win32_Shadowcopy</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with sdelete Detected,Risk=100" condition="contains">sdelete</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">delete catalog</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">wbadmin delete catalog</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Desc=Data Destruction with erase Detected,Risk=100" condition="contains">erase</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=2,Alert=vShadow Commands" condition="contains">-nw -exec=</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=vShadow Commands" condition="contains">-p -nw</CommandLine>
-			<Image name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with shred Detected,Risk=100" condition="contains">shred</Image>
-			<ParentImage name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Diskshadow Execution,Risk=70" condition="contains">diskshadow</ParentImage>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=3,Alert=Data Destruction with format" groupRelation="and">
+				<CommandLine condition="begin with">format </CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">bootstatuspolicy ignoreallfailures</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">recoveryenabled No</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with get-wmiobject Detected,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">Win32_Shadowcopy</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with sdelete Detected,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">sdelete</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">delete catalog</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">wbadmin delete catalog</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Desc=Data Destruction with erase Detected,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">erase</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=2,Alert=vShadow Commands" groupRelation="and">
+				<CommandLine condition="contains">-nw -exec=</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=vShadow Commands" groupRelation="and">
+				<CommandLine condition="contains">-p -nw</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with shred Detected,Risk=100" groupRelation="and">
+				<Image condition="contains">shred</Image>
+			</Rule>
+			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Diskshadow Execution,Risk=70" groupRelation="and">
+				<ParentImage condition="contains">diskshadow</ParentImage>
+			</Rule>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=3,Alert=Command Line File Deletion,Risk=100" groupRelation="or">
 				<CommandLine condition="contains all"> del ; /f </CommandLine>
 				<CommandLine condition="contains all"> del ; -f </CommandLine>
@@ -2088,7 +2662,9 @@
 				<CommandLine condition="contains all"> rd ; -s ; -q </CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
-			<CommandLine name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=3,Alert=Potential Ransomware indicator" condition="contains">usn deletejournal</CommandLine>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=3,Alert=Potential Ransomware indicator" groupRelation="and">
+				<CommandLine condition="contains">usn deletejournal</CommandLine>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
 			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
 			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
@@ -2104,7 +2680,9 @@
 			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
-			<CommandLine name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Malicious Keywords from Exploitation Frameworks,Author=Florian Roth" condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
+			<Rule name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Malicious Keywords from Exploitation Frameworks,Author=Florian Roth" groupRelation="and">
+			<CommandLine condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
+			</Rule>
 			<!--Crypto Currency Miner Detections-->
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
 				<CommandLine condition="contains any">ahashpool;blazepool;blockmasters;blockmasterscoins;ccminer;cgminer;coinhive;hashrefinery;minergate;miningpoolhubcoins;nicehash;poolname;poolpassword;poolurl;rainbowminer;sgminer;stratum+tcp;xmrMiner;xmrig;yiimp;zergpool;zergpoolcoins;zpool</CommandLine>
@@ -2113,13 +2691,27 @@
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Solarwinds/FireEye sunburst hashes,Risk=100" groupRelation="and">
 				<Hashes condition="contains any">b91ce2fa41029f6955bff20079468448;02af7cec58b9a5da1c542b5a32151ba1;2c4a910a1299cdae2a4e55988a2f102e;846e27a652a5e1bfbd0ddd38a16dc865;4f2eb62fa529c0283b28d05ddd311fae;56ceb6d0011d87b6e4d7023d7ef85676</Hashes>
 			</Rule>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
-			<Hashes name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Generic APT Hash Detection,Risk=100" condition="contains any">4a069c1abe5aca148d5a8fdabc26751e;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;a4b42c2c95d1f2ff12171a01c86cd64f;98908ce6f80ecc48628c8d2bf5b2a50c;849a2b0dc80aeca3d175c139efe5221c;807d86da63f0db1fc746d1f0b05bc357;322cb39bc049aa69136925137906d855;86A4CAC227078B9C95C560C8F0370BF0;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;eac3e3ece94bc84e922ec077efb15edd;b4abe604916c04fe3dd8b9cb3d501d3f;88777aacd5f16599547926a4c9202862;128CECC59C91C0D0574BC1075FE7CB40;17a36ac3e31f3a18936552aff2c80249;0f49621b06f2cdaac8850c6e9581a594;3d129263f6a48647f103a04446fb0c2f;71345b139166482acaa568ac8816c7bc;1b60021baedc3f9201bcdb40e9b87f62;5E022694C0DBD1FBBC263D608E577949;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;37cd353621b0f4fc6981b50071c94f01;daf2da52475fd8981b19ec3c321a983c;afcdf79be1557326c854b6e20cb900a7;2f40abbb4f78e77745f0e657a19903fc953cc664;37b4496e650b3994312c838435013560b3ca8571;478dc5a5f934c62a9246f7d1fc275868f568bc07;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;0ac48cfa2ff8351365e99c1d26e082ad;0e9afd3a870906ebf34a0b66d8b07435;1aadf739782afcae6d1c3e4d1f315cbd;2a6f7ec77ab6bd4297e7b15ae06e2e61;3a771efb7ba2cd0df247ab570e1408b2;3d75c72144d873b3c1c4977fbafe9184;3dfebce4703f30eed713d795b90538b5;3ffd2915d285ad748202469d4a04e1f5;4e39620afca6f60bb30e031ddc5a4330;6cfd131fef548fcd60fbcdb59317df8e;7bcd736a2394fc49f3e27b3987cce640;7bfba2c69bed6b160261bdbf2b826401;7bfbd72441e1f2ed48fbc0f33be00f24;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;08e82dc7bae524884b7dc2134942aadb;8da15a97eaf69ff7ee184fc446f19cf1;9ad6fa6fdedb2df8055b3d30bd6f64f1;9c115e9a81d25f9d88e7aaa4313d9a8f;16ab79fb2fd92db0b1f38bedb2f02ed8;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;22d142f11cf2a30ea4953e1fffb0fa7e;36db24006e2b492cafb75f2663f241b2;51a7068640af42c3a7c1b94f1c11ab9d;69a19abf5ba56ee07cdd3425b07cf8bf;72dc98449b45a7f1ccdef27d51e31e91;77a745b07d9c453650dd7f683b02b3ed;80c37e062aa4c94697f287352acf2e9d;92f8e3f0f1f7cc49fad797a62a169acd;235d427f94630575a4ea4bff180ecf5d;320b2f1d9551b5d1df4fb19bd9ab253a;490a140093b5870a47edc29f33542fd2;520ee02668a1c7b7c262708e12b1ba6b;649ef1dd4a5411d3afcf108d57ff87af;684eca6b62d69ce899a3ec3bb04d0a5b;815f1f8a7bc1e6f94cb5c416e381a110;0969b2b399a8d4cd2d751824d0d842b4;2317d65da4639f4246de200650a70753;04078ef95a70a04e95bda06cc7bec3fa;8035a8a143765551ca7db4bc5efb5dfd;8403a28e0bffa9cc085e7b662d0d5412;9003cfaac523e94d5479dc6a10575e60;9793afcea43110610757bd3b800de517;27612cb03c89158225ca201721ea1aad;44619a88a6cff63523163c6a4cf375dd;061089d8cb0ca58e660ce2e433a689b3;81229c1e272218eeda14892fa8425883;84730a6e426fbd3cf6b821c59674c8a0;533340c54bd25256873b3dca34d7f74e;57314359df11ffdf476f809671ec0275;99828721ac1a0e32e4582c3f615d6e57;412956675fbc3f8c51f438c1abc100eb;5985087678414143d33ffc6e8863b887;a43d3b31575846fa4c3992b4143a06da;a571660c9cf1696a2f4689b2007a12c7;b4e67706103c3b8ee148394ebee3f268;b9c208ea8115232bfd9ec2c62f32d6b8;b9cf4301b7b186a75e82a04e87b30fe4;b72737b464e50aa3664321e8e001ff32;bfe3f6a79cad5b9c642bb56f8037c43b;c0e72eb4c9f897410c795c1b360090ef;c1e7850da5604e081b9647b58248d7e8;c3e255888211d74cc6e3fb66b69bbffb;cacaa3bf3b2801956318251db5e90f3c;cdb303f61a47720c7a8c5086e6b2a743;ce8ce92fb6565181572dce00d69c24f8;d8f1356bebda9e77f480a6a60eab36bb;d9e9f22988d43d73d79db6ee178d70a4;d5377dc1821c935302c065ad8432c0d2;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;f559c87b4a14a4be1bd84df6553aaf56;fc53f2cd780cd3a01a4299b8445f8511;ffc7305cb24c1955f9625e525d58aeee</Hashes>
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=4,Alert=Windows Credential Editor Detection,Risk=70" condition="contains any">e96a73c7bf33a464c510ede582318bf2;a53a02b997935fd8eedcb5f7abab9b9f</Hashes>
-			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Ransomware Hash Detection,Risk=100" condition="contains any">d326e629a90e78825645963b35e53a6a;c579341f86f7e962719c7113943bb6e4;dc5733c013378fa418d13773f5bfe6f1;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc7e564809d6c2a2f3457c3c9b91f22b;FE2CA1BE3BDA2A757036A89E54CC02DB;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b</Hashes>
-			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Ursniff Bank Malware,Risk=100" condition="contains">53841a0c6a3ff92976db08bfdf95e083</Hashes>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=plink.exe 64bit imphash matched,Risk=40" groupRelation="and">
+				<Hashes condition="end with">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=plunk.exe 32bit imphash matched,Risk=40" groupRelation="and">
+				<Hashes condition="end with">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=putty.exe 64bit imphash matched,Risk=40" groupRelation="and">
+				<Hashes condition="end with">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Generic APT Hash Detection,Risk=100" groupRelation="and">
+				<Hashes condition="contains any">4a069c1abe5aca148d5a8fdabc26751e;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;a4b42c2c95d1f2ff12171a01c86cd64f;98908ce6f80ecc48628c8d2bf5b2a50c;849a2b0dc80aeca3d175c139efe5221c;807d86da63f0db1fc746d1f0b05bc357;322cb39bc049aa69136925137906d855;86A4CAC227078B9C95C560C8F0370BF0;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;eac3e3ece94bc84e922ec077efb15edd;b4abe604916c04fe3dd8b9cb3d501d3f;88777aacd5f16599547926a4c9202862;128CECC59C91C0D0574BC1075FE7CB40;17a36ac3e31f3a18936552aff2c80249;0f49621b06f2cdaac8850c6e9581a594;3d129263f6a48647f103a04446fb0c2f;71345b139166482acaa568ac8816c7bc;1b60021baedc3f9201bcdb40e9b87f62;5E022694C0DBD1FBBC263D608E577949;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;37cd353621b0f4fc6981b50071c94f01;daf2da52475fd8981b19ec3c321a983c;afcdf79be1557326c854b6e20cb900a7;2f40abbb4f78e77745f0e657a19903fc953cc664;37b4496e650b3994312c838435013560b3ca8571;478dc5a5f934c62a9246f7d1fc275868f568bc07;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;0ac48cfa2ff8351365e99c1d26e082ad;0e9afd3a870906ebf34a0b66d8b07435;1aadf739782afcae6d1c3e4d1f315cbd;2a6f7ec77ab6bd4297e7b15ae06e2e61;3a771efb7ba2cd0df247ab570e1408b2;3d75c72144d873b3c1c4977fbafe9184;3dfebce4703f30eed713d795b90538b5;3ffd2915d285ad748202469d4a04e1f5;4e39620afca6f60bb30e031ddc5a4330;6cfd131fef548fcd60fbcdb59317df8e;7bcd736a2394fc49f3e27b3987cce640;7bfba2c69bed6b160261bdbf2b826401;7bfbd72441e1f2ed48fbc0f33be00f24;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;08e82dc7bae524884b7dc2134942aadb;8da15a97eaf69ff7ee184fc446f19cf1;9ad6fa6fdedb2df8055b3d30bd6f64f1;9c115e9a81d25f9d88e7aaa4313d9a8f;16ab79fb2fd92db0b1f38bedb2f02ed8;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;22d142f11cf2a30ea4953e1fffb0fa7e;36db24006e2b492cafb75f2663f241b2;51a7068640af42c3a7c1b94f1c11ab9d;69a19abf5ba56ee07cdd3425b07cf8bf;72dc98449b45a7f1ccdef27d51e31e91;77a745b07d9c453650dd7f683b02b3ed;80c37e062aa4c94697f287352acf2e9d;92f8e3f0f1f7cc49fad797a62a169acd;235d427f94630575a4ea4bff180ecf5d;320b2f1d9551b5d1df4fb19bd9ab253a;490a140093b5870a47edc29f33542fd2;520ee02668a1c7b7c262708e12b1ba6b;649ef1dd4a5411d3afcf108d57ff87af;684eca6b62d69ce899a3ec3bb04d0a5b;815f1f8a7bc1e6f94cb5c416e381a110;0969b2b399a8d4cd2d751824d0d842b4;2317d65da4639f4246de200650a70753;04078ef95a70a04e95bda06cc7bec3fa;8035a8a143765551ca7db4bc5efb5dfd;8403a28e0bffa9cc085e7b662d0d5412;9003cfaac523e94d5479dc6a10575e60;9793afcea43110610757bd3b800de517;27612cb03c89158225ca201721ea1aad;44619a88a6cff63523163c6a4cf375dd;061089d8cb0ca58e660ce2e433a689b3;81229c1e272218eeda14892fa8425883;84730a6e426fbd3cf6b821c59674c8a0;533340c54bd25256873b3dca34d7f74e;57314359df11ffdf476f809671ec0275;99828721ac1a0e32e4582c3f615d6e57;412956675fbc3f8c51f438c1abc100eb;5985087678414143d33ffc6e8863b887;a43d3b31575846fa4c3992b4143a06da;a571660c9cf1696a2f4689b2007a12c7;b4e67706103c3b8ee148394ebee3f268;b9c208ea8115232bfd9ec2c62f32d6b8;b9cf4301b7b186a75e82a04e87b30fe4;b72737b464e50aa3664321e8e001ff32;bfe3f6a79cad5b9c642bb56f8037c43b;c0e72eb4c9f897410c795c1b360090ef;c1e7850da5604e081b9647b58248d7e8;c3e255888211d74cc6e3fb66b69bbffb;cacaa3bf3b2801956318251db5e90f3c;cdb303f61a47720c7a8c5086e6b2a743;ce8ce92fb6565181572dce00d69c24f8;d8f1356bebda9e77f480a6a60eab36bb;d9e9f22988d43d73d79db6ee178d70a4;d5377dc1821c935302c065ad8432c0d2;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;f559c87b4a14a4be1bd84df6553aaf56;fc53f2cd780cd3a01a4299b8445f8511;ffc7305cb24c1955f9625e525d58aeee</Hashes>
+			</Rule>
+			<Rule name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=4,Alert=Windows Credential Editor Detection,Risk=70" groupRelation="and">
+				<Hashes condition="contains any">e96a73c7bf33a464c510ede582318bf2;a53a02b997935fd8eedcb5f7abab9b9f</Hashes>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Ransomware Hash Detection,Risk=100" groupRelation="and">
+				<Hashes condition="contains any">d326e629a90e78825645963b35e53a6a;c579341f86f7e962719c7113943bb6e4;dc5733c013378fa418d13773f5bfe6f1;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc7e564809d6c2a2f3457c3c9b91f22b;FE2CA1BE3BDA2A757036A89E54CC02DB;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b</Hashes>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Ursniff Bank Malware,Risk=100" groupRelation="and">
+				<Hashes condition="contains">53841a0c6a3ff92976db08bfdf95e083</Hashes>
+			</Rule>
 			<!--UEBA Activities-->
 			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Zoom: passwordless meeting Start,Risk=30" groupRelation="and">
 				<CommandLine condition="contains">zoommtg</CommandLine>
@@ -2157,41 +2749,112 @@
 				<Image condition="contains any">C:\Users\Public\;$Recyclebin;\Desktop\;\Content.Outlook\;\Downloads\</Image>
 				<CommandLine condition="contains any">.html;.hta;.iso;.js;.bat;.cmd;.cmdline;.vbs;.vb;.vbe;.reg;.com</CommandLine>
 			</Rule>
-			<CommandLine condition="contains">listena</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=LOLBins" condition="contains any">-s -n -u -i:http:</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=LOLBins" condition="contains any">/s /n /u /i:http:</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">assoc </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">del </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">expand </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">md </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">move </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">rd </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">ren </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">set </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">setx </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="contains any">bginfo.bgi /popup /nolicprompt;bginfo.bgi -popup -nolicprompt</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="image">find.exe</CommandLine>
-			<CommandLine name="Attack=T1595,Technique=Hacking,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=FireEye/Fin6 Hacking tools" condition="contains">grabff</CommandLine>
-			<CommandLine name="Attack=T1595,Technique=Hacking,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=FireEye/Fin6 Hacking tools" condition="contains">routerscan</CommandLine>
-			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Hacking with python,Risk=70" condition="contains">pythonEngine.Execute</CommandLine>
-			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Hacking with session hijacking,Risk=100" condition="contains">sesshijack</CommandLine>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=File Protocol Handler Execution" condition="contains">file://</CommandLine>
-			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=HTML APP Host" condition="end with">HTML Application host</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Manager Profile Installer" condition="end with">Manager Profile Installer</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Microsoft Application Virtualization Injector" condition="contains">Microsoft Application Virtualization Injector</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=App Compat Database installer" condition="contains">Application Compatibility Database Installer</Description>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="image">popd.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="image">pushd.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="image">subst.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=detect aliases" condition="image">doskey.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=detect cls in batch scripts" condition="image">cls.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=UNC\Device Launches - Image begins with \,Risk=10" condition="begin with">\</Image> 
-			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=IIS Child Processes" condition="begin with">C:\Windows\system32\svchost.exe -k iissvcs</ParentCommandLine>
-			<ParentImage name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=UNC\Device Launches - Parent Image begins with \,Risk=10" condition="begin with">\</ParentImage> 
-			<ParentImage name="Attack=T1059,DS=Process: Process Creation,Level=0,Desc=Process Spawned from Acrobat" condition="image">acrobat.exe</ParentImage>
-			<ParentImage name="Attack=T1059,DS=Process: Process Creation,Level=0,Desc=Process Spawned from Adobe Reader" condition="image">acrord32.exe</ParentImage>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Process Spawned from JAVA" condition="image">java.exe</ParentImage>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Process Spawned from JAVA" condition="image">javaw.exe</ParentImage>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=LOLBins" groupRelation="and">
+				<CommandLine condition="contains any">-s -n -u -i:http:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=LOLBins" groupRelation="and">
+				<CommandLine condition="contains any">/s /n /u /i:http:</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" groupRelation="and">
+				<CommandLine condition="contains">listena</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" groupRelation="and">
+				<CommandLine condition="begin with">assoc </CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" groupRelation="and">
+				<CommandLine condition="begin with">del </CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" groupRelation="and">
+				<CommandLine condition="begin with">expand </CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" groupRelation="and">
+				<CommandLine condition="begin with">md </CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" groupRelation="and">
+				<CommandLine condition="begin with">move </CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" groupRelation="and">
+				<CommandLine condition="begin with">rd </CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" groupRelation="and">
+				<CommandLine condition="begin with">ren </CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" groupRelation="and">
+				<CommandLine condition="begin with">set </CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" groupRelation="and">
+				<CommandLine condition="begin with">setx </CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" groupRelation="and">
+				<CommandLine condition="contains any">bginfo.bgi /popup /nolicprompt;bginfo.bgi -popup -nolicprompt</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" groupRelation="and">
+				<CommandLine condition="image">find.exe</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1595,Technique=Hacking,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=FireEye/Fin6 Hacking tools" groupRelation="and">
+				<CommandLine condition="contains">grabff</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1595,Technique=Hacking,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=FireEye/Fin6 Hacking tools" groupRelation="and">
+				<CommandLine condition="contains">routerscan</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Hacking with python,Risk=70" groupRelation="and">
+				<CommandLine condition="contains">pythonEngine.Execute</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Hacking with session hijacking,Risk=100" groupRelation="and">
+				<CommandLine condition="contains">sesshijack</CommandLine>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=File Protocol Handler Execution" groupRelation="and">
+				<CommandLine condition="contains">file://</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=HTML APP Host" groupRelation="and">
+				<Description condition="end with">HTML Application host</Description>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Manager Profile Installer" groupRelation="and">
+				<Description condition="end with">Manager Profile Installer</Description>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Microsoft Application Virtualization Injector" groupRelation="and">
+				<Description condition="contains">Microsoft Application Virtualization Injector</Description>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=App Compat Database installer" groupRelation="and">
+				<Description condition="contains">Application Compatibility Database Installer</Description>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=LOLbin" groupRelation="and">
+				<Image condition="image">popd.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=LOLbin" groupRelation="and">
+				<Image condition="image">pushd.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=LOLbin" groupRelation="and">
+				<Image condition="image">subst.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=detect aliases" groupRelation="and">
+				<Image condition="image">doskey.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=detect cls in batch scripts" groupRelation="and">
+				<Image condition="image">cls.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=UNC\Device Launches - Image begins with \,Risk=10" groupRelation="and">
+				<Image condition="begin with">\</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=IIS Child Processes" groupRelation="and">
+				<ParentCommandLine condition="begin with">C:\Windows\system32\svchost.exe -k iissvcs</ParentCommandLine>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=UNC\Device Launches - Parent Image begins with \,Risk=10" groupRelation="and">
+				<ParentImage condition="begin with">\</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1059,DS=Process: Process Creation,Level=0,Desc=Process Spawned from Acrobat" groupRelation="and">
+				<ParentImage condition="image">acrobat.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=T1059,DS=Process: Process Creation,Level=0,Desc=Process Spawned from Adobe Reader" groupRelation="and">
+				<ParentImage condition="image">acrord32.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Process Spawned from JAVA" groupRelation="and">
+				<ParentImage condition="image">java.exe</ParentImage>
+				<ParentImage condition="excludes">C:\ProgramData\Cavelo\jre\bin\java.exe</ParentImage>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Process Spawned from JAVA" groupRelation="and">
+				<ParentImage condition="image">javaw.exe</ParentImage>
+			</Rule>
 			<!--Detection of Output Redirection-->
 			<!-- Disabled for now: Reason: Overrides other detections, waiting on Sysmon multiple rule firing
 			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Output Redirection" condition="contains">2></CommandLine>
@@ -2202,29 +2865,67 @@
 			<Rule  name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=SVCHost Processes" groupRelation="and">
 				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
 			</Rule>
-			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Permission Modifications with icacls or cacls" condition="image">cacls.exe</Image>
-			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Ownership Permission Modifications with takeown" condition="image">takeown.exe</Image>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
+			<Rule name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Permission Modifications with icacls or cacls" groupRelation="and">
+				<Image condition="image">cacls.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Ownership Permission Modifications with takeown" groupRelation="and">
+				<Image condition="image">takeown.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec" groupRelation="and">
+				<CommandLine condition="contains">/x Macro</CommandLine>
+			</Rule>
 			<Rule  name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
 				<CommandLine condition="contains">\pipe\</CommandLine>
 				<CommandLine condition="excludes">&gt;</CommandLine>
 			</Rule>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Execution from \\tsclient share" condition="contains">\\tsclient</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Processor ARCH command Line" condition="contains">%PROCESSOR_ARCHITECTURE%</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=SysNative detected" condition="contains">sysnative</CommandLine>
-			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=AutoIT Application Detected" condition="contains">AutoIt</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Windows Filter loader" condition="contains">Microsoft Filter Loader</Description> 
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=interactive command to slow output" condition="is">more.com</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Acrobat Reader Launches" condition="image">acrord32.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Gpupdate Launched" condition="image">gpupdate.exe</Image>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=System Child Processes" condition="is">System</ParentImage>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Suspicious Cmdline: RDP Port" groupRelation="and">
+				<CommandLine condition="contains">/noprofile</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Suspicious Cmdline: Schtasks" groupRelation="and">
+				<CommandLine condition="contains">/sc ONEVENT</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=Execution run from \\VBOXSVR share" groupRelation="and">
+				<CommandLine condition="contains">\\VBOXSVR</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=interactive command to slow output" groupRelation="and">
+				<CommandLine condition="contains">| more</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=interactive command to slow output" groupRelation="and">
+				<CommandLine condition="contains">|more</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Execution from \\tsclient share" groupRelation="and">
+				<CommandLine condition="contains">\\tsclient</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Processor ARCH command Line" groupRelation="and">
+				<CommandLine condition="contains">%PROCESSOR_ARCHITECTURE%</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=SysNative detected" groupRelation="and">
+				<CommandLine condition="contains">sysnative</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=AutoIT Application Detected" groupRelation="and">
+				<Description condition="contains">AutoIt</Description>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Windows Filter loader" groupRelation="and">
+				<Description condition="contains">Microsoft Filter Loader</Description>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=interactive command to slow output" groupRelation="and">
+				<Image condition="is">more.com</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=.Net Framework executables" groupRelation="and">
+				<Image condition="contains">:\Windows\Microsoft.NET\</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Acrobat Reader Launches" groupRelation="and">
+				<Image condition="image">acrord32.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Gpupdate Launched" groupRelation="and">
+				<Image condition="image">gpupdate.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=.Net Framework executables" groupRelation="and">
+				<ParentImage condition="contains">:\Windows\Microsoft.NET\</ParentImage>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=System Child Processes" groupRelation="and">
+				<ParentImage condition="is">System</ParentImage>
+			</Rule>
 			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Generic User Execution,Risk=0" groupRelation="and">
 				<ParentImage condition="image">explorer.exe</ParentImage>
 				<Image name="Allow other rules to fire" condition="excludes any">\regedit.exe;\cmd.exe;terminal;\powershell</Image>
@@ -2270,11 +2971,21 @@
 		<NetworkConnect onmatch="include">
 			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
 			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Census Network Connection,Risk=40" condition="contains">census</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=ResearchScan Network Connection,Risk=70" condition="contains">researchscan</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Scanhub Network Connection,Risk=70" condition="contains">scanhub</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Shadow Network Connection,Risk=50" condition="contains">shadow</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Shodan Network Connection,Risk=50" condition="contains">shodan</DestinationHostname>
+			<Rule name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Census Network Connection,Risk=40" groupRelation="and">
+				<DestinationHostname condition="contains">census</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=ResearchScan Network Connection,Risk=70" groupRelation="and">
+				<DestinationHostname condition="contains">researchscan</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Scanhub Network Connection,Risk=70" groupRelation="and">
+				<DestinationHostname condition="contains">scanhub</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Shadow Network Connection,Risk=50" groupRelation="and">
+				<DestinationHostname condition="contains">shadow</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Shodan Network Connection,Risk=50" groupRelation="and">
+				<DestinationHostname condition="contains">shodan</DestinationHostname>
+			</Rule>
 			<Rule name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Exchange 0day Attackers from September 2022,Risk=100" groupRelation="or">
 				<DestinationIp condition="is any">137.184.67.33;206.188.196.77;125.212.220.48;5.180.61.17;47.242.39.92;61.244.94.85;86.48.6.69;86.48.12.64;94.140.8.48;94.140.8.113;103.9.76.208;103.9.76.211;104.244.79.6;112.118.48.186;122.155.174.188;125.212.241.134;185.220.101.182;194.150.167.88;212.119.34.11</DestinationIp>
 				<DestinationIp condition="begin with">137.184.67.</DestinationIp>
@@ -2286,7 +2997,6 @@
 			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Kali Linux Distribution Download/Apt URL,Risk=90"  groupRelation="or">
 				<DestinationHostname condition="contains any">kali.download</DestinationHostname>
 			</Rule>
-			<DestinationHostname condition="contains">shodan</DestinationHostname>
 			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
 			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
 			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
@@ -2328,8 +3038,12 @@
 			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
 			<!--MITRE ATT&CK TECHNIQUE: Native API-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<Image name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,DS=Network Traffic: Network Connection Creation,Level=4,Alert=AT.EXE Task Scheduler Network Connection,Risk=30" condition="image">at.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,DS=Network Traffic: Network Connection Creation,Level=4,Alert=SCHTasks.exe Task Scheduler Network Connection,Risk=30" condition="image">schtasks.exe</Image>
+			<Rule name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,DS=Network Traffic: Network Connection Creation,Level=4,Alert=AT.EXE Task Scheduler Network Connection,Risk=30" groupRelation="and">
+				<Image condition="image">at.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,DS=Network Traffic: Network Connection Creation,Level=4,Alert=SCHTasks.exe Task Scheduler Network Connection,Risk=30" groupRelation="and">
+				<Image condition="image">schtasks.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
 			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
 			<!--MITRE ATT&CK TECHNIQUE: System Services-->
@@ -2399,25 +3113,63 @@
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from wwwroot folder: Possible webshell,Risk=100" groupRelation="and">
 				<Image condition="contains">\wwwroot\</Image>
 			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from Windows\repair Folder,Risk=70" condition="begin with">C:\Windows\repair\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from htdocs folder,Risk=70" condition="contains">\htdocs\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from systemprofile Folder,Risk=30" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from Intel logs,Risk=100" condition="begin with">C:\Intel\Logs\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from Windows\Addins Folder,Risk=70" condition="begin with">C:\Windows\addins\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from Windows\security Folder,Risk=100" condition="begin with">C:\Windows\security\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from windows help folder,Risk=70" condition="begin with">C:\Windows\Help\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Suspicious network connection from Recycle bin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection in Windows Debug folder,Risk=100" condition="begin with">C:\Windows\Debug\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection in Windows Font folder,Risk=100" condition="begin with">C:\Windows\Fonts\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Perflogs unusual network connection,Risk=70" condition="begin with">C:\PerfLogs\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Unusual network connection from Recycle bin,Risk=100" condition="contains">:\$Recycle.bin\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network Connection from Default User folder,Risk=30" condition="contains">:\Users\Default\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network Connection from NetworkService User folder,Risk=30" condition="begin with">C:\Users\NetworkService\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network connection from Public User folder,Risk=30" condition="begin with">C:\Users\Public\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network connection within Media Folder,Risk=30" condition="begin with">C:\Windows\Media\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Input Method Network Connection" condition="contains">\Windows\IME\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Programdata Network Connection" condition="begin with">C:\ProgramData</Image>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection in addins" groupRelation="and">
+				<Image condition="contains">\Windows\addins\</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from Windows\repair Folder,Risk=70" groupRelation="and">
+				<Image condition="begin with">C:\Windows\repair\</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from htdocs folder,Risk=70" groupRelation="and">
+				<Image condition="contains">\htdocs\</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from systemprofile Folder,Risk=30" groupRelation="and">
+				<Image condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from Intel logs,Risk=100" groupRelation="and">
+				<Image condition="begin with">C:\Intel\Logs\</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from Windows\Addins Folder,Risk=70" groupRelation="and">
+				<Image condition="begin with">C:\Windows\addins\</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from Windows\security Folder,Risk=100" groupRelation="and">
+				<Image condition="begin with">C:\Windows\security\</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from windows help folder,Risk=70" groupRelation="and">
+				<Image condition="begin with">C:\Windows\Help\</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Suspicious network connection from Recycle bin,Risk=100" groupRelation="and">
+				<Image condition="contains">$RECYCLE.BIN</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection in Windows Debug folder,Risk=100" groupRelation="and">
+				<Image condition="begin with">C:\Windows\Debug\</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection in Windows Font folder,Risk=100" groupRelation="and">
+				<Image condition="begin with">C:\Windows\Fonts\</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Perflogs unusual network connection,Risk=70" groupRelation="and">
+				<Image condition="begin with">C:\PerfLogs\</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Unusual network connection from Recycle bin,Risk=100" groupRelation="and">
+				<Image condition="contains">:\$Recycle.bin\</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network Connection from Default User folder,Risk=30" groupRelation="and">
+				<Image condition="contains">:\Users\Default\</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network Connection from NetworkService User folder,Risk=30" groupRelation="and">
+				<Image condition="begin with">C:\Users\NetworkService\</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network connection from Public User folder,Risk=30" groupRelation="and">
+				<Image condition="begin with">C:\Users\Public\</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network connection within Media Folder,Risk=30" groupRelation="and">
+				<Image condition="begin with">C:\Windows\Media\</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Input Method Network Connection" groupRelation="and">
+				<Image condition="contains">\Windows\IME\</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Programdata Network Connection" groupRelation="and">
+				<Image condition="begin with">C:\ProgramData</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
@@ -2435,19 +3187,29 @@
 			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
 			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
-			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=infDefaultInstall Network Connection" condition="image">infDefaultInstall.exe</Image>
-			<Image name="Attack=T1218,Technique=Control Panel,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Control Panel network connection" condition="image">SyncAppvPublishingServer.exe</Image>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=infDefaultInstall Network Connection" groupRelation="and">
+				<Image condition="image">infDefaultInstall.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=Control Panel,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Control Panel network connection" groupRelation="and">
+				<Image condition="image">SyncAppvPublishingServer.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Installutil-->
-			<Image name="Attack=T1218.004,Technique=InstallUtil,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=InstallUtil network connection" condition="image">InstallUtil.exe</Image>
+			<Rule name="Attack=T1218.004,Technique=InstallUtil,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=InstallUtil network connection" groupRelation="and">
+				<Image condition="image">InstallUtil.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Msiexec-->
-			<Image name="Attack=T1218.007,Technique=MSIExec,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=MSIExec Network connection,Risk=70" condition="image">msiexec.exe</Image>
+			<Rule name="Attack=T1218.007,Technique=MSIExec,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=MSIExec Network connection,Risk=70" groupRelation="and">
+				<Image condition="image">msiexec.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvcs/regasm-->
 			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Network Traffic: Network Connection Creation,Level=4,Alert=RegAsm shellcode C2 connection" groupRelation="and">
 				<Image condition="contains any">regasm.exe;regsvcs.exe</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Mavinject-->
-			<Image name="Attack=T1218.013,Technique=Signed Binary Proxy Execution: Mavinject,Tactic=Execution,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Mavinject detected,Risk=80" condition="image">Mavinject.exe</Image>
+			<Rule name="Attack=T1218.013,Technique=Signed Binary Proxy Execution: Mavinject,Tactic=Execution,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Mavinject detected,Risk=80" groupRelation="and">
+				<Image condition="image">Mavinject.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
 			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
@@ -2491,7 +3253,9 @@
 			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
 			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
-			<Image name="Attack=T1482,Technique=Domain Trust Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DSQuery network connection" condition="image">dsquery.exe</Image>
+			<Rule name="Attack=T1482,Technique=Domain Trust Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DSQuery network connection" groupRelation="and">
+				<Image condition="image">dsquery.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
@@ -2504,17 +3268,29 @@
 			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
 			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
-			<Image name="Attack=T1518,Technique=Software Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DriverQuery Network Connection" condition="image">driverquery.exe</Image>
+			<Rule name="Attack=T1518,Technique=Software Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DriverQuery Network Connection" groupRelation="and">
+				<Image condition="image">driverquery.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
-			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=4,Alert=NBTSTAT Query,Risk=30" condition="image">nbtstat.exe</Image>
+			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=4,Alert=NBTSTAT Query,Risk=30" groupRelation="and">
+				<Image condition="image">nbtstat.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
-			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net.exe</Image>
-			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net1.exe</Image>
+			<Rule name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=net.exe nework connection,Risk=30" groupRelation="and">
+				<Image condition="image">net.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=net.exe nework connection,Risk=30" groupRelation="and">
+				<Image condition="image">net1.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
-			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=2,Alert=QWinsta User enumeration,Risk=30" condition="image">qwinsta.exe</Image>
-			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=3,Alert=RWinsta Forced User Logoff,Risk=30" condition="image">rwinsta.exe</Image>
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=2,Alert=QWinsta User enumeration,Risk=30" groupRelation="and">
+				<Image condition="image">qwinsta.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=3,Alert=RWinsta Forced User Logoff,Risk=30" groupRelation="and">
+				<Image condition="image">rwinsta.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
@@ -2552,6 +3328,9 @@
 				<Image condition="excludes">svchost.exe</Image>
 				<Image condition="excludes">thor64.exe</Image>
 				<Image condition="excludes">thor.exe</Image>
+				<Image condition="excludes">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</Image>
+				<Image condition="excludes">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe</Image>
+				<Image condition="excludes">SentinelRanger.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Suspicious RDP Connection 3391,Risk=70" groupRelation="and">
 				<Initiated>true</Initiated>
@@ -2585,6 +3364,7 @@
 				<Initiated>true</Initiated>
 				<DestinationPort condition="is">3389</DestinationPort>
 				<DestinationIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</DestinationIp>
+				<Image condition="excludes">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Link-Local RDP Tunnel Detection,Risk=70" groupRelation="and">
 				<Initiated>true</Initiated>
@@ -2600,25 +3380,63 @@
 			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=PSFTP Connection,Risk=70" groupRelation="and">
 				<Image condition="image">psftp.exe</Image>
 			</Rule>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote Registry via command line,Risk=30" condition="image">reg.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote Registry via command line,Risk=80" condition="contains">psshutdown</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote password change with PSPasswd,Risk=80" condition="contains">PsPasswd</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote querying of services,Risk=80" condition="contains">psservice</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=SSH Connection with ssh.exe,Risk=30" condition="image">ssh.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Sysinternals PSEXE Tools,Risk=100" condition="contains">psexe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=TSFTP Connection,Risk=70" condition="image">tftp.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Telnet Connection,Risk=30" condition="image">telnet.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=MSTSC Remote Desktop Connection" condition="image">mstsc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Remote WMIC commands,Risk=30" condition="image">wmic.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=SC.exe Network Connection" condition="image">sc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Sysinternals PSKILL Tools,Risk=80" condition="contains">pskill</Image>
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DSQuery network connection" condition="image">dsquery.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Automated SSH Connection with Putty PLink,Risk=30" condition="image">plink.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=VNC" condition="image">vnc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=VNC Viewer" condition="image">vncviewer.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=VNC Service" condition="image">vncservice.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation" condition="image">omniinet.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation" condition="image">hpsmhd.exe</Image>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote Registry via command line,Risk=30" groupRelation="and">
+				<Image condition="image">reg.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote Registry via command line,Risk=80" groupRelation="and">
+				<Image condition="contains">psshutdown</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote password change with PSPasswd,Risk=80" groupRelation="and">
+				<Image condition="contains">PsPasswd</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote querying of services,Risk=80" groupRelation="and">
+				<Image condition="contains">psservice</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=SSH Connection with ssh.exe,Risk=30" groupRelation="and">
+				<Image condition="image">ssh.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Sysinternals PSEXE Tools,Risk=100" groupRelation="and">
+				<Image condition="contains">psexe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=TSFTP Connection,Risk=70" groupRelation="and">
+				<Image condition="image">tftp.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Telnet Connection,Risk=30" groupRelation="and">
+				<Image condition="image">telnet.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=MSTSC Remote Desktop Connection" groupRelation="and">
+				<Image condition="image">mstsc.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Remote WMIC commands,Risk=30" groupRelation="and">
+				<Image condition="image">wmic.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=SC.exe Network Connection" groupRelation="and">
+				<Image condition="image">sc.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Sysinternals PSKILL Tools,Risk=80" groupRelation="and">
+				<Image condition="contains">pskill</Image>
+			</Rule>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DSQuery network connection" groupRelation="and">
+				<Image condition="image">dsquery.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Automated SSH Connection with Putty PLink,Risk=30" groupRelation="and">
+				<Image condition="image">plink.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=VNC" groupRelation="and">
+				<Image condition="image">vnc.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=VNC Viewer" groupRelation="and">
+				<Image condition="image">vncviewer.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=VNC Service" groupRelation="and">
+				<Image condition="image">vncservice.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation" groupRelation="and">
+				<Image condition="image">omniinet.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation" groupRelation="and">
+				<Image condition="image">hpsmhd.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
 			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
 			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
@@ -2665,22 +3483,42 @@
 				<Image condition="image">powershell.exe</Image>
 				<DestinationIp condition="excludes any">0:0:0:0:0:0:0:;127.0.0.1</DestinationIp>
 			</Rule>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=MSHTA Network Connection,Risk=100" condition="image">mshta.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=CMD Prompt network Connection,Risk=20" condition="image">cmd.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Certutil Connecting to network,Risk=20" condition="image">certutil.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Bitsadmin Connecting to network,Risk=20" condition="image">certutil.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Notepad Network Connection" condition="image">notepad.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=RegSVCS Network Connection,Risk=30" condition="image">regsvcs.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=RegSVR32 Network Connection,Risk=30" condition="image">regsvr32.exe</Image> 
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=RunDLL32 Network Connection,Risk=30" condition="image">rundll32.exe</Image>
+			<Rule name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=MSHTA Network Connection,Risk=100" groupRelation="and">
+				<Image condition="image">mshta.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=CMD Prompt network Connection,Risk=20" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Certutil Connecting to network,Risk=20" groupRelation="and">
+				<Image condition="image">certutil.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Bitsadmin Connecting to network,Risk=20" groupRelation="and">
+				<Image condition="image">bitsadmin.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Notepad Network Connection" groupRelation="and">
+				<Image condition="image">notepad.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=RegSVCS Network Connection,Risk=30" groupRelation="and">
+				<Image condition="image">regsvcs.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=RegSVR32 Network Connection,Risk=30" groupRelation="and">
+				<Image condition="image">regsvr32.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=RunDLL32 Network Connection,Risk=30" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
 			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
 			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
 			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
 			<!--MITRE ATT&CK TECHNIQUE: Proxy: Multi-hop Proxy-->
-			<Image name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Tor Connection" condition="image">tor.exe</Image>
-			<DestinationHostname name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Tor2Web,Risk=100" condition="contains any">hiddenservice.net;onion.city;onion.direct;onion.direct;onion.link;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org;onion.to</DestinationHostname>
+			<Rule name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Tor Connection" groupRelation="and">
+				<Image condition="image">tor.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Tor2Web,Risk=100" groupRelation="and">
+				<DestinationHostname condition="contains any">hiddenservice.net;onion.city;onion.direct;onion.direct;onion.link;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org;onion.to</DestinationHostname>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
 			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
 			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
@@ -2689,16 +3527,25 @@
 			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
 			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DNS Over HTTPS" condition="contains any">dns.google;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;doh.opendns.com;.quad9.net;dns.cleanbrowsing.org;dns-family.adguard.com;dns.adguard.com;.233py.com;dnscrypt;dnscrypt-cert.oszx.co;dns.oszx.co;doh.dns.sb;doh.defaultroutes.de;doh.tiarap.org;doh.tiar.app;doh.captnemo.in;.aaflalo.me;doh.appliedprivacy.net;doh.dnswarden.com;commons.host;dns.twnic.tw;ibuki.cgnat.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;.seby.io;rdns.faelix.net;doh.li;.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk;adblock.mydns.network;ibksturm.synology.me;jcdns.fun</DestinationHostname>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DNS Over HTTPS" groupRelation="and">
+				<DestinationHostname condition="contains any">dns.google;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;doh.opendns.com;.quad9.net;dns.cleanbrowsing.org;dns-family.adguard.com;dns.adguard.com;.233py.com;dnscrypt;dnscrypt-cert.oszx.co;dns.oszx.co;doh.dns.sb;doh.defaultroutes.de;doh.tiarap.org;doh.tiar.app;doh.captnemo.in;.aaflalo.me;doh.appliedprivacy.net;doh.dnswarden.com;commons.host;dns.twnic.tw;ibuki.cgnat.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;.seby.io;rdns.faelix.net;doh.li;.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk;adblock.mydns.network;ibksturm.synology.me;jcdns.fun</DestinationHostname>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
 			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Desc=privatlab.com Cloud Exfiltration" condition="contains all">privatlab.com</DestinationHostname>
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Mega.co.nz Cloud Exfiltration" condition="contains any">mega.nz;mega.co.nz</DestinationHostname>
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=3,Alert=PCloud Cloud storage Exfiltration" condition="contains any">.pcloud.com</DestinationHostname>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Desc=privatlab.com Cloud Exfiltration" groupRelation="and">
+				<DestinationHostname condition="contains all">privatlab.com</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Mega.co.nz Cloud Exfiltration" groupRelation="and">
+				<DestinationHostname condition="contains any">mega.nz;mega.co.nz</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=3,Alert=PCloud Cloud storage Exfiltration" groupRelation="and">
+				<DestinationHostname condition="contains any">.pcloud.com</DestinationHostname>
+			</Rule>
+			
 			<!--MITRE ATT&CK TACTIC: Impact-->
 			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
 			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
@@ -2711,7 +3558,9 @@
 			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
 			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" groupRelation="and">
+				<DestinationHostname condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<!--UEBA Rules-->
@@ -2758,8 +3607,12 @@
 				<DestinationPort condition="is not">443</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Connection to Github,Risk=30" condition="contains">github</DestinationHostname> 
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Connection to Github,Risk=30" condition="contains">githubusercontent.com</DestinationHostname>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Connection to Github,Risk=30" groupRelation="and">
+				<DestinationHostname condition="contains">github</DestinationHostname>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Connection to Github,Risk=30" groupRelation="and">
+				<DestinationHostname condition="contains">githubusercontent.com</DestinationHostname>
+			</Rule>
 			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Alert=Dropbox Cloud Exfiltration" groupRelation="and">
 				<DestinationHostname condition="end with">dropboxapi.com</DestinationHostname>
 				<Image condition="excludes any">\Dropbox\Client\Dropbox.exe;\Dropbox\bin\Dropbox.exe;\Oracle\Java\</Image>
@@ -2778,10 +3631,10 @@
 			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Privatlab Cloud Exfiltration" groupRelation="and">
 				<DestinationHostname condition="contains any">privatlab.com</DestinationHostname>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Social Networking" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Social Networking" groupRelation="and">
 				<DestinationHostname condition="contains any">tiktok;parler.com;gab.com;mewe.com;4chan;8chan;facebook;fbcdn;twitter;instagram;snapchat</DestinationHostname>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Internet Relay Chat,Risk=70" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Internet Relay Chat,Risk=70" groupRelation="and">
 				<DestinationHostname condition="contains any">efnet;undernet;freenode;ircnet;.rizon;quakenet;oftc.net;dalnet</DestinationHostname>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Internet Chat,Risk=20" groupRelation="and">
@@ -2818,52 +3671,110 @@
 				<Image condition="image">inetinfo.exe</Image>
 			</Rule>
 			<!--3rd Party tools-->
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Netcat network connection Detected" condition="contains any">netcat.exe;nc.exe;nc64.exe;ncat.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Procdump Detected" condition="contains any">procdump</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=PSExec Network Connection" condition="contains any">psexe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC Network Connection" condition="contains any">vnc;vncs;vncv</Image>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Netcat network connection Detected" groupRelation="and">
+				<Image condition="contains any">netcat.exe;nc.exe;nc64.exe;ncat.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Procdump Detected" groupRelation="and">
+				<Image condition="contains any">procdump</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=PSExec Network Connection" groupRelation="and">
+				<Image condition="contains any">psexe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC Network Connection" groupRelation="and">
+				<Image condition="contains any">vnc;vncs;vncv</Image>
+			</Rule>
 			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
 				<Image condition="contains any">rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe;advanced_port_scanner.exe;rcpping.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe</Image>
 			</Rule>
 			<!--Destination Ports to Monitor-->
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Port: 0" condition="is">0</DestinationPort>
-			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5985</DestinationPort>
-			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5986</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=IPSec" condition="is">1293</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=L2TP" condition="is">1701</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=OpenVPN,Risk=39" condition="is">1194</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Remote Assistance Connection,Risk=20" condition="is">3540</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Remote Desktop Connection,Risk=20" condition="is">3389</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=SSH Port,Risk=30" condition="is">22</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Socks Proxy Port 1080" condition="is">1080</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Socks Proxy Port 3128" condition="is">3128</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Socks Proxy Port 8080" condition="is">8080</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=TOR Port" condition="is">1723</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Telnet Port,Risk=30" condition="is">23</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Tor Port" condition="is">4500</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Tor Port,Risk=50" condition="is">9001</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Tor Port,Risk=50" condition="is">9030</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC Port" condition="is">5900</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC,Risk=50" condition="is">5800</DestinationPort>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Port: 0" groupRelation="and">
+				<DestinationPort condition="is">0</DestinationPort>
+			</Rule>
+			<Rule name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Powershell Remoting,Risk=0" groupRelation="and">
+				<DestinationPort condition="is">5985</DestinationPort>
+			</Rule>
+			<Rule name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Powershell Remoting,Risk=0" groupRelation="and">
+				<DestinationPort condition="is">5986</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=IPSec" groupRelation="and">
+				<DestinationPort condition="is">1293</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=L2TP" groupRelation="and">
+				<DestinationPort condition="is">1701</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=OpenVPN,Risk=39" groupRelation="and">
+				<DestinationPort condition="is">1194</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Remote Assistance Connection,Risk=20" groupRelation="and">
+				<DestinationPort condition="is">3540</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Remote Desktop Connection,Risk=20" groupRelation="and">
+				<DestinationPort condition="is">3389</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=SSH Port,Risk=30" groupRelation="and">
+				<DestinationPort condition="is">22</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Socks Proxy Port 1080" groupRelation="and">
+				<DestinationPort condition="is">1080</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Socks Proxy Port 3128" groupRelation="and">
+				<DestinationPort condition="is">3128</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Socks Proxy Port 8080" groupRelation="and">
+				<DestinationPort condition="is">8080</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=TOR Port" groupRelation="and">
+				<DestinationPort condition="is">1723</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Telnet Port,Risk=30" groupRelation="and">
+				<DestinationPort condition="is">23</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Tor Port" groupRelation="and">
+				<DestinationPort condition="is">4500</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Tor Port,Risk=50" groupRelation="and">
+				<DestinationPort condition="is">9001</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Tor Port,Risk=50" groupRelation="and">
+				<DestinationPort condition="is">9030</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC Port" groupRelation="and">
+				<DestinationPort condition="is">5900</DestinationPort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC,Risk=50" groupRelation="and">
+				<DestinationPort condition="is">5800</DestinationPort>
+			</Rule>
 			<!--Source Ports to Monitor-->
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Port: 0" condition="is">0</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTP" condition="is">80</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTPS" condition="is">443</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=LDAPS" condition="is">636</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC" condition="is">5900</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTPS" condition="is">443</SourcePort>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Port: 0" groupRelation="and">
+				<SourcePort condition="is">0</SourcePort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTP" groupRelation="and">
+				<SourcePort condition="is">80</SourcePort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTPS" groupRelation="and">
+				<SourcePort condition="is">443</SourcePort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=LDAPS" groupRelation="and">
+				<SourcePort condition="is">636</SourcePort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC" groupRelation="and">
+				<SourcePort condition="is">5900</SourcePort>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTPS" groupRelation="and">
+				<SourcePort condition="is">443</SourcePort>
+			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Web Browser HTTP Connections" groupRelation="and">
 				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe</Image>
 				<DestinationPort condition="is">80</DestinationPort>
 				<Initiated>true</Initiated>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Non-Browsers Accessing HTTPS" groupRelation="and">
-				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
+				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;C:\Program Files\Cavelo\Cavelo Agent\cavelo_windows_amd64.exe;C:\PROGRA~2\BEANYW~1\GETSUP~1\TCIntegratorCommHelper.exe;C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe;C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupSrvc.exe</Image>
 				<DestinationPortName condition="is">https</DestinationPortName>
 				<Initiated>true</Initiated>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Non-Browsers Accessing HTTP" groupRelation="and">
-				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
+				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe</Image>
 				<DestinationPortName condition="is">http</DestinationPortName>
 				<Initiated>true</Initiated>
 			</Rule>
@@ -2873,7 +3784,9 @@
 				<Initiated>true</Initiated>
 			</Rule>
 			<!--Suspicious network connections-->
-			<DestinationHostname name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Dynamic DNS Connection" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</DestinationHostname>
+			<Rule name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Dynamic DNS Connection" groupRelation="and">
+				<DestinationHostname condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</DestinationHostname>
+			</Rule>
 		</NetworkConnect>
 	</RuleGroup>
 	<RuleGroup name="RG=NetworkConnect Exclude Group" groupRelation="or">
@@ -3016,6 +3929,7 @@
 				<Image condition="begin with">C:\Program Files\Kaspersky Lab</Image>
 				<Image condition="begin with">C:\Program Files (x86)\ESET</Image>
 				<Image condition="begin with">C:\Program Files\ESET</Image>
+				<Image condition="begin with">C:\Program Files\SentinelOne</Image>
 			</Rule>
 		</NetworkConnect>
 	</RuleGroup>
@@ -3061,27 +3975,41 @@
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in ProgramData Directory" groupRelation="and">
 				<Image condition="begin with">C:\ProgramData\</Image>
-				<Image condition="excludes any">C:\ProgramData\sysmon\sysmon64.exe;C:\ProgramData\sysmon\sysmon.exe</Image>
+				<Image condition="excludes any">C:\ProgramData\sysmon\sysmon64.exe;C:\ProgramData\sysmon\sysmon.exe;C:\ProgramData\Cavelo\jre\bin\java.exe</Image>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in Program Files Directories" groupRelation="and">
 				<Image condition="contains any">C:\Program Files;C:\PROGRA~</Image>
+				<Image condition="not begin with">C:\Program Files\SentinelOne\</Image>
+				<Image condition="excludes any">C:\Program Files (x86)\N-Able Technologies\AutomationManagerEngine\2.70.0.4\AutomationManager.ScriptRunner64.exe;C:\PROGRA~2\BEANYW~1\GETSUP~1\TCIntegratorCommHelper.exe;C:\Program Files\Cavelo\Cavelo Agent\osqueryi.exe;C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\NASafeExec.exe</Image>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in inetpub Directories" groupRelation="and">
 				<Image condition="begin with">C:\inetpub\</Image>
 			</Rule>
 		<!-- Useful data in building infection timelines.-->
-			<Image name="Attack=T1036,Tactic=Masquerading,Technique=Defense Evasion,DS=Process: Process Termination,Level=4,Alert=Process Termination in Recyclebin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
-			<Image name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,DS=Process: Process Termination,Level=0,Desc=Process Terminate: Killing of Log Shippers" condition="contains any">packetbeat.exe;metricbeat.exe;filebeat.exe;winlogbeat.exe;o365beat.exe;graylog-sidecar.exe;graylog-collector-sidecar.exe;splunkd.exe;splunk.exe;syslogng.exe;syslog-ng.exe;nxlog-processor.exe;snarecore.exe;fluentd;td-agent</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\sysWOW64\config\systemprofile\</Image>
-			<Image condition="contains">\Temp\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=User Process Terminations" condition="contains">C:\Users\</Image>
-		</ProcessTerminate>
-	</RuleGroup>
-	<RuleGroup name="RG=ProcessTerminate Exclude Group" groupRelation="or">
-			<ProcessTerminate onmatch="exclude">
-			<Image condition="end with">Microsoft\Teams\current\Teams.exe</Image>
-			<Image condition="end with">\git.exe</Image>
+			<Rule name="Attack=T1036,Tactic=Masquerading,Technique=Defense Evasion,DS=Process: Process Termination,Level=4,Alert=Process Termination in Recyclebin,Risk=100" groupRelation="and">
+				<Image condition="contains">$RECYCLE.BIN</Image>
+			</Rule>
+			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,DS=Process: Process Termination,Level=0,Desc=Process Terminate: Killing of Log Shippers" groupRelation="and">
+				<Image condition="contains any">packetbeat.exe;metricbeat.exe;filebeat.exe;winlogbeat.exe;o365beat.exe;graylog-sidecar.exe;graylog-collector-sidecar.exe;splunkd.exe;splunk.exe;syslogng.exe;syslog-ng.exe;nxlog-processor.exe;snarecore.exe;fluentd;td-agent;lpagent.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination in System Profile" groupRelation="and">
+				<Image condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination in System Profile" groupRelation="and">
+				<Image condition="begin with">C:\Windows\sysWOW64\config\systemprofile\</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination in Temp Folder" groupRelation="and">
+				<Image condition="contains">\Temp\</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=User Process Terminations" groupRelation="and">
+				<Image condition="contains">C:\Users\</Image>
+			</Rule>
+		</ProcessTerminate>
+	</RuleGroup>
+	<RuleGroup name="RG=ProcessTerminate Exclude Group" groupRelation="or">
+			<ProcessTerminate onmatch="exclude">
+			<Image condition="end with">Microsoft\Teams\current\Teams.exe</Image>
+			<Image condition="end with">\git.exe</Image>
 			<Image condition="end with">Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Image>
 			<Image condition="begin with">C:\ProgramData\Lenovo\ImController\</Image>
 		</ProcessTerminate>
@@ -3095,19 +4023,45 @@
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Driver: Driver Load,Level=4,Alert=Vulnerable Dell Drivers Detected,Risk=100" groupRelation="and">
 				<Hashes condition="contains any">0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5;c948ae14761095e4d76b55d9de86412258be7afd;c996d7971c49252c582171d9380360f2;ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1;10b30bdee43b3a2ec4aa63375577ade650269d25;d2fd132ab7bbc6bbb87a84f026fa0244</Hashes><!-- exclude non executable files -->
 			</Rule>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=DumpExt.dll driver loaded,Risk=100" condition="contains">DumpExt.dll</ImageLoaded>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=Mimikatz driver loaded,Risk=100" condition="contains">mimidrv</ImageLoaded>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=PWDump6 driver loaded,Risk=100" condition="contains">lsremora</ImageLoaded>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=wceaux.dll driver loaded,Risk=100" condition="contains">wceaux.dll</ImageLoaded>
-			<ImageLoaded name="Attack=T1040,Tactic=Discovery,Technique=Network Sniffing,DS=Driver: Driver Load,Level=4,Alert=NPCap packet capture driver loaded,Risk=100" condition="contains">npcap</ImageLoaded>
-			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Driver Loaded in Temp" condition="contains">\Temp</ImageLoaded>
-			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Driver Loaded in Users Directories" condition="contains">:\Users</ImageLoaded>
-			<Signature name="Attack=T1019,Technique=System Firmware,Tactic=Persistence,DS=Driver: Driver Load,Level=4,Alert=UEFI Rootkit detection,Risk=100" condition="contains">ChongKim Chan</Signature>
-			<SignatureStatus condition="contains">?</SignatureStatus>
-			<SignatureStatus condition="contains">Revoked</SignatureStatus>
-			<SignatureStatus condition="contains">Unavailable</SignatureStatus>
-			<SignatureStatus condition="contains">Valid</SignatureStatus>
-			<Signed name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Unsigned Driver loaded into Kernel" condition="contains">false</Signed>
+			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=DumpExt.dll driver loaded,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains">DumpExt.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=Mimikatz driver loaded,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains">mimidrv</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=PWDump6 driver loaded,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains">lsremora</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=wceaux.dll driver loaded,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains">wceaux.dll</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1040,Tactic=Discovery,Technique=Network Sniffing,DS=Driver: Driver Load,Level=4,Alert=NPCap packet capture driver loaded,Risk=100" groupRelation="and">
+				<ImageLoaded condition="contains">npcap</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Driver Loaded in Temp" groupRelation="and">
+				<ImageLoaded condition="contains">\Temp</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Driver Loaded in Users Directories" groupRelation="and">
+				<ImageLoaded condition="contains">:\Users</ImageLoaded>
+			</Rule>
+			<Rule name="Attack=T1019,Technique=System Firmware,Tactic=Persistence,DS=Driver: Driver Load,Level=4,Alert=UEFI Rootkit detection,Risk=100" groupRelation="and">
+				<Signature condition="contains">ChongKim Chan</Signature>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Unknown Signature Driver Loaded" groupRelation="and">
+				<SignatureStatus condition="contains">?</SignatureStatus>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Revoked Signature Driver Loaded" groupRelation="and">
+				<SignatureStatus condition="contains">Revoked</SignatureStatus>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Unavailable Signature Driver Loaded" groupRelation="and">
+				<SignatureStatus condition="contains">Unavailable</SignatureStatus>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Valid Signature Driver Loaded" groupRelation="and">
+				<SignatureStatus condition="contains">Valid</SignatureStatus>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Unsigned Driver Loaded" groupRelation="and">
+				<Signed condition="contains">false</Signed>
+			</Rule>
 			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Driver: Driver Load,Level=4,Alert=Vulnerable Driver Loaded,Risk=100,Author=Nasreddine Bencherchali,Risk=75" groupRelation="or">
 				<!--# List below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT-->
 				<Hashes condition="contains">SHA1=2261198385d62d2117f50f631652eded0ecc71db</Hashes>
@@ -3632,10 +4586,13 @@
 			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Module: Module Load,Level=2,Alert=Windows Active Directory Services DLL Loading in Susicious Directories,Risk=100" groupRelation="and">
 				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
 				<Image condition="contains any">C:\Users;\Temp\;\ProgramData\</Image>
+				<Image condition="excludes">ConnectWise.exe</Image>
+				<Image condition="excludes">\MSP Anywhere for N-central\Viewer\tkcuploader.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Module: Module Load,Level=2,Alert=Windows Active Directory Services DLL Loading by Suspicious Process,Risk=100" groupRelation="and">
 				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
 				<Image condition="contains any">\wscript.exe;\cscript.exe;\powershell.exe;\powershell_ise.exe;\rundll32.exe;\msbuild.exe;\csc.exe</Image>
+				<FileVersion condition="excludes">6.3.9600.20566 (winblue_ltsb_escrow.220812-1741)</FileVersion>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=VBE6 Macro Image Loads with wshom,Risk=40" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
@@ -3673,6 +4630,7 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Powershell Not Loading AMSI.dll" groupRelation="and">
 				<Image condition="excludes">powershell</Image>
 				<ImageLoaded condition="end with">amsi.dll</ImageLoaded>
+				<Image condition="excludes any">C:\Program Files (x86)\N-Able Technologies\AutomationManagerEngine\2.70.0.4\AutomationManager.ScriptRunner64.exe;C:\Program Files\Cavelo\Cavelo Agent\osqueryi.exe;C:\Program Files (x86)\Duo Device Health\Duo Device Health.exe</Image>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=1,Desc=Monitor logoncli.dll dll loads for injection - potential qbot activity" groupRelation="and">
 				<ImageLoaded condition="end with">logoncli.dll</ImageLoaded>
@@ -3705,6 +4663,7 @@
 				<ImageLoaded condition="end with">System.Management.Automation.dll</ImageLoaded>
 				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
 				<ImageLoaded condition="excludes any">Lenovo.Vantage.AddinHost;\Microsoft.Sara.exe;C:\Program Files\CONEXANT</ImageLoaded>
+				<Image condition="excludes any">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe;C:\Program Files (x86)\N-able Technologies\AutomationManagerAgent\AutomationManager.AgentService.exe</Image>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Credential Manager DLL Loaded" groupRelation="and">
 				<ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded>
@@ -3730,6 +4689,7 @@
 			</Rule>
 			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Module: Module Load,Level=0,Desc=Cred Dumping,Risk=90" groupRelation="and">
 				<ImageLoaded condition="is any">C:\Windows\System32\WinSCard.dll;C:\Windows\System32\cryptdll.dll;C:\Windows\System32\hid.dll;C:\Windows\System32\samlib.dll;C:\Windows\System32\vaultcli.dll</ImageLoaded>
+				<Image condition="excludes any">C:\Program Files\Cavelo\Cavelo Agent\osqueryi.exe;C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Module: Module Load,Level=0,Desc=Mimikatz Cred Dumping,Risk=100" groupRelation="and">
 				<Image condition="image">rundll32.exe</Image>
@@ -3757,9 +4717,10 @@
 				<ImageLoaded condition="begin with">C:\ProgramData\</ImageLoaded>
 				<ImageLoaded condition="end with">.exe</ImageLoaded>
 				<Company condition="excludes">Adobe</Company>
-				<Image condition="excludes">C:\ProgramData\Lenovo\</Image>
+				<Image condition="excludes any">C:\ProgramData\Lenovo\;C:\ProgramData\Cavelo\jre\bin\java.exe</Image>
 				<ImageLoaded condition="excludes">C:\ProgramData\Microsoft\Windows Defender\</ImageLoaded>
 				<ImageLoaded condition="excludes">C:\ProgramData\sysmon\sysmon64.exe</ImageLoaded>
+				<ImageLoaded condition="excludes">C:\ProgramData\sysmon\sysmon.exe</ImageLoaded>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Module: Module Load,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
 				<ImageLoaded condition="contains any">C:\Users\Default\;C:\Users\Public\</ImageLoaded>
@@ -3827,6 +4788,7 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=1,Desc=Signed Global Assembly Cache Load" groupRelation="and">
 				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
 				<Signed condition="is">true</Signed>
+				<Image condition="excludes any">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe;C:\Program Files (x86)\N-able Technologies\AutomationManagerAgent\AutomationManager.AgentService.exe;C:\Program Files (x86)\Duo Device Health\Duo Device Health.exe</Image>
 			</Rule>
 		</ImageLoad>
 	</RuleGroup>
@@ -3950,10 +4912,18 @@
 				<SourceImage condition="image">c:\windows\system32\csrss.exe</SourceImage>
 				<StartFunction condition="contains">CrtlRoutine</StartFunction>
 			</Rule>
-			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=4,Alert=Cobalt Strike Detected 1,Risk=100" condition="end with">0B80</StartAddress>
-			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=4,Alert=Cobalt Strike Detected 2,Risk=100" condition="end with">0C7C</StartAddress>
-			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=4,Alert=Cobalt Strike Detected 3,Risk=100" condition="end with">0C88</StartAddress>
-			<TargetImage name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=0,Desc=Remote Desktop injection,Risk=30" condition="image">c:\windows\system32\mstsc.exe</TargetImage>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=4,Alert=Cobalt Strike Detected 1,Risk=100" groupRelation="and">
+				<StartAddress condition="end with">0B80</StartAddress>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=4,Alert=Cobalt Strike Detected 2,Risk=100" groupRelation="and">
+				<StartAddress condition="end with">0C7C</StartAddress>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=4,Alert=Cobalt Strike Detected 3,Risk=100" groupRelation="and">
+				<StartAddress condition="end with">0C88</StartAddress>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=0,Desc=Remote Desktop injection,Risk=30" groupRelation="and">
+				<TargetImage condition="image">c:\windows\system32\mstsc.exe</TargetImage>
+			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Modification,Alert=Potentially Detect EtwEventWrite Tampering with remote threads" groupRelation="and">
 				<StartModule condition="is">C:\WINDOWS\SYSTEM32\ntdll.dll</StartModule>
 				<StartFunction condition="contains">EtwEventWrite</StartFunction>
@@ -4056,6 +5026,7 @@
 				<TargetImage condition="image">C:\Windows\system32\winlogon.exe</TargetImage>
 				<GrantedAccess>0x1F3FFF</GrantedAccess>
 				<CallTrace condition="contains any">C:\Windows\Microsoft.NET;UNKNOWN</CallTrace>
+				<SourceImage condition="excludes">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</SourceImage>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Suspicious Process Accessing Sysmon,Risk=50" groupRelation="and">
 				<SourceImage condition="end with">.exe</SourceImage>
@@ -4102,6 +5073,7 @@
 				<CallTrace condition="contains">System.Management.Automation</CallTrace>
 				<CallTrace condition="excludes">C:\ProgramData\Microsoft\Windows Defender\platform\</CallTrace>
 				<CallTrace condition="excludes">ctiuser.dll</CallTrace>
+				<SourceImage condition="excludes">AutomationManager.ScriptRunner64.exe</SourceImage>
 				<SourceImage condition="is not">C:\Program Files\Citrix\ConfigSync\ConfigSyncRun.exe</SourceImage>
 				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V14\bin\ExSetupUI.exe</SourceImage>
 				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetupUI.exe</SourceImage>
@@ -4142,14 +5114,17 @@
 				<TargetImage condition="excludes">C:\WINDOWS\system32\sihost.exe</TargetImage>
 				<TargetImage condition="excludes">C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub</TargetImage>
 			</Rule>
-			<CallTrace name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" groupRelation="and">
+				<CallTrace condition="begin with">UNKNOWN</CallTrace>
+			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
 				<CallTrace condition="contains">|UNKNOWN(</CallTrace>
 				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
 				<CallTrace condition="contains">|C:\WINDOWS\System32\KERNELBASE.dll+</CallTrace>
 				<CallTrace condition="end with">)</CallTrace>
+				<CallTrace condition="excludes">C:\Program Files\SentinelOne\</CallTrace>
 				<GrantedAccess condition="contains any">0x1028;0x1fffff</GrantedAccess>
-				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git;\Intel\Driver and Support Assistant\DSAService.exe</SourceImage>
+				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git;\Intel\Driver and Support Assistant\DSAService.exe;C:\Program Files (x86)\N-able Technologies\AutomationManagerAgent\;C:\Program Files (x86)\MspPlatform\RequestHandlerAgent\RequestHandlerAgent.exe;C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe;C:\ProgramData\Cavelo\jre\bin\java.exe;C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe;C:\Program Files\Cavelo\Cavelo Agent\parser.exe</SourceImage>
 				<SourceImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\NGenTask.exe</SourceImage>
 				<TargetImage condition="excludes any">\Intel\Driver and Support Assistant\</TargetImage>
 				<TargetImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\ngen.exe</TargetImage>
@@ -4169,23 +5144,46 @@
 				<SourceImage condition="is not">C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe</SourceImage>
 				<SourceImage condition="excludes any">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe;C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe;C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</SourceImage>
 				<GrantedAccess condition="contains">0x1400</GrantedAccess>
+				<CallTrace condition="excludes">C:\Program Files\SentinelOne\</CallTrace>
 			</Rule>
 			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE: possible memory injection -->
-			<GrantedAccess name="Attack=T1093,Technique=Process Hollowing,Tactic=Defense Evasion,DS=Process: Process Access,Level=4,Alert=Process Hollowing Detected,Risk=100">0x0800</GrantedAccess>
+			<Rule name="Attack=T1093,Technique=Process Hollowing,Tactic=Defense Evasion,DS=Process: Process Access,Level=4,Alert=Process Hollowing Detected,Risk=100" groupRelation="and">
+				<GrantedAccess condition="is">0x0800</GrantedAccess>
+			</Rule>
 			<!-- PROCESS_SUSPEND_RESUME -->
-			<GrantedAccess name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator">0x0810</GrantedAccess>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator" groupRelation="and">
+				<GrantedAccess condition="is">0x0810</GrantedAccess>
+			</Rule>
 			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
-			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Access,Level=0,Desc=Possible Memory Dump,Risk=70">0x0820</GrantedAccess>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Access,Level=0,Desc=Possible Memory Dump,Risk=70" groupRelation="and">
+				<GrantedAccess condition="is">0x0820</GrantedAccess>
+			</Rule>
 			<!-- PROCESS_SUSPEND_RESUME -->
-			<GrantedAccess name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=70">0x810</GrantedAccess>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=70" groupRelation="and">
+				<GrantedAccess condition="is">0x810</GrantedAccess>
+			</Rule>
 			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
-			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Modification,Risk=70">0x820</GrantedAccess>
-			<SourceImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=CScript accessing another process memory,Risk=30" condition="end with">cscript.exe</SourceImage>
-			<SourceImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=WScript accessing another process memory,Risk=30" condition="end with">wscript.exe</SourceImage>
-			<SourceImage condition="end with">jjs.exe</SourceImage>
-			<CallTrace name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">dump</CallTrace>
-			<CallTrace name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">mimikatz</CallTrace>
-			<CallTrace name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=ProcessAccess with CorperfmontExt.dll,Risk=70" condition="contains">CorperfmontExt.dll</CallTrace>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Modification,Risk=70" groupRelation="and">
+				<GrantedAccess condition="is">0x820</GrantedAccess>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=CScript accessing another process memory,Risk=30" groupRelation="and">
+				<SourceImage condition="end with">cscript.exe</SourceImage>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=WScript accessing another process memory,Risk=30" groupRelation="and">
+				<SourceImage condition="end with">wscript.exe</SourceImage>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Java Script accessing another process memory,Risk=30" groupRelation="and">
+				<SourceImage condition="end with">jjs.exe</SourceImage>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" groupRelation="and">
+				<CallTrace condition="contains">dump</CallTrace>
+			</Rule>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" groupRelation="and">
+				<CallTrace condition="contains">mimikatz</CallTrace>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=ProcessAccess with CorperfmontExt.dll,Risk=70" groupRelation="and">
+				<CallTrace condition="contains">CorperfmontExt.dll</CallTrace>
+			</Rule>
 		</ProcessAccess>
 	</RuleGroup>
 	<RuleGroup name="RG=ProcessAccess Exclude Group" groupRelation="or">
@@ -4228,7 +5226,9 @@
 		<FileCreate onmatch="include">
 			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
 			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<TargetFilename name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=File: File Creation,Level=4,Alert=Nessus Temp Files Created,Risk=100" condition="contains">\TEMP\nessus_</TargetFilename>
+			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=File: File Creation,Level=4,Alert=Nessus Temp Files Created,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains">\TEMP\nessus_</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
 			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
 			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
@@ -4265,7 +5265,7 @@
 			</Rule>
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Creation,Level=4,Alert=Dark Halo Software location,Risk=100" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\SoftwareDistribution</TargetFilename>
-				<TargetFilename condition="is not">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe</TargetFilename>
+				<TargetFilename condition="not begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch</TargetFilename>
 				<TargetFilename condition="end with">.exe</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Creation,Level=0,Desc=MSBuild Source Files created" groupRelation="or">
@@ -4282,55 +5282,133 @@
 			
 			<!--MITRE ATT&CK TACTIC: Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch File scripting: Batch scripts" condition="end with">.bat</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch scripting: Legacy btm Extension" condition="end with">.btm</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch scripting: Legacy cmd Extension" condition="end with">.cmd</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch scripting: Legacy com Extension" condition="end with">.com</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=CMDLine File Created" condition="end with">.cmdline</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch File Created" condition="end with">.bas</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=BIN file created" condition="end with">.bin</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WS Scripting" condition="end with">.ws</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WSC Scripting" condition="end with">.wsc</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WSF Scripting" condition="end with">.wsf</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WSH Scripting" condition="end with">.wsh</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=PIF Scripting" condition="end with">.pif</TargetFilename>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch File scripting: Batch scripts" groupRelation="and">
+				<TargetFilename condition="end with">.bat</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch scripting: Legacy btm Extension" groupRelation="and">
+				<TargetFilename condition="end with">.btm</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch scripting: Legacy cmd Extension" groupRelation="and">
+				<TargetFilename condition="end with">.cmd</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch scripting: Legacy com Extension" groupRelation="and">
+				<TargetFilename condition="end with">.com</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=CMDLine File Created" groupRelation="and">
+				<TargetFilename condition="end with">.cmdline</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch File Created" groupRelation="and">
+				<TargetFilename condition="end with">.bas</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=BIN file created" groupRelation="and">
+				<TargetFilename condition="end with">.bin</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WMI Shell artifacts" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WMI Shell artifacts" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WS Scripting" groupRelation="and">
+				<TargetFilename condition="end with">.ws</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WSC Scripting" groupRelation="and">
+				<TargetFilename condition="end with">.wsc</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WSF Scripting" groupRelation="and">
+				<TargetFilename condition="end with">.wsf</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WSH Scripting" groupRelation="and">
+				<TargetFilename condition="end with">.wsh</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=PIF Scripting" groupRelation="and">
+				<TargetFilename condition="end with">.pif</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: MSHTA-->
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=MSHTA Scripting" condition="end with">.hta</TargetFilename>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=MSHTA Scripting" groupRelation="and">
+				<TargetFilename condition="end with">.hta</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=IronPython,Risk=90" condition="contains">IronPython</TargetFilename>
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Python" condition="end with">.py</TargetFilename>
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Python" condition="end with">.pyc</TargetFilename>
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Python" condition="end with">.pyd</TargetFilename>
+			<Rule name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=IronPython,Risk=90" groupRelation="and">
+				<TargetFilename condition="contains">IronPython</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Python" groupRelation="and">
+				<TargetFilename condition="end with">.py</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Python" groupRelation="and">
+				<TargetFilename condition="end with">.pyc</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Python" groupRelation="and">
+				<TargetFilename condition="end with">.pyd</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
-			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Desc=Powershell file types,Risk=100" groupRelation="or">
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Desc=Powershell file types,Risk=100" groupRelation="and">
 				<TargetFilename condition="end with">.cdxml</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Desc=Powershell file types,Risk=100" groupRelation="and">
 				<TargetFilename condition="end with">.ps1</TargetFilename>
+				<Image condition="excludes any">C:\Program Files (x86)\N-Able Technologies\AutomationManagerEngine\2.70.0.4\AutomationManager.ScriptRunner64.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Desc=Powershell file types,Risk=100" groupRelation="and">
 				<TargetFilename condition="end with">.ps1xml</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Desc=Powershell file types,Risk=100" groupRelation="and">
 				<TargetFilename condition="end with">.psc1</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Desc=Powershell file types,Risk=100" groupRelation="and">
 				<TargetFilename condition="end with">.psd1</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Desc=Powershell file types,Risk=100" groupRelation="and">
 				<TargetFilename condition="end with">.psm1</TargetFilename>
+				<Image condition="excludes">AutomationManager.ScriptRunner64.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Desc=Powershell file types,Risk=100" groupRelation="and">
 				<TargetFilename condition="end with">.pssc</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Desc=Powershell Creating Files,Risk=10" groupRelation="and">
 				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
 				<TargetFilename condition="excludes">\Recent\CustomDestinations\</TargetFilename>
 			</Rule>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Powershell directory modifications" condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Powershell directory modifications" condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Persistence: PowerShell default profile" condition="begin with">c:\Windows\System32\WindowsPowerShell\v1.0\profile</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Persistence: PowerShell default profile" condition="begin with">c:\Windows\Syswow64\WindowsPowerShell\v1.0\profile</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\powershell.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Powershell Console History" condition="end with">PSReadLine\ConsoleHost_history.txt</TargetFilename>
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Powershell directory modifications" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Powershell directory modifications" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Persistence: PowerShell default profile" groupRelation="and">
+				<TargetFilename condition="begin with">c:\Windows\System32\WindowsPowerShell\v1.0\profile</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Persistence: PowerShell default profile" groupRelation="and">
+				<TargetFilename condition="begin with">c:\Windows\Syswow64\WindowsPowerShell\v1.0\profile</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" groupRelation="and">
+				<TargetFilename condition="end with">\UsageLogs\powershell.exe.log</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Powershell Console History" groupRelation="and">
+				<TargetFilename condition="end with">PSReadLine\ConsoleHost_history.txt</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=vbs script created" condition="end with">.vbs</TargetFilename>
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Java JRE Timestamp usage for DFIR" condition="contains">.oracle_jre_usage\</TargetFilename>
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=JavaScript" condition="end with">.js</TargetFilename>
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=JavaScript" condition="end with">.jse</TargetFilename>
-			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,DS=File: File Creation,Level=0,Desc=VisualBasicScripting" condition="end with">.vb</TargetFilename>
-			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,DS=File: File Creation,Level=0,Desc=VisualBasicScripting" condition="end with">.vbe</TargetFilename>
-			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,DS=File: File Creation,Level=0,Desc=VisualBasicScripting" condition="end with">.vbsript</TargetFilename>
+			<Rule name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=vbs script created" groupRelation="and">
+				<TargetFilename condition="end with">.vbs</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Java JRE Timestamp usage for DFIR" groupRelation="and">
+				<TargetFilename condition="contains">.oracle_jre_usage\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=JavaScript" groupRelation="and">
+				<TargetFilename condition="end with">.js</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=JavaScript" groupRelation="and">
+				<TargetFilename condition="end with">.jse</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,DS=File: File Creation,Level=0,Desc=VisualBasicScripting" groupRelation="and">
+				<TargetFilename condition="end with">.vb</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,DS=File: File Creation,Level=0,Desc=VisualBasicScripting" groupRelation="and">
+				<TargetFilename condition="end with">.vbe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,DS=File: File Creation,Level=0,Desc=VisualBasicScripting" groupRelation="and">
+				<TargetFilename condition="end with">.vbsript</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
 			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
@@ -4362,29 +5440,66 @@
 				<TargetFilename condition="excludes all">C:\Users\;\Google\Chrome Beta\User Data\;\IndexedDB\</TargetFilename>
 				<TargetFilename condition="excludes any">C:\Program Files\WindowsApps\Microsoft.YourPhone_;C:\Program Files\dotnet\shared\Microsoft.NETCore.App\;\Microsoft.NET\assembly\GAC_MSIL</TargetFilename>
 			</Rule>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="contains">crackmapexec</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._AES.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._DES.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Hash._SHA256.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Random.OSRNG.winrandom.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Util.strxor.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\crackmapexec.exe.manifest</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\greenlet.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=KeeFarce.exe default injected DLL name,Risk=100" condition="end with">BootStrapDLL.dll</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=MegaCortex Ransomware,Risk=100" condition="begin with">C:\windows\temp\wininit.exe</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Mimikatz Files" condition="contains any">lazycat;powerkatz;mimikatz;mimidrv;mimilove;mimilib;mimikittenz;mimiauth;invoke-mimi</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=RDP Wrapper,Risk=100" condition="end with">rdpwrap.dll</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=winspool.drv dropped" condition="end with">winspool.drv</TargetFilename>
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains">crackmapexec</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" groupRelation="and">
+				<TargetFilename condition="end with">\Crypto.Cipher._AES.pyd</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" groupRelation="and">
+				<TargetFilename condition="end with">\Crypto.Cipher._DES.pyd</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" groupRelation="and">
+				<TargetFilename condition="end with">\Crypto.Hash._SHA256.pyd</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" groupRelation="and">
+				<TargetFilename condition="end with">\Crypto.Random.OSRNG.winrandom.pyd</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" groupRelation="and">
+				<TargetFilename condition="end with">\Crypto.Util.strxor.pyd</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" groupRelation="and">
+				<TargetFilename condition="end with">\crackmapexec.exe.manifest</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" groupRelation="and">
+				<TargetFilename condition="end with">\greenlet.pyd</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=KeeFarce.exe default injected DLL name,Risk=100" groupRelation="and">
+				<TargetFilename condition="end with">BootStrapDLL.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=MegaCortex Ransomware,Risk=100" groupRelation="and">
+				<TargetFilename condition="begin with">C:\windows\temp\wininit.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Mimikatz Files" groupRelation="and">
+				<TargetFilename condition="contains any">lazycat;powerkatz;mimikatz;mimidrv;mimilove;mimilib;mimikittenz;mimiauth;invoke-mimi</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=RDP Wrapper,Risk=100" groupRelation="and">
+				<TargetFilename condition="end with">rdpwrap.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=winspool.drv dropped" groupRelation="and">
+				<TargetFilename condition="end with">winspool.drv</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
-			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=File: File Creation" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
-			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=File: File Creation" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
-			<Image name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=File: File Creation" condition="begin with">C:\WINDOWS\system32\wbem\scrcons.exe</Image>
+			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=File: File Creation" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=File: File Creation" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=File: File Creation" groupRelation="and">
+				<Image condition="begin with">C:\WINDOWS\system32\wbem\scrcons.exe</Image>
+			</Rule>
+			
 			<!--MITRE ATT&CK TACTIC: Persistence-->
 			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<TargetFilename name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Autorun Folder Entries" condition="contains">\Programs\Startup\</TargetFilename>
-			<TargetFilename name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Autorun Folder Entries" condition="contains">\Startup\</TargetFilename>
+			<Rule name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Autorun Folder Entries" groupRelation="and">
+				<TargetFilename condition="contains">\Programs\Startup\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Autorun Folder Entries" groupRelation="and">
+				<TargetFilename condition="contains">\Startup\</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
 			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
 			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
@@ -4396,14 +5511,26 @@
 			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Office Application Startup modification" condition="contains">\Word\STARTUP\</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Office Application Startup modification" condition="contains">\Microsoft\Templates\</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Office Application Startup modification" condition="contains">\Excel\XLSTART\</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation" condition="end with">.dotm</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation" condition="end with">.XLSB</TargetFilename>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Office Application Startup modification" groupRelation="and">
+				<TargetFilename condition="contains">\Word\STARTUP\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Office Application Startup modification" groupRelation="and">
+				<TargetFilename condition="contains">\Microsoft\Templates\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Office Application Startup modification" groupRelation="and">
+				<TargetFilename condition="contains">\Excel\XLSTART\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation" groupRelation="and">
+				<TargetFilename condition="end with">.dotm</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation" groupRelation="and">
+				<TargetFilename condition="end with">.XLSB</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Scheduled Task Modified" condition="begin with">C:\Windows\Tasks\</TargetFilename>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Scheduled Task Modified" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
 			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Exchange 0day from September 2022 overwriting legit file,Risk=80" groupRelation="and">
 				<TargetFilename condition="end with">RedirSuiteServiceProxy.aspx</TargetFilename>
@@ -4464,13 +5591,27 @@
 				<TargetFilename condition="end with">.aspx</TargetFilename>
 				<TargetFilename condition="excludes any">\wwwroot\</TargetFilename>
 			</Rule>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange ECP directory,Risk=80" condition="contains">\ecp\auth\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange OAB directory,Risk=80" condition="contains">\oab\auth\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">ClientAccess\Owa\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">\owa\auth\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange RPC directory,Risk=80" condition="contains">httpproxy\rpc\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange ecp directory,Risk=80" condition="contains">ClientAccess\ecp\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in wwwroot htdocs directory" condition="contains">\htdocs\</TargetFilename>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange ECP directory,Risk=80" groupRelation="and">
+				<TargetFilename condition="contains">\ecp\auth\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange OAB directory,Risk=80" groupRelation="and">
+				<TargetFilename condition="contains">\oab\auth\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" groupRelation="and">
+				<TargetFilename condition="contains">ClientAccess\Owa\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" groupRelation="and">
+				<TargetFilename condition="contains">\owa\auth\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange RPC directory,Risk=80" groupRelation="and">
+				<TargetFilename condition="contains">httpproxy\rpc\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange ecp directory,Risk=80" groupRelation="and">
+				<TargetFilename condition="contains">ClientAccess\ecp\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in wwwroot htdocs directory" groupRelation="and">
+				<TargetFilename condition="contains">\htdocs\</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
 
@@ -4521,19 +5662,36 @@
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
 			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
 			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=WSL Locations" condition="contains">\LocalState\rootfs\</TargetFilename>
-
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=WSL Locations" groupRelation="and">
+				<TargetFilename condition="contains">\LocalState\rootfs\</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="or">
-				<TargetFilename condition="begin with">C:\PerfLogs\</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Temp\</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Users\Default\</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename> 
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="and">
+				<TargetFilename condition="begin with">C:\PerfLogs\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Temp\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Users\Default\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename>
+				<Image condition="not begin with">C:\Program Files\SentinelOne\</Image>
+				<Image condition="excludes any">C:\Program Files\Cavelo\Cavelo Agent\osqueryi.exe;C:\Program Files\Cavelo\Cavelo Agent\parser.exe;C:\Program Files\Cavelo\Cavelo Agent\tesseract\tesseract.exe;AutomationManager.ScriptRunner64.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="and">
 				<TargetFilename condition="contains">\AppData\Temp\</TargetFilename>
 			</Rule>
-			<TargetFilename condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
-			<Image condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files Created from">$Recycle.Bin</Image>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Recycle bin files created" groupRelation="and">
+				<TargetFilename condition="contains">$Recycle.Bin</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files Created from" groupRelation="and">
+				<Image condition="contains">$Recycle.Bin</Image>
+			</Rule>
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Files Created within System Profile" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
 				<TargetFilename condition="contains">\config\systemprofile\</TargetFilename>
@@ -4542,24 +5700,58 @@
 				<Image condition="begin with">C:\Windows\</Image>
 				<Image condition="contains">\config\systemprofile\</Image>
 			</Rule>
-			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="or">
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">      .exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">.7z.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">.doc.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">.doc.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">.docx.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">.ico.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">.iso.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">.lnk.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">.pdf.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">.ppt.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">.pptx.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">.rar.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">.rtf.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">.txt.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">.xls.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">.xlsx.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">.zip.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="and">
 				<TargetFilename condition="end with">______.exe</TargetFilename>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
@@ -4577,15 +5769,21 @@
 			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Compiled HTML File-->
-			<TargetFilename name="Attack=T1223,Technique=Compiled HTML File,Tactic=Defense Evasion,DS=File: File Creation" condition="end with">.chm</TargetFilename>
+			<Rule name="Attack=T1223,Technique=Compiled HTML File,Tactic=Defense Evasion,DS=File: File Creation" groupRelation="and">
+				<TargetFilename condition="end with">.chm</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
 			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
 			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
 			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
-			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation" condition="end with">proj</TargetFilename>
-			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation" condition="end with">.sln</TargetFilename>
+			<Rule name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation" groupRelation="and">
+				<TargetFilename condition="end with">proj</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation" groupRelation="and">
+				<TargetFilename condition="end with">.sln</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
 			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
 			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
@@ -4662,32 +5860,84 @@
 			<!--MITRE ATT&CK TACTIC: Collection-->
 			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
 			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" condition="end with">.7z</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" condition="end with">.7zip</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" condition="end with">.arj</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" condition="end with">.s7z</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=.A Archive" condition="end with">.a</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ACE Archive" condition="end with">.ace</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=AR Archive" condition="end with">.ar</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ARC Archive" condition="end with">.arc</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=BIN" condition="end with">.bin</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=CAB Archive" condition="end with">.cab</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Game PAK Archive" condition="end with">.pak</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Gzip Archive" condition="end with">.gz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=IMG Archive" condition="end with">.img</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ISO Archive" condition="end with">.iso</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=LZM Archive" condition="end with">.lzm</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=LZMA Archive" condition="end with">.lzma</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=RAR Archive Extraction" condition="contains">Temp\Rar$</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=RAR Archive" condition="end with">.rar</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=RAR SFX Archive Extraction" condition="contains">RarSFX</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=SFX Archive" condition="end with">.sfx</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=SZ Archive" condition="end with">.sz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=TAR Archive" condition="end with">.tar</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=TAR.GZ Archive" condition="end with">.tar.gz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=TAR.GZ Archive" condition="end with">.tgz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=XZ Archive" condition="end with">.xz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ZIP Archive" condition="end with">.zip</TargetFilename>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" groupRelation="and">
+				<TargetFilename condition="end with">.7z</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" groupRelation="and">
+				<TargetFilename condition="end with">.7zip</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" groupRelation="and">
+				<TargetFilename condition="end with">.arj</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" groupRelation="and">
+				<TargetFilename condition="end with">.s7z</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=.A Archive" groupRelation="and">
+				<TargetFilename condition="end with">.a</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ACE Archive" groupRelation="and">
+				<TargetFilename condition="end with">.ace</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=AR Archive" groupRelation="and">
+				<TargetFilename condition="end with">.ar</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ARC Archive" groupRelation="and">
+				<TargetFilename condition="end with">.arc</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=BIN" groupRelation="and">
+				<TargetFilename condition="end with">.bin</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=CAB Archive" groupRelation="and">
+				<TargetFilename condition="end with">.cab</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Game PAK Archive" groupRelation="and">
+				<TargetFilename condition="end with">.pak</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Gzip Archive" groupRelation="and">
+				<TargetFilename condition="end with">.gz</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=IMG Archive" groupRelation="and">
+				<TargetFilename condition="end with">.img</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ISO Archive" groupRelation="and">
+				<TargetFilename condition="end with">.iso</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=LZM Archive" groupRelation="and">
+				<TargetFilename condition="end with">.lzm</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=LZMA Archive" groupRelation="and">
+				<TargetFilename condition="end with">.lzma</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=RAR Archive Extraction" groupRelation="and">
+				<TargetFilename condition="contains">Temp\Rar$</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=RAR Archive" groupRelation="and">
+				<TargetFilename condition="end with">.rar</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=RAR SFX Archive Extraction" groupRelation="and">
+				<TargetFilename condition="contains">RarSFX</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=SFX Archive" groupRelation="and">
+				<TargetFilename condition="end with">.sfx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=SZ Archive" groupRelation="and">
+				<TargetFilename condition="end with">.sz</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=TAR Archive" groupRelation="and">
+				<TargetFilename condition="end with">.tar</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=TAR.GZ Archive" groupRelation="and">
+				<TargetFilename condition="end with">.tar.gz</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=TAR.GZ Archive" groupRelation="and">
+				<TargetFilename condition="end with">.tgz</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=XZ Archive" groupRelation="and">
+				<TargetFilename condition="end with">.xz</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ZIP Archive" groupRelation="and">
+				<TargetFilename condition="end with">.zip</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
 			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
 			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
@@ -4700,10 +5950,18 @@
 			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
 			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
 			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .OST Created,Risk=30" condition="end with">.ost</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.eml</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.msg</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.pst</TargetFilename>
+			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .OST Created,Risk=30" groupRelation="and">
+				<TargetFilename condition="end with">.ost</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" groupRelation="and">
+				<TargetFilename condition="end with">.eml</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" groupRelation="and">
+				<TargetFilename condition="end with">.msg</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" groupRelation="and">
+				<TargetFilename condition="end with">.pst</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
 			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
 			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
@@ -4720,16 +5978,36 @@
 			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
 			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Created by Teamviewer" condition="image">Teamviewer.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Created by rundll32" condition="image">rundll32.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Created with Remote Desktop Client" condition="image">mstsc.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Created with command shell,Risk=30" condition="image">cmd.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped with IronPython.exe,Risk=50" condition="image">ipy.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped with WScript.exe,Risk=30" condition="image">WScript.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with cscript.exe,Risk=30" condition="image">cscript.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with mshta.exe,Risk=100" condition="image">mshta.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with python.exe,Risk=30" condition="image">python.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with wmic.exe,Risk=30" condition="image">wmic.exe</Image>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Created by Teamviewer" groupRelation="and">
+				<Image condition="image">Teamviewer.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Created by rundll32" groupRelation="and">
+				<Image condition="image">rundll32.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Created with Remote Desktop Client" groupRelation="and">
+				<Image condition="image">mstsc.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Created with command shell,Risk=30" groupRelation="and">
+				<Image condition="image">cmd.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped with IronPython.exe,Risk=50" groupRelation="and">
+				<Image condition="image">ipy.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped with WScript.exe,Risk=30" groupRelation="and">
+				<Image condition="image">WScript.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with cscript.exe,Risk=30" groupRelation="and">
+				<Image condition="image">cscript.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with mshta.exe,Risk=100" groupRelation="and">
+				<Image condition="image">mshta.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with python.exe,Risk=30" groupRelation="and">
+				<Image condition="image">python.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with wmic.exe,Risk=30" groupRelation="and">
+				<Image condition="image">wmic.exe</Image>
+			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
 				<TargetFilename condition="contains any">C:\Users\Default\;C:\Users\Public\</TargetFilename>
 				<TargetFilename condition="end with">.dll</TargetFilename>
@@ -4743,17 +6021,24 @@
 			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
 			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
 			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy: Multi-hop Proxy-->
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Hidden Service,Risk=100" condition="contains">HiddenService</TargetFilename>
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Files,Risk=100" condition="end with">torrc</TargetFilename> 
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Files,Risk=100" condition="contains">\tor.exe</TargetFilename> 
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Files,Risk=100" condition="contains">tor-gencert</TargetFilename> 
+			<!--MITRE ATT&CK TECHNIQUE: Proxy: Multi-hop Proxy--> 
+			<Rule name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Hidden Service,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains">HiddenService</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Files,Risk=100" groupRelation="and">
+				<TargetFilename condition="end with">torrc</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Files,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains">\tor.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Files,Risk=100" groupRelation="and">
+				<TargetFilename condition="contains">tor-gencert</TargetFilename>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
 			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
 			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
 
 			<!--MITRE ATT&CK TACTIC: Exfiltration-->
-
 			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
 			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
@@ -4763,10 +6048,19 @@
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
 			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Possible rclone Exfiltration,Risk=30" condition="contains">rclone</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Possible s3browser Exfiltration,Risk=30" condition="contains">s3browser</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Browser Credential exfiltration,Risk=30" condition="contains">grabff.exe</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Browser Credential exfiltration,Risk=30" condition="contains">grabff.exe</TargetFilename>
+			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Possible rclone Exfiltration,Risk=30" groupRelation="and">
+				<TargetFilename condition="contains">rclone</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Possible s3browser Exfiltration,Risk=30" groupRelation="and">
+				<TargetFilename condition="contains">s3browser</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Browser Credential exfiltration,Risk=30" groupRelation="and">
+				<TargetFilename condition="contains">grabff.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Browser Credential exfiltration,Risk=30" groupRelation="and">
+				<TargetFilename condition="contains">grabff.exe</TargetFilename>
+			</Rule>
+			
 			<!--MITRE ATT&CK TACTIC: Impact-->
 			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
 			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
@@ -4817,10 +6111,13 @@
 				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
 				<TargetFilename condition="excludes">C:\windows\</TargetFilename> 
 				<TargetFilename condition="excludes">C:\Users\</TargetFilename> 
+				<TargetFilename condition="excludes">C:\Program Files\WindowsApps\</TargetFilename> 
+				<Image condition="excludes any">C:\Program Files (x86)\MspPlatform\FileCacheServiceAgent\FileCacheServiceAgent.exe;C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe</Image>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Executable File Detected Inside User Directory" groupRelation="and">
 				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
 				<TargetFilename condition="begin with">C:\Users\</TargetFilename> 
+				<Image condition="excludes">C:\Users\*\AppData\Local\Microsoft\Teams\Update.exe</Image>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=WLL Office Application Startup" groupRelation="and">
 				<TargetFilename condition="contains">\Microsoft\Word\Startup\</TargetFilename>
@@ -4878,274 +6175,779 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Virtualbox VM Escape" groupRelation="and">
 				<Image condition="image">VirtualboxVM.exe</Image>
 			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files edited with Notepad Plus Plus" condition="is">notepad++.exe</Image>
-			<TargetFilename name="Attack=T1023,Technique=Shortcut Modification,Tactic=Persistence,DS=File: File Creation,Level=4,Alert=Potential LNK Malware File Downloaded">.lnk:Zone.Identifier</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\cscript.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\mshta.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\msiexec.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\regsvr32.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\rundll32.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\svchost.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wmic.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wscript.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\regsvr32.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Winrm Host Process" condition="end with">\UsageLogs\wsmprovhost.exe.log</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Link">.lnk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=URL">.url</TargetFilename>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files edited with Notepad Plus Plus" groupRelation="and">
+				<Image condition="is">notepad++.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1023,Technique=Shortcut Modification,Tactic=Persistence,DS=File: File Creation,Level=4,Alert=Potential LNK Malware File Downloaded" groupRelation="and">
+				<TargetFilename condition="end with">.lnk:Zone.Identifier</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" groupRelation="and">
+				<TargetFilename condition="end with">\UsageLogs\cscript.exe.log</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" groupRelation="and">
+				<TargetFilename condition="end with">\UsageLogs\mshta.exe.log</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" groupRelation="and">
+				<TargetFilename condition="end with">\UsageLogs\msiexec.exe.log</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" groupRelation="and">
+				<TargetFilename condition="end with">\UsageLogs\regsvr32.exe.log</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" groupRelation="and">
+				<TargetFilename condition="end with">\UsageLogs\rundll32.exe.log</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" groupRelation="and">
+				<TargetFilename condition="end with">\UsageLogs\svchost.exe.log</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" groupRelation="and">
+				<TargetFilename condition="end with">\UsageLogs\wmic.exe.log</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" groupRelation="and">
+				<TargetFilename condition="end with">\UsageLogs\wscript.exe.log</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" groupRelation="and">
+				<TargetFilename condition="end with">\regsvr32.exe.log</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Winrm Host Process" groupRelation="and">
+				<TargetFilename condition="end with">\UsageLogs\wsmprovhost.exe.log</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Link" groupRelation="and">
+				<TargetFilename condition="end with">.lnk</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=URL" groupRelation="and">
+				<TargetFilename condition="end with">.url</TargetFilename>
+			</Rule>
 			<!--Drivers dropped-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver" condition="end with">.sys</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver INF" condition="end with">.inf</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\System32\Drivers</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver File Dropped" condition="contains">\Drivers\</TargetFilename>
-			<TargetFilename condition="end with">.drv</TargetFilename> 
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver" groupRelation="and">
+				<TargetFilename condition="end with">.sys</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver INF" groupRelation="and">
+				<TargetFilename condition="end with">.inf</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver File Dropped" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver File Dropped" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\System32\Drivers</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver File Dropped" groupRelation="and">
+				<TargetFilename condition="contains">\Drivers\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver File Dropped" groupRelation="and">
+				<TargetFilename condition="end with">.drv</TargetFilename>
+			</Rule>
 			<!--Microsoft Office File Monitoring-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlam</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlsm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xla</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xll</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xls</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xlsb</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xlsx</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xlt</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xltm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xlw</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Office Template created" condition="contains">\Microsoft\Templates\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Outlook EML" condition="end with">.eml</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Outlook MSG" condition="end with">.msg</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.potm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint OpenXML Filetype" condition="end with">.sldm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Recent Office Files" condition="contains">\Microsoft\Office\Recent</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Forensic=Recent Office History" condition="contains">oleObject</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Forensic=Recent Jumplist Custom Destinations" condition="contains">\Recent\CustomDestinations\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=User Downloaded Files" condition="contains">\Downloads\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=User Outlook Attachments" condition="contains">\Content.Outlook\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Macro,Risk=30" condition="end with">.docb</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Macro,Risk=30" condition="end with">.wbk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Perfect" condition="end with">.ped</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Template" condition="end with">.dot</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Template" condition="end with">.dotx</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word" condition="end with">.doc</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word" condition="end with">.docm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word" condition="end with">.docx</TargetFilename>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="or">
-				<TargetFilename condition="end with">.accdb</TargetFilename>
-				<TargetFilename condition="end with">.accde</TargetFilename>
-				<TargetFilename condition="end with">.accdr</TargetFilename>
-				<TargetFilename condition="end with">.accdt</TargetFilename>
-				<TargetFilename condition="end with">.mdb</TargetFilename>
-				<TargetFilename condition="end with">.mde</TargetFilename>
-				<TargetFilename condition="end with">.msc</TargetFilename>
-				<TargetFilename condition="end with">.mst</TargetFilename>
-				<TargetFilename condition="end with">.potx</TargetFilename>
-				<TargetFilename condition="end with">.ppam</TargetFilename>
-				<TargetFilename condition="end with">.ppsm</TargetFilename>
-				<TargetFilename condition="end with">.ppsx</TargetFilename>
-				<TargetFilename condition="end with">.ppt</TargetFilename>
-				<TargetFilename condition="end with">.pptm</TargetFilename>
-				<TargetFilename condition="end with">.pptx</TargetFilename>
-				<TargetFilename condition="end with">.pub</TargetFilename>
-				<TargetFilename condition="end with">.sldm</TargetFilename>
-				<TargetFilename condition="end with">.sldx</TargetFilename>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel Macro,Risk=30" groupRelation="and">
+				<TargetFilename condition="end with">.xlam</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel Macro,Risk=30" groupRelation="and">
+				<TargetFilename condition="end with">.xlsm</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" groupRelation="and">
+				<TargetFilename condition="end with">.xla</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" groupRelation="and">
+				<TargetFilename condition="end with">.xll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" groupRelation="and">
 				<TargetFilename condition="end with">.xls</TargetFilename>
-				<TargetFilename condition="end with">.xps</TargetFilename>
 			</Rule>
-			<!--SECTION: Certificates -->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="or">
-				<TargetFilename condition="end with">.pem</TargetFilename>
-				<TargetFilename condition="end with">.crt</TargetFilename>
-				<TargetFilename condition="end with">.ca-bundle</TargetFilename>
-				<TargetFilename condition="end with">.cer</TargetFilename>
-				<TargetFilename condition="end with">.csr</TargetFilename>
-				<TargetFilename condition="end with">.der</TargetFilename>
-				<TargetFilename condition="end with">.p7b</TargetFilename>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" groupRelation="and">
+				<TargetFilename condition="end with">.xlsb</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" groupRelation="and">
+				<TargetFilename condition="end with">.xlsx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" groupRelation="and">
+				<TargetFilename condition="end with">.xlt</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" groupRelation="and">
+				<TargetFilename condition="end with">.xltm</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" groupRelation="and">
+				<TargetFilename condition="end with">.xlw</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Office Template created" groupRelation="and">
+				<TargetFilename condition="contains">\Microsoft\Templates\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Outlook EML" groupRelation="and">
+				<TargetFilename condition="end with">.eml</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Outlook MSG" groupRelation="and">
+				<TargetFilename condition="end with">.msg</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro,Risk=30" groupRelation="and">
+				<TargetFilename condition="end with">.potm</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro,Risk=30" groupRelation="and">
+				<TargetFilename condition="end with">.pptm</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint OpenXML Filetype" groupRelation="and">
+				<TargetFilename condition="end with">.sldm</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Recent Office Files" groupRelation="and">
+				<TargetFilename condition="contains">\Microsoft\Office\Recent</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Forensic=Recent Office History" groupRelation="and">
+				<TargetFilename condition="contains">oleObject</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Forensic=Recent Jumplist Custom Destinations" groupRelation="and">
+				<TargetFilename condition="contains">\Recent\CustomDestinations\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=User Downloaded Files" groupRelation="and">
+				<TargetFilename condition="contains">\Downloads\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=User Outlook Attachments" groupRelation="and">
+				<TargetFilename condition="contains">\Content.Outlook\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Macro,Risk=30" groupRelation="and">
+				<TargetFilename condition="end with">.docb</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Macro,Risk=30" groupRelation="and">
+				<TargetFilename condition="end with">.wbk</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Perfect" groupRelation="and">
+				<TargetFilename condition="end with">.ped</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Template" groupRelation="and">
+				<TargetFilename condition="end with">.dot</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Template" groupRelation="and">
+				<TargetFilename condition="end with">.dotx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word" groupRelation="and">
+				<TargetFilename condition="end with">.doc</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word" groupRelation="and">
+				<TargetFilename condition="end with">.docm</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word" groupRelation="and">
+				<TargetFilename condition="end with">.docx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.accdb</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.accde</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.accdr</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.accdt</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.mdb</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.mde</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.msc</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.mst</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.potx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.ppam</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.ppsm</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.ppsx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.ppt</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.pptm</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.pptx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.pub</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.sldm</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.sldx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.xls</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="and">
+				<TargetFilename condition="end with">.xps</TargetFilename>
+			</Rule>
+			<!--SECTION: Certificates -->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="and">
+				<TargetFilename condition="end with">.pem</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="and">
+				<TargetFilename condition="end with">.crt</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="and">
+				<TargetFilename condition="end with">.ca-bundle</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="and">
+				<TargetFilename condition="end with">.cer</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="and">
+				<TargetFilename condition="end with">.csr</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="and">
+				<TargetFilename condition="end with">.der</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="and">
+				<TargetFilename condition="end with">.p7b</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="and">
 				<TargetFilename condition="end with">.p7r</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="and">
 				<TargetFilename condition="end with">.p7s</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="and">
 				<TargetFilename condition="end with">.pfx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="and">
 				<TargetFilename condition="end with">.sto</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="and">
 				<TargetFilename condition="end with">.p12</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="and">
 				<TargetFilename condition="end with">.crl</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="and">
 				<TargetFilename condition="end with">.sst</TargetFilename>
+				<Image condition="excludes">SentinelAgent.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="and">
 				<TargetFilename condition="end with">.key</TargetFilename>
 			</Rule>
 			<!-- side loading -->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="or">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">.hlp</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">ACLUI.DLL.UI</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">ACLUI.DLL</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">AFLogVw.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">AShld.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">AShldRes.DLL.asr</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">AShldRes.DLL</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">AhnI2.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">CamMute.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">CommFunc.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">CommFunc.jax</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">DESqmWrapper.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">DESqmWrapper.wrapper</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">FSPMAPI.dll.fsp</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">FSPMAPI.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">Gadget.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">LoLTWLauncher.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">Mc.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">McUtil.dll.ping</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">McUtil.dll.url</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">McUtil.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">MpSvc.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">MsMpEng.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">NtUserEx.dat</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">NtUserEx.dat</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">NtUserEx.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">NtUserEx.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">NvSmart.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">NvSmartMax.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">NvSmartMax.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">NvSmartMaxapp.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">OInfo11.ISO</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">OInfo11.ocx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">OInfoP11.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">OleView.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">OleView.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">POETWLauncher.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">RasTls.dll.config</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">RasTls.dll.msc</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">RasTls.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">RasTls.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">RunHelp.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">Sidebar.dll.doc</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">Sidebar.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">Ushata.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">Ushata.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">Ushata.fox</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">VeetlePlayer.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">boot.ldr</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">chrome_frame_helper.dll.rom</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">chrome_frame_helper.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">chrome_frame_helper.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">dvcemumanager.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">fsguidll.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">fslapi.dll.gui</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">fslapi.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">fsstm.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">hccutils.dll.res</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">hccutils.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">hha.dll.bak</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">hha.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">hhc.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">hkcmd.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">iviewers.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">jli.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">libvlc.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">mPclient.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">mcf.ep</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">mcf.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">mcupdui.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">mcut.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">mcutil.dll.bbc</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">mcvsmap.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">msi.dll.dat</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">msi.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">msseces.asm</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">msseces.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">mtcReport.ktc</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">rc.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">rc.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">rc.hlp</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">sep_NE.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">sep_NE.slf</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">tplcdclr.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">winmm.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">wts.chm</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="and">
 				<TargetFilename condition="end with">credwiz.exe</TargetFilename>
 			</Rule>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Op cell phone: https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" condition="end with">ssMUIDLL.dll</TargetFilename>
-			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=Finfisher Sideload Detection" condition="end with">aepic.dll</TargetFilename>
-			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=Finfisher Sideload Detection" condition="end with">ftllib.dll</TargetFilename>
-			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=Finfisher Sideload Detection" condition="end with">userenv.dll</TargetFilename>
-			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,DS=File: File Creation,Level=0,Desc=RDP Bitmap Cache" condition="contains">\Terminal Server Client\Cache\</TargetFilename>
-			<TargetFilename name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=File: File Creation,Forensic=Windows Prefetch Exec History" condition="begin with">C:\Windows\Prefetch</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Suspicious TSClient share file creation,Risk=30" condition="begin with">\\tsclient</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=WebDav Cache Files Created" condition="begin with">C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\</TargetFilename>
-			<TargetFilename name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=File: File Creation,Level=4,Alert=SharpDump bin,Risk=100" condition="end with">\Temp\debug.bin</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=7zip Archive Extraction" condition="contains">Temp\7z</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Appcompat Shims" condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CHM Filetype" condition="end with">.chm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CIA Vault7: Control Panel Files https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="end with">.cpl</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CIA Vault7: https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="contains">.mht</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Chrome Extensions" condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Chrome extension" condition="end with">.crx</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=ClickOnce extension" condition="end with">.appref-ms</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Desktop Gadget File" condition="end with">.gadget</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Encrypted JScript File type" condition="end with">.JSE</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Executable file" condition="end with">.exe</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Explorer Command" condition="end with">.scf</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped to Exchange OWA: Webshell,Risk=70" condition="contains">Exchange Server\ClientAccess\Owa\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped to shadow copy" condition="begin with">\Device\HarddiskVolumeShadowCopy</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File created/accessed from Zip File" condition="contains">.zip\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Font File Type" condition="end with">.FON</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Font File Type" condition="end with">.FOT</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=IQY file used to pull down dropper" condition="end with">.iqy</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Icon" condition="end with">.ico</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Internet settings" condition="end with">.isp</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=MMC Snapin" condition="end with">.msc</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Manifest File Crated" condition="end with">.manifest</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Memory dump" condition="end with">MEMORY.dmp</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Microsoft Installer" condition="end with">.msi</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.cs</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.customDestinations-ms</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Minidump Crash dump created" condition="begin with">C:\Windows\Minidump</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=PAF" condition="end with">.PAF</TargetFilename>
-			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,DS=File: File Creation,Level=0,Desc=RDP Bitmap Cache" condition="end with">.bmc</TargetFilename>
-			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,DS=File: File Creation,Level=0,Desc=RDP" condition="end with">.rdp</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=RTF files often 0day malware vectors when opened by Office,Risk=20" condition="end with">.rtf</TargetFilename> 
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Registry file" condition="end with">.reg</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=SHS Office File for copy pastes" condition="end with">.SHS</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=SLK file used for command execution" condition="end with">.slk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Screensaver" condition="end with">.SCR</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Set" condition="end with">.set</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=SettingContent-ms" condition="end with">.SettingContent-ms</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Spooled Print Job" condition="end with">.SHD</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Spooled Print Job" condition="end with">.SPL</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Screensaver file created" condition="end with">.scr</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Vault7 file" condition="end with">HammerDrillStatus.dll</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Error Dumps" condition="contains">Microsoft\Windows\WER\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Icon" condition="end with">.ICL</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Registry Database" condition="end with">.sdb</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Script File Component File" condition="end with">.SCT</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Shell Scrap Object Handler File" condition="end with">.SHB</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Zip File Extraction from explorer" condition="contains">Temp\Temp1_</TargetFilename>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Op cell phone: https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" groupRelation="and">
+				<TargetFilename condition="end with">ssMUIDLL.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=Finfisher Sideload Detection" groupRelation="and">
+				<TargetFilename condition="end with">aepic.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=Finfisher Sideload Detection" groupRelation="and">
+				<TargetFilename condition="end with">ftllib.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=Finfisher Sideload Detection" groupRelation="and">
+				<TargetFilename condition="end with">userenv.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,DS=File: File Creation,Level=0,Desc=RDP Bitmap Cache" groupRelation="and">
+				<TargetFilename condition="contains">\Terminal Server Client\Cache\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=File: File Creation,Forensic=Windows Prefetch Exec History" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\Prefetch</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Suspicious TSClient share file creation,Risk=30" groupRelation="and">
+				<TargetFilename condition="begin with">\\tsclient</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=WebDav Cache Files Created" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=File: File Creation,Level=4,Alert=SharpDump bin,Risk=100" groupRelation="and">
+				<TargetFilename condition="end with">\Temp\debug.bin</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=7zip Archive Extraction" groupRelation="and">
+				<TargetFilename condition="contains">Temp\7z</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Appcompat Shims" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CHM Filetype" groupRelation="and">
+				<TargetFilename condition="end with">.chm</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CIA Vault7: Control Panel Files https://wikileaks.org/ciav7p1/cms/page_16384212.html" groupRelation="and">
+				<TargetFilename condition="end with">.cpl</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CIA Vault7: https://wikileaks.org/ciav7p1/cms/page_16384212.html" groupRelation="and">
+				<TargetFilename condition="contains">.mht</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Chrome Extensions" groupRelation="and">
+				<TargetFilename condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Chrome extension" groupRelation="and">
+				<TargetFilename condition="end with">.crx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=ClickOnce extension" groupRelation="and">
+				<TargetFilename condition="end with">.appref-ms</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Desktop Gadget File" groupRelation="and">
+				<TargetFilename condition="end with">.gadget</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Encrypted JScript File type" groupRelation="and">
+				<TargetFilename condition="end with">.JSE</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Executable file" groupRelation="and">
+				<TargetFilename condition="end with">.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Explorer Command" groupRelation="and">
+				<TargetFilename condition="end with">.scf</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped to Exchange OWA: Webshell,Risk=70" groupRelation="and">
+				<TargetFilename condition="contains">Exchange Server\ClientAccess\Owa\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped to shadow copy" groupRelation="and">
+				<TargetFilename condition="begin with">\Device\HarddiskVolumeShadowCopy</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File created/accessed from Zip File" groupRelation="and">
+				<TargetFilename condition="contains">.zip\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Font File Type" groupRelation="and">
+				<TargetFilename condition="end with">.FON</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Font File Type" groupRelation="and">
+				<TargetFilename condition="end with">.FOT</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Group Policy Script File Dropped" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Group Policy Script File Dropped" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=IQY file used to pull down dropper" groupRelation="and">
+				<TargetFilename condition="end with">.iqy</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Icon" groupRelation="and">
+				<TargetFilename condition="end with">.ico</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Internet settings" groupRelation="and">
+				<TargetFilename condition="end with">.isp</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=MMC Snapin" groupRelation="and">
+				<TargetFilename condition="end with">.msc</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Manifest File Crated" groupRelation="and">
+				<TargetFilename condition="end with">.manifest</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Memory dump" groupRelation="and">
+				<TargetFilename condition="end with">MEMORY.dmp</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Microsoft Installer" groupRelation="and">
+				<TargetFilename condition="end with">.msi</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" groupRelation="and">
+				<TargetFilename condition="end with">.cs</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" groupRelation="and">
+				<TargetFilename condition="end with">.customDestinations-ms</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Minidump Crash dump created" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Windows\Minidump</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=PAF" groupRelation="and">
+				<TargetFilename condition="end with">.PAF</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,DS=File: File Creation,Level=0,Desc=RDP Bitmap Cache" groupRelation="and">
+				<TargetFilename condition="end with">.bmc</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,DS=File: File Creation,Level=0,Desc=RDP" groupRelation="and">
+				<TargetFilename condition="end with">.rdp</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=RTF files often 0day malware vectors when opened by Office,Risk=20" groupRelation="and">
+				<TargetFilename condition="end with">.rtf</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Registry file" groupRelation="and">
+				<TargetFilename condition="end with">.reg</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=SHS Office File for copy pastes" groupRelation="and">
+				<TargetFilename condition="end with">.SHS</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=SLK file used for command execution" groupRelation="and">
+				<TargetFilename condition="end with">.slk</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Screensaver" groupRelation="and">
+				<TargetFilename condition="end with">.SCR</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Set" groupRelation="and">
+				<TargetFilename condition="end with">.set</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=SettingContent-ms" groupRelation="and">
+				<TargetFilename condition="end with">.SettingContent-ms</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Spooled Print Job" groupRelation="and">
+				<TargetFilename condition="end with">.SHD</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Spooled Print Job" groupRelation="and">
+				<TargetFilename condition="end with">.SPL</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Screensaver file created" groupRelation="and">
+				<TargetFilename condition="end with">.scr</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Vault7 file" groupRelation="and">
+				<TargetFilename condition="end with">HammerDrillStatus.dll</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Error Dumps" groupRelation="and">
+				<TargetFilename condition="contains">Microsoft\Windows\WER\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Icon" groupRelation="and">
+				<TargetFilename condition="end with">.ICL</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Registry Database" groupRelation="and">
+				<TargetFilename condition="end with">.sdb</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Script File Component File" groupRelation="and">
+				<TargetFilename condition="end with">.SCT</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Shell Scrap Object Handler File" groupRelation="and">
+				<TargetFilename condition="end with">.SHB</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Zip File Extraction from explorer" groupRelation="and">
+				<TargetFilename condition="contains">Temp\Temp1_</TargetFilename>
+			</Rule>
 			<!--Uncategorized-->
-			<TargetFilename condition="contains all">\Microsoft\;CLR_v;\UsageLogs\</TargetFilename>
-			<TargetFilename condition="end with">.ade</TargetFilename>
-			<TargetFilename condition="end with">.adp</TargetFilename>
-			<TargetFilename condition="end with">.application</TargetFilename>
-			<TargetFilename condition="end with">.appref-ms</TargetFilename>
-			<TargetFilename condition="end with">.asc</TargetFilename>
-			<TargetFilename condition="end with">.bmf</TargetFilename>
-			<TargetFilename condition="end with">.cer</TargetFilename>
-			<TargetFilename condition="end with">.dmp</TargetFilename>
-			<TargetFilename condition="end with">.gpg</TargetFilename>
-			<TargetFilename condition="end with">.htm</TargetFilename>
-			<TargetFilename condition="end with">.html</TargetFilename>
-			<TargetFilename condition="end with">.json</TargetFilename>
-			<TargetFilename condition="end with">.jsp</TargetFilename>
-			<TargetFilename condition="end with">.key</TargetFilename>
-			<TargetFilename condition="end with">.mof</TargetFilename>
-			<TargetFilename condition="end with">.ocx</TargetFilename>
-			<TargetFilename condition="end with">.p7b</TargetFilename>
-			<TargetFilename condition="end with">.p12</TargetFilename>
-			<TargetFilename condition="end with">.pem</TargetFilename>
-			<TargetFilename condition="end with">.pfx</TargetFilename>
-			<TargetFilename condition="end with">.pgp</TargetFilename>
-			<TargetFilename condition="end with">.php</TargetFilename>
-			<TargetFilename condition="end with">.ppk</TargetFilename>
-			<TargetFilename condition="end with">.war</TargetFilename>
-			<TargetFilename condition="end with">.xml</TargetFilename>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="contains all">\Microsoft\;CLR_v;\UsageLogs\</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.ade</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.adp</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.application</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.appref-ms</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.asc</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.bmf</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.cer</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.dmp</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.gpg</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.htm</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.html</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.json</TargetFilename>
+				<Image condition="excludes">SentinelRanger.exe</Image>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.jsp</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.key</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.mof</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.ocx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.p7b</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.p12</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.pem</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.pfx</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.pgp</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.php</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.ppk</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.war</TargetFilename>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+				<TargetFilename condition="end with">.xml</TargetFilename>
+				<Image condition="excludes any">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\NableUpdateService.exe;C:\Program Files (x86)\N-able Technologies\Reactive\bin\NableReactiveManagement.exe;C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe;C:\Program Files (x86)\MspPlatform\FileCacheServiceAgent\FileCacheServiceAgent.exe;AutomationManager.exe;C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe</Image>
+			</Rule>
 		</FileCreate>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
@@ -5153,7 +6955,7 @@
 		<RegistryEvent onmatch="include">
 			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
 			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<Rule name="ttack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=indows Registry: Windows Registry Key Modification,Level=4,Alert=Advanced IP Scanner Scan Detected" groupRelation="and">
+			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=indows Registry: Windows Registry Key Modification,Level=4,Alert=Advanced IP Scanner Scan Detected" groupRelation="and">
 				<TargetObject condition="contains">Software\Famatech\advanced_ip_scanner\State</TargetObject>
 				<TargetObject condition="end with">LastRangeUsed</TargetObject>
 				<EventType condition="is">SetValue</EventType>
@@ -5198,7 +7000,7 @@
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
-			<Rule name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Composite Device" groupRelation="and">
+			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Composite Device" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
@@ -5206,15 +7008,15 @@
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
-			<Rule name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Disk Drive" groupRelation="and">
+			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Disk Drive" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
-			<Rule name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New WPD Devices" groupRelation="and">
+			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New WPD Devices" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
-			<Rule name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Biometric Devices" groupRelation="and">
+			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Biometric Devices" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
@@ -5222,9 +7024,15 @@
 				<TargetObject condition="contains all">Root\InventoryDevicePnp;prod_virtual_dvd-rom</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
-			<TargetObject name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Mounted Device Detection" condition="contains">MountedDevices</TargetObject>
-			<TargetObject name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Mountpoints2 Mounted Device Detection" condition="contains">Mountpoints2</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Active Setup Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
+			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Mounted Device Detection" groupRelation="and">
+				<TargetObject condition="contains">MountedDevices</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Mountpoints2 Mounted Device Detection" groupRelation="and">
+				<TargetObject condition="contains">Mountpoints2</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Active Setup Installed Components" groupRelation="and">
+				<TargetObject condition="contains">Active Setup\Installed Components</TargetObject>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
 			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
 			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
@@ -5234,8 +7042,13 @@
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\</TargetObject>
 				<TargetObject condition="end with">LoggedOnUser</TargetObject>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Last Logged on User modification" condition="contains">LastLoggedOnUser</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Last Logged on Provider modification" condition="contains">LastLoggedOnProvider</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Last Logged on User modification" groupRelation="and">
+				<TargetObject condition="contains">LastLoggedOnUser</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Last Logged on Provider modification" groupRelation="and">
+				<TargetObject condition="contains">LastLoggedOnProvider</TargetObject>
+			</Rule>
+			
 			<!--MITRE ATT&CK TACTIC: Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
 			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
@@ -5324,15 +7137,23 @@
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<TargetObject name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Alert=Process Injection: injecting a 64-bit DLL into a 32-bit process" condition="contains">SOFTWARE\Microsoft\Wow64\x86\</TargetObject>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Alert=Process Injection: injecting a 64-bit DLL into a 32-bit process" groupRelation="and">
+				<TargetObject condition="contains">SOFTWARE\Microsoft\Wow64\x86\</TargetObject>
+			</Rule>
 			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Alert=AutoRun Reg Keys,Risk=70" groupRelation="and">
 				<EventType condition="is">SetValue</EventType>
 				<TargetObject condition="contains">\CurrentVersion\Run\</TargetObject>
-				<Image condition="excludes">Add_exclusions_here</Image>
+				<Image condition="excludes any">C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe;\AppData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Logon Logoff Shutdown Scripts" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\System\Scripts</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Logon Logoff Shutdown Scripts" groupRelation="and">
+				<TargetObject condition="contains">\Windows\System\Scripts</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Service Command Line parameters" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
 			</Rule>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Microsoft\System\Scripts</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Windows\System\Scripts</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Service Command Line parameters" condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
 			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Start Mode Changed to: Boot" groupRelation="and">
 				<TargetObject condition="end with">\Start</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
@@ -5353,17 +7174,37 @@
 				<TargetObject condition="end with">\Start</TargetObject>
 				<Details condition="contains">DWORD (0x00000004)</Details>
 			</Rule>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Services: Services and autoruns imagepath" condition="end with">\ImagePath</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Service DLL changes" condition="end with">\ServiceDll</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Manifest pointing to service's DLL" condition="end with">\ServiceManifest</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="begin with">hkcu\software\microsoft\windows nt\currentversion\windows\run\</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\common startup</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\startup</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="begin with">hklm\software\microsoft\command processor\autorun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="contains all">hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="contains">Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Services: Services and autoruns imagepath" groupRelation="and">
+				<TargetObject condition="end with">\ImagePath</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Service DLL changes" groupRelation="and">
+				<TargetObject condition="end with">\ServiceDll</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Manifest pointing to service's DLL" groupRelation="and">
+				<TargetObject condition="end with">\ServiceManifest</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" groupRelation="and">
+				<TargetObject condition="begin with">hkcu\software\microsoft\windows nt\currentversion\windows\run\</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" groupRelation="and">
+				<TargetObject condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\common startup</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" groupRelation="and">
+				<TargetObject condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\startup</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" groupRelation="and">
+				<TargetObject condition="begin with">hklm\software\microsoft\command processor\autorun</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" groupRelation="and">
+				<TargetObject condition="contains all">hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" groupRelation="and">
+				<TargetObject condition="contains">Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Print Processors-->
-			<TargetObject name="Attack=T1013,Technique=Port Monitors,Tactic=Persistence/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification" condition="contains">\Print\Monitors</TargetObject>
+			<Rule name="Attack=T1013,Technique=Port Monitors,Tactic=Persistence/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification" groupRelation="and">
+				<TargetObject condition="contains">\Print\Monitors</TargetObject>
+			</Rule>
 			<!--<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">\Printers\Connections</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">\Print\Environments\</TargetObject>
 			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">\Servers\Printers\</TargetObject>
@@ -5426,7 +7267,9 @@
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
 			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=KnownDLLs" condition="contains">Session Manager\KnownDlls</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=KnownDLLs" groupRelation="and">
+				<TargetObject condition="contains">Session Manager\KnownDlls</TargetObject>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
 			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
@@ -5461,30 +7304,73 @@
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="contains">UserInitMprLogonScript</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=BootVerificationProgram Autorun" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">UserInitMprLogonScript</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=BootVerificationProgram Autorun" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Security Support Provider-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor OS Config LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor OS Config LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor OS Config LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor LSA Authentication Packages" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor LSA Notification Packages" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor LSA Security Packages" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor OS Config LSA Authentication Packages" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor OS Config LSA Notification Packages" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor OS Config LSA Security Packages" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
 			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
 			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
@@ -5594,10 +7480,16 @@
 			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=PromptOnSecureDesktop Disablement Detected" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
+			</Rule>	
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect UAC Tampering" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=UAC Bypass,Risk=70" groupRelation="and">
+				<TargetObject condition="end with">\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=UAC Bypass,Risk=70" groupRelation="and">
+				<TargetObject condition="end with">exefile\shell\runas\command\isolatedCommand</TargetObject>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect UAC Tampering" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
-			<TargetObject name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe</TargetObject>
-			<TargetObject name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">exefile\shell\runas\command\isolatedCommand</TargetObject>			
 			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
 			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
 			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
@@ -5610,7 +7502,9 @@
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
 			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
 			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Hidden File Explorer Setting modification" groupRelation="and">
+				<TargetObject condition="end with">\Hidden</TargetObject>
+			</Rule>
 			<Rule name="Attack=T1564.002,Technique=Hide Artifacts: Hidden Users,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=User Account Hidden From Logon Screen,Risk=100" groupRelation="and">
 				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\</TargetObject>
 				<TargetObject condition="end with">$</TargetObject>
@@ -5623,6 +7517,8 @@
 				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
 				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
 				<Image condition="excludes">C:\Programdata\sysmon\sysmon64.exe</Image>
+				<Image condition="excludes">C:\Programdata\sysmon\sysmon.exe</Image>
+				<Image condition="excludes">C:\Windows\TEMP\sysmon.exe</Image>
 				<!--Customize: Add your configuration directory above-->
 			</Rule>
 			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Modification to System Exploit Protection,Risk=30" groupRelation="and">
@@ -5676,27 +7572,67 @@
 				<TargetObject condition="contains">\Outlook\Security</TargetObject>
 				<!--Allow Outlook Details rules to fire-->
 				<TargetObject condition="excludes">\Security\Level</TargetObject>
+			</Rule>	
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Word Security Changes" groupRelation="and">
+				<TargetObject condition="contains">\Word\Security</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Excel Security Changes" groupRelation="and">
+				<TargetObject condition="contains">\Excel\Security</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected Unauthorized changes to Office Security" groupRelation="and">
+				<TargetObject condition="contains">\Security\Level1Remove</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft:Windows:Security Center: HideSCAHealth" groupRelation="and">
+				<TargetObject condition="end with">\HideSCAHealth</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center AV Disabled Notifications" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disable UAC Notify Monitoring" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disabled Monitoring" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disabled Monitoring" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disablement of Update notifications" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Firewall Override Monitoring" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Tampering: All Alerts Disabled" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
+			</Rule>
+			<Rule name="Attack=1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detected disablement of System Restore,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPSessionInterval</TargetObject>
+			</Rule>
+			<Rule name="Attack=1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detected disablement of System Restore,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SystemRestorePointCreationFrequency</TargetObject>
+			</Rule>
+			<Rule name="Attack=1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected disablement of machine password,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Secure Channel Protection changes,Risk=30" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Refuse PW Change for workstations" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender AntiSpyware Disablement Detection" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender Behavior Monitoring Disablement Detection" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender Real Time Protection Disablement Detection" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender Spynet Reporting Disablement Detection" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Word Security Changes" condition="contains">\Word\Security</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Excel Security Changes" condition="contains">\Excel\Security</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected Unauthorized changes to Office Security" condition="contains">\Security\Level1Remove</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft:Windows:Security Center: HideSCAHealth" condition="end with">\HideSCAHealth</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center AV Disabled Notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disable UAC Notify Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disablement of Update notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Firewall Override Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Tampering: All Alerts Disabled" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPSessionInterval</TargetObject>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SystemRestorePointCreationFrequency</TargetObject>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected disablement of machine password,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Secure Channel Protection changes,Risk=30" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Refuse PW Change for workstations" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender AntiSpyware Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender Behavior Monitoring Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender Real Time Protection Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender Spynet Reporting Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable Windows Event Logging-->
 			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Disabling of Windows Event Log Source,Risk=100" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
@@ -5722,6 +7658,7 @@
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging</TargetObject>
 				<TargetObject condition="end with">\EnableScriptBlockLogging</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
+				<Image condition="excludes">C:\Program Files (x86)\N-able Technologies\AutomationManagerAgent\AutomationManager.AgentService.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging</TargetObject>
@@ -5750,9 +7687,12 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Globally Opened Firewall port exceptions" groupRelation="and">
 				<TargetObject condition="contains">globallyopenports</TargetObject>
 			</Rule>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Firewall Enablement or Disablement" condition="end with">EnableFirewall</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=App added to Firewall Auth list" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
-
+			<Rule name="Technique=Attack=1089,Disabling Security Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Firewall Enablement or Disablement" groupRelation="and">
+				<TargetObject condition="end with">EnableFirewall</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=App added to Firewall Auth list" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
 			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=ETWEnabled Env Tampering,Risk=70" groupRelation="and">
 				<TargetObject condition="contains">\Microsoft\.NETFramework\ETWEnabled</TargetObject>
@@ -5787,8 +7727,9 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Right to Left hidden Registry key,Risk=40" groupRelation="and">
 				<TargetObject condition="contains">&#x202e;</TargetObject>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Remote Registry Setting Keys" condition="begin with">HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg</TargetObject>
-
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Remote Registry Setting Keys" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg</TargetObject>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect System Certificate Modifications" groupRelation="and">
 				<TargetObject condition="contains any">\Software\Policies\Microsoft\SystemCertificates\;\SOFTWARE\Microsoft\EnterpriseCertificates\;HKLM\SOFTWARE\Microsoft\SystemCertificates\;HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
@@ -5807,10 +7748,18 @@
 				<Image condition="excludes">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</Image>
 				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe</Image>
 			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Remote Desktop fDenyTSConnections modification" condition="contains">fDenyTSConnections</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Remote Desktop Settings keys" condition="contains">Terminal Server\WinStations\RDP-Tcp</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Remote Desktop port modification" condition="end with">RDP-tcp\PortNumber</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Enablement of Multiple RDP Sessions" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Remote Desktop fDenyTSConnections modification" groupRelation="and">
+				<TargetObject condition="contains">fDenyTSConnections</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Remote Desktop Settings keys" groupRelation="and">
+				<TargetObject condition="contains">Terminal Server\WinStations\RDP-Tcp</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Remote Desktop port modification" groupRelation="and">
+				<TargetObject condition="end with">RDP-tcp\PortNumber</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Enablement of Multiple RDP Sessions" groupRelation="and">
+				<TargetObject condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
 			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Unicode Replacement Character in Registry key,Risk=20" groupRelation="and">
@@ -5825,7 +7774,9 @@
 			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
 			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
 			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
-			<TargetObject name="Attack=T1109,Technique=Component Firmware,Tactic=Defense Escalation/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect ACPI Rootkits" condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject>
+			<Rule name="Attack=T1109,Technique=Component Firmware,Tactic=Defense Escalation/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect ACPI Rootkits" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
 			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
@@ -5859,25 +7810,64 @@
 			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
 			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
 			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials: Credentials in Registry-->
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Account Name</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Display Name</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Email</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP User</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP User</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\MAPI Provider</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 User</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP User</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Desc=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Credentials in Registry: Domain" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Desc=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Credentials in Registry: Username" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 1,Risk=70" condition="contains">SecurityPasswordAES</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 2,Risk=70" condition="contains">OptionsPasswordAES</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 3,Risk=70" condition="contains">SecurityPasswordExported</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 4,Risk=70" condition="contains">PermanentPassword</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Outlook Profile Artifacts" groupRelation="and">
+				<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Account Name</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Outlook Profile Artifacts" groupRelation="and">
+				<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Display Name</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Outlook Profile Artifacts" groupRelation="and">
+				<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Email</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Outlook Profile Artifacts" groupRelation="and">
+				<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP User</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Outlook Profile Artifacts" groupRelation="and">
+				<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP User</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Outlook Profile Artifacts" groupRelation="and">
+				<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\MAPI Provider</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Outlook Profile Artifacts" groupRelation="and">
+				<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 User</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Outlook Profile Artifacts" groupRelation="and">
+				<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP User</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" groupRelation="and">
+				<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP Password</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" groupRelation="and">
+				<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP Password</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" groupRelation="and">
+				<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 Password</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" groupRelation="and">
+				<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP Password</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Credentials in Registry: Domain" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Credentials in Registry: Username" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 1,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">SecurityPasswordAES</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 2,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">OptionsPasswordAES</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 3,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">SecurityPasswordExported</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 4,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">PermanentPassword</TargetObject>
+			</Rule>
+
 			<!--MITRE ATT&CK TACTIC: Discovery-->
 			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
 			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
@@ -5916,7 +7906,6 @@
 			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
 			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
 			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
-
 			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
 			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
 			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
@@ -5963,7 +7952,6 @@
 			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
 
 			<!--MITRE ATT&CK TACTIC: Exfiltration-->
-
 			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
 			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
@@ -5973,6 +7961,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
 			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
 			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
+			
 			<!--MITRE ATT&CK TACTIC: Impact-->
 			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
 			<Rule name="Attack=T1531,Technique=Account Access Removal,Tactic=Impact,DS=Windows Registry: Windows Registry Key Deletion,Level=1,Desc=User Account Deleted" groupRelation="and">
@@ -6018,202 +8007,504 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=TS Farm Drain Mode Modification Detection" groupRelation="and">
 				<TargetObject condition="end with">\TSServerDrainMode</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=IE history Detection" groupRelation="and">
-				<TargetObject condition="end with">\TypedURLs</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=IE history Detection" groupRelation="and">
+				<TargetObject condition="end with">\TypedURLs</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IPv6 Changes detected: Disabled Components" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\disabledcomponents</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IPv6 Changes detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Linkage\Bind</TargetObject>
+				<Details condition="excludes">Binary Data</Details>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Network Card Changes detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Service Listening Ports with URL ACL INFO" groupRelation="and">
+				<TargetObject condition="contains">services\http\parameters\urlaclinf</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Adobe Recent File List History" groupRelation="and">
+				<TargetObject condition="contains">cRecentFiles\c1\</TargetObject>
+				<TargetObject condition="end with">tDIText</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Office History MRU" groupRelation="and">
+				<TargetObject condition="end with">\File MRU\Item 1</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Sysmon Config Hash Modification Monitoring" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHash</TargetObject>
+			</Rule>
+			<!--Common Malware Persistence locations-->
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">CurrentVersion\Windows\Load</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">CurrentVersion\Windows\Run</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">CurrentVersion\Winlogon\Shell</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">CurrentVersion\Winlogon\System</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1562.006,Technique=Impair Defenses: Indicator Blocking,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=ETW Tampering,Risk=70" groupRelation="and">
+				<TargetObject condition="end with">SOFTWARE\Microsoft\.NETFramework\ETWEnabled</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Group Policy Scripts" groupRelation="and">
+				<TargetObject condition="contains">\Group Policy\Scripts</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=2,Alert=AutoRun Keys,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Alternate Shell AvailableShells Hijack" groupRelation="and">
+				<TargetObject condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Alternative Shell Policy" groupRelation="and">
+				<TargetObject condition="contains">Policies\System\Shell</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AutoStart on Connect" groupRelation="and">
+				<TargetObject condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AutoStart on Disconnect" groupRelation="and">
+				<TargetObject condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
+			</Rule>
+			<!-- <TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Chrome Extensions" condition="contains">PreferenceMACs\Default\extensions.settings</TargetObject> Nosiy and doesn't seem to provide helpful information. -->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CurrentVersion URL Key" groupRelation="and">
+				<TargetObject condition="contains">CurrentVersion\URL</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Font Drivers" groupRelation="and">
+				<TargetObject condition="end with">\CurrentVersion\Font Drivers</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Group Policy Shutdown scripts" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Icon Service Lib" groupRelation="and">
+				<TargetObject condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Installed Components" groupRelation="and">
+				<TargetObject condition="contains">Active Setup\Installed Components</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" groupRelation="and">
+				<TargetObject condition="contains">NullSessionShares</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" groupRelation="and">
+				<TargetObject condition="end with">NullSessionPipes</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Password Expiry Info" groupRelation="and">
+				<TargetObject condition="contains">PasswordExpiryNotification</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Safeboot Alternative Shell hijack" groupRelation="and">
+				<TargetObject condition="contains">SafeBoot\AlternateShell</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Screen Save on Desktop" groupRelation="and">
+				<TargetObject condition="contains">Desktop\Scrnsave.exe</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or DisplayVersion modified" groupRelation="and">
+				<TargetObject condition="end with">\DisplayVersion</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or Modify String modified" groupRelation="and">
+				<TargetObject condition="end with">\ModifyPath</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or Uninstall String modified" groupRelation="and">
+				<TargetObject condition="contains">\Microsoft\Windows\CurrentVersion\Uninstall\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or Uninstall String modified" groupRelation="and">
+				<TargetObject condition="end with">\UninstallString</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Terminal Services Initial Program Key" groupRelation="and">
+				<TargetObject condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Winlogon Taskman Key" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
+			</Rule>
+			<!--CLSID launch commands and file association changes-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=File Extension Mapping" groupRelation="and">
+				<TargetObject condition="contains">\Explorer\FileExts\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Command Shell install Key" groupRelation="and">
+				<TargetObject condition="contains">\shell\install\command\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=User SID History for Forensics" groupRelation="and">
+				<TargetObject condition="end with">\ProfileImagePath</TargetObject>
+			</Rule>
+			<!--Windows shell hijack-->
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AllFileSystemObjects Classes" groupRelation="and">
+				<TargetObject condition="contains">\Classes\AllFilesystemObjects\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Asterisk Classes" groupRelation="and">
+				<TargetObject condition="contains">\Classes\*\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CFT LangBarAddin" groupRelation="and">
+				<TargetObject condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=ContextMenuHandlers" groupRelation="and">
+				<TargetObject condition="contains">\ContextMenuHandlers\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CurrentVersion Shell Keys" groupRelation="and">
+				<TargetObject condition="contains">\CurrentVersion\Shell</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect ShellExecuteHooks" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Directory Classes" groupRelation="and">
+				<TargetObject condition="contains">\Classes\Directory\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Drive Classes" groupRelation="and">
+				<TargetObject condition="contains">\Classes\Drive\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Explorer Shell Execute Hooks" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Folder Classes" groupRelation="and">
+				<TargetObject condition="contains">\Classes\Folder\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Hidden File Explorer Setting modification" groupRelation="and">
+				<TargetObject condition="end with">\Hidden</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Hidden File Extensions Explorer Setting modification" groupRelation="and">
+				<TargetObject condition="end with">\HideFileExt</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Internet Explorer Desktop Components" groupRelation="and">
+				<TargetObject condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Protocol Filter Classes" groupRelation="and">
+				<TargetObject condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Protocol Handler Classes" groupRelation="and">
+				<TargetObject condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=SharedTaskScheduler" groupRelation="and">
+				<TargetObject condition="contains">\SharedTaskScheduler</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IPv6 Changes detected: Disabled Components" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\disabledcomponents</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Super Hidden File Explorer Setting modification" groupRelation="and">
+				<TargetObject condition="end with">\ShowSuperHidden</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IPv6 Changes detected" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Linkage\Bind</TargetObject>
-				<Details condition="excludes">Binary Data</Details>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ColumnHandlers" groupRelation="and">
+				<TargetObject condition="contains">\ColumnHandlers</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Network Card Changes detected" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: CopyHookHandlers" groupRelation="and">
+				<TargetObject condition="contains">\CopyHookHandlers</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Service Listening Ports with URL ACL INFO" groupRelation="and">
-				<TargetObject condition="contains">services\http\parameters\urlaclinf</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ExtShellFolderView" groupRelation="and">
+				<TargetObject condition="contains">\ExtShellFolderViews</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Adobe Recent File List History" groupRelation="and">
-				<TargetObject condition="contains">cRecentFiles\c1\</TargetObject>
-				<TargetObject condition="end with">tDIText</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: PropertySheetHandlers" groupRelation="and">
+				<TargetObject condition="contains">\PropertySheetHandlers</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Office History MRU" groupRelation="and">
-				<TargetObject condition="end with">\File MRU\Item 1</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ShellServiceObjectDelayLoad" groupRelation="and">
+				<TargetObject condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Sysmon Config Hash Modification Monitoring" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHash</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ShellServiceObjects" groupRelation="and">
+				<TargetObject condition="contains">\ShellServiceObjects</TargetObject>
 			</Rule>
-			<!--Common Malware Persistence locations-->
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Windows\Load</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Windows\Run</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Winlogon\Shell</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Winlogon\System</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			<TargetObject name="Attack=T1562.006,Technique=Impair Defenses: Indicator Blocking,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=ETW Tampering,Risk=70" condition="end with">SOFTWARE\Microsoft\.NETFramework\ETWEnabled</TargetObject>
-			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=2,Alert=AutoRun Keys,Risk=70" condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Alternate Shell AvailableShells Hijack" condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Alternative Shell Policy" condition="contains">Policies\System\Shell</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AutoStart on Connect" condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AutoStart on Disconnect" condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Chrome Extensions" condition="contains">PreferenceMACs\Default\extensions.settings</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CurrentVersion URL Key" condition="contains">CurrentVersion\URL</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Font Drivers" condition="end with">\CurrentVersion\Font Drivers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Group Policy Shutdown scripts" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Icon Service Lib" condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="contains">NullSessionShares</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="end with">NullSessionPipes</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Password Expiry Info" condition="contains">PasswordExpiryNotification</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Safeboot Alternative Shell hijack" condition="contains">SafeBoot\AlternateShell</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Screen Save on Desktop" condition="contains">Desktop\Scrnsave.exe</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or DisplayVersion modified" condition="end with">\DisplayVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or Modify String modified" condition="end with">\ModifyPath</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or Uninstall String modified" condition="contains">\Microsoft\Windows\CurrentVersion\Uninstall\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or Uninstall String modified" condition="end with">\UninstallString</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Terminal Services Initial Program Key" condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Winlogon Taskman Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
-			<!--CLSID launch commands and file association changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=File Extension Mapping" condition="contains">\Explorer\FileExts\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Command Shell install Key" condition="contains">\shell\install\command\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=User SID History for Forensics" condition="end with">\ProfileImagePath</TargetObject>
-			<!--Windows shell hijack-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AllFileSystemObjects Classes" condition="contains">\Classes\AllFilesystemObjects\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Asterisk Classes" condition="contains">\Classes\*\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CFT LangBarAddin" condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=ContextMenuHandlers" condition="contains">\ContextMenuHandlers\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CurrentVersion Shell Keys" condition="contains">\CurrentVersion\Shell</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect ShellExecuteHooks" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Directory Classes" condition="contains">\Classes\Directory\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Drive Classes" condition="contains">\Classes\Drive\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Explorer Shell Execute Hooks" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Folder Classes" condition="contains">\Classes\Folder\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Hidden File Extensions Explorer Setting modification" condition="end with">\HideFileExt</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Internet Explorer Desktop Components" condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Protocol Filter Classes" condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Protocol Handler Classes" condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=SharedTaskScheduler" condition="contains">\SharedTaskScheduler</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Super Hidden File Explorer Setting modification" condition="end with">\ShowSuperHidden</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ColumnHandlers" condition="contains">\ColumnHandlers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: CopyHookHandlers" condition="contains">\CopyHookHandlers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ExtShellFolderView" condition="contains">\ExtShellFolderViews</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: PropertySheetHandlers" condition="contains">\PropertySheetHandlers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ShellServiceObjectDelayLoad" condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ShellServiceObjects" condition="contains">\ShellServiceObjects</TargetObject>
 			<!--AppPaths hijacking-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject>
+			</Rule>
 			<!--Terminal service boobytraps-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Terminal Services BoobyTraps" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Terminal Services BoobyTraps" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
+			</Rule>
 			<!--Group Policy interity-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Group Policy interity Detection" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Group Policy interity Detection" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject>
+			</Rule>
 			<!--Winsock and Winsock2-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Popup Blocker Changes" condition="end with">\3\1809</TargetObject> 
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Protected Mode Changes" condition="end with">\3\2500</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Scripting Mode in Internet Zone Changes" condition="end with">\3\1206</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Security Setting Check Warning Changes" condition="end with">\DisableSecuritySettingsCheck</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Proxy Server Changes" condition="end with">\ProxyServer</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected IE Legacy setting modifications" condition="end with">SavedLegacySettings</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected IE Proxy setting modifications" condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected Modifications of Console Tracing" condition="end with">EnableConsoleTracing</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected Modifications of File Tracing" condition="end with">EnableFileTracing</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Popup Blocker Changes" groupRelation="and">
+				<TargetObject condition="end with">\3\1809</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Protected Mode Changes" groupRelation="and">
+				<TargetObject condition="end with">\3\2500</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Scripting Mode in Internet Zone Changes" groupRelation="and">
+				<TargetObject condition="end with">\3\1206</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Security Setting Check Warning Changes" groupRelation="and">
+				<TargetObject condition="end with">\DisableSecuritySettingsCheck</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Catalog Changes" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Catalog Changes" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Catalog Changes" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Changes" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Proxy Server Changes" groupRelation="and">
+				<TargetObject condition="end with">\ProxyServer</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected IE Legacy setting modifications" groupRelation="and">
+				<TargetObject condition="end with">SavedLegacySettings</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected IE Proxy setting modifications" groupRelation="and">
+				<TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected Modifications of Console Tracing" groupRelation="and">
+				<TargetObject condition="end with">EnableConsoleTracing</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected Modifications of File Tracing" groupRelation="and">
+				<TargetObject condition="end with">EnableFileTracing</TargetObject>
+			</Rule>
 			<!--Credential providers-->
-			<TargetObject name="Attack=T1177,Tactic=Execution/Persistence,Technique=LSASS Driver,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Detection of Modification of LSASS Protection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Authentication PLAP Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Authentication Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Credential provider Filter Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect LSA Credential Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect NETSH Helper DLL Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Security Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject>
+			<Rule name="Attack=T1177,Tactic=Execution/Persistence,Technique=LSASS Driver,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Detection of Modification of LSASS Protection" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Authentication PLAP Provider Changes" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Authentication Provider Changes" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Credential provider Filter Changes" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect LSA Credential Provider Changes" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect NETSH Helper DLL Changes" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Security Provider Changes" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject>
+			</Rule>
 			<!--Networking-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Network Interface Priority ordering" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Monitor Network History" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Network Interface Priority ordering" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Monitor Network History" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
+			</Rule>
 			<!--DLLs that get injected into every process launch-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
+			</Rule>
 			<!--Office-->
 			<!--Microsoft Office-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Test Autorun Location Monitoring,Risk=40,Author=Hexacorn" condition="contains">Office Test\</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Test Autorun Location Monitoring,Risk=40,Author=Hexacorn" groupRelation="and">
+				<TargetObject condition="contains">Office Test\</TargetObject>
+			</Rule>
 			<!--IE-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Changes to Internet Explorer Toolbars" condition="contains">\Internet Explorer\Toolbar\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Changes to Internet Explorer Extensions" condition="contains">\Internet Explorer\Extensions\</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Changes to Internet Explorer Toolbars" groupRelation="and">
+				<TargetObject condition="contains">\Internet Explorer\Toolbar\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Changes to Internet Explorer Extensions" groupRelation="and">
+				<TargetObject condition="contains">\Internet Explorer\Extensions\</TargetObject>
+			</Rule>
 			<!--Magic registry keys-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Browser Helper Object Modifications" condition="contains">\Browser Helper Objects\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Changes to Thumbnail cache autostart" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Browser Helper Object Modifications" groupRelation="and">
+				<TargetObject condition="contains">\Browser Helper Objects\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Changes to Thumbnail cache autostart" groupRelation="and">
+				<TargetObject condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject>
+			</Rule>
 			<!--Infection artifacts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=ClickOnce URL Update Artifact" condition="end with">\UrlUpdateInfo</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Installer Source Artifact" condition="end with">\InstallSource</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=ClickOnce URL Update Artifact" groupRelation="and">
+				<TargetObject condition="end with">\UrlUpdateInfo</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Installer Source Artifact" groupRelation="and">
+				<TargetObject condition="end with">\InstallSource</TargetObject>
+			</Rule>
 			<!--Windows internals integrity monitoring-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Legacy Drivers Loaded" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect System Policy Changes" condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Windows Defender Policy Changes" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject>
-			<TargetObject name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detect Windows Defender Exclusion Path Changes,Risk=100" condition="contains">\Exclusions\Paths</TargetObject>
-			<TargetObject name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detect Windows Defender Exclusion Extension Changes,Risk=100" condition="contains">\Exclusions\Extensions</TargetObject>
-			<TargetObject name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detect Windows Defender Exclusion Processes Changes,Risk=100" condition="contains">\Exclusions\Processes</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Windows Defender Tamper Protection Modifications" condition="begin with">TamperProtection</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect malware changes to UAC prompt level" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Legacy Drivers Loaded" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect System Policy Changes" groupRelation="and">
+				<TargetObject condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Windows Defender Policy Changes" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detect Windows Defender Exclusion Path Changes,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">\Exclusions\Paths</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detect Windows Defender Exclusion Extension Changes,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">\Exclusions\Extensions</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detect Windows Defender Exclusion Processes Changes,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">\Exclusions\Processes</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Windows Defender Tamper Protection Modifications" groupRelation="and">
+				<TargetObject condition="begin with">TamperProtection</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect malware changes to UAC prompt level" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject>
+			</Rule>
 			<!--Group Policy Scripts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logoff Scripts" groupRelation="and">
+				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logoff Scripts" groupRelation="and">
+				<TargetObject condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logon Scripts" groupRelation="and">
+				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logon Scripts" groupRelation="and">
+				<TargetObject condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Shutdown Scripts" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Shutdown Scripts" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Startup Scripts" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Startup Scripts" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
+			</Rule>
 			<!--Detect Network History-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AD Domain Change" condition="end with">Domain</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Default Gateway" condition="end with">DHCPDefaultGateway</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP IP Address" condition="end with">DhcpIPAddress</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Name Server Changes" condition="end with">DhcpNameserver</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Server Change" condition="end with">Dhcpserver</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Subnet mask Change" condition="end with">DhcpSubnetMask</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DNS Server Changes" condition="end with">Nameserver</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Default Gateway" condition="end with">\DefaultGateway</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Network Persistent Route Change" condition="end with">PersistentRoutes</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Network Type Change" condition="end with">}\Category</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Network profile Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Subnet Mask Change" condition="end with">SubnetMask</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User added Macro document to Trusted Records,Risk=30" condition="contains">\Trusted Documents\TrustRecords</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User added Macro document to Trusted Records 2,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Common</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User added Macro trusted certificate,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Trusted</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Security Settings: Monitor changes of security prompts" condition="contains">\Security\DontTrustInstalledFiles</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Trusted Location Changes" condition="contains">\Security\Trusted Locations</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Keys: Monitor Disabling of Internet files in Protected View" condition="end with">Security\ProtectedView\DisableInternetFilesInPV</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Keys: Monitor Disabling of attackments in Protected View" condition="end with">Security\ProtectedView\DisableAttachmentsInPV</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Keys: Monitor Disabling of Unsafe Locations in Protected View" condition="end with">Security\ProtectedView\DisableUnsafeLocationsInPV</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=WinRAR History" condition="contains">Software\WinRAR\ArcHistory</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Winzip History" condition="contains">WinZip\mru\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Misc Recent File List History" condition="contains">Recent File List</TargetObject>
-			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Inbox</TargetObject>
-			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\Today\UserDefinedUrl</TargetObject>
-			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Calendar Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Calendar</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Office History" condition="contains">\Place MRU</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject>
-			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVerVersion</TargetObject>
-			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Path" condition="end with">\LowerCaseLongPath</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Pub" condition="end with">\Publisher</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Store" condition="contains">Compatibility Assistant\Store\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Ver" condition="end with">\BinProductVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Application Shortcuts" condition="contains">Root\InventoryApplicationShortcut\</TargetObject>
-			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Driver Binary Info" condition="contains">Root\InventoryDriverBinary</TargetObject>
-			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Driver Package Info" condition="contains">Root\InventoryDriverPackage</TargetObject>
-			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache PNP Device Info,Desc=Services: New or Updated Drivers" condition="contains">Root\InventoryDevicePnp</TargetObject>
-			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Device Info" condition="contains">Root\InventoryDeviceContainer</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AD Domain Change" groupRelation="and">
+				<TargetObject condition="end with">Domain</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Default Gateway" groupRelation="and">
+				<TargetObject condition="end with">DHCPDefaultGateway</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP IP Address" groupRelation="and">
+				<TargetObject condition="end with">DhcpIPAddress</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Name Server Changes" groupRelation="and">
+				<TargetObject condition="end with">DhcpNameserver</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Server Change" groupRelation="and">
+				<TargetObject condition="end with">Dhcpserver</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Subnet mask Change" groupRelation="and">
+				<TargetObject condition="end with">DhcpSubnetMask</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DNS Server Changes" groupRelation="and">
+				<TargetObject condition="end with">Nameserver</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Default Gateway" groupRelation="and">
+				<TargetObject condition="end with">\DefaultGateway</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Network Persistent Route Change" groupRelation="and">
+				<TargetObject condition="end with">PersistentRoutes</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Network Type Change" groupRelation="and">
+				<TargetObject condition="end with">}\Category</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Network profile Changes" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Subnet Mask Change" groupRelation="and">
+				<TargetObject condition="end with">SubnetMask</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User added Macro document to Trusted Records,Risk=30" groupRelation="and">
+				<TargetObject condition="contains">\Trusted Documents\TrustRecords</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User added Macro document to Trusted Records 2,Risk=30" groupRelation="and">
+				<TargetObject condition="contains">Software\Microsoft\VBA\7.1\Common</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User added Macro trusted certificate,Risk=30" groupRelation="and">
+				<TargetObject condition="contains">Software\Microsoft\VBA\7.1\Trusted</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Security Settings: Monitor changes of security prompts" groupRelation="and">
+				<TargetObject condition="contains">\Security\DontTrustInstalledFiles</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Trusted Location Changes" groupRelation="and">
+				<TargetObject condition="contains">\Security\Trusted Locations</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Keys: Monitor Disabling of Internet files in Protected View" groupRelation="and">
+				<TargetObject condition="end with">Security\ProtectedView\DisableInternetFilesInPV</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Keys: Monitor Disabling of attackments in Protected View" groupRelation="and">
+				<TargetObject condition="end with">Security\ProtectedView\DisableAttachmentsInPV</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Keys: Monitor Disabling of Unsafe Locations in Protected View" groupRelation="and">
+				<TargetObject condition="end with">Security\ProtectedView\DisableUnsafeLocationsInPV</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=WinRAR History" groupRelation="and">
+				<TargetObject condition="contains">Software\WinRAR\ArcHistory</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Winzip History" groupRelation="and">
+				<TargetObject condition="contains">WinZip\mru\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Misc Recent File List History" groupRelation="and">
+				<TargetObject condition="contains">Recent File List</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Homepage Attack,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">Outlook\WebView\Inbox</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Homepage Attack,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">Outlook\Today\UserDefinedUrl</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Calendar Homepage Attack,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">Outlook\WebView\Calendar</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Office History" groupRelation="and">
+				<TargetObject condition="contains">\Place MRU</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-CompileTimeClaim" groupRelation="and">
+				<TargetObject condition="end with">\LinkDate</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-DriverVer" groupRelation="and">
+				<TargetObject condition="end with">\DriverVerVersion</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-DriverVer" groupRelation="and">
+				<TargetObject condition="end with">\DriverVersion</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Path" groupRelation="and">
+				<TargetObject condition="end with">\LowerCaseLongPath</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Pub" groupRelation="and">
+				<TargetObject condition="end with">\Publisher</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Store" groupRelation="and">
+				<TargetObject condition="contains">Compatibility Assistant\Store\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Ver" groupRelation="and">
+				<TargetObject condition="end with">\BinProductVersion</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Application Shortcuts" groupRelation="and">
+				<TargetObject condition="contains">Root\InventoryApplicationShortcut\</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Driver Binary Info" groupRelation="and">
+				<TargetObject condition="contains">Root\InventoryDriverBinary</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Driver Package Info" groupRelation="and">
+				<TargetObject condition="contains">Root\InventoryDriverPackage</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache PNP Device Info,Desc=Services: New or Updated Drivers" groupRelation="and">
+				<TargetObject condition="contains">Root\InventoryDevicePnp</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Device Info" groupRelation="and">
+				<TargetObject condition="contains">Root\InventoryDeviceContainer</TargetObject>
+			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Application Installation Info" groupRelation="and">
 				<TargetObject condition="contains">Root\InventoryApplication\</TargetObject>
 				<TargetObject condition="contains any">ProgramID;Name;Version;Publisher;Language;InstallDate;Source;RootDirPath;HiddenArp;UninstallString;RegistryKeyPath;UserSID;sha256</TargetObject>
@@ -6221,6 +8512,7 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Application File Info" groupRelation="and">
 				<TargetObject condition="contains">Root\InventoryApplicationFile\</TargetObject>
 				<TargetObject condition="contains any">ProgramId;FileId;LowerCaseLongPath;Name;OriginalFileName;Publisher;Version;binfileversion;LinkDate;Size;Language;USN;IsPeFile;IsOsComponent;sha256;AppxPackageFullName</TargetObject>
+				<TargetObject condition="excludes">pingsender.exe</TargetObject> <!--Related to Firefox-->
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache AppV Application Inventory" groupRelation="and">
 				<TargetObject condition="contains">Root\InventoryApplicationAppV\</TargetObject>
@@ -6233,8 +8525,12 @@
 				<TargetObject condition="end with">Drive Type</TargetObject>
 				<Details condition="contains">DWORD (0x00000011)</Details>
 			</Rule>
-			<TargetObject name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User Mount Points" condition="end with">\Explorer\MountPoints2</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor DOS Devices Virtual Registry Paths" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices</TargetObject>
+			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User Mount Points" groupRelation="and">
+				<TargetObject condition="end with">\Explorer\MountPoints2</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor DOS Devices Virtual Registry Paths" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices</TargetObject>
+			</Rule>
 			<Rule name="Attack=T1489,Technique=Service Stop,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Set for Deletion" groupRelation="and">
 				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
 				<TargetObject condition="end with">\DeleteFlag</TargetObject>
@@ -6325,38 +8621,94 @@
 				<Details condition="contains">DWORD (0x00000001)</Details>
 			</Rule>
 			<!--Detect User Activity-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Bluetooth Audio Capture" condition="contains">\ConsentStore\bluetooth</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Contacts Accesses" condition="contains">\ConsentStore\contacts</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Input Capture Accesses/Keyloggers" condition="contains">\ConsentStore\hunmanInterfaceDevice</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Location Accesses" condition="contains">\ConsentStore\location</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Microphone Accesses" condition="contains">\ConsentStore\microphone</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect USB Accesses" condition="contains">\ConsentStore\usb\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Webcam Accesses" condition="contains">\ConsentStore\webcam</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect humanInterfaceDevice Accesses" condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Explorer Last Visited MRU" condition="contains">LastVisitedMRU</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Regedit Applets" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Run MRU" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=USBStor USB Device History" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
-			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Safeboot Service Added" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject>
-			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject>
-			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject>
-			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject>
-			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect: Dns Server dll injection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect: UAC Bypass" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> 
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=New Device Connected" condition="end with">\FriendlyName</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Providers notified by Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Proxy Autoconfig URL" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Shell Service Object Delay Load" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Installer Engaged" condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Process Tracing Modifications,,Risk=30" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Bluetooth Audio Capture" groupRelation="and">
+				<TargetObject condition="contains">\ConsentStore\bluetooth</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Contacts Accesses" groupRelation="and">
+				<TargetObject condition="contains">\ConsentStore\contacts</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Input Capture Accesses/Keyloggers" groupRelation="and">
+				<TargetObject condition="contains">\ConsentStore\hunmanInterfaceDevice</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Location Accesses" groupRelation="and">
+				<TargetObject condition="contains">\ConsentStore\location</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Microphone Accesses" groupRelation="and">
+				<TargetObject condition="contains">\ConsentStore\microphone</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect USB Accesses" groupRelation="and">
+				<TargetObject condition="contains">\ConsentStore\usb\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Webcam Accesses" groupRelation="and">
+				<TargetObject condition="contains">\ConsentStore\webcam</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect humanInterfaceDevice Accesses" groupRelation="and">
+				<TargetObject condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Explorer Last Visited MRU" groupRelation="and">
+				<TargetObject condition="contains">LastVisitedMRU</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Regedit Applets" groupRelation="and">
+				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Run MRU" groupRelation="and">
+				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=USBStor USB Device History" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Safeboot Service Added" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Crypto Trust Providers" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Crypto Trust Providers" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Cryptography OID Key" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Cryptography OID Key" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect: Dns Server dll injection" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect: UAC Bypass" groupRelation="and">
+				<TargetObject condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=New Device Connected" groupRelation="and">
+				<TargetObject condition="end with">\FriendlyName</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Providers notified by Winlogon" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Proxy Autoconfig URL" groupRelation="and">
+				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Shell Service Object Delay Load" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Installer Engaged" groupRelation="and">
+				<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AppCompat Shims" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AppCompat Shims" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Process Tracing Modifications,Risk=30" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject>
+			</Rule>
 			<Rule name="Alert=Detect PoisonTap,FP=2,Comment=May be noisy" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
 				<Details condition="contains any">ndis;rndis</Details>
 			</Rule>
-			<TargetObject name="Attack=T1090,Technique=Connection Proxy,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=NetSH PortProxy Detected" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4</TargetObject>
+			<Rule name="Attack=T1090,Technique=Connection Proxy,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=NetSH PortProxy Detected" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4</TargetObject>
+			</Rule>
 			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Alert=Possible Ursniff Malware Detected,FP=1" groupRelation="and">
 				<TargetObject condition="contains">\Software\AppDataLow\Software\Microsoft\</TargetObject>
 				<Details condition="contains any">.exe;.dll;powershell;wmic</Details>
@@ -6365,42 +8717,112 @@
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject>
 				<Details name="You should have this set to 5" condition="excludes">DWORD (0x00000005)</Details>
 			</Rule>
-			<TargetObject name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Office Persistence Location,Risk=70" condition="end with">Software\Microsoft\Office test\Special\Perf</TargetObject>
-			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\CurrentControlSet\Services\NTDS\LsaDbExtPt</TargetObject>
-			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\Services\NTDS\DirectoryServiceExtPt</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=GoToMyPC File Transfer History,Risk=70" condition="contains">GoToMyPc\FileTransfer\history</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=GoToMyPC Guest Invite,Risk=70" condition="contains">GoToMyPc\GuestInvite</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=LogMeIn File Transfer Recipient" condition="contains">Filesharing</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=LogMeIn Guest Recipient" condition="contains">DesktopSharing</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=Teamviewer LogIncomingConnections Registry Key modification" condition="contains">LogIncomingConnections</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=Teamviewer LogOutgoingConnection Registry Key modification" condition="contains">LogOutgoingConnections</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=Teamviewer Password Registry Key date" condition="contains">PermanentPasswordDate</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer adminrights Key modification,Risk=70" condition="contains">Security_Adminrights</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=VNC Incoming Connection History,Risk=70" condition="contains">vncviewer\MRU</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Autostart Key modification" condition="contains">Autostart_GUI</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Meeting Username Registry Key modification" condition="end with">Meeting_UserName</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Persistence Login Name" condition="end with">BuddyLoginName</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Persistence Token ID modification" condition="end with">BuddyLoginTokenID</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer persistence Key modification" condition="contains">Always_Online</TargetObject>
-			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Potential Ransomware Indicator: EnableLinkedConnections Registry key,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\CurrentVersion\Policies\System\EnableLinkedConnections</TargetObject>
-			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Potential Ransomware Indicator: REvil Sodinokibi Sodin Ransomware,Risk=100" condition="contains">Software\recfg</TargetObject>
-			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Preload\</TargetObject>
-			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Substitutes\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\</TargetObject> 
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="end with">\Client\Enabled</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="end with">\Server\Enabled</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Kitty Sessions,Risk=30" condition="contains">Kitty\Sessions</TargetObject>
-			<TargetObject name="Attack=T1562.010,Technique=Impair Defenses: Downgrade Attack,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject>
-			<TargetObject name="Attack=T1562.010,Technique=Impair Defenses: Downgrade Attack,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Putty Sessions,Risk=30" condition="contains">PuTTY\Sessions</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=RDP History,Risk=10" condition="contains">Terminal Server Client\Servers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
-			<Rule name="Antivirus" groupRelation="or">
+			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Office Persistence Location,Risk=70" groupRelation="and">
+				<TargetObject condition="end with">Software\Microsoft\Office test\Special\Perf</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Undocumented LSASS DLL Loading" groupRelation="and">
+				<TargetObject condition="contains">\CurrentControlSet\Services\NTDS\LsaDbExtPt</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Undocumented LSASS DLL Loading" groupRelation="and">
+				<TargetObject condition="contains">\Services\NTDS\DirectoryServiceExtPt</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=GoToMyPC File Transfer History,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">GoToMyPc\FileTransfer\history</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=GoToMyPC Guest Invite,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">GoToMyPc\GuestInvite</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=LogMeIn File Transfer Recipient" groupRelation="and">
+				<TargetObject condition="contains">Filesharing</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=LogMeIn Guest Recipient" groupRelation="and">
+				<TargetObject condition="contains">DesktopSharing</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=Teamviewer LogIncomingConnections Registry Key modification" groupRelation="and">
+				<TargetObject condition="contains">LogIncomingConnections</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=Teamviewer LogOutgoingConnection Registry Key modification" groupRelation="and">
+				<TargetObject condition="contains">LogOutgoingConnections</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=Teamviewer Password Registry Key date" groupRelation="and">
+				<TargetObject condition="contains">PermanentPasswordDate</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer adminrights Key modification,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">Security_Adminrights</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=VNC Incoming Connection History,Risk=70" groupRelation="and">
+				<TargetObject condition="contains">vncviewer\MRU</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Autostart Key modification" groupRelation="and">
+				<TargetObject condition="contains">Autostart_GUI</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Meeting Username Registry Key modification" groupRelation="and">
+				<TargetObject condition="end with">Meeting_UserName</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Persistence Login Name" groupRelation="and">
+				<TargetObject condition="end with">BuddyLoginName</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Persistence Token ID modification" groupRelation="and">
+				<TargetObject condition="end with">BuddyLoginTokenID</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer persistence Key modification" groupRelation="and">
+				<TargetObject condition="contains">Always_Online</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Potential Ransomware Indicator: EnableLinkedConnections Registry key,Risk=100" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\CurrentVersion\Policies\System\EnableLinkedConnections</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Potential Ransomware Indicator: REvil Sodinokibi Sodin Ransomware,Risk=100" groupRelation="and">
+				<TargetObject condition="contains">Software\recfg</TargetObject>
+			</Rule>
+			<Rule name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Keyboard Layout Load" groupRelation="and">
+				<TargetObject condition="contains">\Keyboard Layout\Preload\</TargetObject>
+			</Rule>
+			<Rule name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Keyboard Layout Load" groupRelation="and">
+				<TargetObject condition="contains">\Keyboard Layout\Substitutes\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" groupRelation="and">
+				<TargetObject condition="end with">\Client\Enabled</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" groupRelation="and">
+				<TargetObject condition="end with">\Server\Enabled</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Kitty Sessions,Risk=30" groupRelation="and">
+				<TargetObject condition="contains">Kitty\Sessions</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1562.010,Technique=Impair Defenses: Downgrade Attack,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=NetNTLM downgrade attack" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1562.010,Technique=Impair Defenses: Downgrade Attack,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=NetNTLM downgrade attack" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Putty Sessions,Risk=30" groupRelation="and">
+				<TargetObject condition="contains">PuTTY\Sessions</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=RDP History,Risk=10" groupRelation="and">
+				<TargetObject condition="contains">Terminal Server Client\Servers</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=WINSCP Sessions,Risk=30" groupRelation="and">
+				<TargetObject condition="contains">WinSCP 2\Sessions</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Desc=Antivirus Registry Moninitoring" groupRelation="or">
 				<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab</Image> 
 				<Image condition="begin with">C:\Program Files\Kaspersky Lab</Image>
 				<Image condition="begin with">C:\Program Files (x86)\ESET</Image>
@@ -6490,37 +8912,99 @@
 				<PipeName condition="contains">\ntsvcs</PipeName>
 				<EventType condition="is">ConnectPipe</EventType>
 			</Rule>
-			<PipeName name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" condition="contains any">\lsadump;\cachedump;\wceservicepipe</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=9f81f59bc58452127884ce513865ed20 Named Pipe Detection,Risk=100" condition="contains">\9f81f59bc58452127884ce513865ed20</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=46a676ab7f179e511e30dd2dc41bd388 Named Pipe Detection,Risk=100" condition="contains">\46a676ab7f179e511e30dd2dc41bd388</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Kekeo Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">tssmp_endpoint</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=NamePipe_MoreWindows Named Pipe Detection,Risk=100,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\NamePipe_MoreWindows</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=WCEServicePipe detected,Risk=,Author=@Cyb3rops/@olafhartong" condition="contains">\WCEServicePipe</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=ahexec Named Pipe Detection,Risk=,Author=@Cyb3rops/@olafhartong" condition="contains">\ahexec</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=cachedump detected,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\cachedumppipe</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=csexec Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\csexec</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=e710f28d59aa529d6792ca6ff0ca1b34 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\e710f28d59aa529d6792ca6ff0ca1b34</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=isapi_dg2 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\isapi_dg</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\isapi_http</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\isapi_http</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=lsadump detected,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\lsadump</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=lsassw Named Pipe Detectio,Risk=10,Author=@Cyb3rops/@olafhartong" condition="contains">\lsassw</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=paexec Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\paexec</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=pcheap_reuse Named Pipe Detection,Author=@Cyb3rops/@olafhartong" condition="contains">\pcheap_reuse</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Covanant C2 Named Pipe Detection,Author=@Cyb3rops/@olafhartong" condition="contains">\gruntsvc</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=remcom Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\remcom</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=rpchlp_3 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\rpchlp_3</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=sdlrpc Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\sdlrpc</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=winsession Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\winsession</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Turla HyperStack Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\adschemerpc</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Hidden Cobra Hoplight Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\AnonymousPipe</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Pacifier Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\bc367</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Pacifier Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\bc31a7</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Emissary Panda Hyerbri Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\testPipe</PipeName>
-			<PipeName name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,DS=Named Pipe: Named Pipe Metadata,Alert=lateral movement -meterpreter named pipe detected,Risk=100" condition="contains">msf-pipe</PipeName>
-			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=LM or EXEC over atsvc named pipe" condition="contains">\atsvc</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Malicious Named Pipe Detection 1" condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
+			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" groupRelation="and">
+				<PipeName condition="contains any">\lsadump;\cachedump;\wceservicepipe</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=9f81f59bc58452127884ce513865ed20 Named Pipe Detection,Risk=100" groupRelation="and">
+				<PipeName condition="contains">\9f81f59bc58452127884ce513865ed20</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=46a676ab7f179e511e30dd2dc41bd388 Named Pipe Detection,Risk=100" groupRelation="and">
+				<PipeName condition="contains">\46a676ab7f179e511e30dd2dc41bd388</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Kekeo Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">tssmp_endpoint</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=NamePipe_MoreWindows Named Pipe Detection,Risk=100,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">\NamePipe_MoreWindows</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=WCEServicePipe detected,Risk=,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">\WCEServicePipe</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=ahexec Named Pipe Detection,Risk=,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">\ahexec</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=cachedump detected,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">\cachedumppipe</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=csexec Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">\csexec</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=e710f28d59aa529d6792ca6ff0ca1b34 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">\e710f28d59aa529d6792ca6ff0ca1b34</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=isapi_dg2 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">\isapi_dg</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">\isapi_http</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">\isapi_http</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=lsadump detected,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">\lsadump</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=lsassw Named Pipe Detection,Risk=10,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">\lsassw</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=paexec Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">\paexec</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=pcheap_reuse Named Pipe Detection,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">\pcheap_reuse</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Covanant C2 Named Pipe Detection,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">\gruntsvc</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=remcom Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">\remcom</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=rpchlp_3 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">\rpchlp_3</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=sdlrpc Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">\sdlrpc</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=winsession Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="contains">\winsession</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Turla HyperStack Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="begin with">\adschemerpc</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Hidden Cobra Hoplight Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="begin with">\AnonymousPipe</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Pacifier Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="begin with">\bc367</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Pacifier Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="begin with">\bc31a7</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Emissary Panda Hyerbri Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" groupRelation="and">
+				<PipeName condition="begin with">\testPipe</PipeName>
+			</Rule>
+			<Rule name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,DS=Named Pipe: Named Pipe Metadata,Alert=lateral movement -meterpreter named pipe detected,Risk=100" groupRelation="and">
+				<PipeName condition="contains">msf-pipe</PipeName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=LM or EXEC over atsvc named pipe" groupRelation="and">
+				<PipeName condition="contains">\atsvc</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Malicious Named Pipe Detection 1" groupRelation="and">
+				<PipeName condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
+			</Rule>
+			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Malicious Named Pipe Detection 2" groupRelation="and">
+				<PipeName condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
+			</Rule>
 			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Cobalt Strike Named Pipe Detection 1" groupRelation="and">
 				<PipeName condition="contains any">\DserNamedPipe;\mypipe-;\windows.update.manager;\ntsvcs_;scerpc_;\demoagent;\PGMessagePipe;\MsFTeWds;\f4c3;\fullduplex_;\msrpc_;\f53f;\rpc_;\spoolss_;\win_svc;\SearchTextHarvester;demoagent_</PipeName>
 				<PipeName condition="is not">\wkssvc</PipeName>
@@ -6546,8 +9030,12 @@
 			<!-- Noisy
 			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=SMB Session Enumeration" condition="contains">\srvsvc</PipeName>
 			-->
-			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=Remote Registry access and enumeration" condition="contains">\winreg</PipeName>
-			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=Anonymous Named Pipe Detected" condition="contains">Anonymous Pipe</PipeName>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=Remote Registry access and enumeration" groupRelation="and">
+				<PipeName condition="contains">\winreg</PipeName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=Anonymous Named Pipe Detected" groupRelation="and">
+				<PipeName condition="contains">Anonymous Pipe</PipeName>
+			</Rule>
 			<!--Include Everything else to mark above rules-->
 			<!-- Disabled for now
 			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=Uncategorized Events" condition="contains">\</PipeName>
@@ -6675,60 +9163,148 @@
 			<Rule name="Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Crypto Currency Miner Detected,Risk=85"  groupRelation="or">
 				<QueryName condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.nimpool.io;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool;analytics.blue;estream.to</QueryName>
 			</Rule>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Microsoft Graph API Lookup" condition="is">graph.microsoft.com</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Dropbox Download Detected" condition="is">dl.dropboxusercontent.com</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=OneDrive API Lookup" condition="is">api.onedrive.com</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Zoom Hostname Lookup" condition="contains">zoom.us</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Teamviewer Hostname Lookup" condition="contains">teamviewer</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Screenconnect Hostname Lookup" condition="contains">Screenconnect</QueryName>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Microsoft Graph API Lookup" groupRelation="and">
+				<QueryName condition="is">graph.microsoft.com</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Dropbox Download Detected" groupRelation="and">
+				<QueryName condition="is">dl.dropboxusercontent.com</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=OneDrive API Lookup" groupRelation="and">
+				<QueryName condition="is">api.onedrive.com</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Zoom Hostname Lookup" groupRelation="and">
+				<QueryName condition="contains">zoom.us</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Teamviewer Hostname Lookup" groupRelation="and">
+				<QueryName condition="contains">teamviewer</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Screenconnect Hostname Lookup" groupRelation="and">
+				<QueryName condition="contains">Screenconnect</QueryName>
+			</Rule>
 			<!--Public Port Scan Detection-->
 			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content" condition="contains">census</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=ResearchScan DNS Query" condition="contains">researchscan</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=ScanHub DNS Query" condition="contains">scanhub</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Shadow DNS Query,Risk=20" condition="contains">shadow</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Shodan.IO DNS Query,Risk=20" condition="contains">shodan</QueryName>
+			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content" groupRelation="and">
+				<QueryName condition="contains">census</QueryName>
+			</Rule>
+			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=ResearchScan DNS Query" groupRelation="and">
+				<QueryName condition="contains">researchscan</QueryName>
+			</Rule>
+			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=ScanHub DNS Query" groupRelation="and">
+				<QueryName condition="contains">scanhub</QueryName>
+			</Rule>
+			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Shadow DNS Query,Risk=20" groupRelation="and">
+				<QueryName condition="contains">shadow</QueryName>
+			</Rule>
+			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Shodan.IO DNS Query,Risk=20" groupRelation="and">
+				<QueryName condition="contains">shodan</QueryName>
+			</Rule>
 			<!--Domain TLD's to log-->
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Download TLD DNS Query" condition="end with">.download</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=North Korea TLD DNS Query" condition="end with">.kp</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Soviet Union TLD DNS Query" condition="end with">.su</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Sudan TLD DNS Query" condition="end with">.ss</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .xn DNS Query" condition="end with">.xn</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Syria TLD DNS Query" condition="end with">.sy</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Venezuela TLD DNS Query" condition="end with">.ve</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=XXX TLD DNS Query" condition="end with">.xxx</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=China TLD DNS Query" condition="end with">.cn</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Click TLD DNS Query" condition="end with">.click</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Club TLD DNS Query" condition="end with">.club</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=IRAN TLD DNS Query" condition="end with">.ir</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Russian TLD DNS Query" condition="end with">.ru</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .Host DNS Query" condition="end with">.host</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .ICU DNS Query" condition="end with">.icu</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .PW DNS Query" condition="end with">.pw</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .WEBSITE DNS Query" condition="end with">.website</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .ninja DNS Query" condition="end with">.ninja</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .rocks DNS Query" condition="end with">.rocks</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Top TLD DNS Query" condition="end with">.top</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Ukraine TLD DNS Query" condition="end with">.ua</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=XYZ TLD DNS Query" condition="end with">.xyz</QueryName>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Download TLD DNS Query" groupRelation="and">
+				<QueryName condition="end with">.download</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=North Korea TLD DNS Query" groupRelation="and">
+				<QueryName condition="end with">.kp</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Soviet Union TLD DNS Query" groupRelation="and">
+				<QueryName condition="end with">.su</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Sudan TLD DNS Query" groupRelation="and">
+				<QueryName condition="end with">.ss</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .xn DNS Query" groupRelation="and">
+				<QueryName condition="end with">.xn</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Syria TLD DNS Query" groupRelation="and">
+				<QueryName condition="end with">.sy</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Venezuela TLD DNS Query" groupRelation="and">
+				<QueryName condition="end with">.ve</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=XXX TLD DNS Query" groupRelation="and">
+				<QueryName condition="end with">.xxx</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=China TLD DNS Query" groupRelation="and">
+				<QueryName condition="end with">.cn</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Click TLD DNS Query" groupRelation="and">
+				<QueryName condition="end with">.click</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Club TLD DNS Query" groupRelation="and">
+				<QueryName condition="end with">.club</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=IRAN TLD DNS Query" groupRelation="and">
+				<QueryName condition="end with">.ir</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Russian TLD DNS Query" groupRelation="and">
+				<QueryName condition="end with">.ru</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .Host DNS Query" groupRelation="and">
+				<QueryName condition="end with">.host</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .ICU DNS Query" groupRelation="and">
+				<QueryName condition="end with">.icu</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .PW DNS Query" groupRelation="and">
+				<QueryName condition="end with">.pw</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .WEBSITE DNS Query" groupRelation="and">
+				<QueryName condition="end with">.website</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .ninja DNS Query" groupRelation="and">
+				<QueryName condition="end with">.ninja</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .rocks DNS Query" groupRelation="and">
+				<QueryName condition="end with">.rocks</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Top TLD DNS Query" groupRelation="and">
+				<QueryName condition="end with">.top</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Ukraine TLD DNS Query" groupRelation="and">
+				<QueryName condition="end with">.ua</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=XYZ TLD DNS Query" groupRelation="and">
+				<QueryName condition="end with">.xyz</QueryName>
+			</Rule>
 			<!--Malware Domains-->
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious Domain,Risk=20" groupRelation="and">
 				<QueryName condition="contains any">kuternull.com;rimrun.com;0ffice36o;asushotfix;infestexe;rahasn.webhop.org;rahasn.akamake.net;rahasn.homewealth.biz;winodwsupdates;israirairlines</QueryName>
 			</Rule>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=DNS Query to Github,Risk=20" condition="contains any">githubusercontent.com;github.com</QueryName> 
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=DNS Query to Github,Risk=20" groupRelation="and">
+				<QueryName condition="contains any">githubusercontent.com;github.com</QueryName>
+			</Rule>
 			<!--Common Suspicious destinations-->
-			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Malware IP Check,Risk=30" condition="contains any">api.ipify.org;whatismyipaddress.com;edns.ip-api.com;checkip.dyndns.org;icanhazip.com;ifconfig.me;ifconfig.co;ipaddress.com;ipecho.net;ident.me;api.ip.sb;www.myexternalip.com;ip.anysrc.net;wtfismyip.com;myexternalip.com;ipecho.net;checkip.amazonaws.com;goo.gl;git.io;bit.ly;ow.ly;ip-api.com</QueryName> <!--Malware uses to get external IP address-->
+			<Rule name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Malware IP Check,Risk=30" groupRelation="and">
+				<QueryName condition="contains any">api.ipify.org;whatismyipaddress.com;edns.ip-api.com;checkip.dyndns.org;icanhazip.com;ifconfig.me;ifconfig.co;ipaddress.com;ipecho.net;ident.me;api.ip.sb;www.myexternalip.com;ip.anysrc.net;wtfismyip.com;myexternalip.com;ipecho.net;checkip.amazonaws.com;goo.gl;git.io;bit.ly;ow.ly;ip-api.com</QueryName> <!--Malware uses to get external IP address-->
+			</Rule>
 			<!-- Malicious/Suspicious hosting domains-->
-			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Common Malware Hosting Domain: Tiny-share.com,Risk=30" condition="contains any">tiny-share.com;paste.ee;pastebin.com</QueryName>
+			<Rule name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Common Malware Hosting Domain: Tiny-share.com,Risk=30" groupRelation="and">
+				<QueryName condition="contains any">tiny-share.com;paste.ee;pastebin.com</QueryName>
+			</Rule>
 			<!--Dynamic DNS Lookups-->
-			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Traffic Content,Level=3,Alert=Dynamic DNS Query" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</QueryName>
-			<QueryName name="Attack=T1188,Technique=Multi-hop Proxy,Tactic=Command And Control,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Tor2Web,Risk=100" condition="contains any">darknet.to;hiddenservice.net;onion.cab;onion.city;onion.direct;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org</QueryName>
-			<QueryName name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=DNS Over HTTPS Detected" condition="contains any">adblock.mydns.network;ibksturm.synology.me;jcdns.fun;ibuki.cgnat.net;dns.twnic.tw;commons.host;doh.dnswarden.com;dns-nyc.aaflalo.me;dns.aaflalo.me;doh.appliedprivacy.net;doh.captnemo.in;doh.tiar.app;doh.tiarap.org;doh.defaultroutes.de;doh.dns.sb;dns.oszx.co;2.dnscrypt-cert.oszx.co;dnscrypt;edns.233py.com;hk-dns.233py.com;hk2dns.233py.com;hkdns.233py.com;hkdns.233py.com;ndns.233py.com;sdns.233py.com;wdns.233py.com;pastebin.com;dns.adguard.com;dns-family.adguard.com;security-filter-dns.cleanbrowsing.org;family-filter-dns.cleanbrowsing.org;adult-filter-dns.cleanbrowsing.org;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;dns.google;doh.opendns.com;dns.quad9.net;dns9.quad9.net;dns10.quad9.net;dns11.quad9.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;doh-ch.blahdns.com;doh-de.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;doh-2.seby.io;doh.seby.io;rdns.faelix.net;doh.li;doh.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=DC Global Catalog Lookup" condition="begin with">gc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._tcp.dc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._udp.dc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Primary DC Lookup" condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Web Proxy Auto-Discovery Protocol Lookup" condition="begin with">wpad</QueryName>
+			<Rule name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Traffic Content,Level=3,Alert=Dynamic DNS Query" groupRelation="and">
+				<QueryName condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</QueryName>
+			</Rule>
+			<Rule name="Attack=T1188,Technique=Multi-hop Proxy,Tactic=Command And Control,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Tor2Web,Risk=100" groupRelation="and">
+				<QueryName condition="contains any">darknet.to;hiddenservice.net;onion.cab;onion.city;onion.direct;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org</QueryName>
+			</Rule>
+			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=DNS Over HTTPS Detected" groupRelation="and">
+				<QueryName condition="contains any">adblock.mydns.network;ibksturm.synology.me;jcdns.fun;ibuki.cgnat.net;dns.twnic.tw;commons.host;doh.dnswarden.com;dns-nyc.aaflalo.me;dns.aaflalo.me;doh.appliedprivacy.net;doh.captnemo.in;doh.tiar.app;doh.tiarap.org;doh.defaultroutes.de;doh.dns.sb;dns.oszx.co;2.dnscrypt-cert.oszx.co;dnscrypt;edns.233py.com;hk-dns.233py.com;hk2dns.233py.com;hkdns.233py.com;hkdns.233py.com;ndns.233py.com;sdns.233py.com;wdns.233py.com;pastebin.com;dns.adguard.com;dns-family.adguard.com;security-filter-dns.cleanbrowsing.org;family-filter-dns.cleanbrowsing.org;adult-filter-dns.cleanbrowsing.org;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;dns.google;doh.opendns.com;dns.quad9.net;dns9.quad9.net;dns10.quad9.net;dns11.quad9.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;doh-ch.blahdns.com;doh-de.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;doh-2.seby.io;doh.seby.io;rdns.faelix.net;doh.li;doh.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=DC Global Catalog Lookup" groupRelation="and">
+				<QueryName condition="begin with">gc._msdcs.</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Kerberos Server Lookup" groupRelation="and">
+				<QueryName condition="begin with">_kerberos._tcp.dc._msdcs.</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Kerberos Server Lookup" groupRelation="and">
+				<QueryName condition="begin with">_kerberos._udp.dc._msdcs.</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Primary DC Lookup" groupRelation="and">
+				<QueryName condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Web Proxy Auto-Discovery Protocol Lookup" groupRelation="and">
+				<QueryName condition="begin with">wpad</QueryName>
+			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
 				<QueryName condition="begin with">_ldap.</QueryName>
 				<Image condition="excludes">C:\Windows\</Image>
@@ -6745,7 +9321,10 @@
 			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=SPF Lookup" condition="begin with">type:  99</QueryResults>
 			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=SRV Lookup" condition="begin with">type:  33</QueryResults>
 			-->
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=None,Information=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Information=Uncategorized Events" groupRelation="and">
+				<Image condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
+				<Image condition="excludes any">C:\Program Files\Cavelo\Cavelo Agent\cavelo_windows_amd64.exe;C:\PROGRA~2\BEANYW~1\GETSUP~1\TCIntegratorCommHelper.exe;C:\ProgramData\Cavelo\jre\bin\java.exe;C:\Program Files\SentinelOne\;C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe;C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\NableUpdateService.exe;C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe;C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupSrvc.exe;C:\Program Files (x86)\lpagent\lpagent.exe;C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AgentMaint.exe;C:\Program Files (x86)\N-able Technologies\Reactive\bin\NableReactiveManagement.exe;C:\Program Files (x86)\N-able Technologies\AutomationManagerAgent\AutomationManager.AgentService.exe;C:\Program Files (x86)\N-able Technologies\AutomationManagerEngine\2.70.0.4\AutomationManager.ScriptRunner64.exe</Image>
+			</Rule>
 		</DnsQuery>
 	</RuleGroup>
 	<RuleGroup name="RG=DNS Query Excludes" groupRelation="or">
@@ -6754,6 +9333,7 @@
 			<Image condition="begin with">C:\Program Files (x86)\Admin Arsenal\</Image>
 			<Image condition="begin with">C:\Program Files (x86)\CheckPoint\</Image>
 			<Image condition="begin with">C:\Program Files (x86)\Fortinet\</Image>
+			<Image condition="begin with">C:\Program Files\SentinelOne\</Image>
 			<Image condition="begin with">C:\Program Files (x86)\OpenDNS\OpenDNS Connector</Image>
 			<Image condition="begin with">C:\Program Files (x86)\Razer\Razer Services\</Image>
 			<Image condition="begin with">C:\Program Files (x86)\Trend Micro\</Image>

From d5382ff813a582a628b83e6de2103f640815c439 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 27 Jun 2023 17:24:24 -0400
Subject: [PATCH 439/471] Sysmon v15 update schema + 1 test rule for
 C:\users\*\Downloads

---
 sysmonconfig-export.xml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f37910c1..00d7df85 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -85,7 +85,7 @@
 					<Your Rule Here/>
 				</Rule> 
 -->
-<Sysmon schemaversion="4.83">
+<Sysmon schemaversion="4.90">
 	<HashAlgorithms>md5,sha1,sha256,imphash</HashAlgorithms>
 	<CheckRevocation/>
 	<EventFiltering>
@@ -9625,5 +9625,19 @@
 			<User condition="contains any">NETWORK SERVICE; LOCAL SERVICE</User>
 		</FileDeleteDetected>
 	</RuleGroup>
+	<!-- SYSMON EVENT ID 29 : File Executable Detected -->
+	<!--Fields: ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes -->
+	<RuleGroup name="RG=FileExecutable Includes" groupRelation="or">
+		<FileExecutableDetected onmatch="include">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Exe created within Downloads Folder,Risk=10" groupRelation="and">
+				<TargetFilename condition="begin with">C:\Users\</TargetFilename>
+				<TargetFilename condition="contains">\Downloads</TargetFilename>
+			</Rule>
+		</FileExecutableDetected>
+	</RuleGroup>
+	<RuleGroup name="RG=FileExecutable Excludes" groupRelation="or">
+		<FileExecutableDetected onmatch="exclude">
+		</FileExecutableDetected>
+	</RuleGroup>
 	</EventFiltering>
 </Sysmon>
\ No newline at end of file

From aa679c7ba5bbac9497d4e66effe284e3b282328d Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 27 Jun 2023 17:51:43 -0400
Subject: [PATCH 440/471] Added Potential Noisy Rule, exclusions need to be
 added under global as its an or rule.

---
 sysmonconfig-export.xml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 00d7df85..665c854a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -9633,6 +9633,22 @@
 				<TargetFilename condition="begin with">C:\Users\</TargetFilename>
 				<TargetFilename condition="contains">\Downloads</TargetFilename>
 			</Rule>
+			<Rule name="Attack=T1036.008,Technique=Masquerading: Masquerade File Type,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Desc=Exe created within Downloads Folder,Risk=10" groupRelation="or">
+				<TargetFilename condition="not end with">.exe</TargetFilename>
+				<TargetFilename condition="not end with">.dll</TargetFilename>
+				<TargetFilename condition="not end with">.sys</TargetFilename>
+				<TargetFilename condition="not end with">.ocx</TargetFilename>
+				<TargetFilename condition="not end with">.scr</TargetFilename>
+				<TargetFilename condition="not end with">.cpl</TargetFilename>
+				<TargetFilename condition="not end with">.efi</TargetFilename>
+				<TargetFilename condition="not end with">.drv</TargetFilename>
+				<TargetFilename condition="not end with">.ax</TargetFilename>
+				<TargetFilename condition="not end with">.com</TargetFilename>
+				<TargetFilename condition="not end with">.acm</TargetFilename>
+				<TargetFilename condition="not end with">.mui</TargetFilename>
+				<TargetFilename condition="not end with">.ime</TargetFilename>
+				<TargetFilename condition="not end with">.tsp</TargetFilename>
+			</Rule>
 		</FileExecutableDetected>
 	</RuleGroup>
 	<RuleGroup name="RG=FileExecutable Excludes" groupRelation="or">

From 306a62802a3dad97403ab7cb935cd0c4e22f4f7c Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Tue, 27 Jun 2023 17:53:32 -0400
Subject: [PATCH 441/471] Unusual File extension written as PE, enabled
 alerting

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 665c854a..f439018a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -9633,7 +9633,7 @@
 				<TargetFilename condition="begin with">C:\Users\</TargetFilename>
 				<TargetFilename condition="contains">\Downloads</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1036.008,Technique=Masquerading: Masquerade File Type,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Desc=Exe created within Downloads Folder,Risk=10" groupRelation="or">
+			<Rule name="Attack=T1036.008,Technique=Masquerading: Masquerade File Type,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Pe File Detected under Unusual File extension,Risk=10" groupRelation="or">
 				<TargetFilename condition="not end with">.exe</TargetFilename>
 				<TargetFilename condition="not end with">.dll</TargetFilename>
 				<TargetFilename condition="not end with">.sys</TargetFilename>

From 6a5df4c6cf03448c80c83b9bc672e67273bdd1d7 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Wed, 5 Jul 2023 09:55:14 -0400
Subject: [PATCH 442/471] Big update thanks to Florian Roth, Majority of
 updates are mirrored and MITRE Tagged from Florian's Sysmon config here:
 https://github.com/Neo23x0/sysmon-config/blob/master/sysmonconfig-export.xml

---
 sysmonconfig-export.xml | 962 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 962 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f439018a..bc2cee26 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -9627,6 +9627,7 @@
 	</RuleGroup>
 	<!-- SYSMON EVENT ID 29 : File Executable Detected -->
 	<!--Fields: ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes -->
+	<!-- Key Authors in this section are Florian Roth as a majority Contributer from: https://github.com/Neo23x0/sysmon-config/blob/master/sysmonconfig-export.xml -->
 	<RuleGroup name="RG=FileExecutable Includes" groupRelation="or">
 		<FileExecutableDetected onmatch="include">
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Exe created within Downloads Folder,Risk=10" groupRelation="and">
@@ -9649,6 +9650,967 @@
 				<TargetFilename condition="not end with">.ime</TargetFilename>
 				<TargetFilename condition="not end with">.tsp</TargetFilename>
 			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Pe File Detected within Unusual Location,Risk=10,Author=Florian Roth" groupRelation="or">
+				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename> <!-- often used staging directories; could cause false positives --> 
+				<TargetFilename condition="begin with">C:\Perflogs\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\Fonts\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\debug\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\tracing\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\Help\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\Logs\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\System32\spool\SERVERS\</TargetFilename> <!-- often used in exploits against print spooler --> 
+				<TargetFilename condition="begin with">C:\Windows\System32\spool\PRINTERS\</TargetFilename> <!-- often used in exploits against print spooler --> 
+				<TargetFilename condition="begin with">C:\Windows\Help\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="contains all">C:\Users\;\Music\</TargetFilename> <!-- often used staging directories in User folders --> 
+				<TargetFilename condition="contains all">C:\Users\;\Pictures\</TargetFilename> <!-- often used staging directories in User folders --> 
+				<TargetFilename condition="contains all">C:\Users\;\Videos\</TargetFilename> <!-- often used staging directories in User folders --> 
+				<TargetFilename condition="contains all">C:\Users\;\Contacts\</TargetFilename> <!-- often used staging directories in User folders -->
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Double File Extension Detected,Risk=10,Author=Florian Roth" groupRelation="or">
+				<TargetFilename condition="end with">.7z.exe</TargetFilename>
+				<TargetFilename condition="end with">.doc.exe</TargetFilename>
+				<TargetFilename condition="end with">.docm.exe</TargetFilename>
+				<TargetFilename condition="end with">.docx.exe</TargetFilename>
+				<TargetFilename condition="end with">.htm.exe</TargetFilename>
+				<TargetFilename condition="end with">.html.exe</TargetFilename>
+				<TargetFilename condition="end with">.iso.exe</TargetFilename>
+				<TargetFilename condition="end with">.lnk.exe</TargetFilename>				
+				<TargetFilename condition="end with">.pdf.exe</TargetFilename>
+				<TargetFilename condition="end with">.ppt.exe</TargetFilename>
+				<TargetFilename condition="end with">.pptx.exe</TargetFilename>
+				<TargetFilename condition="end with">.rar.exe</TargetFilename>
+				<TargetFilename condition="end with">.rtf.exe</TargetFilename>
+				<TargetFilename condition="end with">.txt.exe</TargetFilename>
+				<TargetFilename condition="end with">.xls.exe</TargetFilename>
+				<TargetFilename condition="end with">.xlsm.exe</TargetFilename>
+				<TargetFilename condition="end with">.xlsx.exe</TargetFilename>
+				<TargetFilename condition="end with">.zip.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Sysmon Tampering Tools Detected,Risk=10,Author=Florian Roth" groupRelation="or">
+				<TargetFilename condition="end with">\EntenLoader.exe</TargetFilename>
+				<TargetFilename condition="end with">\SysmonQuiet.exe</TargetFilename>
+				<TargetFilename condition="end with">\SharpEvtMute.exe</TargetFilename>
+				<TargetFilename condition="end with">\EvtMuteHook.dll</TargetFilename>
+				<TargetFilename condition="end with">\SysmonEOP.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Sysmon Tampering Tools Detected,Risk=10,Author=Florian Roth" groupRelation="or">
+				<Hashes condition="contains">IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932</Hashes> <!-- PetitPotam -->
+				<Hashes condition="contains">IMPHASH=3A19059BD7688CB88E70005F18EFC439</Hashes> <!-- PetitPotam -->
+				<Hashes condition="contains">IMPHASH=bf6223a49e45d99094406777eb6004ba</Hashes> <!-- PetitPotam -->
+				<Hashes condition="contains">IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=4C1B52A19748428E51B14C278D0F58E3</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=672B13F4A0B6F27D29065123FE882DFC</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=9528A0E91E28FBB88AD433FEABCA2456</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=D21BBC50DCC169D7B4D0F01962793154</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1</Hashes> <!-- JuicyPotato  -->
+				<Hashes condition="contains">IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC</Hashes> <!-- JuicyPotato  -->
+				<Hashes condition="contains">IMPHASH=F9A28C458284584A93B14216308D31BD</Hashes> <!-- JuicyPotatoNG -->
+				<Hashes condition="contains">IMPHASH=6118619783FC175BC7EBECFF0769B46E</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=563233BFA169ACC7892451F71AD5850A</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=87575CB7A0E0700EB37F2E3668671A08</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=13F08707F759AF6003837A150A371BA1</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=1781F06048A7E58B323F0B9259BE798B</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=713C29B396B907ED71A72482759ED757</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=8B114550386E31895DFAB371E741123D</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793</Hashes> <!-- PwDumpX -->
+				<Hashes condition="contains">IMPHASH=9D68781980370E00E0BD939EE5E6C141</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=B18A1401FF8F444056D29450FBC0A6CE</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=CB567F9498452721D77A451374955F5F</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=730073214094CD328547BF1F72289752</Hashes> <!-- Htran -->
+				<Hashes condition="contains">IMPHASH=17B461A082950FC6332228572138B80C</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=819B19D53CA6736448F9325A85736792</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74</Hashes> <!-- PPLDump -->
+				<Hashes condition="contains">IMPHASH=0588081AB0E63BA785938467E1B10CCA</Hashes> <!-- PPLDump -->
+				<Hashes condition="contains">IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=4DA924CF622D039D58BCE71CDF05D242</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=E7A3A5C377E2D29324093377D7DB1C66</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=E6F9D5152DA699934B30DAAB206471F6</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=3AD59991CCF1D67339B319B15A41B35D</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=FFDD59E0318B85A3E480874D9796D872</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=0CF479628D7CC1EA25EC7998A92F5051</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=D6D0F80386E1380D05CB78E871BC72B1</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=38D9E015591BBFD4929E0D0F47FA0055</Hashes> <!-- HandleKatz -->
+				<Hashes condition="contains">IMPHASH=0E2216679CA6E1094D63322E3412D650</Hashes> <!-- HandleKatz -->
+				<Hashes condition="contains">IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=11083E75553BAAE21DC89CE8F9A195E4</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F</Hashes> <!-- CreateMiniDump -->
+				<Hashes condition="contains">IMPHASH=767637C23BB42CD5D7397CF58B0BE688</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=14C4E4C72BA075E9069EE67F39188AD8</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=7D010C6BB6A3726F327F7E239166D127</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=89159BA4DD04E4CE5559F132A9964EB3</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=5834ED4291BDEB928270428EBBAF7604</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=3DE09703C8E79ED2CA3F01074719906B</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F</Hashes> <!-- WCE -->
+				<Hashes condition="contains">IMPHASH=E96A73C7BF33A464C510EDE582318BF2</Hashes> <!-- WCE -->
+				<Hashes condition="contains">IMPHASH=32089B8851BBF8BC2D014E9F37288C83</Hashes> <!-- Sliver Stagers -->
+				<Hashes condition="contains">IMPHASH=09D278F9DE118EF09163C6140255C690</Hashes> <!-- Dumpert -->
+				<Hashes condition="contains">IMPHASH=03866661686829d806989e2fc5a72606</Hashes> <!-- Dumpert -->
+				<Hashes condition="contains">IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d</Hashes> <!-- Dumpert -->
+				<Hashes condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hashes> <!-- SysmonEnte -->
+				<Hashes condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hashes> <!-- SysmonQuiet -->
+				<Hashes condition="contains">IMPHASH=330768A4F172E10ACB6287B87289D83B</Hashes> <!-- ShaprEvtMute Hook -->
+				<Hashes condition="contains">IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313</Hashes> <!-- Forkatz -->
+				<Hashes condition="contains">IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC</Hashes> <!-- PPLKiller -->
+				<Hashes condition="contains">IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28</Hashes> <!-- PPLKiller -->
+				<Hashes condition="contains">IMPHASH=96DF3A3731912449521F6F8D183279B1</Hashes> <!-- Backstab -->
+				<Hashes condition="contains">IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46</Hashes> <!-- Backstab -->
+				<Hashes condition="contains">IMPHASH=51791678F351C03A0EB4E2A7B05C6E17</Hashes> <!-- Backstab -->
+				<Hashes condition="contains">IMPHASH=25CE42B079282632708FC846129E98A5</Hashes> <!-- Forensia -->
+				<Hashes condition="contains">MD5=7B17F15713FCF13C764535AA2BDF52AA</Hashes>													<!-- ShaprEvtMute -->
+				<Hashes condition="contains">SHA1=4E18320493042BCD7D21B53E258974BC460ACC78</Hashes>										<!-- ShaprEvtMute -->
+				<Hashes condition="contains">SHA256=477DFE485F5BD9540CC83E88FC04AAFB6DE49CF1ADC6BD857D5D6F4C1730A6D1</Hashes>	<!-- ShaprEvtMute -->
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Microsoft Office Dropping Executables,Risk=10,Author=Florian Roth" groupRelation="or">
+				<Image condition="image">winword.exe</Image>
+				<Image condition="image">excel.exe</Image>
+				<Image condition="image">powerpnt.exe</Image>
+				<Image condition="image">msaccess.exe</Image>
+				<Image condition="image">mspub.exe</Image>
+				<Image condition="image">eqnedt32.exe</Image>
+				<Image condition="image">visio.exe</Image>
+				<Image condition="image">wordpad.exe</Image>
+				<Image condition="image">wordview.exe</Image>
+				<Image condition="image">msohtmed.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=OneNote Dropping Executables,Risk=10,Author=Florian Roth" groupRelation="or">
+				<Image condition="image">onenote.exe</Image>
+				<Image condition="image">onenotem.exe</Image>
+				<Image condition="image">onenoteim.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=LOLBin Dropping Executables,Risk=10,Author=Florian Roth" groupRelation="or">
+				<!-- LOLBINs that can be used to download executables -->
+				<Image condition="image">certutil.exe</Image>
+				<Image condition="image">certoc.exe</Image>
+				<Image condition="image">CertReq.exe</Image>
+				<!-- <Image condition="image">bitsadmin.exe</Image> (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env) -->
+				<Image condition="image">Desktopimgdownldr.exe</Image>
+				<Image condition="image">esentutl.exe</Image>
+				<!-- <Image condition="image">expand.exe</Image> (depends on the environment; comment in if you're sure that expand doesn't do that in your env) -->
+				<Image condition="image">finger.exe</Image>
+				<Image condition="image">presentationhost.exe</Image>
+
+				<!-- Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)-->
+				<Image condition="image">notepad.exe</Image>
+				<Image condition="image">AcroRd32.exe</Image>
+				<Image condition="image">RdrCEF.exe</Image> <!-- RdrCEF was seen dropping a DLL in temp (Example: \AppData\Local\Temp\acrocef_low\4616_1623006624_platform_specific\win_x86\widevinecdm.dll). Comment out this entry if you experience issues (https://github.com/Neo23x0/sysmon-config/issues/43) -->
+				<Image condition="image">mshta.exe</Image>
+				<Image condition="image">hh.exe</Image>
+				<Image condition="image">calc.exe</Image>
+				<Image condition="image">mspaint.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=File: File Creation,Level=4,Alert=Vulnerable Driver Detected,Risk=10,Author=Florian Roth" groupRelation="or">
+			    <Hashes condition="contains">SHA256=7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed</Hashes>
+                <Hashes condition="contains">SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb</Hashes>
+                <Hashes condition="contains">SHA256=0ae8d1dd56a8a000ced74a627052933d2e9bff31d251de185b3c0c5fc94a44db</Hashes>
+                <Hashes condition="contains">SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05</Hashes>
+                <Hashes condition="contains">SHA256=0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d</Hashes>
+                <Hashes condition="contains">SHA256=0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917</Hashes>
+                <Hashes condition="contains">SHA256=0bc3685b0b8adc97931b5d31348da235cd7581a67edf6d79913e6a5709866135</Hashes>
+                <Hashes condition="contains">SHA256=0be4912bfd7a79f6ebfa1c06a59f0fb402bd4fe0158265780509edd0e562eac1</Hashes>
+                <Hashes condition="contains">SHA256=0c512b615eac374d4d494e3c36838d8e788b3dc2691bf27916f7f42694b14467</Hashes>
+                <Hashes condition="contains">SHA256=0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c</Hashes>
+                <Hashes condition="contains">SHA256=0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c</Hashes>
+                <Hashes condition="contains">SHA256=0cf6c6c2d231eaf67dfc87561cc9a56ecef89ab50baafee5a67962748d51faf3</Hashes>
+                <Hashes condition="contains">SHA256=0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f</Hashes>
+                <Hashes condition="contains">SHA256=0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c</Hashes>
+                <Hashes condition="contains">SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8</Hashes>
+                <Hashes condition="contains">SHA256=0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b</Hashes>
+                <Hashes condition="contains">SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff</Hashes>
+                <Hashes condition="contains">SHA256=0ee5067ce48883701824c5b1ad91695998916a3702cf8086962fbe58af74b2d6</Hashes>
+                <Hashes condition="contains">SHA256=0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8</Hashes>
+                <Hashes condition="contains">SHA256=0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf</Hashes>
+                <Hashes condition="contains">SHA256=0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff</Hashes>
+                <Hashes condition="contains">SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670</Hashes>
+                <Hashes condition="contains">SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd</Hashes>
+                <Hashes condition="contains">SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece</Hashes>
+                <Hashes condition="contains">SHA256=1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5</Hashes>
+                <Hashes condition="contains">SHA256=1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0</Hashes>
+                <Hashes condition="contains">SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c</Hashes>
+                <Hashes condition="contains">SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b</Hashes>
+                <Hashes condition="contains">SHA256=1afa03118f87b62c59a97617e595ebb26dde8dbdd16ee47ef3ddd1097c30ef6a</Hashes>
+                <Hashes condition="contains">SHA256=1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e</Hashes>
+                <Hashes condition="contains">SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa</Hashes>
+                <Hashes condition="contains">SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a</Hashes>
+                <Hashes condition="contains">SHA256=1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687</Hashes>
+                <Hashes condition="contains">SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8</Hashes>
+                <Hashes condition="contains">SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219</Hashes>
+                <Hashes condition="contains">SHA256=1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe</Hashes>
+                <Hashes condition="contains">SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee</Hashes>
+                <Hashes condition="contains">SHA256=1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961</Hashes>
+                <Hashes condition="contains">SHA256=1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512</Hashes>
+                <Hashes condition="contains">SHA256=1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c</Hashes>
+                <Hashes condition="contains">SHA256=1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501</Hashes>
+                <Hashes condition="contains">SHA256=2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486</Hashes>
+                <Hashes condition="contains">SHA256=2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e</Hashes>
+                <Hashes condition="contains">SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a</Hashes>
+                <Hashes condition="contains">SHA256=2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8</Hashes>
+                <Hashes condition="contains">SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4</Hashes>
+                <Hashes condition="contains">SHA256=2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30</Hashes>
+                <Hashes condition="contains">SHA256=2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a</Hashes>
+                <Hashes condition="contains">SHA256=2b120de80a5462f8395cfb7153c86dfd44f29f0776ea156ec4a34fa64e5c4797</Hashes>
+                <Hashes condition="contains">SHA256=2b186926ed815d87eaf72759a69095a11274f5d13c33b8cc2b8700a1f020be1d</Hashes>
+                <Hashes condition="contains">SHA256=2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1</Hashes>
+                <Hashes condition="contains">SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250</Hashes>
+                <Hashes condition="contains">SHA256=2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14</Hashes>
+                <Hashes condition="contains">SHA256=2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1</Hashes>
+                <Hashes condition="contains">SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b</Hashes>
+                <Hashes condition="contains">SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d</Hashes>
+                <Hashes condition="contains">SHA256=2d195cd4400754cc6f6c3f8ab1fe31627932c3c1bf8d5d0507c292232d1a2396</Hashes>
+                <Hashes condition="contains">SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e</Hashes>
+                <Hashes condition="contains">SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8</Hashes>
+                <Hashes condition="contains">SHA256=2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0</Hashes>
+                <Hashes condition="contains">SHA256=2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e</Hashes>
+                <Hashes condition="contains">SHA256=2f60536b25ba8c9014e4a57d7a9a681bd3189fa414eea88c256d029750e15cae</Hashes>
+                <Hashes condition="contains">SHA256=2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445</Hashes>
+                <Hashes condition="contains">SHA256=03e0581432f5c8cc727a8aa387f5b69ff84d38d0df6f1226c19c6e960a81e1e9</Hashes>
+                <Hashes condition="contains">SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25</Hashes>
+                <Hashes condition="contains">SHA256=3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0</Hashes>
+                <Hashes condition="contains">SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e</Hashes>
+                <Hashes condition="contains">SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46</Hashes>
+                <Hashes condition="contains">SHA256=3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b</Hashes>
+                <Hashes condition="contains">SHA256=3c5d7069f85ec1d6f58147431f88c4d7c48df73baf94ffdefd664f2606baf09c</Hashes>
+                <Hashes condition="contains">SHA256=3c6f9917418e991ed41540d8d882c8ca51d582a82fd01bff6cdf26591454faf5</Hashes>
+                <Hashes condition="contains">SHA256=3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc</Hashes>
+                <Hashes condition="contains">SHA256=3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b</Hashes>
+                <Hashes condition="contains">SHA256=3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f</Hashes>
+                <Hashes condition="contains">SHA256=3cb75429944e60f6c820c7638adbf688883ad44951bca3f8912428afe72bc134</Hashes>
+                <Hashes condition="contains">SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3</Hashes>
+                <Hashes condition="contains">SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4</Hashes>
+                <Hashes condition="contains">SHA256=3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272</Hashes>
+                <Hashes condition="contains">SHA256=3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf</Hashes>
+                <Hashes condition="contains">SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c</Hashes>
+                <Hashes condition="contains">SHA256=3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75</Hashes>
+                <Hashes condition="contains">SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8</Hashes>
+                <Hashes condition="contains">SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5</Hashes>
+                <Hashes condition="contains">SHA256=3f9530c94b689f39cc83377d76979d443275012e022782a600dcb5cad4cca6aa</Hashes>
+                <Hashes condition="contains">SHA256=3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e</Hashes>
+                <Hashes condition="contains">SHA256=3ff50c67d51553c08dcb7c98342f68a0f54ad6658c5346c428bdcd1f185569f6</Hashes>
+                <Hashes condition="contains">SHA256=3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa</Hashes>
+                <Hashes condition="contains">SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162</Hashes>
+                <Hashes condition="contains">SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2</Hashes>
+                <Hashes condition="contains">SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe</Hashes>
+                <Hashes condition="contains">SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7</Hashes>
+                <Hashes condition="contains">SHA256=4b4c925c3b8285aeeab9b954e8b2a0773b4d2d0e18d07d4a9d268f4be90f6cae</Hashes>
+                <Hashes condition="contains">SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1</Hashes>
+                <Hashes condition="contains">SHA256=4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4</Hashes>
+                <Hashes condition="contains">SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e</Hashes>
+                <Hashes condition="contains">SHA256=4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036</Hashes>
+                <Hashes condition="contains">SHA256=4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee</Hashes>
+                <Hashes condition="contains">SHA256=4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba</Hashes>
+                <Hashes condition="contains">SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80</Hashes>
+                <Hashes condition="contains">SHA256=4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69</Hashes>
+                <Hashes condition="contains">SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748</Hashes>
+                <Hashes condition="contains">SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a</Hashes>
+                <Hashes condition="contains">SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a</Hashes>
+                <Hashes condition="contains">SHA256=5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe</Hashes>
+                <Hashes condition="contains">SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a</Hashes>
+                <Hashes condition="contains">SHA256=5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c</Hashes>
+                <Hashes condition="contains">SHA256=5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921</Hashes>
+                <Hashes condition="contains">SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a</Hashes>
+                <Hashes condition="contains">SHA256=5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185</Hashes>
+                <Hashes condition="contains">SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3</Hashes>
+                <Hashes condition="contains">SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92</Hashes>
+                <Hashes condition="contains">SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be</Hashes>
+                <Hashes condition="contains">SHA256=5f7e47d728ac3301eb47b409801a0f4726a435f78f1ed02c30d2a926259c71f3</Hashes>
+                <Hashes condition="contains">SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683</Hashes>
+                <Hashes condition="contains">SHA256=5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0</Hashes>
+                <Hashes condition="contains">SHA256=5f20541f859f21b3106e12d37182b1ea39bb75ffcfcddb2ece4f6edd42c0bab2</Hashes>
+                <Hashes condition="contains">SHA256=5f487829527802983d5c120e3b99f3cf89333ca14f5e49ac32df0798cfb1f7aa</Hashes>
+                <Hashes condition="contains">SHA256=5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36</Hashes>
+                <Hashes condition="contains">SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50</Hashes>
+                <Hashes condition="contains">SHA256=6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5</Hashes>
+                <Hashes condition="contains">SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74</Hashes>
+                <Hashes condition="contains">SHA256=6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63</Hashes>
+                <Hashes condition="contains">SHA256=6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e</Hashes>
+                <Hashes condition="contains">SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44</Hashes>
+                <Hashes condition="contains">SHA256=6c64688444d3e004da77dcfb769d064bb38afceeef7ff915dfc71e60e19ff18a</Hashes>
+                <Hashes condition="contains">SHA256=6cb6e23ba516570bbd158c32f7c7c99f19b24ca4437340ecb39253662afe4293</Hashes>
+                <Hashes condition="contains">SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc</Hashes>
+                <Hashes condition="contains">SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492</Hashes>
+                <Hashes condition="contains">SHA256=6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf</Hashes>
+                <Hashes condition="contains">SHA256=6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7</Hashes>
+                <Hashes condition="contains">SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7</Hashes>
+                <Hashes condition="contains">SHA256=6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38</Hashes>
+                <Hashes condition="contains">SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4</Hashes>
+                <Hashes condition="contains">SHA256=6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c</Hashes>
+                <Hashes condition="contains">SHA256=6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d</Hashes>
+                <Hashes condition="contains">SHA256=6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc</Hashes>
+                <Hashes condition="contains">SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357</Hashes>
+                <Hashes condition="contains">SHA256=7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf</Hashes>
+                <Hashes condition="contains">SHA256=7aaf2aa194b936e48bc90f01ee854768c8383c0be50cfb41b346666aec0cf853</Hashes>
+                <Hashes condition="contains">SHA256=7b0f442ac0bb183906700097d65aed0b4b9d8678f9a01aca864854189fe368e7</Hashes>
+                <Hashes condition="contains">SHA256=7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b</Hashes>
+                <Hashes condition="contains">SHA256=7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7</Hashes>
+                <Hashes condition="contains">SHA256=7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21</Hashes>
+                <Hashes condition="contains">SHA256=7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4</Hashes>
+                <Hashes condition="contains">SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c</Hashes>
+                <Hashes condition="contains">SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f</Hashes>
+                <Hashes condition="contains">SHA256=7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea</Hashes>
+                <Hashes condition="contains">SHA256=7da6113183328d4fddf6937c0c85ef65ba69bfe133b1146193a25bcf6ae1f9dd</Hashes>
+                <Hashes condition="contains">SHA256=7dfc2eb033d2e090540860b8853036f40736d02bd22099ff6cf665a90be659cd</Hashes>
+                <Hashes condition="contains">SHA256=7e3b0b8d3e430074109d85729201d7c34bc5b918c0bcb9f64ce88c5e37e1a456</Hashes>
+                <Hashes condition="contains">SHA256=7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d</Hashes>
+                <Hashes condition="contains">SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7</Hashes>
+                <Hashes condition="contains">SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d</Hashes>
+                <Hashes condition="contains">SHA256=7f5dc63e5742096e4accaca39ae77a2a2142b438c10f97860dee4054b51d3b35</Hashes>
+                <Hashes condition="contains">SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457</Hashes>
+                <Hashes condition="contains">SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa</Hashes>
+                <Hashes condition="contains">SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6</Hashes>
+                <Hashes condition="contains">SHA256=8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2</Hashes>
+                <Hashes condition="contains">SHA256=8bda0108de82ebeae82f43108046c5feb6f042e312fa0115475a9e32274fae59</Hashes>
+                <Hashes condition="contains">SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6</Hashes>
+                <Hashes condition="contains">SHA256=8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9</Hashes>
+                <Hashes condition="contains">SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f</Hashes>
+                <Hashes condition="contains">SHA256=8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775</Hashes>
+                <Hashes condition="contains">SHA256=8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9</Hashes>
+                <Hashes condition="contains">SHA256=8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2</Hashes>
+                <Hashes condition="contains">SHA256=8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126</Hashes>
+                <Hashes condition="contains">SHA256=8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c</Hashes>
+                <Hashes condition="contains">SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f</Hashes>
+                <Hashes condition="contains">SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f</Hashes>
+                <Hashes condition="contains">SHA256=8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00</Hashes>
+                <Hashes condition="contains">SHA256=8f23313adb35782adb0ba97fefbfbb8bbc5fc40ae272e07f6d4629a5305a3fa2</Hashes>
+                <Hashes condition="contains">SHA256=8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a</Hashes>
+                <Hashes condition="contains">SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184</Hashes>
+                <Hashes condition="contains">SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1</Hashes>
+                <Hashes condition="contains">SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e</Hashes>
+                <Hashes condition="contains">SHA256=9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7</Hashes>
+                <Hashes condition="contains">SHA256=9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba</Hashes>
+                <Hashes condition="contains">SHA256=9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c</Hashes>
+                <Hashes condition="contains">SHA256=9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c</Hashes>
+                <Hashes condition="contains">SHA256=9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194</Hashes>
+                <Hashes condition="contains">SHA256=9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285</Hashes>
+                <Hashes condition="contains">SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4</Hashes>
+                <Hashes condition="contains">SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449</Hashes>
+                <Hashes condition="contains">SHA256=9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2</Hashes>
+                <Hashes condition="contains">SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395</Hashes>
+                <Hashes condition="contains">SHA256=9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4</Hashes>
+                <Hashes condition="contains">SHA256=9ee33ffd80611a13779df6286c1e04d3c151f1e2f65e3d664a08997fcd098ef3</Hashes>
+                <Hashes condition="contains">SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5</Hashes>
+                <Hashes condition="contains">SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33</Hashes>
+                <Hashes condition="contains">SHA256=9f1025601d17945c3a47026814bdec353ee363966e62dba7fe2673da5ce50def</Hashes>
+                <Hashes condition="contains">SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374</Hashes>
+                <Hashes condition="contains">SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5</Hashes>
+                <Hashes condition="contains">SHA256=11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b</Hashes>
+                <Hashes condition="contains">SHA256=12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56</Hashes>
+                <Hashes condition="contains">SHA256=14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8</Hashes>
+                <Hashes condition="contains">SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229</Hashes>
+                <Hashes condition="contains">SHA256=15fb486b6b8c2a2f1b067f48fba10c2f164638fe5e6cee618fb84463578ecac9</Hashes>
+                <Hashes condition="contains">SHA256=16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1</Hashes>
+                <Hashes condition="contains">SHA256=18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506</Hashes>
+                <Hashes condition="contains">SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6</Hashes>
+                <Hashes condition="contains">SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0</Hashes>
+                <Hashes condition="contains">SHA256=19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775</Hashes>
+                <Hashes condition="contains">SHA256=19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0</Hashes>
+                <Hashes condition="contains">SHA256=20f11a64bc4548f4edb47e3d3418da0f6d54a83158224b71662a6292bf45b5fb</Hashes>
+                <Hashes condition="contains">SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21</Hashes>
+                <Hashes condition="contains">SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c</Hashes>
+                <Hashes condition="contains">SHA256=23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade</Hashes>
+                <Hashes condition="contains">SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4</Hashes>
+                <Hashes condition="contains">SHA256=26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097</Hashes>
+                <Hashes condition="contains">SHA256=26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43</Hashes>
+                <Hashes condition="contains">SHA256=26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712</Hashes>
+                <Hashes condition="contains">SHA256=27cd05527feb020084a4a76579c125458571da8843cdfc3733211760a11da970</Hashes>
+                <Hashes condition="contains">SHA256=29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6</Hashes>
+                <Hashes condition="contains">SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94</Hashes>
+                <Hashes condition="contains">SHA256=30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb</Hashes>
+                <Hashes condition="contains">SHA256=31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a</Hashes>
+                <Hashes condition="contains">SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427</Hashes>
+                <Hashes condition="contains">SHA256=31f4140c12ac31f5729a8de4dc051d3acd07783564604df831a2a6722c979192</Hashes>
+                <Hashes condition="contains">SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351</Hashes>
+                <Hashes condition="contains">SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993</Hashes>
+                <Hashes condition="contains">SHA256=34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3</Hashes>
+                <Hashes condition="contains">SHA256=34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf</Hashes>
+                <Hashes condition="contains">SHA256=36aafa127736c7226c50061ea065f71e14f64ec60321f705bc52686d24117e0d</Hashes>
+                <Hashes condition="contains">SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb</Hashes>
+                <Hashes condition="contains">SHA256=36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289</Hashes>
+                <Hashes condition="contains">SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9</Hashes>
+                <Hashes condition="contains">SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e</Hashes>
+                <Hashes condition="contains">SHA256=38b3eb8c86201d26353aab625cea672e60c2f66ce6f5e5eda673e8c3478bf305</Hashes>
+                <Hashes condition="contains">SHA256=38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7</Hashes>
+                <Hashes condition="contains">SHA256=38c18db050b0b2b07f657c03db1c9595febae0319c746c3eede677e21cd238b0</Hashes>
+                <Hashes condition="contains">SHA256=38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20</Hashes>
+                <Hashes condition="contains">SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a</Hashes>
+                <Hashes condition="contains">SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e</Hashes>
+                <Hashes condition="contains">SHA256=42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb</Hashes>
+                <Hashes condition="contains">SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f</Hashes>
+                <Hashes condition="contains">SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89</Hashes>
+                <Hashes condition="contains">SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0</Hashes>
+                <Hashes condition="contains">SHA256=45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a</Hashes>
+                <Hashes condition="contains">SHA256=45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26</Hashes>
+                <Hashes condition="contains">SHA256=45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef</Hashes>
+                <Hashes condition="contains">SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84</Hashes>
+                <Hashes condition="contains">SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005</Hashes>
+                <Hashes condition="contains">SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc</Hashes>
+                <Hashes condition="contains">SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810</Hashes>
+                <Hashes condition="contains">SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba</Hashes>
+                <Hashes condition="contains">SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793</Hashes>
+                <Hashes condition="contains">SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f</Hashes>
+                <Hashes condition="contains">SHA256=51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5</Hashes>
+                <Hashes condition="contains">SHA256=53eaefba7e7dca9ab74e385abf18762f9f1aa51594e7f7db5ba612d6c787dd7e</Hashes>
+                <Hashes condition="contains">SHA256=55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9</Hashes>
+                <Hashes condition="contains">SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a</Hashes>
+                <Hashes condition="contains">SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7</Hashes>
+                <Hashes condition="contains">SHA256=57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572</Hashes>
+                <Hashes condition="contains">SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495</Hashes>
+                <Hashes condition="contains">SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59</Hashes>
+                <Hashes condition="contains">SHA256=59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879</Hashes>
+                <Hashes condition="contains">SHA256=60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289</Hashes>
+                <Hashes condition="contains">SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813</Hashes>
+                <Hashes condition="contains">SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0</Hashes>
+                <Hashes condition="contains">SHA256=61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf</Hashes>
+                <Hashes condition="contains">SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8</Hashes>
+                <Hashes condition="contains">SHA256=62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0</Hashes>
+                <Hashes condition="contains">SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57</Hashes>
+                <Hashes condition="contains">SHA256=65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9</Hashes>
+                <Hashes condition="contains">SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890</Hashes>
+                <Hashes condition="contains">SHA256=69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2</Hashes>
+                <Hashes condition="contains">SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009</Hashes>
+                <Hashes condition="contains">SHA256=71ff60722231c7641ad593756108cf6779dbaad21c7b08065fb1d4e225eab14d</Hashes>
+                <Hashes condition="contains">SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1</Hashes>
+                <Hashes condition="contains">SHA256=72c0d2d699d0440db17cb7cbbc06a253eaafd21465f14bb0fed8b85ae73153d1</Hashes>
+                <Hashes condition="contains">SHA256=074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761</Hashes>
+                <Hashes condition="contains">SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4</Hashes>
+                <Hashes condition="contains">SHA256=075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85</Hashes>
+                <Hashes condition="contains">SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184</Hashes>
+                <Hashes condition="contains">SHA256=76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524</Hashes>
+                <Hashes condition="contains">SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303</Hashes>
+                <Hashes condition="contains">SHA256=077aa8ff5e01747723b6d24cc8af460a7a00f30cd3bc80e41cc245ceb8305356</Hashes>
+                <Hashes condition="contains">SHA256=77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9</Hashes>
+                <Hashes condition="contains">SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57</Hashes>
+                <Hashes condition="contains">SHA256=79e87b93fbed84ec09261b3a0145c935f7dfe4d4805edfb563b2f971a0d51463</Hashes>
+                <Hashes condition="contains">SHA256=80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085</Hashes>
+                <Hashes condition="contains">SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3</Hashes>
+                <Hashes condition="contains">SHA256=80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1</Hashes>
+                <Hashes condition="contains">SHA256=81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0</Hashes>
+                <Hashes condition="contains">SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d</Hashes>
+                <Hashes condition="contains">SHA256=82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989</Hashes>
+                <Hashes condition="contains">SHA256=83f7be0a13c1fccf024c31da5c68c0ea1decf4f48fc39d6e4fd324bbe789ae8a</Hashes>
+                <Hashes condition="contains">SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4</Hashes>
+                <Hashes condition="contains">SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4</Hashes>
+                <Hashes condition="contains">SHA256=86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882</Hashes>
+                <Hashes condition="contains">SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219</Hashes>
+                <Hashes condition="contains">SHA256=88df37ede18bea511f1782c1a6c4915690b29591cf2c1bf5f52201fbbb4fa2b9</Hashes>
+                <Hashes condition="contains">SHA256=88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc</Hashes>
+                <Hashes condition="contains">SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be</Hashes>
+                <Hashes condition="contains">SHA256=89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7</Hashes>
+                <Hashes condition="contains">SHA256=092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0</Hashes>
+                <Hashes condition="contains">SHA256=93b266f38c3c3eaab475d81597abbd7cc07943035068bb6fd670dbbe15de0131</Hashes>
+                <Hashes condition="contains">SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63</Hashes>
+                <Hashes condition="contains">SHA256=94be67c319a67de75ebed050d5537cfaa795d72bba52f3d8cf349e7bd075410e</Hashes>
+                <Hashes condition="contains">SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3</Hashes>
+                <Hashes condition="contains">SHA256=97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd</Hashes>
+                <Hashes condition="contains">SHA256=98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb</Hashes>
+                <Hashes condition="contains">SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8</Hashes>
+                <Hashes condition="contains">SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1</Hashes>
+                <Hashes condition="contains">SHA256=119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280</Hashes>
+                <Hashes condition="contains">SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6</Hashes>
+                <Hashes condition="contains">SHA256=133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743</Hashes>
+                <Hashes condition="contains">SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88</Hashes>
+                <Hashes condition="contains">SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980</Hashes>
+                <Hashes condition="contains">SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347</Hashes>
+                <Hashes condition="contains">SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9</Hashes>
+                <Hashes condition="contains">SHA256=263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24</Hashes>
+                <Hashes condition="contains">SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5</Hashes>
+                <Hashes condition="contains">SHA256=316a27e2bdb86222bc7c8af4e5472166b02aec7f3f526901ce939094e5861f6d</Hashes>
+                <Hashes condition="contains">SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69</Hashes>
+                <Hashes condition="contains">SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc</Hashes>
+                <Hashes condition="contains">SHA256=399effe75d32bdab6fa0a6bffe02dbf0a59219d940b654837c3be1c0bd02e9aa</Hashes>
+                <Hashes condition="contains">SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7</Hashes>
+                <Hashes condition="contains">SHA256=453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233</Hashes>
+                <Hashes condition="contains">SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b</Hashes>
+                <Hashes condition="contains">SHA256=0466dac557ee161503f5dfbd3549f81ec760c3d6c7c4363a21a03e7a3f66aca8</Hashes>
+                <Hashes condition="contains">SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a</Hashes>
+                <Hashes condition="contains">SHA256=478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0</Hashes>
+                <Hashes condition="contains">SHA256=496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b</Hashes>
+                <Hashes condition="contains">SHA256=506f953bbb285aeb8af0549eb24f52f3b7af36afe740afa36735bac70573ce28</Hashes>
+                <Hashes condition="contains">SHA256=523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba</Hashes>
+                <Hashes condition="contains">SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd</Hashes>
+                <Hashes condition="contains">SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9</Hashes>
+                <Hashes condition="contains">SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52</Hashes>
+                <Hashes condition="contains">SHA256=592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c</Hashes>
+                <Hashes condition="contains">SHA256=600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0</Hashes>
+                <Hashes condition="contains">SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c</Hashes>
+                <Hashes condition="contains">SHA256=626fae47811450d080d08c3d9fd890aa64bfecdc45eacd42a40850c1833c8763</Hashes>
+                <Hashes condition="contains">SHA256=654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad</Hashes>
+                <Hashes condition="contains">SHA256=673b63b67345773cd6d66f6adcf2c753e2d949232bff818d5bb6e05786538d92</Hashes>
+                <Hashes condition="contains">SHA256=673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b</Hashes>
+                <Hashes condition="contains">SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf</Hashes>
+                <Hashes condition="contains">SHA256=727e8ba66a8ff07bdc778eacb463b65f2d7167a6616ca2f259ea32571cacf8af</Hashes>
+                <Hashes condition="contains">SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd</Hashes>
+                <Hashes condition="contains">SHA256=818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01</Hashes>
+                <Hashes condition="contains">SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba</Hashes>
+                <Hashes condition="contains">SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a</Hashes>
+                <Hashes condition="contains">SHA256=862d0ff27bb086145a33b9261142838651b0d2e1403be321145e197600eb5015</Hashes>
+                <Hashes condition="contains">SHA256=881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461</Hashes>
+                <Hashes condition="contains">SHA256=900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88</Hashes>
+                <Hashes condition="contains">SHA256=904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a</Hashes>
+                <Hashes condition="contains">SHA256=909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880</Hashes>
+                <Hashes condition="contains">SHA256=910aa4685c735d8c07662aa04fafec463185699ad1a0cd1967b892fc33ec6c3c</Hashes>
+                <Hashes condition="contains">SHA256=916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677</Hashes>
+                <Hashes condition="contains">SHA256=923ebbe8111e73d5b8ecc2db10f8ea2629a3264c3a535d01c3c118a3b4c91782</Hashes>
+                <Hashes condition="contains">SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a</Hashes>
+                <Hashes condition="contains">SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9</Hashes>
+                <Hashes condition="contains">SHA256=955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad</Hashes>
+                <Hashes condition="contains">SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7</Hashes>
+                <Hashes condition="contains">SHA256=1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4</Hashes>
+                <Hashes condition="contains">SHA256=1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c</Hashes>
+                <Hashes condition="contains">SHA256=1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1</Hashes>
+                <Hashes condition="contains">SHA256=1766fd66f846d9a21e648d649ad35d1ff94f8ca17a40a9a738444d6b8e07aacb</Hashes>
+                <Hashes condition="contains">SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52</Hashes>
+                <Hashes condition="contains">SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d</Hashes>
+                <Hashes condition="contains">SHA256=2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22</Hashes>
+                <Hashes condition="contains">SHA256=2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109</Hashes>
+                <Hashes condition="contains">SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6</Hashes>
+                <Hashes condition="contains">SHA256=2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f</Hashes>
+                <Hashes condition="contains">SHA256=2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2</Hashes>
+                <Hashes condition="contains">SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5</Hashes>
+                <Hashes condition="contains">SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099</Hashes>
+                <Hashes condition="contains">SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5</Hashes>
+                <Hashes condition="contains">SHA256=3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de</Hashes>
+                <Hashes condition="contains">SHA256=3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a</Hashes>
+                <Hashes condition="contains">SHA256=3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b</Hashes>
+                <Hashes condition="contains">SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3</Hashes>
+                <Hashes condition="contains">SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838</Hashes>
+                <Hashes condition="contains">SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca</Hashes>
+                <Hashes condition="contains">SHA256=4324f3d1e4007f6499a3d0f0102cd92ed9f554332bc0b633305cd7b957ff16c8</Hashes>
+                <Hashes condition="contains">SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b</Hashes>
+                <Hashes condition="contains">SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6</Hashes>
+                <Hashes condition="contains">SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8</Hashes>
+                <Hashes condition="contains">SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8</Hashes>
+                <Hashes condition="contains">SHA256=5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48</Hashes>
+                <Hashes condition="contains">SHA256=5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02</Hashes>
+                <Hashes condition="contains">SHA256=5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b</Hashes>
+                <Hashes condition="contains">SHA256=5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c</Hashes>
+                <Hashes condition="contains">SHA256=6071db01b50c658cf78665c24f1d21f21b4a12d16bfcfaa6813bf6bbc4d0a1e8</Hashes>
+                <Hashes condition="contains">SHA256=6191c20426dd9b131122fb97e45be64a4d6ce98cc583406f38473434636ddedc</Hashes>
+                <Hashes condition="contains">SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf</Hashes>
+                <Hashes condition="contains">SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb</Hashes>
+                <Hashes condition="contains">SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129</Hashes>
+                <Hashes condition="contains">SHA256=7236c8ff33c0e5cfa956778aa7303f1979f3bf709c361399fa1ce101b7e355b8</Hashes>
+                <Hashes condition="contains">SHA256=7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408</Hashes>
+                <Hashes condition="contains">SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca</Hashes>
+                <Hashes condition="contains">SHA256=8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60</Hashes>
+                <Hashes condition="contains">SHA256=8399e5afd8e3e97139dffb1a9fb00db2186321b427f164403282217cab067c38</Hashes>
+                <Hashes condition="contains">SHA256=8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b</Hashes>
+                <Hashes condition="contains">SHA256=8797d9afc7a6bb0933f100a8acbb5d0666ec691779d522ac66c66817155b1c0d</Hashes>
+                <Hashes condition="contains">SHA256=09043c51719d4bf6405c9a7a292bb9bb3bcc782f639b708ddcc4eedb5e5c9ce9</Hashes>
+                <Hashes condition="contains">SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b</Hashes>
+                <Hashes condition="contains">SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6</Hashes>
+                <Hashes condition="contains">SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b</Hashes>
+                <Hashes condition="contains">SHA256=17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca</Hashes>
+                <Hashes condition="contains">SHA256=17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229</Hashes>
+                <Hashes condition="contains">SHA256=18712a063574bfec315d58577dfe413ab45b650e54747d1e18a56c3c7337a12c</Hashes>
+                <Hashes condition="contains">SHA256=19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758</Hashes>
+                <Hashes condition="contains">SHA256=26453afb1f808f64bec87a2532a9361b696c0ed501d6b973a1f1b5ae152a4d40</Hashes>
+                <Hashes condition="contains">SHA256=28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7</Hashes>
+                <Hashes condition="contains">SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab</Hashes>
+                <Hashes condition="contains">SHA256=37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba</Hashes>
+                <Hashes condition="contains">SHA256=40061b30b1243be76d5283cbc8abfe007e148097d4de7337670ff1536c4c7ba1</Hashes>
+                <Hashes condition="contains">SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00</Hashes>
+                <Hashes condition="contains">SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0</Hashes>
+                <Hashes condition="contains">SHA256=49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668</Hashes>
+                <Hashes condition="contains">SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57</Hashes>
+                <Hashes condition="contains">SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347</Hashes>
+                <Hashes condition="contains">SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd</Hashes>
+                <Hashes condition="contains">SHA256=67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc</Hashes>
+                <Hashes condition="contains">SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4</Hashes>
+                <Hashes condition="contains">SHA256=72288d4978ee87ea6c8b1566dbd906107357087cef7364fb3dd1e1896d00baeb</Hashes>
+                <Hashes condition="contains">SHA256=72322fa8bba20df6966acbcf41e83747893fd173cd29de99b5ad1a5d3bf8f2de</Hashes>
+                <Hashes condition="contains">SHA256=76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a</Hashes>
+                <Hashes condition="contains">SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22</Hashes>
+                <Hashes condition="contains">SHA256=77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c</Hashes>
+                <Hashes condition="contains">SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f</Hashes>
+                <Hashes condition="contains">SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469</Hashes>
+                <Hashes condition="contains">SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94</Hashes>
+                <Hashes condition="contains">SHA256=86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675</Hashes>
+                <Hashes condition="contains">SHA256=89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10</Hashes>
+                <Hashes condition="contains">SHA256=092349aebdac28294dbad1656759d8461f362d1a36b01054dccf861d97beadf0</Hashes>
+                <Hashes condition="contains">SHA256=94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5</Hashes>
+                <Hashes condition="contains">SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558</Hashes>
+                <Hashes condition="contains">SHA256=238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4</Hashes>
+                <Hashes condition="contains">SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79</Hashes>
+                <Hashes condition="contains">SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073</Hashes>
+                <Hashes condition="contains">SHA256=385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039</Hashes>
+                <Hashes condition="contains">SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659</Hashes>
+                <Hashes condition="contains">SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c</Hashes>
+                <Hashes condition="contains">SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6</Hashes>
+                <Hashes condition="contains">SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91</Hashes>
+                <Hashes condition="contains">SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b</Hashes>
+                <Hashes condition="contains">SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965</Hashes>
+                <Hashes condition="contains">SHA256=771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c</Hashes>
+                <Hashes condition="contains">SHA256=810513b3f4c8d29afb46f71816350088caacf46f1be361af55b26f3fee4662c3</Hashes>
+                <Hashes condition="contains">SHA256=841335eeb6af68dce5b8b24151776281a751b95056a894991b23afae80e9f33b</Hashes>
+                <Hashes condition="contains">SHA256=0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06</Hashes>
+                <Hashes condition="contains">SHA256=952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4</Hashes>
+                <Hashes condition="contains">SHA256=2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c</Hashes>
+                <Hashes condition="contains">SHA256=3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf</Hashes>
+                <Hashes condition="contains">SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd</Hashes>
+                <Hashes condition="contains">SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9</Hashes>
+                <Hashes condition="contains">SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d</Hashes>
+                <Hashes condition="contains">SHA256=7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c</Hashes>
+                <Hashes condition="contains">SHA256=7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504</Hashes>
+                <Hashes condition="contains">SHA256=8939116df1d6c8fd0ebd14b2d37b3dec38a8820aa666ecd487bc1bb794f2a587</Hashes>
+                <Hashes condition="contains">SHA256=9778136d2441439dc470861d15d96fa21dc9f16225232cd05b76791a5e0fde6f</Hashes>
+                <Hashes condition="contains">SHA256=16768203a471a19ebb541c942f45716e9f432985abbfbe6b4b7d61a798cea354</Hashes>
+                <Hashes condition="contains">SHA256=18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805</Hashes>
+                <Hashes condition="contains">SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a</Hashes>
+                <Hashes condition="contains">SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10</Hashes>
+                <Hashes condition="contains">SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a</Hashes>
+                <Hashes condition="contains">SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3</Hashes>
+                <Hashes condition="contains">SHA256=55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa</Hashes>
+                <Hashes condition="contains">SHA256=65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3</Hashes>
+                <Hashes condition="contains">SHA256=65025741ecd0ef516da01319b42c2d96e13cb8d78de53fb7e39cd53ea6d58c75</Hashes>
+                <Hashes condition="contains">SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c</Hashes>
+                <Hashes condition="contains">SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82</Hashes>
+                <Hashes condition="contains">SHA256=696679114f6a106ec94c21e2a33fe17af86368bcf9a796aaea37ea6e8748ad6a</Hashes>
+                <Hashes condition="contains">SHA256=910479467ef17b9591d8d42305e7f6f247ad41c60ec890a1ffbe331f495ed135</Hashes>
+                <Hashes condition="contains">SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f</Hashes>
+                <Hashes condition="contains">SHA256=9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d</Hashes>
+                <Hashes condition="contains">SHA256=46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7</Hashes>
+                <Hashes condition="contains">SHA256=48891874441c6fa69e5518d98c53d83b723573e280c6c65ccfbde9039a6458c9</Hashes>
+                <Hashes condition="contains">SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa</Hashes>
+                <Hashes condition="contains">SHA256=a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1</Hashes>
+                <Hashes condition="contains">SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8</Hashes>
+                <Hashes condition="contains">SHA256=a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad</Hashes>
+                <Hashes condition="contains">SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062</Hashes>
+                <Hashes condition="contains">SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc</Hashes>
+                <Hashes condition="contains">SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200</Hashes>
+                <Hashes condition="contains">SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8</Hashes>
+                <Hashes condition="contains">SHA256=a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df</Hashes>
+                <Hashes condition="contains">SHA256=a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d</Hashes>
+                <Hashes condition="contains">SHA256=a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5</Hashes>
+                <Hashes condition="contains">SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3</Hashes>
+                <Hashes condition="contains">SHA256=a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e</Hashes>
+                <Hashes condition="contains">SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499</Hashes>
+                <Hashes condition="contains">SHA256=a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9</Hashes>
+                <Hashes condition="contains">SHA256=a7860e110f7a292d621006b7208a634504fb5be417fd71e219060381b9a891e6</Hashes>
+                <Hashes condition="contains">SHA256=a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e</Hashes>
+                <Hashes condition="contains">SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526</Hashes>
+                <Hashes condition="contains">SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433</Hashes>
+                <Hashes condition="contains">SHA256=a2353030d4ea3ad9e874a0f7ff35bbfa10562c98c949d88cabab27102bbb8e48</Hashes>
+                <Hashes condition="contains">SHA256=a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4</Hashes>
+                <Hashes condition="contains">SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608</Hashes>
+                <Hashes condition="contains">SHA256=aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c</Hashes>
+                <Hashes condition="contains">SHA256=aafb95a443911e4c67d4e45ffa83cca103c91b42915b81100534dc439bec0c1b</Hashes>
+                <Hashes condition="contains">SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89</Hashes>
+                <Hashes condition="contains">SHA256=ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd</Hashes>
+                <Hashes condition="contains">SHA256=ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a</Hashes>
+                <Hashes condition="contains">SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165</Hashes>
+                <Hashes condition="contains">SHA256=ac63c26ca43701dddaa7fb1aea535d42190f88752900a03040fd5aaa24991e25</Hashes>
+                <Hashes condition="contains">SHA256=ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833</Hashes>
+                <Hashes condition="contains">SHA256=ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b</Hashes>
+                <Hashes condition="contains">SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173</Hashes>
+                <Hashes condition="contains">SHA256=ad2477632b9b07588cfe0e692f244c05fa4202975c1fe91dd3b90fa911ac6058</Hashes>
+                <Hashes condition="contains">SHA256=ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47</Hashes>
+                <Hashes condition="contains">SHA256=adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee</Hashes>
+                <Hashes condition="contains">SHA256=ae6fb53e4d8122dba3a65e5fa59185b36c3ac9df46e82fcfb6731ab55c6395aa</Hashes>
+                <Hashes condition="contains">SHA256=ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471</Hashes>
+                <Hashes condition="contains">SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2</Hashes>
+                <Hashes condition="contains">SHA256=aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399</Hashes>
+                <Hashes condition="contains">SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685</Hashes>
+                <Hashes condition="contains">SHA256=af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a</Hashes>
+                <Hashes condition="contains">SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508</Hashes>
+                <Hashes condition="contains">SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414</Hashes>
+                <Hashes condition="contains">SHA256=b2ba6efeff1860614b150916a77c9278f19d51e459e67a069ccd15f985cbc0e1</Hashes>
+                <Hashes condition="contains">SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29</Hashes>
+                <Hashes condition="contains">SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602</Hashes>
+                <Hashes condition="contains">SHA256=b6fd51e1f57a03006953e84fd56cc2821cc19e7c77c0474e1110aabaacaf03df</Hashes>
+                <Hashes condition="contains">SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d</Hashes>
+                <Hashes condition="contains">SHA256=b8b94c2646b62f6ac08f16514b6efaa9866aa3c581e4c0435a7aeafe569b2418</Hashes>
+                <Hashes condition="contains">SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf</Hashes>
+                <Hashes condition="contains">SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c</Hashes>
+                <Hashes condition="contains">SHA256=b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a</Hashes>
+                <Hashes condition="contains">SHA256=b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b</Hashes>
+                <Hashes condition="contains">SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a</Hashes>
+                <Hashes condition="contains">SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a</Hashes>
+                <Hashes condition="contains">SHA256=b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e</Hashes>
+                <Hashes condition="contains">SHA256=b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5</Hashes>
+                <Hashes condition="contains">SHA256=b95b2d9b29bd25659f1c7ba5a187f8d23cde01162d9b5b1a2c4aea8f64b38441</Hashes>
+                <Hashes condition="contains">SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de</Hashes>
+                <Hashes condition="contains">SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e</Hashes>
+                <Hashes condition="contains">SHA256=b1867d13a4cab66a76f4d4448824ca0cb3a176064626f9618c0c103ee3cb4f47</Hashes>
+                <Hashes condition="contains">SHA256=b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0</Hashes>
+                <Hashes condition="contains">SHA256=b61869b7945be062630f1dd4bae919aecee8927f7e1bc3954a21ff763f4c0867</Hashes>
+                <Hashes condition="contains">SHA256=b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704</Hashes>
+                <Hashes condition="contains">SHA256=b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3</Hashes>
+                <Hashes condition="contains">SHA256=bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa</Hashes>
+                <Hashes condition="contains">SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc</Hashes>
+                <Hashes condition="contains">SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955</Hashes>
+                <Hashes condition="contains">SHA256=bb68552936a6b0a68fb53ce864a6387d2698332aac10a7adfdd5a48b97027ce3</Hashes>
+                <Hashes condition="contains">SHA256=bc7ebd191e0991fd0865a5c956a92e63792a0bb2ff888af43f7a63bb65a22248</Hashes>
+                <Hashes condition="contains">SHA256=bc13adeb6bf62b1e10ef41205ef92382e6c18d6a20669d288a0b11058e533d63</Hashes>
+                <Hashes condition="contains">SHA256=bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f</Hashes>
+                <Hashes condition="contains">SHA256=bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f</Hashes>
+                <Hashes condition="contains">SHA256=bda99629ec6c522c3efcbcc9ca33688d31903146f05b37d0d3b43db81bfb3961</Hashes>
+                <Hashes condition="contains">SHA256=bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c</Hashes>
+                <Hashes condition="contains">SHA256=bdcacee3695583a0ca38b9a786b9f7334bf2a9a3387e4069c8e6ca378b2791d0</Hashes>
+                <Hashes condition="contains">SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100</Hashes>
+                <Hashes condition="contains">SHA256=be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2</Hashes>
+                <Hashes condition="contains">SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57</Hashes>
+                <Hashes condition="contains">SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8</Hashes>
+                <Hashes condition="contains">SHA256=c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8</Hashes>
+                <Hashes condition="contains">SHA256=c2fcc0fec64d5647813b84b9049d430406c4c6a7b9f8b725da21bcae2ff12247</Hashes>
+                <Hashes condition="contains">SHA256=c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e</Hashes>
+                <Hashes condition="contains">SHA256=c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9</Hashes>
+                <Hashes condition="contains">SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e</Hashes>
+                <Hashes condition="contains">SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8</Hashes>
+                <Hashes condition="contains">SHA256=c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924</Hashes>
+                <Hashes condition="contains">SHA256=c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26</Hashes>
+                <Hashes condition="contains">SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a</Hashes>
+                <Hashes condition="contains">SHA256=c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc</Hashes>
+                <Hashes condition="contains">SHA256=c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa</Hashes>
+                <Hashes condition="contains">SHA256=c344e92a6d06155a217a9af7b4b35e6653665eec6569292e7b2e70f3a3027646</Hashes>
+                <Hashes condition="contains">SHA256=c470c9db58840149ce002f3e6003382ecf740884a683bae8f9d10831be218fa2</Hashes>
+                <Hashes condition="contains">SHA256=c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2</Hashes>
+                <Hashes condition="contains">SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5</Hashes>
+                <Hashes condition="contains">SHA256=c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada</Hashes>
+                <Hashes condition="contains">SHA256=c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c</Hashes>
+                <Hashes condition="contains">SHA256=c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d</Hashes>
+                <Hashes condition="contains">SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c</Hashes>
+                <Hashes condition="contains">SHA256=c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd</Hashes>
+                <Hashes condition="contains">SHA256=caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab</Hashes>
+                <Hashes condition="contains">SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612</Hashes>
+                <Hashes condition="contains">SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec</Hashes>
+                <Hashes condition="contains">SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6</Hashes>
+                <Hashes condition="contains">SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8</Hashes>
+                <Hashes condition="contains">SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64</Hashes>
+                <Hashes condition="contains">SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b</Hashes>
+                <Hashes condition="contains">SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb</Hashes>
+                <Hashes condition="contains">SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812</Hashes>
+                <Hashes condition="contains">SHA256=cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc</Hashes>
+                <Hashes condition="contains">SHA256=ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2</Hashes>
+                <Hashes condition="contains">SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986</Hashes>
+                <Hashes condition="contains">SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b</Hashes>
+                <Hashes condition="contains">SHA256=cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190</Hashes>
+                <Hashes condition="contains">SHA256=cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb</Hashes>
+                <Hashes condition="contains">SHA256=cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40</Hashes>
+                <Hashes condition="contains">SHA256=cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b</Hashes>
+                <Hashes condition="contains">SHA256=cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab</Hashes>
+                <Hashes condition="contains">SHA256=cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c</Hashes>
+                <Hashes condition="contains">SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889</Hashes>
+                <Hashes condition="contains">SHA256=d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605</Hashes>
+                <Hashes condition="contains">SHA256=d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f</Hashes>
+                <Hashes condition="contains">SHA256=d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9</Hashes>
+                <Hashes condition="contains">SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102</Hashes>
+                <Hashes condition="contains">SHA256=d7ddf874304556f8a10942a29b3d387cb5155a7419f87813557fe728cb14806d</Hashes>
+                <Hashes condition="contains">SHA256=d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0</Hashes>
+                <Hashes condition="contains">SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530</Hashes>
+                <Hashes condition="contains">SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482</Hashes>
+                <Hashes condition="contains">SHA256=d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2</Hashes>
+                <Hashes condition="contains">SHA256=d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f</Hashes>
+                <Hashes condition="contains">SHA256=d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3</Hashes>
+                <Hashes condition="contains">SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3</Hashes>
+                <Hashes condition="contains">SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71</Hashes>
+                <Hashes condition="contains">SHA256=d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476</Hashes>
+                <Hashes condition="contains">SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2</Hashes>
+                <Hashes condition="contains">SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26</Hashes>
+                <Hashes condition="contains">SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e</Hashes>
+                <Hashes condition="contains">SHA256=d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d</Hashes>
+                <Hashes condition="contains">SHA256=d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1</Hashes>
+                <Hashes condition="contains">SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24</Hashes>
+                <Hashes condition="contains">SHA256=da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d</Hashes>
+                <Hashes condition="contains">SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004</Hashes>
+                <Hashes condition="contains">SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653</Hashes>
+                <Hashes condition="contains">SHA256=dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98</Hashes>
+                <Hashes condition="contains">SHA256=dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed</Hashes>
+                <Hashes condition="contains">SHA256=dbe9f17313e1164f06401234b875fbc7f71d41dc7271de643865af1358841fef</Hashes>
+                <Hashes condition="contains">SHA256=dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258</Hashes>
+                <Hashes condition="contains">SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097</Hashes>
+                <Hashes condition="contains">SHA256=dd573f23d656818036fc9ae1064eda31aca86acb9bc44a6e127db3ea112a9094</Hashes>
+                <Hashes condition="contains">SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8</Hashes>
+                <Hashes condition="contains">SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa</Hashes>
+                <Hashes condition="contains">SHA256=de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c</Hashes>
+                <Hashes condition="contains">SHA256=de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5</Hashes>
+                <Hashes condition="contains">SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc</Hashes>
+                <Hashes condition="contains">SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d</Hashes>
+                <Hashes condition="contains">SHA256=deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578</Hashes>
+                <Hashes condition="contains">SHA256=df0cc4e5c9802f8edaefeb130e375cad56b2c5490d8ebd77d8dbdcc6fdc7ecb6</Hashes>
+                <Hashes condition="contains">SHA256=df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15</Hashes>
+                <Hashes condition="contains">SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22</Hashes>
+                <Hashes condition="contains">SHA256=e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b</Hashes>
+                <Hashes condition="contains">SHA256=e2d8dd5dacc24051709f55a35184f5f99aef957a83bd358b0608b4479e1ec24f</Hashes>
+                <Hashes condition="contains">SHA256=e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6</Hashes>
+                <Hashes condition="contains">SHA256=e3b257357be41a18319332df7023c4407e2b93ac4c9e0c6754032e29f3763eac</Hashes>
+                <Hashes condition="contains">SHA256=e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918</Hashes>
+                <Hashes condition="contains">SHA256=e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd</Hashes>
+                <Hashes condition="contains">SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb</Hashes>
+                <Hashes condition="contains">SHA256=e4c154a0073bbad3c9f8ab7218e9b3be252ae705c20c568861dae4088f17ffcc</Hashes>
+                <Hashes condition="contains">SHA256=e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036</Hashes>
+                <Hashes condition="contains">SHA256=e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148</Hashes>
+                <Hashes condition="contains">SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1</Hashes>
+                <Hashes condition="contains">SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53</Hashes>
+                <Hashes condition="contains">SHA256=e5b0772be02e2bc807804874cf669e97aa36f5aff1f12fa0a631a3c7b4dd0dc8</Hashes>
+                <Hashes condition="contains">SHA256=e7cbfb16261de1c7f009431d374d90e9eb049ba78246e38bc4c8b9e06f324b6f</Hashes>
+                <Hashes condition="contains">SHA256=e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48</Hashes>
+                <Hashes condition="contains">SHA256=e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f</Hashes>
+                <Hashes condition="contains">SHA256=e50b25d94c1771937b2f632e10eea875ac6b19c57da703d52e23ad2b6299f0ae</Hashes>
+                <Hashes condition="contains">SHA256=e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90</Hashes>
+                <Hashes condition="contains">SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028</Hashes>
+                <Hashes condition="contains">SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a</Hashes>
+                <Hashes condition="contains">SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4</Hashes>
+                <Hashes condition="contains">SHA256=e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f</Hashes>
+                <Hashes condition="contains">SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf</Hashes>
+                <Hashes condition="contains">SHA256=e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2</Hashes>
+                <Hashes condition="contains">SHA256=e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9</Hashes>
+                <Hashes condition="contains">SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf</Hashes>
+                <Hashes condition="contains">SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa</Hashes>
+                <Hashes condition="contains">SHA256=e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06</Hashes>
+                <Hashes condition="contains">SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790</Hashes>
+                <Hashes condition="contains">SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293</Hashes>
+                <Hashes condition="contains">SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3</Hashes>
+                <Hashes condition="contains">SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41</Hashes>
+                <Hashes condition="contains">SHA256=ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3</Hashes>
+                <Hashes condition="contains">SHA256=ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5</Hashes>
+                <Hashes condition="contains">SHA256=ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566</Hashes>
+                <Hashes condition="contains">SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c</Hashes>
+                <Hashes condition="contains">SHA256=ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282</Hashes>
+                <Hashes condition="contains">SHA256=ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39</Hashes>
+                <Hashes condition="contains">SHA256=ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7</Hashes>
+                <Hashes condition="contains">SHA256=ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe</Hashes>
+                <Hashes condition="contains">SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b</Hashes>
+                <Hashes condition="contains">SHA256=ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850</Hashes>
+                <Hashes condition="contains">SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0</Hashes>
+                <Hashes condition="contains">SHA256=f1c8ca232789c2f11a511c8cd95a9f3830dd719cad5aa22cb7c3539ab8cb4dc3</Hashes>
+                <Hashes condition="contains">SHA256=f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b</Hashes>
+                <Hashes condition="contains">SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe</Hashes>
+                <Hashes condition="contains">SHA256=f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f</Hashes>
+                <Hashes condition="contains">SHA256=f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1</Hashes>
+                <Hashes condition="contains">SHA256=f37d609ea1f06660d970415dd3916c4c153bb5940bf7d2beb47fa34e8a8ffbfc</Hashes>
+                <Hashes condition="contains">SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960</Hashes>
+                <Hashes condition="contains">SHA256=f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c</Hashes>
+                <Hashes condition="contains">SHA256=f84f8173242b95f9f3c4fea99b5555b33f9ce37ca8188b643871d261cb081496</Hashes>
+                <Hashes condition="contains">SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004</Hashes>
+                <Hashes condition="contains">SHA256=f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439</Hashes>
+                <Hashes condition="contains">SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d</Hashes>
+                <Hashes condition="contains">SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57</Hashes>
+                <Hashes condition="contains">SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af</Hashes>
+                <Hashes condition="contains">SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960</Hashes>
+                <Hashes condition="contains">SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008</Hashes>
+                <Hashes condition="contains">SHA256=f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145</Hashes>
+                <Hashes condition="contains">SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65</Hashes>
+                <Hashes condition="contains">SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35</Hashes>
+                <Hashes condition="contains">SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13</Hashes>
+                <Hashes condition="contains">SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b</Hashes>
+                <Hashes condition="contains">SHA256=f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478</Hashes>
+                <Hashes condition="contains">SHA256=f85784fa8e7a7ec86cb3fe76435802f6bb82256e1824ed7b5d61bf075f054573</Hashes>
+                <Hashes condition="contains">SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54</Hashes>
+                <Hashes condition="contains">SHA256=f9895458e73d4b0ef01eda347fb695bb00e6598d9f5e2506161b70ad96bb7298</Hashes>
+                <Hashes condition="contains">SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b</Hashes>
+                <Hashes condition="contains">SHA256=fa875178ae2d7604d027510b0d0a7e2d9d675e10a4c9dda2d927ee891e0bcb91</Hashes>
+                <Hashes condition="contains">SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566</Hashes>
+                <Hashes condition="contains">SHA256=fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22</Hashes>
+                <Hashes condition="contains">SHA256=fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f</Hashes>
+                <Hashes condition="contains">SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2</Hashes>
+                <Hashes condition="contains">SHA256=fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c</Hashes>
+                <Hashes condition="contains">SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1</Hashes>
+                <Hashes condition="contains">SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533</Hashes>
+                <Hashes condition="contains">SHA256=fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c</Hashes>
+                <Hashes condition="contains">SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03</Hashes>
+                <Hashes condition="contains">SHA256=fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280</Hashes>
+                <Hashes condition="contains">SHA256=ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7</Hashes>
+                <Hashes condition="contains">SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339</Hashes>
+                <Hashes condition="contains">SHA256=ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5</Hashes>
+                <Hashes condition="contains">SHA256=ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f</Hashes>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Malicious Driver Detected,Risk=10,Author=Florian Roth" groupRelation="or">
+                <Hashes condition="contains">SHA256=56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c</Hashes>
+                <Hashes condition="contains">SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4</Hashes>
+                <Hashes condition="contains">SHA256=86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62</Hashes>
+                <Hashes condition="contains">SHA256=06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f</Hashes>
+                <Hashes condition="contains">SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e</Hashes>
+                <Hashes condition="contains">SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1</Hashes>
+                <Hashes condition="contains">SHA256=6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724</Hashes>
+                <Hashes condition="contains">SHA256=ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620</Hashes>
+                <Hashes condition="contains">SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc</Hashes>
+                <Hashes condition="contains">SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c</Hashes>
+                <Hashes condition="contains">SHA256=e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d</Hashes>
+                <Hashes condition="contains">SHA256=18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7</Hashes>
+                <Hashes condition="contains">SHA256=139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988</Hashes>
+                <Hashes condition="contains">SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427</Hashes>
+                <Hashes condition="contains">SHA256=1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e</Hashes>
+                <Hashes condition="contains">SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421</Hashes>
+                <Hashes condition="contains">SHA256=0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99</Hashes>
+                <Hashes condition="contains">SHA256=ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a</Hashes>
+                <Hashes condition="contains">SHA256=89698cad598a56f9e45efffd15d1841e494a2409cc12279150a03842cd6bb7f3</Hashes>
+                <Hashes condition="contains">SHA256=5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b</Hashes>
+                <Hashes condition="contains">SHA256=fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5</Hashes>
+                <Hashes condition="contains">SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4</Hashes>
+                <Hashes condition="contains">SHA256=6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77</Hashes>
+                <Hashes condition="contains">SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f</Hashes>
+                <Hashes condition="contains">SHA256=32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d</Hashes>
+                <Hashes condition="contains">SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8</Hashes>
+                <Hashes condition="contains">SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1</Hashes>
+                <Hashes condition="contains">SHA256=f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a</Hashes>
+                <Hashes condition="contains">SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376</Hashes>
+                <Hashes condition="contains">SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc</Hashes>
+                <Hashes condition="contains">SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3</Hashes>
+                <Hashes condition="contains">SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217</Hashes>
+                <Hashes condition="contains">SHA256=200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a</Hashes>
+                <Hashes condition="contains">SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce</Hashes>
+                <Hashes condition="contains">SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497</Hashes>
+                <Hashes condition="contains">SHA256=23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931</Hashes>
+                <Hashes condition="contains">SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316</Hashes>
+                <Hashes condition="contains">SHA256=5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d</Hashes>
+                <Hashes condition="contains">SHA256=e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12</Hashes>
+                <Hashes condition="contains">SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87</Hashes>
+                <Hashes condition="contains">SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae</Hashes>
+                <Hashes condition="contains">SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e</Hashes>
+                <Hashes condition="contains">SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c</Hashes>
+                <Hashes condition="contains">SHA256=f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280</Hashes>
+                <Hashes condition="contains">SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51</Hashes>
+                <Hashes condition="contains">SHA256=b8807e365be2813b7eccd2e4c49afb0d1e131086715638b7a6307cd7d7e9556c</Hashes>
+                <Hashes condition="contains">SHA256=50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76</Hashes>
+                <Hashes condition="contains">SHA256=52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677</Hashes>
+                <Hashes condition="contains">SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6</Hashes>
+                <Hashes condition="contains">SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104</Hashes>
+                <Hashes condition="contains">SHA256=8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330</Hashes>
+                <Hashes condition="contains">SHA256=4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4</Hashes>
+                <Hashes condition="contains">SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463</Hashes>
+                <Hashes condition="contains">SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c</Hashes>
+                <Hashes condition="contains">SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530</Hashes>
+                <Hashes condition="contains">SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c</Hashes>
+                <Hashes condition="contains">SHA256=f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d</Hashes>
+                <Hashes condition="contains">SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a</Hashes>
+                <Hashes condition="contains">SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae</Hashes>
+                <Hashes condition="contains">SHA256=bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df</Hashes>
+                <Hashes condition="contains">SHA256=42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25</Hashes>
+                <Hashes condition="contains">SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212</Hashes>
+                <Hashes condition="contains">SHA256=770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a</Hashes>
+			</Rule>
 		</FileExecutableDetected>
 	</RuleGroup>
 	<RuleGroup name="RG=FileExecutable Excludes" groupRelation="or">

From 60f27bb3072ed576f12576addd33bd81e113566b Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Wed, 5 Jul 2023 10:19:00 -0400
Subject: [PATCH 443/471] Misc Updates & Tagging

---
 sysmonconfig-export.xml | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index bc2cee26..7672e447 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -8305,10 +8305,10 @@
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
 			</Rule>
 			<!--DLLs that get injected into every process launch-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Monitoring: DLLs that get injected into every process launch" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Monitoring: DLLs that get injected into every process launch" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
 			</Rule>
 			<!--Office-->
@@ -8774,10 +8774,10 @@
 			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Potential Ransomware Indicator: REvil Sodinokibi Sodin Ransomware,Risk=100" groupRelation="and">
 				<TargetObject condition="contains">Software\recfg</TargetObject>
 			</Rule>
-			<Rule name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Keyboard Layout Load" groupRelation="and">
+			<Rule name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Suspicious Keyboard Layout Load" groupRelation="and">
 				<TargetObject condition="contains">\Keyboard Layout\Preload\</TargetObject>
 			</Rule>
-			<Rule name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Keyboard Layout Load" groupRelation="and">
+			<Rule name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Suspicious Keyboard Layout Load" groupRelation="and">
 				<TargetObject condition="contains">\Keyboard Layout\Substitutes\</TargetObject>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" groupRelation="and">
@@ -8828,6 +8828,15 @@
 				<Image condition="begin with">C:\Program Files (x86)\ESET</Image>
 				<Image condition="begin with">C:\Program Files\ESET</Image>
 			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Browser Helper Object Contacted Domains" groupRelation="and">
+				<TargetObject condition="end with">\EnableBHO</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Printer Port Changes,CVE=CVE-2020-1048" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports</TargetObject> <!--Microsoft:Windows: Printer port changes as used in CVE-2020-1048 [ https://windows-internals.com/printdemon-cve-2020-1048/ ] -->
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=PrintNightmare Coverage,Author=Florian Roth" groupRelation="and">
+				<TargetObject condition="contains">Control\Print\Environments\Windows x64\Drivers</TargetObject> <!-- PrinterNightmare coverage -->
+			</Rule>
 		</RegistryEvent>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
@@ -8854,7 +8863,7 @@
 				<Hash condition="contains">SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e</Hash><!--Exchange Zero Day Dropped DLL-->
 			</Rule>
 			<Rule name="Attack=T1096,Technique=Alternate Data Streams,Tactic=Defense Evasion,DS=File: File Metadata,Level=0,Desc=Alternate Data Streams,Risk=10" groupRelation="and">
-				<TargetFilename condition="contains any">Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf</TargetFilename>
+				<TargetFilename condition="contains any">Startup;Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=File: File Metadata,Level=4,Alert=SysmonEnte Detection,DS=File: File Metadata,Level=4,Risk=100" groupRelation="and">
 				<Hash condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hash>

From dac2f473a34493b5fbd2b4d6ec43ebdafd677c96 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Wed, 5 Jul 2023 11:01:01 -0400
Subject: [PATCH 444/471] Break out some Pe Executable rules with MITRE Tagging

---
 sysmonconfig-export.xml | 62 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 58 insertions(+), 4 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 7672e447..bb73a7e9 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -9659,6 +9659,12 @@
 				<TargetFilename condition="not end with">.ime</TargetFilename>
 				<TargetFilename condition="not end with">.tsp</TargetFilename>
 			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=,Risk=10,Alert=Powershell Creating Executables" groupRelation="and">
+				<Image condition="is any">powershell.exe;powershell_ise.exe;pwsh.exe;Sqlps.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059.003,Technique=Command and Scripting Interpreter: Windows Command Shell,Tactic=Execution,DS=File: File Creation,Level=0,Alert=Command or consolehost Anomaly,Risk=10" groupRelation="and">
+				<Image condition="is any">cmd.exe;conhost.exe</Image>
+			</Rule>
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Pe File Detected within Unusual Location,Risk=10,Author=Florian Roth" groupRelation="or">
 				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename> <!-- often used staging directories; could cause false positives --> 
 				<TargetFilename condition="begin with">C:\Perflogs\</TargetFilename> <!-- often used staging directories --> 
@@ -9671,6 +9677,16 @@
 				<TargetFilename condition="begin with">C:\Windows\System32\spool\SERVERS\</TargetFilename> <!-- often used in exploits against print spooler --> 
 				<TargetFilename condition="begin with">C:\Windows\System32\spool\PRINTERS\</TargetFilename> <!-- often used in exploits against print spooler --> 
 				<TargetFilename condition="begin with">C:\Windows\Help\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\SysWOW64\Tasks</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Intel</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Mozilla</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\chocolatey\</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\DeviceSync</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\PlayReady</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\User Account Pictures</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\Office\Heartbeat</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\Windows\WER</TargetFilename>
+				<TargetFilename condition="contains all">C:\Users\All Users\</TargetFilename> <!-- often used staging directories in User folders --> 
 				<TargetFilename condition="contains all">C:\Users\;\Music\</TargetFilename> <!-- often used staging directories in User folders --> 
 				<TargetFilename condition="contains all">C:\Users\;\Pictures\</TargetFilename> <!-- often used staging directories in User folders --> 
 				<TargetFilename condition="contains all">C:\Users\;\Videos\</TargetFilename> <!-- often used staging directories in User folders --> 
@@ -9829,17 +9845,55 @@
 				<Image condition="image">esentutl.exe</Image>
 				<!-- <Image condition="image">expand.exe</Image> (depends on the environment; comment in if you're sure that expand doesn't do that in your env) -->
 				<Image condition="image">finger.exe</Image>
-				<Image condition="image">presentationhost.exe</Image>
-
 				<!-- Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)-->
 				<Image condition="image">notepad.exe</Image>
 				<Image condition="image">AcroRd32.exe</Image>
 				<Image condition="image">RdrCEF.exe</Image> <!-- RdrCEF was seen dropping a DLL in temp (Example: \AppData\Local\Temp\acrocef_low\4616_1623006624_platform_specific\win_x86\widevinecdm.dll). Comment out this entry if you experience issues (https://github.com/Neo23x0/sysmon-config/issues/43) -->
-				<Image condition="image">mshta.exe</Image>
-				<Image condition="image">hh.exe</Image>
 				<Image condition="image">calc.exe</Image>
 				<Image condition="image">mspaint.exe</Image>
 			</Rule>
+			<Rule name="Attack=T1218.01,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Compiled HTML File Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">hh.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.002,Technique=System Binary Proxy Execution: Control Panel,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Control Panel Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">control.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.003,Technique=System Binary Proxy Execution: CMSTP,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=CMSTP Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">CMSTP.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.004,Technique=System Binary Proxy Execution: InstallUtil,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=InstallUtil Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">installutil.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.005,Technique=System Binary Proxy Execution: Mshta,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=MSHTA Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">mshta.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.007,Technique=System Binary Proxy Execution: MSIExec,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=MSIExec Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">msiexec.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.008,Technique=System Binary Proxy Execution: Odbcconf,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Odbcconf Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">Odbcconf.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.009,Technique=System Binary Proxy Execution: Regsvcs/Regasm,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Regsvcs/Regasm Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="contains any">Regsvcs.exe;Regasm.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.010,Technique=System Binary Proxy Execution: Regsvr32,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Regsvr32 Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">regsvr32.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=System Binary Proxy Execution: Rundll32,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Rundll32 Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">Rundll32.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.012,Technique=System Binary Proxy Execution: Verclsid,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Verclsid Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">Verclsid.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.013,Technique=System Binary Proxy Execution: mavinject,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Mavinject Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="contains any">mavinject.exe;mavinject64.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.014,Technique=System Binary Proxy Execution: MMC,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=MMC Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">mmc.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Other LOLBins Dropping Executables,Risk=10" groupRelation="or">
+				<Image condition="contains any">Appvlp.exe;InfDefaultInstall.EXE;PresentationHost.exe;Register-cimprovider.exe;RegisterCimProvider2.exe;RegisterCimProvider.exe;ScriptRunner.exe;appcmd.exe;csi.exe;devtoolslauncher.exe;diskshadow.exe;extexport.exe;jjs.exe;msconfig.EXE;msdt.exe;rasautou.exe;rasdlui.exe;replace.exe;tttracer.exe;wab.exe;wsreset.exe</Image>
+			</Rule>
 			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=File: File Creation,Level=4,Alert=Vulnerable Driver Detected,Risk=10,Author=Florian Roth" groupRelation="or">
 			    <Hashes condition="contains">SHA256=7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed</Hashes>
                 <Hashes condition="contains">SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb</Hashes>

From 30c2337447ef21a1e9481b009c258e7b21da9cbf Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Wed, 5 Jul 2023 11:04:27 -0400
Subject: [PATCH 445/471] Add Spear Phishing detection, add @twitter tagging

---
 sysmonconfig-export.xml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index bb73a7e9..7ac39f00 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -4,8 +4,8 @@
 	 _\ \/ // (_-</  ' \/ _ \/ _ \  / __ |/ /   / /  > _/_ _/ /__/ ,<   
 	/___/\_, /___/_/_/_/\___/_//_/ /_/ |_/_/   /_/  |_____/ \___/_/|_|  
 		/___/                                                           
-	Author:	ionstorm
-	Contributors: NerbalOne
+	Author:	@ionstorm
+	Contributors: @NerbalOne
 	Project:	https://github.com/ion-storm/sysmon-config
 	License:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
 	Methodology: Detect the most Techniques per data source in MITRE ATT&CK.
@@ -9643,6 +9643,10 @@
 				<TargetFilename condition="begin with">C:\Users\</TargetFilename>
 				<TargetFilename condition="contains">\Downloads</TargetFilename>
 			</Rule>
+			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,DS=Process: Process Creation,Level=0,Alert=Executed files within Outlook Attachments,Risk=30" groupRelation="and">
+				<Image condition="begin with">C:\Users\</Image>
+				<Image condition="contains">Content.Outlook</Image>
+			</Rule>
 			<Rule name="Attack=T1036.008,Technique=Masquerading: Masquerade File Type,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Pe File Detected under Unusual File extension,Risk=10" groupRelation="or">
 				<TargetFilename condition="not end with">.exe</TargetFilename>
 				<TargetFilename condition="not end with">.dll</TargetFilename>

From 0ab30cc1652c88291fe7b270b4ac3e2737c752ea Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Wed, 5 Jul 2023 12:17:33 -0400
Subject: [PATCH 446/471] Add NerbalOne's Powershell Sysmon Installer, add
 exclusions for asus firmware bin file

---
 Sysmon_Installer.ps1    | 82 +++++++++++++++++++++++++++++++++++++++++
 sysmonconfig-export.xml |  3 ++
 2 files changed, 85 insertions(+)
 create mode 100644 Sysmon_Installer.ps1

diff --git a/Sysmon_Installer.ps1 b/Sysmon_Installer.ps1
new file mode 100644
index 00000000..ea837097
--- /dev/null
+++ b/Sysmon_Installer.ps1
@@ -0,0 +1,82 @@
+#Author: NerbalOne
+#This PowerShell script will first create the Sysmon folder if it does not exist. It will then identify which OS architecture the endpoint is running and download the appropriate Sysmon version along with the Sysmon config and Sysmon Update script. It will then install Sysmon with the config and create a Scheduled Task to run hourly to update the Sysmon config.
+#You may have issues while running this script on Windows Server 2012 R2 servers as it seems this server version only works with the Sysmon.exe and not the Sysmon64.exe with the newer Sysmon versions. 
+
+# Define Sysmon URLs
+$sysmon32URL = "https://live.sysinternals.com/sysmon.exe"
+$sysmon64URL = "https://live.sysinternals.com/sysmon64.exe"
+$sysmonConfigURL = "https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml"
+$sysmonUpdateConfig = "https://raw.githubusercontent.com/ion-storm/sysmon-config/master/SysmonUpdateConfig.ps1"
+
+# Define Local Path for Sysmon File and Sysmon Config
+$sysmon32Path = "C:\Programdata\Sysmon\sysmon.exe"
+$sysmon64Path = "C:\Programdata\Sysmon\sysmon64.exe"
+$sysmonConfigPath = "C:\Programdata\Sysmon\sysmonconfig-export.xml"
+$sysmonUpdatePath = "C:\Programdata\Sysmon\SysmonUpdateConfig.ps1"
+$sysmonFolderPath = "C:\ProgramData\Sysmon\"
+
+# Create Sysmon Folder if it Doesn't Exist
+if (-not (Test-Path $sysmonFolderPath)) {
+    # Create the Folder
+    try {
+        New-Item -ItemType Directory -Path $sysmonFolderPath -Force
+        Write-Host "Folder created successfully at $folderPath"
+    }
+    catch {
+        Write-Host "Error creating the folder: $_"
+    }
+}
+else {
+    Write-Host "The folder already exists at $folderPath"
+}
+
+# Check OS Architecture
+$OSArchitecture = (Get-WmiObject -Query "Select * from Win32_OperatingSystem").OSArchitecture
+
+# Download Sysmon Update Script
+Invoke-WebRequest -Uri $sysmonUpdateConfig -OutFile $sysmonUpdatePath
+
+# Download Sysmon Config
+Invoke-WebRequest -Uri $sysmonConfigURL -OutFile $sysmonConfigPath
+
+# Depending on the OS Architecture, Download and Install Sysmon
+if ($OSArchitecture -eq "32-bit") {
+    # Download Sysmon 32 bit
+    Invoke-WebRequest -Uri $sysmon32URL -OutFile $sysmon32Path
+
+    # Install Sysmon with Config
+    Start-Process -FilePath $sysmon32Path -ArgumentList "-accepteula -i $sysmonConfigPath" -NoNewWindow -Wait
+
+} elseif ($OSArchitecture -eq "64-bit") {
+    # Download Sysmon 64 bit
+    Invoke-WebRequest -Uri $sysmon64URL -OutFile $sysmon64Path
+
+    # Install Sysmon with Config
+    Start-Process -FilePath $sysmon64Path -ArgumentList "-accepteula -i $sysmonConfigPath" -NoNewWindow -Wait
+
+} else {
+    Write-Output "Unsupported architecture: $OSArchitecture"
+}
+
+# Create a New Scheduled Task
+Start-Process schtasks.exe -ArgumentList '/Create /RU SYSTEM /RL HIGHEST /SC HOURLY /TN Update_Sysmon_Rules /TR "powershell.exe -ExecutionPolicy Bypass -File "C:\Programdata\Sysmon\SysmonUpdateConfig.ps1"" /f' -Wait -WindowStyle Hidden
+Start-Process schtasks.exe -ArgumentList '/Run /TN Update_Sysmon_Rules' -Wait -WindowStyle Hidden
+
+# Define Sysmon service Name Based on OS Architecture
+$sysmonServiceName = if ($OSArchitecture -eq "64-bit") { "Sysmon64" } else { "Sysmon" }
+
+# Check if Sysmon Service Exists
+try {
+    $service = Get-Service -Name $sysmonServiceName -ErrorAction Stop
+    Write-Output "Sysmon service exists"
+} catch {
+    Throw "Sysmon service does not exist"
+}
+
+# Check if Scheduled Task is Created Successfully
+try {
+    $task = Get-ScheduledTask -TaskName "Update_Sysmon_Rules" -ErrorAction Stop
+    Write-Output "Scheduled task created successfully"
+} catch {
+    Throw "Scheduled task creation failed"
+}
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 7ac39f00..e012ceca 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -5302,6 +5302,7 @@
 			</Rule>
 			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=BIN file created" groupRelation="and">
 				<TargetFilename condition="end with">.bin</TargetFilename>
+				<Image condition="excludes any">C:\Windows\System32\WUDFHost.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WMI Shell artifacts" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
@@ -5677,6 +5678,7 @@
 			</Rule>
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
+				<Image condition="excludes any">C:\Windows\System32\WUDFHost.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename>
@@ -5886,6 +5888,7 @@
 			</Rule>
 			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=BIN" groupRelation="and">
 				<TargetFilename condition="end with">.bin</TargetFilename>
+				<Image condition="excludes any">C:\Windows\System32\WUDFHost.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=CAB Archive" groupRelation="and">
 				<TargetFilename condition="end with">.cab</TargetFilename>

From baaf02da504a9c56b419f17f5d04a63107cdd9ca Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Thu, 6 Jul 2023 17:20:31 -0400
Subject: [PATCH 447/471] misc Updates

---
 sysmonconfig-export.xml | 40 +++++++++++++++++++++++++++++++++++-----
 1 file changed, 35 insertions(+), 5 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e012ceca..7266ab8b 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -265,7 +265,7 @@
 				<ParentImage condition="contains any">C:\Users\;$Recycle;\Temp\;\Downloads\</ParentImage>
 				<CommandLine condition="is">\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1</CommandLine>
 				<Image condition="image">conhost.exe</Image>
-				<ParentImage condition="excludes any">C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\Msp.Ecosystem.Discovery.exe;TCIntegratorCommHelper.exe</ParentImage>
+				<ParentImage condition="excludes any">C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\Msp.Ecosystem.Discovery.exe;TCIntegratorCommHelper.exe;\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Console Host Parents,Risk=30" groupRelation="and">
 				<ParentImage condition="contains any">svchost.exe;lsass.exe;services.exe;smss.exe;winlogon.exe;explorer.exe;dllhost.exe;rundll32.exe;regsvr32.exe;userinit.exe;winit.exe;spoolsv.exe;wermgr.exe;csrss.exe;ctfmon.exe;werfault.exe</ParentImage>
@@ -521,6 +521,7 @@
 				<ParentImage condition="excludes">C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe</ParentImage>
 				<CommandLine condition="excludes">Sentinel\AutoRepair</CommandLine>
 				<CommandLine condition="excludes">Update_Sysmon_Rules</CommandLine>
+				<ParentImage condition="excludes">C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scheduled Task Created,Risk=100" groupRelation="and">
 				<OriginalFileName condition="is">taskeng.exe</OriginalFileName>
@@ -535,7 +536,7 @@
 			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=Child process from schtasks" groupRelation="and">
 				<ParentImage condition="image">schtasks.exe</ParentImage>
 				<ParentCommandLine condition="excludes">schtasks /TN RtkAudUService64_BG</ParentCommandLine>
-				<ParentCommandLine condition="excludes any">-change;/change;-delete;/delete;-create;/create;Update_Sysmon_Rules</ParentCommandLine>
+				<ParentCommandLine condition="excludes any">-change;/change;-delete;/delete;-create;/create;Update_Sysmon_Rules;AMDRyzenMasterSDKTask</ParentCommandLine>
 			</Rule>
 			<Rule name="Attack=T1053.002,Technique=Scheduled Task/Job: At,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=at.exe Task scheduler execution" groupRelation="and">
 				<Image condition="image">at.exe</Image>
@@ -689,6 +690,8 @@
 			</Rule>
 			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Suspicious Directory Traversal" groupRelation="and">
 				<CommandLine condition="contains any">..\;\..</CommandLine>
+				<ParentImage condition="excludes all">C:\Program Files;\Razer\Synapse3\Service\Razer Synapse Service.exe</ParentImage>
+				<Image condition="excludes all">C:\Program Files;\Razer\;\UserProcess\Razer Synapse Service Process.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Formbook detections" groupRelation="and">
 				<CommandLine condition="contains any">\cmd.exe /c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe /c del "C:\Users\*\Desktop\*.exe;\cmd.exe -c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe -c del "C:\Users\*\Desktop\*.exe</CommandLine>
@@ -960,9 +963,13 @@
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
 			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=netsh Firewall Rule Deletion,Risk=40" groupRelation="and">
 				<CommandLine condition="contains">firewall delete</CommandLine>
+				<ParentCommandLine condition="excludes all">ROGLiveService;C:\Program Files\ASUS\ROG Live Service\ROGLiveService.exe</ParentCommandLine>
+				<ParentImage condition="excludes">C:\Program Files\ASUS\ROG Live Service\RLSInstallAction.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh Firewall Rule Creation,Risk=40" groupRelation="and">
 				<CommandLine condition="contains">firewall add</CommandLine>
+				<ParentCommandLine condition="excludes all">cmd.exe;ROGLiveService;C:\Program Files\ASUS\ROG Live Service\ROGLiveService.exe;enable=yes</ParentCommandLine>
+				<ParentImage condition="excludes">C:\Program Files\ASUS\ROG Live Service\RLSInstallAction.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=netsh firewall disablement,Risk=40" groupRelation="and">
 				<CommandLine condition="contains">firewall set opmode disable</CommandLine>
@@ -1050,6 +1057,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=suspicious execution path,Risk=30" groupRelation="and">
 				<Image condition="contains any">C:\Users\NetworkService\;C:\Users\NetworkService\;HarddiskVolumeShadowCopy;C:\Users\Default\;C:\Users\Public;C:\Users\Guest\;\administrateur\;C:\Windows\Media\;C:\Windows\addins\;tsclient\;\htdocs\;\config\systemprofile\;C:\PerfLogs\;c:\windows\ServiceProfiles\;C:\Intel\Logs\;C:\Windows\repair\;C:\Windows\Help\;$Recycle;C:\Windows\Debug\;C:\Windows\Security\;C:\Windows\Fonts\;\wwwroot\;\Contacts;C:\Windows\vss\</Image>
+				<ParentImage condition="excludes all">C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;\CitrixReceiverUpdater.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Alert=Double File Extension,Risk=100" groupRelation="or">
 				<Image condition="end with">      .exe</Image>
@@ -2681,7 +2689,8 @@
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<Rule name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Malicious Keywords from Exploitation Frameworks,Author=Florian Roth" groupRelation="and">
-			<CommandLine condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
+				<CommandLine condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
+				<Image condition="excludes all">C:\Program Files;\LightingService\AsusInstallVerifier.exe</Image>
 			</Rule>
 			<!--Crypto Currency Miner Detections-->
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
@@ -2940,6 +2949,9 @@
 				<Image condition="image">C:\Windows\System32\WerFault.exe</Image>
 				<ParentImage condition="image">C:\Windows\System32\wbem\WmiPrvSE.exe</ParentImage>
 			</Rule>
+			<Rule name="exclude armoury Crate from cmdline file deletion rule" groupRelation="and">
+				<ParentImage condition="excludes">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</ParentImage>
+			</Rule>
 		</ProcessCreate>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
@@ -5127,6 +5139,7 @@
 				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git;\Intel\Driver and Support Assistant\DSAService.exe;C:\Program Files (x86)\N-able Technologies\AutomationManagerAgent\;C:\Program Files (x86)\MspPlatform\RequestHandlerAgent\RequestHandlerAgent.exe;C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe;C:\ProgramData\Cavelo\jre\bin\java.exe;C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe;C:\Program Files\Cavelo\Cavelo Agent\parser.exe</SourceImage>
 				<SourceImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\NGenTask.exe</SourceImage>
 				<TargetImage condition="excludes any">\Intel\Driver and Support Assistant\</TargetImage>
+				<TargetImage condition="excludes any">C:\Program Files\AMD\CNext\CNext\Radeonsoftware.exe;C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.UserSessionHelper.exe</TargetImage>
 				<TargetImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\ngen.exe</TargetImage>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
@@ -5267,6 +5280,7 @@
 				<TargetFilename condition="begin with">C:\Windows\SoftwareDistribution</TargetFilename>
 				<TargetFilename condition="not begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch</TargetFilename>
 				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="excludes">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Creation,Level=0,Desc=MSBuild Source Files created" groupRelation="or">
 				<TargetFilename condition="end with">proj</TargetFilename>
@@ -5440,6 +5454,8 @@
 				<TargetFilename condition="contains any">!!!-WARNING-!!!.html;!!!-WARNING-!!!.txt;!!! HOW TO DECRYPT FILES !!!;!!!README!!!;!!!READ_TO_UNLOCK!!!.TXT;!!!_READ_ME_;!Recovery_;!Where_are_my_files!.html;!_HOW_TO_RESTORE_;!_RECOVERY_HELP_!.txt;!recover!;# DECRYPT MY FILES #.html;# DECRYPT MY FILES #.txt;# DECRYPT MY FILES #.vbs;# SATAN CRYPTOR #;+recover+;.8lock8;.31392E30362E32303136_;.ABCDEF;.CIop;.CR1;.CRAB;.CRYPTOSHIELD;.Cl0p;.Contact_Here_To_Recover_Your_Files.txt;.CryptoTorLocker2015!;.HERMES;.HakunaMatata;.How_To_Decrypt.txt;.How_To_Get_Back.txt;.KEYZ.KEYH0LES;.L0CKED;.LOL!;.MATRIX;.OMG!;.R.i.P;.RMCM1;.RSplited;.SUPERCRYPT;.SecureCrypted;.TheTrumpLocker;.VBRANSOM;.VforVendetta;.Where_my_files.txt;.XBTL;._AiraCropEncrypted!;.airacropencrypted!;.areyoulovemyrans;.berkshire;.bitpy;.bitx;.blocatto;.bomber;.braincrypt;.breakingbad;.breeding123;.cerber;.cifgksaffsfyghd;.country82000;.crypt;.crypted;.crypton;.cryptotorlocker;.decrypt2017;.deria;.dglnl;.disposed2017;.doomed;.encrypted.locked;.encrypted;.encryptedyourfiles;.enjey;.evillock;.filegofprencrp;.fileiscryptedhard;.firecrypt;.fuckyourdata;.gangbang;.gefickt;.googl;.happydayzz;.hceem;.helpdecrypt;.helpmeencedfiles;.hnumkhotep;.hydracrypt_ID;.iaufkakfhsaraf;.info.txt;.jimm;.kharma;.killedXXX;.lambda_l0cked;.letmetrydecfiles;.locked;.locker16;.loveransisgood;.lovewindows;.magic_software_syndicate;.mention9823;.moments2900;.myrandsext2017;.newlock;.no_more_ransom;.nochance;.noproblemwedecfiles;.notfoundrans;.ohwqg;.one-we_can-help_you;.oops;.osiris;.otherinformation;.paytounlock;.powerfulldecrypt;.powned;.pr0lock;.prolock;.prosperous666;.pwnd;.ransom;.readme2unlock;.righ;.roger;.ryk;.satan;.savethequeen;.sigaint.org;.skjdthghh;.skynet;.snatch;.stubbin;.supported2017;.suppose666;.theworldisyours;.txd0t;.warn_wallet;.weapologize;.weareyourfriends;.weencedufiles;.wowreadfordecryp;.wowwhereismyfiles;.wvtr0;.yourransom;.zzzzz ;.{CRYPTENDBLACKDC};-DECRYPT.txt;000-IF-YOU-WANT-DEC-FILES;000-No-PROBLEM-WE-DEC-FILES;000-PLEASE-READ-WE-HELP;001-READ-FOR-DECRYPT-FILES;1025-7152.exe;:\windows\update_collector.exe;=READ=THIS=PLEASE=;@cock.li;@countermail.com;@firemail.cc;@india.com;@mail.ru;@ukr.net;ASSISTANCE_IN_RECOVERY;ATTENTION!!!.txt;ATTENTION.url;Aescrypt.exe;AllFilesAreLocked;BTC_DECRYPT_FILES;BUYUNLOCKCODE.txt;BUYUNLOCKCODE;BitCryptorFileList.txt;C:\ProgramData\dtb.dat;C:\Programdata\WinMgr;C:\Programdata\clean.bat;C:\Programdata\run.bat;C:\Windows\svchost.exe;CEBER3;CHECK-IT-HELP-FILES;COME_RIPRISTINARE_I_FILE.;COMO_ABRIR_ARQUIVOS.txt;COMO_RESTAURAR_ARCHIVOS;Coin.Locker.txt;Comment débloquer mes fichiers.txt;Como descriptografar seus arquivos.txt;Corona-virus-Map;Corona.bat;Corona.sfx;CryptoRansomware;Crytp0l0cker;Cyber SpLiTTer Vbs.exe;Cyborg_DECRYPT;DALE_FILES.TXT;DECRYPT-FILES;DECRYPTION INSTRUCTIONS.;DECRYPTION_HOWTO.Notepad;DECRYPT_INFORMATION;DECRYPT_INSTRUCTION.HTML;DECRYPT_INSTRUCTION.URL;DECRYPT_INSTRUCTIONS.html;DECRYPT_INSTRUCTIONS;DECRYPT_ReadMe1.TXT;DECRYPT_Readme.TXT.ReadMe;DECRYPT_YOUR_FILES;DESIFROVANI_POKYNY.html;Decrypt All Files;DecryptAllFiles;DecryptFile;Decrypt_readme.txt;DesktopOsiris;ENTSCHLUSSELN_HINWEISE.html;EdgeLocker;FILESAREGONE.txt;FILES_BACK.txt;File Decrypt Help.html;GJENOPPRETTING_AV_FILER;GetYouFiles.txt;HAPPEN-ENCED-FILES;HELLOTHERE.TXT;HELP-ME-ENCED-FILES;HELPDECRYPT_YOUR_FILES.HTML;HELP_DECRYPT.HTML;HELP_DECRYPT.PNG;HELP_DECRYPT.URL;HELP_DECRYPT.lnk;HELP_ME_PLEASE.txt;HELP_RESTORE_FILES_;HELP_TO_SAVE_FILES.bmp;HELP_TO_SAVE_FILES;HELP_YOURFILES.HTML;HELP_YOUR_FILES.PNG;HELP_YOUR_FILES.html;HELP_YOUR_FILES;HOW-TO-DECRYPT-FILES.HTML;HOW-TO-RESTORE-FILES;HOW TO BACK YOUR FILES;HOW TO DECRYPT FILES.HTML;HOW TO DECRYPT FILES.txt;HOW TO RECOVER;HOWTO_RECOVER_FILES_;HOWTO_RESTORE_FILES;HOWTO_RESTORE_FILES_;HOW_DECRYPT.HTML;HOW_DECRYPT.TXT;HOW_DECRYPT.URL;HOW_OPEN_FILES;HOW_TO_DECRYPT.HTML;HOW_TO_DECRYPT_;HOW_TO_PAY_THE_RANSOM;HOW_TO_RESTORE_FILES.html;HOW_TO_RESTORE_FILES;HOW_TO_RESTORE_YOUR_DATA;HOW_TO_UNLOCK_FILES_README_;HWID Lock.exe;Hacked_Read_me_to_decrypt_files.html;Help Decrypt.html;How decrypt files.hta;How to decrypt LeChiffre files.html;How to decrypt your data.txt;HowDecrypt.gif;HowDecrypt.txt;How_to_decrypt_your_files.jpg;How_to_restore_files.hta;HowtoRestore_File;HowtoRestore_Files;Howto_RESTORE_FILES.html;Howto_Restore_FILES.TXT;IAMREADYTOPAY.TXT;IF-YOU-WANT-DEC-FILES;IF_WANT_FILES_BACK_PLS_READ.html;IHAVEYOURSECRET.KEY;IMPORTANT READ ME.txt;IMPORTANT.README;INSTALL_TOR.URL;INSTRUCCIONES;INSTRUCCIONES_DESCIFRADO.html;INSTRUCTION RESTORE FILE;INSTRUCTIONS_DE_DECRYPTAGE.html;INSTUCCIONES_DESCRIFRADO;ISTRUZIONI_DECRITTAZIONE.html;Important!.txt;Instructionaga.txt;KryptoLocker_README.txt;LEER_INMEDIATAMENTE;LET-ME-TRY-DEC-FILES;Locked-by-Mafia;MENSAGEM.txt;MERRY_I_LOVE_YOU_BRUCE.hta;No-PROBLEM-WE-DEC-FILES;OKSOWATHAPPENDTOYOURFILES.TXT;ONTSLEUTELINGS_INSTRUCTIES.html;OSIRIS-;PAYLOADBIN;PINGY@INDIA.COM;PLEASE-READ-WE-HELP.;PLEASE-READIT-IF_YOU-WANT.html;PLEASE-READIT-IF_YOU-WANT;PLEASE-README-AFFECTED-FILES;PLS-DEC-MY-FILES;PURELOCKER;Payment_Instructions.jpg;Please Read Me!!!;READ-FOR-DECCCC-FILESSS;READ-FOR-DECRYPT-FILES;READ-READ-READ;READ IF YOU WANT YOUR FILES BACK.html;READ ME FOR DECRYPT.txt;README HOW TO DECRYPT YOUR FILES.HTML;README!!!;README_DECRYPT_HYDRA_ID_;README_DECRYPT_HYRDA_ID_;README_DECRYPT_UMBRE_ID_;README_DONT_DELETE;README_HOW_TO_UNLOCK.HTML;README_HOW_TO_UNLOCK.TXT;README_RECOVER_FILES_;README_TO_RECURE_YOUR_FILES;READTHISNOW!!!.txt;READ_IT.txt;READ_ME_!.txt;READ_ME_TO_DECRYPT_YOU_INFORMA;READ_THIS_TO_DECRYPT.html;RECOVER-FILES;RECOVERY_FILE.;RECOVERY_FILES.TXT;RECOVER_MY_FILE;RESTORE_CORUPTED_FILES;RESTORE_FILES_;RETURN FILES.txt;RETURN YOUR FILES;RETURNFILES_.txt;RETURN_FILES.txt;RETURN_FILES_.txt;Rans0m_N0te_Read_ME;Read Me (How Decrypt) !!!!.txt;ReadDecryptFilesHere;Read_this_file.txt;Receipt.exe;RecoveryManual.html;Recovery_File_;Recovery_file_;Rooster865qq;SECRET.KEY;SECRETIDHERE.KEY;SHTODELATVAM.txt;SIFRE_COZME_TALIMATI.html;SORRY-FOR-FILES;Survey Locker.exe;TRY-READ-ME-TO-DEC;Temp\satan\satan;ThxForYurTyme;UNLOCK_FILES_INSTRUCTIONS.html;UNLOCK_FILES_INSTRUCTIONS.txt;UnblockFiles.vbs;VIP72.exe;Vape Launcher.exe;WANT_FILES_BACK;WE-MUST-DEC-FILES;WHERE-YOUR-FILES;WORMKILLER@INDIA.COM.XTBL;What happen to my files.txt;Whereisyourfiles;WindowsApplication1.exe;YOUGOTHACKED.TXT;YOUR_FILES.txt;YOUR_FILES.url;YOUR_FILES_ARE_DEAD;YOUR_FILES_ARE_ENCRYPTED.HTML;YOUR_FILES_ARE_ENCRYPTED.TXT;YOUR_FILES_ARE_LOCKED.txt;Your files are locked !!!!.txt;Your files are locked !!!.txt;Your files are locked !!.txt;Your files are locked !.txt;Your files encrypted by our friends !!! txt;Your files encrypted by our friends !!!.txt;[KASISKI];_Adatok_visszaallitasahoz_utasitasok;_DECRYPT_ASSISTANCE_;_DECRYPT_INFO_;_DECRYPT_INFO_szesnl;_DEC_FILES.;_FILES_WERE_ENCRYPTED_@.TXT;_HELP_HELP_HELP_;_HELP_Recover_Files_;_HELP_instructions.bmp;_HELP_instructions.txt;_HOWDO_text.bmp;_HOWDO_text.html;_HOW_TO_Decrypt;_H_e_l_p_RECOVER_INSTRUCTIONS+;_H_e_l_p_RECOVER_INSTRUCTIONS;_Locky_recover;_Locky_recover_instructions.bmp;_Locky_recover_instructions.txt;_README.hta;_README.jpg;_READ_ME!;_RECOVER_INSTRUCTIONS;_ReCoVeRy_+;_USE_TO_FIX_;_WHAT_is.html;_help_instruct;_how_recover.txt;_how_recover;_how_recover_;_recover_;_secret_code.txt;_steaveiwalker@india.com_;aeroware;confirmation.key;contains(to_string($message.file_created), "howrecover+;crjoker.html;cryptinfo.txt;cryptolocker.;cryptopp;de_crypt_readme.;de_crypt_readme.bmp;de_crypt_readme.html;de_crypt_readme.txt;decipher_ne;decrypt-instruct;decrypt explanations.;decrypt my file;decrypt your file;decrypt_Globe;decrypt_instruct;decrypted_files.dat;decryptional;decryptmyfiles;decypt_your_files.html;default32643264.bmp;default432643264.jpg;email-salazar_slytherin10;enc_files.txt;encryptor_raas_readme_liesmich;enigma.hta;enigma_encr.txt;exit.hhr.obleep;fattura_;file0locked;files_are_encrypted.;-filesencrypted;firemail.cc;firstransomware.exe;gmx.de;hacks.at.sigaint.org;help-file-decrypt.enc;help_decrypt;help_file_;help_instructions.;help_my_files;help_recover;help_recover_instructions;help_restore;help_restore_files;help_your_file;helpmeencedfiles;how to decrypt aes files.lnk;how to decrypt;how to get data.txt;how_decrypt.gif;how_recover;how_to_decrypt;how_to_recover;howrecover+ recoveryfile_;howrecover+;howto_recover_file;howto_restore;howtodecrypt;howtodecryptaesfiles.txt;inbox.ru;info@kraken.cc_worldcza@email.cz;install_tor;iran.ir;last_chance.txt;maestro@pizzacrypts.info;maxcrypt.bmp;only-we_can-help_you;openforyou@india.com;opensourcemail.org;padcrypt;paycrypt.bmp;popcorn_time.exe;powerfulldecrypt;protonmail.ch;qbmail.biz;randomname;readme_decrypt;readme_for_decrypt;readme_liesmich_encryptor_raas;recover_file;recover_file_;recover_instruction;recoverfile;recoverfile_;recovery+;recovery_file.txt;recovery_key.txt;recoveryfile;recover}-;restore_files.txt;restorefiles;restorefiles_;ryukreadme.html;tuta.io;tutanota.com;tutanota.de;unCrypte;vault.hta;vault.key;vault.txt;want your files back.;warning-!!;wie_zum_Wiederherstellen_von_Dateien.txt;wowreadfordecryp;wowwhereismyfiles;zXz.html;zycrypt.;zzzzzzzzzzzzzzzzzyyy</TargetFilename>
 				<TargetFilename condition="excludes all">C:\Users\;\Google\Chrome Beta\User Data\;\IndexedDB\</TargetFilename>
 				<TargetFilename condition="excludes any">C:\Program Files\WindowsApps\Microsoft.YourPhone_;C:\Program Files\dotnet\shared\Microsoft.NETCore.App\;\Microsoft.NET\assembly\GAC_MSIL</TargetFilename>
+				<TargetFilename condition="excludes any">\System.Security.Cryptography</TargetFilename>
+				<Image condition="excludes any">Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" groupRelation="and">
 				<TargetFilename condition="contains">crackmapexec</TargetFilename>
@@ -6871,7 +6887,7 @@
 				<TargetFilename condition="contains">Temp\Temp1_</TargetFilename>
 			</Rule>
 			<!--Uncategorized-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=DotNet UsageLogs" groupRelation="and">
 				<TargetFilename condition="contains all">\Microsoft\;CLR_v;\UsageLogs\</TargetFilename>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
@@ -7147,6 +7163,9 @@
 				<EventType condition="is">SetValue</EventType>
 				<TargetObject condition="contains">\CurrentVersion\Run\</TargetObject>
 				<Image condition="excludes any">C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe;\AppData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
+				<Details condition="excludes all">C:\Program Files\Google\Drive File Stream;\GoogleDriveFS.exe;startup_mode</Details>
+				<Details condition="excludes all">C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;no-startup-window;win-session-start;prefetch</Details>
+				<Details condition="excludes all">\Application\chrome.exe;no-startup-window;win-session-start;prefetch</Details>
 			</Rule>
 			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Logon Logoff Shutdown Scripts" groupRelation="and">
 				<TargetObject condition="contains">\Microsoft\System\Scripts</TargetObject>
@@ -7439,7 +7458,8 @@
 				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\SnapshotCleanupTask\SD</TargetObject>
 				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office ClickToRun Service Monitor\SD</TargetObject>
 				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Automatic Updates 2.0\SD</TargetObject>
-				<TargetObject condition="excludes">Microsoft\Windows\UpdateOrchestrator</TargetObject>
+				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Automatic Updates 2.0\SD</TargetObject>
+				<TargetObject condition="excludes any">Microsoft\Windows\UpdateOrchestrator;\AMDInstallLauncher\SD;\SD;ASUS Switch;\PowerToys\Autorun for </TargetObject>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Creation ID Key" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
@@ -7641,6 +7661,7 @@
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
 				<TargetObject condition="end with">\Enabled</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
+				<Image condition="excludes">C:\WINDOWS\system32\DrvInst.exe</Image> <!--Common Driver Installs-->
 			</Rule>
 			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Enabling of Windows Event Log Source" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
@@ -8523,6 +8544,9 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Office Information" groupRelation="and">
 				<TargetObject condition="contains any">Root\InventoryMiscellaneousOfficeAddIn;Root\InventoryMiscellaneousOfficeIdentifiers;Root\InventoryMiscellaneousOfficeIESettings;Root\InventoryMiscellaneousOfficeInsights;Root\InventoryMiscellaneousOfficeProducts;Root\InventoryMiscellaneousOfficeSettings;Root\InventoryMiscellaneousOfficeVBA;Root\InventoryMiscellaneousOfficeVBARuleViolations</TargetObject>
 			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Registry Hive List" groupRelation="and">
+				<TargetObject condition="contains">\Control\hivelist</TargetObject>
+			</Rule>
 			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=ISO Drive Mounted" groupRelation="and">
 				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume</TargetObject>
 				<TargetObject condition="end with">Drive Type</TargetObject>
@@ -8840,6 +8864,12 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=PrintNightmare Coverage,Author=Florian Roth" groupRelation="and">
 				<TargetObject condition="contains">Control\Print\Environments\Windows x64\Drivers</TargetObject> <!-- PrinterNightmare coverage -->
 			</Rule>
+			<Rule name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=NGenAssemblyUsageLog Tampering Detected" groupRelation="and">
+				<TargetObject condition="contains all">\Microsoft\.NETFramework;NGenAssemblyUsageLog</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=Winget admin settings Tampering Detected" groupRelation="and">
+				<TargetObject condition="contains all">\REGISTRY\A\;LocalState\admin_settings</TargetObject>
+			</Rule>
 		</RegistryEvent>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->

From 00185b9a96a2a4b9b5d32725210327a3ff1ce7d9 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Mon, 10 Jul 2023 13:11:57 -0400
Subject: [PATCH 448/471] Fix some inactive/broken rules and filtering

---
 sysmonconfig-export.xml | 35 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 7266ab8b..2aeba08c 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -304,10 +304,7 @@
 			</Rule>
 			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Suspicious wscript commands,Risk=60" groupRelation="and">
 				<Image condition="image">wscript.exe</Image>
-				<CommandLine condition="contains">.jse</CommandLine>
-				<CommandLine condition="contains">.js</CommandLine>
-				<CommandLine condition="contains">.vba</CommandLine>
-				<CommandLine condition="contains">.vbe</CommandLine>
+				<CommandLine condition="contains any">.jse;.js;.vba;.vbe</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious scripting to dll commands,Risk=70" groupRelation="and">
 				<ParentImage condition="contains any">\wscript.exe;\cscript.exe</ParentImage>
@@ -321,10 +318,7 @@
 			</Rule>
 			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=cscript execution,Risk=60" groupRelation="and">
 				<Image condition="image">cscript.exe</Image>
-				<CommandLine condition="contains">.js</CommandLine>
-				<CommandLine condition="contains">.jse</CommandLine>
-				<CommandLine condition="contains">.vba</CommandLine>
-				<CommandLine condition="contains">.vbe</CommandLine>
+				<CommandLine condition="contains any">.jse;.js;.vba;.vbe</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Suspicious or Malicious mshta exec,Risk=70" groupRelation="and">
 				<CommandLine condition="contains any">mshta vbscript:CreateObject("Wscript.Shell");mshta vbscript:Execute("Execute;mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe;javascript:a=</CommandLine>
@@ -2484,10 +2478,10 @@
 				<CommandLine condition="image">start-bitstransfer</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">expand \\</CommandLine>
+				<CommandLine condition="contains all">expand;\\</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">expand.exe \\</CommandLine>
+				<CommandLine condition="contains all">expand.exe;\\</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" groupRelation="and">
 				<CommandLine condition="contains">ieexec http</CommandLine>
@@ -2505,10 +2499,10 @@
 				<CommandLine condition="contains any">esentutl.exe /y \\;esentutl.exe -y \\</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">extrac32 \\</CommandLine>
+				<CommandLine condition="contains all">extrac32;\\</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">extrac32.exe \\</CommandLine>
+				<CommandLine condition="contains all">extrac32.exe;\\</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
@@ -2650,10 +2644,16 @@
 				<CommandLine condition="contains">erase</CommandLine>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=2,Alert=vShadow Commands" groupRelation="and">
-				<CommandLine condition="contains">-nw -exec=</CommandLine>
+				<CommandLine condition="contains all">-nw;-exec=</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=2,Alert=vShadow Commands" groupRelation="and">
+				<CommandLine condition="contains all">/nw;/exec=</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=vShadow Commands" groupRelation="and">
+				<CommandLine condition="contains all">-p;-nw</CommandLine>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=vShadow Commands" groupRelation="and">
-				<CommandLine condition="contains">-p -nw</CommandLine>
+				<CommandLine condition="contains all">/p;/nw</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with shred Detected,Risk=100" groupRelation="and">
 				<Image condition="contains">shred</Image>
@@ -2678,8 +2678,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
 			<Rule name="Attack=T1107,Technique=File Deletion,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=FSUtil USN Journal Deletion,Risk=60" groupRelation="and">
 				<Image condition="image">fsutil.exe</Image>
-				<CommandLine condition="contains">deletejournal</CommandLine>
-				<CommandLine condition="contains">usn</CommandLine>
+				<CommandLine condition="contains all">usn;deletejournal</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
 			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
@@ -2950,7 +2949,7 @@
 				<ParentImage condition="image">C:\Windows\System32\wbem\WmiPrvSE.exe</ParentImage>
 			</Rule>
 			<Rule name="exclude armoury Crate from cmdline file deletion rule" groupRelation="and">
-				<ParentImage condition="excludes">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</ParentImage>
+				<ParentImage condition="image">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</ParentImage>
 			</Rule>
 		</ProcessCreate>
 	</RuleGroup>
@@ -9680,7 +9679,7 @@
 				<Image condition="begin with">C:\Users\</Image>
 				<Image condition="contains">Content.Outlook</Image>
 			</Rule>
-			<Rule name="Attack=T1036.008,Technique=Masquerading: Masquerade File Type,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Pe File Detected under Unusual File extension,Risk=10" groupRelation="or">
+			<Rule name="Attack=T1036.008,Technique=Masquerading: Masquerade File Type,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Pe File Detected under Unusual File extension,Risk=10" groupRelation="and">
 				<TargetFilename condition="not end with">.exe</TargetFilename>
 				<TargetFilename condition="not end with">.dll</TargetFilename>
 				<TargetFilename condition="not end with">.sys</TargetFilename>

From 91c9f540009ca4a94224d38d45d3e4837fc045c0 Mon Sep 17 00:00:00 2001
From: ionstorm <ionstorm@peertopeerecash.com>
Date: Mon, 10 Jul 2023 16:06:46 -0400
Subject: [PATCH 449/471] Re-enable Browser Extension monitoring for Chrome,
 added MITRE Tagging

---
 sysmonconfig-export.xml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 2aeba08c..c618df01 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -6753,10 +6753,10 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CIA Vault7: https://wikileaks.org/ciav7p1/cms/page_16384212.html" groupRelation="and">
 				<TargetFilename condition="contains">.mht</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Chrome Extensions" groupRelation="and">
+			<Rule name="Attack=T1176,Technique=Browser Extensions,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Chrome Extensions" groupRelation="and">
 				<TargetFilename condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Chrome extension" groupRelation="and">
+			<Rule name="Attack=T1176,Technique=Browser Extensions,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Chrome extension auditing" groupRelation="and">
 				<TargetFilename condition="end with">.crx</TargetFilename>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=ClickOnce extension" groupRelation="and">
@@ -7123,11 +7123,16 @@
 			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
 
 			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Chrome Extension auditing" groupRelation="and">
+			<Rule name="Attack=T1176,Technique=Browser Extensions,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Old Chrome Extension auditing" groupRelation="and">
 				<TargetObject condition="contains">Google\Chrome\Extensions</TargetObject>
 				<TargetObject condition="end with">update_url</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
+			<Rule name="Attack=T1176,Technique=Browser Extensions,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Chrome Extension auditing" groupRelation="and">
+				<TargetObject condition="contains">Google\Chrome</TargetObject>
+				<TargetObject condition="contains">extensions.settings</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Forced password reset detected" groupRelation="and">
 				<TargetObject condition="contains">ForcePasswordReset</TargetObject>
@@ -8111,7 +8116,6 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AutoStart on Disconnect" groupRelation="and">
 				<TargetObject condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
 			</Rule>
-			<!-- <TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Chrome Extensions" condition="contains">PreferenceMACs\Default\extensions.settings</TargetObject> Nosiy and doesn't seem to provide helpful information. -->
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CurrentVersion URL Key" groupRelation="and">
 				<TargetObject condition="contains">CurrentVersion\URL</TargetObject>
 			</Rule>

From 3ee217b7414a17e7916d3edaf4da1b0798a6508e Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Wed, 6 Sep 2023 10:40:46 -0400
Subject: [PATCH 450/471] Add files via upload

---
 sysmonconfig-export.xml | 43 ++++++++++++++++++++++++++---------------
 1 file changed, 27 insertions(+), 16 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f439018a..c29e6938 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -4,8 +4,8 @@
 	 _\ \/ // (_-</  ' \/ _ \/ _ \  / __ |/ /   / /  > _/_ _/ /__/ ,<   
 	/___/\_, /___/_/_/_/\___/_//_/ /_/ |_/_/   /_/  |_____/ \___/_/|_|  
 		/___/                                                           
-	Author:	ionstorm
-	Contributors: NerbalOne
+	Author:	@ionstorm
+	Contributors: @NerbalOne, @cyberkryption
 	Project:	https://github.com/ion-storm/sysmon-config
 	License:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
 	Methodology: Detect the most Techniques per data source in MITRE ATT&CK.
@@ -52,13 +52,11 @@
 				 Critical Risk: 90-100
 				 
 				 Levels: (from Sigma)
-				 (0) informational: Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered 
-				 by such rules because it is expected that a huge amount of events will match these rules.
-				 (1) low: Notable event but rarely an incident. Low rated events can be relevant in high numbers or combination with others. 
-				 Immediate reaction shouldn't be necessary, but a regular review is recommended.
-				 (2) medium: Relevant event that should be reviewed manually on a more frequent basis.
-				 (3) high: Relevant event that should trigger an internal alert and requires a prompt review.
-				 (4) critical: Highly relevant event that indicates an incident. Critical events should be reviewed immediately.
+				 (0) Informational: Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered by such rules because it is expected that a huge amount of events will match these rules.
+				 (1) Low: Notable event but rarely an incident. Low rated events can be relevant in high numbers or combination with others. Immediate reaction shouldn't be necessary, but a regular review is recommended.
+				 (2) Medium: Relevant event that should be reviewed manually on a more frequent basis.
+				 (3) High: Relevant event that should trigger an internal alert and requires a prompt review.
+				 (4) Critical: Highly relevant event that indicates an incident. Critical events should be reviewed immediately.
 				 
 				 False Positive Rates: (FP=?)
 				 (0) Zero False Positives rate
@@ -75,11 +73,10 @@
 				 
 				 Other Notes:
 				 The Rulename field has a hard limit of 255 characters, make the best of the size available, shorten tags and descriptions as needed.
-				 Add exclusions in line enclosed within a Compound rule rather than a global exclusion list.
+				 Add exclusions in line enclosed within a compound rule rather than a global exclusion list.
 				 
 				 Contribution Guidelines:
-				 Always submit new rule requests/pull requests in this format where possible, if the rule is highly accurate and should fire off a SIEM Alert replace Desc= with Alert=, 
-				 See Risk ratings and levels above for guidance.  
+				 Always submit new rule requests/pull requests in this format where possible, if the rule is highly accurate and should fire off a SIEM Alert replace Desc= with Alert=. See Risk ratings and levels above for guidance.  
 				 Example Rule:
 				<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=Your Description Here,Author=YourTwitter/Github" groupRelation="and">
 					<Your Rule Here/>
@@ -265,7 +262,7 @@
 				<ParentImage condition="contains any">C:\Users\;$Recycle;\Temp\;\Downloads\</ParentImage>
 				<CommandLine condition="is">\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1</CommandLine>
 				<Image condition="image">conhost.exe</Image>
-				<ParentImage condition="excludes any">C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\Msp.Ecosystem.Discovery.exe;TCIntegratorCommHelper.exe</ParentImage>
+				<ParentImage condition="excludes any">C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\Msp.Ecosystem.Discovery.exe;TCIntegratorCommHelper.exe</ParentImage> <!--NCentral exclusions-->
 			</Rule>
 			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Console Host Parents,Risk=30" groupRelation="and">
 				<ParentImage condition="contains any">svchost.exe;lsass.exe;services.exe;smss.exe;winlogon.exe;explorer.exe;dllhost.exe;rundll32.exe;regsvr32.exe;userinit.exe;winit.exe;spoolsv.exe;wermgr.exe;csrss.exe;ctfmon.exe;werfault.exe</ParentImage>
@@ -519,7 +516,7 @@
 				<CommandLine condition="contains any">/create;-create;/change;-change</CommandLine>
 				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
 				<ParentImage condition="excludes">C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe</ParentImage>
-				<CommandLine condition="excludes">Sentinel\AutoRepair</CommandLine>
+				<CommandLine condition="excludes">Sentinel\AutoRepair</CommandLine> <!--SentinelOne exclusion-->
 				<CommandLine condition="excludes">Update_Sysmon_Rules</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scheduled Task Created,Risk=100" groupRelation="and">
@@ -529,7 +526,7 @@
 			<Rule name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Schtasks task Run,Risk=60" groupRelation="and">
 				<Image condition="image">schtasks.exe</Image>
 				<CommandLine condition="contains any">/Run;-run</CommandLine>
-				<CommandLine condition="excludes">Sentinel\AutoRepair</CommandLine>
+				<CommandLine condition="excludes">Sentinel\AutoRepair</CommandLine> <!--SentinelOne exclusion-->
 				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
 			</Rule>
 			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=Child process from schtasks" groupRelation="and">
@@ -9633,7 +9630,7 @@
 				<TargetFilename condition="begin with">C:\Users\</TargetFilename>
 				<TargetFilename condition="contains">\Downloads</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1036.008,Technique=Masquerading: Masquerade File Type,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Pe File Detected under Unusual File extension,Risk=10" groupRelation="or">
+			<Rule name="Attack=T1036.008,Technique=Masquerading: Masquerade File Type,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=PE File Detected under Unusual File extension,Risk=10" groupRelation="or">
 				<TargetFilename condition="not end with">.exe</TargetFilename>
 				<TargetFilename condition="not end with">.dll</TargetFilename>
 				<TargetFilename condition="not end with">.sys</TargetFilename>
@@ -9653,6 +9650,20 @@
 	</RuleGroup>
 	<RuleGroup name="RG=FileExecutable Excludes" groupRelation="or">
 		<FileExecutableDetected onmatch="exclude">
+			<Rule name="SmartGit Exclusion" groupRelation="and"> <!-- Noisy on install -->
+				<TargetFilename condition="begin with">C:\Users</TargetFilename>
+				<TargetFilename condition="contains">Appdata</TargetFilename>
+				<TargetFilename condition="contains">smartgit</TargetFilename>
+			</Rule>
+			<Rule name="NCentral Exclusion" groupRelation="or">
+				<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</Image>
+				<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe</Image>
+				<TargetFilename condition="end with">Msp.Ecosystem.Discovery.exe</TargetFilename>
+			</Rule>
+			<Rule name="Windows Defender Exclusion" groupRelation="and">
+				<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\Platform</Image>
+				<Image condition="end with">MsMpEng.exe</Image>
+			</Rule>
 		</FileExecutableDetected>
 	</RuleGroup>
 	</EventFiltering>

From ee20ccd3a9b399255a7e12c25e434ea92a426795 Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Wed, 6 Sep 2023 13:28:03 -0400
Subject: [PATCH 451/471] Added changes from @ionstorm config.

---
 sysmonconfig-export.xml | 1115 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 1093 insertions(+), 22 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index c29e6938..9016300b 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -262,7 +262,7 @@
 				<ParentImage condition="contains any">C:\Users\;$Recycle;\Temp\;\Downloads\</ParentImage>
 				<CommandLine condition="is">\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1</CommandLine>
 				<Image condition="image">conhost.exe</Image>
-				<ParentImage condition="excludes any">C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\Msp.Ecosystem.Discovery.exe;TCIntegratorCommHelper.exe</ParentImage> <!--NCentral exclusions-->
+				<ParentImage condition="excludes any">C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\Msp.Ecosystem.Discovery.exe;TCIntegratorCommHelper.exe;\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe</ParentImage> <!--NCentral and Nvidia exclusions-->
 			</Rule>
 			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Console Host Parents,Risk=30" groupRelation="and">
 				<ParentImage condition="contains any">svchost.exe;lsass.exe;services.exe;smss.exe;winlogon.exe;explorer.exe;dllhost.exe;rundll32.exe;regsvr32.exe;userinit.exe;winit.exe;spoolsv.exe;wermgr.exe;csrss.exe;ctfmon.exe;werfault.exe</ParentImage>
@@ -518,6 +518,7 @@
 				<ParentImage condition="excludes">C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe</ParentImage>
 				<CommandLine condition="excludes">Sentinel\AutoRepair</CommandLine> <!--SentinelOne exclusion-->
 				<CommandLine condition="excludes">Update_Sysmon_Rules</CommandLine>
+				<ParentImage condition="excludes">C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scheduled Task Created,Risk=100" groupRelation="and">
 				<OriginalFileName condition="is">taskeng.exe</OriginalFileName>
@@ -532,7 +533,7 @@
 			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=Child process from schtasks" groupRelation="and">
 				<ParentImage condition="image">schtasks.exe</ParentImage>
 				<ParentCommandLine condition="excludes">schtasks /TN RtkAudUService64_BG</ParentCommandLine>
-				<ParentCommandLine condition="excludes any">-change;/change;-delete;/delete;-create;/create;Update_Sysmon_Rules</ParentCommandLine>
+				<ParentCommandLine condition="excludes any">-change;/change;-delete;/delete;-create;/create;Update_Sysmon_Rules;AMDRyzenMasterSDKTask</ParentCommandLine>
 			</Rule>
 			<Rule name="Attack=T1053.002,Technique=Scheduled Task/Job: At,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=at.exe Task scheduler execution" groupRelation="and">
 				<Image condition="image">at.exe</Image>
@@ -686,6 +687,8 @@
 			</Rule>
 			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Suspicious Directory Traversal" groupRelation="and">
 				<CommandLine condition="contains any">..\;\..</CommandLine>
+				<ParentImage condition="excludes all">C:\Program Files;\Razer\Synapse3\Service\Razer Synapse Service.exe</ParentImage>
+				<Image condition="excludes all">C:\Program Files;\Razer\;\UserProcess\Razer Synapse Service Process.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Formbook detections" groupRelation="and">
 				<CommandLine condition="contains any">\cmd.exe /c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe /c del "C:\Users\*\Desktop\*.exe;\cmd.exe -c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe -c del "C:\Users\*\Desktop\*.exe</CommandLine>
@@ -957,9 +960,13 @@
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
 			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=netsh Firewall Rule Deletion,Risk=40" groupRelation="and">
 				<CommandLine condition="contains">firewall delete</CommandLine>
+				<ParentCommandLine condition="excludes all">ROGLiveService;C:\Program Files\ASUS\ROG Live Service\ROGLiveService.exe</ParentCommandLine>
+				<ParentImage condition="excludes">C:\Program Files\ASUS\ROG Live Service\RLSInstallAction.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh Firewall Rule Creation,Risk=40" groupRelation="and">
 				<CommandLine condition="contains">firewall add</CommandLine>
+				<ParentCommandLine condition="excludes all">cmd.exe;ROGLiveService;C:\Program Files\ASUS\ROG Live Service\ROGLiveService.exe;enable=yes</ParentCommandLine>
+				<ParentImage condition="excludes">C:\Program Files\ASUS\ROG Live Service\RLSInstallAction.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=netsh firewall disablement,Risk=40" groupRelation="and">
 				<CommandLine condition="contains">firewall set opmode disable</CommandLine>
@@ -1047,6 +1054,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=suspicious execution path,Risk=30" groupRelation="and">
 				<Image condition="contains any">C:\Users\NetworkService\;C:\Users\NetworkService\;HarddiskVolumeShadowCopy;C:\Users\Default\;C:\Users\Public;C:\Users\Guest\;\administrateur\;C:\Windows\Media\;C:\Windows\addins\;tsclient\;\htdocs\;\config\systemprofile\;C:\PerfLogs\;c:\windows\ServiceProfiles\;C:\Intel\Logs\;C:\Windows\repair\;C:\Windows\Help\;$Recycle;C:\Windows\Debug\;C:\Windows\Security\;C:\Windows\Fonts\;\wwwroot\;\Contacts;C:\Windows\vss\</Image>
+				<ParentImage condition="excludes all">C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;\CitrixReceiverUpdater.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Alert=Double File Extension,Risk=100" groupRelation="or">
 				<Image condition="end with">      .exe</Image>
@@ -2473,10 +2481,10 @@
 				<CommandLine condition="image">start-bitstransfer</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">expand \\</CommandLine>
+				<CommandLine condition="contains all">expand;\\</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">expand.exe \\</CommandLine>
+				<CommandLine condition="contains all">expand.exe;\\</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" groupRelation="and">
 				<CommandLine condition="contains">ieexec http</CommandLine>
@@ -2494,10 +2502,10 @@
 				<CommandLine condition="contains any">esentutl.exe /y \\;esentutl.exe -y \\</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">extrac32 \\</CommandLine>
+				<CommandLine condition="contains all">extrac32;\\</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">extrac32.exe \\</CommandLine>
+				<CommandLine condition="contains all">extrac32.exe;\\</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
@@ -2639,10 +2647,16 @@
 				<CommandLine condition="contains">erase</CommandLine>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=2,Alert=vShadow Commands" groupRelation="and">
-				<CommandLine condition="contains">-nw -exec=</CommandLine>
+				<CommandLine condition="contains all">-nw;-exec=</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=2,Alert=vShadow Commands" groupRelation="and">
+				<CommandLine condition="contains all">/nw;/exec=</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=vShadow Commands" groupRelation="and">
+				<CommandLine condition="contains all">-p;-nw</CommandLine>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=vShadow Commands" groupRelation="and">
-				<CommandLine condition="contains">-p -nw</CommandLine>
+				<CommandLine condition="contains all">/p;/nw</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with shred Detected,Risk=100" groupRelation="and">
 				<Image condition="contains">shred</Image>
@@ -2667,8 +2681,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
 			<Rule name="Attack=T1107,Technique=File Deletion,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=FSUtil USN Journal Deletion,Risk=60" groupRelation="and">
 				<Image condition="image">fsutil.exe</Image>
-				<CommandLine condition="contains">deletejournal</CommandLine>
-				<CommandLine condition="contains">usn</CommandLine>
+				<CommandLine condition="contains all">usn;deletejournal</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
 			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
@@ -2678,7 +2691,8 @@
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<Rule name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Malicious Keywords from Exploitation Frameworks,Author=Florian Roth" groupRelation="and">
-			<CommandLine condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
+				<CommandLine condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
+				<Image condition="excludes all">C:\Program Files;\LightingService\AsusInstallVerifier.exe</Image>
 			</Rule>
 			<!--Crypto Currency Miner Detections-->
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
@@ -2937,6 +2951,9 @@
 				<Image condition="image">C:\Windows\System32\WerFault.exe</Image>
 				<ParentImage condition="image">C:\Windows\System32\wbem\WmiPrvSE.exe</ParentImage>
 			</Rule>
+			<Rule name="exclude armoury Crate from cmdline file deletion rule" groupRelation="and">
+				<ParentImage condition="image">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</ParentImage>
+			</Rule>
 		</ProcessCreate>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
@@ -5124,6 +5141,7 @@
 				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git;\Intel\Driver and Support Assistant\DSAService.exe;C:\Program Files (x86)\N-able Technologies\AutomationManagerAgent\;C:\Program Files (x86)\MspPlatform\RequestHandlerAgent\RequestHandlerAgent.exe;C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe;C:\ProgramData\Cavelo\jre\bin\java.exe;C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe;C:\Program Files\Cavelo\Cavelo Agent\parser.exe</SourceImage>
 				<SourceImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\NGenTask.exe</SourceImage>
 				<TargetImage condition="excludes any">\Intel\Driver and Support Assistant\</TargetImage>
+				<TargetImage condition="excludes any">C:\Program Files\AMD\CNext\CNext\Radeonsoftware.exe;C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.UserSessionHelper.exe</TargetImage>
 				<TargetImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\ngen.exe</TargetImage>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
@@ -5264,6 +5282,7 @@
 				<TargetFilename condition="begin with">C:\Windows\SoftwareDistribution</TargetFilename>
 				<TargetFilename condition="not begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch</TargetFilename>
 				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="excludes">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Creation,Level=0,Desc=MSBuild Source Files created" groupRelation="or">
 				<TargetFilename condition="end with">proj</TargetFilename>
@@ -5299,6 +5318,7 @@
 			</Rule>
 			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=BIN file created" groupRelation="and">
 				<TargetFilename condition="end with">.bin</TargetFilename>
+				<Image condition="excludes any">C:\Windows\System32\WUDFHost.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WMI Shell artifacts" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
@@ -5436,6 +5456,8 @@
 				<TargetFilename condition="contains any">!!!-WARNING-!!!.html;!!!-WARNING-!!!.txt;!!! HOW TO DECRYPT FILES !!!;!!!README!!!;!!!READ_TO_UNLOCK!!!.TXT;!!!_READ_ME_;!Recovery_;!Where_are_my_files!.html;!_HOW_TO_RESTORE_;!_RECOVERY_HELP_!.txt;!recover!;# DECRYPT MY FILES #.html;# DECRYPT MY FILES #.txt;# DECRYPT MY FILES #.vbs;# SATAN CRYPTOR #;+recover+;.8lock8;.31392E30362E32303136_;.ABCDEF;.CIop;.CR1;.CRAB;.CRYPTOSHIELD;.Cl0p;.Contact_Here_To_Recover_Your_Files.txt;.CryptoTorLocker2015!;.HERMES;.HakunaMatata;.How_To_Decrypt.txt;.How_To_Get_Back.txt;.KEYZ.KEYH0LES;.L0CKED;.LOL!;.MATRIX;.OMG!;.R.i.P;.RMCM1;.RSplited;.SUPERCRYPT;.SecureCrypted;.TheTrumpLocker;.VBRANSOM;.VforVendetta;.Where_my_files.txt;.XBTL;._AiraCropEncrypted!;.airacropencrypted!;.areyoulovemyrans;.berkshire;.bitpy;.bitx;.blocatto;.bomber;.braincrypt;.breakingbad;.breeding123;.cerber;.cifgksaffsfyghd;.country82000;.crypt;.crypted;.crypton;.cryptotorlocker;.decrypt2017;.deria;.dglnl;.disposed2017;.doomed;.encrypted.locked;.encrypted;.encryptedyourfiles;.enjey;.evillock;.filegofprencrp;.fileiscryptedhard;.firecrypt;.fuckyourdata;.gangbang;.gefickt;.googl;.happydayzz;.hceem;.helpdecrypt;.helpmeencedfiles;.hnumkhotep;.hydracrypt_ID;.iaufkakfhsaraf;.info.txt;.jimm;.kharma;.killedXXX;.lambda_l0cked;.letmetrydecfiles;.locked;.locker16;.loveransisgood;.lovewindows;.magic_software_syndicate;.mention9823;.moments2900;.myrandsext2017;.newlock;.no_more_ransom;.nochance;.noproblemwedecfiles;.notfoundrans;.ohwqg;.one-we_can-help_you;.oops;.osiris;.otherinformation;.paytounlock;.powerfulldecrypt;.powned;.pr0lock;.prolock;.prosperous666;.pwnd;.ransom;.readme2unlock;.righ;.roger;.ryk;.satan;.savethequeen;.sigaint.org;.skjdthghh;.skynet;.snatch;.stubbin;.supported2017;.suppose666;.theworldisyours;.txd0t;.warn_wallet;.weapologize;.weareyourfriends;.weencedufiles;.wowreadfordecryp;.wowwhereismyfiles;.wvtr0;.yourransom;.zzzzz ;.{CRYPTENDBLACKDC};-DECRYPT.txt;000-IF-YOU-WANT-DEC-FILES;000-No-PROBLEM-WE-DEC-FILES;000-PLEASE-READ-WE-HELP;001-READ-FOR-DECRYPT-FILES;1025-7152.exe;:\windows\update_collector.exe;=READ=THIS=PLEASE=;@cock.li;@countermail.com;@firemail.cc;@india.com;@mail.ru;@ukr.net;ASSISTANCE_IN_RECOVERY;ATTENTION!!!.txt;ATTENTION.url;Aescrypt.exe;AllFilesAreLocked;BTC_DECRYPT_FILES;BUYUNLOCKCODE.txt;BUYUNLOCKCODE;BitCryptorFileList.txt;C:\ProgramData\dtb.dat;C:\Programdata\WinMgr;C:\Programdata\clean.bat;C:\Programdata\run.bat;C:\Windows\svchost.exe;CEBER3;CHECK-IT-HELP-FILES;COME_RIPRISTINARE_I_FILE.;COMO_ABRIR_ARQUIVOS.txt;COMO_RESTAURAR_ARCHIVOS;Coin.Locker.txt;Comment débloquer mes fichiers.txt;Como descriptografar seus arquivos.txt;Corona-virus-Map;Corona.bat;Corona.sfx;CryptoRansomware;Crytp0l0cker;Cyber SpLiTTer Vbs.exe;Cyborg_DECRYPT;DALE_FILES.TXT;DECRYPT-FILES;DECRYPTION INSTRUCTIONS.;DECRYPTION_HOWTO.Notepad;DECRYPT_INFORMATION;DECRYPT_INSTRUCTION.HTML;DECRYPT_INSTRUCTION.URL;DECRYPT_INSTRUCTIONS.html;DECRYPT_INSTRUCTIONS;DECRYPT_ReadMe1.TXT;DECRYPT_Readme.TXT.ReadMe;DECRYPT_YOUR_FILES;DESIFROVANI_POKYNY.html;Decrypt All Files;DecryptAllFiles;DecryptFile;Decrypt_readme.txt;DesktopOsiris;ENTSCHLUSSELN_HINWEISE.html;EdgeLocker;FILESAREGONE.txt;FILES_BACK.txt;File Decrypt Help.html;GJENOPPRETTING_AV_FILER;GetYouFiles.txt;HAPPEN-ENCED-FILES;HELLOTHERE.TXT;HELP-ME-ENCED-FILES;HELPDECRYPT_YOUR_FILES.HTML;HELP_DECRYPT.HTML;HELP_DECRYPT.PNG;HELP_DECRYPT.URL;HELP_DECRYPT.lnk;HELP_ME_PLEASE.txt;HELP_RESTORE_FILES_;HELP_TO_SAVE_FILES.bmp;HELP_TO_SAVE_FILES;HELP_YOURFILES.HTML;HELP_YOUR_FILES.PNG;HELP_YOUR_FILES.html;HELP_YOUR_FILES;HOW-TO-DECRYPT-FILES.HTML;HOW-TO-RESTORE-FILES;HOW TO BACK YOUR FILES;HOW TO DECRYPT FILES.HTML;HOW TO DECRYPT FILES.txt;HOW TO RECOVER;HOWTO_RECOVER_FILES_;HOWTO_RESTORE_FILES;HOWTO_RESTORE_FILES_;HOW_DECRYPT.HTML;HOW_DECRYPT.TXT;HOW_DECRYPT.URL;HOW_OPEN_FILES;HOW_TO_DECRYPT.HTML;HOW_TO_DECRYPT_;HOW_TO_PAY_THE_RANSOM;HOW_TO_RESTORE_FILES.html;HOW_TO_RESTORE_FILES;HOW_TO_RESTORE_YOUR_DATA;HOW_TO_UNLOCK_FILES_README_;HWID Lock.exe;Hacked_Read_me_to_decrypt_files.html;Help Decrypt.html;How decrypt files.hta;How to decrypt LeChiffre files.html;How to decrypt your data.txt;HowDecrypt.gif;HowDecrypt.txt;How_to_decrypt_your_files.jpg;How_to_restore_files.hta;HowtoRestore_File;HowtoRestore_Files;Howto_RESTORE_FILES.html;Howto_Restore_FILES.TXT;IAMREADYTOPAY.TXT;IF-YOU-WANT-DEC-FILES;IF_WANT_FILES_BACK_PLS_READ.html;IHAVEYOURSECRET.KEY;IMPORTANT READ ME.txt;IMPORTANT.README;INSTALL_TOR.URL;INSTRUCCIONES;INSTRUCCIONES_DESCIFRADO.html;INSTRUCTION RESTORE FILE;INSTRUCTIONS_DE_DECRYPTAGE.html;INSTUCCIONES_DESCRIFRADO;ISTRUZIONI_DECRITTAZIONE.html;Important!.txt;Instructionaga.txt;KryptoLocker_README.txt;LEER_INMEDIATAMENTE;LET-ME-TRY-DEC-FILES;Locked-by-Mafia;MENSAGEM.txt;MERRY_I_LOVE_YOU_BRUCE.hta;No-PROBLEM-WE-DEC-FILES;OKSOWATHAPPENDTOYOURFILES.TXT;ONTSLEUTELINGS_INSTRUCTIES.html;OSIRIS-;PAYLOADBIN;PINGY@INDIA.COM;PLEASE-READ-WE-HELP.;PLEASE-READIT-IF_YOU-WANT.html;PLEASE-READIT-IF_YOU-WANT;PLEASE-README-AFFECTED-FILES;PLS-DEC-MY-FILES;PURELOCKER;Payment_Instructions.jpg;Please Read Me!!!;READ-FOR-DECCCC-FILESSS;READ-FOR-DECRYPT-FILES;READ-READ-READ;READ IF YOU WANT YOUR FILES BACK.html;READ ME FOR DECRYPT.txt;README HOW TO DECRYPT YOUR FILES.HTML;README!!!;README_DECRYPT_HYDRA_ID_;README_DECRYPT_HYRDA_ID_;README_DECRYPT_UMBRE_ID_;README_DONT_DELETE;README_HOW_TO_UNLOCK.HTML;README_HOW_TO_UNLOCK.TXT;README_RECOVER_FILES_;README_TO_RECURE_YOUR_FILES;READTHISNOW!!!.txt;READ_IT.txt;READ_ME_!.txt;READ_ME_TO_DECRYPT_YOU_INFORMA;READ_THIS_TO_DECRYPT.html;RECOVER-FILES;RECOVERY_FILE.;RECOVERY_FILES.TXT;RECOVER_MY_FILE;RESTORE_CORUPTED_FILES;RESTORE_FILES_;RETURN FILES.txt;RETURN YOUR FILES;RETURNFILES_.txt;RETURN_FILES.txt;RETURN_FILES_.txt;Rans0m_N0te_Read_ME;Read Me (How Decrypt) !!!!.txt;ReadDecryptFilesHere;Read_this_file.txt;Receipt.exe;RecoveryManual.html;Recovery_File_;Recovery_file_;Rooster865qq;SECRET.KEY;SECRETIDHERE.KEY;SHTODELATVAM.txt;SIFRE_COZME_TALIMATI.html;SORRY-FOR-FILES;Survey Locker.exe;TRY-READ-ME-TO-DEC;Temp\satan\satan;ThxForYurTyme;UNLOCK_FILES_INSTRUCTIONS.html;UNLOCK_FILES_INSTRUCTIONS.txt;UnblockFiles.vbs;VIP72.exe;Vape Launcher.exe;WANT_FILES_BACK;WE-MUST-DEC-FILES;WHERE-YOUR-FILES;WORMKILLER@INDIA.COM.XTBL;What happen to my files.txt;Whereisyourfiles;WindowsApplication1.exe;YOUGOTHACKED.TXT;YOUR_FILES.txt;YOUR_FILES.url;YOUR_FILES_ARE_DEAD;YOUR_FILES_ARE_ENCRYPTED.HTML;YOUR_FILES_ARE_ENCRYPTED.TXT;YOUR_FILES_ARE_LOCKED.txt;Your files are locked !!!!.txt;Your files are locked !!!.txt;Your files are locked !!.txt;Your files are locked !.txt;Your files encrypted by our friends !!! txt;Your files encrypted by our friends !!!.txt;[KASISKI];_Adatok_visszaallitasahoz_utasitasok;_DECRYPT_ASSISTANCE_;_DECRYPT_INFO_;_DECRYPT_INFO_szesnl;_DEC_FILES.;_FILES_WERE_ENCRYPTED_@.TXT;_HELP_HELP_HELP_;_HELP_Recover_Files_;_HELP_instructions.bmp;_HELP_instructions.txt;_HOWDO_text.bmp;_HOWDO_text.html;_HOW_TO_Decrypt;_H_e_l_p_RECOVER_INSTRUCTIONS+;_H_e_l_p_RECOVER_INSTRUCTIONS;_Locky_recover;_Locky_recover_instructions.bmp;_Locky_recover_instructions.txt;_README.hta;_README.jpg;_READ_ME!;_RECOVER_INSTRUCTIONS;_ReCoVeRy_+;_USE_TO_FIX_;_WHAT_is.html;_help_instruct;_how_recover.txt;_how_recover;_how_recover_;_recover_;_secret_code.txt;_steaveiwalker@india.com_;aeroware;confirmation.key;contains(to_string($message.file_created), "howrecover+;crjoker.html;cryptinfo.txt;cryptolocker.;cryptopp;de_crypt_readme.;de_crypt_readme.bmp;de_crypt_readme.html;de_crypt_readme.txt;decipher_ne;decrypt-instruct;decrypt explanations.;decrypt my file;decrypt your file;decrypt_Globe;decrypt_instruct;decrypted_files.dat;decryptional;decryptmyfiles;decypt_your_files.html;default32643264.bmp;default432643264.jpg;email-salazar_slytherin10;enc_files.txt;encryptor_raas_readme_liesmich;enigma.hta;enigma_encr.txt;exit.hhr.obleep;fattura_;file0locked;files_are_encrypted.;-filesencrypted;firemail.cc;firstransomware.exe;gmx.de;hacks.at.sigaint.org;help-file-decrypt.enc;help_decrypt;help_file_;help_instructions.;help_my_files;help_recover;help_recover_instructions;help_restore;help_restore_files;help_your_file;helpmeencedfiles;how to decrypt aes files.lnk;how to decrypt;how to get data.txt;how_decrypt.gif;how_recover;how_to_decrypt;how_to_recover;howrecover+ recoveryfile_;howrecover+;howto_recover_file;howto_restore;howtodecrypt;howtodecryptaesfiles.txt;inbox.ru;info@kraken.cc_worldcza@email.cz;install_tor;iran.ir;last_chance.txt;maestro@pizzacrypts.info;maxcrypt.bmp;only-we_can-help_you;openforyou@india.com;opensourcemail.org;padcrypt;paycrypt.bmp;popcorn_time.exe;powerfulldecrypt;protonmail.ch;qbmail.biz;randomname;readme_decrypt;readme_for_decrypt;readme_liesmich_encryptor_raas;recover_file;recover_file_;recover_instruction;recoverfile;recoverfile_;recovery+;recovery_file.txt;recovery_key.txt;recoveryfile;recover}-;restore_files.txt;restorefiles;restorefiles_;ryukreadme.html;tuta.io;tutanota.com;tutanota.de;unCrypte;vault.hta;vault.key;vault.txt;want your files back.;warning-!!;wie_zum_Wiederherstellen_von_Dateien.txt;wowreadfordecryp;wowwhereismyfiles;zXz.html;zycrypt.;zzzzzzzzzzzzzzzzzyyy</TargetFilename>
 				<TargetFilename condition="excludes all">C:\Users\;\Google\Chrome Beta\User Data\;\IndexedDB\</TargetFilename>
 				<TargetFilename condition="excludes any">C:\Program Files\WindowsApps\Microsoft.YourPhone_;C:\Program Files\dotnet\shared\Microsoft.NETCore.App\;\Microsoft.NET\assembly\GAC_MSIL</TargetFilename>
+				<TargetFilename condition="excludes any">\System.Security.Cryptography</TargetFilename>
+				<Image condition="excludes any">Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" groupRelation="and">
 				<TargetFilename condition="contains">crackmapexec</TargetFilename>
@@ -5674,6 +5696,7 @@
 			</Rule>
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
+				<Image condition="excludes any">C:\Windows\System32\WUDFHost.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename>
@@ -5883,6 +5906,7 @@
 			</Rule>
 			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=BIN" groupRelation="and">
 				<TargetFilename condition="end with">.bin</TargetFilename>
+				<Image condition="excludes any">C:\Windows\System32\WUDFHost.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=CAB Archive" groupRelation="and">
 				<TargetFilename condition="end with">.cab</TargetFilename>
@@ -6732,10 +6756,10 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CIA Vault7: https://wikileaks.org/ciav7p1/cms/page_16384212.html" groupRelation="and">
 				<TargetFilename condition="contains">.mht</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Chrome Extensions" groupRelation="and">
+			<Rule name="Attack=T1176,Technique=Browser Extensions,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Chrome Extensions" groupRelation="and">
 				<TargetFilename condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Chrome extension" groupRelation="and">
+			<Rule name="Attack=T1176,Technique=Browser Extensions,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Chrome extension auditing" groupRelation="and">
 				<TargetFilename condition="end with">.crx</TargetFilename>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=ClickOnce extension" groupRelation="and">
@@ -6865,7 +6889,7 @@
 				<TargetFilename condition="contains">Temp\Temp1_</TargetFilename>
 			</Rule>
 			<!--Uncategorized-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=DotNet UsageLogs" groupRelation="and">
 				<TargetFilename condition="contains all">\Microsoft\;CLR_v;\UsageLogs\</TargetFilename>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
@@ -7102,11 +7126,16 @@
 			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
 
 			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Chrome Extension auditing" groupRelation="and">
+			<Rule name="Attack=T1176,Technique=Browser Extensions,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Old Chrome Extension auditing" groupRelation="and">
 				<TargetObject condition="contains">Google\Chrome\Extensions</TargetObject>
 				<TargetObject condition="end with">update_url</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
+			<Rule name="Attack=T1176,Technique=Browser Extensions,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Chrome Extension auditing" groupRelation="and">
+				<TargetObject condition="contains">Google\Chrome</TargetObject>
+				<TargetObject condition="contains">extensions.settings</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>								  
 			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Forced password reset detected" groupRelation="and">
 				<TargetObject condition="contains">ForcePasswordReset</TargetObject>
@@ -7141,6 +7170,9 @@
 				<EventType condition="is">SetValue</EventType>
 				<TargetObject condition="contains">\CurrentVersion\Run\</TargetObject>
 				<Image condition="excludes any">C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe;\AppData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
+				<Details condition="excludes all">C:\Program Files\Google\Drive File Stream;\GoogleDriveFS.exe;startup_mode</Details>
+				<Details condition="excludes all">C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;no-startup-window;win-session-start;prefetch</Details>
+				<Details condition="excludes all">\Application\chrome.exe;no-startup-window;win-session-start;prefetch</Details>
 			</Rule>
 			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Logon Logoff Shutdown Scripts" groupRelation="and">
 				<TargetObject condition="contains">\Microsoft\System\Scripts</TargetObject>
@@ -7433,7 +7465,7 @@
 				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\SnapshotCleanupTask\SD</TargetObject>
 				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office ClickToRun Service Monitor\SD</TargetObject>
 				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Automatic Updates 2.0\SD</TargetObject>
-				<TargetObject condition="excludes">Microsoft\Windows\UpdateOrchestrator</TargetObject>
+				<TargetObject condition="excludes any">Microsoft\Windows\UpdateOrchestrator;\AMDInstallLauncher\SD;\SD;ASUS Switch;\PowerToys\Autorun for </TargetObject>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Creation ID Key" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
@@ -7635,6 +7667,7 @@
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
 				<TargetObject condition="end with">\Enabled</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
+				<Image condition="excludes">C:\WINDOWS\system32\DrvInst.exe</Image> <!--Common Driver Installs-->
 			</Rule>
 			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Enabling of Windows Event Log Source" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
@@ -8302,10 +8335,10 @@
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
 			</Rule>
 			<!--DLLs that get injected into every process launch-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Monitoring: DLLs that get injected into every process launch" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Monitoring: DLLs that get injected into every process launch" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
 			</Rule>
 			<!--Office-->
@@ -8517,6 +8550,9 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Office Information" groupRelation="and">
 				<TargetObject condition="contains any">Root\InventoryMiscellaneousOfficeAddIn;Root\InventoryMiscellaneousOfficeIdentifiers;Root\InventoryMiscellaneousOfficeIESettings;Root\InventoryMiscellaneousOfficeInsights;Root\InventoryMiscellaneousOfficeProducts;Root\InventoryMiscellaneousOfficeSettings;Root\InventoryMiscellaneousOfficeVBA;Root\InventoryMiscellaneousOfficeVBARuleViolations</TargetObject>
 			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Registry Hive List" groupRelation="and">
+				<TargetObject condition="contains">\Control\hivelist</TargetObject>
+			</Rule>
 			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=ISO Drive Mounted" groupRelation="and">
 				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume</TargetObject>
 				<TargetObject condition="end with">Drive Type</TargetObject>
@@ -8771,10 +8807,10 @@
 			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Potential Ransomware Indicator: REvil Sodinokibi Sodin Ransomware,Risk=100" groupRelation="and">
 				<TargetObject condition="contains">Software\recfg</TargetObject>
 			</Rule>
-			<Rule name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Keyboard Layout Load" groupRelation="and">
+			<Rule name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Suspicious Keyboard Layout Load" groupRelation="and">
 				<TargetObject condition="contains">\Keyboard Layout\Preload\</TargetObject>
 			</Rule>
-			<Rule name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Keyboard Layout Load" groupRelation="and">
+			<Rule name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Suspicious Keyboard Layout Load" groupRelation="and">
 				<TargetObject condition="contains">\Keyboard Layout\Substitutes\</TargetObject>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" groupRelation="and">
@@ -8825,6 +8861,21 @@
 				<Image condition="begin with">C:\Program Files (x86)\ESET</Image>
 				<Image condition="begin with">C:\Program Files\ESET</Image>
 			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Browser Helper Object Contacted Domains" groupRelation="and">
+				<TargetObject condition="end with">\EnableBHO</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Printer Port Changes,CVE=CVE-2020-1048" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports</TargetObject> <!--Microsoft:Windows: Printer port changes as used in CVE-2020-1048 [ https://windows-internals.com/printdemon-cve-2020-1048/ ] -->
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=PrintNightmare Coverage,Author=Florian Roth" groupRelation="and">
+				<TargetObject condition="contains">Control\Print\Environments\Windows x64\Drivers</TargetObject> <!-- PrinterNightmare coverage -->
+			</Rule>
+			<Rule name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=NGenAssemblyUsageLog Tampering Detected" groupRelation="and">
+				<TargetObject condition="contains all">\Microsoft\.NETFramework;NGenAssemblyUsageLog</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=Winget admin settings Tampering Detected" groupRelation="and">
+				<TargetObject condition="contains all">\REGISTRY\A\;LocalState\admin_settings</TargetObject>
+			</Rule>
 		</RegistryEvent>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
@@ -8851,7 +8902,7 @@
 				<Hash condition="contains">SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e</Hash><!--Exchange Zero Day Dropped DLL-->
 			</Rule>
 			<Rule name="Attack=T1096,Technique=Alternate Data Streams,Tactic=Defense Evasion,DS=File: File Metadata,Level=0,Desc=Alternate Data Streams,Risk=10" groupRelation="and">
-				<TargetFilename condition="contains any">Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf</TargetFilename>
+				<TargetFilename condition="contains any">Startup;Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=File: File Metadata,Level=4,Alert=SysmonEnte Detection,DS=File: File Metadata,Level=4,Risk=100" groupRelation="and">
 				<Hash condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hash>
@@ -9624,13 +9675,18 @@
 	</RuleGroup>
 	<!-- SYSMON EVENT ID 29 : File Executable Detected -->
 	<!--Fields: ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes -->
+	<!-- Key Authors in this section are Florian Roth as a majority Contributer from: https://github.com/Neo23x0/sysmon-config/blob/master/sysmonconfig-export.xml -->
 	<RuleGroup name="RG=FileExecutable Includes" groupRelation="or">
 		<FileExecutableDetected onmatch="include">
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Exe created within Downloads Folder,Risk=10" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Users\</TargetFilename>
 				<TargetFilename condition="contains">\Downloads</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1036.008,Technique=Masquerading: Masquerade File Type,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=PE File Detected under Unusual File extension,Risk=10" groupRelation="or">
+			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,DS=Process: Process Creation,Level=0,Alert=Executed files within Outlook Attachments,Risk=30" groupRelation="and">
+				<Image condition="begin with">C:\Users\</Image>
+				<Image condition="contains">Content.Outlook</Image>
+			</Rule>
+			<Rule name="Attack=T1036.008,Technique=Masquerading: Masquerade File Type,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=PE File Detected under Unusual File extension,Risk=10" groupRelation="and">
 				<TargetFilename condition="not end with">.exe</TargetFilename>
 				<TargetFilename condition="not end with">.dll</TargetFilename>
 				<TargetFilename condition="not end with">.sys</TargetFilename>
@@ -9646,6 +9702,1021 @@
 				<TargetFilename condition="not end with">.ime</TargetFilename>
 				<TargetFilename condition="not end with">.tsp</TargetFilename>
 			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=,Risk=10,Alert=Powershell Creating Executables" groupRelation="and">
+				<Image condition="is any">powershell.exe;powershell_ise.exe;pwsh.exe;Sqlps.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059.003,Technique=Command and Scripting Interpreter: Windows Command Shell,Tactic=Execution,DS=File: File Creation,Level=0,Alert=Command or consolehost Anomaly,Risk=10" groupRelation="and">
+				<Image condition="is any">cmd.exe;conhost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Pe File Detected within Unusual Location,Risk=10,Author=Florian Roth" groupRelation="or">
+				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename> <!-- often used staging directories; could cause false positives --> 
+				<TargetFilename condition="begin with">C:\Perflogs\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\Fonts\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\debug\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\tracing\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\Help\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\Logs\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\System32\spool\SERVERS\</TargetFilename> <!-- often used in exploits against print spooler --> 
+				<TargetFilename condition="begin with">C:\Windows\System32\spool\PRINTERS\</TargetFilename> <!-- often used in exploits against print spooler --> 
+				<TargetFilename condition="begin with">C:\Windows\Help\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\SysWOW64\Tasks</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Intel</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Mozilla</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\chocolatey\</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\DeviceSync</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\PlayReady</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\User Account Pictures</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\Office\Heartbeat</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\Windows\WER</TargetFilename>
+				<TargetFilename condition="contains all">C:\Users\All Users\</TargetFilename> <!-- often used staging directories in User folders --> 
+				<TargetFilename condition="contains all">C:\Users\;\Music\</TargetFilename> <!-- often used staging directories in User folders --> 
+				<TargetFilename condition="contains all">C:\Users\;\Pictures\</TargetFilename> <!-- often used staging directories in User folders --> 
+				<TargetFilename condition="contains all">C:\Users\;\Videos\</TargetFilename> <!-- often used staging directories in User folders --> 
+				<TargetFilename condition="contains all">C:\Users\;\Contacts\</TargetFilename> <!-- often used staging directories in User folders -->
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Double File Extension Detected,Risk=10,Author=Florian Roth" groupRelation="or">
+				<TargetFilename condition="end with">.7z.exe</TargetFilename>
+				<TargetFilename condition="end with">.doc.exe</TargetFilename>
+				<TargetFilename condition="end with">.docm.exe</TargetFilename>
+				<TargetFilename condition="end with">.docx.exe</TargetFilename>
+				<TargetFilename condition="end with">.htm.exe</TargetFilename>
+				<TargetFilename condition="end with">.html.exe</TargetFilename>
+				<TargetFilename condition="end with">.iso.exe</TargetFilename>
+				<TargetFilename condition="end with">.lnk.exe</TargetFilename>				
+				<TargetFilename condition="end with">.pdf.exe</TargetFilename>
+				<TargetFilename condition="end with">.ppt.exe</TargetFilename>
+				<TargetFilename condition="end with">.pptx.exe</TargetFilename>
+				<TargetFilename condition="end with">.rar.exe</TargetFilename>
+				<TargetFilename condition="end with">.rtf.exe</TargetFilename>
+				<TargetFilename condition="end with">.txt.exe</TargetFilename>
+				<TargetFilename condition="end with">.xls.exe</TargetFilename>
+				<TargetFilename condition="end with">.xlsm.exe</TargetFilename>
+				<TargetFilename condition="end with">.xlsx.exe</TargetFilename>
+				<TargetFilename condition="end with">.zip.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Sysmon Tampering Tools Detected,Risk=10,Author=Florian Roth" groupRelation="or">
+				<TargetFilename condition="end with">\EntenLoader.exe</TargetFilename>
+				<TargetFilename condition="end with">\SysmonQuiet.exe</TargetFilename>
+				<TargetFilename condition="end with">\SharpEvtMute.exe</TargetFilename>
+				<TargetFilename condition="end with">\EvtMuteHook.dll</TargetFilename>
+				<TargetFilename condition="end with">\SysmonEOP.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Sysmon Tampering Tools Detected,Risk=10,Author=Florian Roth" groupRelation="or">
+				<Hashes condition="contains">IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932</Hashes> <!-- PetitPotam -->
+				<Hashes condition="contains">IMPHASH=3A19059BD7688CB88E70005F18EFC439</Hashes> <!-- PetitPotam -->
+				<Hashes condition="contains">IMPHASH=bf6223a49e45d99094406777eb6004ba</Hashes> <!-- PetitPotam -->
+				<Hashes condition="contains">IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=4C1B52A19748428E51B14C278D0F58E3</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=672B13F4A0B6F27D29065123FE882DFC</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=9528A0E91E28FBB88AD433FEABCA2456</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=D21BBC50DCC169D7B4D0F01962793154</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1</Hashes> <!-- JuicyPotato  -->
+				<Hashes condition="contains">IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC</Hashes> <!-- JuicyPotato  -->
+				<Hashes condition="contains">IMPHASH=F9A28C458284584A93B14216308D31BD</Hashes> <!-- JuicyPotatoNG -->
+				<Hashes condition="contains">IMPHASH=6118619783FC175BC7EBECFF0769B46E</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=563233BFA169ACC7892451F71AD5850A</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=87575CB7A0E0700EB37F2E3668671A08</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=13F08707F759AF6003837A150A371BA1</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=1781F06048A7E58B323F0B9259BE798B</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=713C29B396B907ED71A72482759ED757</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=8B114550386E31895DFAB371E741123D</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793</Hashes> <!-- PwDumpX -->
+				<Hashes condition="contains">IMPHASH=9D68781980370E00E0BD939EE5E6C141</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=B18A1401FF8F444056D29450FBC0A6CE</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=CB567F9498452721D77A451374955F5F</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=730073214094CD328547BF1F72289752</Hashes> <!-- Htran -->
+				<Hashes condition="contains">IMPHASH=17B461A082950FC6332228572138B80C</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=819B19D53CA6736448F9325A85736792</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74</Hashes> <!-- PPLDump -->
+				<Hashes condition="contains">IMPHASH=0588081AB0E63BA785938467E1B10CCA</Hashes> <!-- PPLDump -->
+				<Hashes condition="contains">IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=4DA924CF622D039D58BCE71CDF05D242</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=E7A3A5C377E2D29324093377D7DB1C66</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=E6F9D5152DA699934B30DAAB206471F6</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=3AD59991CCF1D67339B319B15A41B35D</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=FFDD59E0318B85A3E480874D9796D872</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=0CF479628D7CC1EA25EC7998A92F5051</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=D6D0F80386E1380D05CB78E871BC72B1</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=38D9E015591BBFD4929E0D0F47FA0055</Hashes> <!-- HandleKatz -->
+				<Hashes condition="contains">IMPHASH=0E2216679CA6E1094D63322E3412D650</Hashes> <!-- HandleKatz -->
+				<Hashes condition="contains">IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=11083E75553BAAE21DC89CE8F9A195E4</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F</Hashes> <!-- CreateMiniDump -->
+				<Hashes condition="contains">IMPHASH=767637C23BB42CD5D7397CF58B0BE688</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=14C4E4C72BA075E9069EE67F39188AD8</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=7D010C6BB6A3726F327F7E239166D127</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=89159BA4DD04E4CE5559F132A9964EB3</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=5834ED4291BDEB928270428EBBAF7604</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=3DE09703C8E79ED2CA3F01074719906B</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F</Hashes> <!-- WCE -->
+				<Hashes condition="contains">IMPHASH=E96A73C7BF33A464C510EDE582318BF2</Hashes> <!-- WCE -->
+				<Hashes condition="contains">IMPHASH=32089B8851BBF8BC2D014E9F37288C83</Hashes> <!-- Sliver Stagers -->
+				<Hashes condition="contains">IMPHASH=09D278F9DE118EF09163C6140255C690</Hashes> <!-- Dumpert -->
+				<Hashes condition="contains">IMPHASH=03866661686829d806989e2fc5a72606</Hashes> <!-- Dumpert -->
+				<Hashes condition="contains">IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d</Hashes> <!-- Dumpert -->
+				<Hashes condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hashes> <!-- SysmonEnte -->
+				<Hashes condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hashes> <!-- SysmonQuiet -->
+				<Hashes condition="contains">IMPHASH=330768A4F172E10ACB6287B87289D83B</Hashes> <!-- ShaprEvtMute Hook -->
+				<Hashes condition="contains">IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313</Hashes> <!-- Forkatz -->
+				<Hashes condition="contains">IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC</Hashes> <!-- PPLKiller -->
+				<Hashes condition="contains">IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28</Hashes> <!-- PPLKiller -->
+				<Hashes condition="contains">IMPHASH=96DF3A3731912449521F6F8D183279B1</Hashes> <!-- Backstab -->
+				<Hashes condition="contains">IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46</Hashes> <!-- Backstab -->
+				<Hashes condition="contains">IMPHASH=51791678F351C03A0EB4E2A7B05C6E17</Hashes> <!-- Backstab -->
+				<Hashes condition="contains">IMPHASH=25CE42B079282632708FC846129E98A5</Hashes> <!-- Forensia -->
+				<Hashes condition="contains">MD5=7B17F15713FCF13C764535AA2BDF52AA</Hashes>													<!-- ShaprEvtMute -->
+				<Hashes condition="contains">SHA1=4E18320493042BCD7D21B53E258974BC460ACC78</Hashes>										<!-- ShaprEvtMute -->
+				<Hashes condition="contains">SHA256=477DFE485F5BD9540CC83E88FC04AAFB6DE49CF1ADC6BD857D5D6F4C1730A6D1</Hashes>	<!-- ShaprEvtMute -->
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Microsoft Office Dropping Executables,Risk=10,Author=Florian Roth" groupRelation="or">
+				<Image condition="image">winword.exe</Image>
+				<Image condition="image">excel.exe</Image>
+				<Image condition="image">powerpnt.exe</Image>
+				<Image condition="image">msaccess.exe</Image>
+				<Image condition="image">mspub.exe</Image>
+				<Image condition="image">eqnedt32.exe</Image>
+				<Image condition="image">visio.exe</Image>
+				<Image condition="image">wordpad.exe</Image>
+				<Image condition="image">wordview.exe</Image>
+				<Image condition="image">msohtmed.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=OneNote Dropping Executables,Risk=10,Author=Florian Roth" groupRelation="or">
+				<Image condition="image">onenote.exe</Image>
+				<Image condition="image">onenotem.exe</Image>
+				<Image condition="image">onenoteim.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=LOLBin Dropping Executables,Risk=10,Author=Florian Roth" groupRelation="or">
+				<!-- LOLBINs that can be used to download executables -->
+				<Image condition="image">certutil.exe</Image>
+				<Image condition="image">certoc.exe</Image>
+				<Image condition="image">CertReq.exe</Image>
+				<!-- <Image condition="image">bitsadmin.exe</Image> (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env) -->
+				<Image condition="image">Desktopimgdownldr.exe</Image>
+				<Image condition="image">esentutl.exe</Image>
+				<!-- <Image condition="image">expand.exe</Image> (depends on the environment; comment in if you're sure that expand doesn't do that in your env) -->
+				<Image condition="image">finger.exe</Image>
+				<!-- Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)-->
+				<Image condition="image">notepad.exe</Image>
+				<Image condition="image">AcroRd32.exe</Image>
+				<Image condition="image">RdrCEF.exe</Image> <!-- RdrCEF was seen dropping a DLL in temp (Example: \AppData\Local\Temp\acrocef_low\4616_1623006624_platform_specific\win_x86\widevinecdm.dll). Comment out this entry if you experience issues (https://github.com/Neo23x0/sysmon-config/issues/43) -->
+				<Image condition="image">calc.exe</Image>
+				<Image condition="image">mspaint.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.01,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Compiled HTML File Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">hh.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.002,Technique=System Binary Proxy Execution: Control Panel,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Control Panel Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">control.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.003,Technique=System Binary Proxy Execution: CMSTP,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=CMSTP Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">CMSTP.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.004,Technique=System Binary Proxy Execution: InstallUtil,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=InstallUtil Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">installutil.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.005,Technique=System Binary Proxy Execution: Mshta,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=MSHTA Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">mshta.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.007,Technique=System Binary Proxy Execution: MSIExec,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=MSIExec Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">msiexec.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.008,Technique=System Binary Proxy Execution: Odbcconf,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Odbcconf Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">Odbcconf.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.009,Technique=System Binary Proxy Execution: Regsvcs/Regasm,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Regsvcs/Regasm Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="contains any">Regsvcs.exe;Regasm.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.010,Technique=System Binary Proxy Execution: Regsvr32,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Regsvr32 Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">regsvr32.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=System Binary Proxy Execution: Rundll32,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Rundll32 Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">Rundll32.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.012,Technique=System Binary Proxy Execution: Verclsid,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Verclsid Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">Verclsid.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.013,Technique=System Binary Proxy Execution: mavinject,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Mavinject Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="contains any">mavinject.exe;mavinject64.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.014,Technique=System Binary Proxy Execution: MMC,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=MMC Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">mmc.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Other LOLBins Dropping Executables,Risk=10" groupRelation="or">
+				<Image condition="contains any">Appvlp.exe;InfDefaultInstall.EXE;PresentationHost.exe;Register-cimprovider.exe;RegisterCimProvider2.exe;RegisterCimProvider.exe;ScriptRunner.exe;appcmd.exe;csi.exe;devtoolslauncher.exe;diskshadow.exe;extexport.exe;jjs.exe;msconfig.EXE;msdt.exe;rasautou.exe;rasdlui.exe;replace.exe;tttracer.exe;wab.exe;wsreset.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=File: File Creation,Level=4,Alert=Vulnerable Driver Detected,Risk=10,Author=Florian Roth" groupRelation="or">
+			    <Hashes condition="contains">SHA256=7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed</Hashes>
+                <Hashes condition="contains">SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb</Hashes>
+                <Hashes condition="contains">SHA256=0ae8d1dd56a8a000ced74a627052933d2e9bff31d251de185b3c0c5fc94a44db</Hashes>
+                <Hashes condition="contains">SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05</Hashes>
+                <Hashes condition="contains">SHA256=0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d</Hashes>
+                <Hashes condition="contains">SHA256=0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917</Hashes>
+                <Hashes condition="contains">SHA256=0bc3685b0b8adc97931b5d31348da235cd7581a67edf6d79913e6a5709866135</Hashes>
+                <Hashes condition="contains">SHA256=0be4912bfd7a79f6ebfa1c06a59f0fb402bd4fe0158265780509edd0e562eac1</Hashes>
+                <Hashes condition="contains">SHA256=0c512b615eac374d4d494e3c36838d8e788b3dc2691bf27916f7f42694b14467</Hashes>
+                <Hashes condition="contains">SHA256=0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c</Hashes>
+                <Hashes condition="contains">SHA256=0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c</Hashes>
+                <Hashes condition="contains">SHA256=0cf6c6c2d231eaf67dfc87561cc9a56ecef89ab50baafee5a67962748d51faf3</Hashes>
+                <Hashes condition="contains">SHA256=0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f</Hashes>
+                <Hashes condition="contains">SHA256=0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c</Hashes>
+                <Hashes condition="contains">SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8</Hashes>
+                <Hashes condition="contains">SHA256=0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b</Hashes>
+                <Hashes condition="contains">SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff</Hashes>
+                <Hashes condition="contains">SHA256=0ee5067ce48883701824c5b1ad91695998916a3702cf8086962fbe58af74b2d6</Hashes>
+                <Hashes condition="contains">SHA256=0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8</Hashes>
+                <Hashes condition="contains">SHA256=0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf</Hashes>
+                <Hashes condition="contains">SHA256=0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff</Hashes>
+                <Hashes condition="contains">SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670</Hashes>
+                <Hashes condition="contains">SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd</Hashes>
+                <Hashes condition="contains">SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece</Hashes>
+                <Hashes condition="contains">SHA256=1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5</Hashes>
+                <Hashes condition="contains">SHA256=1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0</Hashes>
+                <Hashes condition="contains">SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c</Hashes>
+                <Hashes condition="contains">SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b</Hashes>
+                <Hashes condition="contains">SHA256=1afa03118f87b62c59a97617e595ebb26dde8dbdd16ee47ef3ddd1097c30ef6a</Hashes>
+                <Hashes condition="contains">SHA256=1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e</Hashes>
+                <Hashes condition="contains">SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa</Hashes>
+                <Hashes condition="contains">SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a</Hashes>
+                <Hashes condition="contains">SHA256=1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687</Hashes>
+                <Hashes condition="contains">SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8</Hashes>
+                <Hashes condition="contains">SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219</Hashes>
+                <Hashes condition="contains">SHA256=1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe</Hashes>
+                <Hashes condition="contains">SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee</Hashes>
+                <Hashes condition="contains">SHA256=1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961</Hashes>
+                <Hashes condition="contains">SHA256=1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512</Hashes>
+                <Hashes condition="contains">SHA256=1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c</Hashes>
+                <Hashes condition="contains">SHA256=1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501</Hashes>
+                <Hashes condition="contains">SHA256=2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486</Hashes>
+                <Hashes condition="contains">SHA256=2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e</Hashes>
+                <Hashes condition="contains">SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a</Hashes>
+                <Hashes condition="contains">SHA256=2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8</Hashes>
+                <Hashes condition="contains">SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4</Hashes>
+                <Hashes condition="contains">SHA256=2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30</Hashes>
+                <Hashes condition="contains">SHA256=2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a</Hashes>
+                <Hashes condition="contains">SHA256=2b120de80a5462f8395cfb7153c86dfd44f29f0776ea156ec4a34fa64e5c4797</Hashes>
+                <Hashes condition="contains">SHA256=2b186926ed815d87eaf72759a69095a11274f5d13c33b8cc2b8700a1f020be1d</Hashes>
+                <Hashes condition="contains">SHA256=2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1</Hashes>
+                <Hashes condition="contains">SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250</Hashes>
+                <Hashes condition="contains">SHA256=2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14</Hashes>
+                <Hashes condition="contains">SHA256=2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1</Hashes>
+                <Hashes condition="contains">SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b</Hashes>
+                <Hashes condition="contains">SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d</Hashes>
+                <Hashes condition="contains">SHA256=2d195cd4400754cc6f6c3f8ab1fe31627932c3c1bf8d5d0507c292232d1a2396</Hashes>
+                <Hashes condition="contains">SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e</Hashes>
+                <Hashes condition="contains">SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8</Hashes>
+                <Hashes condition="contains">SHA256=2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0</Hashes>
+                <Hashes condition="contains">SHA256=2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e</Hashes>
+                <Hashes condition="contains">SHA256=2f60536b25ba8c9014e4a57d7a9a681bd3189fa414eea88c256d029750e15cae</Hashes>
+                <Hashes condition="contains">SHA256=2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445</Hashes>
+                <Hashes condition="contains">SHA256=03e0581432f5c8cc727a8aa387f5b69ff84d38d0df6f1226c19c6e960a81e1e9</Hashes>
+                <Hashes condition="contains">SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25</Hashes>
+                <Hashes condition="contains">SHA256=3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0</Hashes>
+                <Hashes condition="contains">SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e</Hashes>
+                <Hashes condition="contains">SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46</Hashes>
+                <Hashes condition="contains">SHA256=3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b</Hashes>
+                <Hashes condition="contains">SHA256=3c5d7069f85ec1d6f58147431f88c4d7c48df73baf94ffdefd664f2606baf09c</Hashes>
+                <Hashes condition="contains">SHA256=3c6f9917418e991ed41540d8d882c8ca51d582a82fd01bff6cdf26591454faf5</Hashes>
+                <Hashes condition="contains">SHA256=3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc</Hashes>
+                <Hashes condition="contains">SHA256=3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b</Hashes>
+                <Hashes condition="contains">SHA256=3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f</Hashes>
+                <Hashes condition="contains">SHA256=3cb75429944e60f6c820c7638adbf688883ad44951bca3f8912428afe72bc134</Hashes>
+                <Hashes condition="contains">SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3</Hashes>
+                <Hashes condition="contains">SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4</Hashes>
+                <Hashes condition="contains">SHA256=3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272</Hashes>
+                <Hashes condition="contains">SHA256=3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf</Hashes>
+                <Hashes condition="contains">SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c</Hashes>
+                <Hashes condition="contains">SHA256=3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75</Hashes>
+                <Hashes condition="contains">SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8</Hashes>
+                <Hashes condition="contains">SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5</Hashes>
+                <Hashes condition="contains">SHA256=3f9530c94b689f39cc83377d76979d443275012e022782a600dcb5cad4cca6aa</Hashes>
+                <Hashes condition="contains">SHA256=3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e</Hashes>
+                <Hashes condition="contains">SHA256=3ff50c67d51553c08dcb7c98342f68a0f54ad6658c5346c428bdcd1f185569f6</Hashes>
+                <Hashes condition="contains">SHA256=3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa</Hashes>
+                <Hashes condition="contains">SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162</Hashes>
+                <Hashes condition="contains">SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2</Hashes>
+                <Hashes condition="contains">SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe</Hashes>
+                <Hashes condition="contains">SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7</Hashes>
+                <Hashes condition="contains">SHA256=4b4c925c3b8285aeeab9b954e8b2a0773b4d2d0e18d07d4a9d268f4be90f6cae</Hashes>
+                <Hashes condition="contains">SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1</Hashes>
+                <Hashes condition="contains">SHA256=4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4</Hashes>
+                <Hashes condition="contains">SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e</Hashes>
+                <Hashes condition="contains">SHA256=4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036</Hashes>
+                <Hashes condition="contains">SHA256=4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee</Hashes>
+                <Hashes condition="contains">SHA256=4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba</Hashes>
+                <Hashes condition="contains">SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80</Hashes>
+                <Hashes condition="contains">SHA256=4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69</Hashes>
+                <Hashes condition="contains">SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748</Hashes>
+                <Hashes condition="contains">SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a</Hashes>
+                <Hashes condition="contains">SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a</Hashes>
+                <Hashes condition="contains">SHA256=5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe</Hashes>
+                <Hashes condition="contains">SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a</Hashes>
+                <Hashes condition="contains">SHA256=5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c</Hashes>
+                <Hashes condition="contains">SHA256=5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921</Hashes>
+                <Hashes condition="contains">SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a</Hashes>
+                <Hashes condition="contains">SHA256=5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185</Hashes>
+                <Hashes condition="contains">SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3</Hashes>
+                <Hashes condition="contains">SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92</Hashes>
+                <Hashes condition="contains">SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be</Hashes>
+                <Hashes condition="contains">SHA256=5f7e47d728ac3301eb47b409801a0f4726a435f78f1ed02c30d2a926259c71f3</Hashes>
+                <Hashes condition="contains">SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683</Hashes>
+                <Hashes condition="contains">SHA256=5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0</Hashes>
+                <Hashes condition="contains">SHA256=5f20541f859f21b3106e12d37182b1ea39bb75ffcfcddb2ece4f6edd42c0bab2</Hashes>
+                <Hashes condition="contains">SHA256=5f487829527802983d5c120e3b99f3cf89333ca14f5e49ac32df0798cfb1f7aa</Hashes>
+                <Hashes condition="contains">SHA256=5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36</Hashes>
+                <Hashes condition="contains">SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50</Hashes>
+                <Hashes condition="contains">SHA256=6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5</Hashes>
+                <Hashes condition="contains">SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74</Hashes>
+                <Hashes condition="contains">SHA256=6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63</Hashes>
+                <Hashes condition="contains">SHA256=6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e</Hashes>
+                <Hashes condition="contains">SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44</Hashes>
+                <Hashes condition="contains">SHA256=6c64688444d3e004da77dcfb769d064bb38afceeef7ff915dfc71e60e19ff18a</Hashes>
+                <Hashes condition="contains">SHA256=6cb6e23ba516570bbd158c32f7c7c99f19b24ca4437340ecb39253662afe4293</Hashes>
+                <Hashes condition="contains">SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc</Hashes>
+                <Hashes condition="contains">SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492</Hashes>
+                <Hashes condition="contains">SHA256=6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf</Hashes>
+                <Hashes condition="contains">SHA256=6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7</Hashes>
+                <Hashes condition="contains">SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7</Hashes>
+                <Hashes condition="contains">SHA256=6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38</Hashes>
+                <Hashes condition="contains">SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4</Hashes>
+                <Hashes condition="contains">SHA256=6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c</Hashes>
+                <Hashes condition="contains">SHA256=6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d</Hashes>
+                <Hashes condition="contains">SHA256=6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc</Hashes>
+                <Hashes condition="contains">SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357</Hashes>
+                <Hashes condition="contains">SHA256=7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf</Hashes>
+                <Hashes condition="contains">SHA256=7aaf2aa194b936e48bc90f01ee854768c8383c0be50cfb41b346666aec0cf853</Hashes>
+                <Hashes condition="contains">SHA256=7b0f442ac0bb183906700097d65aed0b4b9d8678f9a01aca864854189fe368e7</Hashes>
+                <Hashes condition="contains">SHA256=7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b</Hashes>
+                <Hashes condition="contains">SHA256=7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7</Hashes>
+                <Hashes condition="contains">SHA256=7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21</Hashes>
+                <Hashes condition="contains">SHA256=7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4</Hashes>
+                <Hashes condition="contains">SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c</Hashes>
+                <Hashes condition="contains">SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f</Hashes>
+                <Hashes condition="contains">SHA256=7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea</Hashes>
+                <Hashes condition="contains">SHA256=7da6113183328d4fddf6937c0c85ef65ba69bfe133b1146193a25bcf6ae1f9dd</Hashes>
+                <Hashes condition="contains">SHA256=7dfc2eb033d2e090540860b8853036f40736d02bd22099ff6cf665a90be659cd</Hashes>
+                <Hashes condition="contains">SHA256=7e3b0b8d3e430074109d85729201d7c34bc5b918c0bcb9f64ce88c5e37e1a456</Hashes>
+                <Hashes condition="contains">SHA256=7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d</Hashes>
+                <Hashes condition="contains">SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7</Hashes>
+                <Hashes condition="contains">SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d</Hashes>
+                <Hashes condition="contains">SHA256=7f5dc63e5742096e4accaca39ae77a2a2142b438c10f97860dee4054b51d3b35</Hashes>
+                <Hashes condition="contains">SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457</Hashes>
+                <Hashes condition="contains">SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa</Hashes>
+                <Hashes condition="contains">SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6</Hashes>
+                <Hashes condition="contains">SHA256=8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2</Hashes>
+                <Hashes condition="contains">SHA256=8bda0108de82ebeae82f43108046c5feb6f042e312fa0115475a9e32274fae59</Hashes>
+                <Hashes condition="contains">SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6</Hashes>
+                <Hashes condition="contains">SHA256=8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9</Hashes>
+                <Hashes condition="contains">SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f</Hashes>
+                <Hashes condition="contains">SHA256=8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775</Hashes>
+                <Hashes condition="contains">SHA256=8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9</Hashes>
+                <Hashes condition="contains">SHA256=8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2</Hashes>
+                <Hashes condition="contains">SHA256=8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126</Hashes>
+                <Hashes condition="contains">SHA256=8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c</Hashes>
+                <Hashes condition="contains">SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f</Hashes>
+                <Hashes condition="contains">SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f</Hashes>
+                <Hashes condition="contains">SHA256=8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00</Hashes>
+                <Hashes condition="contains">SHA256=8f23313adb35782adb0ba97fefbfbb8bbc5fc40ae272e07f6d4629a5305a3fa2</Hashes>
+                <Hashes condition="contains">SHA256=8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a</Hashes>
+                <Hashes condition="contains">SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184</Hashes>
+                <Hashes condition="contains">SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1</Hashes>
+                <Hashes condition="contains">SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e</Hashes>
+                <Hashes condition="contains">SHA256=9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7</Hashes>
+                <Hashes condition="contains">SHA256=9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba</Hashes>
+                <Hashes condition="contains">SHA256=9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c</Hashes>
+                <Hashes condition="contains">SHA256=9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c</Hashes>
+                <Hashes condition="contains">SHA256=9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194</Hashes>
+                <Hashes condition="contains">SHA256=9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285</Hashes>
+                <Hashes condition="contains">SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4</Hashes>
+                <Hashes condition="contains">SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449</Hashes>
+                <Hashes condition="contains">SHA256=9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2</Hashes>
+                <Hashes condition="contains">SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395</Hashes>
+                <Hashes condition="contains">SHA256=9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4</Hashes>
+                <Hashes condition="contains">SHA256=9ee33ffd80611a13779df6286c1e04d3c151f1e2f65e3d664a08997fcd098ef3</Hashes>
+                <Hashes condition="contains">SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5</Hashes>
+                <Hashes condition="contains">SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33</Hashes>
+                <Hashes condition="contains">SHA256=9f1025601d17945c3a47026814bdec353ee363966e62dba7fe2673da5ce50def</Hashes>
+                <Hashes condition="contains">SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374</Hashes>
+                <Hashes condition="contains">SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5</Hashes>
+                <Hashes condition="contains">SHA256=11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b</Hashes>
+                <Hashes condition="contains">SHA256=12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56</Hashes>
+                <Hashes condition="contains">SHA256=14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8</Hashes>
+                <Hashes condition="contains">SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229</Hashes>
+                <Hashes condition="contains">SHA256=15fb486b6b8c2a2f1b067f48fba10c2f164638fe5e6cee618fb84463578ecac9</Hashes>
+                <Hashes condition="contains">SHA256=16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1</Hashes>
+                <Hashes condition="contains">SHA256=18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506</Hashes>
+                <Hashes condition="contains">SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6</Hashes>
+                <Hashes condition="contains">SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0</Hashes>
+                <Hashes condition="contains">SHA256=19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775</Hashes>
+                <Hashes condition="contains">SHA256=19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0</Hashes>
+                <Hashes condition="contains">SHA256=20f11a64bc4548f4edb47e3d3418da0f6d54a83158224b71662a6292bf45b5fb</Hashes>
+                <Hashes condition="contains">SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21</Hashes>
+                <Hashes condition="contains">SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c</Hashes>
+                <Hashes condition="contains">SHA256=23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade</Hashes>
+                <Hashes condition="contains">SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4</Hashes>
+                <Hashes condition="contains">SHA256=26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097</Hashes>
+                <Hashes condition="contains">SHA256=26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43</Hashes>
+                <Hashes condition="contains">SHA256=26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712</Hashes>
+                <Hashes condition="contains">SHA256=27cd05527feb020084a4a76579c125458571da8843cdfc3733211760a11da970</Hashes>
+                <Hashes condition="contains">SHA256=29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6</Hashes>
+                <Hashes condition="contains">SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94</Hashes>
+                <Hashes condition="contains">SHA256=30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb</Hashes>
+                <Hashes condition="contains">SHA256=31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a</Hashes>
+                <Hashes condition="contains">SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427</Hashes>
+                <Hashes condition="contains">SHA256=31f4140c12ac31f5729a8de4dc051d3acd07783564604df831a2a6722c979192</Hashes>
+                <Hashes condition="contains">SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351</Hashes>
+                <Hashes condition="contains">SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993</Hashes>
+                <Hashes condition="contains">SHA256=34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3</Hashes>
+                <Hashes condition="contains">SHA256=34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf</Hashes>
+                <Hashes condition="contains">SHA256=36aafa127736c7226c50061ea065f71e14f64ec60321f705bc52686d24117e0d</Hashes>
+                <Hashes condition="contains">SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb</Hashes>
+                <Hashes condition="contains">SHA256=36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289</Hashes>
+                <Hashes condition="contains">SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9</Hashes>
+                <Hashes condition="contains">SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e</Hashes>
+                <Hashes condition="contains">SHA256=38b3eb8c86201d26353aab625cea672e60c2f66ce6f5e5eda673e8c3478bf305</Hashes>
+                <Hashes condition="contains">SHA256=38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7</Hashes>
+                <Hashes condition="contains">SHA256=38c18db050b0b2b07f657c03db1c9595febae0319c746c3eede677e21cd238b0</Hashes>
+                <Hashes condition="contains">SHA256=38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20</Hashes>
+                <Hashes condition="contains">SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a</Hashes>
+                <Hashes condition="contains">SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e</Hashes>
+                <Hashes condition="contains">SHA256=42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb</Hashes>
+                <Hashes condition="contains">SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f</Hashes>
+                <Hashes condition="contains">SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89</Hashes>
+                <Hashes condition="contains">SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0</Hashes>
+                <Hashes condition="contains">SHA256=45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a</Hashes>
+                <Hashes condition="contains">SHA256=45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26</Hashes>
+                <Hashes condition="contains">SHA256=45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef</Hashes>
+                <Hashes condition="contains">SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84</Hashes>
+                <Hashes condition="contains">SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005</Hashes>
+                <Hashes condition="contains">SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc</Hashes>
+                <Hashes condition="contains">SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810</Hashes>
+                <Hashes condition="contains">SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba</Hashes>
+                <Hashes condition="contains">SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793</Hashes>
+                <Hashes condition="contains">SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f</Hashes>
+                <Hashes condition="contains">SHA256=51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5</Hashes>
+                <Hashes condition="contains">SHA256=53eaefba7e7dca9ab74e385abf18762f9f1aa51594e7f7db5ba612d6c787dd7e</Hashes>
+                <Hashes condition="contains">SHA256=55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9</Hashes>
+                <Hashes condition="contains">SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a</Hashes>
+                <Hashes condition="contains">SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7</Hashes>
+                <Hashes condition="contains">SHA256=57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572</Hashes>
+                <Hashes condition="contains">SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495</Hashes>
+                <Hashes condition="contains">SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59</Hashes>
+                <Hashes condition="contains">SHA256=59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879</Hashes>
+                <Hashes condition="contains">SHA256=60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289</Hashes>
+                <Hashes condition="contains">SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813</Hashes>
+                <Hashes condition="contains">SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0</Hashes>
+                <Hashes condition="contains">SHA256=61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf</Hashes>
+                <Hashes condition="contains">SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8</Hashes>
+                <Hashes condition="contains">SHA256=62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0</Hashes>
+                <Hashes condition="contains">SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57</Hashes>
+                <Hashes condition="contains">SHA256=65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9</Hashes>
+                <Hashes condition="contains">SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890</Hashes>
+                <Hashes condition="contains">SHA256=69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2</Hashes>
+                <Hashes condition="contains">SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009</Hashes>
+                <Hashes condition="contains">SHA256=71ff60722231c7641ad593756108cf6779dbaad21c7b08065fb1d4e225eab14d</Hashes>
+                <Hashes condition="contains">SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1</Hashes>
+                <Hashes condition="contains">SHA256=72c0d2d699d0440db17cb7cbbc06a253eaafd21465f14bb0fed8b85ae73153d1</Hashes>
+                <Hashes condition="contains">SHA256=074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761</Hashes>
+                <Hashes condition="contains">SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4</Hashes>
+                <Hashes condition="contains">SHA256=075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85</Hashes>
+                <Hashes condition="contains">SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184</Hashes>
+                <Hashes condition="contains">SHA256=76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524</Hashes>
+                <Hashes condition="contains">SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303</Hashes>
+                <Hashes condition="contains">SHA256=077aa8ff5e01747723b6d24cc8af460a7a00f30cd3bc80e41cc245ceb8305356</Hashes>
+                <Hashes condition="contains">SHA256=77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9</Hashes>
+                <Hashes condition="contains">SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57</Hashes>
+                <Hashes condition="contains">SHA256=79e87b93fbed84ec09261b3a0145c935f7dfe4d4805edfb563b2f971a0d51463</Hashes>
+                <Hashes condition="contains">SHA256=80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085</Hashes>
+                <Hashes condition="contains">SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3</Hashes>
+                <Hashes condition="contains">SHA256=80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1</Hashes>
+                <Hashes condition="contains">SHA256=81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0</Hashes>
+                <Hashes condition="contains">SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d</Hashes>
+                <Hashes condition="contains">SHA256=82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989</Hashes>
+                <Hashes condition="contains">SHA256=83f7be0a13c1fccf024c31da5c68c0ea1decf4f48fc39d6e4fd324bbe789ae8a</Hashes>
+                <Hashes condition="contains">SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4</Hashes>
+                <Hashes condition="contains">SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4</Hashes>
+                <Hashes condition="contains">SHA256=86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882</Hashes>
+                <Hashes condition="contains">SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219</Hashes>
+                <Hashes condition="contains">SHA256=88df37ede18bea511f1782c1a6c4915690b29591cf2c1bf5f52201fbbb4fa2b9</Hashes>
+                <Hashes condition="contains">SHA256=88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc</Hashes>
+                <Hashes condition="contains">SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be</Hashes>
+                <Hashes condition="contains">SHA256=89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7</Hashes>
+                <Hashes condition="contains">SHA256=092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0</Hashes>
+                <Hashes condition="contains">SHA256=93b266f38c3c3eaab475d81597abbd7cc07943035068bb6fd670dbbe15de0131</Hashes>
+                <Hashes condition="contains">SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63</Hashes>
+                <Hashes condition="contains">SHA256=94be67c319a67de75ebed050d5537cfaa795d72bba52f3d8cf349e7bd075410e</Hashes>
+                <Hashes condition="contains">SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3</Hashes>
+                <Hashes condition="contains">SHA256=97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd</Hashes>
+                <Hashes condition="contains">SHA256=98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb</Hashes>
+                <Hashes condition="contains">SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8</Hashes>
+                <Hashes condition="contains">SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1</Hashes>
+                <Hashes condition="contains">SHA256=119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280</Hashes>
+                <Hashes condition="contains">SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6</Hashes>
+                <Hashes condition="contains">SHA256=133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743</Hashes>
+                <Hashes condition="contains">SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88</Hashes>
+                <Hashes condition="contains">SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980</Hashes>
+                <Hashes condition="contains">SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347</Hashes>
+                <Hashes condition="contains">SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9</Hashes>
+                <Hashes condition="contains">SHA256=263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24</Hashes>
+                <Hashes condition="contains">SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5</Hashes>
+                <Hashes condition="contains">SHA256=316a27e2bdb86222bc7c8af4e5472166b02aec7f3f526901ce939094e5861f6d</Hashes>
+                <Hashes condition="contains">SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69</Hashes>
+                <Hashes condition="contains">SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc</Hashes>
+                <Hashes condition="contains">SHA256=399effe75d32bdab6fa0a6bffe02dbf0a59219d940b654837c3be1c0bd02e9aa</Hashes>
+                <Hashes condition="contains">SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7</Hashes>
+                <Hashes condition="contains">SHA256=453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233</Hashes>
+                <Hashes condition="contains">SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b</Hashes>
+                <Hashes condition="contains">SHA256=0466dac557ee161503f5dfbd3549f81ec760c3d6c7c4363a21a03e7a3f66aca8</Hashes>
+                <Hashes condition="contains">SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a</Hashes>
+                <Hashes condition="contains">SHA256=478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0</Hashes>
+                <Hashes condition="contains">SHA256=496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b</Hashes>
+                <Hashes condition="contains">SHA256=506f953bbb285aeb8af0549eb24f52f3b7af36afe740afa36735bac70573ce28</Hashes>
+                <Hashes condition="contains">SHA256=523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba</Hashes>
+                <Hashes condition="contains">SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd</Hashes>
+                <Hashes condition="contains">SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9</Hashes>
+                <Hashes condition="contains">SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52</Hashes>
+                <Hashes condition="contains">SHA256=592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c</Hashes>
+                <Hashes condition="contains">SHA256=600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0</Hashes>
+                <Hashes condition="contains">SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c</Hashes>
+                <Hashes condition="contains">SHA256=626fae47811450d080d08c3d9fd890aa64bfecdc45eacd42a40850c1833c8763</Hashes>
+                <Hashes condition="contains">SHA256=654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad</Hashes>
+                <Hashes condition="contains">SHA256=673b63b67345773cd6d66f6adcf2c753e2d949232bff818d5bb6e05786538d92</Hashes>
+                <Hashes condition="contains">SHA256=673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b</Hashes>
+                <Hashes condition="contains">SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf</Hashes>
+                <Hashes condition="contains">SHA256=727e8ba66a8ff07bdc778eacb463b65f2d7167a6616ca2f259ea32571cacf8af</Hashes>
+                <Hashes condition="contains">SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd</Hashes>
+                <Hashes condition="contains">SHA256=818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01</Hashes>
+                <Hashes condition="contains">SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba</Hashes>
+                <Hashes condition="contains">SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a</Hashes>
+                <Hashes condition="contains">SHA256=862d0ff27bb086145a33b9261142838651b0d2e1403be321145e197600eb5015</Hashes>
+                <Hashes condition="contains">SHA256=881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461</Hashes>
+                <Hashes condition="contains">SHA256=900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88</Hashes>
+                <Hashes condition="contains">SHA256=904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a</Hashes>
+                <Hashes condition="contains">SHA256=909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880</Hashes>
+                <Hashes condition="contains">SHA256=910aa4685c735d8c07662aa04fafec463185699ad1a0cd1967b892fc33ec6c3c</Hashes>
+                <Hashes condition="contains">SHA256=916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677</Hashes>
+                <Hashes condition="contains">SHA256=923ebbe8111e73d5b8ecc2db10f8ea2629a3264c3a535d01c3c118a3b4c91782</Hashes>
+                <Hashes condition="contains">SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a</Hashes>
+                <Hashes condition="contains">SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9</Hashes>
+                <Hashes condition="contains">SHA256=955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad</Hashes>
+                <Hashes condition="contains">SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7</Hashes>
+                <Hashes condition="contains">SHA256=1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4</Hashes>
+                <Hashes condition="contains">SHA256=1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c</Hashes>
+                <Hashes condition="contains">SHA256=1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1</Hashes>
+                <Hashes condition="contains">SHA256=1766fd66f846d9a21e648d649ad35d1ff94f8ca17a40a9a738444d6b8e07aacb</Hashes>
+                <Hashes condition="contains">SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52</Hashes>
+                <Hashes condition="contains">SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d</Hashes>
+                <Hashes condition="contains">SHA256=2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22</Hashes>
+                <Hashes condition="contains">SHA256=2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109</Hashes>
+                <Hashes condition="contains">SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6</Hashes>
+                <Hashes condition="contains">SHA256=2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f</Hashes>
+                <Hashes condition="contains">SHA256=2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2</Hashes>
+                <Hashes condition="contains">SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5</Hashes>
+                <Hashes condition="contains">SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099</Hashes>
+                <Hashes condition="contains">SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5</Hashes>
+                <Hashes condition="contains">SHA256=3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de</Hashes>
+                <Hashes condition="contains">SHA256=3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a</Hashes>
+                <Hashes condition="contains">SHA256=3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b</Hashes>
+                <Hashes condition="contains">SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3</Hashes>
+                <Hashes condition="contains">SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838</Hashes>
+                <Hashes condition="contains">SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca</Hashes>
+                <Hashes condition="contains">SHA256=4324f3d1e4007f6499a3d0f0102cd92ed9f554332bc0b633305cd7b957ff16c8</Hashes>
+                <Hashes condition="contains">SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b</Hashes>
+                <Hashes condition="contains">SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6</Hashes>
+                <Hashes condition="contains">SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8</Hashes>
+                <Hashes condition="contains">SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8</Hashes>
+                <Hashes condition="contains">SHA256=5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48</Hashes>
+                <Hashes condition="contains">SHA256=5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02</Hashes>
+                <Hashes condition="contains">SHA256=5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b</Hashes>
+                <Hashes condition="contains">SHA256=5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c</Hashes>
+                <Hashes condition="contains">SHA256=6071db01b50c658cf78665c24f1d21f21b4a12d16bfcfaa6813bf6bbc4d0a1e8</Hashes>
+                <Hashes condition="contains">SHA256=6191c20426dd9b131122fb97e45be64a4d6ce98cc583406f38473434636ddedc</Hashes>
+                <Hashes condition="contains">SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf</Hashes>
+                <Hashes condition="contains">SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb</Hashes>
+                <Hashes condition="contains">SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129</Hashes>
+                <Hashes condition="contains">SHA256=7236c8ff33c0e5cfa956778aa7303f1979f3bf709c361399fa1ce101b7e355b8</Hashes>
+                <Hashes condition="contains">SHA256=7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408</Hashes>
+                <Hashes condition="contains">SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca</Hashes>
+                <Hashes condition="contains">SHA256=8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60</Hashes>
+                <Hashes condition="contains">SHA256=8399e5afd8e3e97139dffb1a9fb00db2186321b427f164403282217cab067c38</Hashes>
+                <Hashes condition="contains">SHA256=8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b</Hashes>
+                <Hashes condition="contains">SHA256=8797d9afc7a6bb0933f100a8acbb5d0666ec691779d522ac66c66817155b1c0d</Hashes>
+                <Hashes condition="contains">SHA256=09043c51719d4bf6405c9a7a292bb9bb3bcc782f639b708ddcc4eedb5e5c9ce9</Hashes>
+                <Hashes condition="contains">SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b</Hashes>
+                <Hashes condition="contains">SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6</Hashes>
+                <Hashes condition="contains">SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b</Hashes>
+                <Hashes condition="contains">SHA256=17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca</Hashes>
+                <Hashes condition="contains">SHA256=17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229</Hashes>
+                <Hashes condition="contains">SHA256=18712a063574bfec315d58577dfe413ab45b650e54747d1e18a56c3c7337a12c</Hashes>
+                <Hashes condition="contains">SHA256=19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758</Hashes>
+                <Hashes condition="contains">SHA256=26453afb1f808f64bec87a2532a9361b696c0ed501d6b973a1f1b5ae152a4d40</Hashes>
+                <Hashes condition="contains">SHA256=28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7</Hashes>
+                <Hashes condition="contains">SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab</Hashes>
+                <Hashes condition="contains">SHA256=37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba</Hashes>
+                <Hashes condition="contains">SHA256=40061b30b1243be76d5283cbc8abfe007e148097d4de7337670ff1536c4c7ba1</Hashes>
+                <Hashes condition="contains">SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00</Hashes>
+                <Hashes condition="contains">SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0</Hashes>
+                <Hashes condition="contains">SHA256=49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668</Hashes>
+                <Hashes condition="contains">SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57</Hashes>
+                <Hashes condition="contains">SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347</Hashes>
+                <Hashes condition="contains">SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd</Hashes>
+                <Hashes condition="contains">SHA256=67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc</Hashes>
+                <Hashes condition="contains">SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4</Hashes>
+                <Hashes condition="contains">SHA256=72288d4978ee87ea6c8b1566dbd906107357087cef7364fb3dd1e1896d00baeb</Hashes>
+                <Hashes condition="contains">SHA256=72322fa8bba20df6966acbcf41e83747893fd173cd29de99b5ad1a5d3bf8f2de</Hashes>
+                <Hashes condition="contains">SHA256=76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a</Hashes>
+                <Hashes condition="contains">SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22</Hashes>
+                <Hashes condition="contains">SHA256=77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c</Hashes>
+                <Hashes condition="contains">SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f</Hashes>
+                <Hashes condition="contains">SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469</Hashes>
+                <Hashes condition="contains">SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94</Hashes>
+                <Hashes condition="contains">SHA256=86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675</Hashes>
+                <Hashes condition="contains">SHA256=89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10</Hashes>
+                <Hashes condition="contains">SHA256=092349aebdac28294dbad1656759d8461f362d1a36b01054dccf861d97beadf0</Hashes>
+                <Hashes condition="contains">SHA256=94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5</Hashes>
+                <Hashes condition="contains">SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558</Hashes>
+                <Hashes condition="contains">SHA256=238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4</Hashes>
+                <Hashes condition="contains">SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79</Hashes>
+                <Hashes condition="contains">SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073</Hashes>
+                <Hashes condition="contains">SHA256=385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039</Hashes>
+                <Hashes condition="contains">SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659</Hashes>
+                <Hashes condition="contains">SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c</Hashes>
+                <Hashes condition="contains">SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6</Hashes>
+                <Hashes condition="contains">SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91</Hashes>
+                <Hashes condition="contains">SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b</Hashes>
+                <Hashes condition="contains">SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965</Hashes>
+                <Hashes condition="contains">SHA256=771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c</Hashes>
+                <Hashes condition="contains">SHA256=810513b3f4c8d29afb46f71816350088caacf46f1be361af55b26f3fee4662c3</Hashes>
+                <Hashes condition="contains">SHA256=841335eeb6af68dce5b8b24151776281a751b95056a894991b23afae80e9f33b</Hashes>
+                <Hashes condition="contains">SHA256=0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06</Hashes>
+                <Hashes condition="contains">SHA256=952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4</Hashes>
+                <Hashes condition="contains">SHA256=2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c</Hashes>
+                <Hashes condition="contains">SHA256=3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf</Hashes>
+                <Hashes condition="contains">SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd</Hashes>
+                <Hashes condition="contains">SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9</Hashes>
+                <Hashes condition="contains">SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d</Hashes>
+                <Hashes condition="contains">SHA256=7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c</Hashes>
+                <Hashes condition="contains">SHA256=7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504</Hashes>
+                <Hashes condition="contains">SHA256=8939116df1d6c8fd0ebd14b2d37b3dec38a8820aa666ecd487bc1bb794f2a587</Hashes>
+                <Hashes condition="contains">SHA256=9778136d2441439dc470861d15d96fa21dc9f16225232cd05b76791a5e0fde6f</Hashes>
+                <Hashes condition="contains">SHA256=16768203a471a19ebb541c942f45716e9f432985abbfbe6b4b7d61a798cea354</Hashes>
+                <Hashes condition="contains">SHA256=18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805</Hashes>
+                <Hashes condition="contains">SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a</Hashes>
+                <Hashes condition="contains">SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10</Hashes>
+                <Hashes condition="contains">SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a</Hashes>
+                <Hashes condition="contains">SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3</Hashes>
+                <Hashes condition="contains">SHA256=55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa</Hashes>
+                <Hashes condition="contains">SHA256=65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3</Hashes>
+                <Hashes condition="contains">SHA256=65025741ecd0ef516da01319b42c2d96e13cb8d78de53fb7e39cd53ea6d58c75</Hashes>
+                <Hashes condition="contains">SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c</Hashes>
+                <Hashes condition="contains">SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82</Hashes>
+                <Hashes condition="contains">SHA256=696679114f6a106ec94c21e2a33fe17af86368bcf9a796aaea37ea6e8748ad6a</Hashes>
+                <Hashes condition="contains">SHA256=910479467ef17b9591d8d42305e7f6f247ad41c60ec890a1ffbe331f495ed135</Hashes>
+                <Hashes condition="contains">SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f</Hashes>
+                <Hashes condition="contains">SHA256=9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d</Hashes>
+                <Hashes condition="contains">SHA256=46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7</Hashes>
+                <Hashes condition="contains">SHA256=48891874441c6fa69e5518d98c53d83b723573e280c6c65ccfbde9039a6458c9</Hashes>
+                <Hashes condition="contains">SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa</Hashes>
+                <Hashes condition="contains">SHA256=a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1</Hashes>
+                <Hashes condition="contains">SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8</Hashes>
+                <Hashes condition="contains">SHA256=a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad</Hashes>
+                <Hashes condition="contains">SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062</Hashes>
+                <Hashes condition="contains">SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc</Hashes>
+                <Hashes condition="contains">SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200</Hashes>
+                <Hashes condition="contains">SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8</Hashes>
+                <Hashes condition="contains">SHA256=a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df</Hashes>
+                <Hashes condition="contains">SHA256=a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d</Hashes>
+                <Hashes condition="contains">SHA256=a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5</Hashes>
+                <Hashes condition="contains">SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3</Hashes>
+                <Hashes condition="contains">SHA256=a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e</Hashes>
+                <Hashes condition="contains">SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499</Hashes>
+                <Hashes condition="contains">SHA256=a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9</Hashes>
+                <Hashes condition="contains">SHA256=a7860e110f7a292d621006b7208a634504fb5be417fd71e219060381b9a891e6</Hashes>
+                <Hashes condition="contains">SHA256=a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e</Hashes>
+                <Hashes condition="contains">SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526</Hashes>
+                <Hashes condition="contains">SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433</Hashes>
+                <Hashes condition="contains">SHA256=a2353030d4ea3ad9e874a0f7ff35bbfa10562c98c949d88cabab27102bbb8e48</Hashes>
+                <Hashes condition="contains">SHA256=a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4</Hashes>
+                <Hashes condition="contains">SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608</Hashes>
+                <Hashes condition="contains">SHA256=aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c</Hashes>
+                <Hashes condition="contains">SHA256=aafb95a443911e4c67d4e45ffa83cca103c91b42915b81100534dc439bec0c1b</Hashes>
+                <Hashes condition="contains">SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89</Hashes>
+                <Hashes condition="contains">SHA256=ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd</Hashes>
+                <Hashes condition="contains">SHA256=ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a</Hashes>
+                <Hashes condition="contains">SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165</Hashes>
+                <Hashes condition="contains">SHA256=ac63c26ca43701dddaa7fb1aea535d42190f88752900a03040fd5aaa24991e25</Hashes>
+                <Hashes condition="contains">SHA256=ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833</Hashes>
+                <Hashes condition="contains">SHA256=ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b</Hashes>
+                <Hashes condition="contains">SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173</Hashes>
+                <Hashes condition="contains">SHA256=ad2477632b9b07588cfe0e692f244c05fa4202975c1fe91dd3b90fa911ac6058</Hashes>
+                <Hashes condition="contains">SHA256=ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47</Hashes>
+                <Hashes condition="contains">SHA256=adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee</Hashes>
+                <Hashes condition="contains">SHA256=ae6fb53e4d8122dba3a65e5fa59185b36c3ac9df46e82fcfb6731ab55c6395aa</Hashes>
+                <Hashes condition="contains">SHA256=ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471</Hashes>
+                <Hashes condition="contains">SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2</Hashes>
+                <Hashes condition="contains">SHA256=aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399</Hashes>
+                <Hashes condition="contains">SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685</Hashes>
+                <Hashes condition="contains">SHA256=af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a</Hashes>
+                <Hashes condition="contains">SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508</Hashes>
+                <Hashes condition="contains">SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414</Hashes>
+                <Hashes condition="contains">SHA256=b2ba6efeff1860614b150916a77c9278f19d51e459e67a069ccd15f985cbc0e1</Hashes>
+                <Hashes condition="contains">SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29</Hashes>
+                <Hashes condition="contains">SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602</Hashes>
+                <Hashes condition="contains">SHA256=b6fd51e1f57a03006953e84fd56cc2821cc19e7c77c0474e1110aabaacaf03df</Hashes>
+                <Hashes condition="contains">SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d</Hashes>
+                <Hashes condition="contains">SHA256=b8b94c2646b62f6ac08f16514b6efaa9866aa3c581e4c0435a7aeafe569b2418</Hashes>
+                <Hashes condition="contains">SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf</Hashes>
+                <Hashes condition="contains">SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c</Hashes>
+                <Hashes condition="contains">SHA256=b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a</Hashes>
+                <Hashes condition="contains">SHA256=b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b</Hashes>
+                <Hashes condition="contains">SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a</Hashes>
+                <Hashes condition="contains">SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a</Hashes>
+                <Hashes condition="contains">SHA256=b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e</Hashes>
+                <Hashes condition="contains">SHA256=b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5</Hashes>
+                <Hashes condition="contains">SHA256=b95b2d9b29bd25659f1c7ba5a187f8d23cde01162d9b5b1a2c4aea8f64b38441</Hashes>
+                <Hashes condition="contains">SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de</Hashes>
+                <Hashes condition="contains">SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e</Hashes>
+                <Hashes condition="contains">SHA256=b1867d13a4cab66a76f4d4448824ca0cb3a176064626f9618c0c103ee3cb4f47</Hashes>
+                <Hashes condition="contains">SHA256=b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0</Hashes>
+                <Hashes condition="contains">SHA256=b61869b7945be062630f1dd4bae919aecee8927f7e1bc3954a21ff763f4c0867</Hashes>
+                <Hashes condition="contains">SHA256=b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704</Hashes>
+                <Hashes condition="contains">SHA256=b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3</Hashes>
+                <Hashes condition="contains">SHA256=bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa</Hashes>
+                <Hashes condition="contains">SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc</Hashes>
+                <Hashes condition="contains">SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955</Hashes>
+                <Hashes condition="contains">SHA256=bb68552936a6b0a68fb53ce864a6387d2698332aac10a7adfdd5a48b97027ce3</Hashes>
+                <Hashes condition="contains">SHA256=bc7ebd191e0991fd0865a5c956a92e63792a0bb2ff888af43f7a63bb65a22248</Hashes>
+                <Hashes condition="contains">SHA256=bc13adeb6bf62b1e10ef41205ef92382e6c18d6a20669d288a0b11058e533d63</Hashes>
+                <Hashes condition="contains">SHA256=bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f</Hashes>
+                <Hashes condition="contains">SHA256=bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f</Hashes>
+                <Hashes condition="contains">SHA256=bda99629ec6c522c3efcbcc9ca33688d31903146f05b37d0d3b43db81bfb3961</Hashes>
+                <Hashes condition="contains">SHA256=bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c</Hashes>
+                <Hashes condition="contains">SHA256=bdcacee3695583a0ca38b9a786b9f7334bf2a9a3387e4069c8e6ca378b2791d0</Hashes>
+                <Hashes condition="contains">SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100</Hashes>
+                <Hashes condition="contains">SHA256=be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2</Hashes>
+                <Hashes condition="contains">SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57</Hashes>
+                <Hashes condition="contains">SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8</Hashes>
+                <Hashes condition="contains">SHA256=c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8</Hashes>
+                <Hashes condition="contains">SHA256=c2fcc0fec64d5647813b84b9049d430406c4c6a7b9f8b725da21bcae2ff12247</Hashes>
+                <Hashes condition="contains">SHA256=c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e</Hashes>
+                <Hashes condition="contains">SHA256=c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9</Hashes>
+                <Hashes condition="contains">SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e</Hashes>
+                <Hashes condition="contains">SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8</Hashes>
+                <Hashes condition="contains">SHA256=c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924</Hashes>
+                <Hashes condition="contains">SHA256=c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26</Hashes>
+                <Hashes condition="contains">SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a</Hashes>
+                <Hashes condition="contains">SHA256=c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc</Hashes>
+                <Hashes condition="contains">SHA256=c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa</Hashes>
+                <Hashes condition="contains">SHA256=c344e92a6d06155a217a9af7b4b35e6653665eec6569292e7b2e70f3a3027646</Hashes>
+                <Hashes condition="contains">SHA256=c470c9db58840149ce002f3e6003382ecf740884a683bae8f9d10831be218fa2</Hashes>
+                <Hashes condition="contains">SHA256=c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2</Hashes>
+                <Hashes condition="contains">SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5</Hashes>
+                <Hashes condition="contains">SHA256=c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada</Hashes>
+                <Hashes condition="contains">SHA256=c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c</Hashes>
+                <Hashes condition="contains">SHA256=c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d</Hashes>
+                <Hashes condition="contains">SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c</Hashes>
+                <Hashes condition="contains">SHA256=c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd</Hashes>
+                <Hashes condition="contains">SHA256=caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab</Hashes>
+                <Hashes condition="contains">SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612</Hashes>
+                <Hashes condition="contains">SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec</Hashes>
+                <Hashes condition="contains">SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6</Hashes>
+                <Hashes condition="contains">SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8</Hashes>
+                <Hashes condition="contains">SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64</Hashes>
+                <Hashes condition="contains">SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b</Hashes>
+                <Hashes condition="contains">SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb</Hashes>
+                <Hashes condition="contains">SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812</Hashes>
+                <Hashes condition="contains">SHA256=cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc</Hashes>
+                <Hashes condition="contains">SHA256=ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2</Hashes>
+                <Hashes condition="contains">SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986</Hashes>
+                <Hashes condition="contains">SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b</Hashes>
+                <Hashes condition="contains">SHA256=cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190</Hashes>
+                <Hashes condition="contains">SHA256=cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb</Hashes>
+                <Hashes condition="contains">SHA256=cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40</Hashes>
+                <Hashes condition="contains">SHA256=cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b</Hashes>
+                <Hashes condition="contains">SHA256=cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab</Hashes>
+                <Hashes condition="contains">SHA256=cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c</Hashes>
+                <Hashes condition="contains">SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889</Hashes>
+                <Hashes condition="contains">SHA256=d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605</Hashes>
+                <Hashes condition="contains">SHA256=d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f</Hashes>
+                <Hashes condition="contains">SHA256=d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9</Hashes>
+                <Hashes condition="contains">SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102</Hashes>
+                <Hashes condition="contains">SHA256=d7ddf874304556f8a10942a29b3d387cb5155a7419f87813557fe728cb14806d</Hashes>
+                <Hashes condition="contains">SHA256=d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0</Hashes>
+                <Hashes condition="contains">SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530</Hashes>
+                <Hashes condition="contains">SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482</Hashes>
+                <Hashes condition="contains">SHA256=d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2</Hashes>
+                <Hashes condition="contains">SHA256=d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f</Hashes>
+                <Hashes condition="contains">SHA256=d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3</Hashes>
+                <Hashes condition="contains">SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3</Hashes>
+                <Hashes condition="contains">SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71</Hashes>
+                <Hashes condition="contains">SHA256=d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476</Hashes>
+                <Hashes condition="contains">SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2</Hashes>
+                <Hashes condition="contains">SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26</Hashes>
+                <Hashes condition="contains">SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e</Hashes>
+                <Hashes condition="contains">SHA256=d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d</Hashes>
+                <Hashes condition="contains">SHA256=d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1</Hashes>
+                <Hashes condition="contains">SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24</Hashes>
+                <Hashes condition="contains">SHA256=da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d</Hashes>
+                <Hashes condition="contains">SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004</Hashes>
+                <Hashes condition="contains">SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653</Hashes>
+                <Hashes condition="contains">SHA256=dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98</Hashes>
+                <Hashes condition="contains">SHA256=dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed</Hashes>
+                <Hashes condition="contains">SHA256=dbe9f17313e1164f06401234b875fbc7f71d41dc7271de643865af1358841fef</Hashes>
+                <Hashes condition="contains">SHA256=dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258</Hashes>
+                <Hashes condition="contains">SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097</Hashes>
+                <Hashes condition="contains">SHA256=dd573f23d656818036fc9ae1064eda31aca86acb9bc44a6e127db3ea112a9094</Hashes>
+                <Hashes condition="contains">SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8</Hashes>
+                <Hashes condition="contains">SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa</Hashes>
+                <Hashes condition="contains">SHA256=de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c</Hashes>
+                <Hashes condition="contains">SHA256=de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5</Hashes>
+                <Hashes condition="contains">SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc</Hashes>
+                <Hashes condition="contains">SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d</Hashes>
+                <Hashes condition="contains">SHA256=deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578</Hashes>
+                <Hashes condition="contains">SHA256=df0cc4e5c9802f8edaefeb130e375cad56b2c5490d8ebd77d8dbdcc6fdc7ecb6</Hashes>
+                <Hashes condition="contains">SHA256=df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15</Hashes>
+                <Hashes condition="contains">SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22</Hashes>
+                <Hashes condition="contains">SHA256=e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b</Hashes>
+                <Hashes condition="contains">SHA256=e2d8dd5dacc24051709f55a35184f5f99aef957a83bd358b0608b4479e1ec24f</Hashes>
+                <Hashes condition="contains">SHA256=e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6</Hashes>
+                <Hashes condition="contains">SHA256=e3b257357be41a18319332df7023c4407e2b93ac4c9e0c6754032e29f3763eac</Hashes>
+                <Hashes condition="contains">SHA256=e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918</Hashes>
+                <Hashes condition="contains">SHA256=e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd</Hashes>
+                <Hashes condition="contains">SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb</Hashes>
+                <Hashes condition="contains">SHA256=e4c154a0073bbad3c9f8ab7218e9b3be252ae705c20c568861dae4088f17ffcc</Hashes>
+                <Hashes condition="contains">SHA256=e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036</Hashes>
+                <Hashes condition="contains">SHA256=e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148</Hashes>
+                <Hashes condition="contains">SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1</Hashes>
+                <Hashes condition="contains">SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53</Hashes>
+                <Hashes condition="contains">SHA256=e5b0772be02e2bc807804874cf669e97aa36f5aff1f12fa0a631a3c7b4dd0dc8</Hashes>
+                <Hashes condition="contains">SHA256=e7cbfb16261de1c7f009431d374d90e9eb049ba78246e38bc4c8b9e06f324b6f</Hashes>
+                <Hashes condition="contains">SHA256=e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48</Hashes>
+                <Hashes condition="contains">SHA256=e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f</Hashes>
+                <Hashes condition="contains">SHA256=e50b25d94c1771937b2f632e10eea875ac6b19c57da703d52e23ad2b6299f0ae</Hashes>
+                <Hashes condition="contains">SHA256=e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90</Hashes>
+                <Hashes condition="contains">SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028</Hashes>
+                <Hashes condition="contains">SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a</Hashes>
+                <Hashes condition="contains">SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4</Hashes>
+                <Hashes condition="contains">SHA256=e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f</Hashes>
+                <Hashes condition="contains">SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf</Hashes>
+                <Hashes condition="contains">SHA256=e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2</Hashes>
+                <Hashes condition="contains">SHA256=e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9</Hashes>
+                <Hashes condition="contains">SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf</Hashes>
+                <Hashes condition="contains">SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa</Hashes>
+                <Hashes condition="contains">SHA256=e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06</Hashes>
+                <Hashes condition="contains">SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790</Hashes>
+                <Hashes condition="contains">SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293</Hashes>
+                <Hashes condition="contains">SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3</Hashes>
+                <Hashes condition="contains">SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41</Hashes>
+                <Hashes condition="contains">SHA256=ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3</Hashes>
+                <Hashes condition="contains">SHA256=ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5</Hashes>
+                <Hashes condition="contains">SHA256=ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566</Hashes>
+                <Hashes condition="contains">SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c</Hashes>
+                <Hashes condition="contains">SHA256=ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282</Hashes>
+                <Hashes condition="contains">SHA256=ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39</Hashes>
+                <Hashes condition="contains">SHA256=ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7</Hashes>
+                <Hashes condition="contains">SHA256=ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe</Hashes>
+                <Hashes condition="contains">SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b</Hashes>
+                <Hashes condition="contains">SHA256=ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850</Hashes>
+                <Hashes condition="contains">SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0</Hashes>
+                <Hashes condition="contains">SHA256=f1c8ca232789c2f11a511c8cd95a9f3830dd719cad5aa22cb7c3539ab8cb4dc3</Hashes>
+                <Hashes condition="contains">SHA256=f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b</Hashes>
+                <Hashes condition="contains">SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe</Hashes>
+                <Hashes condition="contains">SHA256=f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f</Hashes>
+                <Hashes condition="contains">SHA256=f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1</Hashes>
+                <Hashes condition="contains">SHA256=f37d609ea1f06660d970415dd3916c4c153bb5940bf7d2beb47fa34e8a8ffbfc</Hashes>
+                <Hashes condition="contains">SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960</Hashes>
+                <Hashes condition="contains">SHA256=f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c</Hashes>
+                <Hashes condition="contains">SHA256=f84f8173242b95f9f3c4fea99b5555b33f9ce37ca8188b643871d261cb081496</Hashes>
+                <Hashes condition="contains">SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004</Hashes>
+                <Hashes condition="contains">SHA256=f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439</Hashes>
+                <Hashes condition="contains">SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d</Hashes>
+                <Hashes condition="contains">SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57</Hashes>
+                <Hashes condition="contains">SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af</Hashes>
+                <Hashes condition="contains">SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960</Hashes>
+                <Hashes condition="contains">SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008</Hashes>
+                <Hashes condition="contains">SHA256=f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145</Hashes>
+                <Hashes condition="contains">SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65</Hashes>
+                <Hashes condition="contains">SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35</Hashes>
+                <Hashes condition="contains">SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13</Hashes>
+                <Hashes condition="contains">SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b</Hashes>
+                <Hashes condition="contains">SHA256=f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478</Hashes>
+                <Hashes condition="contains">SHA256=f85784fa8e7a7ec86cb3fe76435802f6bb82256e1824ed7b5d61bf075f054573</Hashes>
+                <Hashes condition="contains">SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54</Hashes>
+                <Hashes condition="contains">SHA256=f9895458e73d4b0ef01eda347fb695bb00e6598d9f5e2506161b70ad96bb7298</Hashes>
+                <Hashes condition="contains">SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b</Hashes>
+                <Hashes condition="contains">SHA256=fa875178ae2d7604d027510b0d0a7e2d9d675e10a4c9dda2d927ee891e0bcb91</Hashes>
+                <Hashes condition="contains">SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566</Hashes>
+                <Hashes condition="contains">SHA256=fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22</Hashes>
+                <Hashes condition="contains">SHA256=fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f</Hashes>
+                <Hashes condition="contains">SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2</Hashes>
+                <Hashes condition="contains">SHA256=fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c</Hashes>
+                <Hashes condition="contains">SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1</Hashes>
+                <Hashes condition="contains">SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533</Hashes>
+                <Hashes condition="contains">SHA256=fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c</Hashes>
+                <Hashes condition="contains">SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03</Hashes>
+                <Hashes condition="contains">SHA256=fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280</Hashes>
+                <Hashes condition="contains">SHA256=ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7</Hashes>
+                <Hashes condition="contains">SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339</Hashes>
+                <Hashes condition="contains">SHA256=ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5</Hashes>
+                <Hashes condition="contains">SHA256=ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f</Hashes>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Malicious Driver Detected,Risk=10,Author=Florian Roth" groupRelation="or">
+                <Hashes condition="contains">SHA256=56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c</Hashes>
+                <Hashes condition="contains">SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4</Hashes>
+                <Hashes condition="contains">SHA256=86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62</Hashes>
+                <Hashes condition="contains">SHA256=06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f</Hashes>
+                <Hashes condition="contains">SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e</Hashes>
+                <Hashes condition="contains">SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1</Hashes>
+                <Hashes condition="contains">SHA256=6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724</Hashes>
+                <Hashes condition="contains">SHA256=ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620</Hashes>
+                <Hashes condition="contains">SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc</Hashes>
+                <Hashes condition="contains">SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c</Hashes>
+                <Hashes condition="contains">SHA256=e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d</Hashes>
+                <Hashes condition="contains">SHA256=18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7</Hashes>
+                <Hashes condition="contains">SHA256=139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988</Hashes>
+                <Hashes condition="contains">SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427</Hashes>
+                <Hashes condition="contains">SHA256=1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e</Hashes>
+                <Hashes condition="contains">SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421</Hashes>
+                <Hashes condition="contains">SHA256=0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99</Hashes>
+                <Hashes condition="contains">SHA256=ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a</Hashes>
+                <Hashes condition="contains">SHA256=89698cad598a56f9e45efffd15d1841e494a2409cc12279150a03842cd6bb7f3</Hashes>
+                <Hashes condition="contains">SHA256=5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b</Hashes>
+                <Hashes condition="contains">SHA256=fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5</Hashes>
+                <Hashes condition="contains">SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4</Hashes>
+                <Hashes condition="contains">SHA256=6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77</Hashes>
+                <Hashes condition="contains">SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f</Hashes>
+                <Hashes condition="contains">SHA256=32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d</Hashes>
+                <Hashes condition="contains">SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8</Hashes>
+                <Hashes condition="contains">SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1</Hashes>
+                <Hashes condition="contains">SHA256=f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a</Hashes>
+                <Hashes condition="contains">SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376</Hashes>
+                <Hashes condition="contains">SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc</Hashes>
+                <Hashes condition="contains">SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3</Hashes>
+                <Hashes condition="contains">SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217</Hashes>
+                <Hashes condition="contains">SHA256=200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a</Hashes>
+                <Hashes condition="contains">SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce</Hashes>
+                <Hashes condition="contains">SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497</Hashes>
+                <Hashes condition="contains">SHA256=23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931</Hashes>
+                <Hashes condition="contains">SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316</Hashes>
+                <Hashes condition="contains">SHA256=5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d</Hashes>
+                <Hashes condition="contains">SHA256=e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12</Hashes>
+                <Hashes condition="contains">SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87</Hashes>
+                <Hashes condition="contains">SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae</Hashes>
+                <Hashes condition="contains">SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e</Hashes>
+                <Hashes condition="contains">SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c</Hashes>
+                <Hashes condition="contains">SHA256=f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280</Hashes>
+                <Hashes condition="contains">SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51</Hashes>
+                <Hashes condition="contains">SHA256=b8807e365be2813b7eccd2e4c49afb0d1e131086715638b7a6307cd7d7e9556c</Hashes>
+                <Hashes condition="contains">SHA256=50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76</Hashes>
+                <Hashes condition="contains">SHA256=52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677</Hashes>
+                <Hashes condition="contains">SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6</Hashes>
+                <Hashes condition="contains">SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104</Hashes>
+                <Hashes condition="contains">SHA256=8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330</Hashes>
+                <Hashes condition="contains">SHA256=4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4</Hashes>
+                <Hashes condition="contains">SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463</Hashes>
+                <Hashes condition="contains">SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c</Hashes>
+                <Hashes condition="contains">SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530</Hashes>
+                <Hashes condition="contains">SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c</Hashes>
+                <Hashes condition="contains">SHA256=f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d</Hashes>
+                <Hashes condition="contains">SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a</Hashes>
+                <Hashes condition="contains">SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae</Hashes>
+                <Hashes condition="contains">SHA256=bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df</Hashes>
+                <Hashes condition="contains">SHA256=42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25</Hashes>
+                <Hashes condition="contains">SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212</Hashes>
+                <Hashes condition="contains">SHA256=770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a</Hashes>
+			</Rule>
 		</FileExecutableDetected>
 	</RuleGroup>
 	<RuleGroup name="RG=FileExecutable Excludes" groupRelation="or">

From ca6f0aa641b7a2d9fe6f05380da675a2308a7b8e Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Wed, 6 Sep 2023 13:28:49 -0400
Subject: [PATCH 452/471] Update sysmonconfig-export.xml

---
 sysmonconfig-export.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 9016300b..1cbb31f5 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -10738,4 +10738,4 @@
 		</FileExecutableDetected>
 	</RuleGroup>
 	</EventFiltering>
-</Sysmon>
\ No newline at end of file
+</Sysmon>

From 5316d5dd52a90987887fb1b67c6707409cacebbf Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Thu, 7 Sep 2023 08:57:46 -0400
Subject: [PATCH 453/471] Revert "Added changes from @ion-storm config."

This reverts commit ee20ccd3a9b399255a7e12c25e434ea92a426795.
---
 sysmonconfig-export.xml | 1115 +--------------------------------------
 1 file changed, 22 insertions(+), 1093 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 1cbb31f5..58259a75 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -262,7 +262,7 @@
 				<ParentImage condition="contains any">C:\Users\;$Recycle;\Temp\;\Downloads\</ParentImage>
 				<CommandLine condition="is">\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1</CommandLine>
 				<Image condition="image">conhost.exe</Image>
-				<ParentImage condition="excludes any">C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\Msp.Ecosystem.Discovery.exe;TCIntegratorCommHelper.exe;\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe</ParentImage> <!--NCentral and Nvidia exclusions-->
+				<ParentImage condition="excludes any">C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\Msp.Ecosystem.Discovery.exe;TCIntegratorCommHelper.exe</ParentImage> <!--NCentral exclusions-->
 			</Rule>
 			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Console Host Parents,Risk=30" groupRelation="and">
 				<ParentImage condition="contains any">svchost.exe;lsass.exe;services.exe;smss.exe;winlogon.exe;explorer.exe;dllhost.exe;rundll32.exe;regsvr32.exe;userinit.exe;winit.exe;spoolsv.exe;wermgr.exe;csrss.exe;ctfmon.exe;werfault.exe</ParentImage>
@@ -518,7 +518,6 @@
 				<ParentImage condition="excludes">C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe</ParentImage>
 				<CommandLine condition="excludes">Sentinel\AutoRepair</CommandLine> <!--SentinelOne exclusion-->
 				<CommandLine condition="excludes">Update_Sysmon_Rules</CommandLine>
-				<ParentImage condition="excludes">C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scheduled Task Created,Risk=100" groupRelation="and">
 				<OriginalFileName condition="is">taskeng.exe</OriginalFileName>
@@ -533,7 +532,7 @@
 			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=Child process from schtasks" groupRelation="and">
 				<ParentImage condition="image">schtasks.exe</ParentImage>
 				<ParentCommandLine condition="excludes">schtasks /TN RtkAudUService64_BG</ParentCommandLine>
-				<ParentCommandLine condition="excludes any">-change;/change;-delete;/delete;-create;/create;Update_Sysmon_Rules;AMDRyzenMasterSDKTask</ParentCommandLine>
+				<ParentCommandLine condition="excludes any">-change;/change;-delete;/delete;-create;/create;Update_Sysmon_Rules</ParentCommandLine>
 			</Rule>
 			<Rule name="Attack=T1053.002,Technique=Scheduled Task/Job: At,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=at.exe Task scheduler execution" groupRelation="and">
 				<Image condition="image">at.exe</Image>
@@ -687,8 +686,6 @@
 			</Rule>
 			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Suspicious Directory Traversal" groupRelation="and">
 				<CommandLine condition="contains any">..\;\..</CommandLine>
-				<ParentImage condition="excludes all">C:\Program Files;\Razer\Synapse3\Service\Razer Synapse Service.exe</ParentImage>
-				<Image condition="excludes all">C:\Program Files;\Razer\;\UserProcess\Razer Synapse Service Process.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Formbook detections" groupRelation="and">
 				<CommandLine condition="contains any">\cmd.exe /c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe /c del "C:\Users\*\Desktop\*.exe;\cmd.exe -c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe -c del "C:\Users\*\Desktop\*.exe</CommandLine>
@@ -960,13 +957,9 @@
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
 			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=netsh Firewall Rule Deletion,Risk=40" groupRelation="and">
 				<CommandLine condition="contains">firewall delete</CommandLine>
-				<ParentCommandLine condition="excludes all">ROGLiveService;C:\Program Files\ASUS\ROG Live Service\ROGLiveService.exe</ParentCommandLine>
-				<ParentImage condition="excludes">C:\Program Files\ASUS\ROG Live Service\RLSInstallAction.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh Firewall Rule Creation,Risk=40" groupRelation="and">
 				<CommandLine condition="contains">firewall add</CommandLine>
-				<ParentCommandLine condition="excludes all">cmd.exe;ROGLiveService;C:\Program Files\ASUS\ROG Live Service\ROGLiveService.exe;enable=yes</ParentCommandLine>
-				<ParentImage condition="excludes">C:\Program Files\ASUS\ROG Live Service\RLSInstallAction.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=netsh firewall disablement,Risk=40" groupRelation="and">
 				<CommandLine condition="contains">firewall set opmode disable</CommandLine>
@@ -1054,7 +1047,6 @@
 			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=suspicious execution path,Risk=30" groupRelation="and">
 				<Image condition="contains any">C:\Users\NetworkService\;C:\Users\NetworkService\;HarddiskVolumeShadowCopy;C:\Users\Default\;C:\Users\Public;C:\Users\Guest\;\administrateur\;C:\Windows\Media\;C:\Windows\addins\;tsclient\;\htdocs\;\config\systemprofile\;C:\PerfLogs\;c:\windows\ServiceProfiles\;C:\Intel\Logs\;C:\Windows\repair\;C:\Windows\Help\;$Recycle;C:\Windows\Debug\;C:\Windows\Security\;C:\Windows\Fonts\;\wwwroot\;\Contacts;C:\Windows\vss\</Image>
-				<ParentImage condition="excludes all">C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;\CitrixReceiverUpdater.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Alert=Double File Extension,Risk=100" groupRelation="or">
 				<Image condition="end with">      .exe</Image>
@@ -2481,10 +2473,10 @@
 				<CommandLine condition="image">start-bitstransfer</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" groupRelation="and">
-				<CommandLine condition="contains all">expand;\\</CommandLine>
+				<CommandLine condition="contains">expand \\</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" groupRelation="and">
-				<CommandLine condition="contains all">expand.exe;\\</CommandLine>
+				<CommandLine condition="contains">expand.exe \\</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" groupRelation="and">
 				<CommandLine condition="contains">ieexec http</CommandLine>
@@ -2502,10 +2494,10 @@
 				<CommandLine condition="contains any">esentutl.exe /y \\;esentutl.exe -y \\</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" groupRelation="and">
-				<CommandLine condition="contains all">extrac32;\\</CommandLine>
+				<CommandLine condition="contains">extrac32 \\</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" groupRelation="and">
-				<CommandLine condition="contains all">extrac32.exe;\\</CommandLine>
+				<CommandLine condition="contains">extrac32.exe \\</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
@@ -2647,16 +2639,10 @@
 				<CommandLine condition="contains">erase</CommandLine>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=2,Alert=vShadow Commands" groupRelation="and">
-				<CommandLine condition="contains all">-nw;-exec=</CommandLine>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=2,Alert=vShadow Commands" groupRelation="and">
-				<CommandLine condition="contains all">/nw;/exec=</CommandLine>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=vShadow Commands" groupRelation="and">
-				<CommandLine condition="contains all">-p;-nw</CommandLine>
+				<CommandLine condition="contains">-nw -exec=</CommandLine>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=vShadow Commands" groupRelation="and">
-				<CommandLine condition="contains all">/p;/nw</CommandLine>
+				<CommandLine condition="contains">-p -nw</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with shred Detected,Risk=100" groupRelation="and">
 				<Image condition="contains">shred</Image>
@@ -2681,7 +2667,8 @@
 			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
 			<Rule name="Attack=T1107,Technique=File Deletion,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=FSUtil USN Journal Deletion,Risk=60" groupRelation="and">
 				<Image condition="image">fsutil.exe</Image>
-				<CommandLine condition="contains all">usn;deletejournal</CommandLine>
+				<CommandLine condition="contains">deletejournal</CommandLine>
+				<CommandLine condition="contains">usn</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
 			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
@@ -2691,8 +2678,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<Rule name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Malicious Keywords from Exploitation Frameworks,Author=Florian Roth" groupRelation="and">
-				<CommandLine condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
-				<Image condition="excludes all">C:\Program Files;\LightingService\AsusInstallVerifier.exe</Image>
+			<CommandLine condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
 			</Rule>
 			<!--Crypto Currency Miner Detections-->
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
@@ -2951,9 +2937,6 @@
 				<Image condition="image">C:\Windows\System32\WerFault.exe</Image>
 				<ParentImage condition="image">C:\Windows\System32\wbem\WmiPrvSE.exe</ParentImage>
 			</Rule>
-			<Rule name="exclude armoury Crate from cmdline file deletion rule" groupRelation="and">
-				<ParentImage condition="image">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</ParentImage>
-			</Rule>
 		</ProcessCreate>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
@@ -5141,7 +5124,6 @@
 				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git;\Intel\Driver and Support Assistant\DSAService.exe;C:\Program Files (x86)\N-able Technologies\AutomationManagerAgent\;C:\Program Files (x86)\MspPlatform\RequestHandlerAgent\RequestHandlerAgent.exe;C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe;C:\ProgramData\Cavelo\jre\bin\java.exe;C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe;C:\Program Files\Cavelo\Cavelo Agent\parser.exe</SourceImage>
 				<SourceImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\NGenTask.exe</SourceImage>
 				<TargetImage condition="excludes any">\Intel\Driver and Support Assistant\</TargetImage>
-				<TargetImage condition="excludes any">C:\Program Files\AMD\CNext\CNext\Radeonsoftware.exe;C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.UserSessionHelper.exe</TargetImage>
 				<TargetImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\ngen.exe</TargetImage>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
@@ -5282,7 +5264,6 @@
 				<TargetFilename condition="begin with">C:\Windows\SoftwareDistribution</TargetFilename>
 				<TargetFilename condition="not begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch</TargetFilename>
 				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="excludes">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Creation,Level=0,Desc=MSBuild Source Files created" groupRelation="or">
 				<TargetFilename condition="end with">proj</TargetFilename>
@@ -5318,7 +5299,6 @@
 			</Rule>
 			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=BIN file created" groupRelation="and">
 				<TargetFilename condition="end with">.bin</TargetFilename>
-				<Image condition="excludes any">C:\Windows\System32\WUDFHost.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WMI Shell artifacts" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
@@ -5456,8 +5436,6 @@
 				<TargetFilename condition="contains any">!!!-WARNING-!!!.html;!!!-WARNING-!!!.txt;!!! HOW TO DECRYPT FILES !!!;!!!README!!!;!!!READ_TO_UNLOCK!!!.TXT;!!!_READ_ME_;!Recovery_;!Where_are_my_files!.html;!_HOW_TO_RESTORE_;!_RECOVERY_HELP_!.txt;!recover!;# DECRYPT MY FILES #.html;# DECRYPT MY FILES #.txt;# DECRYPT MY FILES #.vbs;# SATAN CRYPTOR #;+recover+;.8lock8;.31392E30362E32303136_;.ABCDEF;.CIop;.CR1;.CRAB;.CRYPTOSHIELD;.Cl0p;.Contact_Here_To_Recover_Your_Files.txt;.CryptoTorLocker2015!;.HERMES;.HakunaMatata;.How_To_Decrypt.txt;.How_To_Get_Back.txt;.KEYZ.KEYH0LES;.L0CKED;.LOL!;.MATRIX;.OMG!;.R.i.P;.RMCM1;.RSplited;.SUPERCRYPT;.SecureCrypted;.TheTrumpLocker;.VBRANSOM;.VforVendetta;.Where_my_files.txt;.XBTL;._AiraCropEncrypted!;.airacropencrypted!;.areyoulovemyrans;.berkshire;.bitpy;.bitx;.blocatto;.bomber;.braincrypt;.breakingbad;.breeding123;.cerber;.cifgksaffsfyghd;.country82000;.crypt;.crypted;.crypton;.cryptotorlocker;.decrypt2017;.deria;.dglnl;.disposed2017;.doomed;.encrypted.locked;.encrypted;.encryptedyourfiles;.enjey;.evillock;.filegofprencrp;.fileiscryptedhard;.firecrypt;.fuckyourdata;.gangbang;.gefickt;.googl;.happydayzz;.hceem;.helpdecrypt;.helpmeencedfiles;.hnumkhotep;.hydracrypt_ID;.iaufkakfhsaraf;.info.txt;.jimm;.kharma;.killedXXX;.lambda_l0cked;.letmetrydecfiles;.locked;.locker16;.loveransisgood;.lovewindows;.magic_software_syndicate;.mention9823;.moments2900;.myrandsext2017;.newlock;.no_more_ransom;.nochance;.noproblemwedecfiles;.notfoundrans;.ohwqg;.one-we_can-help_you;.oops;.osiris;.otherinformation;.paytounlock;.powerfulldecrypt;.powned;.pr0lock;.prolock;.prosperous666;.pwnd;.ransom;.readme2unlock;.righ;.roger;.ryk;.satan;.savethequeen;.sigaint.org;.skjdthghh;.skynet;.snatch;.stubbin;.supported2017;.suppose666;.theworldisyours;.txd0t;.warn_wallet;.weapologize;.weareyourfriends;.weencedufiles;.wowreadfordecryp;.wowwhereismyfiles;.wvtr0;.yourransom;.zzzzz ;.{CRYPTENDBLACKDC};-DECRYPT.txt;000-IF-YOU-WANT-DEC-FILES;000-No-PROBLEM-WE-DEC-FILES;000-PLEASE-READ-WE-HELP;001-READ-FOR-DECRYPT-FILES;1025-7152.exe;:\windows\update_collector.exe;=READ=THIS=PLEASE=;@cock.li;@countermail.com;@firemail.cc;@india.com;@mail.ru;@ukr.net;ASSISTANCE_IN_RECOVERY;ATTENTION!!!.txt;ATTENTION.url;Aescrypt.exe;AllFilesAreLocked;BTC_DECRYPT_FILES;BUYUNLOCKCODE.txt;BUYUNLOCKCODE;BitCryptorFileList.txt;C:\ProgramData\dtb.dat;C:\Programdata\WinMgr;C:\Programdata\clean.bat;C:\Programdata\run.bat;C:\Windows\svchost.exe;CEBER3;CHECK-IT-HELP-FILES;COME_RIPRISTINARE_I_FILE.;COMO_ABRIR_ARQUIVOS.txt;COMO_RESTAURAR_ARCHIVOS;Coin.Locker.txt;Comment débloquer mes fichiers.txt;Como descriptografar seus arquivos.txt;Corona-virus-Map;Corona.bat;Corona.sfx;CryptoRansomware;Crytp0l0cker;Cyber SpLiTTer Vbs.exe;Cyborg_DECRYPT;DALE_FILES.TXT;DECRYPT-FILES;DECRYPTION INSTRUCTIONS.;DECRYPTION_HOWTO.Notepad;DECRYPT_INFORMATION;DECRYPT_INSTRUCTION.HTML;DECRYPT_INSTRUCTION.URL;DECRYPT_INSTRUCTIONS.html;DECRYPT_INSTRUCTIONS;DECRYPT_ReadMe1.TXT;DECRYPT_Readme.TXT.ReadMe;DECRYPT_YOUR_FILES;DESIFROVANI_POKYNY.html;Decrypt All Files;DecryptAllFiles;DecryptFile;Decrypt_readme.txt;DesktopOsiris;ENTSCHLUSSELN_HINWEISE.html;EdgeLocker;FILESAREGONE.txt;FILES_BACK.txt;File Decrypt Help.html;GJENOPPRETTING_AV_FILER;GetYouFiles.txt;HAPPEN-ENCED-FILES;HELLOTHERE.TXT;HELP-ME-ENCED-FILES;HELPDECRYPT_YOUR_FILES.HTML;HELP_DECRYPT.HTML;HELP_DECRYPT.PNG;HELP_DECRYPT.URL;HELP_DECRYPT.lnk;HELP_ME_PLEASE.txt;HELP_RESTORE_FILES_;HELP_TO_SAVE_FILES.bmp;HELP_TO_SAVE_FILES;HELP_YOURFILES.HTML;HELP_YOUR_FILES.PNG;HELP_YOUR_FILES.html;HELP_YOUR_FILES;HOW-TO-DECRYPT-FILES.HTML;HOW-TO-RESTORE-FILES;HOW TO BACK YOUR FILES;HOW TO DECRYPT FILES.HTML;HOW TO DECRYPT FILES.txt;HOW TO RECOVER;HOWTO_RECOVER_FILES_;HOWTO_RESTORE_FILES;HOWTO_RESTORE_FILES_;HOW_DECRYPT.HTML;HOW_DECRYPT.TXT;HOW_DECRYPT.URL;HOW_OPEN_FILES;HOW_TO_DECRYPT.HTML;HOW_TO_DECRYPT_;HOW_TO_PAY_THE_RANSOM;HOW_TO_RESTORE_FILES.html;HOW_TO_RESTORE_FILES;HOW_TO_RESTORE_YOUR_DATA;HOW_TO_UNLOCK_FILES_README_;HWID Lock.exe;Hacked_Read_me_to_decrypt_files.html;Help Decrypt.html;How decrypt files.hta;How to decrypt LeChiffre files.html;How to decrypt your data.txt;HowDecrypt.gif;HowDecrypt.txt;How_to_decrypt_your_files.jpg;How_to_restore_files.hta;HowtoRestore_File;HowtoRestore_Files;Howto_RESTORE_FILES.html;Howto_Restore_FILES.TXT;IAMREADYTOPAY.TXT;IF-YOU-WANT-DEC-FILES;IF_WANT_FILES_BACK_PLS_READ.html;IHAVEYOURSECRET.KEY;IMPORTANT READ ME.txt;IMPORTANT.README;INSTALL_TOR.URL;INSTRUCCIONES;INSTRUCCIONES_DESCIFRADO.html;INSTRUCTION RESTORE FILE;INSTRUCTIONS_DE_DECRYPTAGE.html;INSTUCCIONES_DESCRIFRADO;ISTRUZIONI_DECRITTAZIONE.html;Important!.txt;Instructionaga.txt;KryptoLocker_README.txt;LEER_INMEDIATAMENTE;LET-ME-TRY-DEC-FILES;Locked-by-Mafia;MENSAGEM.txt;MERRY_I_LOVE_YOU_BRUCE.hta;No-PROBLEM-WE-DEC-FILES;OKSOWATHAPPENDTOYOURFILES.TXT;ONTSLEUTELINGS_INSTRUCTIES.html;OSIRIS-;PAYLOADBIN;PINGY@INDIA.COM;PLEASE-READ-WE-HELP.;PLEASE-READIT-IF_YOU-WANT.html;PLEASE-READIT-IF_YOU-WANT;PLEASE-README-AFFECTED-FILES;PLS-DEC-MY-FILES;PURELOCKER;Payment_Instructions.jpg;Please Read Me!!!;READ-FOR-DECCCC-FILESSS;READ-FOR-DECRYPT-FILES;READ-READ-READ;READ IF YOU WANT YOUR FILES BACK.html;READ ME FOR DECRYPT.txt;README HOW TO DECRYPT YOUR FILES.HTML;README!!!;README_DECRYPT_HYDRA_ID_;README_DECRYPT_HYRDA_ID_;README_DECRYPT_UMBRE_ID_;README_DONT_DELETE;README_HOW_TO_UNLOCK.HTML;README_HOW_TO_UNLOCK.TXT;README_RECOVER_FILES_;README_TO_RECURE_YOUR_FILES;READTHISNOW!!!.txt;READ_IT.txt;READ_ME_!.txt;READ_ME_TO_DECRYPT_YOU_INFORMA;READ_THIS_TO_DECRYPT.html;RECOVER-FILES;RECOVERY_FILE.;RECOVERY_FILES.TXT;RECOVER_MY_FILE;RESTORE_CORUPTED_FILES;RESTORE_FILES_;RETURN FILES.txt;RETURN YOUR FILES;RETURNFILES_.txt;RETURN_FILES.txt;RETURN_FILES_.txt;Rans0m_N0te_Read_ME;Read Me (How Decrypt) !!!!.txt;ReadDecryptFilesHere;Read_this_file.txt;Receipt.exe;RecoveryManual.html;Recovery_File_;Recovery_file_;Rooster865qq;SECRET.KEY;SECRETIDHERE.KEY;SHTODELATVAM.txt;SIFRE_COZME_TALIMATI.html;SORRY-FOR-FILES;Survey Locker.exe;TRY-READ-ME-TO-DEC;Temp\satan\satan;ThxForYurTyme;UNLOCK_FILES_INSTRUCTIONS.html;UNLOCK_FILES_INSTRUCTIONS.txt;UnblockFiles.vbs;VIP72.exe;Vape Launcher.exe;WANT_FILES_BACK;WE-MUST-DEC-FILES;WHERE-YOUR-FILES;WORMKILLER@INDIA.COM.XTBL;What happen to my files.txt;Whereisyourfiles;WindowsApplication1.exe;YOUGOTHACKED.TXT;YOUR_FILES.txt;YOUR_FILES.url;YOUR_FILES_ARE_DEAD;YOUR_FILES_ARE_ENCRYPTED.HTML;YOUR_FILES_ARE_ENCRYPTED.TXT;YOUR_FILES_ARE_LOCKED.txt;Your files are locked !!!!.txt;Your files are locked !!!.txt;Your files are locked !!.txt;Your files are locked !.txt;Your files encrypted by our friends !!! txt;Your files encrypted by our friends !!!.txt;[KASISKI];_Adatok_visszaallitasahoz_utasitasok;_DECRYPT_ASSISTANCE_;_DECRYPT_INFO_;_DECRYPT_INFO_szesnl;_DEC_FILES.;_FILES_WERE_ENCRYPTED_@.TXT;_HELP_HELP_HELP_;_HELP_Recover_Files_;_HELP_instructions.bmp;_HELP_instructions.txt;_HOWDO_text.bmp;_HOWDO_text.html;_HOW_TO_Decrypt;_H_e_l_p_RECOVER_INSTRUCTIONS+;_H_e_l_p_RECOVER_INSTRUCTIONS;_Locky_recover;_Locky_recover_instructions.bmp;_Locky_recover_instructions.txt;_README.hta;_README.jpg;_READ_ME!;_RECOVER_INSTRUCTIONS;_ReCoVeRy_+;_USE_TO_FIX_;_WHAT_is.html;_help_instruct;_how_recover.txt;_how_recover;_how_recover_;_recover_;_secret_code.txt;_steaveiwalker@india.com_;aeroware;confirmation.key;contains(to_string($message.file_created), "howrecover+;crjoker.html;cryptinfo.txt;cryptolocker.;cryptopp;de_crypt_readme.;de_crypt_readme.bmp;de_crypt_readme.html;de_crypt_readme.txt;decipher_ne;decrypt-instruct;decrypt explanations.;decrypt my file;decrypt your file;decrypt_Globe;decrypt_instruct;decrypted_files.dat;decryptional;decryptmyfiles;decypt_your_files.html;default32643264.bmp;default432643264.jpg;email-salazar_slytherin10;enc_files.txt;encryptor_raas_readme_liesmich;enigma.hta;enigma_encr.txt;exit.hhr.obleep;fattura_;file0locked;files_are_encrypted.;-filesencrypted;firemail.cc;firstransomware.exe;gmx.de;hacks.at.sigaint.org;help-file-decrypt.enc;help_decrypt;help_file_;help_instructions.;help_my_files;help_recover;help_recover_instructions;help_restore;help_restore_files;help_your_file;helpmeencedfiles;how to decrypt aes files.lnk;how to decrypt;how to get data.txt;how_decrypt.gif;how_recover;how_to_decrypt;how_to_recover;howrecover+ recoveryfile_;howrecover+;howto_recover_file;howto_restore;howtodecrypt;howtodecryptaesfiles.txt;inbox.ru;info@kraken.cc_worldcza@email.cz;install_tor;iran.ir;last_chance.txt;maestro@pizzacrypts.info;maxcrypt.bmp;only-we_can-help_you;openforyou@india.com;opensourcemail.org;padcrypt;paycrypt.bmp;popcorn_time.exe;powerfulldecrypt;protonmail.ch;qbmail.biz;randomname;readme_decrypt;readme_for_decrypt;readme_liesmich_encryptor_raas;recover_file;recover_file_;recover_instruction;recoverfile;recoverfile_;recovery+;recovery_file.txt;recovery_key.txt;recoveryfile;recover}-;restore_files.txt;restorefiles;restorefiles_;ryukreadme.html;tuta.io;tutanota.com;tutanota.de;unCrypte;vault.hta;vault.key;vault.txt;want your files back.;warning-!!;wie_zum_Wiederherstellen_von_Dateien.txt;wowreadfordecryp;wowwhereismyfiles;zXz.html;zycrypt.;zzzzzzzzzzzzzzzzzyyy</TargetFilename>
 				<TargetFilename condition="excludes all">C:\Users\;\Google\Chrome Beta\User Data\;\IndexedDB\</TargetFilename>
 				<TargetFilename condition="excludes any">C:\Program Files\WindowsApps\Microsoft.YourPhone_;C:\Program Files\dotnet\shared\Microsoft.NETCore.App\;\Microsoft.NET\assembly\GAC_MSIL</TargetFilename>
-				<TargetFilename condition="excludes any">\System.Security.Cryptography</TargetFilename>
-				<Image condition="excludes any">Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" groupRelation="and">
 				<TargetFilename condition="contains">crackmapexec</TargetFilename>
@@ -5696,7 +5674,6 @@
 			</Rule>
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
-				<Image condition="excludes any">C:\Windows\System32\WUDFHost.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename>
@@ -5906,7 +5883,6 @@
 			</Rule>
 			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=BIN" groupRelation="and">
 				<TargetFilename condition="end with">.bin</TargetFilename>
-				<Image condition="excludes any">C:\Windows\System32\WUDFHost.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=CAB Archive" groupRelation="and">
 				<TargetFilename condition="end with">.cab</TargetFilename>
@@ -6756,10 +6732,10 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CIA Vault7: https://wikileaks.org/ciav7p1/cms/page_16384212.html" groupRelation="and">
 				<TargetFilename condition="contains">.mht</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1176,Technique=Browser Extensions,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Chrome Extensions" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Chrome Extensions" groupRelation="and">
 				<TargetFilename condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1176,Technique=Browser Extensions,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Chrome extension auditing" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Chrome extension" groupRelation="and">
 				<TargetFilename condition="end with">.crx</TargetFilename>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=ClickOnce extension" groupRelation="and">
@@ -6889,7 +6865,7 @@
 				<TargetFilename condition="contains">Temp\Temp1_</TargetFilename>
 			</Rule>
 			<!--Uncategorized-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=DotNet UsageLogs" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
 				<TargetFilename condition="contains all">\Microsoft\;CLR_v;\UsageLogs\</TargetFilename>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
@@ -7126,16 +7102,11 @@
 			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
 
 			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<Rule name="Attack=T1176,Technique=Browser Extensions,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Old Chrome Extension auditing" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Chrome Extension auditing" groupRelation="and">
 				<TargetObject condition="contains">Google\Chrome\Extensions</TargetObject>
 				<TargetObject condition="end with">update_url</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
-			<Rule name="Attack=T1176,Technique=Browser Extensions,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Chrome Extension auditing" groupRelation="and">
-				<TargetObject condition="contains">Google\Chrome</TargetObject>
-				<TargetObject condition="contains">extensions.settings</TargetObject>
-				<EventType condition="is">SetValue</EventType>
-			</Rule>								  
 			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Forced password reset detected" groupRelation="and">
 				<TargetObject condition="contains">ForcePasswordReset</TargetObject>
@@ -7170,9 +7141,6 @@
 				<EventType condition="is">SetValue</EventType>
 				<TargetObject condition="contains">\CurrentVersion\Run\</TargetObject>
 				<Image condition="excludes any">C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe;\AppData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
-				<Details condition="excludes all">C:\Program Files\Google\Drive File Stream;\GoogleDriveFS.exe;startup_mode</Details>
-				<Details condition="excludes all">C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;no-startup-window;win-session-start;prefetch</Details>
-				<Details condition="excludes all">\Application\chrome.exe;no-startup-window;win-session-start;prefetch</Details>
 			</Rule>
 			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Logon Logoff Shutdown Scripts" groupRelation="and">
 				<TargetObject condition="contains">\Microsoft\System\Scripts</TargetObject>
@@ -7465,7 +7433,7 @@
 				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\SnapshotCleanupTask\SD</TargetObject>
 				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office ClickToRun Service Monitor\SD</TargetObject>
 				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Automatic Updates 2.0\SD</TargetObject>
-				<TargetObject condition="excludes any">Microsoft\Windows\UpdateOrchestrator;\AMDInstallLauncher\SD;\SD;ASUS Switch;\PowerToys\Autorun for </TargetObject>
+				<TargetObject condition="excludes">Microsoft\Windows\UpdateOrchestrator</TargetObject>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Creation ID Key" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
@@ -7667,7 +7635,6 @@
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
 				<TargetObject condition="end with">\Enabled</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
-				<Image condition="excludes">C:\WINDOWS\system32\DrvInst.exe</Image> <!--Common Driver Installs-->
 			</Rule>
 			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Enabling of Windows Event Log Source" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
@@ -8335,10 +8302,10 @@
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
 			</Rule>
 			<!--DLLs that get injected into every process launch-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Monitoring: DLLs that get injected into every process launch" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Monitoring: DLLs that get injected into every process launch" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
 			</Rule>
 			<!--Office-->
@@ -8550,9 +8517,6 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Office Information" groupRelation="and">
 				<TargetObject condition="contains any">Root\InventoryMiscellaneousOfficeAddIn;Root\InventoryMiscellaneousOfficeIdentifiers;Root\InventoryMiscellaneousOfficeIESettings;Root\InventoryMiscellaneousOfficeInsights;Root\InventoryMiscellaneousOfficeProducts;Root\InventoryMiscellaneousOfficeSettings;Root\InventoryMiscellaneousOfficeVBA;Root\InventoryMiscellaneousOfficeVBARuleViolations</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Registry Hive List" groupRelation="and">
-				<TargetObject condition="contains">\Control\hivelist</TargetObject>
-			</Rule>
 			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=ISO Drive Mounted" groupRelation="and">
 				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume</TargetObject>
 				<TargetObject condition="end with">Drive Type</TargetObject>
@@ -8807,10 +8771,10 @@
 			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Potential Ransomware Indicator: REvil Sodinokibi Sodin Ransomware,Risk=100" groupRelation="and">
 				<TargetObject condition="contains">Software\recfg</TargetObject>
 			</Rule>
-			<Rule name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Suspicious Keyboard Layout Load" groupRelation="and">
+			<Rule name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Keyboard Layout Load" groupRelation="and">
 				<TargetObject condition="contains">\Keyboard Layout\Preload\</TargetObject>
 			</Rule>
-			<Rule name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Suspicious Keyboard Layout Load" groupRelation="and">
+			<Rule name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Keyboard Layout Load" groupRelation="and">
 				<TargetObject condition="contains">\Keyboard Layout\Substitutes\</TargetObject>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" groupRelation="and">
@@ -8861,21 +8825,6 @@
 				<Image condition="begin with">C:\Program Files (x86)\ESET</Image>
 				<Image condition="begin with">C:\Program Files\ESET</Image>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Browser Helper Object Contacted Domains" groupRelation="and">
-				<TargetObject condition="end with">\EnableBHO</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Printer Port Changes,CVE=CVE-2020-1048" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports</TargetObject> <!--Microsoft:Windows: Printer port changes as used in CVE-2020-1048 [ https://windows-internals.com/printdemon-cve-2020-1048/ ] -->
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=PrintNightmare Coverage,Author=Florian Roth" groupRelation="and">
-				<TargetObject condition="contains">Control\Print\Environments\Windows x64\Drivers</TargetObject> <!-- PrinterNightmare coverage -->
-			</Rule>
-			<Rule name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=NGenAssemblyUsageLog Tampering Detected" groupRelation="and">
-				<TargetObject condition="contains all">\Microsoft\.NETFramework;NGenAssemblyUsageLog</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=Winget admin settings Tampering Detected" groupRelation="and">
-				<TargetObject condition="contains all">\REGISTRY\A\;LocalState\admin_settings</TargetObject>
-			</Rule>
 		</RegistryEvent>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
@@ -8902,7 +8851,7 @@
 				<Hash condition="contains">SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e</Hash><!--Exchange Zero Day Dropped DLL-->
 			</Rule>
 			<Rule name="Attack=T1096,Technique=Alternate Data Streams,Tactic=Defense Evasion,DS=File: File Metadata,Level=0,Desc=Alternate Data Streams,Risk=10" groupRelation="and">
-				<TargetFilename condition="contains any">Startup;Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf</TargetFilename>
+				<TargetFilename condition="contains any">Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=File: File Metadata,Level=4,Alert=SysmonEnte Detection,DS=File: File Metadata,Level=4,Risk=100" groupRelation="and">
 				<Hash condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hash>
@@ -9675,18 +9624,13 @@
 	</RuleGroup>
 	<!-- SYSMON EVENT ID 29 : File Executable Detected -->
 	<!--Fields: ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes -->
-	<!-- Key Authors in this section are Florian Roth as a majority Contributer from: https://github.com/Neo23x0/sysmon-config/blob/master/sysmonconfig-export.xml -->
 	<RuleGroup name="RG=FileExecutable Includes" groupRelation="or">
 		<FileExecutableDetected onmatch="include">
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Exe created within Downloads Folder,Risk=10" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Users\</TargetFilename>
 				<TargetFilename condition="contains">\Downloads</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,DS=Process: Process Creation,Level=0,Alert=Executed files within Outlook Attachments,Risk=30" groupRelation="and">
-				<Image condition="begin with">C:\Users\</Image>
-				<Image condition="contains">Content.Outlook</Image>
-			</Rule>
-			<Rule name="Attack=T1036.008,Technique=Masquerading: Masquerade File Type,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=PE File Detected under Unusual File extension,Risk=10" groupRelation="and">
+			<Rule name="Attack=T1036.008,Technique=Masquerading: Masquerade File Type,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=PE File Detected under Unusual File extension,Risk=10" groupRelation="or">
 				<TargetFilename condition="not end with">.exe</TargetFilename>
 				<TargetFilename condition="not end with">.dll</TargetFilename>
 				<TargetFilename condition="not end with">.sys</TargetFilename>
@@ -9702,1021 +9646,6 @@
 				<TargetFilename condition="not end with">.ime</TargetFilename>
 				<TargetFilename condition="not end with">.tsp</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=,Risk=10,Alert=Powershell Creating Executables" groupRelation="and">
-				<Image condition="is any">powershell.exe;powershell_ise.exe;pwsh.exe;Sqlps.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059.003,Technique=Command and Scripting Interpreter: Windows Command Shell,Tactic=Execution,DS=File: File Creation,Level=0,Alert=Command or consolehost Anomaly,Risk=10" groupRelation="and">
-				<Image condition="is any">cmd.exe;conhost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Pe File Detected within Unusual Location,Risk=10,Author=Florian Roth" groupRelation="or">
-				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename> <!-- often used staging directories; could cause false positives --> 
-				<TargetFilename condition="begin with">C:\Perflogs\</TargetFilename> <!-- often used staging directories --> 
-				<TargetFilename condition="begin with">C:\Windows\Fonts\</TargetFilename> <!-- often used staging directories --> 
-				<TargetFilename condition="begin with">C:\Windows\debug\</TargetFilename> <!-- often used staging directories --> 
-				<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!-- often used staging directories --> 
-				<TargetFilename condition="begin with">C:\Windows\tracing\</TargetFilename> <!-- often used staging directories --> 
-				<TargetFilename condition="begin with">C:\Windows\Help\</TargetFilename> <!-- often used staging directories --> 
-				<TargetFilename condition="begin with">C:\Windows\Logs\</TargetFilename> <!-- often used staging directories --> 
-				<TargetFilename condition="begin with">C:\Windows\System32\spool\SERVERS\</TargetFilename> <!-- often used in exploits against print spooler --> 
-				<TargetFilename condition="begin with">C:\Windows\System32\spool\PRINTERS\</TargetFilename> <!-- often used in exploits against print spooler --> 
-				<TargetFilename condition="begin with">C:\Windows\Help\</TargetFilename> <!-- often used staging directories --> 
-				<TargetFilename condition="begin with">C:\Windows\SysWOW64\Tasks</TargetFilename>
-				<TargetFilename condition="begin with">C:\ProgramData\Intel</TargetFilename>
-				<TargetFilename condition="begin with">C:\ProgramData\Mozilla</TargetFilename>
-				<TargetFilename condition="begin with">C:\ProgramData\chocolatey\</TargetFilename>
-				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\DeviceSync</TargetFilename>
-				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\PlayReady</TargetFilename>
-				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\User Account Pictures</TargetFilename>
-				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\Office\Heartbeat</TargetFilename>
-				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\Windows\WER</TargetFilename>
-				<TargetFilename condition="contains all">C:\Users\All Users\</TargetFilename> <!-- often used staging directories in User folders --> 
-				<TargetFilename condition="contains all">C:\Users\;\Music\</TargetFilename> <!-- often used staging directories in User folders --> 
-				<TargetFilename condition="contains all">C:\Users\;\Pictures\</TargetFilename> <!-- often used staging directories in User folders --> 
-				<TargetFilename condition="contains all">C:\Users\;\Videos\</TargetFilename> <!-- often used staging directories in User folders --> 
-				<TargetFilename condition="contains all">C:\Users\;\Contacts\</TargetFilename> <!-- often used staging directories in User folders -->
-			</Rule>
-			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Double File Extension Detected,Risk=10,Author=Florian Roth" groupRelation="or">
-				<TargetFilename condition="end with">.7z.exe</TargetFilename>
-				<TargetFilename condition="end with">.doc.exe</TargetFilename>
-				<TargetFilename condition="end with">.docm.exe</TargetFilename>
-				<TargetFilename condition="end with">.docx.exe</TargetFilename>
-				<TargetFilename condition="end with">.htm.exe</TargetFilename>
-				<TargetFilename condition="end with">.html.exe</TargetFilename>
-				<TargetFilename condition="end with">.iso.exe</TargetFilename>
-				<TargetFilename condition="end with">.lnk.exe</TargetFilename>				
-				<TargetFilename condition="end with">.pdf.exe</TargetFilename>
-				<TargetFilename condition="end with">.ppt.exe</TargetFilename>
-				<TargetFilename condition="end with">.pptx.exe</TargetFilename>
-				<TargetFilename condition="end with">.rar.exe</TargetFilename>
-				<TargetFilename condition="end with">.rtf.exe</TargetFilename>
-				<TargetFilename condition="end with">.txt.exe</TargetFilename>
-				<TargetFilename condition="end with">.xls.exe</TargetFilename>
-				<TargetFilename condition="end with">.xlsm.exe</TargetFilename>
-				<TargetFilename condition="end with">.xlsx.exe</TargetFilename>
-				<TargetFilename condition="end with">.zip.exe</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Sysmon Tampering Tools Detected,Risk=10,Author=Florian Roth" groupRelation="or">
-				<TargetFilename condition="end with">\EntenLoader.exe</TargetFilename>
-				<TargetFilename condition="end with">\SysmonQuiet.exe</TargetFilename>
-				<TargetFilename condition="end with">\SharpEvtMute.exe</TargetFilename>
-				<TargetFilename condition="end with">\EvtMuteHook.dll</TargetFilename>
-				<TargetFilename condition="end with">\SysmonEOP.exe</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Sysmon Tampering Tools Detected,Risk=10,Author=Florian Roth" groupRelation="or">
-				<Hashes condition="contains">IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932</Hashes> <!-- PetitPotam -->
-				<Hashes condition="contains">IMPHASH=3A19059BD7688CB88E70005F18EFC439</Hashes> <!-- PetitPotam -->
-				<Hashes condition="contains">IMPHASH=bf6223a49e45d99094406777eb6004ba</Hashes> <!-- PetitPotam -->
-				<Hashes condition="contains">IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=4C1B52A19748428E51B14C278D0F58E3</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=672B13F4A0B6F27D29065123FE882DFC</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=9528A0E91E28FBB88AD433FEABCA2456</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=D21BBC50DCC169D7B4D0F01962793154</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1</Hashes> <!-- JuicyPotato  -->
-				<Hashes condition="contains">IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC</Hashes> <!-- JuicyPotato  -->
-				<Hashes condition="contains">IMPHASH=F9A28C458284584A93B14216308D31BD</Hashes> <!-- JuicyPotatoNG -->
-				<Hashes condition="contains">IMPHASH=6118619783FC175BC7EBECFF0769B46E</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=563233BFA169ACC7892451F71AD5850A</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=87575CB7A0E0700EB37F2E3668671A08</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=13F08707F759AF6003837A150A371BA1</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=1781F06048A7E58B323F0B9259BE798B</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=713C29B396B907ED71A72482759ED757</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=8B114550386E31895DFAB371E741123D</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793</Hashes> <!-- PwDumpX -->
-				<Hashes condition="contains">IMPHASH=9D68781980370E00E0BD939EE5E6C141</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=B18A1401FF8F444056D29450FBC0A6CE</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=CB567F9498452721D77A451374955F5F</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=730073214094CD328547BF1F72289752</Hashes> <!-- Htran -->
-				<Hashes condition="contains">IMPHASH=17B461A082950FC6332228572138B80C</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=819B19D53CA6736448F9325A85736792</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74</Hashes> <!-- PPLDump -->
-				<Hashes condition="contains">IMPHASH=0588081AB0E63BA785938467E1B10CCA</Hashes> <!-- PPLDump -->
-				<Hashes condition="contains">IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=4DA924CF622D039D58BCE71CDF05D242</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=E7A3A5C377E2D29324093377D7DB1C66</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=E6F9D5152DA699934B30DAAB206471F6</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=3AD59991CCF1D67339B319B15A41B35D</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=FFDD59E0318B85A3E480874D9796D872</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=0CF479628D7CC1EA25EC7998A92F5051</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=D6D0F80386E1380D05CB78E871BC72B1</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=38D9E015591BBFD4929E0D0F47FA0055</Hashes> <!-- HandleKatz -->
-				<Hashes condition="contains">IMPHASH=0E2216679CA6E1094D63322E3412D650</Hashes> <!-- HandleKatz -->
-				<Hashes condition="contains">IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=11083E75553BAAE21DC89CE8F9A195E4</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F</Hashes> <!-- CreateMiniDump -->
-				<Hashes condition="contains">IMPHASH=767637C23BB42CD5D7397CF58B0BE688</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=14C4E4C72BA075E9069EE67F39188AD8</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=7D010C6BB6A3726F327F7E239166D127</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=89159BA4DD04E4CE5559F132A9964EB3</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=5834ED4291BDEB928270428EBBAF7604</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=3DE09703C8E79ED2CA3F01074719906B</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F</Hashes> <!-- WCE -->
-				<Hashes condition="contains">IMPHASH=E96A73C7BF33A464C510EDE582318BF2</Hashes> <!-- WCE -->
-				<Hashes condition="contains">IMPHASH=32089B8851BBF8BC2D014E9F37288C83</Hashes> <!-- Sliver Stagers -->
-				<Hashes condition="contains">IMPHASH=09D278F9DE118EF09163C6140255C690</Hashes> <!-- Dumpert -->
-				<Hashes condition="contains">IMPHASH=03866661686829d806989e2fc5a72606</Hashes> <!-- Dumpert -->
-				<Hashes condition="contains">IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d</Hashes> <!-- Dumpert -->
-				<Hashes condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hashes> <!-- SysmonEnte -->
-				<Hashes condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hashes> <!-- SysmonQuiet -->
-				<Hashes condition="contains">IMPHASH=330768A4F172E10ACB6287B87289D83B</Hashes> <!-- ShaprEvtMute Hook -->
-				<Hashes condition="contains">IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313</Hashes> <!-- Forkatz -->
-				<Hashes condition="contains">IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC</Hashes> <!-- PPLKiller -->
-				<Hashes condition="contains">IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28</Hashes> <!-- PPLKiller -->
-				<Hashes condition="contains">IMPHASH=96DF3A3731912449521F6F8D183279B1</Hashes> <!-- Backstab -->
-				<Hashes condition="contains">IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46</Hashes> <!-- Backstab -->
-				<Hashes condition="contains">IMPHASH=51791678F351C03A0EB4E2A7B05C6E17</Hashes> <!-- Backstab -->
-				<Hashes condition="contains">IMPHASH=25CE42B079282632708FC846129E98A5</Hashes> <!-- Forensia -->
-				<Hashes condition="contains">MD5=7B17F15713FCF13C764535AA2BDF52AA</Hashes>													<!-- ShaprEvtMute -->
-				<Hashes condition="contains">SHA1=4E18320493042BCD7D21B53E258974BC460ACC78</Hashes>										<!-- ShaprEvtMute -->
-				<Hashes condition="contains">SHA256=477DFE485F5BD9540CC83E88FC04AAFB6DE49CF1ADC6BD857D5D6F4C1730A6D1</Hashes>	<!-- ShaprEvtMute -->
-			</Rule>
-			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Microsoft Office Dropping Executables,Risk=10,Author=Florian Roth" groupRelation="or">
-				<Image condition="image">winword.exe</Image>
-				<Image condition="image">excel.exe</Image>
-				<Image condition="image">powerpnt.exe</Image>
-				<Image condition="image">msaccess.exe</Image>
-				<Image condition="image">mspub.exe</Image>
-				<Image condition="image">eqnedt32.exe</Image>
-				<Image condition="image">visio.exe</Image>
-				<Image condition="image">wordpad.exe</Image>
-				<Image condition="image">wordview.exe</Image>
-				<Image condition="image">msohtmed.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=OneNote Dropping Executables,Risk=10,Author=Florian Roth" groupRelation="or">
-				<Image condition="image">onenote.exe</Image>
-				<Image condition="image">onenotem.exe</Image>
-				<Image condition="image">onenoteim.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=LOLBin Dropping Executables,Risk=10,Author=Florian Roth" groupRelation="or">
-				<!-- LOLBINs that can be used to download executables -->
-				<Image condition="image">certutil.exe</Image>
-				<Image condition="image">certoc.exe</Image>
-				<Image condition="image">CertReq.exe</Image>
-				<!-- <Image condition="image">bitsadmin.exe</Image> (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env) -->
-				<Image condition="image">Desktopimgdownldr.exe</Image>
-				<Image condition="image">esentutl.exe</Image>
-				<!-- <Image condition="image">expand.exe</Image> (depends on the environment; comment in if you're sure that expand doesn't do that in your env) -->
-				<Image condition="image">finger.exe</Image>
-				<!-- Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)-->
-				<Image condition="image">notepad.exe</Image>
-				<Image condition="image">AcroRd32.exe</Image>
-				<Image condition="image">RdrCEF.exe</Image> <!-- RdrCEF was seen dropping a DLL in temp (Example: \AppData\Local\Temp\acrocef_low\4616_1623006624_platform_specific\win_x86\widevinecdm.dll). Comment out this entry if you experience issues (https://github.com/Neo23x0/sysmon-config/issues/43) -->
-				<Image condition="image">calc.exe</Image>
-				<Image condition="image">mspaint.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.01,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Compiled HTML File Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">hh.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.002,Technique=System Binary Proxy Execution: Control Panel,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Control Panel Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">control.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.003,Technique=System Binary Proxy Execution: CMSTP,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=CMSTP Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">CMSTP.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.004,Technique=System Binary Proxy Execution: InstallUtil,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=InstallUtil Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">installutil.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.005,Technique=System Binary Proxy Execution: Mshta,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=MSHTA Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">mshta.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.007,Technique=System Binary Proxy Execution: MSIExec,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=MSIExec Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">msiexec.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.008,Technique=System Binary Proxy Execution: Odbcconf,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Odbcconf Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">Odbcconf.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.009,Technique=System Binary Proxy Execution: Regsvcs/Regasm,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Regsvcs/Regasm Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="contains any">Regsvcs.exe;Regasm.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.010,Technique=System Binary Proxy Execution: Regsvr32,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Regsvr32 Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">regsvr32.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=System Binary Proxy Execution: Rundll32,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Rundll32 Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">Rundll32.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.012,Technique=System Binary Proxy Execution: Verclsid,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Verclsid Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">Verclsid.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.013,Technique=System Binary Proxy Execution: mavinject,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Mavinject Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="contains any">mavinject.exe;mavinject64.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.014,Technique=System Binary Proxy Execution: MMC,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=MMC Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">mmc.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Other LOLBins Dropping Executables,Risk=10" groupRelation="or">
-				<Image condition="contains any">Appvlp.exe;InfDefaultInstall.EXE;PresentationHost.exe;Register-cimprovider.exe;RegisterCimProvider2.exe;RegisterCimProvider.exe;ScriptRunner.exe;appcmd.exe;csi.exe;devtoolslauncher.exe;diskshadow.exe;extexport.exe;jjs.exe;msconfig.EXE;msdt.exe;rasautou.exe;rasdlui.exe;replace.exe;tttracer.exe;wab.exe;wsreset.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=File: File Creation,Level=4,Alert=Vulnerable Driver Detected,Risk=10,Author=Florian Roth" groupRelation="or">
-			    <Hashes condition="contains">SHA256=7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed</Hashes>
-                <Hashes condition="contains">SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb</Hashes>
-                <Hashes condition="contains">SHA256=0ae8d1dd56a8a000ced74a627052933d2e9bff31d251de185b3c0c5fc94a44db</Hashes>
-                <Hashes condition="contains">SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05</Hashes>
-                <Hashes condition="contains">SHA256=0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d</Hashes>
-                <Hashes condition="contains">SHA256=0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917</Hashes>
-                <Hashes condition="contains">SHA256=0bc3685b0b8adc97931b5d31348da235cd7581a67edf6d79913e6a5709866135</Hashes>
-                <Hashes condition="contains">SHA256=0be4912bfd7a79f6ebfa1c06a59f0fb402bd4fe0158265780509edd0e562eac1</Hashes>
-                <Hashes condition="contains">SHA256=0c512b615eac374d4d494e3c36838d8e788b3dc2691bf27916f7f42694b14467</Hashes>
-                <Hashes condition="contains">SHA256=0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c</Hashes>
-                <Hashes condition="contains">SHA256=0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c</Hashes>
-                <Hashes condition="contains">SHA256=0cf6c6c2d231eaf67dfc87561cc9a56ecef89ab50baafee5a67962748d51faf3</Hashes>
-                <Hashes condition="contains">SHA256=0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f</Hashes>
-                <Hashes condition="contains">SHA256=0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c</Hashes>
-                <Hashes condition="contains">SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8</Hashes>
-                <Hashes condition="contains">SHA256=0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b</Hashes>
-                <Hashes condition="contains">SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff</Hashes>
-                <Hashes condition="contains">SHA256=0ee5067ce48883701824c5b1ad91695998916a3702cf8086962fbe58af74b2d6</Hashes>
-                <Hashes condition="contains">SHA256=0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8</Hashes>
-                <Hashes condition="contains">SHA256=0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf</Hashes>
-                <Hashes condition="contains">SHA256=0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff</Hashes>
-                <Hashes condition="contains">SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670</Hashes>
-                <Hashes condition="contains">SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd</Hashes>
-                <Hashes condition="contains">SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece</Hashes>
-                <Hashes condition="contains">SHA256=1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5</Hashes>
-                <Hashes condition="contains">SHA256=1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0</Hashes>
-                <Hashes condition="contains">SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c</Hashes>
-                <Hashes condition="contains">SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b</Hashes>
-                <Hashes condition="contains">SHA256=1afa03118f87b62c59a97617e595ebb26dde8dbdd16ee47ef3ddd1097c30ef6a</Hashes>
-                <Hashes condition="contains">SHA256=1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e</Hashes>
-                <Hashes condition="contains">SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa</Hashes>
-                <Hashes condition="contains">SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a</Hashes>
-                <Hashes condition="contains">SHA256=1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687</Hashes>
-                <Hashes condition="contains">SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8</Hashes>
-                <Hashes condition="contains">SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219</Hashes>
-                <Hashes condition="contains">SHA256=1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe</Hashes>
-                <Hashes condition="contains">SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee</Hashes>
-                <Hashes condition="contains">SHA256=1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961</Hashes>
-                <Hashes condition="contains">SHA256=1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512</Hashes>
-                <Hashes condition="contains">SHA256=1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c</Hashes>
-                <Hashes condition="contains">SHA256=1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501</Hashes>
-                <Hashes condition="contains">SHA256=2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486</Hashes>
-                <Hashes condition="contains">SHA256=2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e</Hashes>
-                <Hashes condition="contains">SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a</Hashes>
-                <Hashes condition="contains">SHA256=2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8</Hashes>
-                <Hashes condition="contains">SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4</Hashes>
-                <Hashes condition="contains">SHA256=2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30</Hashes>
-                <Hashes condition="contains">SHA256=2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a</Hashes>
-                <Hashes condition="contains">SHA256=2b120de80a5462f8395cfb7153c86dfd44f29f0776ea156ec4a34fa64e5c4797</Hashes>
-                <Hashes condition="contains">SHA256=2b186926ed815d87eaf72759a69095a11274f5d13c33b8cc2b8700a1f020be1d</Hashes>
-                <Hashes condition="contains">SHA256=2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1</Hashes>
-                <Hashes condition="contains">SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250</Hashes>
-                <Hashes condition="contains">SHA256=2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14</Hashes>
-                <Hashes condition="contains">SHA256=2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1</Hashes>
-                <Hashes condition="contains">SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b</Hashes>
-                <Hashes condition="contains">SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d</Hashes>
-                <Hashes condition="contains">SHA256=2d195cd4400754cc6f6c3f8ab1fe31627932c3c1bf8d5d0507c292232d1a2396</Hashes>
-                <Hashes condition="contains">SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e</Hashes>
-                <Hashes condition="contains">SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8</Hashes>
-                <Hashes condition="contains">SHA256=2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0</Hashes>
-                <Hashes condition="contains">SHA256=2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e</Hashes>
-                <Hashes condition="contains">SHA256=2f60536b25ba8c9014e4a57d7a9a681bd3189fa414eea88c256d029750e15cae</Hashes>
-                <Hashes condition="contains">SHA256=2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445</Hashes>
-                <Hashes condition="contains">SHA256=03e0581432f5c8cc727a8aa387f5b69ff84d38d0df6f1226c19c6e960a81e1e9</Hashes>
-                <Hashes condition="contains">SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25</Hashes>
-                <Hashes condition="contains">SHA256=3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0</Hashes>
-                <Hashes condition="contains">SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e</Hashes>
-                <Hashes condition="contains">SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46</Hashes>
-                <Hashes condition="contains">SHA256=3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b</Hashes>
-                <Hashes condition="contains">SHA256=3c5d7069f85ec1d6f58147431f88c4d7c48df73baf94ffdefd664f2606baf09c</Hashes>
-                <Hashes condition="contains">SHA256=3c6f9917418e991ed41540d8d882c8ca51d582a82fd01bff6cdf26591454faf5</Hashes>
-                <Hashes condition="contains">SHA256=3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc</Hashes>
-                <Hashes condition="contains">SHA256=3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b</Hashes>
-                <Hashes condition="contains">SHA256=3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f</Hashes>
-                <Hashes condition="contains">SHA256=3cb75429944e60f6c820c7638adbf688883ad44951bca3f8912428afe72bc134</Hashes>
-                <Hashes condition="contains">SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3</Hashes>
-                <Hashes condition="contains">SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4</Hashes>
-                <Hashes condition="contains">SHA256=3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272</Hashes>
-                <Hashes condition="contains">SHA256=3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf</Hashes>
-                <Hashes condition="contains">SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c</Hashes>
-                <Hashes condition="contains">SHA256=3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75</Hashes>
-                <Hashes condition="contains">SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8</Hashes>
-                <Hashes condition="contains">SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5</Hashes>
-                <Hashes condition="contains">SHA256=3f9530c94b689f39cc83377d76979d443275012e022782a600dcb5cad4cca6aa</Hashes>
-                <Hashes condition="contains">SHA256=3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e</Hashes>
-                <Hashes condition="contains">SHA256=3ff50c67d51553c08dcb7c98342f68a0f54ad6658c5346c428bdcd1f185569f6</Hashes>
-                <Hashes condition="contains">SHA256=3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa</Hashes>
-                <Hashes condition="contains">SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162</Hashes>
-                <Hashes condition="contains">SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2</Hashes>
-                <Hashes condition="contains">SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe</Hashes>
-                <Hashes condition="contains">SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7</Hashes>
-                <Hashes condition="contains">SHA256=4b4c925c3b8285aeeab9b954e8b2a0773b4d2d0e18d07d4a9d268f4be90f6cae</Hashes>
-                <Hashes condition="contains">SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1</Hashes>
-                <Hashes condition="contains">SHA256=4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4</Hashes>
-                <Hashes condition="contains">SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e</Hashes>
-                <Hashes condition="contains">SHA256=4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036</Hashes>
-                <Hashes condition="contains">SHA256=4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee</Hashes>
-                <Hashes condition="contains">SHA256=4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba</Hashes>
-                <Hashes condition="contains">SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80</Hashes>
-                <Hashes condition="contains">SHA256=4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69</Hashes>
-                <Hashes condition="contains">SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748</Hashes>
-                <Hashes condition="contains">SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a</Hashes>
-                <Hashes condition="contains">SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a</Hashes>
-                <Hashes condition="contains">SHA256=5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe</Hashes>
-                <Hashes condition="contains">SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a</Hashes>
-                <Hashes condition="contains">SHA256=5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c</Hashes>
-                <Hashes condition="contains">SHA256=5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921</Hashes>
-                <Hashes condition="contains">SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a</Hashes>
-                <Hashes condition="contains">SHA256=5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185</Hashes>
-                <Hashes condition="contains">SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3</Hashes>
-                <Hashes condition="contains">SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92</Hashes>
-                <Hashes condition="contains">SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be</Hashes>
-                <Hashes condition="contains">SHA256=5f7e47d728ac3301eb47b409801a0f4726a435f78f1ed02c30d2a926259c71f3</Hashes>
-                <Hashes condition="contains">SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683</Hashes>
-                <Hashes condition="contains">SHA256=5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0</Hashes>
-                <Hashes condition="contains">SHA256=5f20541f859f21b3106e12d37182b1ea39bb75ffcfcddb2ece4f6edd42c0bab2</Hashes>
-                <Hashes condition="contains">SHA256=5f487829527802983d5c120e3b99f3cf89333ca14f5e49ac32df0798cfb1f7aa</Hashes>
-                <Hashes condition="contains">SHA256=5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36</Hashes>
-                <Hashes condition="contains">SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50</Hashes>
-                <Hashes condition="contains">SHA256=6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5</Hashes>
-                <Hashes condition="contains">SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74</Hashes>
-                <Hashes condition="contains">SHA256=6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63</Hashes>
-                <Hashes condition="contains">SHA256=6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e</Hashes>
-                <Hashes condition="contains">SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44</Hashes>
-                <Hashes condition="contains">SHA256=6c64688444d3e004da77dcfb769d064bb38afceeef7ff915dfc71e60e19ff18a</Hashes>
-                <Hashes condition="contains">SHA256=6cb6e23ba516570bbd158c32f7c7c99f19b24ca4437340ecb39253662afe4293</Hashes>
-                <Hashes condition="contains">SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc</Hashes>
-                <Hashes condition="contains">SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492</Hashes>
-                <Hashes condition="contains">SHA256=6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf</Hashes>
-                <Hashes condition="contains">SHA256=6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7</Hashes>
-                <Hashes condition="contains">SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7</Hashes>
-                <Hashes condition="contains">SHA256=6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38</Hashes>
-                <Hashes condition="contains">SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4</Hashes>
-                <Hashes condition="contains">SHA256=6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c</Hashes>
-                <Hashes condition="contains">SHA256=6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d</Hashes>
-                <Hashes condition="contains">SHA256=6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc</Hashes>
-                <Hashes condition="contains">SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357</Hashes>
-                <Hashes condition="contains">SHA256=7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf</Hashes>
-                <Hashes condition="contains">SHA256=7aaf2aa194b936e48bc90f01ee854768c8383c0be50cfb41b346666aec0cf853</Hashes>
-                <Hashes condition="contains">SHA256=7b0f442ac0bb183906700097d65aed0b4b9d8678f9a01aca864854189fe368e7</Hashes>
-                <Hashes condition="contains">SHA256=7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b</Hashes>
-                <Hashes condition="contains">SHA256=7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7</Hashes>
-                <Hashes condition="contains">SHA256=7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21</Hashes>
-                <Hashes condition="contains">SHA256=7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4</Hashes>
-                <Hashes condition="contains">SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c</Hashes>
-                <Hashes condition="contains">SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f</Hashes>
-                <Hashes condition="contains">SHA256=7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea</Hashes>
-                <Hashes condition="contains">SHA256=7da6113183328d4fddf6937c0c85ef65ba69bfe133b1146193a25bcf6ae1f9dd</Hashes>
-                <Hashes condition="contains">SHA256=7dfc2eb033d2e090540860b8853036f40736d02bd22099ff6cf665a90be659cd</Hashes>
-                <Hashes condition="contains">SHA256=7e3b0b8d3e430074109d85729201d7c34bc5b918c0bcb9f64ce88c5e37e1a456</Hashes>
-                <Hashes condition="contains">SHA256=7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d</Hashes>
-                <Hashes condition="contains">SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7</Hashes>
-                <Hashes condition="contains">SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d</Hashes>
-                <Hashes condition="contains">SHA256=7f5dc63e5742096e4accaca39ae77a2a2142b438c10f97860dee4054b51d3b35</Hashes>
-                <Hashes condition="contains">SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457</Hashes>
-                <Hashes condition="contains">SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa</Hashes>
-                <Hashes condition="contains">SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6</Hashes>
-                <Hashes condition="contains">SHA256=8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2</Hashes>
-                <Hashes condition="contains">SHA256=8bda0108de82ebeae82f43108046c5feb6f042e312fa0115475a9e32274fae59</Hashes>
-                <Hashes condition="contains">SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6</Hashes>
-                <Hashes condition="contains">SHA256=8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9</Hashes>
-                <Hashes condition="contains">SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f</Hashes>
-                <Hashes condition="contains">SHA256=8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775</Hashes>
-                <Hashes condition="contains">SHA256=8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9</Hashes>
-                <Hashes condition="contains">SHA256=8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2</Hashes>
-                <Hashes condition="contains">SHA256=8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126</Hashes>
-                <Hashes condition="contains">SHA256=8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c</Hashes>
-                <Hashes condition="contains">SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f</Hashes>
-                <Hashes condition="contains">SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f</Hashes>
-                <Hashes condition="contains">SHA256=8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00</Hashes>
-                <Hashes condition="contains">SHA256=8f23313adb35782adb0ba97fefbfbb8bbc5fc40ae272e07f6d4629a5305a3fa2</Hashes>
-                <Hashes condition="contains">SHA256=8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a</Hashes>
-                <Hashes condition="contains">SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184</Hashes>
-                <Hashes condition="contains">SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1</Hashes>
-                <Hashes condition="contains">SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e</Hashes>
-                <Hashes condition="contains">SHA256=9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7</Hashes>
-                <Hashes condition="contains">SHA256=9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba</Hashes>
-                <Hashes condition="contains">SHA256=9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c</Hashes>
-                <Hashes condition="contains">SHA256=9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c</Hashes>
-                <Hashes condition="contains">SHA256=9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194</Hashes>
-                <Hashes condition="contains">SHA256=9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285</Hashes>
-                <Hashes condition="contains">SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4</Hashes>
-                <Hashes condition="contains">SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449</Hashes>
-                <Hashes condition="contains">SHA256=9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2</Hashes>
-                <Hashes condition="contains">SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395</Hashes>
-                <Hashes condition="contains">SHA256=9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4</Hashes>
-                <Hashes condition="contains">SHA256=9ee33ffd80611a13779df6286c1e04d3c151f1e2f65e3d664a08997fcd098ef3</Hashes>
-                <Hashes condition="contains">SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5</Hashes>
-                <Hashes condition="contains">SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33</Hashes>
-                <Hashes condition="contains">SHA256=9f1025601d17945c3a47026814bdec353ee363966e62dba7fe2673da5ce50def</Hashes>
-                <Hashes condition="contains">SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374</Hashes>
-                <Hashes condition="contains">SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5</Hashes>
-                <Hashes condition="contains">SHA256=11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b</Hashes>
-                <Hashes condition="contains">SHA256=12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56</Hashes>
-                <Hashes condition="contains">SHA256=14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8</Hashes>
-                <Hashes condition="contains">SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229</Hashes>
-                <Hashes condition="contains">SHA256=15fb486b6b8c2a2f1b067f48fba10c2f164638fe5e6cee618fb84463578ecac9</Hashes>
-                <Hashes condition="contains">SHA256=16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1</Hashes>
-                <Hashes condition="contains">SHA256=18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506</Hashes>
-                <Hashes condition="contains">SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6</Hashes>
-                <Hashes condition="contains">SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0</Hashes>
-                <Hashes condition="contains">SHA256=19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775</Hashes>
-                <Hashes condition="contains">SHA256=19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0</Hashes>
-                <Hashes condition="contains">SHA256=20f11a64bc4548f4edb47e3d3418da0f6d54a83158224b71662a6292bf45b5fb</Hashes>
-                <Hashes condition="contains">SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21</Hashes>
-                <Hashes condition="contains">SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c</Hashes>
-                <Hashes condition="contains">SHA256=23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade</Hashes>
-                <Hashes condition="contains">SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4</Hashes>
-                <Hashes condition="contains">SHA256=26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097</Hashes>
-                <Hashes condition="contains">SHA256=26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43</Hashes>
-                <Hashes condition="contains">SHA256=26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712</Hashes>
-                <Hashes condition="contains">SHA256=27cd05527feb020084a4a76579c125458571da8843cdfc3733211760a11da970</Hashes>
-                <Hashes condition="contains">SHA256=29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6</Hashes>
-                <Hashes condition="contains">SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94</Hashes>
-                <Hashes condition="contains">SHA256=30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb</Hashes>
-                <Hashes condition="contains">SHA256=31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a</Hashes>
-                <Hashes condition="contains">SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427</Hashes>
-                <Hashes condition="contains">SHA256=31f4140c12ac31f5729a8de4dc051d3acd07783564604df831a2a6722c979192</Hashes>
-                <Hashes condition="contains">SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351</Hashes>
-                <Hashes condition="contains">SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993</Hashes>
-                <Hashes condition="contains">SHA256=34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3</Hashes>
-                <Hashes condition="contains">SHA256=34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf</Hashes>
-                <Hashes condition="contains">SHA256=36aafa127736c7226c50061ea065f71e14f64ec60321f705bc52686d24117e0d</Hashes>
-                <Hashes condition="contains">SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb</Hashes>
-                <Hashes condition="contains">SHA256=36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289</Hashes>
-                <Hashes condition="contains">SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9</Hashes>
-                <Hashes condition="contains">SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e</Hashes>
-                <Hashes condition="contains">SHA256=38b3eb8c86201d26353aab625cea672e60c2f66ce6f5e5eda673e8c3478bf305</Hashes>
-                <Hashes condition="contains">SHA256=38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7</Hashes>
-                <Hashes condition="contains">SHA256=38c18db050b0b2b07f657c03db1c9595febae0319c746c3eede677e21cd238b0</Hashes>
-                <Hashes condition="contains">SHA256=38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20</Hashes>
-                <Hashes condition="contains">SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a</Hashes>
-                <Hashes condition="contains">SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e</Hashes>
-                <Hashes condition="contains">SHA256=42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb</Hashes>
-                <Hashes condition="contains">SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f</Hashes>
-                <Hashes condition="contains">SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89</Hashes>
-                <Hashes condition="contains">SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0</Hashes>
-                <Hashes condition="contains">SHA256=45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a</Hashes>
-                <Hashes condition="contains">SHA256=45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26</Hashes>
-                <Hashes condition="contains">SHA256=45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef</Hashes>
-                <Hashes condition="contains">SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84</Hashes>
-                <Hashes condition="contains">SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005</Hashes>
-                <Hashes condition="contains">SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc</Hashes>
-                <Hashes condition="contains">SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810</Hashes>
-                <Hashes condition="contains">SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba</Hashes>
-                <Hashes condition="contains">SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793</Hashes>
-                <Hashes condition="contains">SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f</Hashes>
-                <Hashes condition="contains">SHA256=51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5</Hashes>
-                <Hashes condition="contains">SHA256=53eaefba7e7dca9ab74e385abf18762f9f1aa51594e7f7db5ba612d6c787dd7e</Hashes>
-                <Hashes condition="contains">SHA256=55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9</Hashes>
-                <Hashes condition="contains">SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a</Hashes>
-                <Hashes condition="contains">SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7</Hashes>
-                <Hashes condition="contains">SHA256=57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572</Hashes>
-                <Hashes condition="contains">SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495</Hashes>
-                <Hashes condition="contains">SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59</Hashes>
-                <Hashes condition="contains">SHA256=59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879</Hashes>
-                <Hashes condition="contains">SHA256=60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289</Hashes>
-                <Hashes condition="contains">SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813</Hashes>
-                <Hashes condition="contains">SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0</Hashes>
-                <Hashes condition="contains">SHA256=61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf</Hashes>
-                <Hashes condition="contains">SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8</Hashes>
-                <Hashes condition="contains">SHA256=62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0</Hashes>
-                <Hashes condition="contains">SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57</Hashes>
-                <Hashes condition="contains">SHA256=65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9</Hashes>
-                <Hashes condition="contains">SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890</Hashes>
-                <Hashes condition="contains">SHA256=69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2</Hashes>
-                <Hashes condition="contains">SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009</Hashes>
-                <Hashes condition="contains">SHA256=71ff60722231c7641ad593756108cf6779dbaad21c7b08065fb1d4e225eab14d</Hashes>
-                <Hashes condition="contains">SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1</Hashes>
-                <Hashes condition="contains">SHA256=72c0d2d699d0440db17cb7cbbc06a253eaafd21465f14bb0fed8b85ae73153d1</Hashes>
-                <Hashes condition="contains">SHA256=074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761</Hashes>
-                <Hashes condition="contains">SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4</Hashes>
-                <Hashes condition="contains">SHA256=075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85</Hashes>
-                <Hashes condition="contains">SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184</Hashes>
-                <Hashes condition="contains">SHA256=76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524</Hashes>
-                <Hashes condition="contains">SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303</Hashes>
-                <Hashes condition="contains">SHA256=077aa8ff5e01747723b6d24cc8af460a7a00f30cd3bc80e41cc245ceb8305356</Hashes>
-                <Hashes condition="contains">SHA256=77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9</Hashes>
-                <Hashes condition="contains">SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57</Hashes>
-                <Hashes condition="contains">SHA256=79e87b93fbed84ec09261b3a0145c935f7dfe4d4805edfb563b2f971a0d51463</Hashes>
-                <Hashes condition="contains">SHA256=80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085</Hashes>
-                <Hashes condition="contains">SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3</Hashes>
-                <Hashes condition="contains">SHA256=80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1</Hashes>
-                <Hashes condition="contains">SHA256=81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0</Hashes>
-                <Hashes condition="contains">SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d</Hashes>
-                <Hashes condition="contains">SHA256=82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989</Hashes>
-                <Hashes condition="contains">SHA256=83f7be0a13c1fccf024c31da5c68c0ea1decf4f48fc39d6e4fd324bbe789ae8a</Hashes>
-                <Hashes condition="contains">SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4</Hashes>
-                <Hashes condition="contains">SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4</Hashes>
-                <Hashes condition="contains">SHA256=86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882</Hashes>
-                <Hashes condition="contains">SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219</Hashes>
-                <Hashes condition="contains">SHA256=88df37ede18bea511f1782c1a6c4915690b29591cf2c1bf5f52201fbbb4fa2b9</Hashes>
-                <Hashes condition="contains">SHA256=88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc</Hashes>
-                <Hashes condition="contains">SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be</Hashes>
-                <Hashes condition="contains">SHA256=89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7</Hashes>
-                <Hashes condition="contains">SHA256=092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0</Hashes>
-                <Hashes condition="contains">SHA256=93b266f38c3c3eaab475d81597abbd7cc07943035068bb6fd670dbbe15de0131</Hashes>
-                <Hashes condition="contains">SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63</Hashes>
-                <Hashes condition="contains">SHA256=94be67c319a67de75ebed050d5537cfaa795d72bba52f3d8cf349e7bd075410e</Hashes>
-                <Hashes condition="contains">SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3</Hashes>
-                <Hashes condition="contains">SHA256=97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd</Hashes>
-                <Hashes condition="contains">SHA256=98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb</Hashes>
-                <Hashes condition="contains">SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8</Hashes>
-                <Hashes condition="contains">SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1</Hashes>
-                <Hashes condition="contains">SHA256=119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280</Hashes>
-                <Hashes condition="contains">SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6</Hashes>
-                <Hashes condition="contains">SHA256=133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743</Hashes>
-                <Hashes condition="contains">SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88</Hashes>
-                <Hashes condition="contains">SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980</Hashes>
-                <Hashes condition="contains">SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347</Hashes>
-                <Hashes condition="contains">SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9</Hashes>
-                <Hashes condition="contains">SHA256=263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24</Hashes>
-                <Hashes condition="contains">SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5</Hashes>
-                <Hashes condition="contains">SHA256=316a27e2bdb86222bc7c8af4e5472166b02aec7f3f526901ce939094e5861f6d</Hashes>
-                <Hashes condition="contains">SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69</Hashes>
-                <Hashes condition="contains">SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc</Hashes>
-                <Hashes condition="contains">SHA256=399effe75d32bdab6fa0a6bffe02dbf0a59219d940b654837c3be1c0bd02e9aa</Hashes>
-                <Hashes condition="contains">SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7</Hashes>
-                <Hashes condition="contains">SHA256=453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233</Hashes>
-                <Hashes condition="contains">SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b</Hashes>
-                <Hashes condition="contains">SHA256=0466dac557ee161503f5dfbd3549f81ec760c3d6c7c4363a21a03e7a3f66aca8</Hashes>
-                <Hashes condition="contains">SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a</Hashes>
-                <Hashes condition="contains">SHA256=478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0</Hashes>
-                <Hashes condition="contains">SHA256=496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b</Hashes>
-                <Hashes condition="contains">SHA256=506f953bbb285aeb8af0549eb24f52f3b7af36afe740afa36735bac70573ce28</Hashes>
-                <Hashes condition="contains">SHA256=523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba</Hashes>
-                <Hashes condition="contains">SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd</Hashes>
-                <Hashes condition="contains">SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9</Hashes>
-                <Hashes condition="contains">SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52</Hashes>
-                <Hashes condition="contains">SHA256=592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c</Hashes>
-                <Hashes condition="contains">SHA256=600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0</Hashes>
-                <Hashes condition="contains">SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c</Hashes>
-                <Hashes condition="contains">SHA256=626fae47811450d080d08c3d9fd890aa64bfecdc45eacd42a40850c1833c8763</Hashes>
-                <Hashes condition="contains">SHA256=654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad</Hashes>
-                <Hashes condition="contains">SHA256=673b63b67345773cd6d66f6adcf2c753e2d949232bff818d5bb6e05786538d92</Hashes>
-                <Hashes condition="contains">SHA256=673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b</Hashes>
-                <Hashes condition="contains">SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf</Hashes>
-                <Hashes condition="contains">SHA256=727e8ba66a8ff07bdc778eacb463b65f2d7167a6616ca2f259ea32571cacf8af</Hashes>
-                <Hashes condition="contains">SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd</Hashes>
-                <Hashes condition="contains">SHA256=818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01</Hashes>
-                <Hashes condition="contains">SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba</Hashes>
-                <Hashes condition="contains">SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a</Hashes>
-                <Hashes condition="contains">SHA256=862d0ff27bb086145a33b9261142838651b0d2e1403be321145e197600eb5015</Hashes>
-                <Hashes condition="contains">SHA256=881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461</Hashes>
-                <Hashes condition="contains">SHA256=900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88</Hashes>
-                <Hashes condition="contains">SHA256=904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a</Hashes>
-                <Hashes condition="contains">SHA256=909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880</Hashes>
-                <Hashes condition="contains">SHA256=910aa4685c735d8c07662aa04fafec463185699ad1a0cd1967b892fc33ec6c3c</Hashes>
-                <Hashes condition="contains">SHA256=916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677</Hashes>
-                <Hashes condition="contains">SHA256=923ebbe8111e73d5b8ecc2db10f8ea2629a3264c3a535d01c3c118a3b4c91782</Hashes>
-                <Hashes condition="contains">SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a</Hashes>
-                <Hashes condition="contains">SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9</Hashes>
-                <Hashes condition="contains">SHA256=955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad</Hashes>
-                <Hashes condition="contains">SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7</Hashes>
-                <Hashes condition="contains">SHA256=1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4</Hashes>
-                <Hashes condition="contains">SHA256=1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c</Hashes>
-                <Hashes condition="contains">SHA256=1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1</Hashes>
-                <Hashes condition="contains">SHA256=1766fd66f846d9a21e648d649ad35d1ff94f8ca17a40a9a738444d6b8e07aacb</Hashes>
-                <Hashes condition="contains">SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52</Hashes>
-                <Hashes condition="contains">SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d</Hashes>
-                <Hashes condition="contains">SHA256=2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22</Hashes>
-                <Hashes condition="contains">SHA256=2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109</Hashes>
-                <Hashes condition="contains">SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6</Hashes>
-                <Hashes condition="contains">SHA256=2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f</Hashes>
-                <Hashes condition="contains">SHA256=2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2</Hashes>
-                <Hashes condition="contains">SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5</Hashes>
-                <Hashes condition="contains">SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099</Hashes>
-                <Hashes condition="contains">SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5</Hashes>
-                <Hashes condition="contains">SHA256=3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de</Hashes>
-                <Hashes condition="contains">SHA256=3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a</Hashes>
-                <Hashes condition="contains">SHA256=3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b</Hashes>
-                <Hashes condition="contains">SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3</Hashes>
-                <Hashes condition="contains">SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838</Hashes>
-                <Hashes condition="contains">SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca</Hashes>
-                <Hashes condition="contains">SHA256=4324f3d1e4007f6499a3d0f0102cd92ed9f554332bc0b633305cd7b957ff16c8</Hashes>
-                <Hashes condition="contains">SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b</Hashes>
-                <Hashes condition="contains">SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6</Hashes>
-                <Hashes condition="contains">SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8</Hashes>
-                <Hashes condition="contains">SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8</Hashes>
-                <Hashes condition="contains">SHA256=5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48</Hashes>
-                <Hashes condition="contains">SHA256=5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02</Hashes>
-                <Hashes condition="contains">SHA256=5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b</Hashes>
-                <Hashes condition="contains">SHA256=5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c</Hashes>
-                <Hashes condition="contains">SHA256=6071db01b50c658cf78665c24f1d21f21b4a12d16bfcfaa6813bf6bbc4d0a1e8</Hashes>
-                <Hashes condition="contains">SHA256=6191c20426dd9b131122fb97e45be64a4d6ce98cc583406f38473434636ddedc</Hashes>
-                <Hashes condition="contains">SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf</Hashes>
-                <Hashes condition="contains">SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb</Hashes>
-                <Hashes condition="contains">SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129</Hashes>
-                <Hashes condition="contains">SHA256=7236c8ff33c0e5cfa956778aa7303f1979f3bf709c361399fa1ce101b7e355b8</Hashes>
-                <Hashes condition="contains">SHA256=7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408</Hashes>
-                <Hashes condition="contains">SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca</Hashes>
-                <Hashes condition="contains">SHA256=8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60</Hashes>
-                <Hashes condition="contains">SHA256=8399e5afd8e3e97139dffb1a9fb00db2186321b427f164403282217cab067c38</Hashes>
-                <Hashes condition="contains">SHA256=8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b</Hashes>
-                <Hashes condition="contains">SHA256=8797d9afc7a6bb0933f100a8acbb5d0666ec691779d522ac66c66817155b1c0d</Hashes>
-                <Hashes condition="contains">SHA256=09043c51719d4bf6405c9a7a292bb9bb3bcc782f639b708ddcc4eedb5e5c9ce9</Hashes>
-                <Hashes condition="contains">SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b</Hashes>
-                <Hashes condition="contains">SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6</Hashes>
-                <Hashes condition="contains">SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b</Hashes>
-                <Hashes condition="contains">SHA256=17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca</Hashes>
-                <Hashes condition="contains">SHA256=17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229</Hashes>
-                <Hashes condition="contains">SHA256=18712a063574bfec315d58577dfe413ab45b650e54747d1e18a56c3c7337a12c</Hashes>
-                <Hashes condition="contains">SHA256=19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758</Hashes>
-                <Hashes condition="contains">SHA256=26453afb1f808f64bec87a2532a9361b696c0ed501d6b973a1f1b5ae152a4d40</Hashes>
-                <Hashes condition="contains">SHA256=28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7</Hashes>
-                <Hashes condition="contains">SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab</Hashes>
-                <Hashes condition="contains">SHA256=37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba</Hashes>
-                <Hashes condition="contains">SHA256=40061b30b1243be76d5283cbc8abfe007e148097d4de7337670ff1536c4c7ba1</Hashes>
-                <Hashes condition="contains">SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00</Hashes>
-                <Hashes condition="contains">SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0</Hashes>
-                <Hashes condition="contains">SHA256=49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668</Hashes>
-                <Hashes condition="contains">SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57</Hashes>
-                <Hashes condition="contains">SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347</Hashes>
-                <Hashes condition="contains">SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd</Hashes>
-                <Hashes condition="contains">SHA256=67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc</Hashes>
-                <Hashes condition="contains">SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4</Hashes>
-                <Hashes condition="contains">SHA256=72288d4978ee87ea6c8b1566dbd906107357087cef7364fb3dd1e1896d00baeb</Hashes>
-                <Hashes condition="contains">SHA256=72322fa8bba20df6966acbcf41e83747893fd173cd29de99b5ad1a5d3bf8f2de</Hashes>
-                <Hashes condition="contains">SHA256=76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a</Hashes>
-                <Hashes condition="contains">SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22</Hashes>
-                <Hashes condition="contains">SHA256=77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c</Hashes>
-                <Hashes condition="contains">SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f</Hashes>
-                <Hashes condition="contains">SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469</Hashes>
-                <Hashes condition="contains">SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94</Hashes>
-                <Hashes condition="contains">SHA256=86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675</Hashes>
-                <Hashes condition="contains">SHA256=89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10</Hashes>
-                <Hashes condition="contains">SHA256=092349aebdac28294dbad1656759d8461f362d1a36b01054dccf861d97beadf0</Hashes>
-                <Hashes condition="contains">SHA256=94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5</Hashes>
-                <Hashes condition="contains">SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558</Hashes>
-                <Hashes condition="contains">SHA256=238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4</Hashes>
-                <Hashes condition="contains">SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79</Hashes>
-                <Hashes condition="contains">SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073</Hashes>
-                <Hashes condition="contains">SHA256=385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039</Hashes>
-                <Hashes condition="contains">SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659</Hashes>
-                <Hashes condition="contains">SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c</Hashes>
-                <Hashes condition="contains">SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6</Hashes>
-                <Hashes condition="contains">SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91</Hashes>
-                <Hashes condition="contains">SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b</Hashes>
-                <Hashes condition="contains">SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965</Hashes>
-                <Hashes condition="contains">SHA256=771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c</Hashes>
-                <Hashes condition="contains">SHA256=810513b3f4c8d29afb46f71816350088caacf46f1be361af55b26f3fee4662c3</Hashes>
-                <Hashes condition="contains">SHA256=841335eeb6af68dce5b8b24151776281a751b95056a894991b23afae80e9f33b</Hashes>
-                <Hashes condition="contains">SHA256=0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06</Hashes>
-                <Hashes condition="contains">SHA256=952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4</Hashes>
-                <Hashes condition="contains">SHA256=2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c</Hashes>
-                <Hashes condition="contains">SHA256=3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf</Hashes>
-                <Hashes condition="contains">SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd</Hashes>
-                <Hashes condition="contains">SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9</Hashes>
-                <Hashes condition="contains">SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d</Hashes>
-                <Hashes condition="contains">SHA256=7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c</Hashes>
-                <Hashes condition="contains">SHA256=7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504</Hashes>
-                <Hashes condition="contains">SHA256=8939116df1d6c8fd0ebd14b2d37b3dec38a8820aa666ecd487bc1bb794f2a587</Hashes>
-                <Hashes condition="contains">SHA256=9778136d2441439dc470861d15d96fa21dc9f16225232cd05b76791a5e0fde6f</Hashes>
-                <Hashes condition="contains">SHA256=16768203a471a19ebb541c942f45716e9f432985abbfbe6b4b7d61a798cea354</Hashes>
-                <Hashes condition="contains">SHA256=18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805</Hashes>
-                <Hashes condition="contains">SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a</Hashes>
-                <Hashes condition="contains">SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10</Hashes>
-                <Hashes condition="contains">SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a</Hashes>
-                <Hashes condition="contains">SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3</Hashes>
-                <Hashes condition="contains">SHA256=55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa</Hashes>
-                <Hashes condition="contains">SHA256=65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3</Hashes>
-                <Hashes condition="contains">SHA256=65025741ecd0ef516da01319b42c2d96e13cb8d78de53fb7e39cd53ea6d58c75</Hashes>
-                <Hashes condition="contains">SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c</Hashes>
-                <Hashes condition="contains">SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82</Hashes>
-                <Hashes condition="contains">SHA256=696679114f6a106ec94c21e2a33fe17af86368bcf9a796aaea37ea6e8748ad6a</Hashes>
-                <Hashes condition="contains">SHA256=910479467ef17b9591d8d42305e7f6f247ad41c60ec890a1ffbe331f495ed135</Hashes>
-                <Hashes condition="contains">SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f</Hashes>
-                <Hashes condition="contains">SHA256=9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d</Hashes>
-                <Hashes condition="contains">SHA256=46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7</Hashes>
-                <Hashes condition="contains">SHA256=48891874441c6fa69e5518d98c53d83b723573e280c6c65ccfbde9039a6458c9</Hashes>
-                <Hashes condition="contains">SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa</Hashes>
-                <Hashes condition="contains">SHA256=a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1</Hashes>
-                <Hashes condition="contains">SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8</Hashes>
-                <Hashes condition="contains">SHA256=a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad</Hashes>
-                <Hashes condition="contains">SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062</Hashes>
-                <Hashes condition="contains">SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc</Hashes>
-                <Hashes condition="contains">SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200</Hashes>
-                <Hashes condition="contains">SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8</Hashes>
-                <Hashes condition="contains">SHA256=a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df</Hashes>
-                <Hashes condition="contains">SHA256=a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d</Hashes>
-                <Hashes condition="contains">SHA256=a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5</Hashes>
-                <Hashes condition="contains">SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3</Hashes>
-                <Hashes condition="contains">SHA256=a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e</Hashes>
-                <Hashes condition="contains">SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499</Hashes>
-                <Hashes condition="contains">SHA256=a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9</Hashes>
-                <Hashes condition="contains">SHA256=a7860e110f7a292d621006b7208a634504fb5be417fd71e219060381b9a891e6</Hashes>
-                <Hashes condition="contains">SHA256=a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e</Hashes>
-                <Hashes condition="contains">SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526</Hashes>
-                <Hashes condition="contains">SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433</Hashes>
-                <Hashes condition="contains">SHA256=a2353030d4ea3ad9e874a0f7ff35bbfa10562c98c949d88cabab27102bbb8e48</Hashes>
-                <Hashes condition="contains">SHA256=a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4</Hashes>
-                <Hashes condition="contains">SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608</Hashes>
-                <Hashes condition="contains">SHA256=aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c</Hashes>
-                <Hashes condition="contains">SHA256=aafb95a443911e4c67d4e45ffa83cca103c91b42915b81100534dc439bec0c1b</Hashes>
-                <Hashes condition="contains">SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89</Hashes>
-                <Hashes condition="contains">SHA256=ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd</Hashes>
-                <Hashes condition="contains">SHA256=ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a</Hashes>
-                <Hashes condition="contains">SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165</Hashes>
-                <Hashes condition="contains">SHA256=ac63c26ca43701dddaa7fb1aea535d42190f88752900a03040fd5aaa24991e25</Hashes>
-                <Hashes condition="contains">SHA256=ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833</Hashes>
-                <Hashes condition="contains">SHA256=ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b</Hashes>
-                <Hashes condition="contains">SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173</Hashes>
-                <Hashes condition="contains">SHA256=ad2477632b9b07588cfe0e692f244c05fa4202975c1fe91dd3b90fa911ac6058</Hashes>
-                <Hashes condition="contains">SHA256=ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47</Hashes>
-                <Hashes condition="contains">SHA256=adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee</Hashes>
-                <Hashes condition="contains">SHA256=ae6fb53e4d8122dba3a65e5fa59185b36c3ac9df46e82fcfb6731ab55c6395aa</Hashes>
-                <Hashes condition="contains">SHA256=ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471</Hashes>
-                <Hashes condition="contains">SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2</Hashes>
-                <Hashes condition="contains">SHA256=aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399</Hashes>
-                <Hashes condition="contains">SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685</Hashes>
-                <Hashes condition="contains">SHA256=af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a</Hashes>
-                <Hashes condition="contains">SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508</Hashes>
-                <Hashes condition="contains">SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414</Hashes>
-                <Hashes condition="contains">SHA256=b2ba6efeff1860614b150916a77c9278f19d51e459e67a069ccd15f985cbc0e1</Hashes>
-                <Hashes condition="contains">SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29</Hashes>
-                <Hashes condition="contains">SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602</Hashes>
-                <Hashes condition="contains">SHA256=b6fd51e1f57a03006953e84fd56cc2821cc19e7c77c0474e1110aabaacaf03df</Hashes>
-                <Hashes condition="contains">SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d</Hashes>
-                <Hashes condition="contains">SHA256=b8b94c2646b62f6ac08f16514b6efaa9866aa3c581e4c0435a7aeafe569b2418</Hashes>
-                <Hashes condition="contains">SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf</Hashes>
-                <Hashes condition="contains">SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c</Hashes>
-                <Hashes condition="contains">SHA256=b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a</Hashes>
-                <Hashes condition="contains">SHA256=b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b</Hashes>
-                <Hashes condition="contains">SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a</Hashes>
-                <Hashes condition="contains">SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a</Hashes>
-                <Hashes condition="contains">SHA256=b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e</Hashes>
-                <Hashes condition="contains">SHA256=b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5</Hashes>
-                <Hashes condition="contains">SHA256=b95b2d9b29bd25659f1c7ba5a187f8d23cde01162d9b5b1a2c4aea8f64b38441</Hashes>
-                <Hashes condition="contains">SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de</Hashes>
-                <Hashes condition="contains">SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e</Hashes>
-                <Hashes condition="contains">SHA256=b1867d13a4cab66a76f4d4448824ca0cb3a176064626f9618c0c103ee3cb4f47</Hashes>
-                <Hashes condition="contains">SHA256=b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0</Hashes>
-                <Hashes condition="contains">SHA256=b61869b7945be062630f1dd4bae919aecee8927f7e1bc3954a21ff763f4c0867</Hashes>
-                <Hashes condition="contains">SHA256=b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704</Hashes>
-                <Hashes condition="contains">SHA256=b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3</Hashes>
-                <Hashes condition="contains">SHA256=bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa</Hashes>
-                <Hashes condition="contains">SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc</Hashes>
-                <Hashes condition="contains">SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955</Hashes>
-                <Hashes condition="contains">SHA256=bb68552936a6b0a68fb53ce864a6387d2698332aac10a7adfdd5a48b97027ce3</Hashes>
-                <Hashes condition="contains">SHA256=bc7ebd191e0991fd0865a5c956a92e63792a0bb2ff888af43f7a63bb65a22248</Hashes>
-                <Hashes condition="contains">SHA256=bc13adeb6bf62b1e10ef41205ef92382e6c18d6a20669d288a0b11058e533d63</Hashes>
-                <Hashes condition="contains">SHA256=bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f</Hashes>
-                <Hashes condition="contains">SHA256=bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f</Hashes>
-                <Hashes condition="contains">SHA256=bda99629ec6c522c3efcbcc9ca33688d31903146f05b37d0d3b43db81bfb3961</Hashes>
-                <Hashes condition="contains">SHA256=bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c</Hashes>
-                <Hashes condition="contains">SHA256=bdcacee3695583a0ca38b9a786b9f7334bf2a9a3387e4069c8e6ca378b2791d0</Hashes>
-                <Hashes condition="contains">SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100</Hashes>
-                <Hashes condition="contains">SHA256=be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2</Hashes>
-                <Hashes condition="contains">SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57</Hashes>
-                <Hashes condition="contains">SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8</Hashes>
-                <Hashes condition="contains">SHA256=c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8</Hashes>
-                <Hashes condition="contains">SHA256=c2fcc0fec64d5647813b84b9049d430406c4c6a7b9f8b725da21bcae2ff12247</Hashes>
-                <Hashes condition="contains">SHA256=c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e</Hashes>
-                <Hashes condition="contains">SHA256=c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9</Hashes>
-                <Hashes condition="contains">SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e</Hashes>
-                <Hashes condition="contains">SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8</Hashes>
-                <Hashes condition="contains">SHA256=c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924</Hashes>
-                <Hashes condition="contains">SHA256=c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26</Hashes>
-                <Hashes condition="contains">SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a</Hashes>
-                <Hashes condition="contains">SHA256=c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc</Hashes>
-                <Hashes condition="contains">SHA256=c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa</Hashes>
-                <Hashes condition="contains">SHA256=c344e92a6d06155a217a9af7b4b35e6653665eec6569292e7b2e70f3a3027646</Hashes>
-                <Hashes condition="contains">SHA256=c470c9db58840149ce002f3e6003382ecf740884a683bae8f9d10831be218fa2</Hashes>
-                <Hashes condition="contains">SHA256=c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2</Hashes>
-                <Hashes condition="contains">SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5</Hashes>
-                <Hashes condition="contains">SHA256=c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada</Hashes>
-                <Hashes condition="contains">SHA256=c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c</Hashes>
-                <Hashes condition="contains">SHA256=c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d</Hashes>
-                <Hashes condition="contains">SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c</Hashes>
-                <Hashes condition="contains">SHA256=c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd</Hashes>
-                <Hashes condition="contains">SHA256=caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab</Hashes>
-                <Hashes condition="contains">SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612</Hashes>
-                <Hashes condition="contains">SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec</Hashes>
-                <Hashes condition="contains">SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6</Hashes>
-                <Hashes condition="contains">SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8</Hashes>
-                <Hashes condition="contains">SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64</Hashes>
-                <Hashes condition="contains">SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b</Hashes>
-                <Hashes condition="contains">SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb</Hashes>
-                <Hashes condition="contains">SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812</Hashes>
-                <Hashes condition="contains">SHA256=cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc</Hashes>
-                <Hashes condition="contains">SHA256=ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2</Hashes>
-                <Hashes condition="contains">SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986</Hashes>
-                <Hashes condition="contains">SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b</Hashes>
-                <Hashes condition="contains">SHA256=cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190</Hashes>
-                <Hashes condition="contains">SHA256=cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb</Hashes>
-                <Hashes condition="contains">SHA256=cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40</Hashes>
-                <Hashes condition="contains">SHA256=cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b</Hashes>
-                <Hashes condition="contains">SHA256=cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab</Hashes>
-                <Hashes condition="contains">SHA256=cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c</Hashes>
-                <Hashes condition="contains">SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889</Hashes>
-                <Hashes condition="contains">SHA256=d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605</Hashes>
-                <Hashes condition="contains">SHA256=d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f</Hashes>
-                <Hashes condition="contains">SHA256=d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9</Hashes>
-                <Hashes condition="contains">SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102</Hashes>
-                <Hashes condition="contains">SHA256=d7ddf874304556f8a10942a29b3d387cb5155a7419f87813557fe728cb14806d</Hashes>
-                <Hashes condition="contains">SHA256=d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0</Hashes>
-                <Hashes condition="contains">SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530</Hashes>
-                <Hashes condition="contains">SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482</Hashes>
-                <Hashes condition="contains">SHA256=d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2</Hashes>
-                <Hashes condition="contains">SHA256=d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f</Hashes>
-                <Hashes condition="contains">SHA256=d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3</Hashes>
-                <Hashes condition="contains">SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3</Hashes>
-                <Hashes condition="contains">SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71</Hashes>
-                <Hashes condition="contains">SHA256=d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476</Hashes>
-                <Hashes condition="contains">SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2</Hashes>
-                <Hashes condition="contains">SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26</Hashes>
-                <Hashes condition="contains">SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e</Hashes>
-                <Hashes condition="contains">SHA256=d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d</Hashes>
-                <Hashes condition="contains">SHA256=d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1</Hashes>
-                <Hashes condition="contains">SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24</Hashes>
-                <Hashes condition="contains">SHA256=da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d</Hashes>
-                <Hashes condition="contains">SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004</Hashes>
-                <Hashes condition="contains">SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653</Hashes>
-                <Hashes condition="contains">SHA256=dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98</Hashes>
-                <Hashes condition="contains">SHA256=dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed</Hashes>
-                <Hashes condition="contains">SHA256=dbe9f17313e1164f06401234b875fbc7f71d41dc7271de643865af1358841fef</Hashes>
-                <Hashes condition="contains">SHA256=dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258</Hashes>
-                <Hashes condition="contains">SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097</Hashes>
-                <Hashes condition="contains">SHA256=dd573f23d656818036fc9ae1064eda31aca86acb9bc44a6e127db3ea112a9094</Hashes>
-                <Hashes condition="contains">SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8</Hashes>
-                <Hashes condition="contains">SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa</Hashes>
-                <Hashes condition="contains">SHA256=de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c</Hashes>
-                <Hashes condition="contains">SHA256=de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5</Hashes>
-                <Hashes condition="contains">SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc</Hashes>
-                <Hashes condition="contains">SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d</Hashes>
-                <Hashes condition="contains">SHA256=deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578</Hashes>
-                <Hashes condition="contains">SHA256=df0cc4e5c9802f8edaefeb130e375cad56b2c5490d8ebd77d8dbdcc6fdc7ecb6</Hashes>
-                <Hashes condition="contains">SHA256=df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15</Hashes>
-                <Hashes condition="contains">SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22</Hashes>
-                <Hashes condition="contains">SHA256=e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b</Hashes>
-                <Hashes condition="contains">SHA256=e2d8dd5dacc24051709f55a35184f5f99aef957a83bd358b0608b4479e1ec24f</Hashes>
-                <Hashes condition="contains">SHA256=e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6</Hashes>
-                <Hashes condition="contains">SHA256=e3b257357be41a18319332df7023c4407e2b93ac4c9e0c6754032e29f3763eac</Hashes>
-                <Hashes condition="contains">SHA256=e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918</Hashes>
-                <Hashes condition="contains">SHA256=e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd</Hashes>
-                <Hashes condition="contains">SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb</Hashes>
-                <Hashes condition="contains">SHA256=e4c154a0073bbad3c9f8ab7218e9b3be252ae705c20c568861dae4088f17ffcc</Hashes>
-                <Hashes condition="contains">SHA256=e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036</Hashes>
-                <Hashes condition="contains">SHA256=e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148</Hashes>
-                <Hashes condition="contains">SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1</Hashes>
-                <Hashes condition="contains">SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53</Hashes>
-                <Hashes condition="contains">SHA256=e5b0772be02e2bc807804874cf669e97aa36f5aff1f12fa0a631a3c7b4dd0dc8</Hashes>
-                <Hashes condition="contains">SHA256=e7cbfb16261de1c7f009431d374d90e9eb049ba78246e38bc4c8b9e06f324b6f</Hashes>
-                <Hashes condition="contains">SHA256=e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48</Hashes>
-                <Hashes condition="contains">SHA256=e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f</Hashes>
-                <Hashes condition="contains">SHA256=e50b25d94c1771937b2f632e10eea875ac6b19c57da703d52e23ad2b6299f0ae</Hashes>
-                <Hashes condition="contains">SHA256=e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90</Hashes>
-                <Hashes condition="contains">SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028</Hashes>
-                <Hashes condition="contains">SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a</Hashes>
-                <Hashes condition="contains">SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4</Hashes>
-                <Hashes condition="contains">SHA256=e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f</Hashes>
-                <Hashes condition="contains">SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf</Hashes>
-                <Hashes condition="contains">SHA256=e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2</Hashes>
-                <Hashes condition="contains">SHA256=e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9</Hashes>
-                <Hashes condition="contains">SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf</Hashes>
-                <Hashes condition="contains">SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa</Hashes>
-                <Hashes condition="contains">SHA256=e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06</Hashes>
-                <Hashes condition="contains">SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790</Hashes>
-                <Hashes condition="contains">SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293</Hashes>
-                <Hashes condition="contains">SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3</Hashes>
-                <Hashes condition="contains">SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41</Hashes>
-                <Hashes condition="contains">SHA256=ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3</Hashes>
-                <Hashes condition="contains">SHA256=ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5</Hashes>
-                <Hashes condition="contains">SHA256=ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566</Hashes>
-                <Hashes condition="contains">SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c</Hashes>
-                <Hashes condition="contains">SHA256=ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282</Hashes>
-                <Hashes condition="contains">SHA256=ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39</Hashes>
-                <Hashes condition="contains">SHA256=ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7</Hashes>
-                <Hashes condition="contains">SHA256=ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe</Hashes>
-                <Hashes condition="contains">SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b</Hashes>
-                <Hashes condition="contains">SHA256=ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850</Hashes>
-                <Hashes condition="contains">SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0</Hashes>
-                <Hashes condition="contains">SHA256=f1c8ca232789c2f11a511c8cd95a9f3830dd719cad5aa22cb7c3539ab8cb4dc3</Hashes>
-                <Hashes condition="contains">SHA256=f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b</Hashes>
-                <Hashes condition="contains">SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe</Hashes>
-                <Hashes condition="contains">SHA256=f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f</Hashes>
-                <Hashes condition="contains">SHA256=f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1</Hashes>
-                <Hashes condition="contains">SHA256=f37d609ea1f06660d970415dd3916c4c153bb5940bf7d2beb47fa34e8a8ffbfc</Hashes>
-                <Hashes condition="contains">SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960</Hashes>
-                <Hashes condition="contains">SHA256=f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c</Hashes>
-                <Hashes condition="contains">SHA256=f84f8173242b95f9f3c4fea99b5555b33f9ce37ca8188b643871d261cb081496</Hashes>
-                <Hashes condition="contains">SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004</Hashes>
-                <Hashes condition="contains">SHA256=f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439</Hashes>
-                <Hashes condition="contains">SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d</Hashes>
-                <Hashes condition="contains">SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57</Hashes>
-                <Hashes condition="contains">SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af</Hashes>
-                <Hashes condition="contains">SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960</Hashes>
-                <Hashes condition="contains">SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008</Hashes>
-                <Hashes condition="contains">SHA256=f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145</Hashes>
-                <Hashes condition="contains">SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65</Hashes>
-                <Hashes condition="contains">SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35</Hashes>
-                <Hashes condition="contains">SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13</Hashes>
-                <Hashes condition="contains">SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b</Hashes>
-                <Hashes condition="contains">SHA256=f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478</Hashes>
-                <Hashes condition="contains">SHA256=f85784fa8e7a7ec86cb3fe76435802f6bb82256e1824ed7b5d61bf075f054573</Hashes>
-                <Hashes condition="contains">SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54</Hashes>
-                <Hashes condition="contains">SHA256=f9895458e73d4b0ef01eda347fb695bb00e6598d9f5e2506161b70ad96bb7298</Hashes>
-                <Hashes condition="contains">SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b</Hashes>
-                <Hashes condition="contains">SHA256=fa875178ae2d7604d027510b0d0a7e2d9d675e10a4c9dda2d927ee891e0bcb91</Hashes>
-                <Hashes condition="contains">SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566</Hashes>
-                <Hashes condition="contains">SHA256=fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22</Hashes>
-                <Hashes condition="contains">SHA256=fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f</Hashes>
-                <Hashes condition="contains">SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2</Hashes>
-                <Hashes condition="contains">SHA256=fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c</Hashes>
-                <Hashes condition="contains">SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1</Hashes>
-                <Hashes condition="contains">SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533</Hashes>
-                <Hashes condition="contains">SHA256=fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c</Hashes>
-                <Hashes condition="contains">SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03</Hashes>
-                <Hashes condition="contains">SHA256=fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280</Hashes>
-                <Hashes condition="contains">SHA256=ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7</Hashes>
-                <Hashes condition="contains">SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339</Hashes>
-                <Hashes condition="contains">SHA256=ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5</Hashes>
-                <Hashes condition="contains">SHA256=ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f</Hashes>
-			</Rule>
-			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Malicious Driver Detected,Risk=10,Author=Florian Roth" groupRelation="or">
-                <Hashes condition="contains">SHA256=56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c</Hashes>
-                <Hashes condition="contains">SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4</Hashes>
-                <Hashes condition="contains">SHA256=86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62</Hashes>
-                <Hashes condition="contains">SHA256=06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f</Hashes>
-                <Hashes condition="contains">SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e</Hashes>
-                <Hashes condition="contains">SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1</Hashes>
-                <Hashes condition="contains">SHA256=6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724</Hashes>
-                <Hashes condition="contains">SHA256=ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620</Hashes>
-                <Hashes condition="contains">SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc</Hashes>
-                <Hashes condition="contains">SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c</Hashes>
-                <Hashes condition="contains">SHA256=e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d</Hashes>
-                <Hashes condition="contains">SHA256=18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7</Hashes>
-                <Hashes condition="contains">SHA256=139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988</Hashes>
-                <Hashes condition="contains">SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427</Hashes>
-                <Hashes condition="contains">SHA256=1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e</Hashes>
-                <Hashes condition="contains">SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421</Hashes>
-                <Hashes condition="contains">SHA256=0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99</Hashes>
-                <Hashes condition="contains">SHA256=ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a</Hashes>
-                <Hashes condition="contains">SHA256=89698cad598a56f9e45efffd15d1841e494a2409cc12279150a03842cd6bb7f3</Hashes>
-                <Hashes condition="contains">SHA256=5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b</Hashes>
-                <Hashes condition="contains">SHA256=fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5</Hashes>
-                <Hashes condition="contains">SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4</Hashes>
-                <Hashes condition="contains">SHA256=6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77</Hashes>
-                <Hashes condition="contains">SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f</Hashes>
-                <Hashes condition="contains">SHA256=32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d</Hashes>
-                <Hashes condition="contains">SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8</Hashes>
-                <Hashes condition="contains">SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1</Hashes>
-                <Hashes condition="contains">SHA256=f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a</Hashes>
-                <Hashes condition="contains">SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376</Hashes>
-                <Hashes condition="contains">SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc</Hashes>
-                <Hashes condition="contains">SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3</Hashes>
-                <Hashes condition="contains">SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217</Hashes>
-                <Hashes condition="contains">SHA256=200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a</Hashes>
-                <Hashes condition="contains">SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce</Hashes>
-                <Hashes condition="contains">SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497</Hashes>
-                <Hashes condition="contains">SHA256=23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931</Hashes>
-                <Hashes condition="contains">SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316</Hashes>
-                <Hashes condition="contains">SHA256=5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d</Hashes>
-                <Hashes condition="contains">SHA256=e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12</Hashes>
-                <Hashes condition="contains">SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87</Hashes>
-                <Hashes condition="contains">SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae</Hashes>
-                <Hashes condition="contains">SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e</Hashes>
-                <Hashes condition="contains">SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c</Hashes>
-                <Hashes condition="contains">SHA256=f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280</Hashes>
-                <Hashes condition="contains">SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51</Hashes>
-                <Hashes condition="contains">SHA256=b8807e365be2813b7eccd2e4c49afb0d1e131086715638b7a6307cd7d7e9556c</Hashes>
-                <Hashes condition="contains">SHA256=50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76</Hashes>
-                <Hashes condition="contains">SHA256=52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677</Hashes>
-                <Hashes condition="contains">SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6</Hashes>
-                <Hashes condition="contains">SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104</Hashes>
-                <Hashes condition="contains">SHA256=8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330</Hashes>
-                <Hashes condition="contains">SHA256=4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4</Hashes>
-                <Hashes condition="contains">SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463</Hashes>
-                <Hashes condition="contains">SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c</Hashes>
-                <Hashes condition="contains">SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530</Hashes>
-                <Hashes condition="contains">SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c</Hashes>
-                <Hashes condition="contains">SHA256=f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d</Hashes>
-                <Hashes condition="contains">SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a</Hashes>
-                <Hashes condition="contains">SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae</Hashes>
-                <Hashes condition="contains">SHA256=bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df</Hashes>
-                <Hashes condition="contains">SHA256=42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25</Hashes>
-                <Hashes condition="contains">SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212</Hashes>
-                <Hashes condition="contains">SHA256=770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a</Hashes>
-			</Rule>
 		</FileExecutableDetected>
 	</RuleGroup>
 	<RuleGroup name="RG=FileExecutable Excludes" groupRelation="or">

From 7449900e0ede8da9e957b1d7ecf6e444c02baab8 Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Thu, 7 Sep 2023 09:02:11 -0400
Subject: [PATCH 454/471] Update sysmonconfig-export.xml

---
 sysmonconfig-export.xml | 1119 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 1096 insertions(+), 23 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 58259a75..c2283c19 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -262,7 +262,7 @@
 				<ParentImage condition="contains any">C:\Users\;$Recycle;\Temp\;\Downloads\</ParentImage>
 				<CommandLine condition="is">\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1</CommandLine>
 				<Image condition="image">conhost.exe</Image>
-				<ParentImage condition="excludes any">C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\Msp.Ecosystem.Discovery.exe;TCIntegratorCommHelper.exe</ParentImage> <!--NCentral exclusions-->
+				<ParentImage condition="excludes any">C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\Msp.Ecosystem.Discovery.exe;TCIntegratorCommHelper.exe;\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe</ParentImage> <!--NCentral and Nvidia exclusions-->
 			</Rule>
 			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Console Host Parents,Risk=30" groupRelation="and">
 				<ParentImage condition="contains any">svchost.exe;lsass.exe;services.exe;smss.exe;winlogon.exe;explorer.exe;dllhost.exe;rundll32.exe;regsvr32.exe;userinit.exe;winit.exe;spoolsv.exe;wermgr.exe;csrss.exe;ctfmon.exe;werfault.exe</ParentImage>
@@ -518,6 +518,7 @@
 				<ParentImage condition="excludes">C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe</ParentImage>
 				<CommandLine condition="excludes">Sentinel\AutoRepair</CommandLine> <!--SentinelOne exclusion-->
 				<CommandLine condition="excludes">Update_Sysmon_Rules</CommandLine>
+				<ParentImage condition="excludes">C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scheduled Task Created,Risk=100" groupRelation="and">
 				<OriginalFileName condition="is">taskeng.exe</OriginalFileName>
@@ -532,7 +533,7 @@
 			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=Child process from schtasks" groupRelation="and">
 				<ParentImage condition="image">schtasks.exe</ParentImage>
 				<ParentCommandLine condition="excludes">schtasks /TN RtkAudUService64_BG</ParentCommandLine>
-				<ParentCommandLine condition="excludes any">-change;/change;-delete;/delete;-create;/create;Update_Sysmon_Rules</ParentCommandLine>
+				<ParentCommandLine condition="excludes any">-change;/change;-delete;/delete;-create;/create;Update_Sysmon_Rules;AMDRyzenMasterSDKTask</ParentCommandLine>
 			</Rule>
 			<Rule name="Attack=T1053.002,Technique=Scheduled Task/Job: At,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=at.exe Task scheduler execution" groupRelation="and">
 				<Image condition="image">at.exe</Image>
@@ -686,6 +687,8 @@
 			</Rule>
 			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Suspicious Directory Traversal" groupRelation="and">
 				<CommandLine condition="contains any">..\;\..</CommandLine>
+				<ParentImage condition="excludes all">C:\Program Files;\Razer\Synapse3\Service\Razer Synapse Service.exe</ParentImage>
+				<Image condition="excludes all">C:\Program Files;\Razer\;\UserProcess\Razer Synapse Service Process.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Formbook detections" groupRelation="and">
 				<CommandLine condition="contains any">\cmd.exe /c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe /c del "C:\Users\*\Desktop\*.exe;\cmd.exe -c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe -c del "C:\Users\*\Desktop\*.exe</CommandLine>
@@ -957,9 +960,13 @@
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
 			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=netsh Firewall Rule Deletion,Risk=40" groupRelation="and">
 				<CommandLine condition="contains">firewall delete</CommandLine>
+				<ParentCommandLine condition="excludes all">ROGLiveService;C:\Program Files\ASUS\ROG Live Service\ROGLiveService.exe</ParentCommandLine>
+				<ParentImage condition="excludes">C:\Program Files\ASUS\ROG Live Service\RLSInstallAction.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh Firewall Rule Creation,Risk=40" groupRelation="and">
 				<CommandLine condition="contains">firewall add</CommandLine>
+				<ParentCommandLine condition="excludes all">cmd.exe;ROGLiveService;C:\Program Files\ASUS\ROG Live Service\ROGLiveService.exe;enable=yes</ParentCommandLine>
+				<ParentImage condition="excludes">C:\Program Files\ASUS\ROG Live Service\RLSInstallAction.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=netsh firewall disablement,Risk=40" groupRelation="and">
 				<CommandLine condition="contains">firewall set opmode disable</CommandLine>
@@ -1047,6 +1054,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=suspicious execution path,Risk=30" groupRelation="and">
 				<Image condition="contains any">C:\Users\NetworkService\;C:\Users\NetworkService\;HarddiskVolumeShadowCopy;C:\Users\Default\;C:\Users\Public;C:\Users\Guest\;\administrateur\;C:\Windows\Media\;C:\Windows\addins\;tsclient\;\htdocs\;\config\systemprofile\;C:\PerfLogs\;c:\windows\ServiceProfiles\;C:\Intel\Logs\;C:\Windows\repair\;C:\Windows\Help\;$Recycle;C:\Windows\Debug\;C:\Windows\Security\;C:\Windows\Fonts\;\wwwroot\;\Contacts;C:\Windows\vss\</Image>
+				<ParentImage condition="excludes all">C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;\CitrixReceiverUpdater.exe</ParentImage>
 			</Rule>
 			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Alert=Double File Extension,Risk=100" groupRelation="or">
 				<Image condition="end with">      .exe</Image>
@@ -2473,10 +2481,10 @@
 				<CommandLine condition="image">start-bitstransfer</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">expand \\</CommandLine>
+				<CommandLine condition="contains all">expand;\\</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">expand.exe \\</CommandLine>
+				<CommandLine condition="contains all">expand.exe;\\</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" groupRelation="and">
 				<CommandLine condition="contains">ieexec http</CommandLine>
@@ -2494,10 +2502,10 @@
 				<CommandLine condition="contains any">esentutl.exe /y \\;esentutl.exe -y \\</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">extrac32 \\</CommandLine>
+				<CommandLine condition="contains all">extrac32;\\</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">extrac32.exe \\</CommandLine>
+				<CommandLine condition="contains all">extrac32.exe;\\</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
 			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
@@ -2639,10 +2647,16 @@
 				<CommandLine condition="contains">erase</CommandLine>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=2,Alert=vShadow Commands" groupRelation="and">
-				<CommandLine condition="contains">-nw -exec=</CommandLine>
+				<CommandLine condition="contains all">-nw;-exec=</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=2,Alert=vShadow Commands" groupRelation="and">
+				<CommandLine condition="contains all">/nw;/exec=</CommandLine>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=vShadow Commands" groupRelation="and">
+				<CommandLine condition="contains all">-p;-nw</CommandLine>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=vShadow Commands" groupRelation="and">
-				<CommandLine condition="contains">-p -nw</CommandLine>
+				<CommandLine condition="contains all">/p;/nw</CommandLine>
 			</Rule>
 			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with shred Detected,Risk=100" groupRelation="and">
 				<Image condition="contains">shred</Image>
@@ -2667,8 +2681,7 @@
 			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
 			<Rule name="Attack=T1107,Technique=File Deletion,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=FSUtil USN Journal Deletion,Risk=60" groupRelation="and">
 				<Image condition="image">fsutil.exe</Image>
-				<CommandLine condition="contains">deletejournal</CommandLine>
-				<CommandLine condition="contains">usn</CommandLine>
+				<CommandLine condition="contains all">usn;deletejournal</CommandLine>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
 			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
@@ -2678,7 +2691,8 @@
 			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
 			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
 			<Rule name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Malicious Keywords from Exploitation Frameworks,Author=Florian Roth" groupRelation="and">
-			<CommandLine condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
+				<CommandLine condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
+				<Image condition="excludes all">C:\Program Files;\LightingService\AsusInstallVerifier.exe</Image>
 			</Rule>
 			<!--Crypto Currency Miner Detections-->
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
@@ -2937,6 +2951,9 @@
 				<Image condition="image">C:\Windows\System32\WerFault.exe</Image>
 				<ParentImage condition="image">C:\Windows\System32\wbem\WmiPrvSE.exe</ParentImage>
 			</Rule>
+			<Rule name="exclude armoury Crate from cmdline file deletion rule" groupRelation="and">
+				<ParentImage condition="image">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</ParentImage>
+			</Rule>
 		</ProcessCreate>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
@@ -5124,6 +5141,7 @@
 				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git;\Intel\Driver and Support Assistant\DSAService.exe;C:\Program Files (x86)\N-able Technologies\AutomationManagerAgent\;C:\Program Files (x86)\MspPlatform\RequestHandlerAgent\RequestHandlerAgent.exe;C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe;C:\ProgramData\Cavelo\jre\bin\java.exe;C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe;C:\Program Files\Cavelo\Cavelo Agent\parser.exe</SourceImage>
 				<SourceImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\NGenTask.exe</SourceImage>
 				<TargetImage condition="excludes any">\Intel\Driver and Support Assistant\</TargetImage>
+				<TargetImage condition="excludes any">C:\Program Files\AMD\CNext\CNext\Radeonsoftware.exe;C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.UserSessionHelper.exe</TargetImage>
 				<TargetImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\ngen.exe</TargetImage>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
@@ -5264,6 +5282,7 @@
 				<TargetFilename condition="begin with">C:\Windows\SoftwareDistribution</TargetFilename>
 				<TargetFilename condition="not begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch</TargetFilename>
 				<TargetFilename condition="end with">.exe</TargetFilename>
+				<TargetFilename condition="excludes">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Creation,Level=0,Desc=MSBuild Source Files created" groupRelation="or">
 				<TargetFilename condition="end with">proj</TargetFilename>
@@ -5299,6 +5318,7 @@
 			</Rule>
 			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=BIN file created" groupRelation="and">
 				<TargetFilename condition="end with">.bin</TargetFilename>
+				<Image condition="excludes any">C:\Windows\System32\WUDFHost.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WMI Shell artifacts" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
@@ -5436,6 +5456,8 @@
 				<TargetFilename condition="contains any">!!!-WARNING-!!!.html;!!!-WARNING-!!!.txt;!!! HOW TO DECRYPT FILES !!!;!!!README!!!;!!!READ_TO_UNLOCK!!!.TXT;!!!_READ_ME_;!Recovery_;!Where_are_my_files!.html;!_HOW_TO_RESTORE_;!_RECOVERY_HELP_!.txt;!recover!;# DECRYPT MY FILES #.html;# DECRYPT MY FILES #.txt;# DECRYPT MY FILES #.vbs;# SATAN CRYPTOR #;+recover+;.8lock8;.31392E30362E32303136_;.ABCDEF;.CIop;.CR1;.CRAB;.CRYPTOSHIELD;.Cl0p;.Contact_Here_To_Recover_Your_Files.txt;.CryptoTorLocker2015!;.HERMES;.HakunaMatata;.How_To_Decrypt.txt;.How_To_Get_Back.txt;.KEYZ.KEYH0LES;.L0CKED;.LOL!;.MATRIX;.OMG!;.R.i.P;.RMCM1;.RSplited;.SUPERCRYPT;.SecureCrypted;.TheTrumpLocker;.VBRANSOM;.VforVendetta;.Where_my_files.txt;.XBTL;._AiraCropEncrypted!;.airacropencrypted!;.areyoulovemyrans;.berkshire;.bitpy;.bitx;.blocatto;.bomber;.braincrypt;.breakingbad;.breeding123;.cerber;.cifgksaffsfyghd;.country82000;.crypt;.crypted;.crypton;.cryptotorlocker;.decrypt2017;.deria;.dglnl;.disposed2017;.doomed;.encrypted.locked;.encrypted;.encryptedyourfiles;.enjey;.evillock;.filegofprencrp;.fileiscryptedhard;.firecrypt;.fuckyourdata;.gangbang;.gefickt;.googl;.happydayzz;.hceem;.helpdecrypt;.helpmeencedfiles;.hnumkhotep;.hydracrypt_ID;.iaufkakfhsaraf;.info.txt;.jimm;.kharma;.killedXXX;.lambda_l0cked;.letmetrydecfiles;.locked;.locker16;.loveransisgood;.lovewindows;.magic_software_syndicate;.mention9823;.moments2900;.myrandsext2017;.newlock;.no_more_ransom;.nochance;.noproblemwedecfiles;.notfoundrans;.ohwqg;.one-we_can-help_you;.oops;.osiris;.otherinformation;.paytounlock;.powerfulldecrypt;.powned;.pr0lock;.prolock;.prosperous666;.pwnd;.ransom;.readme2unlock;.righ;.roger;.ryk;.satan;.savethequeen;.sigaint.org;.skjdthghh;.skynet;.snatch;.stubbin;.supported2017;.suppose666;.theworldisyours;.txd0t;.warn_wallet;.weapologize;.weareyourfriends;.weencedufiles;.wowreadfordecryp;.wowwhereismyfiles;.wvtr0;.yourransom;.zzzzz ;.{CRYPTENDBLACKDC};-DECRYPT.txt;000-IF-YOU-WANT-DEC-FILES;000-No-PROBLEM-WE-DEC-FILES;000-PLEASE-READ-WE-HELP;001-READ-FOR-DECRYPT-FILES;1025-7152.exe;:\windows\update_collector.exe;=READ=THIS=PLEASE=;@cock.li;@countermail.com;@firemail.cc;@india.com;@mail.ru;@ukr.net;ASSISTANCE_IN_RECOVERY;ATTENTION!!!.txt;ATTENTION.url;Aescrypt.exe;AllFilesAreLocked;BTC_DECRYPT_FILES;BUYUNLOCKCODE.txt;BUYUNLOCKCODE;BitCryptorFileList.txt;C:\ProgramData\dtb.dat;C:\Programdata\WinMgr;C:\Programdata\clean.bat;C:\Programdata\run.bat;C:\Windows\svchost.exe;CEBER3;CHECK-IT-HELP-FILES;COME_RIPRISTINARE_I_FILE.;COMO_ABRIR_ARQUIVOS.txt;COMO_RESTAURAR_ARCHIVOS;Coin.Locker.txt;Comment débloquer mes fichiers.txt;Como descriptografar seus arquivos.txt;Corona-virus-Map;Corona.bat;Corona.sfx;CryptoRansomware;Crytp0l0cker;Cyber SpLiTTer Vbs.exe;Cyborg_DECRYPT;DALE_FILES.TXT;DECRYPT-FILES;DECRYPTION INSTRUCTIONS.;DECRYPTION_HOWTO.Notepad;DECRYPT_INFORMATION;DECRYPT_INSTRUCTION.HTML;DECRYPT_INSTRUCTION.URL;DECRYPT_INSTRUCTIONS.html;DECRYPT_INSTRUCTIONS;DECRYPT_ReadMe1.TXT;DECRYPT_Readme.TXT.ReadMe;DECRYPT_YOUR_FILES;DESIFROVANI_POKYNY.html;Decrypt All Files;DecryptAllFiles;DecryptFile;Decrypt_readme.txt;DesktopOsiris;ENTSCHLUSSELN_HINWEISE.html;EdgeLocker;FILESAREGONE.txt;FILES_BACK.txt;File Decrypt Help.html;GJENOPPRETTING_AV_FILER;GetYouFiles.txt;HAPPEN-ENCED-FILES;HELLOTHERE.TXT;HELP-ME-ENCED-FILES;HELPDECRYPT_YOUR_FILES.HTML;HELP_DECRYPT.HTML;HELP_DECRYPT.PNG;HELP_DECRYPT.URL;HELP_DECRYPT.lnk;HELP_ME_PLEASE.txt;HELP_RESTORE_FILES_;HELP_TO_SAVE_FILES.bmp;HELP_TO_SAVE_FILES;HELP_YOURFILES.HTML;HELP_YOUR_FILES.PNG;HELP_YOUR_FILES.html;HELP_YOUR_FILES;HOW-TO-DECRYPT-FILES.HTML;HOW-TO-RESTORE-FILES;HOW TO BACK YOUR FILES;HOW TO DECRYPT FILES.HTML;HOW TO DECRYPT FILES.txt;HOW TO RECOVER;HOWTO_RECOVER_FILES_;HOWTO_RESTORE_FILES;HOWTO_RESTORE_FILES_;HOW_DECRYPT.HTML;HOW_DECRYPT.TXT;HOW_DECRYPT.URL;HOW_OPEN_FILES;HOW_TO_DECRYPT.HTML;HOW_TO_DECRYPT_;HOW_TO_PAY_THE_RANSOM;HOW_TO_RESTORE_FILES.html;HOW_TO_RESTORE_FILES;HOW_TO_RESTORE_YOUR_DATA;HOW_TO_UNLOCK_FILES_README_;HWID Lock.exe;Hacked_Read_me_to_decrypt_files.html;Help Decrypt.html;How decrypt files.hta;How to decrypt LeChiffre files.html;How to decrypt your data.txt;HowDecrypt.gif;HowDecrypt.txt;How_to_decrypt_your_files.jpg;How_to_restore_files.hta;HowtoRestore_File;HowtoRestore_Files;Howto_RESTORE_FILES.html;Howto_Restore_FILES.TXT;IAMREADYTOPAY.TXT;IF-YOU-WANT-DEC-FILES;IF_WANT_FILES_BACK_PLS_READ.html;IHAVEYOURSECRET.KEY;IMPORTANT READ ME.txt;IMPORTANT.README;INSTALL_TOR.URL;INSTRUCCIONES;INSTRUCCIONES_DESCIFRADO.html;INSTRUCTION RESTORE FILE;INSTRUCTIONS_DE_DECRYPTAGE.html;INSTUCCIONES_DESCRIFRADO;ISTRUZIONI_DECRITTAZIONE.html;Important!.txt;Instructionaga.txt;KryptoLocker_README.txt;LEER_INMEDIATAMENTE;LET-ME-TRY-DEC-FILES;Locked-by-Mafia;MENSAGEM.txt;MERRY_I_LOVE_YOU_BRUCE.hta;No-PROBLEM-WE-DEC-FILES;OKSOWATHAPPENDTOYOURFILES.TXT;ONTSLEUTELINGS_INSTRUCTIES.html;OSIRIS-;PAYLOADBIN;PINGY@INDIA.COM;PLEASE-READ-WE-HELP.;PLEASE-READIT-IF_YOU-WANT.html;PLEASE-READIT-IF_YOU-WANT;PLEASE-README-AFFECTED-FILES;PLS-DEC-MY-FILES;PURELOCKER;Payment_Instructions.jpg;Please Read Me!!!;READ-FOR-DECCCC-FILESSS;READ-FOR-DECRYPT-FILES;READ-READ-READ;READ IF YOU WANT YOUR FILES BACK.html;READ ME FOR DECRYPT.txt;README HOW TO DECRYPT YOUR FILES.HTML;README!!!;README_DECRYPT_HYDRA_ID_;README_DECRYPT_HYRDA_ID_;README_DECRYPT_UMBRE_ID_;README_DONT_DELETE;README_HOW_TO_UNLOCK.HTML;README_HOW_TO_UNLOCK.TXT;README_RECOVER_FILES_;README_TO_RECURE_YOUR_FILES;READTHISNOW!!!.txt;READ_IT.txt;READ_ME_!.txt;READ_ME_TO_DECRYPT_YOU_INFORMA;READ_THIS_TO_DECRYPT.html;RECOVER-FILES;RECOVERY_FILE.;RECOVERY_FILES.TXT;RECOVER_MY_FILE;RESTORE_CORUPTED_FILES;RESTORE_FILES_;RETURN FILES.txt;RETURN YOUR FILES;RETURNFILES_.txt;RETURN_FILES.txt;RETURN_FILES_.txt;Rans0m_N0te_Read_ME;Read Me (How Decrypt) !!!!.txt;ReadDecryptFilesHere;Read_this_file.txt;Receipt.exe;RecoveryManual.html;Recovery_File_;Recovery_file_;Rooster865qq;SECRET.KEY;SECRETIDHERE.KEY;SHTODELATVAM.txt;SIFRE_COZME_TALIMATI.html;SORRY-FOR-FILES;Survey Locker.exe;TRY-READ-ME-TO-DEC;Temp\satan\satan;ThxForYurTyme;UNLOCK_FILES_INSTRUCTIONS.html;UNLOCK_FILES_INSTRUCTIONS.txt;UnblockFiles.vbs;VIP72.exe;Vape Launcher.exe;WANT_FILES_BACK;WE-MUST-DEC-FILES;WHERE-YOUR-FILES;WORMKILLER@INDIA.COM.XTBL;What happen to my files.txt;Whereisyourfiles;WindowsApplication1.exe;YOUGOTHACKED.TXT;YOUR_FILES.txt;YOUR_FILES.url;YOUR_FILES_ARE_DEAD;YOUR_FILES_ARE_ENCRYPTED.HTML;YOUR_FILES_ARE_ENCRYPTED.TXT;YOUR_FILES_ARE_LOCKED.txt;Your files are locked !!!!.txt;Your files are locked !!!.txt;Your files are locked !!.txt;Your files are locked !.txt;Your files encrypted by our friends !!! txt;Your files encrypted by our friends !!!.txt;[KASISKI];_Adatok_visszaallitasahoz_utasitasok;_DECRYPT_ASSISTANCE_;_DECRYPT_INFO_;_DECRYPT_INFO_szesnl;_DEC_FILES.;_FILES_WERE_ENCRYPTED_@.TXT;_HELP_HELP_HELP_;_HELP_Recover_Files_;_HELP_instructions.bmp;_HELP_instructions.txt;_HOWDO_text.bmp;_HOWDO_text.html;_HOW_TO_Decrypt;_H_e_l_p_RECOVER_INSTRUCTIONS+;_H_e_l_p_RECOVER_INSTRUCTIONS;_Locky_recover;_Locky_recover_instructions.bmp;_Locky_recover_instructions.txt;_README.hta;_README.jpg;_READ_ME!;_RECOVER_INSTRUCTIONS;_ReCoVeRy_+;_USE_TO_FIX_;_WHAT_is.html;_help_instruct;_how_recover.txt;_how_recover;_how_recover_;_recover_;_secret_code.txt;_steaveiwalker@india.com_;aeroware;confirmation.key;contains(to_string($message.file_created), "howrecover+;crjoker.html;cryptinfo.txt;cryptolocker.;cryptopp;de_crypt_readme.;de_crypt_readme.bmp;de_crypt_readme.html;de_crypt_readme.txt;decipher_ne;decrypt-instruct;decrypt explanations.;decrypt my file;decrypt your file;decrypt_Globe;decrypt_instruct;decrypted_files.dat;decryptional;decryptmyfiles;decypt_your_files.html;default32643264.bmp;default432643264.jpg;email-salazar_slytherin10;enc_files.txt;encryptor_raas_readme_liesmich;enigma.hta;enigma_encr.txt;exit.hhr.obleep;fattura_;file0locked;files_are_encrypted.;-filesencrypted;firemail.cc;firstransomware.exe;gmx.de;hacks.at.sigaint.org;help-file-decrypt.enc;help_decrypt;help_file_;help_instructions.;help_my_files;help_recover;help_recover_instructions;help_restore;help_restore_files;help_your_file;helpmeencedfiles;how to decrypt aes files.lnk;how to decrypt;how to get data.txt;how_decrypt.gif;how_recover;how_to_decrypt;how_to_recover;howrecover+ recoveryfile_;howrecover+;howto_recover_file;howto_restore;howtodecrypt;howtodecryptaesfiles.txt;inbox.ru;info@kraken.cc_worldcza@email.cz;install_tor;iran.ir;last_chance.txt;maestro@pizzacrypts.info;maxcrypt.bmp;only-we_can-help_you;openforyou@india.com;opensourcemail.org;padcrypt;paycrypt.bmp;popcorn_time.exe;powerfulldecrypt;protonmail.ch;qbmail.biz;randomname;readme_decrypt;readme_for_decrypt;readme_liesmich_encryptor_raas;recover_file;recover_file_;recover_instruction;recoverfile;recoverfile_;recovery+;recovery_file.txt;recovery_key.txt;recoveryfile;recover}-;restore_files.txt;restorefiles;restorefiles_;ryukreadme.html;tuta.io;tutanota.com;tutanota.de;unCrypte;vault.hta;vault.key;vault.txt;want your files back.;warning-!!;wie_zum_Wiederherstellen_von_Dateien.txt;wowreadfordecryp;wowwhereismyfiles;zXz.html;zycrypt.;zzzzzzzzzzzzzzzzzyyy</TargetFilename>
 				<TargetFilename condition="excludes all">C:\Users\;\Google\Chrome Beta\User Data\;\IndexedDB\</TargetFilename>
 				<TargetFilename condition="excludes any">C:\Program Files\WindowsApps\Microsoft.YourPhone_;C:\Program Files\dotnet\shared\Microsoft.NETCore.App\;\Microsoft.NET\assembly\GAC_MSIL</TargetFilename>
+				<TargetFilename condition="excludes any">\System.Security.Cryptography</TargetFilename>
+				<Image condition="excludes any">Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" groupRelation="and">
 				<TargetFilename condition="contains">crackmapexec</TargetFilename>
@@ -5674,6 +5696,7 @@
 			</Rule>
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
+				<Image condition="excludes any">C:\Windows\System32\WUDFHost.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename>
@@ -5883,6 +5906,7 @@
 			</Rule>
 			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=BIN" groupRelation="and">
 				<TargetFilename condition="end with">.bin</TargetFilename>
+				<Image condition="excludes any">C:\Windows\System32\WUDFHost.exe</Image>
 			</Rule>
 			<Rule name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=CAB Archive" groupRelation="and">
 				<TargetFilename condition="end with">.cab</TargetFilename>
@@ -6732,10 +6756,10 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CIA Vault7: https://wikileaks.org/ciav7p1/cms/page_16384212.html" groupRelation="and">
 				<TargetFilename condition="contains">.mht</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Chrome Extensions" groupRelation="and">
+			<Rule name="Attack=T1176,Technique=Browser Extensions,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Chrome Extensions" groupRelation="and">
 				<TargetFilename condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Chrome extension" groupRelation="and">
+			<Rule name="Attack=T1176,Technique=Browser Extensions,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Chrome extension auditing" groupRelation="and">
 				<TargetFilename condition="end with">.crx</TargetFilename>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=ClickOnce extension" groupRelation="and">
@@ -6865,7 +6889,7 @@
 				<TargetFilename condition="contains">Temp\Temp1_</TargetFilename>
 			</Rule>
 			<!--Uncategorized-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=DotNet UsageLogs" groupRelation="and">
 				<TargetFilename condition="contains all">\Microsoft\;CLR_v;\UsageLogs\</TargetFilename>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Extension Monitoring" groupRelation="and">
@@ -7102,11 +7126,16 @@
 			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
 
 			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Chrome Extension auditing" groupRelation="and">
+			<Rule name="Attack=T1176,Technique=Browser Extensions,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Old Chrome Extension auditing" groupRelation="and">
 				<TargetObject condition="contains">Google\Chrome\Extensions</TargetObject>
 				<TargetObject condition="end with">update_url</TargetObject>
 				<EventType condition="is">SetValue</EventType>
 			</Rule>
+			<Rule name="Attack=T1176,Technique=Browser Extensions,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Chrome Extension auditing" groupRelation="and">
+				<TargetObject condition="contains">Google\Chrome</TargetObject>
+				<TargetObject condition="contains">extensions.settings</TargetObject>
+				<EventType condition="is">SetValue</EventType>
+			</Rule>								  
 			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Forced password reset detected" groupRelation="and">
 				<TargetObject condition="contains">ForcePasswordReset</TargetObject>
@@ -7141,6 +7170,9 @@
 				<EventType condition="is">SetValue</EventType>
 				<TargetObject condition="contains">\CurrentVersion\Run\</TargetObject>
 				<Image condition="excludes any">C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe;\AppData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
+				<Details condition="excludes all">C:\Program Files\Google\Drive File Stream;\GoogleDriveFS.exe;startup_mode</Details>
+				<Details condition="excludes all">C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;no-startup-window;win-session-start;prefetch</Details>
+				<Details condition="excludes all">\Application\chrome.exe;no-startup-window;win-session-start;prefetch</Details>
 			</Rule>
 			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Logon Logoff Shutdown Scripts" groupRelation="and">
 				<TargetObject condition="contains">\Microsoft\System\Scripts</TargetObject>
@@ -7433,7 +7465,7 @@
 				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\SnapshotCleanupTask\SD</TargetObject>
 				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office ClickToRun Service Monitor\SD</TargetObject>
 				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Automatic Updates 2.0\SD</TargetObject>
-				<TargetObject condition="excludes">Microsoft\Windows\UpdateOrchestrator</TargetObject>
+				<TargetObject condition="excludes any">Microsoft\Windows\UpdateOrchestrator;\AMDInstallLauncher\SD;\SD;ASUS Switch;\PowerToys\Autorun for </TargetObject>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Creation ID Key" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
@@ -7516,6 +7548,7 @@
 				<Image condition="excludes">C:\Programdata\sysmon\sysmon64.exe</Image>
 				<Image condition="excludes">C:\Programdata\sysmon\sysmon.exe</Image>
 				<Image condition="excludes">C:\Windows\TEMP\sysmon.exe</Image>
+				<Image condition="excludes">C:\Windows\TEMP\SYS</Image>
 				<!--Customize: Add your configuration directory above-->
 			</Rule>
 			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Modification to System Exploit Protection,Risk=30" groupRelation="and">
@@ -7635,6 +7668,7 @@
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
 				<TargetObject condition="end with">\Enabled</TargetObject>
 				<Details condition="contains">DWORD (0x00000000)</Details>
+				<Image condition="excludes">C:\WINDOWS\system32\DrvInst.exe</Image> <!--Common Driver Installs-->
 			</Rule>
 			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Enabling of Windows Event Log Source" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
@@ -8302,10 +8336,10 @@
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
 			</Rule>
 			<!--DLLs that get injected into every process launch-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Monitoring: DLLs that get injected into every process launch" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
 			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" groupRelation="and">
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Monitoring: DLLs that get injected into every process launch" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
 			</Rule>
 			<!--Office-->
@@ -8517,6 +8551,9 @@
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Office Information" groupRelation="and">
 				<TargetObject condition="contains any">Root\InventoryMiscellaneousOfficeAddIn;Root\InventoryMiscellaneousOfficeIdentifiers;Root\InventoryMiscellaneousOfficeIESettings;Root\InventoryMiscellaneousOfficeInsights;Root\InventoryMiscellaneousOfficeProducts;Root\InventoryMiscellaneousOfficeSettings;Root\InventoryMiscellaneousOfficeVBA;Root\InventoryMiscellaneousOfficeVBARuleViolations</TargetObject>
 			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Registry Hive List" groupRelation="and">
+				<TargetObject condition="contains">\Control\hivelist</TargetObject>
+			</Rule>
 			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=ISO Drive Mounted" groupRelation="and">
 				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume</TargetObject>
 				<TargetObject condition="end with">Drive Type</TargetObject>
@@ -8771,10 +8808,10 @@
 			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Potential Ransomware Indicator: REvil Sodinokibi Sodin Ransomware,Risk=100" groupRelation="and">
 				<TargetObject condition="contains">Software\recfg</TargetObject>
 			</Rule>
-			<Rule name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Keyboard Layout Load" groupRelation="and">
+			<Rule name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Suspicious Keyboard Layout Load" groupRelation="and">
 				<TargetObject condition="contains">\Keyboard Layout\Preload\</TargetObject>
 			</Rule>
-			<Rule name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Keyboard Layout Load" groupRelation="and">
+			<Rule name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Suspicious Keyboard Layout Load" groupRelation="and">
 				<TargetObject condition="contains">\Keyboard Layout\Substitutes\</TargetObject>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" groupRelation="and">
@@ -8825,6 +8862,21 @@
 				<Image condition="begin with">C:\Program Files (x86)\ESET</Image>
 				<Image condition="begin with">C:\Program Files\ESET</Image>
 			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Browser Helper Object Contacted Domains" groupRelation="and">
+				<TargetObject condition="end with">\EnableBHO</TargetObject>
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Printer Port Changes,CVE=CVE-2020-1048" groupRelation="and">
+				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports</TargetObject> <!--Microsoft:Windows: Printer port changes as used in CVE-2020-1048 [ https://windows-internals.com/printdemon-cve-2020-1048/ ] -->
+			</Rule>
+			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=PrintNightmare Coverage,Author=Florian Roth" groupRelation="and">
+				<TargetObject condition="contains">Control\Print\Environments\Windows x64\Drivers</TargetObject> <!-- PrinterNightmare coverage -->
+			</Rule>
+			<Rule name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=NGenAssemblyUsageLog Tampering Detected" groupRelation="and">
+				<TargetObject condition="contains all">\Microsoft\.NETFramework;NGenAssemblyUsageLog</TargetObject>
+			</Rule>
+			<Rule name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=Winget admin settings Tampering Detected" groupRelation="and">
+				<TargetObject condition="contains all">\REGISTRY\A\;LocalState\admin_settings</TargetObject>
+			</Rule>
 		</RegistryEvent>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
@@ -8851,7 +8903,7 @@
 				<Hash condition="contains">SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e</Hash><!--Exchange Zero Day Dropped DLL-->
 			</Rule>
 			<Rule name="Attack=T1096,Technique=Alternate Data Streams,Tactic=Defense Evasion,DS=File: File Metadata,Level=0,Desc=Alternate Data Streams,Risk=10" groupRelation="and">
-				<TargetFilename condition="contains any">Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf</TargetFilename>
+				<TargetFilename condition="contains any">Startup;Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf</TargetFilename>
 			</Rule>
 			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=File: File Metadata,Level=4,Alert=SysmonEnte Detection,DS=File: File Metadata,Level=4,Risk=100" groupRelation="and">
 				<Hash condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hash>
@@ -9624,13 +9676,18 @@
 	</RuleGroup>
 	<!-- SYSMON EVENT ID 29 : File Executable Detected -->
 	<!--Fields: ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes -->
+	<!-- Key Authors in this section are Florian Roth as a majority Contributer from: https://github.com/Neo23x0/sysmon-config/blob/master/sysmonconfig-export.xml -->
 	<RuleGroup name="RG=FileExecutable Includes" groupRelation="or">
 		<FileExecutableDetected onmatch="include">
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Exe created within Downloads Folder,Risk=10" groupRelation="and">
 				<TargetFilename condition="begin with">C:\Users\</TargetFilename>
 				<TargetFilename condition="contains">\Downloads</TargetFilename>
 			</Rule>
-			<Rule name="Attack=T1036.008,Technique=Masquerading: Masquerade File Type,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=PE File Detected under Unusual File extension,Risk=10" groupRelation="or">
+			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,DS=Process: Process Creation,Level=0,Alert=Executed files within Outlook Attachments,Risk=30" groupRelation="and">
+				<Image condition="begin with">C:\Users\</Image>
+				<Image condition="contains">Content.Outlook</Image>
+			</Rule>
+			<Rule name="Attack=T1036.008,Technique=Masquerading: Masquerade File Type,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=PE File Detected under Unusual File extension,Risk=10" groupRelation="and">
 				<TargetFilename condition="not end with">.exe</TargetFilename>
 				<TargetFilename condition="not end with">.dll</TargetFilename>
 				<TargetFilename condition="not end with">.sys</TargetFilename>
@@ -9645,6 +9702,1022 @@
 				<TargetFilename condition="not end with">.mui</TargetFilename>
 				<TargetFilename condition="not end with">.ime</TargetFilename>
 				<TargetFilename condition="not end with">.tsp</TargetFilename>
+				<Image condition="excludes">C:\Windows\system32\MpSigStub.exe</Image> <!-- 	Related to Microsoft Windows Defender Virus Definition Module -->
+			</Rule>
+			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=,Risk=10,Alert=Powershell Creating Executables" groupRelation="and">
+				<Image condition="is any">powershell.exe;powershell_ise.exe;pwsh.exe;Sqlps.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1059.003,Technique=Command and Scripting Interpreter: Windows Command Shell,Tactic=Execution,DS=File: File Creation,Level=0,Alert=Command or consolehost Anomaly,Risk=10" groupRelation="and">
+				<Image condition="is any">cmd.exe;conhost.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Pe File Detected within Unusual Location,Risk=10,Author=Florian Roth" groupRelation="or">
+				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename> <!-- often used staging directories; could cause false positives --> 
+				<TargetFilename condition="begin with">C:\Perflogs\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\Fonts\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\debug\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\tracing\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\Help\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\Logs\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\System32\spool\SERVERS\</TargetFilename> <!-- often used in exploits against print spooler --> 
+				<TargetFilename condition="begin with">C:\Windows\System32\spool\PRINTERS\</TargetFilename> <!-- often used in exploits against print spooler --> 
+				<TargetFilename condition="begin with">C:\Windows\Help\</TargetFilename> <!-- often used staging directories --> 
+				<TargetFilename condition="begin with">C:\Windows\SysWOW64\Tasks</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Intel</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Mozilla</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\chocolatey\</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\DeviceSync</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\PlayReady</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\User Account Pictures</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\Office\Heartbeat</TargetFilename>
+				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\Windows\WER</TargetFilename>
+				<TargetFilename condition="contains all">C:\Users\All Users\</TargetFilename> <!-- often used staging directories in User folders --> 
+				<TargetFilename condition="contains all">C:\Users\;\Music\</TargetFilename> <!-- often used staging directories in User folders --> 
+				<TargetFilename condition="contains all">C:\Users\;\Pictures\</TargetFilename> <!-- often used staging directories in User folders --> 
+				<TargetFilename condition="contains all">C:\Users\;\Videos\</TargetFilename> <!-- often used staging directories in User folders --> 
+				<TargetFilename condition="contains all">C:\Users\;\Contacts\</TargetFilename> <!-- often used staging directories in User folders -->
+			</Rule>
+			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Double File Extension Detected,Risk=10,Author=Florian Roth" groupRelation="or">
+				<TargetFilename condition="end with">.7z.exe</TargetFilename>
+				<TargetFilename condition="end with">.doc.exe</TargetFilename>
+				<TargetFilename condition="end with">.docm.exe</TargetFilename>
+				<TargetFilename condition="end with">.docx.exe</TargetFilename>
+				<TargetFilename condition="end with">.htm.exe</TargetFilename>
+				<TargetFilename condition="end with">.html.exe</TargetFilename>
+				<TargetFilename condition="end with">.iso.exe</TargetFilename>
+				<TargetFilename condition="end with">.lnk.exe</TargetFilename>				
+				<TargetFilename condition="end with">.pdf.exe</TargetFilename>
+				<TargetFilename condition="end with">.ppt.exe</TargetFilename>
+				<TargetFilename condition="end with">.pptx.exe</TargetFilename>
+				<TargetFilename condition="end with">.rar.exe</TargetFilename>
+				<TargetFilename condition="end with">.rtf.exe</TargetFilename>
+				<TargetFilename condition="end with">.txt.exe</TargetFilename>
+				<TargetFilename condition="end with">.xls.exe</TargetFilename>
+				<TargetFilename condition="end with">.xlsm.exe</TargetFilename>
+				<TargetFilename condition="end with">.xlsx.exe</TargetFilename>
+				<TargetFilename condition="end with">.zip.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Sysmon Tampering Tools Detected,Risk=10,Author=Florian Roth" groupRelation="or">
+				<TargetFilename condition="end with">\EntenLoader.exe</TargetFilename>
+				<TargetFilename condition="end with">\SysmonQuiet.exe</TargetFilename>
+				<TargetFilename condition="end with">\SharpEvtMute.exe</TargetFilename>
+				<TargetFilename condition="end with">\EvtMuteHook.dll</TargetFilename>
+				<TargetFilename condition="end with">\SysmonEOP.exe</TargetFilename>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Sysmon Tampering Tools Detected,Risk=10,Author=Florian Roth" groupRelation="or">
+				<Hashes condition="contains">IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932</Hashes> <!-- PetitPotam -->
+				<Hashes condition="contains">IMPHASH=3A19059BD7688CB88E70005F18EFC439</Hashes> <!-- PetitPotam -->
+				<Hashes condition="contains">IMPHASH=bf6223a49e45d99094406777eb6004ba</Hashes> <!-- PetitPotam -->
+				<Hashes condition="contains">IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=4C1B52A19748428E51B14C278D0F58E3</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=672B13F4A0B6F27D29065123FE882DFC</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=9528A0E91E28FBB88AD433FEABCA2456</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=D21BBC50DCC169D7B4D0F01962793154</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6</Hashes> <!-- Mimikatz -->
+				<Hashes condition="contains">IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1</Hashes> <!-- JuicyPotato  -->
+				<Hashes condition="contains">IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC</Hashes> <!-- JuicyPotato  -->
+				<Hashes condition="contains">IMPHASH=F9A28C458284584A93B14216308D31BD</Hashes> <!-- JuicyPotatoNG -->
+				<Hashes condition="contains">IMPHASH=6118619783FC175BC7EBECFF0769B46E</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=563233BFA169ACC7892451F71AD5850A</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=87575CB7A0E0700EB37F2E3668671A08</Hashes> <!-- RoguePotato -->
+				<Hashes condition="contains">IMPHASH=13F08707F759AF6003837A150A371BA1</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=1781F06048A7E58B323F0B9259BE798B</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=713C29B396B907ED71A72482759ED757</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=8B114550386E31895DFAB371E741123D</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793</Hashes> <!-- PwDumpX -->
+				<Hashes condition="contains">IMPHASH=9D68781980370E00E0BD939EE5E6C141</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=B18A1401FF8F444056D29450FBC0A6CE</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=CB567F9498452721D77A451374955F5F</Hashes> <!-- Pwdump -->
+				<Hashes condition="contains">IMPHASH=730073214094CD328547BF1F72289752</Hashes> <!-- Htran -->
+				<Hashes condition="contains">IMPHASH=17B461A082950FC6332228572138B80C</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=819B19D53CA6736448F9325A85736792</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E</Hashes> <!-- Cobalt Strike beacons -->
+				<Hashes condition="contains">IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74</Hashes> <!-- PPLDump -->
+				<Hashes condition="contains">IMPHASH=0588081AB0E63BA785938467E1B10CCA</Hashes> <!-- PPLDump -->
+				<Hashes condition="contains">IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=4DA924CF622D039D58BCE71CDF05D242</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=E7A3A5C377E2D29324093377D7DB1C66</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=E6F9D5152DA699934B30DAAB206471F6</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=3AD59991CCF1D67339B319B15A41B35D</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=FFDD59E0318B85A3E480874D9796D872</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=0CF479628D7CC1EA25EC7998A92F5051</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=D6D0F80386E1380D05CB78E871BC72B1</Hashes> <!-- NanoDump -->
+				<Hashes condition="contains">IMPHASH=38D9E015591BBFD4929E0D0F47FA0055</Hashes> <!-- HandleKatz -->
+				<Hashes condition="contains">IMPHASH=0E2216679CA6E1094D63322E3412D650</Hashes> <!-- HandleKatz -->
+				<Hashes condition="contains">IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=11083E75553BAAE21DC89CE8F9A195E4</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80</Hashes> <!-- DripLoader -->
+				<Hashes condition="contains">IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F</Hashes> <!-- CreateMiniDump -->
+				<Hashes condition="contains">IMPHASH=767637C23BB42CD5D7397CF58B0BE688</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=14C4E4C72BA075E9069EE67F39188AD8</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=7D010C6BB6A3726F327F7E239166D127</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=89159BA4DD04E4CE5559F132A9964EB3</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=5834ED4291BDEB928270428EBBAF7604</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=3DE09703C8E79ED2CA3F01074719906B</Hashes> <!-- UACMe Akagi -->
+				<Hashes condition="contains">IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F</Hashes> <!-- WCE -->
+				<Hashes condition="contains">IMPHASH=E96A73C7BF33A464C510EDE582318BF2</Hashes> <!-- WCE -->
+				<Hashes condition="contains">IMPHASH=32089B8851BBF8BC2D014E9F37288C83</Hashes> <!-- Sliver Stagers -->
+				<Hashes condition="contains">IMPHASH=09D278F9DE118EF09163C6140255C690</Hashes> <!-- Dumpert -->
+				<Hashes condition="contains">IMPHASH=03866661686829d806989e2fc5a72606</Hashes> <!-- Dumpert -->
+				<Hashes condition="contains">IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d</Hashes> <!-- Dumpert -->
+				<Hashes condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hashes> <!-- SysmonEnte -->
+				<Hashes condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hashes> <!-- SysmonQuiet -->
+				<Hashes condition="contains">IMPHASH=330768A4F172E10ACB6287B87289D83B</Hashes> <!-- ShaprEvtMute Hook -->
+				<Hashes condition="contains">IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313</Hashes> <!-- Forkatz -->
+				<Hashes condition="contains">IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC</Hashes> <!-- PPLKiller -->
+				<Hashes condition="contains">IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28</Hashes> <!-- PPLKiller -->
+				<Hashes condition="contains">IMPHASH=96DF3A3731912449521F6F8D183279B1</Hashes> <!-- Backstab -->
+				<Hashes condition="contains">IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46</Hashes> <!-- Backstab -->
+				<Hashes condition="contains">IMPHASH=51791678F351C03A0EB4E2A7B05C6E17</Hashes> <!-- Backstab -->
+				<Hashes condition="contains">IMPHASH=25CE42B079282632708FC846129E98A5</Hashes> <!-- Forensia -->
+				<Hashes condition="contains">MD5=7B17F15713FCF13C764535AA2BDF52AA</Hashes>													<!-- ShaprEvtMute -->
+				<Hashes condition="contains">SHA1=4E18320493042BCD7D21B53E258974BC460ACC78</Hashes>										<!-- ShaprEvtMute -->
+				<Hashes condition="contains">SHA256=477DFE485F5BD9540CC83E88FC04AAFB6DE49CF1ADC6BD857D5D6F4C1730A6D1</Hashes>	<!-- ShaprEvtMute -->
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Microsoft Office Dropping Executables,Risk=10,Author=Florian Roth" groupRelation="or">
+				<Image condition="image">winword.exe</Image>
+				<Image condition="image">excel.exe</Image>
+				<Image condition="image">powerpnt.exe</Image>
+				<Image condition="image">msaccess.exe</Image>
+				<Image condition="image">mspub.exe</Image>
+				<Image condition="image">eqnedt32.exe</Image>
+				<Image condition="image">visio.exe</Image>
+				<Image condition="image">wordpad.exe</Image>
+				<Image condition="image">wordview.exe</Image>
+				<Image condition="image">msohtmed.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=OneNote Dropping Executables,Risk=10,Author=Florian Roth" groupRelation="or">
+				<Image condition="image">onenote.exe</Image>
+				<Image condition="image">onenotem.exe</Image>
+				<Image condition="image">onenoteim.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=LOLBin Dropping Executables,Risk=10,Author=Florian Roth" groupRelation="or">
+				<!-- LOLBINs that can be used to download executables -->
+				<Image condition="image">certutil.exe</Image>
+				<Image condition="image">certoc.exe</Image>
+				<Image condition="image">CertReq.exe</Image>
+				<!-- <Image condition="image">bitsadmin.exe</Image> (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env) -->
+				<Image condition="image">Desktopimgdownldr.exe</Image>
+				<Image condition="image">esentutl.exe</Image>
+				<!-- <Image condition="image">expand.exe</Image> (depends on the environment; comment in if you're sure that expand doesn't do that in your env) -->
+				<Image condition="image">finger.exe</Image>
+				<!-- Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)-->
+				<Image condition="image">notepad.exe</Image>
+				<Image condition="image">AcroRd32.exe</Image>
+				<Image condition="image">RdrCEF.exe</Image> <!-- RdrCEF was seen dropping a DLL in temp (Example: \AppData\Local\Temp\acrocef_low\4616_1623006624_platform_specific\win_x86\widevinecdm.dll). Comment out this entry if you experience issues (https://github.com/Neo23x0/sysmon-config/issues/43) -->
+				<Image condition="image">calc.exe</Image>
+				<Image condition="image">mspaint.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.01,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Compiled HTML File Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">hh.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.002,Technique=System Binary Proxy Execution: Control Panel,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Control Panel Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">control.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.003,Technique=System Binary Proxy Execution: CMSTP,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=CMSTP Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">CMSTP.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.004,Technique=System Binary Proxy Execution: InstallUtil,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=InstallUtil Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">installutil.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.005,Technique=System Binary Proxy Execution: Mshta,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=MSHTA Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">mshta.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.007,Technique=System Binary Proxy Execution: MSIExec,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=MSIExec Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">msiexec.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.008,Technique=System Binary Proxy Execution: Odbcconf,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Odbcconf Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">Odbcconf.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.009,Technique=System Binary Proxy Execution: Regsvcs/Regasm,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Regsvcs/Regasm Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="contains any">Regsvcs.exe;Regasm.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.010,Technique=System Binary Proxy Execution: Regsvr32,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Regsvr32 Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">regsvr32.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.011,Technique=System Binary Proxy Execution: Rundll32,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Rundll32 Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">Rundll32.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.012,Technique=System Binary Proxy Execution: Verclsid,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Verclsid Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">Verclsid.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.013,Technique=System Binary Proxy Execution: mavinject,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Mavinject Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="contains any">mavinject.exe;mavinject64.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218.014,Technique=System Binary Proxy Execution: MMC,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=MMC Dropping Executables,Risk=10" groupRelation="and">
+				<Image condition="image">mmc.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Other LOLBins Dropping Executables,Risk=10" groupRelation="or">
+				<Image condition="contains any">Appvlp.exe;InfDefaultInstall.EXE;PresentationHost.exe;Register-cimprovider.exe;RegisterCimProvider2.exe;RegisterCimProvider.exe;ScriptRunner.exe;appcmd.exe;csi.exe;devtoolslauncher.exe;diskshadow.exe;extexport.exe;jjs.exe;msconfig.EXE;msdt.exe;rasautou.exe;rasdlui.exe;replace.exe;tttracer.exe;wab.exe;wsreset.exe</Image>
+			</Rule>
+			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=File: File Creation,Level=4,Alert=Vulnerable Driver Detected,Risk=10,Author=Florian Roth" groupRelation="or">
+			    <Hashes condition="contains">SHA256=7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed</Hashes>
+                <Hashes condition="contains">SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb</Hashes>
+                <Hashes condition="contains">SHA256=0ae8d1dd56a8a000ced74a627052933d2e9bff31d251de185b3c0c5fc94a44db</Hashes>
+                <Hashes condition="contains">SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05</Hashes>
+                <Hashes condition="contains">SHA256=0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d</Hashes>
+                <Hashes condition="contains">SHA256=0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917</Hashes>
+                <Hashes condition="contains">SHA256=0bc3685b0b8adc97931b5d31348da235cd7581a67edf6d79913e6a5709866135</Hashes>
+                <Hashes condition="contains">SHA256=0be4912bfd7a79f6ebfa1c06a59f0fb402bd4fe0158265780509edd0e562eac1</Hashes>
+                <Hashes condition="contains">SHA256=0c512b615eac374d4d494e3c36838d8e788b3dc2691bf27916f7f42694b14467</Hashes>
+                <Hashes condition="contains">SHA256=0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c</Hashes>
+                <Hashes condition="contains">SHA256=0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c</Hashes>
+                <Hashes condition="contains">SHA256=0cf6c6c2d231eaf67dfc87561cc9a56ecef89ab50baafee5a67962748d51faf3</Hashes>
+                <Hashes condition="contains">SHA256=0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f</Hashes>
+                <Hashes condition="contains">SHA256=0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c</Hashes>
+                <Hashes condition="contains">SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8</Hashes>
+                <Hashes condition="contains">SHA256=0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b</Hashes>
+                <Hashes condition="contains">SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff</Hashes>
+                <Hashes condition="contains">SHA256=0ee5067ce48883701824c5b1ad91695998916a3702cf8086962fbe58af74b2d6</Hashes>
+                <Hashes condition="contains">SHA256=0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8</Hashes>
+                <Hashes condition="contains">SHA256=0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf</Hashes>
+                <Hashes condition="contains">SHA256=0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff</Hashes>
+                <Hashes condition="contains">SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670</Hashes>
+                <Hashes condition="contains">SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd</Hashes>
+                <Hashes condition="contains">SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece</Hashes>
+                <Hashes condition="contains">SHA256=1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5</Hashes>
+                <Hashes condition="contains">SHA256=1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0</Hashes>
+                <Hashes condition="contains">SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c</Hashes>
+                <Hashes condition="contains">SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b</Hashes>
+                <Hashes condition="contains">SHA256=1afa03118f87b62c59a97617e595ebb26dde8dbdd16ee47ef3ddd1097c30ef6a</Hashes>
+                <Hashes condition="contains">SHA256=1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e</Hashes>
+                <Hashes condition="contains">SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa</Hashes>
+                <Hashes condition="contains">SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a</Hashes>
+                <Hashes condition="contains">SHA256=1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687</Hashes>
+                <Hashes condition="contains">SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8</Hashes>
+                <Hashes condition="contains">SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219</Hashes>
+                <Hashes condition="contains">SHA256=1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe</Hashes>
+                <Hashes condition="contains">SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee</Hashes>
+                <Hashes condition="contains">SHA256=1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961</Hashes>
+                <Hashes condition="contains">SHA256=1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512</Hashes>
+                <Hashes condition="contains">SHA256=1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c</Hashes>
+                <Hashes condition="contains">SHA256=1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501</Hashes>
+                <Hashes condition="contains">SHA256=2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486</Hashes>
+                <Hashes condition="contains">SHA256=2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e</Hashes>
+                <Hashes condition="contains">SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a</Hashes>
+                <Hashes condition="contains">SHA256=2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8</Hashes>
+                <Hashes condition="contains">SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4</Hashes>
+                <Hashes condition="contains">SHA256=2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30</Hashes>
+                <Hashes condition="contains">SHA256=2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a</Hashes>
+                <Hashes condition="contains">SHA256=2b120de80a5462f8395cfb7153c86dfd44f29f0776ea156ec4a34fa64e5c4797</Hashes>
+                <Hashes condition="contains">SHA256=2b186926ed815d87eaf72759a69095a11274f5d13c33b8cc2b8700a1f020be1d</Hashes>
+                <Hashes condition="contains">SHA256=2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1</Hashes>
+                <Hashes condition="contains">SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250</Hashes>
+                <Hashes condition="contains">SHA256=2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14</Hashes>
+                <Hashes condition="contains">SHA256=2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1</Hashes>
+                <Hashes condition="contains">SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b</Hashes>
+                <Hashes condition="contains">SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d</Hashes>
+                <Hashes condition="contains">SHA256=2d195cd4400754cc6f6c3f8ab1fe31627932c3c1bf8d5d0507c292232d1a2396</Hashes>
+                <Hashes condition="contains">SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e</Hashes>
+                <Hashes condition="contains">SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8</Hashes>
+                <Hashes condition="contains">SHA256=2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0</Hashes>
+                <Hashes condition="contains">SHA256=2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e</Hashes>
+                <Hashes condition="contains">SHA256=2f60536b25ba8c9014e4a57d7a9a681bd3189fa414eea88c256d029750e15cae</Hashes>
+                <Hashes condition="contains">SHA256=2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445</Hashes>
+                <Hashes condition="contains">SHA256=03e0581432f5c8cc727a8aa387f5b69ff84d38d0df6f1226c19c6e960a81e1e9</Hashes>
+                <Hashes condition="contains">SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25</Hashes>
+                <Hashes condition="contains">SHA256=3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0</Hashes>
+                <Hashes condition="contains">SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e</Hashes>
+                <Hashes condition="contains">SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46</Hashes>
+                <Hashes condition="contains">SHA256=3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b</Hashes>
+                <Hashes condition="contains">SHA256=3c5d7069f85ec1d6f58147431f88c4d7c48df73baf94ffdefd664f2606baf09c</Hashes>
+                <Hashes condition="contains">SHA256=3c6f9917418e991ed41540d8d882c8ca51d582a82fd01bff6cdf26591454faf5</Hashes>
+                <Hashes condition="contains">SHA256=3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc</Hashes>
+                <Hashes condition="contains">SHA256=3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b</Hashes>
+                <Hashes condition="contains">SHA256=3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f</Hashes>
+                <Hashes condition="contains">SHA256=3cb75429944e60f6c820c7638adbf688883ad44951bca3f8912428afe72bc134</Hashes>
+                <Hashes condition="contains">SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3</Hashes>
+                <Hashes condition="contains">SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4</Hashes>
+                <Hashes condition="contains">SHA256=3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272</Hashes>
+                <Hashes condition="contains">SHA256=3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf</Hashes>
+                <Hashes condition="contains">SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c</Hashes>
+                <Hashes condition="contains">SHA256=3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75</Hashes>
+                <Hashes condition="contains">SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8</Hashes>
+                <Hashes condition="contains">SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5</Hashes>
+                <Hashes condition="contains">SHA256=3f9530c94b689f39cc83377d76979d443275012e022782a600dcb5cad4cca6aa</Hashes>
+                <Hashes condition="contains">SHA256=3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e</Hashes>
+                <Hashes condition="contains">SHA256=3ff50c67d51553c08dcb7c98342f68a0f54ad6658c5346c428bdcd1f185569f6</Hashes>
+                <Hashes condition="contains">SHA256=3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa</Hashes>
+                <Hashes condition="contains">SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162</Hashes>
+                <Hashes condition="contains">SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2</Hashes>
+                <Hashes condition="contains">SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe</Hashes>
+                <Hashes condition="contains">SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7</Hashes>
+                <Hashes condition="contains">SHA256=4b4c925c3b8285aeeab9b954e8b2a0773b4d2d0e18d07d4a9d268f4be90f6cae</Hashes>
+                <Hashes condition="contains">SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1</Hashes>
+                <Hashes condition="contains">SHA256=4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4</Hashes>
+                <Hashes condition="contains">SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e</Hashes>
+                <Hashes condition="contains">SHA256=4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036</Hashes>
+                <Hashes condition="contains">SHA256=4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee</Hashes>
+                <Hashes condition="contains">SHA256=4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba</Hashes>
+                <Hashes condition="contains">SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80</Hashes>
+                <Hashes condition="contains">SHA256=4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69</Hashes>
+                <Hashes condition="contains">SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748</Hashes>
+                <Hashes condition="contains">SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a</Hashes>
+                <Hashes condition="contains">SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a</Hashes>
+                <Hashes condition="contains">SHA256=5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe</Hashes>
+                <Hashes condition="contains">SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a</Hashes>
+                <Hashes condition="contains">SHA256=5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c</Hashes>
+                <Hashes condition="contains">SHA256=5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921</Hashes>
+                <Hashes condition="contains">SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a</Hashes>
+                <Hashes condition="contains">SHA256=5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185</Hashes>
+                <Hashes condition="contains">SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3</Hashes>
+                <Hashes condition="contains">SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92</Hashes>
+                <Hashes condition="contains">SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be</Hashes>
+                <Hashes condition="contains">SHA256=5f7e47d728ac3301eb47b409801a0f4726a435f78f1ed02c30d2a926259c71f3</Hashes>
+                <Hashes condition="contains">SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683</Hashes>
+                <Hashes condition="contains">SHA256=5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0</Hashes>
+                <Hashes condition="contains">SHA256=5f20541f859f21b3106e12d37182b1ea39bb75ffcfcddb2ece4f6edd42c0bab2</Hashes>
+                <Hashes condition="contains">SHA256=5f487829527802983d5c120e3b99f3cf89333ca14f5e49ac32df0798cfb1f7aa</Hashes>
+                <Hashes condition="contains">SHA256=5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36</Hashes>
+                <Hashes condition="contains">SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50</Hashes>
+                <Hashes condition="contains">SHA256=6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5</Hashes>
+                <Hashes condition="contains">SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74</Hashes>
+                <Hashes condition="contains">SHA256=6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63</Hashes>
+                <Hashes condition="contains">SHA256=6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e</Hashes>
+                <Hashes condition="contains">SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44</Hashes>
+                <Hashes condition="contains">SHA256=6c64688444d3e004da77dcfb769d064bb38afceeef7ff915dfc71e60e19ff18a</Hashes>
+                <Hashes condition="contains">SHA256=6cb6e23ba516570bbd158c32f7c7c99f19b24ca4437340ecb39253662afe4293</Hashes>
+                <Hashes condition="contains">SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc</Hashes>
+                <Hashes condition="contains">SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492</Hashes>
+                <Hashes condition="contains">SHA256=6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf</Hashes>
+                <Hashes condition="contains">SHA256=6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7</Hashes>
+                <Hashes condition="contains">SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7</Hashes>
+                <Hashes condition="contains">SHA256=6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38</Hashes>
+                <Hashes condition="contains">SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4</Hashes>
+                <Hashes condition="contains">SHA256=6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c</Hashes>
+                <Hashes condition="contains">SHA256=6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d</Hashes>
+                <Hashes condition="contains">SHA256=6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc</Hashes>
+                <Hashes condition="contains">SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357</Hashes>
+                <Hashes condition="contains">SHA256=7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf</Hashes>
+                <Hashes condition="contains">SHA256=7aaf2aa194b936e48bc90f01ee854768c8383c0be50cfb41b346666aec0cf853</Hashes>
+                <Hashes condition="contains">SHA256=7b0f442ac0bb183906700097d65aed0b4b9d8678f9a01aca864854189fe368e7</Hashes>
+                <Hashes condition="contains">SHA256=7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b</Hashes>
+                <Hashes condition="contains">SHA256=7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7</Hashes>
+                <Hashes condition="contains">SHA256=7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21</Hashes>
+                <Hashes condition="contains">SHA256=7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4</Hashes>
+                <Hashes condition="contains">SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c</Hashes>
+                <Hashes condition="contains">SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f</Hashes>
+                <Hashes condition="contains">SHA256=7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea</Hashes>
+                <Hashes condition="contains">SHA256=7da6113183328d4fddf6937c0c85ef65ba69bfe133b1146193a25bcf6ae1f9dd</Hashes>
+                <Hashes condition="contains">SHA256=7dfc2eb033d2e090540860b8853036f40736d02bd22099ff6cf665a90be659cd</Hashes>
+                <Hashes condition="contains">SHA256=7e3b0b8d3e430074109d85729201d7c34bc5b918c0bcb9f64ce88c5e37e1a456</Hashes>
+                <Hashes condition="contains">SHA256=7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d</Hashes>
+                <Hashes condition="contains">SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7</Hashes>
+                <Hashes condition="contains">SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d</Hashes>
+                <Hashes condition="contains">SHA256=7f5dc63e5742096e4accaca39ae77a2a2142b438c10f97860dee4054b51d3b35</Hashes>
+                <Hashes condition="contains">SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457</Hashes>
+                <Hashes condition="contains">SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa</Hashes>
+                <Hashes condition="contains">SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6</Hashes>
+                <Hashes condition="contains">SHA256=8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2</Hashes>
+                <Hashes condition="contains">SHA256=8bda0108de82ebeae82f43108046c5feb6f042e312fa0115475a9e32274fae59</Hashes>
+                <Hashes condition="contains">SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6</Hashes>
+                <Hashes condition="contains">SHA256=8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9</Hashes>
+                <Hashes condition="contains">SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f</Hashes>
+                <Hashes condition="contains">SHA256=8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775</Hashes>
+                <Hashes condition="contains">SHA256=8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9</Hashes>
+                <Hashes condition="contains">SHA256=8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2</Hashes>
+                <Hashes condition="contains">SHA256=8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126</Hashes>
+                <Hashes condition="contains">SHA256=8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c</Hashes>
+                <Hashes condition="contains">SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f</Hashes>
+                <Hashes condition="contains">SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f</Hashes>
+                <Hashes condition="contains">SHA256=8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00</Hashes>
+                <Hashes condition="contains">SHA256=8f23313adb35782adb0ba97fefbfbb8bbc5fc40ae272e07f6d4629a5305a3fa2</Hashes>
+                <Hashes condition="contains">SHA256=8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a</Hashes>
+                <Hashes condition="contains">SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184</Hashes>
+                <Hashes condition="contains">SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1</Hashes>
+                <Hashes condition="contains">SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e</Hashes>
+                <Hashes condition="contains">SHA256=9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7</Hashes>
+                <Hashes condition="contains">SHA256=9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba</Hashes>
+                <Hashes condition="contains">SHA256=9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c</Hashes>
+                <Hashes condition="contains">SHA256=9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c</Hashes>
+                <Hashes condition="contains">SHA256=9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194</Hashes>
+                <Hashes condition="contains">SHA256=9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285</Hashes>
+                <Hashes condition="contains">SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4</Hashes>
+                <Hashes condition="contains">SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449</Hashes>
+                <Hashes condition="contains">SHA256=9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2</Hashes>
+                <Hashes condition="contains">SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395</Hashes>
+                <Hashes condition="contains">SHA256=9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4</Hashes>
+                <Hashes condition="contains">SHA256=9ee33ffd80611a13779df6286c1e04d3c151f1e2f65e3d664a08997fcd098ef3</Hashes>
+                <Hashes condition="contains">SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5</Hashes>
+                <Hashes condition="contains">SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33</Hashes>
+                <Hashes condition="contains">SHA256=9f1025601d17945c3a47026814bdec353ee363966e62dba7fe2673da5ce50def</Hashes>
+                <Hashes condition="contains">SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374</Hashes>
+                <Hashes condition="contains">SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5</Hashes>
+                <Hashes condition="contains">SHA256=11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b</Hashes>
+                <Hashes condition="contains">SHA256=12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56</Hashes>
+                <Hashes condition="contains">SHA256=14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8</Hashes>
+                <Hashes condition="contains">SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229</Hashes>
+                <Hashes condition="contains">SHA256=15fb486b6b8c2a2f1b067f48fba10c2f164638fe5e6cee618fb84463578ecac9</Hashes>
+                <Hashes condition="contains">SHA256=16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1</Hashes>
+                <Hashes condition="contains">SHA256=18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506</Hashes>
+                <Hashes condition="contains">SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6</Hashes>
+                <Hashes condition="contains">SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0</Hashes>
+                <Hashes condition="contains">SHA256=19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775</Hashes>
+                <Hashes condition="contains">SHA256=19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0</Hashes>
+                <Hashes condition="contains">SHA256=20f11a64bc4548f4edb47e3d3418da0f6d54a83158224b71662a6292bf45b5fb</Hashes>
+                <Hashes condition="contains">SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21</Hashes>
+                <Hashes condition="contains">SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c</Hashes>
+                <Hashes condition="contains">SHA256=23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade</Hashes>
+                <Hashes condition="contains">SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4</Hashes>
+                <Hashes condition="contains">SHA256=26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097</Hashes>
+                <Hashes condition="contains">SHA256=26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43</Hashes>
+                <Hashes condition="contains">SHA256=26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712</Hashes>
+                <Hashes condition="contains">SHA256=27cd05527feb020084a4a76579c125458571da8843cdfc3733211760a11da970</Hashes>
+                <Hashes condition="contains">SHA256=29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6</Hashes>
+                <Hashes condition="contains">SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94</Hashes>
+                <Hashes condition="contains">SHA256=30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb</Hashes>
+                <Hashes condition="contains">SHA256=31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a</Hashes>
+                <Hashes condition="contains">SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427</Hashes>
+                <Hashes condition="contains">SHA256=31f4140c12ac31f5729a8de4dc051d3acd07783564604df831a2a6722c979192</Hashes>
+                <Hashes condition="contains">SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351</Hashes>
+                <Hashes condition="contains">SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993</Hashes>
+                <Hashes condition="contains">SHA256=34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3</Hashes>
+                <Hashes condition="contains">SHA256=34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf</Hashes>
+                <Hashes condition="contains">SHA256=36aafa127736c7226c50061ea065f71e14f64ec60321f705bc52686d24117e0d</Hashes>
+                <Hashes condition="contains">SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb</Hashes>
+                <Hashes condition="contains">SHA256=36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289</Hashes>
+                <Hashes condition="contains">SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9</Hashes>
+                <Hashes condition="contains">SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e</Hashes>
+                <Hashes condition="contains">SHA256=38b3eb8c86201d26353aab625cea672e60c2f66ce6f5e5eda673e8c3478bf305</Hashes>
+                <Hashes condition="contains">SHA256=38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7</Hashes>
+                <Hashes condition="contains">SHA256=38c18db050b0b2b07f657c03db1c9595febae0319c746c3eede677e21cd238b0</Hashes>
+                <Hashes condition="contains">SHA256=38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20</Hashes>
+                <Hashes condition="contains">SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a</Hashes>
+                <Hashes condition="contains">SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e</Hashes>
+                <Hashes condition="contains">SHA256=42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb</Hashes>
+                <Hashes condition="contains">SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f</Hashes>
+                <Hashes condition="contains">SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89</Hashes>
+                <Hashes condition="contains">SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0</Hashes>
+                <Hashes condition="contains">SHA256=45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a</Hashes>
+                <Hashes condition="contains">SHA256=45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26</Hashes>
+                <Hashes condition="contains">SHA256=45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef</Hashes>
+                <Hashes condition="contains">SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84</Hashes>
+                <Hashes condition="contains">SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005</Hashes>
+                <Hashes condition="contains">SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc</Hashes>
+                <Hashes condition="contains">SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810</Hashes>
+                <Hashes condition="contains">SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba</Hashes>
+                <Hashes condition="contains">SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793</Hashes>
+                <Hashes condition="contains">SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f</Hashes>
+                <Hashes condition="contains">SHA256=51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5</Hashes>
+                <Hashes condition="contains">SHA256=53eaefba7e7dca9ab74e385abf18762f9f1aa51594e7f7db5ba612d6c787dd7e</Hashes>
+                <Hashes condition="contains">SHA256=55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9</Hashes>
+                <Hashes condition="contains">SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a</Hashes>
+                <Hashes condition="contains">SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7</Hashes>
+                <Hashes condition="contains">SHA256=57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572</Hashes>
+                <Hashes condition="contains">SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495</Hashes>
+                <Hashes condition="contains">SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59</Hashes>
+                <Hashes condition="contains">SHA256=59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879</Hashes>
+                <Hashes condition="contains">SHA256=60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289</Hashes>
+                <Hashes condition="contains">SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813</Hashes>
+                <Hashes condition="contains">SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0</Hashes>
+                <Hashes condition="contains">SHA256=61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf</Hashes>
+                <Hashes condition="contains">SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8</Hashes>
+                <Hashes condition="contains">SHA256=62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0</Hashes>
+                <Hashes condition="contains">SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57</Hashes>
+                <Hashes condition="contains">SHA256=65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9</Hashes>
+                <Hashes condition="contains">SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890</Hashes>
+                <Hashes condition="contains">SHA256=69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2</Hashes>
+                <Hashes condition="contains">SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009</Hashes>
+                <Hashes condition="contains">SHA256=71ff60722231c7641ad593756108cf6779dbaad21c7b08065fb1d4e225eab14d</Hashes>
+                <Hashes condition="contains">SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1</Hashes>
+                <Hashes condition="contains">SHA256=72c0d2d699d0440db17cb7cbbc06a253eaafd21465f14bb0fed8b85ae73153d1</Hashes>
+                <Hashes condition="contains">SHA256=074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761</Hashes>
+                <Hashes condition="contains">SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4</Hashes>
+                <Hashes condition="contains">SHA256=075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85</Hashes>
+                <Hashes condition="contains">SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184</Hashes>
+                <Hashes condition="contains">SHA256=76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524</Hashes>
+                <Hashes condition="contains">SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303</Hashes>
+                <Hashes condition="contains">SHA256=077aa8ff5e01747723b6d24cc8af460a7a00f30cd3bc80e41cc245ceb8305356</Hashes>
+                <Hashes condition="contains">SHA256=77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9</Hashes>
+                <Hashes condition="contains">SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57</Hashes>
+                <Hashes condition="contains">SHA256=79e87b93fbed84ec09261b3a0145c935f7dfe4d4805edfb563b2f971a0d51463</Hashes>
+                <Hashes condition="contains">SHA256=80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085</Hashes>
+                <Hashes condition="contains">SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3</Hashes>
+                <Hashes condition="contains">SHA256=80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1</Hashes>
+                <Hashes condition="contains">SHA256=81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0</Hashes>
+                <Hashes condition="contains">SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d</Hashes>
+                <Hashes condition="contains">SHA256=82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989</Hashes>
+                <Hashes condition="contains">SHA256=83f7be0a13c1fccf024c31da5c68c0ea1decf4f48fc39d6e4fd324bbe789ae8a</Hashes>
+                <Hashes condition="contains">SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4</Hashes>
+                <Hashes condition="contains">SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4</Hashes>
+                <Hashes condition="contains">SHA256=86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882</Hashes>
+                <Hashes condition="contains">SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219</Hashes>
+                <Hashes condition="contains">SHA256=88df37ede18bea511f1782c1a6c4915690b29591cf2c1bf5f52201fbbb4fa2b9</Hashes>
+                <Hashes condition="contains">SHA256=88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc</Hashes>
+                <Hashes condition="contains">SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be</Hashes>
+                <Hashes condition="contains">SHA256=89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7</Hashes>
+                <Hashes condition="contains">SHA256=092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0</Hashes>
+                <Hashes condition="contains">SHA256=93b266f38c3c3eaab475d81597abbd7cc07943035068bb6fd670dbbe15de0131</Hashes>
+                <Hashes condition="contains">SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63</Hashes>
+                <Hashes condition="contains">SHA256=94be67c319a67de75ebed050d5537cfaa795d72bba52f3d8cf349e7bd075410e</Hashes>
+                <Hashes condition="contains">SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3</Hashes>
+                <Hashes condition="contains">SHA256=97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd</Hashes>
+                <Hashes condition="contains">SHA256=98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb</Hashes>
+                <Hashes condition="contains">SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8</Hashes>
+                <Hashes condition="contains">SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1</Hashes>
+                <Hashes condition="contains">SHA256=119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280</Hashes>
+                <Hashes condition="contains">SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6</Hashes>
+                <Hashes condition="contains">SHA256=133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743</Hashes>
+                <Hashes condition="contains">SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88</Hashes>
+                <Hashes condition="contains">SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980</Hashes>
+                <Hashes condition="contains">SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347</Hashes>
+                <Hashes condition="contains">SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9</Hashes>
+                <Hashes condition="contains">SHA256=263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24</Hashes>
+                <Hashes condition="contains">SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5</Hashes>
+                <Hashes condition="contains">SHA256=316a27e2bdb86222bc7c8af4e5472166b02aec7f3f526901ce939094e5861f6d</Hashes>
+                <Hashes condition="contains">SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69</Hashes>
+                <Hashes condition="contains">SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc</Hashes>
+                <Hashes condition="contains">SHA256=399effe75d32bdab6fa0a6bffe02dbf0a59219d940b654837c3be1c0bd02e9aa</Hashes>
+                <Hashes condition="contains">SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7</Hashes>
+                <Hashes condition="contains">SHA256=453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233</Hashes>
+                <Hashes condition="contains">SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b</Hashes>
+                <Hashes condition="contains">SHA256=0466dac557ee161503f5dfbd3549f81ec760c3d6c7c4363a21a03e7a3f66aca8</Hashes>
+                <Hashes condition="contains">SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a</Hashes>
+                <Hashes condition="contains">SHA256=478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0</Hashes>
+                <Hashes condition="contains">SHA256=496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b</Hashes>
+                <Hashes condition="contains">SHA256=506f953bbb285aeb8af0549eb24f52f3b7af36afe740afa36735bac70573ce28</Hashes>
+                <Hashes condition="contains">SHA256=523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba</Hashes>
+                <Hashes condition="contains">SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd</Hashes>
+                <Hashes condition="contains">SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9</Hashes>
+                <Hashes condition="contains">SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52</Hashes>
+                <Hashes condition="contains">SHA256=592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c</Hashes>
+                <Hashes condition="contains">SHA256=600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0</Hashes>
+                <Hashes condition="contains">SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c</Hashes>
+                <Hashes condition="contains">SHA256=626fae47811450d080d08c3d9fd890aa64bfecdc45eacd42a40850c1833c8763</Hashes>
+                <Hashes condition="contains">SHA256=654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad</Hashes>
+                <Hashes condition="contains">SHA256=673b63b67345773cd6d66f6adcf2c753e2d949232bff818d5bb6e05786538d92</Hashes>
+                <Hashes condition="contains">SHA256=673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b</Hashes>
+                <Hashes condition="contains">SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf</Hashes>
+                <Hashes condition="contains">SHA256=727e8ba66a8ff07bdc778eacb463b65f2d7167a6616ca2f259ea32571cacf8af</Hashes>
+                <Hashes condition="contains">SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd</Hashes>
+                <Hashes condition="contains">SHA256=818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01</Hashes>
+                <Hashes condition="contains">SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba</Hashes>
+                <Hashes condition="contains">SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a</Hashes>
+                <Hashes condition="contains">SHA256=862d0ff27bb086145a33b9261142838651b0d2e1403be321145e197600eb5015</Hashes>
+                <Hashes condition="contains">SHA256=881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461</Hashes>
+                <Hashes condition="contains">SHA256=900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88</Hashes>
+                <Hashes condition="contains">SHA256=904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a</Hashes>
+                <Hashes condition="contains">SHA256=909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880</Hashes>
+                <Hashes condition="contains">SHA256=910aa4685c735d8c07662aa04fafec463185699ad1a0cd1967b892fc33ec6c3c</Hashes>
+                <Hashes condition="contains">SHA256=916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677</Hashes>
+                <Hashes condition="contains">SHA256=923ebbe8111e73d5b8ecc2db10f8ea2629a3264c3a535d01c3c118a3b4c91782</Hashes>
+                <Hashes condition="contains">SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a</Hashes>
+                <Hashes condition="contains">SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9</Hashes>
+                <Hashes condition="contains">SHA256=955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad</Hashes>
+                <Hashes condition="contains">SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7</Hashes>
+                <Hashes condition="contains">SHA256=1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4</Hashes>
+                <Hashes condition="contains">SHA256=1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c</Hashes>
+                <Hashes condition="contains">SHA256=1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1</Hashes>
+                <Hashes condition="contains">SHA256=1766fd66f846d9a21e648d649ad35d1ff94f8ca17a40a9a738444d6b8e07aacb</Hashes>
+                <Hashes condition="contains">SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52</Hashes>
+                <Hashes condition="contains">SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d</Hashes>
+                <Hashes condition="contains">SHA256=2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22</Hashes>
+                <Hashes condition="contains">SHA256=2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109</Hashes>
+                <Hashes condition="contains">SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6</Hashes>
+                <Hashes condition="contains">SHA256=2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f</Hashes>
+                <Hashes condition="contains">SHA256=2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2</Hashes>
+                <Hashes condition="contains">SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5</Hashes>
+                <Hashes condition="contains">SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099</Hashes>
+                <Hashes condition="contains">SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5</Hashes>
+                <Hashes condition="contains">SHA256=3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de</Hashes>
+                <Hashes condition="contains">SHA256=3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a</Hashes>
+                <Hashes condition="contains">SHA256=3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b</Hashes>
+                <Hashes condition="contains">SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3</Hashes>
+                <Hashes condition="contains">SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838</Hashes>
+                <Hashes condition="contains">SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca</Hashes>
+                <Hashes condition="contains">SHA256=4324f3d1e4007f6499a3d0f0102cd92ed9f554332bc0b633305cd7b957ff16c8</Hashes>
+                <Hashes condition="contains">SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b</Hashes>
+                <Hashes condition="contains">SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6</Hashes>
+                <Hashes condition="contains">SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8</Hashes>
+                <Hashes condition="contains">SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8</Hashes>
+                <Hashes condition="contains">SHA256=5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48</Hashes>
+                <Hashes condition="contains">SHA256=5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02</Hashes>
+                <Hashes condition="contains">SHA256=5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b</Hashes>
+                <Hashes condition="contains">SHA256=5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c</Hashes>
+                <Hashes condition="contains">SHA256=6071db01b50c658cf78665c24f1d21f21b4a12d16bfcfaa6813bf6bbc4d0a1e8</Hashes>
+                <Hashes condition="contains">SHA256=6191c20426dd9b131122fb97e45be64a4d6ce98cc583406f38473434636ddedc</Hashes>
+                <Hashes condition="contains">SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf</Hashes>
+                <Hashes condition="contains">SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb</Hashes>
+                <Hashes condition="contains">SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129</Hashes>
+                <Hashes condition="contains">SHA256=7236c8ff33c0e5cfa956778aa7303f1979f3bf709c361399fa1ce101b7e355b8</Hashes>
+                <Hashes condition="contains">SHA256=7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408</Hashes>
+                <Hashes condition="contains">SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca</Hashes>
+                <Hashes condition="contains">SHA256=8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60</Hashes>
+                <Hashes condition="contains">SHA256=8399e5afd8e3e97139dffb1a9fb00db2186321b427f164403282217cab067c38</Hashes>
+                <Hashes condition="contains">SHA256=8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b</Hashes>
+                <Hashes condition="contains">SHA256=8797d9afc7a6bb0933f100a8acbb5d0666ec691779d522ac66c66817155b1c0d</Hashes>
+                <Hashes condition="contains">SHA256=09043c51719d4bf6405c9a7a292bb9bb3bcc782f639b708ddcc4eedb5e5c9ce9</Hashes>
+                <Hashes condition="contains">SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b</Hashes>
+                <Hashes condition="contains">SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6</Hashes>
+                <Hashes condition="contains">SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b</Hashes>
+                <Hashes condition="contains">SHA256=17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca</Hashes>
+                <Hashes condition="contains">SHA256=17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229</Hashes>
+                <Hashes condition="contains">SHA256=18712a063574bfec315d58577dfe413ab45b650e54747d1e18a56c3c7337a12c</Hashes>
+                <Hashes condition="contains">SHA256=19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758</Hashes>
+                <Hashes condition="contains">SHA256=26453afb1f808f64bec87a2532a9361b696c0ed501d6b973a1f1b5ae152a4d40</Hashes>
+                <Hashes condition="contains">SHA256=28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7</Hashes>
+                <Hashes condition="contains">SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab</Hashes>
+                <Hashes condition="contains">SHA256=37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba</Hashes>
+                <Hashes condition="contains">SHA256=40061b30b1243be76d5283cbc8abfe007e148097d4de7337670ff1536c4c7ba1</Hashes>
+                <Hashes condition="contains">SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00</Hashes>
+                <Hashes condition="contains">SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0</Hashes>
+                <Hashes condition="contains">SHA256=49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668</Hashes>
+                <Hashes condition="contains">SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57</Hashes>
+                <Hashes condition="contains">SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347</Hashes>
+                <Hashes condition="contains">SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd</Hashes>
+                <Hashes condition="contains">SHA256=67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc</Hashes>
+                <Hashes condition="contains">SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4</Hashes>
+                <Hashes condition="contains">SHA256=72288d4978ee87ea6c8b1566dbd906107357087cef7364fb3dd1e1896d00baeb</Hashes>
+                <Hashes condition="contains">SHA256=72322fa8bba20df6966acbcf41e83747893fd173cd29de99b5ad1a5d3bf8f2de</Hashes>
+                <Hashes condition="contains">SHA256=76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a</Hashes>
+                <Hashes condition="contains">SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22</Hashes>
+                <Hashes condition="contains">SHA256=77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c</Hashes>
+                <Hashes condition="contains">SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f</Hashes>
+                <Hashes condition="contains">SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469</Hashes>
+                <Hashes condition="contains">SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94</Hashes>
+                <Hashes condition="contains">SHA256=86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675</Hashes>
+                <Hashes condition="contains">SHA256=89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10</Hashes>
+                <Hashes condition="contains">SHA256=092349aebdac28294dbad1656759d8461f362d1a36b01054dccf861d97beadf0</Hashes>
+                <Hashes condition="contains">SHA256=94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5</Hashes>
+                <Hashes condition="contains">SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558</Hashes>
+                <Hashes condition="contains">SHA256=238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4</Hashes>
+                <Hashes condition="contains">SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79</Hashes>
+                <Hashes condition="contains">SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073</Hashes>
+                <Hashes condition="contains">SHA256=385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039</Hashes>
+                <Hashes condition="contains">SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659</Hashes>
+                <Hashes condition="contains">SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c</Hashes>
+                <Hashes condition="contains">SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6</Hashes>
+                <Hashes condition="contains">SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91</Hashes>
+                <Hashes condition="contains">SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b</Hashes>
+                <Hashes condition="contains">SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965</Hashes>
+                <Hashes condition="contains">SHA256=771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c</Hashes>
+                <Hashes condition="contains">SHA256=810513b3f4c8d29afb46f71816350088caacf46f1be361af55b26f3fee4662c3</Hashes>
+                <Hashes condition="contains">SHA256=841335eeb6af68dce5b8b24151776281a751b95056a894991b23afae80e9f33b</Hashes>
+                <Hashes condition="contains">SHA256=0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06</Hashes>
+                <Hashes condition="contains">SHA256=952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4</Hashes>
+                <Hashes condition="contains">SHA256=2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c</Hashes>
+                <Hashes condition="contains">SHA256=3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf</Hashes>
+                <Hashes condition="contains">SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd</Hashes>
+                <Hashes condition="contains">SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9</Hashes>
+                <Hashes condition="contains">SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d</Hashes>
+                <Hashes condition="contains">SHA256=7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c</Hashes>
+                <Hashes condition="contains">SHA256=7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504</Hashes>
+                <Hashes condition="contains">SHA256=8939116df1d6c8fd0ebd14b2d37b3dec38a8820aa666ecd487bc1bb794f2a587</Hashes>
+                <Hashes condition="contains">SHA256=9778136d2441439dc470861d15d96fa21dc9f16225232cd05b76791a5e0fde6f</Hashes>
+                <Hashes condition="contains">SHA256=16768203a471a19ebb541c942f45716e9f432985abbfbe6b4b7d61a798cea354</Hashes>
+                <Hashes condition="contains">SHA256=18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805</Hashes>
+                <Hashes condition="contains">SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a</Hashes>
+                <Hashes condition="contains">SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10</Hashes>
+                <Hashes condition="contains">SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a</Hashes>
+                <Hashes condition="contains">SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3</Hashes>
+                <Hashes condition="contains">SHA256=55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa</Hashes>
+                <Hashes condition="contains">SHA256=65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3</Hashes>
+                <Hashes condition="contains">SHA256=65025741ecd0ef516da01319b42c2d96e13cb8d78de53fb7e39cd53ea6d58c75</Hashes>
+                <Hashes condition="contains">SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c</Hashes>
+                <Hashes condition="contains">SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82</Hashes>
+                <Hashes condition="contains">SHA256=696679114f6a106ec94c21e2a33fe17af86368bcf9a796aaea37ea6e8748ad6a</Hashes>
+                <Hashes condition="contains">SHA256=910479467ef17b9591d8d42305e7f6f247ad41c60ec890a1ffbe331f495ed135</Hashes>
+                <Hashes condition="contains">SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f</Hashes>
+                <Hashes condition="contains">SHA256=9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d</Hashes>
+                <Hashes condition="contains">SHA256=46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7</Hashes>
+                <Hashes condition="contains">SHA256=48891874441c6fa69e5518d98c53d83b723573e280c6c65ccfbde9039a6458c9</Hashes>
+                <Hashes condition="contains">SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa</Hashes>
+                <Hashes condition="contains">SHA256=a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1</Hashes>
+                <Hashes condition="contains">SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8</Hashes>
+                <Hashes condition="contains">SHA256=a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad</Hashes>
+                <Hashes condition="contains">SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062</Hashes>
+                <Hashes condition="contains">SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc</Hashes>
+                <Hashes condition="contains">SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200</Hashes>
+                <Hashes condition="contains">SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8</Hashes>
+                <Hashes condition="contains">SHA256=a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df</Hashes>
+                <Hashes condition="contains">SHA256=a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d</Hashes>
+                <Hashes condition="contains">SHA256=a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5</Hashes>
+                <Hashes condition="contains">SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3</Hashes>
+                <Hashes condition="contains">SHA256=a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e</Hashes>
+                <Hashes condition="contains">SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499</Hashes>
+                <Hashes condition="contains">SHA256=a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9</Hashes>
+                <Hashes condition="contains">SHA256=a7860e110f7a292d621006b7208a634504fb5be417fd71e219060381b9a891e6</Hashes>
+                <Hashes condition="contains">SHA256=a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e</Hashes>
+                <Hashes condition="contains">SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526</Hashes>
+                <Hashes condition="contains">SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433</Hashes>
+                <Hashes condition="contains">SHA256=a2353030d4ea3ad9e874a0f7ff35bbfa10562c98c949d88cabab27102bbb8e48</Hashes>
+                <Hashes condition="contains">SHA256=a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4</Hashes>
+                <Hashes condition="contains">SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608</Hashes>
+                <Hashes condition="contains">SHA256=aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c</Hashes>
+                <Hashes condition="contains">SHA256=aafb95a443911e4c67d4e45ffa83cca103c91b42915b81100534dc439bec0c1b</Hashes>
+                <Hashes condition="contains">SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89</Hashes>
+                <Hashes condition="contains">SHA256=ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd</Hashes>
+                <Hashes condition="contains">SHA256=ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a</Hashes>
+                <Hashes condition="contains">SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165</Hashes>
+                <Hashes condition="contains">SHA256=ac63c26ca43701dddaa7fb1aea535d42190f88752900a03040fd5aaa24991e25</Hashes>
+                <Hashes condition="contains">SHA256=ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833</Hashes>
+                <Hashes condition="contains">SHA256=ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b</Hashes>
+                <Hashes condition="contains">SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173</Hashes>
+                <Hashes condition="contains">SHA256=ad2477632b9b07588cfe0e692f244c05fa4202975c1fe91dd3b90fa911ac6058</Hashes>
+                <Hashes condition="contains">SHA256=ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47</Hashes>
+                <Hashes condition="contains">SHA256=adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee</Hashes>
+                <Hashes condition="contains">SHA256=ae6fb53e4d8122dba3a65e5fa59185b36c3ac9df46e82fcfb6731ab55c6395aa</Hashes>
+                <Hashes condition="contains">SHA256=ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471</Hashes>
+                <Hashes condition="contains">SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2</Hashes>
+                <Hashes condition="contains">SHA256=aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399</Hashes>
+                <Hashes condition="contains">SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685</Hashes>
+                <Hashes condition="contains">SHA256=af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a</Hashes>
+                <Hashes condition="contains">SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508</Hashes>
+                <Hashes condition="contains">SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414</Hashes>
+                <Hashes condition="contains">SHA256=b2ba6efeff1860614b150916a77c9278f19d51e459e67a069ccd15f985cbc0e1</Hashes>
+                <Hashes condition="contains">SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29</Hashes>
+                <Hashes condition="contains">SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602</Hashes>
+                <Hashes condition="contains">SHA256=b6fd51e1f57a03006953e84fd56cc2821cc19e7c77c0474e1110aabaacaf03df</Hashes>
+                <Hashes condition="contains">SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d</Hashes>
+                <Hashes condition="contains">SHA256=b8b94c2646b62f6ac08f16514b6efaa9866aa3c581e4c0435a7aeafe569b2418</Hashes>
+                <Hashes condition="contains">SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf</Hashes>
+                <Hashes condition="contains">SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c</Hashes>
+                <Hashes condition="contains">SHA256=b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a</Hashes>
+                <Hashes condition="contains">SHA256=b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b</Hashes>
+                <Hashes condition="contains">SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a</Hashes>
+                <Hashes condition="contains">SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a</Hashes>
+                <Hashes condition="contains">SHA256=b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e</Hashes>
+                <Hashes condition="contains">SHA256=b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5</Hashes>
+                <Hashes condition="contains">SHA256=b95b2d9b29bd25659f1c7ba5a187f8d23cde01162d9b5b1a2c4aea8f64b38441</Hashes>
+                <Hashes condition="contains">SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de</Hashes>
+                <Hashes condition="contains">SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e</Hashes>
+                <Hashes condition="contains">SHA256=b1867d13a4cab66a76f4d4448824ca0cb3a176064626f9618c0c103ee3cb4f47</Hashes>
+                <Hashes condition="contains">SHA256=b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0</Hashes>
+                <Hashes condition="contains">SHA256=b61869b7945be062630f1dd4bae919aecee8927f7e1bc3954a21ff763f4c0867</Hashes>
+                <Hashes condition="contains">SHA256=b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704</Hashes>
+                <Hashes condition="contains">SHA256=b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3</Hashes>
+                <Hashes condition="contains">SHA256=bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa</Hashes>
+                <Hashes condition="contains">SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc</Hashes>
+                <Hashes condition="contains">SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955</Hashes>
+                <Hashes condition="contains">SHA256=bb68552936a6b0a68fb53ce864a6387d2698332aac10a7adfdd5a48b97027ce3</Hashes>
+                <Hashes condition="contains">SHA256=bc7ebd191e0991fd0865a5c956a92e63792a0bb2ff888af43f7a63bb65a22248</Hashes>
+                <Hashes condition="contains">SHA256=bc13adeb6bf62b1e10ef41205ef92382e6c18d6a20669d288a0b11058e533d63</Hashes>
+                <Hashes condition="contains">SHA256=bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f</Hashes>
+                <Hashes condition="contains">SHA256=bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f</Hashes>
+                <Hashes condition="contains">SHA256=bda99629ec6c522c3efcbcc9ca33688d31903146f05b37d0d3b43db81bfb3961</Hashes>
+                <Hashes condition="contains">SHA256=bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c</Hashes>
+                <Hashes condition="contains">SHA256=bdcacee3695583a0ca38b9a786b9f7334bf2a9a3387e4069c8e6ca378b2791d0</Hashes>
+                <Hashes condition="contains">SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100</Hashes>
+                <Hashes condition="contains">SHA256=be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2</Hashes>
+                <Hashes condition="contains">SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57</Hashes>
+                <Hashes condition="contains">SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8</Hashes>
+                <Hashes condition="contains">SHA256=c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8</Hashes>
+                <Hashes condition="contains">SHA256=c2fcc0fec64d5647813b84b9049d430406c4c6a7b9f8b725da21bcae2ff12247</Hashes>
+                <Hashes condition="contains">SHA256=c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e</Hashes>
+                <Hashes condition="contains">SHA256=c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9</Hashes>
+                <Hashes condition="contains">SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e</Hashes>
+                <Hashes condition="contains">SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8</Hashes>
+                <Hashes condition="contains">SHA256=c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924</Hashes>
+                <Hashes condition="contains">SHA256=c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26</Hashes>
+                <Hashes condition="contains">SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a</Hashes>
+                <Hashes condition="contains">SHA256=c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc</Hashes>
+                <Hashes condition="contains">SHA256=c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa</Hashes>
+                <Hashes condition="contains">SHA256=c344e92a6d06155a217a9af7b4b35e6653665eec6569292e7b2e70f3a3027646</Hashes>
+                <Hashes condition="contains">SHA256=c470c9db58840149ce002f3e6003382ecf740884a683bae8f9d10831be218fa2</Hashes>
+                <Hashes condition="contains">SHA256=c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2</Hashes>
+                <Hashes condition="contains">SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5</Hashes>
+                <Hashes condition="contains">SHA256=c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada</Hashes>
+                <Hashes condition="contains">SHA256=c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c</Hashes>
+                <Hashes condition="contains">SHA256=c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d</Hashes>
+                <Hashes condition="contains">SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c</Hashes>
+                <Hashes condition="contains">SHA256=c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd</Hashes>
+                <Hashes condition="contains">SHA256=caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab</Hashes>
+                <Hashes condition="contains">SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612</Hashes>
+                <Hashes condition="contains">SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec</Hashes>
+                <Hashes condition="contains">SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6</Hashes>
+                <Hashes condition="contains">SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8</Hashes>
+                <Hashes condition="contains">SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64</Hashes>
+                <Hashes condition="contains">SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b</Hashes>
+                <Hashes condition="contains">SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb</Hashes>
+                <Hashes condition="contains">SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812</Hashes>
+                <Hashes condition="contains">SHA256=cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc</Hashes>
+                <Hashes condition="contains">SHA256=ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2</Hashes>
+                <Hashes condition="contains">SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986</Hashes>
+                <Hashes condition="contains">SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b</Hashes>
+                <Hashes condition="contains">SHA256=cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190</Hashes>
+                <Hashes condition="contains">SHA256=cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb</Hashes>
+                <Hashes condition="contains">SHA256=cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40</Hashes>
+                <Hashes condition="contains">SHA256=cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b</Hashes>
+                <Hashes condition="contains">SHA256=cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab</Hashes>
+                <Hashes condition="contains">SHA256=cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c</Hashes>
+                <Hashes condition="contains">SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889</Hashes>
+                <Hashes condition="contains">SHA256=d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605</Hashes>
+                <Hashes condition="contains">SHA256=d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f</Hashes>
+                <Hashes condition="contains">SHA256=d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9</Hashes>
+                <Hashes condition="contains">SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102</Hashes>
+                <Hashes condition="contains">SHA256=d7ddf874304556f8a10942a29b3d387cb5155a7419f87813557fe728cb14806d</Hashes>
+                <Hashes condition="contains">SHA256=d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0</Hashes>
+                <Hashes condition="contains">SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530</Hashes>
+                <Hashes condition="contains">SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482</Hashes>
+                <Hashes condition="contains">SHA256=d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2</Hashes>
+                <Hashes condition="contains">SHA256=d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f</Hashes>
+                <Hashes condition="contains">SHA256=d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3</Hashes>
+                <Hashes condition="contains">SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3</Hashes>
+                <Hashes condition="contains">SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71</Hashes>
+                <Hashes condition="contains">SHA256=d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476</Hashes>
+                <Hashes condition="contains">SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2</Hashes>
+                <Hashes condition="contains">SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26</Hashes>
+                <Hashes condition="contains">SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e</Hashes>
+                <Hashes condition="contains">SHA256=d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d</Hashes>
+                <Hashes condition="contains">SHA256=d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1</Hashes>
+                <Hashes condition="contains">SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24</Hashes>
+                <Hashes condition="contains">SHA256=da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d</Hashes>
+                <Hashes condition="contains">SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004</Hashes>
+                <Hashes condition="contains">SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653</Hashes>
+                <Hashes condition="contains">SHA256=dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98</Hashes>
+                <Hashes condition="contains">SHA256=dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed</Hashes>
+                <Hashes condition="contains">SHA256=dbe9f17313e1164f06401234b875fbc7f71d41dc7271de643865af1358841fef</Hashes>
+                <Hashes condition="contains">SHA256=dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258</Hashes>
+                <Hashes condition="contains">SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097</Hashes>
+                <Hashes condition="contains">SHA256=dd573f23d656818036fc9ae1064eda31aca86acb9bc44a6e127db3ea112a9094</Hashes>
+                <Hashes condition="contains">SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8</Hashes>
+                <Hashes condition="contains">SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa</Hashes>
+                <Hashes condition="contains">SHA256=de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c</Hashes>
+                <Hashes condition="contains">SHA256=de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5</Hashes>
+                <Hashes condition="contains">SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc</Hashes>
+                <Hashes condition="contains">SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d</Hashes>
+                <Hashes condition="contains">SHA256=deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578</Hashes>
+                <Hashes condition="contains">SHA256=df0cc4e5c9802f8edaefeb130e375cad56b2c5490d8ebd77d8dbdcc6fdc7ecb6</Hashes>
+                <Hashes condition="contains">SHA256=df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15</Hashes>
+                <Hashes condition="contains">SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22</Hashes>
+                <Hashes condition="contains">SHA256=e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b</Hashes>
+                <Hashes condition="contains">SHA256=e2d8dd5dacc24051709f55a35184f5f99aef957a83bd358b0608b4479e1ec24f</Hashes>
+                <Hashes condition="contains">SHA256=e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6</Hashes>
+                <Hashes condition="contains">SHA256=e3b257357be41a18319332df7023c4407e2b93ac4c9e0c6754032e29f3763eac</Hashes>
+                <Hashes condition="contains">SHA256=e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918</Hashes>
+                <Hashes condition="contains">SHA256=e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd</Hashes>
+                <Hashes condition="contains">SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb</Hashes>
+                <Hashes condition="contains">SHA256=e4c154a0073bbad3c9f8ab7218e9b3be252ae705c20c568861dae4088f17ffcc</Hashes>
+                <Hashes condition="contains">SHA256=e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036</Hashes>
+                <Hashes condition="contains">SHA256=e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148</Hashes>
+                <Hashes condition="contains">SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1</Hashes>
+                <Hashes condition="contains">SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53</Hashes>
+                <Hashes condition="contains">SHA256=e5b0772be02e2bc807804874cf669e97aa36f5aff1f12fa0a631a3c7b4dd0dc8</Hashes>
+                <Hashes condition="contains">SHA256=e7cbfb16261de1c7f009431d374d90e9eb049ba78246e38bc4c8b9e06f324b6f</Hashes>
+                <Hashes condition="contains">SHA256=e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48</Hashes>
+                <Hashes condition="contains">SHA256=e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f</Hashes>
+                <Hashes condition="contains">SHA256=e50b25d94c1771937b2f632e10eea875ac6b19c57da703d52e23ad2b6299f0ae</Hashes>
+                <Hashes condition="contains">SHA256=e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90</Hashes>
+                <Hashes condition="contains">SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028</Hashes>
+                <Hashes condition="contains">SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a</Hashes>
+                <Hashes condition="contains">SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4</Hashes>
+                <Hashes condition="contains">SHA256=e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f</Hashes>
+                <Hashes condition="contains">SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf</Hashes>
+                <Hashes condition="contains">SHA256=e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2</Hashes>
+                <Hashes condition="contains">SHA256=e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9</Hashes>
+                <Hashes condition="contains">SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf</Hashes>
+                <Hashes condition="contains">SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa</Hashes>
+                <Hashes condition="contains">SHA256=e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06</Hashes>
+                <Hashes condition="contains">SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790</Hashes>
+                <Hashes condition="contains">SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293</Hashes>
+                <Hashes condition="contains">SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3</Hashes>
+                <Hashes condition="contains">SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41</Hashes>
+                <Hashes condition="contains">SHA256=ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3</Hashes>
+                <Hashes condition="contains">SHA256=ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5</Hashes>
+                <Hashes condition="contains">SHA256=ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566</Hashes>
+                <Hashes condition="contains">SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c</Hashes>
+                <Hashes condition="contains">SHA256=ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282</Hashes>
+                <Hashes condition="contains">SHA256=ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39</Hashes>
+                <Hashes condition="contains">SHA256=ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7</Hashes>
+                <Hashes condition="contains">SHA256=ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe</Hashes>
+                <Hashes condition="contains">SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b</Hashes>
+                <Hashes condition="contains">SHA256=ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850</Hashes>
+                <Hashes condition="contains">SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0</Hashes>
+                <Hashes condition="contains">SHA256=f1c8ca232789c2f11a511c8cd95a9f3830dd719cad5aa22cb7c3539ab8cb4dc3</Hashes>
+                <Hashes condition="contains">SHA256=f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b</Hashes>
+                <Hashes condition="contains">SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe</Hashes>
+                <Hashes condition="contains">SHA256=f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f</Hashes>
+                <Hashes condition="contains">SHA256=f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1</Hashes>
+                <Hashes condition="contains">SHA256=f37d609ea1f06660d970415dd3916c4c153bb5940bf7d2beb47fa34e8a8ffbfc</Hashes>
+                <Hashes condition="contains">SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960</Hashes>
+                <Hashes condition="contains">SHA256=f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c</Hashes>
+                <Hashes condition="contains">SHA256=f84f8173242b95f9f3c4fea99b5555b33f9ce37ca8188b643871d261cb081496</Hashes>
+                <Hashes condition="contains">SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004</Hashes>
+                <Hashes condition="contains">SHA256=f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439</Hashes>
+                <Hashes condition="contains">SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d</Hashes>
+                <Hashes condition="contains">SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57</Hashes>
+                <Hashes condition="contains">SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af</Hashes>
+                <Hashes condition="contains">SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960</Hashes>
+                <Hashes condition="contains">SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008</Hashes>
+                <Hashes condition="contains">SHA256=f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145</Hashes>
+                <Hashes condition="contains">SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65</Hashes>
+                <Hashes condition="contains">SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35</Hashes>
+                <Hashes condition="contains">SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13</Hashes>
+                <Hashes condition="contains">SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b</Hashes>
+                <Hashes condition="contains">SHA256=f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478</Hashes>
+                <Hashes condition="contains">SHA256=f85784fa8e7a7ec86cb3fe76435802f6bb82256e1824ed7b5d61bf075f054573</Hashes>
+                <Hashes condition="contains">SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54</Hashes>
+                <Hashes condition="contains">SHA256=f9895458e73d4b0ef01eda347fb695bb00e6598d9f5e2506161b70ad96bb7298</Hashes>
+                <Hashes condition="contains">SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b</Hashes>
+                <Hashes condition="contains">SHA256=fa875178ae2d7604d027510b0d0a7e2d9d675e10a4c9dda2d927ee891e0bcb91</Hashes>
+                <Hashes condition="contains">SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566</Hashes>
+                <Hashes condition="contains">SHA256=fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22</Hashes>
+                <Hashes condition="contains">SHA256=fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f</Hashes>
+                <Hashes condition="contains">SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2</Hashes>
+                <Hashes condition="contains">SHA256=fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c</Hashes>
+                <Hashes condition="contains">SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1</Hashes>
+                <Hashes condition="contains">SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533</Hashes>
+                <Hashes condition="contains">SHA256=fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c</Hashes>
+                <Hashes condition="contains">SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03</Hashes>
+                <Hashes condition="contains">SHA256=fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280</Hashes>
+                <Hashes condition="contains">SHA256=ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7</Hashes>
+                <Hashes condition="contains">SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339</Hashes>
+                <Hashes condition="contains">SHA256=ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5</Hashes>
+                <Hashes condition="contains">SHA256=ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f</Hashes>
+			</Rule>
+			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Malicious Driver Detected,Risk=10,Author=Florian Roth" groupRelation="or">
+                <Hashes condition="contains">SHA256=56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c</Hashes>
+                <Hashes condition="contains">SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4</Hashes>
+                <Hashes condition="contains">SHA256=86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62</Hashes>
+                <Hashes condition="contains">SHA256=06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f</Hashes>
+                <Hashes condition="contains">SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e</Hashes>
+                <Hashes condition="contains">SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1</Hashes>
+                <Hashes condition="contains">SHA256=6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724</Hashes>
+                <Hashes condition="contains">SHA256=ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620</Hashes>
+                <Hashes condition="contains">SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc</Hashes>
+                <Hashes condition="contains">SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c</Hashes>
+                <Hashes condition="contains">SHA256=e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d</Hashes>
+                <Hashes condition="contains">SHA256=18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7</Hashes>
+                <Hashes condition="contains">SHA256=139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988</Hashes>
+                <Hashes condition="contains">SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427</Hashes>
+                <Hashes condition="contains">SHA256=1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e</Hashes>
+                <Hashes condition="contains">SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421</Hashes>
+                <Hashes condition="contains">SHA256=0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99</Hashes>
+                <Hashes condition="contains">SHA256=ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a</Hashes>
+                <Hashes condition="contains">SHA256=89698cad598a56f9e45efffd15d1841e494a2409cc12279150a03842cd6bb7f3</Hashes>
+                <Hashes condition="contains">SHA256=5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b</Hashes>
+                <Hashes condition="contains">SHA256=fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5</Hashes>
+                <Hashes condition="contains">SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4</Hashes>
+                <Hashes condition="contains">SHA256=6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77</Hashes>
+                <Hashes condition="contains">SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f</Hashes>
+                <Hashes condition="contains">SHA256=32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d</Hashes>
+                <Hashes condition="contains">SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8</Hashes>
+                <Hashes condition="contains">SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1</Hashes>
+                <Hashes condition="contains">SHA256=f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a</Hashes>
+                <Hashes condition="contains">SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376</Hashes>
+                <Hashes condition="contains">SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc</Hashes>
+                <Hashes condition="contains">SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3</Hashes>
+                <Hashes condition="contains">SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217</Hashes>
+                <Hashes condition="contains">SHA256=200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a</Hashes>
+                <Hashes condition="contains">SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce</Hashes>
+                <Hashes condition="contains">SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497</Hashes>
+                <Hashes condition="contains">SHA256=23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931</Hashes>
+                <Hashes condition="contains">SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316</Hashes>
+                <Hashes condition="contains">SHA256=5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d</Hashes>
+                <Hashes condition="contains">SHA256=e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12</Hashes>
+                <Hashes condition="contains">SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87</Hashes>
+                <Hashes condition="contains">SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae</Hashes>
+                <Hashes condition="contains">SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e</Hashes>
+                <Hashes condition="contains">SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c</Hashes>
+                <Hashes condition="contains">SHA256=f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280</Hashes>
+                <Hashes condition="contains">SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51</Hashes>
+                <Hashes condition="contains">SHA256=b8807e365be2813b7eccd2e4c49afb0d1e131086715638b7a6307cd7d7e9556c</Hashes>
+                <Hashes condition="contains">SHA256=50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76</Hashes>
+                <Hashes condition="contains">SHA256=52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677</Hashes>
+                <Hashes condition="contains">SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6</Hashes>
+                <Hashes condition="contains">SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104</Hashes>
+                <Hashes condition="contains">SHA256=8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330</Hashes>
+                <Hashes condition="contains">SHA256=4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4</Hashes>
+                <Hashes condition="contains">SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463</Hashes>
+                <Hashes condition="contains">SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c</Hashes>
+                <Hashes condition="contains">SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530</Hashes>
+                <Hashes condition="contains">SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c</Hashes>
+                <Hashes condition="contains">SHA256=f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d</Hashes>
+                <Hashes condition="contains">SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a</Hashes>
+                <Hashes condition="contains">SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae</Hashes>
+                <Hashes condition="contains">SHA256=bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df</Hashes>
+                <Hashes condition="contains">SHA256=42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25</Hashes>
+                <Hashes condition="contains">SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212</Hashes>
+                <Hashes condition="contains">SHA256=770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a</Hashes>
 			</Rule>
 		</FileExecutableDetected>
 	</RuleGroup>
@@ -9667,4 +10740,4 @@
 		</FileExecutableDetected>
 	</RuleGroup>
 	</EventFiltering>
-</Sysmon>
+</Sysmon>
\ No newline at end of file

From 9b94ebd424797b499b54298301f2ba62e7f82190 Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Thu, 7 Sep 2023 09:12:41 -0400
Subject: [PATCH 455/471] Delete .gitignore

Not used?
---
 .gitignore | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 .gitignore

diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 44c9f960..00000000
--- a/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-sysmonconfig-export.xml.bak
-/Graylog_Content_Pack/

From 3aecb5d3abafe38627a8dad4da22dd239dec9ceb Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Thu, 7 Sep 2023 09:28:23 -0400
Subject: [PATCH 456/471] Added PS scripts to install Sysmon with Config

---
 .gitignore             |  2 --
 Sysmon Install.ps1     | 59 ++++++++++++++++++++++++++++++++++++++++++
 SysmonUpdateConfig.ps1 | 23 ++++++++++++++++
 3 files changed, 82 insertions(+), 2 deletions(-)
 delete mode 100644 .gitignore
 create mode 100644 Sysmon Install.ps1
 create mode 100644 SysmonUpdateConfig.ps1

diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 44c9f960..00000000
--- a/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-sysmonconfig-export.xml.bak
-/Graylog_Content_Pack/
diff --git a/Sysmon Install.ps1 b/Sysmon Install.ps1
new file mode 100644
index 00000000..4394b2ad
--- /dev/null
+++ b/Sysmon Install.ps1	
@@ -0,0 +1,59 @@
+#Author: NerbalOne
+#This PowerShell script will first create the Sysmon folder if it does not exist. It will then download Sysmon.exe, which supports both 32 bit and 64 bit, along with the Sysmon config and Sysmon Update script. It will then install Sysmon with the config and create a Scheduled Task to run hourly to update the Sysmon config.
+
+# Define Sysmon URLs
+$sysmonURL = "https://live.sysinternals.com/sysmon.exe"
+$sysmonConfigURL = "https://raw.githubusercontent.com/NerbalOne/sysmon-config/master/sysmonconfig-export.xml"
+$sysmonUpdateConfig = "https://raw.githubusercontent.com/NerbalOne/sysmon-config/master/SysmonUpdateConfig.ps1"
+
+# Define Local Path for Sysmon File and Sysmon Config
+$sysmonPath = "C:\Programdata\Sysmon\sysmon.exe"
+$sysmonConfigPath = "C:\Programdata\Sysmon\sysmonconfig-export.xml"
+$sysmonUpdatePath = "C:\Programdata\Sysmon\SysmonUpdateConfig.ps1"
+$sysmonFolderPath = "C:\ProgramData\Sysmon\"
+
+# Create Sysmon Folder if it Doesn't Exist
+if (-not (Test-Path $sysmonFolderPath)) {
+    # Create the Folder
+    try {
+        New-Item -ItemType Directory -Path $sysmonFolderPath -Force
+        Write-Host "Folder created successfully at $folderPath"
+    }
+    catch {
+        Write-Host "Error creating the folder: $_"
+    }
+}
+else {
+    Write-Host "The folder already exists at $folderPath"
+}
+
+# Download Sysmon, Config, and Update Script
+Invoke-WebRequest -Uri $sysmonURL -OutFile $sysmonPath
+Invoke-WebRequest -Uri $sysmonConfigURL -OutFile $sysmonConfigPath
+Invoke-WebRequest -Uri $sysmonUpdateConfig -OutFile $sysmonUpdatePath
+
+# Install Sysmon with Config
+Start-Process -FilePath $sysmonPath -ArgumentList "-accepteula -i $sysmonConfigPath" -NoNewWindow -Wait
+
+# Create a New Scheduled Task
+Start-Process schtasks.exe -ArgumentList '/Create /RU SYSTEM /RL HIGHEST /SC HOURLY /TN Update_Sysmon_Rules /TR "powershell.exe -ExecutionPolicy Bypass -File "C:\Programdata\Sysmon\SysmonUpdateConfig.ps1"" /f' -Wait -WindowStyle Hidden
+Start-Process schtasks.exe -ArgumentList '/Run /TN Update_Sysmon_Rules' -Wait -WindowStyle Hidden
+
+# Define Sysmon service Name
+$sysmonServiceName = "Sysmon"
+
+# Check if Sysmon Service Exists
+try {
+    $service = Get-Service -Name $sysmonServiceName -ErrorAction Stop
+    Write-Output "Sysmon service exists"
+} catch {
+    Throw "Sysmon service does not exist"
+}
+
+# Check if Scheduled Task is Created Successfully
+try {
+    $task = Get-ScheduledTask -TaskName "Update_Sysmon_Rules" -ErrorAction Stop
+    Write-Output "Scheduled task created successfully"
+} catch {
+    Throw "Scheduled task creation failed"
+}
diff --git a/SysmonUpdateConfig.ps1 b/SysmonUpdateConfig.ps1
new file mode 100644
index 00000000..45db31db
--- /dev/null
+++ b/SysmonUpdateConfig.ps1
@@ -0,0 +1,23 @@
+#Author: NerbalOne
+#This PowerShell script will first download the latest Sysmon config. Then it will apply this config to Sysmon.
+
+# Define Sysmon Path
+$sysmonPath = "C:\ProgramData\Sysmon\sysmon.exe"
+$sysmonConfigPath = "C:\ProgramData\Sysmon\sysmonconfig-export.xml"
+
+# Define Sysmon Config URL
+$sysmonConfigURL = "https://raw.githubusercontent.com/NerbalOne/sysmon-config/master/sysmonconfig-export.xml"
+
+# Download the Latest Sysmon Config
+Invoke-WebRequest -Uri $sysmonConfigURL -OutFile $sysmonConfigPath
+
+# Run sysmon.exe with Config
+& $sysmonPath -c $sysmonConfigPath
+
+# Check the Exit Code of the Previous Command
+if ($LASTEXITCODE -eq 0) {
+    Write-Output "Sysmon executed successfully."
+} else {
+    Write-Output "Sysmon execution failed."
+}
+

From e60c40b72a6ff1e19e73d17df84a86dd4a77a7e0 Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Thu, 7 Sep 2023 09:30:45 -0400
Subject: [PATCH 457/471] Delete Auto_Update.bat

---
 Auto_Update.bat | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 Auto_Update.bat

diff --git a/Auto_Update.bat b/Auto_Update.bat
deleted file mode 100644
index 25685148..00000000
--- a/Auto_Update.bat
+++ /dev/null
@@ -1,5 +0,0 @@
-@echo on
-cd C:\ProgramData\sysmon\
-@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
-sysmon64 -c sysmonconfig-export.xml
-exit

From 729a19816316830375a268a180189b6a00d68693 Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Thu, 7 Sep 2023 09:31:11 -0400
Subject: [PATCH 458/471] Delete Install Sysmon.bat

---
 Install Sysmon.bat | 28 ----------------------------
 1 file changed, 28 deletions(-)
 delete mode 100644 Install Sysmon.bat

diff --git a/Install Sysmon.bat b/Install Sysmon.bat
deleted file mode 100644
index d14c506b..00000000
--- a/Install Sysmon.bat	
+++ /dev/null
@@ -1,28 +0,0 @@
-@echo off
-setlocal
-set hour=%time:~0,2%
-set minute=%time:~3,2%
-set /A minute+=2
-if %minute% GTR 59 (
- set /A minute-=60
- set /A hour+=1
-)
-if %hour%==24 set hour=00
-if "%hour:~0,1%"==" " set hour=0%hour:~1,1%
-if "%hour:~1,1%"=="" set hour=0%hour%
-if "%minute:~1,1%"=="" set minute=0%minute%
-set tasktime=%hour%:%minute%
-mkdir C:\ProgramData\sysmon
-pushd "C:\ProgramData\sysmon\"
-echo [+] Downloading Sysmon...
-@powershell (new-object System.Net.WebClient).DownloadFile('https://live.sysinternals.com/Sysmon.exe','C:\ProgramData\sysmon\sysmon.exe')"
-echo [+] Downloading Sysmon config...
-@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml','C:\ProgramData\sysmon\sysmonconfig-export.xml')"
-@powershell (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ion-storm/sysmon-config/master/Auto_Update.bat','C:\ProgramData\sysmon\Auto_Update.bat')"
-sysmon.exe -accepteula -i sysmonconfig-export.xml
-sc failure Sysmon actions= restart/10000/restart/10000// reset= 120
-echo [+] Sysmon Successfully Installed!
-echo [+] Creating Auto Update Task set to Hourly..
-SchTasks /Create /RU SYSTEM /RL HIGHEST /SC HOURLY /TN Update_Sysmon_Rules /TR C:\ProgramData\sysmon\Auto_Update.bat /F /ST %tasktime%
-timeout /t 10
-exit
\ No newline at end of file

From 470a8b9e634a1b2074b17a0bb0890382cae3a005 Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Fri, 8 Sep 2023 08:34:25 -0400
Subject: [PATCH 459/471] Updating grammar and links.

---
 README.md | 46 +++++++++++++++++++++-------------------------
 1 file changed, 21 insertions(+), 25 deletions(-)

diff --git a/README.md b/README.md
index f41fe5e2..86b43a47 100644
--- a/README.md
+++ b/README.md
@@ -1,26 +1,26 @@
 # Sysmon ATT&CK Configuration #
-The file provided should function as a great starting point for system monitoring in a self-contained package. This configuration and results should give you a good idea of what's possible for Sysmon.
+The file provided should function as a great starting point for system monitoring in a self-contained package. This configuration and results should give you a good idea of what's possible for Sysmon. Please beware that you may need to fine tune and add exclusions depending on your environment. High CPU usage may be seen if exclusions are not added and one or more rules are firing off multiple times every second. 
 
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**[sysmonconfig-export.xml](https://github.com/ion-storm/sysmon-config/blob/master/sysmonconfig-export.xml)**
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**[sysmonconfig-export.xml](https://github.com/NerbalOne/sysmon-config/blob/master/sysmonconfig-export.xml)**
 
-Pull requests and issue tickets are welcome, and new additions will be credited in-line or on Git, tag your name with Author=YourName within the rulename field.
+Pull requests and issue tickets are welcomed. Any new additions will be credited in-line or on Git. Tag your name with Author=YourName within the rulename field.
 
-This Sysmon ATT&CK Configuration is designed "Explicitly" to enrich your SIEM for threat intelligence, forensics, UEBA, use cases.  You'll want to create a key-value parser for the
+This Sysmon ATT&CK Configuration is designed "Explicitly" to enrich your SIEM for threat intelligence, forensics, and UEBA use cases. You'll want to create a key-value parser for the
 rulename field to create field names per event within your SIEM.  
-Ideally this is best used with an Alerting Repository/Index where the "Alert=" field is marked and a non-alerting visibility index/repository where threat hunting, investigations can be done 
-that contains added context and story line information of user behavior and activity leading up to an attack.  Non-Alerting Visibility rules are tagged with Desc=, and Forensic= and are
-meant to provide contextual information for analysts to build cases and identify what is happening with SIEM enrichments.  Some of these non-alerting visibility rules can be graduated 
+Ideally this is best used with an Alerting Repository/Index where the "Alert=" field is marked and a non-alerting visibility index/repository where threat hunting and investigations can be done 
+that contains added context and story line information of user behavior and activity leading up to an attack. Non-Alerting visibility rules are tagged with "Desc=" and "Forensic=" and are
+meant to provide contextual information for analysts to build cases and identify what is happening with SIEM enrichments. Some of these non-alerting visibility rules can be graduated 
 to the Alerting rules or can be used with correlation rules within a SIEM/SOAR/XDR.  
 
 The goal with this configuration is a "Control" configuration that provides ultimate visibility that should be ran in conjunction with an EDR.  
-As we know, allot of EDR's today provide little contextual information, forensic information that is tagged, categorized, risk rated, some alerts EDR vendors choose to not alert
-on due to the differences between each environment and how hard it is to baseline some detections.  There is many use cases where EDR's fall short, they are not the greatest at 
-identifying suspicious activity that may fall short of being labeled as malicious.  The goal here is to detect all common user activity that would lead to exfiltration, infiltration, 
-malware, malicious activity, questionable activity.  If a user is poking around the registry, sending data to cloud storage, downloading and executing random attachments and files,
-copying files, we want to know.  We also want to leave an audit trail by monitoring the registry, artifact locations and provide our forensic analysts as much detail as possible.
+As we know, allot of EDR's today provide little contextual information, forensic information that is tagged, categorized, risk rated, and some alerts EDR vendors choose to not alert
+on due to the differences between each environment and how hard it is to baseline some detections. There is many use cases where EDR's fall short. They are not the greatest at 
+identifying suspicious activity that may fall short of being labeled as malicious. The goal here is to detect all common user activity that would lead to exfiltration, infiltration, 
+malware, malicious activity, and questionable activity. If a user is poking around the registry, sending data to cloud storage, downloading and executing random attachments and files, and/or
+copying files, we want to know. We also want to leave an audit trail by monitoring the registry, artifact locations, and provide our forensic analysts as much detail as possible.
 
-If you have forensic registry keys, file locations, artifacts, behavior detections and anything that may be beneficial here, feel free to put in a pull request.  
-The goal here is as much visibility as possible, with accurate alerts that are not noisy.  
+If you have forensic registry keys, file locations, artifacts, behavior detections, and anything that may be beneficial here, feel free to put in a pull request.  
+The goal here is as much visibility as possible with accurate alerts that are not noisy.  
 
 
 This now has an Auto Updater script to update to the latest Sysmon config hourly.  This is great for mass deployments without having to manually update thousands of systems.
@@ -28,24 +28,26 @@ This now has an Auto Updater script to update to the latest Sysmon config hourly
 ## Use ##
 
 ### Auto-Install with Auto Update Script:###
+The two below PowerShell scripts that are contained in this repo will download and install Sysmon and the config along with creating a scheduled task to run hourly to update the config.
 ~~~~
-Install Sysmon.bat
+Sysmon Install.ps1
+SysmonUpdateConfig.ps1
 ~~~~
 
 ### Install ###
-Run with administrator rights
+Run with administrator rights.
 ~~~~
 sysmon.exe -accepteula -i sysmonconfig-export.xml
 ~~~~
 
-### Update existing configuration ###
-Run with administrator rights
+### Update Existing Configuration ###
+Run with administrator rights.
 ~~~~
 sysmon.exe -c sysmonconfig-export.xml
 ~~~~
 
 ### Uninstall ###
-Run with administrator rights
+Run with administrator rights.
 ~~~~
 sysmon.exe -u
 ~~~~
@@ -56,9 +58,3 @@ Hide:
 sc sdset Sysmon D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
 Restore:
 sc sdset Sysmon D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
-
-~~~~
-
-### Graylog Configuration ###
-
-(https://github.com/ion-storm/Graylog_Sysmon)

From 3b462032a84334f4831383ec2034c7cd5b9ac329 Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Fri, 8 Sep 2023 08:38:08 -0400
Subject: [PATCH 460/471] Update README.md

---
 README.md | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/README.md b/README.md
index 86b43a47..f88e91ab 100644
--- a/README.md
+++ b/README.md
@@ -22,9 +22,6 @@ copying files, we want to know. We also want to leave an audit trail by monitori
 If you have forensic registry keys, file locations, artifacts, behavior detections, and anything that may be beneficial here, feel free to put in a pull request.  
 The goal here is as much visibility as possible with accurate alerts that are not noisy.  
 
-
-This now has an Auto Updater script to update to the latest Sysmon config hourly.  This is great for mass deployments without having to manually update thousands of systems.
-
 ## Use ##
 
 ### Auto-Install with Auto Update Script:###

From 559a4e799c68ebdbbaf06af7e6dcdba4b6c25187 Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Fri, 8 Sep 2023 08:38:19 -0400
Subject: [PATCH 461/471] Update README.md

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index f88e91ab..66dc3dbf 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,7 @@ copying files, we want to know. We also want to leave an audit trail by monitori
 If you have forensic registry keys, file locations, artifacts, behavior detections, and anything that may be beneficial here, feel free to put in a pull request.  
 The goal here is as much visibility as possible with accurate alerts that are not noisy.  
 
+
 ## Use ##
 
 ### Auto-Install with Auto Update Script:###

From e7830ee26fc7aa95571e62bc2e079c8c2e6ee2ed Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Fri, 8 Sep 2023 08:38:51 -0400
Subject: [PATCH 462/471] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 66dc3dbf..b0bab9fc 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ The goal here is as much visibility as possible with accurate alerts that are no
 
 ## Use ##
 
-### Auto-Install with Auto Update Script:###
+### Auto Install with Auto Update Script ###
 The two below PowerShell scripts that are contained in this repo will download and install Sysmon and the config along with creating a scheduled task to run hourly to update the config.
 ~~~~
 Sysmon Install.ps1

From 6c3876d4404e8e1db1bb695b572dc549f951990c Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Fri, 8 Sep 2023 13:09:28 -0400
Subject: [PATCH 463/471] Update Sysmon Install.ps1

---
 Sysmon Install.ps1 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Sysmon Install.ps1 b/Sysmon Install.ps1
index 4394b2ad..48ae560a 100644
--- a/Sysmon Install.ps1	
+++ b/Sysmon Install.ps1	
@@ -28,6 +28,7 @@ else {
 }
 
 # Download Sysmon, Config, and Update Script
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 Invoke-WebRequest -Uri $sysmonURL -OutFile $sysmonPath
 Invoke-WebRequest -Uri $sysmonConfigURL -OutFile $sysmonConfigPath
 Invoke-WebRequest -Uri $sysmonUpdateConfig -OutFile $sysmonUpdatePath

From d34a18e011d2530aab296d5424b3f5acec363656 Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Fri, 8 Sep 2023 14:45:26 -0400
Subject: [PATCH 464/471] Added exclusions and fixed some rules.

---
 sysmonconfig-export.xml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index c2283c19..0905da02 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -7446,7 +7446,7 @@
 				<Image condition="excludes all">C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{;}\EDGEMITMP_;.tmp\setup.exe</Image>
 				<Image condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image>
 				<Image condition="excludes">C:\Program Files\Microsoft Office\root\integration\integrator.exe</Image>
-				<Image condition="excludes all">C:\Program Files\Google\Chrome Beta\Application\;\Installer\setup.exe</Image>
+				<Image condition="excludes all">\Installer\setup.exe;C:\Program Files\Google\Chrome Beta\Application\</Image>
 				<Image condition="excludes all">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\;\OfficeClickToRun.exe</Image>
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
@@ -9084,6 +9084,8 @@
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=Anonymous Named Pipe Detected" groupRelation="and">
 				<PipeName condition="contains">Anonymous Pipe</PipeName>
+				<Image condition="excludes any">C:\Program Files\Cavelo\Cavelo Agent\cavelo_windows_amd64.exe;C:\Program Files\Cavelo\Cavelo Agent\parser.exe</Image> <!-- Cavelo Agent Exclusions -->
+				<Image condition="excludes any">C:\Program Files (x86)\N-Able Technologies\AutomationManagerAgent\AutomationManager.AgentService.exe;\AutomationManager.ScriptRunner64.exe</Image> <!-- NCentral RMM Exclusions -->
 			</Rule>
 			<!--Include Everything else to mark above rules-->
 			<!-- Disabled for now
@@ -9145,7 +9147,7 @@
 			<PipeName condition="is">\scerpc</PipeName>
 			<PipeName condition="is">\wkssvc</PipeName>
 			<PipeName condition="is">\ntapvsrq</PipeName>
-			<PipeName condition="contains">Anonymous Pipe</PipeName>
+			<PipeName condition="is">\AutomationManagerAgent</PipeName> <!-- Related to NCentral RMM -->
 		</PipeEvent>
 	</RuleGroup>
 	<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
@@ -9383,6 +9385,7 @@
 			<Image condition="begin with">C:\Program Files (x86)\CheckPoint\</Image>
 			<Image condition="begin with">C:\Program Files (x86)\Fortinet\</Image>
 			<Image condition="begin with">C:\Program Files\SentinelOne\</Image>
+			<Image condition="end with">\Ranger\SentinelRanger.exe</Image>
 			<Image condition="begin with">C:\Program Files (x86)\OpenDNS\OpenDNS Connector</Image>
 			<Image condition="begin with">C:\Program Files (x86)\Razer\Razer Services\</Image>
 			<Image condition="begin with">C:\Program Files (x86)\Trend Micro\</Image>
@@ -9399,6 +9402,7 @@
 			<Image condition="image">C:\Program Files (x86)\Lenovo\System Update\Tvsukernel.exe</Image>
 			<Image condition="image">C:\Program Files\VMware\vCenter Server\jre\bin\java.exe</Image>
 			<Image condition="image">C:\Program Files\VMware\vCenter Server\python\python.exe</Image>
+			<Image condition="image">C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Manager.exe</Image>
 			<Image condition="image">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
 			<Image condition="image">C:\Windows\System32\dsregcmd.exe</Image>
 			<Image condition="image">C:\Windows\sysmon64.exe</Image>
@@ -9675,7 +9679,7 @@
 		</FileDeleteDetected>
 	</RuleGroup>
 	<!-- SYSMON EVENT ID 29 : File Executable Detected -->
-	<!--Fields: ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes -->
+	<!-- Fields: ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes -->
 	<!-- Key Authors in this section are Florian Roth as a majority Contributer from: https://github.com/Neo23x0/sysmon-config/blob/master/sysmonconfig-export.xml -->
 	<RuleGroup name="RG=FileExecutable Includes" groupRelation="or">
 		<FileExecutableDetected onmatch="include">
@@ -9702,6 +9706,7 @@
 				<TargetFilename condition="not end with">.mui</TargetFilename>
 				<TargetFilename condition="not end with">.ime</TargetFilename>
 				<TargetFilename condition="not end with">.tsp</TargetFilename>
+				<TargetFilename condition="not end with">.ico</TargetFilename> <!-- Seen used by Fortinet Forticlient -->
 				<Image condition="excludes">C:\Windows\system32\MpSigStub.exe</Image> <!-- 	Related to Microsoft Windows Defender Virus Definition Module -->
 			</Rule>
 			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=,Risk=10,Alert=Powershell Creating Executables" groupRelation="and">

From dd4d07666ff369ac42c9fc292a3b4450014df7cc Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Fri, 8 Sep 2023 14:45:58 -0400
Subject: [PATCH 465/471] Added line to force TLS 1.2

---
 SysmonUpdateConfig.ps1 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/SysmonUpdateConfig.ps1 b/SysmonUpdateConfig.ps1
index 45db31db..c01ae1e5 100644
--- a/SysmonUpdateConfig.ps1
+++ b/SysmonUpdateConfig.ps1
@@ -9,6 +9,7 @@ $sysmonConfigPath = "C:\ProgramData\Sysmon\sysmonconfig-export.xml"
 $sysmonConfigURL = "https://raw.githubusercontent.com/NerbalOne/sysmon-config/master/sysmonconfig-export.xml"
 
 # Download the Latest Sysmon Config
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 Invoke-WebRequest -Uri $sysmonConfigURL -OutFile $sysmonConfigPath
 
 # Run sysmon.exe with Config

From 326413457ec318c041f1ad2c9e8649164dc61436 Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Fri, 8 Sep 2023 14:58:40 -0400
Subject: [PATCH 466/471] Delete sysmonconfig-export_blocking.xml

Not used
---
 sysmonconfig-export_blocking.xml | 7049 ------------------------------
 1 file changed, 7049 deletions(-)
 delete mode 100644 sysmonconfig-export_blocking.xml

diff --git a/sysmonconfig-export_blocking.xml b/sysmonconfig-export_blocking.xml
deleted file mode 100644
index 30796a47..00000000
--- a/sysmonconfig-export_blocking.xml
+++ /dev/null
@@ -1,7049 +0,0 @@
-<!--
-	   ____                           ___ ________________    _______ __
-	  / __/_ _____ __ _  ___  ___    / _ /_  __/_  __/ __/___/ ___/ //_/
-	 _\ \/ // (_-</  ' \/ _ \/ _ \  / __ |/ /   / /  > _/_ _/ /__/ ,<   
-	/___/\_, /___/_/_/_/\___/_//_/ /_/ |_/_/   /_/  |_____/ \___/_/|_|  
-		/___/                                                           
-	author:	ionstorm
-	project:	https://github.com/ion-storm/sysmon-config
-	license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
-	Methodology: Detect the Most Techniques per Data source in MITRE ATT&CK.
-				 Provide Visibility into Forensic Artifact Events for UEBA.
-				 Detect Exploitation events with wide CVE Coverage.
-				 Risk Scoring of CVE, UEBA, Forensic, MITRE ATT&CK Events.
-				 
-				 Primary Tags:
-				 Attack: Mitre ATT&CK Identifier
-				 Technique: Mitre ATT&CK Technique
-				 Tactic: Mitre ATT&CK Tactic
-				 DS: Mitre ATT&CK Datasource
-				 Alert: Alert Text for SIEM/XDR
-				 Info: Informational Alert Text
-				 Level: The level field contains one of five string values. It describes the criticality of a triggered rule. 
-				 While low and medium level events have an informative character, events with high and critical level should 
-				 lead to immediate reviews by security analysts.
-				 Desc: Description of non-alerting UEBA/Behavioral Based Rules
-				 Forensic: Forensic Artifacts
-				 CVE: CVE Vulnerability Identification
-				 FP: False Positive Rate
-				 Author: Author of rule
-				 
-				 Additional Tag Details:
-				 Rapid Response Tags: (for EDR/XDR/SIEM Response & Automation)
-				 kp=y 	Kill process with child processes
-				 kpp=y 	Kill Parent Processes & all Child Processes
-				 kc=y    Kill network connections
-				 ki=y    Kill Injected Thread
-				 sd=y 	Shutdown System
-				 fw=y	Add Windows Firewall Rule to block inbound/outbound network connectivity from process
-				 yara=y  Yara Scan file
-				 ydel=y  Delete on Yara Detection
-				 rf=y    Restore Deleted File
-				 nr=y 	Null route ip
-				 iso=y Isolate Host
-				 SD=y Service Desk Ticket
-				 SOC=y SOC Ticket Creation
-				 
-				 Risk Score ratings: (Risk=??)
-				 Low Risk: 1-39
-				 Medium Risk: 40-69
-				 High Risk: 70-89
-				 Critical Risk: 90-100
-				 
-				 Levels: (from Sigma)
-				 (0) informational: Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered 
-				 by such rules because it is expected that a huge amount of events will match these rules.
-				 (1) low: Notable event but rarely an incident. Low rated events can be relevant in high numbers or combination with others. 
-				 Immediate reaction shouldn't be necessary, but a regular review is recommended.
-				 (2) medium: Relevant event that should be reviewed manually on a more frequent basis.
-				 (3) high: Relevant event that should trigger an internal alert and requires a prompt review.
-				 (4) critical: Highly relevant event that indicates an incident. Critical events should be reviewed immediately.
-				 
-				 False Positive Rates: (FP=?)
-				 (0) Zero False Positives rate
-				 (1) Some False Positives rate
-				 (2) Medium False Positive rate
-				 (3) High False Positive rate
-				 
-				 Properly Escape in XML:
-				 < &lt;
-				 > &gt;
-				 " &quot;
-				 ' &apos;
-				 & &amp;
-				 
-				 Other Notes:
-				 The Rulename field has a hard limit of 255 characters, make the best of the size available, shorten tags and descriptions as needed.
-				 Add exclusions in line enclosed within a Compound rule rather than a global exclusion list.
-				 
-				 Contribution Guidelines:
-				 Always submit new rule requests/pull requests in this format where possible, if the rule is highly accurate and should fire off a SIEM Alert replace Desc= with Alert=, 
-				 See Risk ratings and levels above for guidance.  
-				 Example Rule:
-				<Rule name="Attack=None,Technique=None,Tactic=None,DS=None,Level=0,Risk=10,Desc=Your Description Here,Author=YourTwitter/Github" groupRelation="and">
-					<Your Rule Here/>
-				</Rule> 
--->
-<Sysmon schemaversion="4.83">
-	<HashAlgorithms>md5,sha1,sha256,imphash</HashAlgorithms>
-	<CheckRevocation/>
-	<EventFiltering>
-	<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
-	<RuleGroup name="RG=ProcessCreate Include Group" groupRelation="or">
-		<ProcessCreate onmatch="include">
-			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
-			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,DS=Process: Process Creation,Level=3,Alert=Nessus Scan Detected,Risk=100" groupRelation="or">
-				<ParentCommandLine condition="contains any">TEMP\nessus_;nessus_task_list</ParentCommandLine>
-				<CommandLine condition="contains any">TEMP\nessus_;nessus_task_list</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,DS=Process: Process Creation,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
-				<CommandLine condition="contains any">rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe</CommandLine>
-				<OriginalFileName condition="is any">advanced_port_scanner.exe;rcpping.exe;nc.exe;nc64.exe;netcat.exe;ncat.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe</OriginalFileName>
-				<Product condition="contains any">Network Scanner;Advanced IP Scanner</Product>
-			</Rule>
-			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=4,Alert=ADFind.exe Discovery,Risk=100" groupRelation="or">
-				<OriginalFileName condition="contains">adfind</OriginalFileName>
-				<Product condition="contains">adfind</Product>
-				<CommandLine condition="contains any">-gcb -sc;/gcb /sc;-f (objectcategory=;/f (objectcategory=;trustdmp</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
-
-			<!--MITRE ATT&CK TACTIC: Resource Development-->
-			<Rule name="Attack=T1587,Technique=Develop Capabilities,Tactic=Resource Development,Level=3,DS=Process: Process Creation,Alert=PurpleSharp Indicator,Risk=40" groupRelation="or">
-				<CommandLine condition="contains any">PurpleSharp;xyz123456</CommandLine> 
-				<OriginalFileName condition="contains any">PurpleSharp</OriginalFileName> 
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
-			<CommandLine name="Attack=T1584.002,Technique=Compromise Infrastructure: DNS Server,Tactic=Resource Development,DS=Process: Process Creation,Level=4,Alert=DNSCMD DLL exec" condition="contains">/serverlevelplugindll</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
-			<Rule name="Attack=T1587.003,Technique=Develop Capabilities: Digital Certificates,Tactic=Resource Development,Level=3,DS=Process: Process Creation,Alert=netsh adding SSL Certificate,Risk=40" groupRelation="and">
-				<CommandLine condition="contains all">add;sslcert;http</CommandLine> 
-			</Rule>
-			<CommandLine name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=netsh removing SSL Certificate,Risk=40" condition="contains">http del sslcert</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
-
-			<!--MITRE ATT&CK TACTIC: Initial Access-->
-			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,DS=Process: Process Creation,Level=0,Alert=Executed files within Outlook Attachments,Risk=30" groupRelation="and">
-				<Image condition="contains">C:\Users\</Image>
-				<Image condition="contains">Content.Outlook</Image>
-			</Rule>
-			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,DS=Process: Process Creation,Level=0,Alert=Arbitrary Shell Command Execution Via Settingcontent-Ms,Risk=30" groupRelation="and">
-				<CommandLine condition="contains">.SettingContent-ms</CommandLine>
-				<CommandLine condition="excludes">immersivecontrolpanel</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1566.001,Technique=Phishing: Spear Phishing Attachment,Tactic=Initial Access,DS=Process: Process Creation,Level=0,Alert=Suspicious HWP Sub Processes,Risk=70" groupRelation="and">
-				<ParentImage condition="image">Hwp.exe</ParentImage>
-				<Image condition="image">gbb.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
-			<Rule name="Attack=T1189,Technique=Drive-by Compromise,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Browser Exploitation Detected,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">iexplore.exe;chrome.exe;firefox.exe;browser_broker.exe;vivaldi.exe;microsoftedge.exe;microsoftedgecp.exe;brave.exe;vivaldi.exe</ParentImage>
-				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
-				<ParentCommandLine condition="excludes any">apt-config</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1189,Technique=Drive-by Compromise,Tactic=Initial Access,DS=Process: Process Creation,Level=3,Alert=Exploiting SetupComplete.cmd,CVE=CVE-2019-1378,Risk=70" groupRelation="and">
-				<CommandLine condition="contains any">cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd;cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd</CommandLine>
-				<Image condition="excludes">C:\Windows\Setup</Image>
-				<Image condition="excludes">C:\Windows\SysWOW64</Image>
-				<Image condition="excludes">C:\Windows\System32</Image>
-				<Image condition="excludes">C:\Windows\WinSxS</Image>
-			</Rule>
-			<Rule name="Attack=T1189,Technique=Drive-by Compromise,Tactic=Initial Access,DS=Process: Process Creation,Level=3,Alert=IE Exploitation CVE-2019-1388,Risk=70" groupRelation="and">
-				<ParentImage condition="image">consent.exe</ParentImage>
-				<CommandLine condition="contains">http</CommandLine>
-				<Image condition="image">iexplore.exe</Image>
-				<User condition="contains">SYSTEM</User>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=IIS Web Server Exploitation Detected,Risk=100" groupRelation="and">
-				<ParentImage condition="image">w3wp.exe</ParentImage>
-				<Image condition="excludes any">\csc.exe;\TranscodingService.exe;\werfault.exe;\appcmd.exe</Image>
-				<!--Add wider coverage than specific lolbins, add exclusions above carefully, could be noisy, if too noisy comment above and uncomment below and add more lolbins-->
-				<!--<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;certutil.exe</Image>-->
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Suspicious IIS Module Registration,Risk=100,Author=Florian Roth/@ionstorm" groupRelation="and">
-				<ParentImage condition="image">w3wp.exe</ParentImage>
-				<Image condition="image">appcmd.exe</Image>
-				<CommandLine condition="contains any">appcmd.exe add module;system.enterpriseservices.internal.publish;\gacutil.exe /I;gacutil.exe -I</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Web Server Exploitation Detected,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">apache;php-cgi.exe;nginx.exe;httpd.exe;tomcat;php.exe</ParentImage>
-				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;certutil.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Web Server Spawned cmd shell,Risk=100" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>				
-				<CommandLine condition="excludes any">ping 127.0.0.1</CommandLine>				
-				<CurrentDirectory condition="is">c:\windows\system32\inetsrv\</CurrentDirectory>				
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,CVE=CVE-2020-1350,DS=Process: Process Creation,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
-				<ParentCommandLine condition="contains all">svchost.exe;termsvcs</ParentCommandLine>
-				<Image condition="excludes any">rdpclip.exe;csrss.exe;wininit.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,CVE=CVE-2020-1350,DS=Process: Process Creation,Level=4,Alert=DNS Remote Code Execution,Risk=100" groupRelation="and">
-				<ParentImage condition="image">dns.exe</ParentImage>
-				<Image condition="excludes any">werfault.exe;conhost.exe;dnscmd.exe;dns.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1190,Tactic=Initial Access,Technique=Exploit Public-Facing Application,CVE=CVE-2019-0708,DS=Process: Process Creation,Level=4,Alert=Terminal Service Process Spawn,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">UMWorkerProcess.exe;UMService.exe</ParentImage>
-				<CommandLine condition="excludes any">perfenabled</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1190,Tactic=Initial Access,Technique=Exploit Public-Facing Application,CVE=CVE-2021-26857,DS=Process: Process Creation,Level=4,Alert=HAFNIUM APT Exchange UMS Process,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">UMWorkerProcess.exe;UMService.exe</ParentImage>
-				<CommandLine condition="excludes any">perfenabled</CommandLine>
-				<Image condition="excludes any">wemgr.exe;werfault.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=wwwroot Web Server Exploitation Detected,Risk=100" groupRelation="and">
-				<Image condition="contains any">\wwwroot\</Image>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Atlassian Confluence Remote Exploit,Risk=100,CVE=CVE-2021-26084" groupRelation="and">
-				<ParentImage condition="end with">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
-				<CommandLine condition="contains any">cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Desktop Central Remote Exploit,Risk=100,CVE=CVE-2020-10189,Author=Florian Roth" groupRelation="and">
-				<ParentImage condition="end with">DesktopCentral_Server\jre\bin\java.exe</ParentImage>
-				<CommandLine condition="contains any">cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Generic Java Webapp Remote Exploit,Risk=100" groupRelation="and">
-				<ParentImage condition="image">\jre\bin\java.exe</ParentImage>
-				<Image condition="contains any">cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe</Image>
-				<!--Allow Confluence Rule to fire-->
-				<ParentImage condition="excludes">\Atlassian\Confluence\jre\bin\java.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=3,Alert=SQL Server Exploitation Detected,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">sqlservr</ParentImage>
-				<Image condition="contains any">arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;sh.exe;bash.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Generic Java keytool Exploit,Risk=100" groupRelation="and">
-				<ParentImage condition="image">keytool.exe</ParentImage>
-				<Image condition="contains any">cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Apache Spark Exploit,CVE=CVE-2022-33891,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">bash.exe;cmd.exe;powershell.exe;pwsh.exe</ParentImage>
-				<CommandLine condition="contains any">id -Gn `;id /Gn `;id -Gn ';id /Gn '</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<Rule name="Attack=T1133,Technique=External Remote Services,Tactic=Initial Access,DS=Process: Process Creation,Level=2,Alert=Screenconnect Remote Access,Risk=50" groupRelation="and">
-				<CommandLine condition="contains all">e=Access&amp;;y=Guest&amp;;&amp;p=;&amp;c=;&amp;k=</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
-			
-			<!--MITRE ATT&CK TACTIC: Execution-->
-			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=WMI Execution Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains all">process;call;create</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious WMIC Commands,Risk=30" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains any">call set priority;call terminate;product get name;bios, get serialNumber;BIOS GET SERIALNUMBER;onboarddevice get;useraccount where name;useraccount get;path win32_networkadapter where index=;process list;useraccount get /ALL;useraccount list;qfe get description,installedOn /format:csv;process get caption,executablepath,commandline;service get name,displayname,pathname,startmode;share list;win32_share</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
-			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Console Host Execution Locations,Risk=30" groupRelation="and">
-				<ParentImage condition="contains any">C:\Users\;$Recycle;\Temp\;\Downloads\</ParentImage>
-				<CommandLine condition="is">\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1</CommandLine>
-				<Image condition="image">conhost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Console Host Parents,Risk=30" groupRelation="and">
-				<ParentImage condition="contains any">svchost.exe;lsass.exe;services.exe;smss.exe;winlogon.exe;explorer.exe;dllhost.exe;rundll32.exe;regsvr32.exe;userinit.exe;winit.exe;spoolsv.exe;wermgr.exe;csrss.exe;ctfmon.exe;werfault.exe</ParentImage>
-				<Image condition="image">conhost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,DS=Process: Process Creation,Alert=Suspicious Console Host children,Risk=30" groupRelation="and">
-				<ParentImage condition="image">conhost.exe</ParentImage>
-				<Image condition="excludes any">:\Windows\splwow64.exe;:\Windows\System32\WerFault.exe;:\Windows\System32\conhost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,UEBA=Execution Command Line tools by user,Risk=45" groupRelation="and">
-				<Image condition="contains any">\cmd.exe;WindowsTerminal;powershell</Image>
-				<ParentImage condition="image">explorer.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,DS=Process: Process Creation,UEBA=Powershell as cmd.exe child process,Risk=39" groupRelation="and">
-				<ParentImage condition="image">cmd.exe</ParentImage>
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-				<CommandLine condition="excludes">Get-ItemProperty HKLM:\software\wow6432node\microsoft\windows\currentversion\uninstall\</CommandLine>
-				<CommandLine condition="excludes">mysql server</CommandLine>
-				<CommandLine condition="excludes">select-object displayversion,displayname</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Powershell ran from Scripting Utilities,Risk=50" groupRelation="and">
-				<ParentImage condition="contains any">cscript.exe;wscript.exe</ParentImage>
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059.001,Technique=Powershell,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Powershell ran from cscript or wscript,Risk=50" groupRelation="and">
-				<ParentImage condition="contains any">cscript.exe;wscript.exe</ParentImage>
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Powershell Launched from mshta,Risk=100" groupRelation="and">
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-				<ParentImage condition="image">mshta.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Visual Basic,Tactic=Execution,DS=Process: Process Creation,UEBA=Suspicious WSCRIPT Command Line,Risk=50" groupRelation="and">
-				<Image condition="contains any">wscript.exe;cscript.exe</Image>
-				<CommandLine condition="excludes any">IEX;Net.WebClient;ospp.vbs;powershell;slmgr.vbs;spiceworks_upload</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Suspicious wscript commands,Risk=60" groupRelation="and">
-				<Image condition="image">wscript.exe</Image>
-				<CommandLine condition="contains">.jse</CommandLine>
-				<CommandLine condition="contains">.js</CommandLine>
-				<CommandLine condition="contains">.vba</CommandLine>
-				<CommandLine condition="contains">.vbe</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious scripting to dll commands,Risk=70" groupRelation="and">
-				<ParentImage condition="contains any">\wscript.exe;\cscript.exe</ParentImage>
-				<Image condition="contains any">\rundll32.exe;regsvr32.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious rundll32 commands,Risk=70" groupRelation="and">
-				<Image condition="contains any">\rundll32.exe;regsvr32.exe</Image>
-				<CommandLine condition="excludes any">.dll;.cpl;.ocx;localserver;enable-speech-input;auto-scan-plugin;enable-media-stream;CastMediaRouteProvider;-eoim;/eoim</CommandLine><!--Already have localserver com detection-->
-				<CommandLine condition="excludes all">setupapi;InstallHinfSection;DefaultInstall;SplunkUniversalForwarder\bin\spl;rundll32.exe "C:\Windows\Installer\MSI</CommandLine>
-				<CommandLine condition="excludes all">\MSI;.tmp",zzzInvokeManagerCustomActionOutOfProc</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=cscript execution,Risk=60" groupRelation="and">
-				<Image condition="image">cscript.exe</Image>
-				<CommandLine condition="contains">.js</CommandLine>
-				<CommandLine condition="contains">.jse</CommandLine>
-				<CommandLine condition="contains">.vba</CommandLine>
-				<CommandLine condition="contains">.vbe</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Suspicious or Malicious mshta exec,Risk=70" groupRelation="and">
-				<CommandLine condition="contains any">mshta vbscript:CreateObject("Wscript.Shell");mshta vbscript:Execute("Execute;mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe;javascript:a=</CommandLine>
-				<CommandLine condition="contains any">.jpg;.png;.lnk;.xls;.doc;.zip;.sct;.hta</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1059.003,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Possible WinNTI Malware,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">C:\Windows\Temp\hpqhvind.exe;C:\ProgramData\DRM\;Test.exe</ParentImage>
-				<Image condition="contains any">C:\ProgramData\DRM;wmplayer.exe;C:\ProgramData\DRM\CLR\CLR.EXE</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,DS=Process: Process Creation,Tactic=Execution,UEBA=Registry Editor Opened by user,Risk=70" groupRelation="and">
-				<Image condition="image">regedit.exe</Image>
-				<ParentImage condition="image">explorer.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,UEBA=Unusual Child Process,Risk=30" groupRelation="and">
-				<Image condition="contains any">\svchost.exe;\taskhostw.exe;\userinit.exe;\smss.exe;\csrss.exe;\wininit.exe;\winlogon.exe;\lsass.exe;\logonui.exe;\services.exe</Image>
-				<Image condition="contains any">C:\windows\System32\;C:\windows\syswow64\</Image>
-				<ParentImage condition="excludes any">\wininit.exe;\winlogon.exe;\services.exe;\dwm.exe;System;\smss.exe;\svchost.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,UEBA=Unusual Print Spooler Child Process,Risk=30" groupRelation="and">
-				<ParentImage condition="contains any">\spoolsv.exe;\PrintIsolationHost.exe</ParentImage>
-				<Image condition="excludes any">C:\Windows\System32\spoolsv.exe;\GPLGS\gswin32c.exe;C:\Windows\System32\spool\drivers\;\bin\gswin64c.exe;C:\PROGRA~2\CUTEPD~1\;C:\Windows\EEFPrinter.exe</Image>
-				<CommandLine condition="excludes any">C:\Windows\system32\spool\DRIVERS</CommandLine>
-				<Company condition="excludes any">Brother Industries;Thomson Reuters</Company>
-			</Rule>
-			<ParentCommandLine name="Attack=T1059.001,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Metasploit Detection,Risk=90" condition="contains">COMSPEC</ParentCommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=ScriptFile execution" condition="contains">ScriptFile</CommandLine>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from 7z Archive File,Risk=50" condition="contains">\Temp\7z</CommandLine><!-- exec from 7zip -->
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from Explorer Archive File,Risk=50" condition="contains">\Temp\Temp1_</CommandLine><!-- exec from explorer -->
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Execution from winrar Archive File,Risk=50" condition="contains">\Temp\Rar$</CommandLine><!-- exec from winrar -->
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
-			<Rule name="Attack=T1059.001,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Powershell Launched from users folder,Risk=60" groupRelation="and">
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-				<ParentImage condition="begin with">C:\users\</ParentImage>
-				<ParentImage condition="excludes">Microsoft VS Code\Code.exe</ParentImage>
-				<ParentImage condition="excludes">\Deployment tool extract\setupodt.exe</ParentImage>
-			</Rule>
-			<CommandLine name="Attack=T1059.001,Technique=PowerShell,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=invoke-shellcode,Risk=100" condition="contains">Shellcode</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=4,Alert=IronPython,Tactic=Privilege Escalation" condition="image">ipy.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Python Execution,Tactic=Privilege Escalation" condition="image">python.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
-			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=JAVA DLL exec" condition="contains">-agentpath:</CommandLine>
-			<CommandLine name="Attack=T1059.007,Technique=PowerShell,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=JAVA DLL exec" condition="contains">-agentlib:</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Office Exploitation Detection,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe</ParentImage>
-				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe;msidb.exe</Image>
-				<CommandLine condition="excludes all">.cmd;-</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\system32\spool\DRIVERS\</CommandLine>
-				<CommandLine condition="excludes">PhotoViewer.dll</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed suspicious html attachment,Risk=50" groupRelation="and">
-				<ParentImage condition="image">outlook.exe</ParentImage>
-				<CommandLine condition="excludes any">http:;https:;ftp:;mailto:;tel:</CommandLine>
-				<CommandLine condition="end with">.html</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed suspicious html attachment 2,Risk=50" groupRelation="and">
-				<ParentImage condition="image">outlook.exe</ParentImage>
-				<CommandLine condition="excludes any">http:;https:;ftp:;mailto:;tel:</CommandLine>
-				<CommandLine condition="end with">.html"</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed suspicious html attachment 2,Risk=50" groupRelation="and">
-				<ParentImage condition="image">outlook.exe</ParentImage>
-				<CommandLine condition="excludes any">http:;https:;ftp:;mailto:;tel:</CommandLine>
-				<CommandLine condition="end with">.html"</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed pfd attachment,Risk=50" groupRelation="and">
-				<ParentImage condition="image">outlook.exe</ParentImage>
-				<CommandLine condition="end with">.pdf"</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed pfd attachment 2,Risk=50" groupRelation="and">
-				<ParentImage condition="image">outlook.exe</ParentImage>
-				<CommandLine condition="end with">.pdf</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed iso attachment,Risk=50" groupRelation="and">
-				<ParentImage condition="image">outlook.exe</ParentImage>
-				<CommandLine condition="end with">.iso"</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed iso attachment 2,Risk=50" groupRelation="and">
-				<ParentImage condition="image">outlook.exe</ParentImage>
-				<CommandLine condition="end with">.iso</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Link Clicks,Risk=50" groupRelation="and">
-				<ParentImage condition="image">outlook.exe</ParentImage>
-				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe;BrowserAssist.exe;\msedgewebview;\msedge.exe</Image>
-				<CommandLine condition="contains any">http:;https:;ftp:;mailto:;tel:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Attachments Executed to Common Download locations,Risk=50" groupRelation="and">
-				<ParentImage condition="image">outlook.exe</ParentImage>
-				<CommandLine condition="excludes any">http:;https:;ftp:;mailto:;tel:</CommandLine>
-				<CommandLine condition="contains any">\Content.Outlook\;\Downloads\;\Documents\;:\Users\Public\;\Desktop\</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Desc=Outlook Execution to UNC File Path,Risk=50" groupRelation="and">
-				<ParentImage condition="image">outlook.exe</ParentImage>
-				<CommandLine condition="contains any">\\</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Alert=Office Spawning exe within: User Home Dirs,Risk=80" groupRelation="and">
-				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe</ParentImage>
-				<Image condition="begin with">C:\Users\</Image>
-				<Image condition="end with">.exe</Image>
-				<Product condition="excludes">Zoom Video</Product>
-				<Product condition="excludes">Firefox</Product>
-				<Product condition="excludes">Microsoft Edge</Product>
-				<Product condition="excludes">Microsoft Teams</Product>
-				<Image condition="excludes">GrammarlyAddInSetupe</Image>
-				<Image condition="excludes">Teams.exe</Image>
-				<Image condition="excludes">Zoom.exe</Image>
-				<Image condition="excludes">browser_broker.exe</Image>
-				<Image condition="excludes">chrome.exe</Image>
-				<Image condition="excludes">edge.exe</Image>
-				<Image condition="excludes">firefox.exe</Image>
-				<Image condition="excludes">iexplore.exe</Image>
-				<Image condition="excludes">vivaldi.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Desc=Office Spawning exe within: ProgramData,Risk=70" groupRelation="and">
-				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe</ParentImage>
-				<Image condition="begin with">C:\ProgramData\</Image>
-				<Product condition="excludes">Firefox</Product>
-				<Product condition="excludes">Microsoft Edge</Product>
-				<Product condition="excludes">Microsoft Teams</Product>
-				<Product condition="excludes">Zoom Video</Product>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Desc=Execution from within Zip File,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">.zip\</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Adobe Exploitation Detection,Risk=80" groupRelation="and">
-				<ParentImage condition="contains any">acrobat.exe;acrord32.exe</ParentImage>
-				<Image condition="contains any">tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Office MSHTML Exploit,Risk=100,CVE=CVE-2021-40444" groupRelation="and">
-				<ParentImage condition="contains any">winword.exe;powerpnt.exe;excel.exe</ParentImage>
-				<Image condition="image">control.exe</Image>
-				<CommandLine condition="excludes any">input.dll</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Follina msdt Exploit,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<Image condition="image">msdt.exe</Image>
-				<OriginalFileName condition="is">msdt.exe</OriginalFileName>
-				<CommandLine condition="contains all">BrowseForFile=;PCWDiagnostic</CommandLine>
-				<CommandLine condition="contains any">/af;-af</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=msdt via answer file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<Image condition="image">msdt.exe</Image>
-				<ParentImage condition="is not">pcwrun.exe</ParentImage>
-				<CommandLine condition="contains">PCWDiagnostic</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=msdt via diagcab file,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<Image condition="image">msdt.exe</Image>
-				<CommandLine condition="contains any">/cab;-cab</CommandLine>
-				<CommandLine condition="contains">.diagcab</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=MSDT Executed with Suspicious Parent,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<ParentImage condition="contains any">powershell.exe;pwsh.exe;cmd.exe;mshta.exe;cscript.exe;wscript.exe;wsl.exe;rundll32.exe;regsvr32.exe</ParentImage>
-				<Image condition="image">msdt.exe</Image>
-			</Rule>
-			<ParentImage condition="image" name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Exploit - Equation Editor starts application,CVE=CVE-2017-11882">EQNEDT32.EXE</ParentImage> <!-- https://app.any.run/tasks/dfea0112-6fbe-4091-9161-1e8f25f611b0/-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=EPS Processing 0day,Risk=100,CVE=CVE-2017-0261" groupRelation="and">
-				<ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</ParentImage>
-				<Image condition="image">FLTLDR.EXE</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
-			<CommandLine name="Attack=T1559.002,Technique=Dynamic Data Exchange,Tactic=Execution,DS=Process: Process Creation," condition="contains any">/dde;-dde</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Native API-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scheduled Task Created,Risk=100" groupRelation="and">
-				<Image condition="image">schtasks.exe</Image>
-				<CommandLine condition="contains any">/create;-create;/change;-change</CommandLine>
-				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
-			</Rule>
-			<OriginalFileName name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scheduled Task Created,Risk=1" condition="is">taskeng.exe</OriginalFileName>
-			<Rule name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Schtasks task Run,Risk=60" groupRelation="and">
-				<Image condition="image">schtasks.exe</Image>
-				<CommandLine condition="contains any">/Run;-run</CommandLine>
-				<CommandLine condition="excludes">Sentinel\AutoRepair</CommandLine>
-				<CurrentDirectory condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=Child process from schtasks" groupRelation="and">
-				<ParentImage condition="image">schtasks.exe</ParentImage>
-				<ParentCommandLine condition="excludes">schtasks /TN RtkAudUService64_BG</ParentCommandLine>
-				<ParentCommandLine condition="excludes any">-change;/change;-delete;/delete;-create;/create</ParentCommandLine>
-			</Rule>
-			<Image name="Attack=T1053.002,Technique=Scheduled Task/Job: At,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</Image>
-			<ParentImage name="Attack=T1053.002,Technique=Scheduled Task/Job: At,Tactic=Execution/Persistence/Privledge Escalation,DS=Process: Process Creation,Level=2,Alert=at.exe Task scheduler execution" condition="image">at.exe</ParentImage>
-			<Rule name="Attack=T1053.005,Technique=Scheduled Task/Job: Scheduled Task,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Scheduled Task Started,Risk=0" groupRelation="and">
-				<ParentImage condition="image">C:\Windows\System32\svchost.exe</ParentImage>
-				<ParentCommandLine condition="contains all">netsvcs;-p;-s;Schedule</ParentCommandLine>
-				<CommandLine condition="excludes all">netsvcs;-p;-s;Schedule</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: System Services-->
-			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Service Stop detected,Risk=0" groupRelation="and">
-				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
-				<CommandLine condition="contains">stop</CommandLine>
-				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=NET.EXE Service Start detected,Risk=30" groupRelation="and">
-				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
-				<CommandLine condition="contains">start</CommandLine>
-				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Impacket Detection 1,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">wmiprvse.exe;mmc.exe;explorer.exe;services.exe</ParentImage>
-				<CommandLine condition="contains all">&#38;1;cmd.exe;\\127.0.0.1\;/Q /c</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1569.002,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Impacket Detection 2,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">wmiprvse.exe;mmc.exe;explorer.exe;services.exe</ParentImage>
-				<CommandLine condition="contains all">&#38;1;cmd.exe;\\127.0.0.1\;-Q -c</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PowerSploit/Empire Persistence,Risk=100" groupRelation="and">
-				<CommandLine condition="contains all">schtasks;Create;ONLOGON;TN;Updater;TR;powershell</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation,Level=2,Alert=Service added via SC,Risk=100" groupRelation="and">
-				<Image condition="image">sc.exe</Image>
-				<CommandLine condition="contains">create</CommandLine>
-				<CurrentDirectory condition="excludes any">\NIC_Emulex_Firmware\;C:\Windows\Temp\ExchangeSetup\</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation,Level=2,Alert=Service binpath modification,Risk=100" groupRelation="and">
-				<Image condition="image">sc.exe</Image>
-				<CommandLine condition="contains all">config;binpath</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Windows Service,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Shell as System Service,Risk=100" groupRelation="and">
-				<Image condition="contains any">cmd.exe;powershell.exe</Image>
-				<ParentImage condition="image">services.exe</ParentImage>
-			</Rule>
-			<CommandLine name="Attack=T1543.003,Technique=Windows Service,Tactic=Persistence,DS=Process: Process Creation,Level=2,Alert=Service added via Powershell,Risk=50" condition="contains">new-service</CommandLine>
-			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PSEXESVC Child Process,Risk=100" condition="image">psexesvc.exe</ParentImage>
-			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PSexec Execution,Risk=100" groupRelation="or">
-				<Description condition="contains">Execute processes remotely</Description>
-				<Image condition="contains">psexe</Image>
-				<Description condition="contains">PsExec Service</Description> 
-				<Description condition="contains">PsExec Launched</Description> 
-			</Rule>
-			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Sysinternals Initial Tool Execution,Risk=100" groupRelation="or">
-				<CommandLine condition="contains">accepteula</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PSexec SYSTEM Execution,Risk=100" groupRelation="and">
-				<Description condition="contains">Execute processes remotely</Description>
-				<CommandLine condition="contains any">-s;/s</CommandLine>
-			</Rule>
-			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=4,Alert=PSexec Child Process,Risk=100" condition="image">psexec.exe</ParentImage>
-			<ParentImage name="Attack=T1035,Technique=Service Execution,Tactic=Execution/Lateral Movement,DS=Process: Process Creation,Level=2,Alert=PSKill Execution,Risk=100" condition="image">pskill.exe</ParentImage>
-			<Image name="Attack=T1035,Technique=Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=PsKill Command" condition="contains">pskill</Image>
-			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Network Service Child Processes,Risk=75" groupRelation="and">
-				<ParentCommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k NetworkService -p</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious LanmanWorkstation Child Processes,Risk=75" groupRelation="and">
-				<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Network List Service Child Processes,Risk=75" groupRelation="and">
-				<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k netprofm -p -s netprofm</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Remote Procedure Call Service Anomaly,Risk=75" groupRelation="and">
-				<ParentCommandLine condition="contains all">C:\WINDOWS\system32\svchost.exe;RPCSS</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1569.002,Technique=System Services: Service Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Remote Procedure Call Service Crash detected,Risk=75" groupRelation="and">
-				<ParentCommandLine condition="contains all">C:\WINDOWS\system32\svchost.exe;RPCSS</ParentCommandLine>
-				<Image condition="image">werfault.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=AstraRoth Command Line detection" groupRelation="and">
-				<CommandLine condition="contains">&amp;&amp; type</CommandLine>
-				<CommandLine condition="contains">&gt;</CommandLine>
-				<CommandLine condition="contains">cmd.exe" /c cd</CommandLine>
-			</Rule>
-			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious or Malicious Command Line events" groupRelation="and">
-				<CommandLine condition="contains any">ntdsutil;/set {default} recoveryenabled no;telnet ;-dumpcr;putty;bash.exe;pssh;shareenum;sekurlsa;reg save;reg  save;psscan;shellexec;vbscript:createobject;/output:clipboard;root\\default;root\\subscription;Wmiclass;WmiCl'+'as'+'s;export-mft;ApplicationImpersonation</CommandLine>
-			</Rule>
-			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Powershell Suspicious or Malicious events" groupRelation="or">
-				<CommandLine condition="contains any">ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy</CommandLine>
-				<ParentCommandLine condition="contains any">ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy</ParentCommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Ramnit Banker Malware,Risk=100" condition="contains">--disable-http2 --disable-quic</CommandLine>
-			<CommandLine name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=DNSpionage Link click,Risk=100" condition="contains">/Client/Login?id=</CommandLine>
-			<ParentCommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Emotet Child Process Detected" condition="contains">JABzA</ParentCommandLine>
-			<Rule  name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Malicious Hash Detected" groupRelation="or">
-				<Hashes condition="contains any">2f40abbb4f78e77745f0e657a19903fc953cc664;478dc5a5f934c62a9246f7d1fc275868f568bc07;37b4496e650b3994312c838435013560b3ca8571;37b4496e650b3994312c838435013560b3ca8571;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;807d86da63f0db1fc746d1f0b05bc357;849a2b0dc80aeca3d175c139efe5221c;86A4CAC227078B9C95C560C8F0370BF0;98908ce6f80ecc48628c8d2bf5b2a50c;a4b42c2c95d1f2ff12171a01c86cd64f;4abe604916c04fe3dd8b9cb3d501d3f;eac3e3ece94bc84e922ec077efb15edd;128CECC59C91C0D0574BC1075FE7CB40;88777aacd5f16599547926a4c9202862;0f49621b06f2cdaac8850c6e9581a594;17a36ac3e31f3a18936552aff2c80249;322cb39bc049aa69136925137906d855;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;3d129263f6a48647f103a04446fb0c2f;37cd353621b0f4fc6981b50071c94f01;1b60021baedc3f9201bcdb40e9b87f62;71345b139166482acaa568ac8816c7bc;5E022694C0DBD1FBBC263D608E577949;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc5733c013378fa418d13773f5bfe6f1;c579341f86f7e962719c7113943bb6e4;d326e629a90e78825645963b35e53a6a;5E022694C0DBD1FBBC263D608E577949;53841a0c6a3ff92976db08bfdf95e083;dc7e564809d6c2a2f3457c3c9b91f22b;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b;FE2CA1BE3BDA2A757036A89E54CC02DB;FE2CA1BE3BDA2A757036A89E54CC02DB</Hashes>
-			</Rule>
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=4,Alert=TajMahal APT Tool Detection,Risk=100" condition="contains any">22d142f11cf2a30ea4953e1fffb0fa7e;2317d65da4639f4246de200650a70753;27612cb03c89158225ca201721ea1aad;412956675fbc3f8c51f438c1abc100eb;daf2da52475fd8981b19ec3c321a983c;490a140093b5870a47edc29f33542fd2;51a7068640af42c3a7c1b94f1c11ab9d;533340c54bd25256873b3dca34d7f74e;684eca6b62d69ce899a3ec3bb04d0a5b;69a19abf5ba56ee07cdd3425b07cf8bf;6cfd131fef548fcd60fbcdb59317df8e;72dc98449b45a7f1ccdef27d51e31e91;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;80c37e062aa4c94697f287352acf2e9d;815f1f8a7bc1e6f94cb5c416e381a110;a43d3b31575846fa4c3992b4143a06da;08e82dc7bae524884b7dc2134942aadb;7bcd736a2394fc49f3e27b3987cce640;57314359df11ffdf476f809671ec0275;b72737b464e50aa3664321e8e001ff32;ce8ce92fb6565181572dce00d69c24f8;5985087678414143d33ffc6e8863b887;84730a6e426fbd3cf6b821c59674c8a0;d5377dc1821c935302c065ad8432c0d2;d8f1356bebda9e77f480a6a60eab36bb;92f8e3f0f1f7cc49fad797a62a169acd;9003cfaac523e94d5479dc6a10575e60;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;c1e7850da5604e081b9647b58248d7e8;99828721ac1a0e32e4582c3f615d6e57;f559c87b4a14a4be1bd84df6553aaf56;b9c208ea8115232bfd9ec2c62f32d6b8;061089d8cb0ca58e660ce2e433a689b3;0e9afd3a870906ebf34a0b66d8b07435;9c115e9a81d25f9d88e7aaa4313d9a8f;520ee02668a1c7b7c262708e12b1ba6b;7bfba2c69bed6b160261bdbf2b826401;77a745b07d9c453650dd7f683b02b3ed;3a771efb7ba2cd0df247ab570e1408b2;0969b2b399a8d4cd2d751824d0d842b4;fc53f2cd780cd3a01a4299b8445f8511;4e39620afca6f60bb30e031ddc5a4330;bfe3f6a79cad5b9c642bb56f8037c43b;3dfebce4703f30eed713d795b90538b5;9793afcea43110610757bd3b800de517;36db24006e2b492cafb75f2663f241b2;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;649ef1dd4a5411d3afcf108d57ff87af;320b2f1d9551b5d1df4fb19bd9ab253a;3d75c72144d873b3c1c4977fbafe9184;b9cf4301b7b186a75e82a04e87b30fe4;b4e67706103c3b8ee148394ebee3f268;7bfbd72441e1f2ed48fbc0f33be00f24;cdb303f61a47720c7a8c5086e6b2a743;2a6f7ec77ab6bd4297e7b15ae06e2e61;8403a28e0bffa9cc085e7b662d0d5412;3ffd2915d285ad748202469d4a04e1f5;04078ef95a70a04e95bda06cc7bec3fa;235d427f94630575a4ea4bff180ecf5d;8035a8a143765551ca7db4bc5efb5dfd;cacaa3bf3b2801956318251db5e90f3c;1aadf739782afcae6d1c3e4d1f315cbd;c3e255888211d74cc6e3fb66b69bbffb;d9e9f22988d43d73d79db6ee178d70a4;16ab79fb2fd92db0b1f38bedb2f02ed8;8da15a97eaf69ff7ee184fc446f19cf1;ffc7305cb24c1955f9625e525d58aeee;c0e72eb4c9f897410c795c1b360090ef;9ad6fa6fdedb2df8055b3d30bd6f64f1;44619a88a6cff63523163c6a4cf375dd;a571660c9cf1696a2f4689b2007a12c7;81229c1e272218eeda14892fa8425883;0ac48cfa2ff8351365e99c1d26e082ad;afcdf79be1557326c854b6e20cb900a7</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" condition="contains">a53a02b997935fd8eedcb5f7abab9b9f</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=3,Alert=Windows-Credential Editor Detection,Risk=70" condition="contains">e96a73c7bf33a464c510ede582318bf2</Hashes> <!-- https://securelist.com/project-tajmahal/90240/ -->
-			<Image name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Emotet Execution Detected,Risk=100" condition="contains">serialfunc.exe</Image>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Emotet Command Line detection" groupRelation="and">
-				<CommandLine condition="contains any">e PAA;en PAA;enc PAA;enco PAA;encode PAA;encoded PAA;encodedco PAA;encodedcom PAA;encodedcomm PAA;encodedcomma PAA;encodedcomman PAA;encodedcommand PAA;e IAA;en IAA;enc IAA;enco IAA;encode IAA;encoded IAA;encodedco IAA;encodedcom IAA;encodedcomm IAA;encodedcomma IAA;encodedcomman IAA;encodedcommand IAA;e JAB;en JAB;enc JAB;enco JAB;encode JAB;encoded JAB;encodedco JAB;encodedcom JAB;encodedcomm JAB;encodedcomma JAB;encodedcomman JAB;encodedcommand JAB;e cwBFAFQA;en cwBFAFQA;enc cwBFAFQA;enco cwBFAFQA;encode cwBFAFQA;encoded cwBFAFQA;encodedco cwBFAFQA;encodedcom cwBFAFQA;encodedcomm cwBFAFQA;encodedcomma cwBFAFQA;encodedcomman cwBFAFQA;encodedcommand cwBFAFQA;e SQBFAF;en SQBFAF;enc SQBFAF;enco SQBFAF;encode SQBFAF;encoded SQBFAF;encodedco SQBFAF;encodedcom SQBFAF;encodedcomm SQBFAF;encodedcomma SQBFAF;encodedcomman SQBFAF;encodedcommand SQBFAF;e UwBFAFQA;en UwBFAFQA;enc UwBFAFQA;enco UwBFAFQA;encode UwBFAFQA;encoded UwBFAFQA;encodedco UwBFAFQA;encodedcom UwBFAFQA;encodedcomm UwBFAFQA;encodedcomma UwBFAFQA;encodedcomman UwBFAFQA;encodedcommand UwBFAFQA;e IABpAE4AdgBPAEsAZQAt;en IABpAE4AdgBPAEsAZQAt;enc IABpAE4AdgBPAEsAZQAt;enco IABpAE4AdgBPAEsAZQAt;encode IABpAE4AdgBPAEsAZQAt;encoded IABpAE4AdgBPAEsAZQAt;encodedco IABpAE4AdgBPAEsAZQAt;encodedcom IABpAE4AdgBPAEsAZQAt;encodedcomm IABpAE4AdgBPAEsAZQAt;encodedcomma IABpAE4AdgBPAEsAZQAt;encodedcomman IABpAE4AdgBPAEsAZQAt;encodedcommand IABpAE4AdgBPAEsAZQAt;e SQBmACgAJAB;en SQBmACgAJAB;enc SQBmACgAJAB;enco SQBmACgAJAB;encode SQBmACgAJAB;encoded SQBmACgAJAB;encodedco SQBmACgAJAB;encodedcom SQBmACgAJAB;encodedcomm SQBmACgAJAB;encodedcomma SQBmACgAJAB;encodedcomman SQBmACgAJAB;encodedcommand SQBmACgAJAB;e J;en J;enc J;enco J;encode J;encoded J;encodedco J;encodedcom J;encodedcomm J;encodedcomma J;encodedcomman J;encodedcommand J;e SUVY;en SUVY;enc SUVY;enco SUVY;encode SUVY;encoded SUVY;encodedco SUVY;encodedcom SUVY;encodedcomm SUVY;encodedcomma SUVY;encodedcomman SUVY;encodedcommand SUVY;e aWV4;en aWV4;enc aWV4;enco aWV4;encode aWV4;encoded aWV4;encodedco aWV4;encodedcom aWV4;encodedcomm aWV4;encodedcomma aWV4;encodedcomman aWV4;encodedcommand aWV4;e dmFy;en dmFy;enc dmFy;enco dmFy;encode dmFy;encoded dmFy;encodedco dmFy;encodedcom dmFy;encodedcomm dmFy;encodedcomma dmFy;encodedcomman dmFy;encodedcommand dmFy;e dgBhA;en dgBhA;enc dgBhA;enco dgBhA;encode dgBhA;encoded dgBhA;encodedco dgBhA;encodedcom dgBhA;encodedcomm dgBhA;encodedcomma dgBhA;encodedcomman dgBhA;encodedcommand dgBhA;e R2V0;en R2V0;enc R2V0;enco R2V0;encode R2V0;encoded R2V0;encodedco R2V0;encodedcom R2V0;encodedcomm R2V0;encodedcomma R2V0;encodedcomman R2V0;encodedcommand R2V0;e IAAgAH;en IAAgAH;enc IAAgAH;enco IAAgAH;encode IAAgAH;encoded IAAgAH;encodedco IAAgAH;encodedcom IAAgAH;encodedcomm IAAgAH;encodedcomma IAAgAH;encodedcomman IAAgAH;encodedcommand IAAgAH;e TVq;en TVq;enc TVq;enco TVq;encode TVq;encoded TVq;encodedco TVq;encodedcom TVq;encodedcomm TVq;encodedcomma TVq;encodedcomman TVq;encodedcommand TVq;e aQBIA;en aQBIA;enc aQBIA;enco aQBIA;encode aQBIA;encoded aQBIA;encodedco aQBIA;encodedcom aQBIA;encodedcomm aQBIA;encodedcomma aQBIA;encodedcomman aQBIA;encodedcommand aQBIA;e UEs;en UEs;enc UEs;enco UEs;encode UEs;encoded UEs;encodedco UEs;encodedcom UEs;encodedcomm UEs;encodedcomma UEs;encodedcomman UEs;encodedcommand UEs;e H4s;en H4s;enc H4s;enco H4s;encode H4s;encoded H4s;encodedco H4s;encodedcom H4s;encodedcomm H4s;encodedcomma H4s;encodedcomman H4s;encodedcommand H4s;e dXNpbm;en dXNpbm;enc dXNpbm;enco dXNpbm;encode dXNpbm;encoded dXNpbm;encodedco dXNpbm;encodedcom dXNpbm;encodedcomm dXNpbm;encodedcomma dXNpbm;encodedcomman dXNpbm;encodedcommand dXNpbm;e cwBhA;en cwBhA;enc cwBhA;enco cwBhA;encode cwBhA;encoded cwBhA;encodedco cwBhA;encodedcom cwBhA;encodedcomm cwBhA;encodedcomma cwBhA;encodedcomman cwBhA;encodedcommand cwBhA;JABzA</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Emotet Command Line detection 2" groupRelation="and">
-				<CommandLine condition="contains all">FromBase64String</CommandLine>
-				<CommandLine condition="contains any">JAB;SUVY;aWV4;dmFy;dgBhA;R2V0;SQBFAF;TVq;aQBIA;UEs;H4s;dXNpbm;cwBhA</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Emotet Command Line detection 3" groupRelation="and">
-				<CommandLine condition="contains any">/v Word experienced;/v Excel experienced;-v Word experienced;-v Excel experienced</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Emotet Command Line detection 4" groupRelation="and">
-				<CommandLine condition="contains any">JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ;QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA;kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA;IgAoACcAKgAnACkAOwAkA;IAKAAnACoAJwApADsAJA;iACgAJwAqACcAKQA7ACQA</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Obfuscated Emotet Command Line detection" groupRelation="and">
-				<CommandLine condition="contains any">e^;^en^;^nc</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Suspicious Obfuscation Character" groupRelation="and">
-				<CommandLine condition="contains">^</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Suspicious Directory Traversal" groupRelation="and">
-				<CommandLine condition="contains any">..\;\..</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Formbook detections" groupRelation="and">
-				<CommandLine condition="contains any">\cmd.exe /c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe /c del "C:\Users\*\Desktop\*.exe;\cmd.exe -c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe -c del "C:\Users\*\Desktop\*.exe</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=QBot Process Creation,Risk=100" condition="contains any">ping.exe -n 6 127.0.0.1 &#38;ping.exe /n 6 127.0.0.1 &#38; type</CommandLine>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Powershell RAW ping,Risk=100" condition="contains">System.Net.Networkinformation.ping</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
-			<Image name="Attack=T1158,Technique=Windows Management Instrumentation,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Mofcomp execution or persistence,Risk=50" condition="image">mofcomp.exe</Image>
-
-			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
-			<Rule name="Attack=T1098,Technique=Account Manipulation,Tactic=Credential Access/Persistence,DS=Process: Process Creation,Level=3,Alert=Account Manipulation,Risk=80" groupRelation="and">
-				<Image condition="contains any">net.exe;net1.exe;net2.exe</Image>
-				<CommandLine condition="contains any">user;group;localgroup</CommandLine>
-				<CommandLine condition="contains any">remove;delete;active;del</CommandLine>
-				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
-			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
-			<Rule name="Attack=T1098,Technique=Create Account,Tactic=Persistence,DS=Process: Process Creation,Level=3,Alert=Account Created,Risk=80" groupRelation="and">
-				<Image condition="contains any">net.exe;net1.exe;net2.exe</Image>
-				<CommandLine condition="contains">user</CommandLine>
-				<CommandLine condition="contains any">add</CommandLine>
-				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
-			</Rule>
-			<Image name="Attack=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsmod,Risk=100" condition="image">dsmod.exe</Image>
-			<Image name="Attack=T1136,Technique=Create Account,Tactic=Persistence,DS=Process: Process Creation,Level=3,Alert=Account Creation via command line,Alert=Account creation with dsadd,Risk=100" condition="image">dsadd.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion/Execution,DS=Process: Process Creation,Level=0,Alert=SilentProcessExit Execution from werfault S-Flag,Risk=75" groupRelation="and">
-				<ParentImage condition="image">WerFault.exe</ParentImage>
-				<ParentCommandLine condition="contains any">-s;/s</ParentCommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,DS=Process: Process Creation,Level=4,Alert=Cobalt Strike GetSystem escalation Detected" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>
-				<CommandLine condition="contains all">echo;\pipe\;&gt;</CommandLine>
-			</Rule>
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,DS=Process: Process Creation,Level=4,Alert=Cobalt Strike PSexec dll copy detected" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>
-				<CommandLine condition="contains all">/c;copy;dll;\\;admin$</CommandLine>
-			</Rule>
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,DS=Process: Process Creation,Level=4,Alert=Cobalt Strike Exec DLL Detected" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">,;StartW</CommandLine>
-			</Rule>
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,DS=Process: Process Creation,Level=4,Alert=Cobalt Strike Susp activity 1" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">,;update;appdata;temp;/i:</CommandLine>
-			</Rule>
-			<Rule name="Attack=S0154,Tactic=Cobalt Strike,Technique=Malware,DS=Process: Process Creation,Level=4,Alert=Cobalt Strike Susp activity 2" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">,;update;appdata;temp;-i:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,DS=Process: Process Creation,Level=3,Alert=CMSTPLUA UAC Bypass Child Processes" groupRelation="and">
-				<ParentImage condition="image">dllhost.exe</ParentImage>
-				<ParentCommandLine condition="contains any">{3E5FC7F9-9A51-4367-9063-A120244FBEC7};{3E000D72-A845-4CD9-BD83-80C07C3B881F};{D2E7041B-2927-42fb-8E9F-7CE93B6DC937};{02B49784-1CA2-436C-BC08-72FA3956507D};{BEF590BE-11A6-442A-A85B-656C1081E04C}</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,DS=Process: Process Creation,Level=3,Alert=CMSTPLUA UAC Bypass" groupRelation="and">
-				<Image condition="image">dllhost.exe</Image>
-				<CommandLine condition="contains any">{3E5FC7F9-9A51-4367-9063-A120244FBEC7};{3E000D72-A845-4CD9-BD83-80C07C3B881F};{D2E7041B-2927-42fb-8E9F-7CE93B6DC937};{02B49784-1CA2-436C-BC08-72FA3956507D};{BEF590BE-11A6-442A-A85B-656C1081E04C}</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<Rule name="Attack=T1548,Technique=Abuse Elevation Control Mechanism,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Abused Debug priviledge by Arbitrary Parent Process,Risk=100" groupRelation="and">
-				<ParentImage condition="contains any">winlogon.exe;services.exe;lsass.exe;csrss.exe;wininit.exe;spoolsv.exe;searchindexer.exe</ParentImage>
-				<Image condition="contains any">powershell.exe;pwsh.exe;cmd.exe</Image>
-				<User condition="contains any">AUTHORI;AUTORI</User>
-				<CommandLine condition="excludes any">route ; ADD </CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism: Bypass User Account Control-->
-			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation,Risk=20" groupRelation="and">
-				<ParentImage condition="image">eventvwr.exe</ParentImage>
-				<Image condition="is not">c:\windows\system32\mmc.exe</Image>
-			</Rule>
-			<ParentImage name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation," condition="image">fodhelper.exe</ParentImage>
-			<Image name="Attack=T1118,Technique=InstallUtil,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=InstallUtil" condition="image">InstallUtil.exe</Image>
-			<CommandLine name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=UAC Bypass" condition="contains">Invoke-PsUaCme</CommandLine>
-			<CommandLine name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=UAC Bypass" condition="contains">BypassUAC</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Powerup Command Line events" condition="contains">PowerUp</CommandLine>
-			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion,DS=Process: Process Creation" condition="is">computerdefaults.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion,DS=Process: Process Creation" condition="is">dism.exe</OriginalFileName>
-			<ParentImage name="Attack=T1548.002,Technique=Bypass User Account Control,Tactic=Defense Evasion,DS=Process: Process Creation" condition="image">fodhelper.exe</ParentImage>
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<Rule name="Attack=T1134.001,Technique=Access Token Manipulation: Token Impersonation/Theft,Tactic=Privilege Escalation,Risk=90,DS=Process: Process Creation,Level=3,Alert=Priv Escalation to System" groupRelation="and">
-				<ParentUser condition="contains any">NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC</ParentUser>
-				<User condition="contains any">NT AUTHORITY\SYSTEM;СИСТЕМА;NT-AUTORITÄT\SYSTEM;AUTORITE NT\SYSTEM</User>
-			</Rule>
-			<ParentCommandLine name="Attack=T1134.001,Technique=Access Token Manipulation: Token Impersonation/Theft,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=1,Desc=Possible Token manipulation" condition="begin with">c:\windows\system32\svchost.exe -k netsvcs -s Appinfo</ParentCommandLine>
-			<Image name="Attack=T1134,Technique=Access Token Manipulation,Tactic=NA,DS=Process: Process Creation,Level=2,Alert=Token Manipulation with runas.exe,Risk=70" condition="image">runas.exe</Image> 
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Utilman Lock Screen Bypass,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">Cmd.Exe</OriginalFileName>
-				<ParentImage condition="image">winlogon.exe</ParentImage>
-				<Image condition="image">utilman.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=sethc.exe Lock Screen Bypass,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">Cmd.Exe</OriginalFileName>
-				<ParentImage condition="image">winlogon.exe</ParentImage>
-				<Image condition="image">sethc.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1546.008,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=Utilman Priv Escalation" groupRelation="and">
-				<ParentImage condition="image">utilman.exe</ParentImage>
-				<Image condition="excludes any">C:\Windows\System32\ATBroker.exe;Magnify.exe;C:\Windows\System32\osk.exe</Image>
-			</Rule>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation,DS=Process: Process Creation,Level=0,Desc=SETHC Priv Escalation" condition="image">sethc.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">osk.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">Magnify.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">DisplaySwitch.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">Narrator.exe</ParentImage>
-			<ParentImage name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation" condition="image">AtBroker.exe</ParentImage>
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Application Shimming-->
-			<Image name="Attack=T1138,Technique=Application Shimming,Tactic=Persistence/Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Application Shimming" condition="image">sdbinst.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
-			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=0,Desc=Dwm Exploitation" groupRelation="and">
-				<ParentImage condition="image">dwm.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=7zip Priv Escalation Detection,CVE=CVE-2022-29072" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>
-				<ParentImage condition="image">7zFM.exe</ParentImage>
-				<CommandLine condition="excludes any">;/c;-c</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1546.008,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=4,Alert=Possible InstallerFileTakeOver LPE,CVE=CVE-2021-41379" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>
-				<ParentImage condition="image">elevation_service.exe</ParentImage>
-				<IntegrityLevel condition="contains">System</IntegrityLevel>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
-			<Image condition="contains">unknown process</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=WSL Execution" condition="contains">\LocalState\rootfs\</Image>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=WSL Execution" condition="contains">\LocalState\rootfs\</ParentImage>			
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<Rule name="Attack=T1484.001,Technique=Group Policy Modification,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Auditpol System Audit Policy Change - Should be set via group policy instead" groupRelation="and">
-				<OriginalFileName condition="contains">auditpol</OriginalFileName>
-				<CommandLine condition="contains any">/set;-set;/restore;-restore;/clear;-clear;/remove;-remove;/resourceSACL;-resourceSACL</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
-			<Rule name="Attack=T1164.001,Technique=Hidden Files and Directories,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Hidden/SuperHidden File or Folder created" groupRelation="and">
-				<CommandLine condition="contains any">+s;+h</CommandLine>
-				<Image condition="image">attrib.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1164.001,Technique=Hidden Files and Directories,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Powershell Hidden File or Folder created" groupRelation="and">
-				<CommandLine condition="contains all">Hidden;Attributes</CommandLine>
-				<Image condition="image">powershell.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
-			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Stealth Sysmon Change Detected,Risk=100" groupRelation="and">
-				<Product condition="is">Sysinternals Sysmon</Product>
-				<CommandLine condition="contains any">/u;/c;-u;-c</CommandLine>
-				<CurrentDirectory condition="excludes">C:\ProgramdData\sysmon\</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1562.001,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Windows Defender tampering,Risk=50" groupRelation="and">
-				<Image condition="image">MpCmdRun.exe</Image>
-				<CommandLine condition="contains any">Add-MpPreference;RemoveDefinitions;DisableIOAVProtection</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools:  Disable Windows Event Logging-->
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=SysmonEnte Detection,DS=Process: Process Creation,Level=4,Risk=100" groupRelation="and">
-				<Hashes condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hashes>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=SysmonQuiet Detection,DS=Process: Process Creation,Level=4,Risk=100" groupRelation="and">
-				<Hashes condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hashes>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=SharpEvtMute Detection,DS=Process: Process Creation,Level=4,Risk=100" groupRelation="and">
-				<Hashes condition="contains">IMPHASH=330768a4f172e10acb6287b87289d83b</Hashes>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
-			<Image condition="image" name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=PSTools PSKill,Risk=80">PsKill.exe</Image>
-			<Rule name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Disabling of Windows Defender Features,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">Set-MpPreference;Add-MpPreference;Remove-MpPreference;MpCmdRun.exe</CommandLine>
-				<CommandLine condition="contains any">RemoveDefinitions;RemoveDynamicSignature;DisableIOAVProtection;DisableRealTimeMonitoring;DisableBehaviorMonitoring;DisableBlockAtFirstSeen;DisableIOAVProtection;DisablePrivacyMode;DisableScriptScanning;DisableRealtimeMonitoring;DisableScanningNetworkFiles;DisableScanningMappedNetworkDrivesForFullScan;DisableRestorePoint;DisableRemovableDriveScanning;SignatureDisableUpdateOnStartupWithoutEngine;DisableIntrusionPreventionSystem;DisableScanOnRealtimeEnable;DisableArchiveScanning;DisableIntrusionPreventionSystem;DisableScriptScanning;DisableOnAccessProtection;ExclusionExtension;ExclusionPath;ExclusionProcess;ThreatDefaultAction;TamperProtection</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh ipv6 modification,Risk=40" condition="contains">interface ipv6 set</CommandLine>
-			<CommandLine name="Attack=T1629.003,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh ipv4 modification,Risk=40" condition="contains">interface ipv4 set</CommandLine>
-			<Image name="Attack=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Command Line task kill 2,Risk=30" condition="image">taskkill.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=netsh Firewall Rule Deletion,Risk=40" condition="contains">firewall delete</CommandLine> 
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh Firewall Rule Creation,Risk=40" condition="contains">firewall add</CommandLine> 
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=netsh firewall disablement,Risk=40" condition="contains">firewall set opmode disable</CommandLine>
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Possible Arp Spoofing attacks" condition="contains">Core Networking - Router Solicitation</CommandLine>
-			<CommandLine name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Windows Firewall Modifications,Risk=40" condition="contains">netsh advfirewall firewall</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
-			<Rule name="Attack=T1070.001,Technique=Clear Windows Event Logs,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Eventlog Removal on Host,Risk=100" groupRelation="and">
-				<Image condition="image">wevtutil.exe</Image>
-				<CommandLine condition="contains"> cl </CommandLine>
-				<CommandLine condition="excludes">wevtutil im</CommandLine>
-				<CommandLine condition="excludes">wevtutil.exe im</CommandLine>
-				<CurrentDirectory condition="excludes">ClickToRun</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1562.006,Technique=Indicator Blocking,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Risk=50" groupRelation="and">
-				<OriginalFileName condition="is">fltMC.exe</OriginalFileName>
-				<CommandLine condition="contains any">detach;unload</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=IIS Log disablement,Risk=80" groupRelation="and">
-				<OriginalFileName condition="is">appcmd.exe</OriginalFileName>
-				<CommandLine condition="contains all">DontLog;True</CommandLine>
-				<Image condition="excludes">iisetup.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Usagelog Env Tampering,Risk=70" groupRelation="or">
-				<CommandLine condition="contains all">set;NGenAssemblyUsageLog</CommandLine>
-				<CommandLine condition="contains all">New-ItemProperty;NGenAssemblyUsageLog</CommandLine>
-				<CommandLine condition="contains all">reg;add;dword;NGenAssemblyUsageLog</CommandLine>
-				<CommandLine condition="contains all">$env;NGenAssemblyUsageLog</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=COMPlus_ETWEnabled Env Tampering,Risk=70" groupRelation="or">
-				<CommandLine condition="contains all">set;COMPlus_ETWEnabled</CommandLine>
-				<CommandLine condition="contains all">New-ItemProperty;COMPlus_ETWEnabled</CommandLine>
-				<CommandLine condition="contains all">reg;add;dword;COMPlus_ETWEnabled</CommandLine>
-				<CommandLine condition="contains all">$env;COMPlus_ETWEnabled</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
-			<Rule name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux exec,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains any">bash.exe;wsl.exe;ubuntu.exe;kali.exe</OriginalFileName>
-				<CommandLine condition="contains any">-e;/e;-u root;--exec bash;dev/tcp;~ -d;~ /d</CommandLine>
-			</Rule>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Windows Subsystem For Linux,Risk=20" condition="image">wsl.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Windows Subsystem For Linux,Risk=20" condition="image">wslhost.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Alert=Ubuntu Windows Subsystem For Linux,Risk=20" condition="image">ubuntu.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Kali Windows Subsystem For Linux,Risk=100" condition="image">kali.exe</ParentImage>
-			<CommandLine name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Windows Subsystem For Linux,Risk=100" condition="contains any">distro-id;vm-id</CommandLine>
-
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Indirect Command Execution" condition="image">pcalua.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Bash on Windows Execution,Risk=30" condition="image">bash.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Bash on windows execution,Risk=30" condition="image">bash.exe</ParentImage>
-			<Image name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Indirect Command Execution with forfiles" condition="image">forfiles.exe</Image>
-			<ParentImage name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Indirect command execution forfiles child process" condition="image">forfiles.exe</ParentImage>
-			<Image name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,DS=Process: Process Creation" condition="end with">.com</Image>
-			<CommandLine name="Attack=T1202,Technique=Indirect Command Execution,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Scriptrunner exec" condition="contains">-appvscript</CommandLine>
-
-			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=suspicious execution path,Risk=30" groupRelation="and">
-				<Image condition="contains any">C:\Users\NetworkService\;C:\Users\NetworkService\;HarddiskVolumeShadowCopy;C:\Users\Default\;C:\Users\Public;C:\Users\Guest\;\administrateur\;C:\Windows\Media\;C:\Windows\addins\;tsclient\;\htdocs\;\config\systemprofile\;C:\PerfLogs\;c:\windows\ServiceProfiles\;C:\Intel\Logs\;C:\Windows\repair\;C:\Windows\Help\;$Recycle;C:\Windows\Debug\;C:\Windows\Security\;C:\Windows\Fonts\;\wwwroot\;\Contacts;C:\Windows\vss\</Image>
-			</Rule>
-			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Alert=Double File Extension,Risk=100" groupRelation="or">
-				<Image condition="end with">      .exe</Image>
-				<Image condition="end with">.7z.exe</Image>
-				<Image condition="end with">.doc.exe</Image>
-				<Image condition="end with">.doc.exe</Image>
-				<Image condition="end with">.docx.exe</Image>
-				<Image condition="end with">.ico.exe</Image>
-				<Image condition="end with">.iso.exe</Image>
-				<Image condition="end with">.lnk.exe</Image>
-				<Image condition="end with">.pdf.exe</Image>
-				<Image condition="end with">.ppt.exe</Image>
-				<Image condition="end with">.pptx.exe</Image>
-				<Image condition="end with">.rar.exe</Image>
-				<Image condition="end with">.rtf.exe</Image>
-				<Image condition="end with">.txt.exe</Image>
-				<Image condition="end with">.xls.exe</Image>
-				<Image condition="end with">.xlsx.exe</Image>
-				<Image condition="end with">.zip.exe</Image>
-				<Image condition="end with">______.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
-			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg add hkcu\software\classes\</CommandLine>
-			<CommandLine name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Registry Class changes with reg.exe,Risk=40" condition="contains">reg.exe add hkcu\software\classes\</CommandLine> 
-			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Remote Registry Activity,Risk=39" condition="begin with">C:\WINDOWS\system32\svchost.exe -k localService -s RemoteRegistry</ParentCommandLine>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Alternate Data Streams with Regedit" groupRelation="and">
-				<OriginalFileName condition="is">regedit.exe</OriginalFileName>
-				<CommandLine condition="contains">:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=REG Registry Deletions" groupRelation="and">
-				<Image condition="image">reg.exe</Image>
-				<CommandLine condition="contains">delete </CommandLine>
-			</Rule>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Regedit Registry Deletions" groupRelation="and">
-				<Image condition="image">regedit.exe</Image>
-				<CommandLine condition="contains any">/d;-d</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Powershell Registry Deletions" groupRelation="and">
-				<CommandLine condition="contains any">HKCU:;HKLM</CommandLine>
-				<CommandLine condition="contains">remove-item</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Powershell Registry Modifications" groupRelation="and">
-				<CommandLine condition="contains any">HKCU:;HKLM</CommandLine>
-				<CommandLine condition="contains">set-item;new-item</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
-			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Suspicious Code Page Switch,Risk=50" groupRelation="and">
-				<Image condition="image">chcp.exe</Image>
-				<CommandLine condition="contains">936</CommandLine>
-				<CommandLine condition="contains">1256</CommandLine>
-				<CommandLine condition="contains">864</CommandLine>
-				<CommandLine condition="contains">1258</CommandLine>
-				<CommandLine condition="contains">855</CommandLine>
-				<CommandLine condition="contains">866</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Powershell Encoded Command Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">-e ;-en;-enc;-enco;-encod;-encode;-encoded;-encodedc;-encodedco;-encodedcom;-encodedcomm;-encodedcomma;-encodedcomman;-encodedcommand;/e ;/en;/enc;/enco;/encod;/encode;/encoded;/encodedc;/encodedco;/encodedcom;/encodedcomm;/encodedcomma;/encodedcomman;/encodedcommand</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Powershell Hidden Command,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">-w h;-wi h;-win h;-wind h;-windo h;-window h;-windows h;-windowst h;-windowsty h;-windowstyl h;-windowstyle h;/w h;/wi h;/win h;/wind h;/windo h;/window h;/windows h;/windowst h;/windowsty h;/windowstyl h;/windowstyle h</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Powershell Execution Policy Bypass,Risk=75" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">-ex;/ex</CommandLine>
-				<CommandLine condition="contains">bypass</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Powershell non-interactive Command" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">-noni;/noni</CommandLine>
-				<CommandLine condition="excludes">Import-Module FileServerResourceManager</CommandLine>
-				<CurrentDirectory condition="excludes">C:\Program Files\LogicMonitor</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1027,Tactic=Defense Evasion,Technique=Obfuscated Files or Information,DS=Process: Process Creation,Level=4,Alert=Powershell Obfuscation Command,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">hextobin;iex;io.filestream;system.text;base64;system.io;io.file;IMAGE_SUBSYSTEM_WINDOWS_GUI;IMAGE_NT_OPTIONAL_HDR32;IMAGE_NT_OPTIONAL_HDR64;DllCharacteristicsType;GetDelegateForFunctionPointer;WriteProcessMemory;ReadProcessMemory;ImpersonateSelf;AdjustTokenPrivileges;NtCreateThreadEx;CreateRemoteThread;io.seek;iwr;-bxor;invoke-expression;remove.to.string;shellcode;System.Net.WebClient;System.Net.WebRequest;System.Net.SecurityProtocolType;unicode;-useb;msxml2.serverxmlhttp;wscript.shell;-comobject;frombase64;io.compression;system.convert;io.streamreader;io.memorystream;compression.gzipstream;text.encoding;executioncontext;text.enc;convertto-securestring;runtime.interop;verbosepreference;[[string]]::join</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Powershell Encoded Offsets,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<CommandLine condition="contains any">SUVYI;aWV4I;SQBFAFgA;aQBlA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC;UwB0AGE</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Obfuscated Suspicious or Malicious Commands,Risk=70" groupRelation="and">
-				<CommandLine condition="contains any">C^om^S^pEc;^c^o^m^S^p^E^c^;Wscript.Shell;-ComObject;MsXml2.ServerXmlHttp;Remove.ToString;System.Convert;-UseB;[Byte[];^h^t^t^p;h"t"t"p</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information with IwAjACMAd,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Common Base 64 encoded cmds" condition="contains any">IwAjACMAd;IyM=;SUVYI;aWV4I;SQBFAFgA;aQBlAHgA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Alert=Obfuscated Hidden Powershell,Risk=70" condition="contains any">WindowStyle Hidden function;WindowStyle Hidden;windowstyle h;windowstyl h;windowsty h;windowst h;windows h;window h;windo h;wind h;win h;wi h;-w h;/w h;win hi;win hid;win hidd;win hidde;win hidden</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Command Line Obfuscation,Risk=75" condition="contains">^</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Type CON Command Line Redirection" condition="contains">TYPE CON ></CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Copy CON Command Line Redirection" condition="contains">copy CON ></CommandLine>
-			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Common Obfuscated Commands,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">FromBase64String;action=create keyvalue=;VerbosePreference.ToString;SecureString;CSharpCodeProvider;runtime.interopservices.marshal;system.globalization.numberstyles;system.reflection.assembly;hextobin;VerbosePreference.ToString;system.text.encoding;io.filestream;io.filestream;io.seekorigin;text.encoding;unicode.getstring;FromBase64;[Convert]::;System.IO.File]::ReadAllText;|iex</CommandLine>
-				<CommandLine condition="excludes all">ngen.exe;install</CommandLine>
-			</Rule>
-
-			<Rule name="Attack=T1105,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=CertUtil Decode,Risk=80" groupRelation="and">
-				<OriginalFileName condition="contains">certutil</OriginalFileName>
-				<CommandLine condition="contains any">decode;encode</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Ping in Hexadecimal,Risk=60" groupRelation="and">
-				<Image name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Ping in Hexadecimal" condition="image">ping.exe</Image>
-				<CommandLine condition="contains">0x</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information: Compile After Delivery-->
-			<Rule name="Attack= T1127.001,Technique=Trusted Developer Utilities Proxy Execution ,Tactic=Defnse Evasion,DS=Process: Process Creation,Level=4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
-				<Image condition="image">csc.exe</Image>
-				<CommandLine condition="contains any">\AppData\;\Windows\Temp\</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent of Csc.exe,Risk=80" groupRelation="and">
-				<Image condition="image">csc.exe</Image>
-				<ParentImage condition="image">wscript.exe</ParentImage>
-				<ParentImage condition="image">cscript.exe</ParentImage>
-				<ParentImage condition="image">mshta.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=MOFComp compilation of .Mof File,Risk=80" groupRelation="and">
-				<Image condition="image">mofcomp.exe</Image>
-				<CommandLine condition="contains">.mof</CommandLine>
-				<CurrentDirectory condition="excludes">C:\WINDOWS\Installer\MSI</CurrentDirectory>
-				<ParentImage condition="excludes">MsMpEng.exe</ParentImage>
-				<ParentImage condition="excludes">aspnet_regiis.exe</ParentImage>
-				<ParentImage condition="excludes">msiexec.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1027.004,Technique=Compile After Delivery,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=CSC Compilation,Risk=80" groupRelation="and">
-				<ParentImage condition="image">csc.exe</ParentImage>
-				<CommandLine condition="contains any">out:;target:library</CommandLine>
-			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Workflow Compiler https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb" condition="contains">Microsoft.Workflow.Compiler.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of Autochk,Risk=30" groupRelation="and">
-				<Image condition="image">autochk.exe</Image>
-				<ParentImage condition="excludes any">\smss.exe;\fontdrvhost.exe;\dwm.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of SMSS,Risk=30" groupRelation="and">
-				<Image condition="contains any">\consent.exe;\Runtimebroker.exe;\TiWorker.exe</Image>
-				<ParentImage condition="excludes">\svchost.exe</ParentImage>
-				<ParentImage condition="is not">-</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of consent/runtimebroke/tiworker,Risk=30" groupRelation="and">
-				<Image condition="contains any">\consent.exe;\Runtimebroker.exe;\TiWorker.exe</Image>
-				<ParentImage condition="excludes any">svchost.exe</ParentImage>
-				<ParentImage condition="is not">-</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of searchindexer,Risk=30" groupRelation="and">
-				<Image condition="image">SearchProtocolHost.exe</Image>
-				<ParentImage condition="excludes any">\SearchIndexer.exe;\dllhost.exe</ParentImage>
-				<ParentImage condition="is not">-</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of dllhost,Risk=30" groupRelation="and">
-				<Image condition="image">dllhost.exe</Image>
-				<ParentImage condition="excludes any">\services.exe;\svchost.exe</ParentImage>
-				<ParentImage condition="is not">-</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of smss,Risk=30" groupRelation="and">
-				<Image condition="image">smss.exe</Image>
-				<ParentImage condition="excludes">\smss.exe</ParentImage>
-				<ParentImage condition="is not">System</ParentImage>
-				<ParentImage condition="is not">-</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of csrss,Risk=30" groupRelation="and">
-				<Image condition="image">csrss.exe</Image>
-				<ParentImage condition="is not">-</ParentImage>
-				<ParentImage condition="excludes any">\smss.exe;svchost.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of wininit,Risk=30" groupRelation="and">
-				<Image condition="image">wininit.exe</Image>
-				<ParentImage condition="is not">-</ParentImage>
-				<ParentImage condition="excludes">\smss.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of winlogon,Risk=30" groupRelation="and">
-				<Image condition="image">winlogon.exe</Image>
-				<ParentImage condition="excludes">\smss.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of lsass/LsaIso,Risk=30" groupRelation="and">
-				<Image condition="contains any">\lsass.exe;LsaIso.exe</Image>
-				<ParentImage condition="excludes">\wininit.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of LogonUI,Risk=30" groupRelation="and">
-				<Image condition="image">LogonUI.exe</Image>
-				<ParentImage condition="excludes any">\wininit.exe;\winlogon.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of services,Risk=30" groupRelation="and">
-				<Image condition="image">services.exe</Image>
-				<ParentImage condition="excludes">\wininit.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of svchost,Risk=30" groupRelation="and">
-				<Image condition="image">svchost.exe</Image>
-				<ParentImage condition="is not">-</ParentImage>
-				<ParentImage condition="excludes any">\MsMpEng.exe;\services.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of spoolsv,Risk=30" groupRelation="and">
-				<Image condition="image">spoolsv.exe</Image>
-				<ParentImage condition="excludes">\services.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of taskhost,Risk=30" groupRelation="and">
-				<Image condition="image">taskhost.exe</Image>
-				<ParentImage condition="excludes any">\services.exe;\svchost.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of userinit,Risk=30" groupRelation="and">
-				<Image condition="image">userinit.exe</Image>
-				<ParentImage condition="excludes any">\dwm.exe;\winlogon.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Parent process of wmiprvse/wsmprovhost/winrshost,Risk=30" groupRelation="and">
-				<Image condition="contains any">\wmiprvse.exe;\wsmprovhost.exe;\winrshost.exe</Image>
-				<ParentImage condition="is not">-</ParentImage>
-				<ParentImage condition="excludes any">\svchost.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
-				<ParentImage condition="contains any">\SearchProtocolHost.exe;\taskhost.exe;\csrss.exe</ParentImage>
-				<Image condition="excludes any">\werfault.exe;\wermgr.exe;\WerFaultSecure.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Child process of SearchProtocolHost/taskhost/csrss,Risk=30" groupRelation="and">
-				<ParentImage condition="image">autochk.exe</ParentImage>
-				<Image condition="excludes any">\chkdsk.exe;\doskey.exe;\WerFault.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Child process of smss,Risk=30" groupRelation="and">
-				<ParentImage condition="image">smss.exe</ParentImage>
-				<Image condition="excludes any">\autochk.exe;\smss.exe;\csrss.exe;\wininit.exe;\winlogon.exe;\setupcl.exe;\WerFault.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Child process of wermgr,Risk=30" groupRelation="and">
-				<ParentImage condition="image">wermgr.exe</ParentImage>
-				<Image condition="excludes any">\WerFaultSecure.exe;\wermgr.exe;\WerFault.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Possible wermgr injection,Risk=30" groupRelation="and">
-				<Image condition="image">wermgr.exe</Image>
-				<CommandLine condition="end with">wermgr.exe</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Possible qbot injection,Risk=30" groupRelation="and">
-				<ParentImage condition="contains any">\rundll32.exe;\regsvr32.exe</ParentImage>
-				<Image condition="contains any">\explorer.exe;\wermgr.exe;\msra.exe;\OneDriveSetup.exe;\mobsync.exe;\xwizard.exe</Image>
-				<CommandLine condition="end with">.exe</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Privilege Escalation,DS=Process: Process Creation,Level=3,Alert=Suspicious Child process of conhost,Risk=30" groupRelation="and">
-				<ParentImage condition="image">conhost.exe</ParentImage>
-				<Image condition="excludes any">\mscorsvw.exe;\wermgr.exe;\WerFault.exe;\WerFaultSecure.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Powershell Injection Persistence Bypass - Execution - Lateral Movement - Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Powershell Injection persistence bypass,Risk=50" groupRelation="and">
-				<CommandLine condition="contains">System.Management.Automation</CommandLine>
-				<CommandLine condition="excludes all">"C:\Windows\Microsoft.NET\Framework\;\ngen.exe;install</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
-			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
-			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
-			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=InstallUtil 1" groupRelation="and">
-				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
-				<CommandLine condition="contains all">/logfile=;/LogToConsole=false;/U</CommandLine>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=InstallUtil 2" groupRelation="and">
-				<OriginalFileName name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Risk=50" condition="is">InstallUtil.exe</OriginalFileName>
-				<CommandLine condition="contains all">-logfile=;-LogToConsole=false;-U</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.013,Technique=Mavinject,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Mavinject Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains any">Mavinject.exe;mavinject64.exe</OriginalFileName>
-				<CommandLine condition="contains">INJECTRUNNING</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=CMSTP UAC Bypass Detected 1,Risk=100" groupRelation="and">
-				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
-				<CommandLine condition="contains all">/ni;/s</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=CMSTP UAC Bypass Detected 2,Risk=100" groupRelation="and">
-				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
-				<CommandLine condition="contains all">/ns;/s</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=CMSTP UAC Bypass Detected 3,Risk=100" groupRelation="and">
-				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
-				<CommandLine condition="contains all">-ni;-s</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.003,Technique=CMSTP,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=CMSTP UAC Bypass Detected 4,Risk=100" groupRelation="and">
-				<OriginalFileName condition="is">CMSTP.exe</OriginalFileName>
-				<CommandLine condition="contains all">-ns;-s</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.002,Technique=Control Panel,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Control_Rundll Detected,Risk=50" groupRelation="and">
-				<CommandLine condition="contains all">rundll32.exe;shell32.dll;_RunDLL</CommandLine>
-				<Image condition="is not">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.008,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Odbcconf Signed Binary Proxy Execution,Risk=50" groupRelation="and">
-				<Image condition="image">odbcconf.exe</Image>
-				<CommandLine condition="contains any">/S /A {REGSVR;-S -A {REGSVR</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Script:http Detected,Risk=75" condition="contains">script:http</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=Signed Script Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Register-cimprovider exec,Risk=100" condition="contains">Register-cimprovider</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">Scriptrunner.exe -appvscript</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">bginfo</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">cbd</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=runscripthelper LOLBAS,Risk=40" condition="contains">runscripthelper.exe surfacecheck</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=xwizard LOLBAS,Risk=40" condition="contains">xwizard RunWizard</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=PresentationHost exec,Risk=100" condition="contains">PresentationHost</CommandLine>
-			<CommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=VBoxDrvInst.exe exec,Risk=100" condition="contains">driver executeinf</CommandLine>
-			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains any">control.exe /name;control.exe -name</CommandLine>
-			<CommandLine name="Attack=T1218.002,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Control Panel Execution,Risk=75" condition="contains">Control_RunDLL</CommandLine>
-			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="image">SyncAppvPublishingServer.exe</Image>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">Scriptrunner.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">ATBroker.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">Appvlp.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">InfDefaultInstall.EXE</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">PresentationHost.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">RegisterCimProvider2.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">RegisterCimProvider.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">ScriptRunner.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">csi.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">extexport.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">msconfig.EXE</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">rasdlui.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">tttracer.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">verclsid.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">wab.exe</OriginalFileName>
-			<OriginalFileName name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Register-cimprovider.exe,Risk=100" condition="contains">Register-cimprovider.exe</OriginalFileName>
-			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">csi.exe</ParentCommandLine>
-			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="contains">devtoolslauncher.exe LaunchForDeploy</ParentCommandLine>
-			<ParentCommandLine name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="is">bginfo</ParentCommandLine>
-			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="image">devtoolslauncher.exe</ParentImage>
-			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="image">wab.exe</ParentImage>
-			<ParentImage name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation" condition="image">wsreset.exe</ParentImage>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: CMSTP-->
-			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation" condition="contains any">cmstp.exe /ni /s;cmstp.exe -ni -s</CommandLine>
-			<CommandLine name="Attack=T1218.003,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=cmstp" condition="contains any">cmstp /ni /s;cmstp -ni -s</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Mavinject-->
-			<Image name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Mavinject Process Injection" condition="image">Mavinject.exe</Image>
-			<CommandLine name="Attack=T1218,Technique=Mavinject,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Mavinject Process Injection" condition="contains">INJECTRUNNING</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
-			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Potential rundll32.exe DllRegisterServer execution,Risk=70" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains">DllRegisterServer</CommandLine>
-				<CommandLine condition="excludes any">xapauthenticodesip.dll</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Regsvr32 loading in Appdata temp" groupRelation="and">
-				<Image condition="image">regsvr32.exe</Image> 
-				<CommandLine condition="contains all">C:\Users;Appdata;Temp</CommandLine> 
-			</Rule>
-			<Rule name="Attack=T1117,Technique=Regsvr32,Tactic=Defense Evasion/Execution,DS=Process: Process Creation,Level=4,Alert=Suspicious Regsvr32 loading in Public User folder" groupRelation="and">
-				<Image condition="image">regsvr32.exe</Image> 
-				<CommandLine condition="contains all">C:\Users;Public</CommandLine> 
-			</Rule>
-			<Description name="Attack=T1117,Technique=Regsvr32,Tactic=Execution,DS=Process: Process Creation" condition="contains">Microsoft(C) Register Server</Description>
-			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=SyncAppvPublishingServer Applocker Bypass" condition="image">SyncAppvPublishingServer.exe</Image>
-			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=control panel execution" condition="image">control.exe</Image>
-			<Image name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=rasautou execution" condition="image">rasautou.exe</Image>
-			<CommandLine name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Control Panel Execution" condition="contains any">control.exe /name;control.exe -name</CommandLine>
-			<CommandLine name="Attack=T1196,Technique=Control Panel Items,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Control Panel Execution" condition="contains">Control_RunDLL</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
-			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Msiexec.exe DllRegisterServer execution,Risk=70" groupRelation="and">
-				<Image condition="image">msiexec.exe</Image>
-				<CommandLine condition="contains any">/y;-y</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\DartSock.dll</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\ImageViewer2.OCX</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\SysTray.ocx</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\tdbg6.ocx</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\tdbg7.ocx</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\tdbg7.ocx</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\todg7.ocx</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\todgub7.dll</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\SysWOW64\xarraydb.ocx</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSIExec Signed Binary Proxy Execution,Risk=70" groupRelation="and">
-				<Image condition="image">msiexec.exe</Image>
-				<CommandLine condition="contains any">/i;-i</CommandLine>
-				<CommandLine condition="contains any">http</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Rundll32-->
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Rundll32 Suspicious call by Ordinal,Risk=80" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains all">,;#</CommandLine>
-				<CommandLine condition="excludes">C:\Windows\resources\themes\Aero\AeroLite.msstyles</CommandLine>
-				<CommandLine condition="excludes">uxtheme.dll</CommandLine>
-				<CommandLine condition="excludes">ImageView_Fullscreen</CommandLine>
-				<CommandLine condition="excludes">EDGEHTML.dll</CommandLine>
-				<CommandLine condition="excludes">PhotoViewer.dll</CommandLine>
-				<CurrentDirectory condition="excludes">\AppData\Local\WebEx\WebEx\</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Rundll32 Single Threaded Apartment Switch - check for com hijacks,Risk=75" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains any">-sta;/sta</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Rundll32 localserver Switch - check for com hijacks,Risk=75" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains any">-localserver;/localserver</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious OpenAs_RunDLL,Risk=30" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains all">shell32.dll;OpenAs_RunDLL</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Executing Powershell,Risk=70" groupRelation="and">
-				<ParentImage condition="image">RUNDLL32.EXE</ParentImage>
-				<OriginalFileName condition="contains">powershell</OriginalFileName>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious OpenURL Commands" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains all">url.dll;OpenURL</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious FileProtocolHandler Commands" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains all">url.dll;FileProtocolHandler</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious RouteTheCall Commands" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains all">zipfldr.dll;RouteTheCall</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious Control_RunDLL Commands" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains all">Shell32.dll;Control_RunDLL</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious javascript Commands" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains">javascript:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Suspicious RegisterXLL Commands" groupRelation="and">
-				<OriginalFileName condition="is">RUNDLL32.EXE</OriginalFileName>
-				<CommandLine condition="contains">RegisterXLL</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Suspicious Rundll32 loading in Public User folder" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image> 
-				<CommandLine condition="contains all">C:\Users;Public</CommandLine>
-				<ParentCommandLine condition="excludes any">rdpinit.exe</ParentCommandLine> 
-				<ParentImage condition="excludes any">rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe</ParentImage> 
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Suspicious Rundll32 loading in Appdata Temp" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">C:\Users;Appdata;Temp</CommandLine>
-				<CommandLine condition="excludes any">ImageView_</CommandLine>
-				<ParentCommandLine condition="excludes any">rdpinit.exe</ParentCommandLine>
-				<ParentImage condition="excludes any">rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe</ParentImage>
-			</Rule>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="contains all">advpack.dll;LaunchINFSection</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="contains all">ieadvpack.dll;LaunchINFSection</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="contains all">syssetup.dll;SetupInfObjectInstallAction</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="contains all">setupapi.dll;InstallHinfSection</CommandLine>
-			<CommandLine condition="contains">InstallHinfSection</CommandLine>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=infDefaultInstall" condition="image">infDefaultInstall.exe</Image>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=APT28 CHOPSTICK Detection,Risk=70" condition="contains">rundll32.exe "C:\Windows\twain_64.dll"</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Shdocvw exec via rundll32,Risk=70" condition="contains all">shdocvw.dll;OpenURL</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Testing advpack exec,Risk=70" condition="contains all">advpack.dll;RegisterOCX</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass,Risk=100" condition="contains all">Zipfldr.dll;RouteTheCall</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass,Risk=100" condition="contains all">url.dll;FileProtocolHandler</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass technique FileProtocolHandler,Risk=100" condition="contains all">url.dll;FileProtocolHandler</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" condition="contains all">OpenURLA;file:</CommandLine>
-			<CommandLine name="Attack=T1218.011,Technique=Rundll32,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=EDR Bypass OpenURLA,Risk=100" condition="contains all">OpenURL;file:</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MSHTA-->
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Suspicious child processes of mshta,Risk=100" groupRelation="and">
-				<ParentImage condition="image">mshta.exe</ParentImage>
-				<Image condition="contains any">cmd.exe;powershell.exe;wscript.exe;cscript.exe;sh.exe;bash.exe;reg.exe;regsvr32.exe;bitsadmin</Image>
-			</Rule>
-			<Rule name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution,Risk=100" groupRelation="and">
-				<Image condition="image">mshta.exe</Image>
-			</Rule>
-			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution" condition="contains">RunHTMLApplication</CommandLine>
-			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution" condition="contains">mshtml</CommandLine>
-			<CommandLine name="Attack=T1170,Technique=MSHTA,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSHTA Execution" condition="contains">vbscript:CreateObject</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Odbcconf-->
-			<Image name="Attack=T1218.008,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Possible driver load with odbcconf,Risk=40" condition="image">odbcconf.exe</Image>
-
-			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
-			<CommandLine name="Attack=T1216,Technique=System Script Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=manage-bde.wsf exec,Risk=100" condition="contains">manage-bde.wsf</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Powershell Calling MSBuild" groupRelation="and">
-				<ParentImage condition="contains any">powershell.exe;powershell_ise.exe</ParentImage>
-				<Image condition="image">msbuild.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSBuild Calling RegAsm" groupRelation="and">
-				<ParentImage condition="image">msbuild.exe</ParentImage>
-				<Image condition="image">regasm.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSBuild Calling useinit" groupRelation="and">
-				<ParentImage condition="image">msbuild.exe</ParentImage>
-				<Image condition="image">userinit.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSBuild Building from xml - Silent Trinity" groupRelation="and">
-				<ParentImage condition="image">msbuild.exe</ParentImage>
-				<ParentCommandLine condition="contains">.xml</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=RegAsm Parent process" groupRelation="and">
-				<ParentImage condition="image">regasm.exe</ParentImage>
-				<Image condition="excludes">\conhost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=MSBuild building from lnk file" groupRelation="and">
-				<Image condition="image">msbuild.exe</Image>
-				<CommandLine condition="contains">.lnk</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=.csproj execution" condition="contains">.csproj</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
-			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
-			<Image name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,DS=Process: Process Creation,Level=4,Alert=XSL Script Processing" condition="image">msxsl.exe</Image>
-			<ParentImage name="Attack=T1220,Technique=XSL Script Processing,Tactic=Defense Evasion Execution,DS=Process: Process Creation,Level=4,Alert=XSL Script Processing" condition="image">msxsl.exe</ParentImage>
-			<!--MITRE ATT&CK TACTIC: Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
-			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
-			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Hawkeye Keylogger Detected" condition="contains">/stext</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" condition="contains">keylog</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" condition="contains">keyscan_</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" condition="contains">Get-Keystrokes</CommandLine>
-			<CommandLine name="Attack=T1056.001,Technique=Input Capture: Keylogging,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Possible Keylogger Detected" condition="contains">/scomma</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<Rule name="Attack=T1040,Technique=Network Sniffing,Tactic=Credential Access/Discovery,DS=Process: Process Creation,Level=4,Alert=Network Sniffing tool Detected,Risk=100" groupRelation="and">
-				<CommandLine condition="contains">sniff</CommandLine>
-				<CommandLine condition="excludes">C:\Program Files\Adobe\</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1040,Technique=Network Sniffing,Tactic=Credential Access/Discovery,DS=Process: Process Creation,Level=4,Alert=PCAP Sniffing tool Detected,Risk=100" groupRelation="or">
-				<OriginalFileName condition="is any">tcpdump.exe;tcpdump.c;tshark.exe;tshark.c;windump.exe;windump.c;wireshark.c;wireshark.exe</OriginalFileName>
-				<CommandLine condition="contains any">windump;tshark;tcpdump;windump;wireshark</CommandLine>
-				<CommandLine condition="contains all">netsh;trace;start;capture=yes</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Access with vss shadow copy,Risk=100" groupRelation="and">
-				<Image condition="image">vssadmin.exe</Image>
-				<CommandLine condition="contains any">create;shadow</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential access with wmic shadow copy creation,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains all">shadowcopy;call;create</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential access with wmic esentutl,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains all">call;create;esentutl;vss</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Powershell shadow copy creation,Risk=100" groupRelation="and">
-				<CommandLine condition="contains all">win32_shadowcopy;create;clientaccessible</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Symlink to Shadowcopy,Risk=100" groupRelation="and">
-				<CommandLine condition="contains all">mklink;GLOBALROOT;Shadow</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Copy of NTDS.dit from vss shadow copy,Risk=100" groupRelation="or">
-				<CommandLine condition="contains all">copy;NTDS\ntds.dit</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=ntdsutil credential dumping,Risk=100" groupRelation="or">
-				<Image condition="image">ntdsutil.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Copy of SYSTEM Registry from vss shadow copy,Risk=100" groupRelation="or">
-				<CommandLine condition="contains all">copy;System32\config\SYSTEM</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Malicious Reg Save Credential Dumping,Risk=100" groupRelation="or">
-				<CommandLine condition="contains all">reg;save;HKLM</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">mimikatz;mimidrv;mimilove;mimilib;sekurlsa;lsadump;dumpcreds;privilege::;token::;logonpasswords;mimikittenz;mimiauth;::;kerberos::;misc::skeleton;privilege::debug;dpapi::cred;vault::cred;lsadump;misc::;Krbtgt;TOKEN::;invoke-mimi</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=3,Alert=Possible credential modification or disclosure with cmdkey,Risk=30" groupRelation="and">
-				<OriginalFileName condition="contains">cmdkey</OriginalFileName>
-			</Rule>
-			<OriginalFileName name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=3,Alert=Credential Dumping Command rpcping,Risk=100" condition="is">rpcping.exe</OriginalFileName>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command nltest,Risk=100" condition="contains">nltest.exe</CommandLine>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Suspicious Cred Dumping Commands,Risk=60" groupRelation="and">
-				<CommandLine condition="contains any">-ma lsass.exe;Do-Exfiltration;Powersploit;GPPPassword;gpprefdecrypt;gsecdump;hashdump;laZagne;ntds.dit;ppldump;pwdump;pwdumpx;secretsdump;/listcreds:;-listcreds:</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultCloseVault</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultEnumerateItem</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultFree</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultGetItem</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">VaultOpenVault</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">Vaultcmd</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Via vaultcli.dll" condition="contains">vaultcli.dll</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping from firefox" condition="contains">select * from moz_login</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping" condition="contains">Invoke-WinEnum</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Dumping Cached Credentials,Risk=100" condition="contains">System.Net.CredentialCache</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=0,Desc=VSS Shadow file Created" condition="contains">create shadow</CommandLine>
-			<CommandLine name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Dumping,DS=Process: Process Creation,Level=4,Alert=Credential Theft: netsh wlan password export in cleartext,Risk=100" condition="contains all">wlan;export;profile;key=clear</CommandLine>
-			<CommandLine name="Attack=T1003.006,Technique=Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command DCsync,Risk=100" condition="contains">dcsync</CommandLine>
-			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credentials in Registry" condition="contains any">HKCU /f password;HKCU -f password</CommandLine>
-			<CommandLine name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credentials in Registry" condition="contains any">HKLM /f password;HKLM -f password</CommandLine>
-			<Image name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command nltest,Risk=60" condition="image">nltest.exe</Image>
-			<Image name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command" condition="image">ProcDump.exe</Image>
-			<OriginalFileName name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Credential Dumping Command" condition="contains">ProcDump</OriginalFileName>
-			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">asktgt;asktgs</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">createnetonly /program:;createnetonly -program:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">dump /service:krbtgt;dump -service:krbtgt</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">harvest /interval:;harvest -interval:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains any">renew /ticket:;renew -ticket:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">asreproast</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">impersonateuser:</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">kerberoast</CommandLine>
-			<CommandLine name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Steal or Forge Kerberos Tickets,Risk=70" condition="contains">ptt /ticket:</CommandLine>
-			<Image name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=4,Alert=Kerberos Ticket Disclosure with klist,Risk=70" condition="image">klist.exe</Image>
-			<Image name="Attack=T1558,Technique=Steal or Forge Kerberos Tickets,Tactic=Credential Access,DS=Process: Process Creation,Level=0,Desc=Kerberos Ticket Disclosure,Risk=30" condition="image">hh.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
-			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
-			<Rule name="Attack=T1552,Technique=Unsecured Credentials,Tactic=Credential Access,DS=Process: Process Creation,Level=3,Alert=Possible disclosure with IIS appcmd,Risk=100" groupRelation="and">
-				<OriginalFileName condition="is">appcmd.exe</OriginalFileName>
-				<CommandLine condition="contains all">list;text;password</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TACTIC: Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=User enumeration/Discovery,Risk=30" condition="image">quser.exe</Image>
-			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=User or Group Discovery,Risk=50" groupRelation="and">
-				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
-				<CommandLine condition="contains any">group;localgroup; user</CommandLine>
-				<CommandLine condition="excludes">/domain</CommandLine>
-				<CommandLine condition="excludes">SUService</CommandLine>
-				<CommandLine condition="excludes">\users</CommandLine>
-				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=Domain User or Group Discovery,Risk=50" groupRelation="and">
-				<OriginalFileName condition="contains any">net.exe;net1.exe;net2.exe</OriginalFileName>
-				<CommandLine condition="contains any">group;localgroup; user</CommandLine>
-				<CommandLine condition="contains any">/domain</CommandLine>
-				<CommandLine condition="excludes">SUService</CommandLine>
-				<CommandLine condition="excludes">\users</CommandLine>
-				<ParentCommandLine condition="excludes">tvsu_tmp</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=4,Alert=Sharphound Discovery,Risk=100" groupRelation="or">
-				<CommandLine condition="contains any">sharphound;bloodhound;azurehound;CollectionMethod;encryptzip;randomizefilenames;dumpcomputerstatus</CommandLine>
-				<Company condition="contains any">sharphound;bloodhound</Company>
-				<Description condition="contains any">sharphound;bloodhound</Description>
-				<Image condition="contains any">sharphound;bloodhound</Image>
-				<OriginalFileName condition="contains any">sharphound;bloodhound</OriginalFileName>
-				<ParentImage condition="contains any">sharphound;bloodhound</ParentImage>
-				<Product condition="contains any">sharphound;bloodhound</Product>
-			</Rule>
-			<CommandLine name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=DSclient Discovery,Risk=70" condition="contains any">dscl . list /Groups;dscl . list -Groups</CommandLine>
-			<CommandLine name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=DSclient Discovery,Risk=70" condition="contains any">dscl . list /Users;dscl . list -Users</CommandLine>
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=DSQuery.EXE Discovery,Risk=70" condition="image">dsquery.exe</Image>
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Query.EXE Discovery,Risk=30" condition="image">query.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
-			<Image name="Attack=T1083,Technique=File and Directory Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=directory structure disclosure,Risk=30" condition="end with">tree.com</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
-			<Rule name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Auditpol System/GP Audit Policy Discovery" groupRelation="and">
-				<OriginalFileName condition="contains">auditpol</OriginalFileName>
-				<CommandLine condition="contains any">/get;-get;/list;-list;/backup;-backup</CommandLine>
-			</Rule>
-			<Image name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Group Policy Discovery with GPResult" condition="contains any">gpresult.exe</Image>
-			<CommandLine name="Attack=T1484.001,Technique=Group Policy Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Group Policy Discovery with Powershell" condition="contains any">get-gpo;get-gpresult;get-gpreg</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
-			<Image name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=Process Discovery,Risk=0" condition="image">tasklist.exe</Image>
-			<Image name="Attack=T1057,Technique=Process Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Process Discovery,Risk=0" condition="image">qprocess.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
-			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg query</CommandLine>
-			<CommandLine name="Attack=T1012,Technique=Query Registry,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=System information discovery with reg.exe,Risk=20" condition="contains">reg.exe query</CommandLine>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Remote Driver Querying" condition="image">driverquery.exe</Image>
-
-			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
-			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=Traceroute Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">tracert.exe</Image>
-			<Image name="Attack=T1018,Technique=Remote System Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=Pathping Remote System Discovery,MitreURL=https://attack.mitre.org/techniques/T1018/,Risk=30" condition="image">pathping.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Discovery: Security Software Discovery-->
-			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Alert=Sysmon Detection with driver altitude" groupRelation="or">
-				<CommandLine condition="contains all">find;385201</CommandLine>
-				<CommandLine condition="contains all">select-string;385201</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Alert=Antivirus/edr/siem Discovery" groupRelation="or">
-				<CommandLine condition="contains all">find;virus</CommandLine>
-				<CommandLine condition="contains all">select-string;virus</CommandLine>
-				<CommandLine condition="contains all">process;Description;virus</CommandLine>
-				<CommandLine condition="contains all">find;cb</CommandLine>
-				<CommandLine condition="contains all">select-string;cb</CommandLine>
-				<CommandLine condition="contains all">process;Description;cb</CommandLine>
-				<CommandLine condition="contains all">find;defender</CommandLine>
-				<CommandLine condition="contains all">select-string;defender</CommandLine>
-				<CommandLine condition="contains all">process;Description;defender</CommandLine>
-				<CommandLine condition="contains all">find;crowdstrike</CommandLine>
-				<CommandLine condition="contains all">select-string;crowdstrike</CommandLine>
-				<CommandLine condition="contains all">process;Description;crowdstrike</CommandLine>
-				<CommandLine condition="contains all">find;sentinel</CommandLine>
-				<CommandLine condition="contains all">select-string;sentinel</CommandLine>
-				<CommandLine condition="contains all">process;Description;sentinel</CommandLine>
-				<CommandLine condition="contains all">find;nessusd</CommandLine>
-				<CommandLine condition="contains all">select-string;nessusd</CommandLine>
-				<CommandLine condition="contains all">process;Description;nessusd</CommandLine>
-				<CommandLine condition="contains all">find;td-agent</CommandLine>
-				<CommandLine condition="contains all">select-string;td-agent</CommandLine>
-				<CommandLine condition="contains all">process;Description;td-agent</CommandLine>
-				<CommandLine condition="contains all">find;cbagentd</CommandLine>
-				<CommandLine condition="contains all">select-string;cbagentd</CommandLine>
-				<CommandLine condition="contains all">process;Description;cbagentd</CommandLine>
-				<CommandLine condition="contains all">find;sysmon</CommandLine>
-				<CommandLine condition="contains all">select-string;sysmon</CommandLine>
-				<CommandLine condition="contains all">process;Description;sysmon</CommandLine>
-				<CommandLine condition="contains all">find;winlogbeat</CommandLine>
-				<CommandLine condition="contains all">select-string;winlogbeat</CommandLine>
-				<CommandLine condition="contains all">process;Description;winlogbeat</CommandLine>
-				<CommandLine condition="contains all">find;winlogbeat</CommandLine>
-				<CommandLine condition="contains all">select-string;winlogbeat</CommandLine>
-				<CommandLine condition="contains all">process;Description;winlogbeat</CommandLine>
-				<CommandLine condition="contains all">find;csfalcon</CommandLine>
-				<CommandLine condition="contains all">select-string;csfalcon</CommandLine>
-				<CommandLine condition="contains all">process;Description;csfalcon</CommandLine>
-				<CommandLine condition="contains all">find;splunk</CommandLine>
-				<CommandLine condition="contains all">select-string;splunk</CommandLine>
-				<CommandLine condition="contains all">process;Description;splunk</CommandLine>
-				<CommandLine condition="contains all">find;sidecar</CommandLine>
-				<CommandLine condition="contains all">select-string;sidecar</CommandLine>
-				<CommandLine condition="contains all">process;Description;sidecar</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation" groupRelation="or">
-				<OriginalFileName name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discover,DS=Process: Process Creationy" condition="is">fltMC.exe</OriginalFileName>
-				<CommandLine name="Attack=T1063,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation" condition="contains">misc::mflt</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=AV Product detection via WMI,Risk=30" condition="contains">AntiVirusProduct</CommandLine>
-			<CommandLine name="Attack=T1016,Technique=Security Software Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=Security Settings via WMI,Risk=30" condition="contains">root\SecurityCenter2</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
-			<Image name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=System Information Discovery,Risk=30" condition="image">sysinfo.exe</Image>
-			<CommandLine name="Attack=T1016,Technique=System Information Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=System Information Discovery,Risk=30" condition="image">systeminfo</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
-			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=Network Connection Discovery with netsh,Risk=60" groupRelation="and">
-				<Image condition="image">netsh.exe</Image>
-				<CommandLine condition="contains any">get;list;show</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=Network Connection Changes with netsh,Risk=60" groupRelation="and">
-				<Image condition="image">netsh.exe</Image>
-				<CommandLine condition="excludes any">get;list;show</CommandLine>
-			</Rule>
-			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=ipconfig discovery,Risk=20" condition="image">ipconfig.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
-			<Image name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=System Network Connections Discovery,Risk=0" condition="image">netstat.exe</Image>
-			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp -a</CommandLine> 
-			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp.exe -a</CommandLine> 
-			<CommandLine name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=ARP Table Lookup Detected,Risk=30" condition="contains">arp  -a</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
-			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=Account Discovery,Risk=50" groupRelation="and">
-				<Image condition="contains any">whoami.exe;whoami1.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=3,Alert=WMIC Account Discovery,Risk=30" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains all">get;useraccount</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=DNS encryption enabled with netsh,Risk=40" groupRelation="and">
-				<Image condition="image">netsh.exe</Image>
-				<CommandLine condition="contains any">add;set</CommandLine>
-				<CommandLine condition="contains any">encryption;dohtemplate</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=Network Connection modifications with netsh,Risk=40" groupRelation="and">
-				<Image condition="image">netsh.exe</Image>
-				<CommandLine condition="contains any">add;del;set</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=NBTStat DNS Lookup,Risk=30" groupRelation="and">
-				<CommandLine condition="contains">nbtstat</CommandLine> 
-				<CommandLine condition="excludes">nessus</CommandLine> 
-			</Rule>
-			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=route.exe discovery,Risk=60" groupRelation="and">
-				<Image condition="image">route.exe</Image>
-				<CommandLine condition="contains">print</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=0,Desc=Route Modification,Risk=40" groupRelation="and">
-				<Image condition="image">route.exe</Image>
-				<CommandLine condition="contains any">ADD;DEL;CHANGE;-f</CommandLine>
-			</Rule>
-			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Process: Process Creation,Level=2,Alert=User enumeration with qwinsta" condition="image">qwinsta.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=rwinsta" condition="image">rwinsta.exe</Image>
-			
-			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-
-			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Possible Lateral Movmt via Office Application,Risk=80" groupRelation="and">
-				<ParentImage condition="contains">Microsoft Office\root\Office</ParentImage>
-				<Image condition="excludes">Microsoft Office\root\Office</Image>
-				<ParentCommandLine condition="contains all">automation;Embedding</ParentCommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.002,Tactic=Lateral Movement,Technique=SMB/Windows Admin Shares,DS=Process: Process Creation,Level=3,Alert=Command Ran over Admin Share" groupRelation="and">
-				<CommandLine condition="contains">admin$</CommandLine>
-				<CommandLine condition="excludes any">davclnt.dll</CommandLine>
-				<ParentCommandLine condition="excludes any">WebClientGroup</ParentCommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking: RDP Hijacking-->
-			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Remote Desktop Shadow Alert,Risk=100" condition="contains any">/shadow;-shadow</CommandLine>
-			<CommandLine name="Attack=T1563.002,Technique=RDP Hijacking,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Remote Desktop Shadow with no Consent alert" condition="contains">noConsentPrompt</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
-			<Rule name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=RDP Hijack Detected" groupRelation="and">
-				<ParentImage name="Attack=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=RDP Hijack Detected,Risk=100" condition="image">tscon.exe</ParentImage>
-				<CommandLine condition="contains">dest:rdp-tcp:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Powershell Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Emotet Executed via WMI,Risk=100" groupRelation="and">
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-				<Image condition="contains">\Users\</Image>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Network Detective System Scan Detected,Risk=100" groupRelation="and">
-				<Image condition="contains">NetworkDetective</Image>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Remote Tenable Malware Scan Detected,Risk=100" groupRelation="and">
-				<Image condition="image">sc.exe</Image>
-				<CommandLine condition="contains">tenable</CommandLine>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=CMD.exe Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
-				<Image condition="image">cmd.exe</Image>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-				<CommandLine condition="excludes any">do_vbsUpload;Spiceworks</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=regsvr32.exe Executed via WMI,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">regsvr32.exe</OriginalFileName>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=CMD Executed via WMI,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">cmd.exe</OriginalFileName>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Powershell Executed via WMI from recent Emotet Variants,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">powershell.exe</OriginalFileName>
-				<ParentImage condition="image">WmiPrvSE.exe</ParentImage>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=RSAT Tool Launch,Risk=100" groupRelation="and">
-				<CommandLine condition="contains">dsa.msc</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=HyperV Remote Management Tool Launch,Risk=100" groupRelation="and">
-				<CommandLine condition="contains">virtmgmt.msc</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Potential Malicious Remote WMI Execution Detected,Risk=100" groupRelation="and">
-				<ParentImage condition="image">wmiprvse.exe</ParentImage>
-				<Image condition="excludes">CompMgmtLauncher.exe</Image>
-				<Image condition="excludes">DismHost.exe</Image>
-				<Image condition="excludes">Microsoft.NET\Framework</Image>
-				<Image condition="excludes">NetEvtFwdr.exe</Image>
-				<Image condition="excludes">ServerManager.exe</Image>
-				<Image condition="excludes">WerFault.exe</Image>
-				<Image condition="excludes">chcp.com</Image>
-				<Image condition="excludes">g2mupdate.exe</Image>
-				<Image condition="excludes">slack.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1021.006,Technique=Remote Services: Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Suspicious Processes Spawned by WinRM,Risk=100" groupRelation="and">
-				<ParentImage condition="image">wsmprovhost.exe</ParentImage>
-				<Image condition="image">cmd.exe</Image>
-				<Image condition="image">sh.exe</Image>
-				<Image condition="image">bash.exe</Image>
-				<Image condition="image">wsl.exe</Image>
-				<Image condition="image">powershell.exe</Image>
-				<Image condition="image">powershell_ise.exe</Image>
-				<Image condition="image">schtasks.exe</Image>
-				<Image condition="image">at.exe</Image>
-				<Image condition="image">certutil.exe</Image>
-				<Image condition="image">mshta.exe</Image>
-				<Image condition="image">whoami.exe</Image>
-				<Image condition="image">ping.exe</Image>
-				<Image condition="image">ping.exe</Image>
-				<Image condition="image">bitsadmin.exe</Image>
-			</Rule>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Windows Remote Management Execution" condition="end with">winrm.cmd</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrs.exe</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrshost.exe</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=2,Alert=Waitfor.exe Execution bypass" condition="image">waitfor.exe</Image>
-			<Image name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</Image>
-			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=WINRS remote shell execution,Risk=100" condition="image">winrshost.exe</ParentImage>
-			<ParentImage name="Attack=T1021.006,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Windows Remote Management execution" condition="image">wsmprovhost.exe</ParentImage>
-			<Rule name="Attack=T1021.006,Technique=Remote WMIC/Execution,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Potential Malicious Document Execution,Risk=90" groupRelation="and">
-				<ParentImage condition="image">wmiprvse.exe</ParentImage>
-				<Image condition="image">mshta.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Secure Shell Execution,Risk=80" groupRelation="and">
-				<Image condition="contains any">ssh.exe;putty.exe;kitty.exe;kitty_portable.exe</Image>
-			</Rule>
-			<Product name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Putty utility detected,Risk=60">PuTTY suite</Product>
-			<Rule name="Attack=T1021.004,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Secure Shell FTP Execution,Risk=80" groupRelation="and">
-				<Image condition="contains any">sftp;psftp</Image>
-			</Rule>
-			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Possible SMBExec via Metasploit,Risk=100" groupRelation="and">
-				<CommandLine condition="is">rundll32.exe</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Trickbot,Risk=100" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">..\;,</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1021.002,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Trickbot 2,Risk=100" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">,StartW</CommandLine>
-			</Rule>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Sysinternals PSService" condition="contains">psservice</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=Sysinternals PsPasswd" condition="contains">PsPasswd</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Remote Desktop" condition="image">mstsc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=TFTP Execution" condition="image">tftp.exe</Image>
-			<CommandLine name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Process: Process Creation,Level=3,Alert=IIS powershellcustomhost exec" condition="contains">powershellcustomhost</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Remote Services: Distributed Component Object Model-->
-			<Rule name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation" groupRelation="and">
-				<ParentCommandLine condition="contains">-Embedding</ParentCommandLine>
-				<ParentImage condition="is">c:\windows\system32\mmc.exe</ParentImage>
-			</Rule>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=4,Alert=CrackmapExec - Malicious Command Line events,Tactic=Privilege Escalation" condition="contains all">--execm;atexec</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Background Intelligent Transfer Control Class 1.0" condition="contains">{4991d34b-80a1-4291-83b6-3328366b9097}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Excel.Application" condition="contains">{00020812-0000-0000-C000-000000000046}</CommandLine> 	  
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: HTML Application" condition="contains">{40AEEAB6-8FDA-41e3-9A5F-8350D4CFCA91}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: MMC20.APPLICATION" condition="contains">{7e0423cd-1119-0928-900c-e6d4a52a0715}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Outlook.Application" condition="contains">{0006F04A-0000-0000-C000-000000000046}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Powerpoint.Application" condition="contains">{048EB43E-2059-422F-95E0-557DA96038AF}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Shell.Application" condition="contains">{13709620-C279-11CE-A49E-444553540000}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: ShellBrowserWindow" condition="contains">{c08afd90-f2a1-11d1-8455-00a0c91f3880}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: ShellWindows" condition="contains">9BA05972-F6A8-11CF-A442-00A0C90A8F39</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Visio.Application" condition="contains">{00021A20-0000-0000-C000-000000000046}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: WScript.Shell" condition="contains">{72C24DD5-D70A-438B-8A42-98424B88AFB8}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM: Word.Application" condition="contains">{00020906-0000-0000-C000-000000000046}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Execution - Suspicious Cmdline - JScript Engine CLSID">{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Execution - Unusual Scripting Engine in use - chakra.dll">{1b7cd997-e5ff-4932-a7a6-2a9e636da385}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Execution - Unusual Scripting Engine in use - jscript9.dll">{16d51579-a30b-4c8b-a276-0ff4dc41e755}</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" condition="contains any">rundll32.exe -sta;rundll32.exe /sta;rundll32 -sta;rundll32 /sta</CommandLine>
-			<CommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=Rundll32 DCOM: CommandLine Execution" condition="contains all">shell32.dll;SHCreateLocalServerRunDll</CommandLine>
-			<ParentCommandLine name="Attack=T1021.003,Technique=Distributed Component Object Model,Tactic=Lateral Movement,DS=Process: Process Creation,Level=0,Desc=DCOM Launch" condition="contains any">-k DcomLaunch;/k DcomLaunch</ParentCommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-
-			<!--MITRE ATT&CK TACTIC: Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
-			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Dark Halo Protected zip file creation,Risk=100" groupRelation="and">
-				<Image condition="image">7z.exe</Image>
-				<CommandLine condition="contains any">a -mx9 -r0 -p;a -v500m -mx9 -r0 -p</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=7z Renamed,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">7z</OriginalFileName>
-				<Image condition="excludes">7z</Image>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Winrar Renamed,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">winrar</OriginalFileName>
-				<Image condition="excludes">winrar</Image>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Winrar Renamed,Risk=100" groupRelation="and">
-				<Product condition="contains">winrar</Product>
-				<Image condition="excludes">winrar</Image>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Winzip Renamed,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">winzip</OriginalFileName>
-				<Image condition="excludes">winzip</Image>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Archive Collected Data,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Powershell Compress-Archive,Risk=100" groupRelation="and">
-				<CommandLine condition="contains">Compress-Archive</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
-			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">WindowsAudioDevice-Powershell-Cmdlet</CommandLine>
-			<CommandLine name="Attack=T1123,Technique=Audio Capture,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Audio Capture Detected,Risk=100" condition="contains">SoundRecorder.exe</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
-			<Image name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,DS=Process: Process Creation,Level=3,Alert=Data injected into clipboard,Risk=30" condition="image">clip.exe</Image>
-			<CommandLine name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,DS=Process: Process Creation,Level=3,Alert=Data pulled from clipboard,Risk=40" condition="contains">get-clipboard</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
-			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
-			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=Possible Email Collection/Exfiltration,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">New-MailboxExportRequest</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=Process: Process Creation,Level=4,Alert=New Exchange Management Role could be used for email exfiltration,Risk=70" groupRelation="and">
-				<CommandLine condition="contains all">add-pssnapin;exchange;new-managementroleassignment;applicationimpersonation</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">screencapture</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.drawing.Imaging</CommandLine>			
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.drawing.bitmap</CommandLine>
-			<CommandLine name="Attack=T1001,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Screencapture Commands,Risk=100" condition="contains">system.windows.forms.screen</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
-			<!--MITRE ATT&CK TACTIC: Command and Control-->
-			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=base64 encoded URL https or http offset,Risk=80" groupRelation="and">
-				<CommandLine condition="contains any">odHRwczovL;aHR0cDovL;h0dHA6Ly;odHRwOi8v;aHR0cHM6Ly;h0dHBzOi8v</CommandLine>
-				<Image condition="excludes any">ie_to_edge_stub.exe;chrome.exe;firefox.exe;iexplore.exe;brave.exe;vivaldi.exe;msedge.exe;webex;teams.exe;goto opener.exe;lynx.exe;\Webex\webexAppLauncherLatest.exe;\WebEx\webexAppLauncher.exe;\WebEx\Applications\webexAppLauncher.exe;WebEx\webex.exe</Image>
-				<CommandLine condition="excludes any">wbx:;/SITE_TOKEN=;msteams:;PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSI</CommandLine>
-				<OriginalFileName condition="excludes any">msedgeupdate.dll</OriginalFileName>
-			</Rule>
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=Double Base64 encoded executable,Risk=90" groupRelation="and">
-				<CommandLine condition="contains any">VFZvQUFBQ;RWb0FBQU;UVm9BQUFB;VFZxQUFBR;RWcUFBQU;UVnFBQUFF;VFZwUUFBS;RWcFFBQU;UVnBRQUFJ;VFZxUUFBT;RWcVFBQU;UVnFRQUFN;VFZwVEFRR;RWcFRBUU;UVnBUQVFF</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=base64 encoded powershell" groupRelation="and">
-				<Image condition="image">powershell.exe</Image>
-				<CommandLine condition="contains any">AAAAYInlM;OiCAAAAYInlM;OiJAAAAYInlM;RwBlAHQAL;WwBOAGUAdAAuAFM;W05ldC5TZXJ2aWNl</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=Cyrillic Letter obfuscation,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">Г;И;К;П;д;и;к;л;л;н;н;о;ф;ե;թ;յ;ն;ն;ն;ն;տ;ւ;ք</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
-			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
-			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=Certutil file transfer,Risk=100" groupRelation="and">
-				<Image condition="image">certutil.exe</Image>
-				<CommandLine condition="contains all">urlcache;split;f</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=Command Line file transfer,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">DownloadFile;DownloadString;Net.WebClient;System.Net.WebRequest;System.Net.SecurityProtocolType;Invoke-Expression;Invoke-WebRequest</CommandLine>
-				<Image condition="contains any">powershell.exe;cmd.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=BitsAdmin File Transfers,Risk=70" groupRelation="and">
-				<OriginalFileName condition="is">bitsadmin.exe</OriginalFileName>
-				<CommandLine condition="contains any">CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME</CommandLine>
-				<CommandLine condition="excludes all">util;setieproxy;localsystem;AUTODETECT</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=BitsAdmin File Transfers 2,Risk=70" groupRelation="and">
-				<Description condition="contains">BITS administration utility</Description>
-				<CommandLine condition="contains any">CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1105,Tactic=Command And Control,Technique=Ingress Tool Transfer,DS=Process: Process Creation,Level=4,Alert=Linux Ingress transfer tools on Windows,Risk=30" groupRelation="and">
-				<Image condition="contains any">\curl.exe;\wget.exe;\www.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1105,Tactic=Command And Control,Technique=Ingress Tool Transfer,DS=Process: Process Creation,Level=4,Alert=Linux Ingress transfer tools on Windows,Risk=30" groupRelation="and">
-				<Image condition="contains any">\curl.exe;\wget.exe;\www.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Certutil file download 1,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">certutil</OriginalFileName>
-				<CommandLine condition="contains all">split;f</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Certutil file download 2,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">certutil</OriginalFileName>
-				<CommandLine condition="contains any">verifyctl;URL</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Potential Ingress Tool Transfer and tool usage within suspicious folders,Risk=100" groupRelation="and">
-				<CurrentDirectory condition="contains any">C:\Perflogs\;C:\Users\Public\;C:\root\</CurrentDirectory>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Potential Ingress Tool Transfer and tool usage within suspicious folders,Risk=100" groupRelation="and">
-				<Image condition="contains any">C:\Perflogs\;C:\Users\Public\;C:\root\</Image>
-			</Rule>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=BitsAdmin File Transfers,Risk=70" condition="image">start-bitstransfer</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" condition="contains">expand.exe \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" condition="contains">ieexec http</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" condition="contains">ieexec.exe http</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with Powercat,Risk=100" condition="contains">powercat</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" condition="contains any">esentutl /y \\;esentutl -y \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=esentutl Ingress Tool Transfer,Risk=70" condition="contains any">esentutl.exe /y \\;esentutl.exe -y \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" condition="contains">extrac32 \\</CommandLine>
-			<CommandLine name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" condition="contains">extrac32.exe \\</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
-			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
-			<CommandLine name="Attack=T1090,Technique=Connection Proxy,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=NetSH PortProxy,Risk=70" condition="contains">portproxy</CommandLine>
-			<Image name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Command and Control,DS=Process: Process Creation,Level=4,Alert=Tor Detected,Risk=100" condition="image">tor.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
-			<Image name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Process: Process Creation,Level=0,Desc=Teamviewer Unattended Session" condition="image">TeamViewer_Desktop.exe</Image>
-			<Rule name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=PSExec Command,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains any">psexec</OriginalFileName>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
-
-			<!--MITRE ATT&CK TACTIC: Exfiltration-->
-			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Exfiltration,DS=Process: Process Creation,Level=0,Desc=SCP Data exfiltration detected,Risk=100" groupRelation="and">
-				<Image condition="contains any">winscp.exe;winscp.com;scp.exe;pscp</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
-			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,DS=Process: Process Creation,Level=0,Desc=Data exfiltration Tool detected 3,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">bitch.exe;bitch.bat;bitch_lasagna.exe;Admin Cracker.exe;BulletsPassView.exe;ChromePass.exe;Dialupass.exe;LSASecretsView.exe;OpenedFilesView.exe;OperaPassView.exe;PasswordFox.exe;ProduKey.exe;RouterPassView.exe;USBDeview.exe;USBStealer.exe;VNCPassView.exe;WebBrowserPassView.exe;WirelessKeyView.exe;WirelessKeyView.exe;empv.exe;netpass.exe;pspv.exe;usbdll.exe;rdpv.exe;WirelessKeyView.exe;lasagna.exe;all -vvv &gt;&gt;;rsync -r</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,DS=Process: Process Creation,Level=0,Desc=CredsLeaker exfiltration tool detected,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">CredsLeaker;Windows.Security.Credentials.UI.CredentialPicker;function Leaker;function Await</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1020,Technique=Automated Exfiltration,Tactic=Impact,DS=Process: Process Creation,Level=0,Desc=merlin CnC exfiltration detected 4,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">.exe -url https://;dll,Run https://;Invoke-Merlin;-m SimpleHTTPServer;/m SimpleHTTPServer</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Process: Process Creation,Level=4,Alert=DNS Exfil detected,Risk=100" groupRelation="and">
-				<CommandLine condition="contains any">-q=txt;/q=txt</CommandLine>
-				<Image condition="image">nslookup.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1567.002,Technique=Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Process: Process Creation,Level=4,Alert=Rclone detected,Risk=100" groupRelation="or">
-				<OriginalFileName condition="contains any">rclone</OriginalFileName>
-				<Description condition="contains any">Rsync for cloud storage</Description>
-				<Product condition="contains any">rclone</Product>
-				<Company condition="contains any">rclone</Company>
-				<Image condition="contains any">\rclone</Image>
-			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Process: Process Creation,Level=4,Alert=S3browser detected,Risk=100" groupRelation="or">
-				<OriginalFileName condition="contains any">s3browser</OriginalFileName>
-				<Description condition="contains any">s3browser</Description>
-				<Product condition="contains any">s3browser</Product>
-				<Image condition="contains any">s3browser</Image>
-			</Rule>
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Process: Process Creation,Level=4,Alert=FTP exfiltration detected,Risk=100" groupRelation="or">
-				<CommandLine condition="contains any">add-ftp;.UploadFile(</CommandLine>
-				<Image condition="contains any">ftp.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1048,Tactic=Exfiltration,Technique=Exfiltration to Cloud Storage,DS=Process: Process Creation,Level=0,Desc=Webdav Share Mounted" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<CommandLine condition="contains all">davclnt.dll;DavSetCookie</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
-
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
-
-			<!--MITRE ATT&CK TACTIC: Impact-->
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Possible Ransomware Command Detected,Risk=100" groupRelation="and">
-				<Image condition="image">bcdedit.exe</Image>
-				<CommandLine condition="contains">safeboot</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Possible Ransomware Command Detected,Risk=100" groupRelation="and">
-				<Image condition="image">bootcfg.exe</Image>
-				<CommandLine condition="contains">safeboot</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Possible Ransomware Virtual Machine,Risk=60" groupRelation="and">
-				<CommandLine condition="contains any">-startvm;vrun.exe -vm</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with vssadmin Detected,Risk=100" groupRelation="and">
-				<Image condition="image">vssadmin.exe</Image>
-				<CommandLine condition="contains any">delete;resize</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wmic shadowcopy delete Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains all">shadowcopy;delete</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wbadmin.exe</OriginalFileName>
-				<CommandLine condition="contains all">SYSTEMSTATEBACKUP;delete</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wmic shadowstorage Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains">wmic shadowstorage SET MaxSpace=</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Destructive WMIC Commands Detected,Risk=100" groupRelation="and">
-				<OriginalFileName condition="contains">wmic.exe</OriginalFileName>
-				<CommandLine condition="contains any">cleareventlog;call disable;nteventlog where filename</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Alert=Data Destruction with diskpart" groupRelation="and">
-				<OriginalFileName condition="contains">diskpart.exe</OriginalFileName>
-				<CommandLine condition="contains any">format;clean;delete;remove</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Alert=Data Destruction with manage-bde.exe" groupRelation="and">
-				<OriginalFileName condition="contains">manage-bde.exe</OriginalFileName>
-				<CommandLine condition="contains any">changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Alert=Data Destruction with manage-bde.wsf" groupRelation="and">
-				<CommandLine condition="contains">manage-bde.wsf</CommandLine>
-				<CommandLine condition="contains any">changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw</CommandLine>
-			</Rule>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=3,Alert=Data Destruction with format" condition="begin with">format </CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=3,Alert=Data Destruction with format" condition="begin with">format </CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" condition="contains">bootstatuspolicy ignoreallfailures</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with bcdedit Detected,Risk=100" condition="contains">recoveryenabled No</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with get-wmiobject Detected,Risk=100" condition="contains">Win32_Shadowcopy</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with sdelete Detected,Risk=100" condition="contains">sdelete</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">delete catalog</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with wbadmin Detected,Risk=100" condition="contains">wbadmin delete catalog</CommandLine>
-			<CommandLine name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Desc=Data Destruction with erase Detected,Risk=100" condition="contains">erase</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=2,Alert=vShadow Commands" condition="contains">-nw -exec=</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=vShadow Commands" condition="contains">-p -nw</CommandLine>
-			<Image name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with shred Detected,Risk=100" condition="contains">shred</Image>
-			<ParentImage name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Diskshadow Execution,Risk=70" condition="contains">diskshadow</ParentImage>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=3,Alert=Command Line File Deletion,Risk=100" groupRelation="or">
-				<CommandLine condition="contains all"> del ; /f </CommandLine>
-				<CommandLine condition="contains all"> del ; -f </CommandLine>
-				<CommandLine condition="contains all"> rmdir ; /s ; /q </CommandLine>
-				<CommandLine condition="contains all"> rmdir ; -s ; -q </CommandLine>
-				<CommandLine condition="contains all"> rd ; /s ; /q </CommandLine>
-				<CommandLine condition="contains all"> rd ; -s ; -q </CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
-			<CommandLine name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=3,Alert=Potential Ransomware indicator" condition="contains">usn deletejournal</CommandLine>
-			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
-			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
-			<Rule name="Attack=T1107,Technique=File Deletion,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=FSUtil USN Journal Deletion,Risk=60" groupRelation="and">
-				<Image condition="image">fsutil.exe</Image>
-				<CommandLine condition="contains">deletejournal</CommandLine>
-				<CommandLine condition="contains">usn</CommandLine>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
-			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
-			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
-			<CommandLine name="Attack=T1059,Technique=Command-Line Interface,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Malicious Keywords from Exploitation Frameworks,Author=Florian Roth" condition="contains any">AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz</CommandLine>
-			<!--Crypto Currency Miner Detections-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact" groupRelation="or">
-				<CommandLine condition="contains any">ahashpool;blazepool;blockmasters;blockmasterscoins;ccminer;cgminer;coinhive;hashrefinery;minergate;miningpoolhubcoins;nicehash;poolname;poolpassword;poolurl;rainbowminer;sgminer;stratum+tcp;xmrMiner;xmrig;yiimp;zergpool;zergpoolcoins;zpool</CommandLine>
-				<Description condition="contains any">CPU miner;GPU miner;Lime Miner;XMRig CPU miner; miner</Description>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Process: Process Creation,Level=4,Alert=Solarwinds/FireEye sunburst hashes,Risk=100" groupRelation="and">
-				<Hashes condition="contains any">b91ce2fa41029f6955bff20079468448;02af7cec58b9a5da1c542b5a32151ba1;2c4a910a1299cdae2a4e55988a2f102e;846e27a652a5e1bfbd0ddd38a16dc865;4f2eb62fa529c0283b28d05ddd311fae;56ceb6d0011d87b6e4d7023d7ef85676</Hashes>
-			</Rule>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=plink.exe 64bit imphash matched,Risk=40">87AECF008D87EC86EC8B00A2394B3E6C</Hashes>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=plunk.exe 32bit imphash matched,Risk=40">FB3F0D0DE8B80EA8CFAB2A025EC6B833</Hashes>
-			<Hashes condition="end with" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=putty.exe 64bit imphash matched,Risk=40">F4067FBF7FFF6945D0BB485B727B39AA</Hashes>
-			<Hashes name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Generic APT Hash Detection,Risk=100" condition="contains any">4a069c1abe5aca148d5a8fdabc26751e;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;a4b42c2c95d1f2ff12171a01c86cd64f;98908ce6f80ecc48628c8d2bf5b2a50c;849a2b0dc80aeca3d175c139efe5221c;807d86da63f0db1fc746d1f0b05bc357;322cb39bc049aa69136925137906d855;86A4CAC227078B9C95C560C8F0370BF0;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;eac3e3ece94bc84e922ec077efb15edd;b4abe604916c04fe3dd8b9cb3d501d3f;88777aacd5f16599547926a4c9202862;128CECC59C91C0D0574BC1075FE7CB40;17a36ac3e31f3a18936552aff2c80249;0f49621b06f2cdaac8850c6e9581a594;3d129263f6a48647f103a04446fb0c2f;71345b139166482acaa568ac8816c7bc;1b60021baedc3f9201bcdb40e9b87f62;5E022694C0DBD1FBBC263D608E577949;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;37cd353621b0f4fc6981b50071c94f01;daf2da52475fd8981b19ec3c321a983c;afcdf79be1557326c854b6e20cb900a7;2f40abbb4f78e77745f0e657a19903fc953cc664;37b4496e650b3994312c838435013560b3ca8571;478dc5a5f934c62a9246f7d1fc275868f568bc07;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;0ac48cfa2ff8351365e99c1d26e082ad;0e9afd3a870906ebf34a0b66d8b07435;1aadf739782afcae6d1c3e4d1f315cbd;2a6f7ec77ab6bd4297e7b15ae06e2e61;3a771efb7ba2cd0df247ab570e1408b2;3d75c72144d873b3c1c4977fbafe9184;3dfebce4703f30eed713d795b90538b5;3ffd2915d285ad748202469d4a04e1f5;4e39620afca6f60bb30e031ddc5a4330;6cfd131fef548fcd60fbcdb59317df8e;7bcd736a2394fc49f3e27b3987cce640;7bfba2c69bed6b160261bdbf2b826401;7bfbd72441e1f2ed48fbc0f33be00f24;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;08e82dc7bae524884b7dc2134942aadb;8da15a97eaf69ff7ee184fc446f19cf1;9ad6fa6fdedb2df8055b3d30bd6f64f1;9c115e9a81d25f9d88e7aaa4313d9a8f;16ab79fb2fd92db0b1f38bedb2f02ed8;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;22d142f11cf2a30ea4953e1fffb0fa7e;36db24006e2b492cafb75f2663f241b2;51a7068640af42c3a7c1b94f1c11ab9d;69a19abf5ba56ee07cdd3425b07cf8bf;72dc98449b45a7f1ccdef27d51e31e91;77a745b07d9c453650dd7f683b02b3ed;80c37e062aa4c94697f287352acf2e9d;92f8e3f0f1f7cc49fad797a62a169acd;235d427f94630575a4ea4bff180ecf5d;320b2f1d9551b5d1df4fb19bd9ab253a;490a140093b5870a47edc29f33542fd2;520ee02668a1c7b7c262708e12b1ba6b;649ef1dd4a5411d3afcf108d57ff87af;684eca6b62d69ce899a3ec3bb04d0a5b;815f1f8a7bc1e6f94cb5c416e381a110;0969b2b399a8d4cd2d751824d0d842b4;2317d65da4639f4246de200650a70753;04078ef95a70a04e95bda06cc7bec3fa;8035a8a143765551ca7db4bc5efb5dfd;8403a28e0bffa9cc085e7b662d0d5412;9003cfaac523e94d5479dc6a10575e60;9793afcea43110610757bd3b800de517;27612cb03c89158225ca201721ea1aad;44619a88a6cff63523163c6a4cf375dd;061089d8cb0ca58e660ce2e433a689b3;81229c1e272218eeda14892fa8425883;84730a6e426fbd3cf6b821c59674c8a0;533340c54bd25256873b3dca34d7f74e;57314359df11ffdf476f809671ec0275;99828721ac1a0e32e4582c3f615d6e57;412956675fbc3f8c51f438c1abc100eb;5985087678414143d33ffc6e8863b887;a43d3b31575846fa4c3992b4143a06da;a571660c9cf1696a2f4689b2007a12c7;b4e67706103c3b8ee148394ebee3f268;b9c208ea8115232bfd9ec2c62f32d6b8;b9cf4301b7b186a75e82a04e87b30fe4;b72737b464e50aa3664321e8e001ff32;bfe3f6a79cad5b9c642bb56f8037c43b;c0e72eb4c9f897410c795c1b360090ef;c1e7850da5604e081b9647b58248d7e8;c3e255888211d74cc6e3fb66b69bbffb;cacaa3bf3b2801956318251db5e90f3c;cdb303f61a47720c7a8c5086e6b2a743;ce8ce92fb6565181572dce00d69c24f8;d8f1356bebda9e77f480a6a60eab36bb;d9e9f22988d43d73d79db6ee178d70a4;d5377dc1821c935302c065ad8432c0d2;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;f559c87b4a14a4be1bd84df6553aaf56;fc53f2cd780cd3a01a4299b8445f8511;ffc7305cb24c1955f9625e525d58aeee</Hashes>
-			<Hashes name="Attack=T1353,Technique=Post Compromise Tool Development,Tactic=Build Capabilities,DS=Process: Process Creation,Level=4,Alert=Windows Credential Editor Detection,Risk=70" condition="contains any">e96a73c7bf33a464c510ede582318bf2;a53a02b997935fd8eedcb5f7abab9b9f</Hashes>
-			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Ransomware Hash Detection,Risk=100" condition="contains any">d326e629a90e78825645963b35e53a6a;c579341f86f7e962719c7113943bb6e4;dc5733c013378fa418d13773f5bfe6f1;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc7e564809d6c2a2f3457c3c9b91f22b;FE2CA1BE3BDA2A757036A89E54CC02DB;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b</Hashes>
-			<Hashes name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Ursniff Bank Malware,Risk=100" condition="contains">53841a0c6a3ff92976db08bfdf95e083</Hashes>
-			<!--UEBA Activities-->
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Zoom: passwordless meeting Start,Risk=30" groupRelation="and">
-				<CommandLine condition="contains">zoommtg</CommandLine>
-				<CommandLine condition="excludes">pwd=</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Zoom: Video and Audio Session Start" groupRelation="and">
-				<CommandLine condition="contains">zoommtg</CommandLine>
-				<CommandLine condition="contains">zc=0</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Zoom: Screen Share,Risk=70" groupRelation="and">
-				<CommandLine condition="contains">zoommtg</CommandLine>
-				<CommandLine condition="contains">zc=1</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Microsoft Teams URL clicked" groupRelation="and">
-				<CommandLine condition="contains">msteams:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Webex URL clicked" groupRelation="and">
-				<CommandLine condition="contains">wbx:</CommandLine>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Executed files within Downloads,Risk=30" groupRelation="and">
-				<Image condition="contains">C:\Users\</Image>
-				<Image condition="contains">\Downloads\</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Executed files on Desktop,Risk=10" groupRelation="and">
-				<Image condition="contains">C:\Users\</Image>
-				<Image condition="contains">\Desktop\</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Linux tools installed on windows,Risk=30" groupRelation="and">
-				<Image condition="contains any">\awk.exe;\sed.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious Execution Locations,Risk=30" groupRelation="and">
-				<Image condition="contains any">C:\Users\Public\;$Recyclebin;\Desktop\;\Content.Outlook\</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=3,Desc=Suspicious Execution extensions,Risk=30" groupRelation="and">
-				<Image condition="contains any">C:\Users\Public\;$Recyclebin;\Desktop\;\Content.Outlook\;\Downloads\</Image>
-				<CommandLine condition="contains any">.html;.hta;.iso;.js;.bat;.cmd;.cmdline;.vbs;.vb;.vbe;.reg;.com</CommandLine>
-			</Rule>
-			<CommandLine condition="contains">listena</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=LOLBins" condition="contains any">-s -n -u -i:http:</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=LOLBins" condition="contains any">/s /n /u /i:http:</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">assoc </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">del </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">expand </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">md </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">move </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">rd </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">ren </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">set </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="begin with">setx </CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="contains any">bginfo.bgi /popup /nolicprompt;bginfo.bgi -popup -nolicprompt</CommandLine>
-			<CommandLine name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Interesting Command Line Events" condition="image">find.exe</CommandLine>
-			<CommandLine name="Attack=T1595,Technique=Hacking,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=FireEye/Fin6 Hacking tools" condition="contains">grabff</CommandLine>
-			<CommandLine name="Attack=T1595,Technique=Hacking,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=FireEye/Fin6 Hacking tools" condition="contains">routerscan</CommandLine>
-			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Hacking with python,Risk=70" condition="contains">pythonEngine.Execute</CommandLine>
-			<CommandLine name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Hacking with session hijacking,Risk=100" condition="contains">sesshijack</CommandLine>
-			<CommandLine name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=File Protocol Handler Execution" condition="contains">file://</CommandLine>
-			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=HTML APP Host" condition="end with">HTML Application host</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Manager Profile Installer" condition="end with">Manager Profile Installer</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Microsoft Application Virtualization Injector" condition="contains">Microsoft Application Virtualization Injector</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=App Compat Database installer" condition="contains">Application Compatibility Database Installer</Description>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="image">popd.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="image">pushd.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=LOLbin" condition="image">subst.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=detect aliases" condition="image">doskey.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=detect cls in batch scripts" condition="image">cls.exe</Image>
-			<Image name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=UNC\Device Launches - Image begins with \,Risk=10" condition="begin with">\</Image> 
-			<ParentCommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=IIS Child Processes" condition="begin with">C:\Windows\system32\svchost.exe -k iissvcs</ParentCommandLine>
-			<ParentImage name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=UNC\Device Launches - Parent Image begins with \,Risk=10" condition="begin with">\</ParentImage> 
-			<ParentImage name="Attack=T1059,DS=Process: Process Creation,Level=0,Desc=Process Spawned from Acrobat" condition="image">acrobat.exe</ParentImage>
-			<ParentImage name="Attack=T1059,DS=Process: Process Creation,Level=0,Desc=Process Spawned from Adobe Reader" condition="image">acrord32.exe</ParentImage>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Process Spawned from JAVA" condition="image">java.exe</ParentImage>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Process Spawned from JAVA" condition="image">javaw.exe</ParentImage>
-			<!--Detection of Output Redirection-->
-			<!-- Disabled for now: Reason: Overrides other detections, waiting on Sysmon multiple rule firing
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Output Redirection" condition="contains">2></CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Output Redirection" condition="contains">&gt;</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Output Redirection" condition="contains">&lt;</CommandLine>
-			-->
-			<!--Detect Multiple Commands-->
-			<Rule  name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=SVCHost Processes" groupRelation="and">
-				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
-			</Rule>
-			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Permission Modifications with icacls or cacls" condition="image">cacls.exe</Image>
-			<Image name="Attack=T1222,Technique=File Permissions Modification,Tactic=Defense Evasion,DS=Process: Process Creation,Level=0,Desc=Ownership Permission Modifications with takeown" condition="image">takeown.exe</Image>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Suspicious Cmdline: MsAccess MACRO Exec">/x Macro</CommandLine>
-			<Rule  name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Desc=Suspicious pipe via commandline" groupRelation="and">
-				<CommandLine condition="contains">\pipe\</CommandLine>
-				<CommandLine condition="excludes">&gt;</CommandLine>
-			</Rule>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Suspicious Cmdline: RDP Port">/noprofile</CommandLine>
-			<CommandLine condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Suspicious Cmdline: Schtasks">/sc ONEVENT</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=Execution run from \\VBOXSVR share" condition="contains">\\VBOXSVR</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=interactive command to slow output" condition="contains">| more</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=interactive command to slow output" condition="contains">|more</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Execution from \\tsclient share" condition="contains">\\tsclient</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Processor ARCH command Line" condition="contains">%PROCESSOR_ARCHITECTURE%</CommandLine>
-			<CommandLine name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=SysNative detected" condition="contains">sysnative</CommandLine>
-			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=AutoIT Application Detected" condition="contains">AutoIt</Description>
-			<Description name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Windows Filter loader" condition="contains">Microsoft Filter Loader</Description> 
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=3,Alert=interactive command to slow output" condition="is">more.com</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Acrobat Reader Launches" condition="image">acrord32.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=Gpupdate Launched" condition="image">gpupdate.exe</Image>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=.Net Framework executables" condition="contains">:\Windows\Microsoft.NET\</ParentImage>
-			<ParentImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Desc=System Child Processes" condition="is">System</ParentImage>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Process: Process Creation,Level=0,Desc=Generic User Execution,Risk=0" groupRelation="and">
-				<ParentImage condition="image">explorer.exe</ParentImage>
-				<Image name="Allow other rules to fire" condition="excludes any">\regedit.exe;\cmd.exe;terminal;\powershell</Image>
-			</Rule>
-			<!-- Log other command line events, this sometimes conflicts with rules, add to exclusions as necessary-->
-			<!-- <ParentCommandLine name="Information=Uncategorized Events,DS=Process: Process Creation" condition="contains any">/;\;-;unknown;</ParentCommandLine>-->
-		</ProcessCreate>
-	</RuleGroup>
-	<RuleGroup name="RG=Process Create Exclude Group" groupRelation="or">
-		<ProcessCreate onmatch="exclude">
-			<Rule name="exclude werfault from wmi" groupRelation="and">
-				<Image condition="image">C:\Windows\System32\WerFault.exe</Image>
-				<ParentImage condition="image">C:\Windows\System32\wbem\WmiPrvSE.exe</ParentImage>
-			</Rule>
-		</ProcessCreate>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
-	<RuleGroup name="RG=FileCreateTime Include Group" groupRelation="or">
-		<FileCreateTime onmatch="include">
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion,DS=File: File Metadata" condition="begin with">C:\Users</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion,DS=File: File Metadata" condition="begin with">C:\ProgramData</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion,DS=File: File Metadata" condition="contains">\Temp\</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion,DS=File: File Metadata" condition="contains">\tmp\</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion,DS=File: File Metadata" condition="contains">\drivers\</Image>
-			<Image name="Attack=T1070.006,Technique=Timestomp,Tactic=Defense Evasion,DS=File: File Metadata" condition="contains">\Download</Image>
-		</FileCreateTime>
-	</RuleGroup>
-	<RuleGroup name="RG=FileCreateTime Exclude Group" groupRelation="or">
-		<FileCreateTime onmatch="exclude">
-			<Image condition="image">C:\Windows\system32\backgroundTaskHost.exe</Image>
-			<Image condition="image">TrustedInstaller.exe</Image>
-			<Image condition="image">OneDrive.exe</Image>
-			<Image condition="image">vivaldi.exe</Image>
-			<Image condition="image">chrome.exe</Image>
-			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image>
-			<Image condition="contains">setup</Image>
-			<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image>
-			<Image condition="end with">\AppData\Local\Microsoft\Edge SxS\Application\msedge.exe</Image>
-		</FileCreateTime>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
-	<RuleGroup name="RG=NetworkConnect Include Group" groupRelation="or">
-		<NetworkConnect onmatch="include">
-			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
-			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Census Network Connection,Risk=40" condition="contains">census</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=ResearchScan Network Connection,Risk=70" condition="contains">researchscan</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Scanhub Network Connection,Risk=70" condition="contains">scanhub</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Shadow Network Connection,Risk=50" condition="contains">shadow</DestinationHostname>
-			<DestinationHostname name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Shodan Network Connection,Risk=50" condition="contains">shodan</DestinationHostname>
-			<Rule name="Attack=T1595,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Exchange 0day Attackers from September 2022,Risk=100" groupRelation="or">
-				<DestinationIp condition="is any">137.184.67.33;206.188.196.77;125.212.220.48;5.180.61.17;47.242.39.92;61.244.94.85;86.48.6.69;86.48.12.64;94.140.8.48;94.140.8.113;103.9.76.208;103.9.76.211;104.244.79.6;112.118.48.186;122.155.174.188;125.212.241.134;185.220.101.182;194.150.167.88;212.119.34.11</DestinationIp>
-				<DestinationIp condition="begin with">137.184.67.</DestinationIp>
-				<DestinationHostname condition="is any">httpbin.org</DestinationHostname>
-			</Rule>
-			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Advanced IP scanner Detected,Risk=90"  groupRelation="or">
-				<DestinationHostname condition="contains any">advanced-ip-scanner.com</DestinationHostname>
-			</Rule>
-			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Kali Linux Distribution Download/Apt URL,Risk=90"  groupRelation="or">
-				<DestinationHostname condition="contains any">kali.download</DestinationHostname>
-			</Rule>
-			<DestinationHostname condition="contains">shodan</DestinationHostname>
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
-
-			<!--MITRE ATT&CK TACTIC: Resource Development-->
-			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
-
-			<!--MITRE ATT&CK TACTIC: Initial Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
-			
-			<!--MITRE ATT&CK TACTIC: Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
-			<Rule name="Attack=T1059,Technique=Visual Basic,Tactic=Execution,DS=Network Traffic: Network Connection Creation,Level=4,Alert=WSCRIPT Network connection,Risk=80" groupRelation="and">
-				<Image condition="image">wscript.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
-			<!--MITRE ATT&CK TECHNIQUE: Native API-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<Image name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,DS=Network Traffic: Network Connection Creation,Level=4,Alert=AT.EXE Task Scheduler Network Connection,Risk=30" condition="image">at.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,DS=Network Traffic: Network Connection Creation,Level=4,Alert=SCHTasks.exe Task Scheduler Network Connection,Risk=30" condition="image">schtasks.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: System Services-->
-			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
-
-			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
-			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
-
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
-			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Temp file location network connection,Risk=30" groupRelation="and">
-				<Image condition="contains">\temp\</Image>
-				<DestinationIp condition="excludes any">127.0.0.1</DestinationIp>		
-			</Rule>
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from wwwroot folder: Possible webshell,Risk=100" groupRelation="and">
-				<Image condition="contains">\wwwroot\</Image>
-			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection in addins" condition="contains">\Windows\addins\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from Windows\repair Folder,Risk=70" condition="begin with">C:\Windows\repair\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from htdocs folder,Risk=70" condition="contains">\htdocs\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network Connection from systemprofile Folder,Risk=30" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from Intel logs,Risk=100" condition="begin with">C:\Intel\Logs\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from Windows\Addins Folder,Risk=70" condition="begin with">C:\Windows\addins\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from Windows\security Folder,Risk=100" condition="begin with">C:\Windows\security\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection from windows help folder,Risk=70" condition="begin with">C:\Windows\Help\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Suspicious network connection from Recycle bin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection in Windows Debug folder,Risk=100" condition="begin with">C:\Windows\Debug\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Network connection in Windows Font folder,Risk=100" condition="begin with">C:\Windows\Fonts\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Perflogs unusual network connection,Risk=70" condition="begin with">C:\PerfLogs\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Unusual network connection from Recycle bin,Risk=100" condition="contains">:\$Recycle.bin\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network Connection from Default User folder,Risk=30" condition="contains">:\Users\Default\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network Connection from NetworkService User folder,Risk=30" condition="begin with">C:\Users\NetworkService\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network connection from Public User folder,Risk=30" condition="begin with">C:\Users\Public\</Image>
-			<Image name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Network connection within Media Folder,Risk=30" condition="begin with">C:\Windows\Media\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Input Method Network Connection" condition="contains">\Windows\IME\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Programdata Network Connection" condition="begin with">C:\ProgramData</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
-			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
-			<Rule name="Attack=T1027.004,Tactic=Defense Evasion,Technique=Compile After Delivery,DS=Network Traffic: Network Connection Creation,Level=4,Alert=CSC Network Conections" groupRelation="and">
-				<Image condition="image">CSC.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
-			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
-			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
-			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
-			<Image name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=infDefaultInstall Network Connection" condition="image">infDefaultInstall.exe</Image>
-			<Image name="Attack=T1218,Technique=Control Panel,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Control Panel network connection" condition="image">SyncAppvPublishingServer.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Installutil-->
-			<Image name="Attack=T1218.004,Technique=InstallUtil,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=InstallUtil network connection" condition="image">InstallUtil.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Msiexec-->
-			<Image name="Attack=T1218.007,Technique=MSIExec,Tactic=Defense Evasion,DS=Network Traffic: Network Connection Creation,Level=4,Alert=MSIExec Network connection,Risk=70" condition="image">msiexec.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvcs/regasm-->
-			<Rule name="Attack=T1218,Technique=Signed Binary Proxy Execution,Tactic=Execution,DS=Network Traffic: Network Connection Creation,Level=4,Alert=RegAsm shellcode C2 connection" groupRelation="and">
-				<Image condition="contains any">regasm.exe;regsvcs.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Mavinject-->
-			<Image name="Attack=T1218.013,Technique=Signed Binary Proxy Execution: Mavinject,Tactic=Execution,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Mavinject detected,Risk=80" condition="image">Mavinject.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
-			<Rule name="Attack=T1127,Tactic=Defense Evasion,Technique=Signed Binary Proxy Execution,DS=Network Traffic: Network Connection Creation,Level=4,Alert=MSBuild Network Conections" groupRelation="and">
-				<Image condition="image">msbuild.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
-			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
-
-			<!--MITRE ATT&CK TACTIC: Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
-			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
-			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
-			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
-
-			<!--MITRE ATT&CK TACTIC: Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
-			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
-			<Image name="Attack=T1482,Technique=Domain Trust Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DSQuery network connection" condition="image">dsquery.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
-			<Image name="Attack=T1518,Technique=Software Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DriverQuery Network Connection" condition="image">driverquery.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
-			<Image name="Attack=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=4,Alert=NBTSTAT Query,Risk=30" condition="image">nbtstat.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
-			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net.exe</Image>
-			<Image name="Attack=T1021,Technique=System Network Configuration Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=net.exe nework connection,Risk=30" condition="image">net1.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
-			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=2,Alert=QWinsta User enumeration,Risk=30" condition="image">qwinsta.exe</Image>
-			<Image name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=3,Alert=RWinsta Forced User Logoff,Risk=30" condition="image">rwinsta.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-
-			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
-			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Suspicious RDP Connection 3389,Risk=70" groupRelation="and">
-				<Initiated>true</Initiated>
-				<DestinationPort condition="is">3389</DestinationPort>
-				<Image condition="excludes">AutomationManager.ScriptRunner64.exe</Image>
-				<Image condition="excludes">C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe</Image>
-				<Image condition="excludes">C:\Program Files\VMware\VMware Remote Console\vmrc.exe</Image>
-				<Image condition="excludes">C:\Program Files\WindowsApps\Microsoft.RemoteDesktop_</Image>
-				<Image condition="excludes">CtxLicUsageRecorder.exe</Image>
-				<Image condition="excludes">FSAssessment.exe</Image>
-				<Image condition="excludes">FSDiscovery.exe</Image>
-				<Image condition="excludes">MobaRTE.exe</Image>
-				<Image condition="excludes">RDCMan.exe</Image>
-				<Image condition="excludes">RSSensor.exe</Image>
-				<Image condition="excludes">RTS2App.exe</Image>
-				<Image condition="excludes">RTSApp.exe</Image>
-				<Image condition="excludes">RemoteDesktopManager64.exe</Image>
-				<Image condition="excludes">RemoteDesktopManager.exe</Image>
-				<Image condition="excludes">RemoteDesktopManagerFree.exe</Image>
-				<Image condition="excludes">Terminals.exe</Image>
-				<Image condition="excludes">chrome.exe</Image>
-				<Image condition="excludes">mRemote.exe</Image>
-				<Image condition="excludes">mRemoteNG.exe</Image>
-				<Image condition="excludes">mstsc.exe</Image>
-				<Image condition="excludes">spiceworks-finder.exe</Image>
-				<Image condition="excludes">svchost.exe</Image>
-				<Image condition="excludes">thor64.exe</Image>
-				<Image condition="excludes">thor.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Suspicious RDP Connection 3391,Risk=70" groupRelation="and">
-				<Initiated>true</Initiated>
-				<DestinationPort condition="is">3391</DestinationPort>
-				<Image condition="excludes">AutomationManager.ScriptRunner64.exe</Image>
-				<Image condition="excludes">C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe</Image>
-				<Image condition="excludes">C:\Program Files\VMware\VMware Remote Console\vmrc.exe</Image>
-				<Image condition="excludes">C:\Program Files\WindowsApps\Microsoft.RemoteDesktop_</Image>
-				<Image condition="excludes">CtxLicUsageRecorder.exe</Image>
-				<Image condition="excludes">FSAssessment.exe</Image>
-				<Image condition="excludes">FSDiscovery.exe</Image>
-				<Image condition="excludes">MobaRTE.exe</Image>
-				<Image condition="excludes">RDCMan.exe</Image>
-				<Image condition="excludes">RSSensor.exe</Image>
-				<Image condition="excludes">RTS2App.exe</Image>
-				<Image condition="excludes">RTSApp.exe</Image>
-				<Image condition="excludes">RemoteDesktopManager64.exe</Image>
-				<Image condition="excludes">RemoteDesktopManager.exe</Image>
-				<Image condition="excludes">RemoteDesktopManagerFree.exe</Image>
-				<Image condition="excludes">Terminals.exe</Image>
-				<Image condition="excludes">chrome.exe</Image>
-				<Image condition="excludes">mRemote.exe</Image>
-				<Image condition="excludes">mRemoteNG.exe</Image>
-				<Image condition="excludes">mstsc.exe</Image>
-				<Image condition="excludes">spiceworks-finder.exe</Image>
-				<Image condition="excludes">svchost.exe</Image>
-				<Image condition="excludes">thor64.exe</Image>
-				<Image condition="excludes">thor.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Localhost RDP Tunneling Detection,Risk=70" groupRelation="and">
-				<Initiated>true</Initiated>
-				<DestinationPort condition="is">3389</DestinationPort>
-				<DestinationIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</DestinationIp>
-			</Rule>
-			<Rule name="Attack=T1021.001,Tactic=Lateral Movement,Technique=Remote Desktop Protocol,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Link-Local RDP Tunnel Detection,Risk=70" groupRelation="and">
-				<Initiated>true</Initiated>
-				<DestinationPort condition="is">3389</DestinationPort>
-				<DestinationIp condition="begin with">fe80:0</DestinationIp>
-			</Rule>
-			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=SSH Connection with Putty,Risk=80" groupRelation="and">
-				<Image condition="contains any">putty.exe;kitty.exe;kitty_portable.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Windows Remote Management connection,Risk=0" groupRelation="and">
-				<Image condition="image">wsmprovhost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=PSFTP Connection,Risk=70" groupRelation="and">
-				<Image condition="image">psftp.exe</Image>
-			</Rule>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote Registry via command line,Risk=30" condition="image">reg.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote Registry via command line,Risk=80" condition="contains">psshutdown</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote password change with PSPasswd,Risk=80" condition="contains">PsPasswd</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Remote querying of services,Risk=80" condition="contains">psservice</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=SSH Connection with ssh.exe,Risk=30" condition="image">ssh.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Sysinternals PSEXE Tools,Risk=100" condition="contains">psexe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=TSFTP Connection,Risk=70" condition="image">tftp.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Telnet Connection,Risk=30" condition="image">telnet.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=MSTSC Remote Desktop Connection" condition="image">mstsc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Remote WMIC commands,Risk=30" condition="image">wmic.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=SC.exe Network Connection" condition="image">sc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Sysinternals PSKILL Tools,Risk=80" condition="contains">pskill</Image>
-			<Image name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DSQuery network connection" condition="image">dsquery.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Automated SSH Connection with Putty PLink,Risk=30" condition="image">plink.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=VNC" condition="image">vnc.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=VNC Viewer" condition="image">vncviewer.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=3,Alert=VNC Service" condition="image">vncservice.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation" condition="image">omniinet.exe</Image>
-			<Image name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation" condition="image">hpsmhd.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-
-			<!--MITRE ATT&CK TACTIC: Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
-			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
-			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
-
-			<!--MITRE ATT&CK TACTIC: Command and Control-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Cobalt Strike Team Server port,Risk=70" groupRelation="and">
-				<DestinationPort condition="is">50050</DestinationPort>
-				<Initiated>true</Initiated>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Outbound SMTP Email Sending,Risk=10" groupRelation="and">
-				<DestinationPort condition="is">25</DestinationPort>
-				<Image condition="excludes any">\Bin\EdgeTransport.exe;Bin\MSExchangeFrontendTransport.exe</Image>
-				<Initiated>true</Initiated>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
-			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
-			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Rule name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Powershell Network Connection,Risk=30" groupRelation="and">
-				<Image condition="image">powershell.exe</Image>
-				<DestinationIp condition="excludes any">0:0:0:0:0:0:0:;127.0.0.1</DestinationIp>
-			</Rule>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=MSHTA Network Connection,Risk=100" condition="image">mshta.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=CMD Prompt network Connection,Risk=20" condition="image">cmd.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Certutil Connecting to network,Risk=20" condition="image">certutil.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Bitsadmin Connecting to network,Risk=20" condition="image">certutil.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Notepad Network Connection" condition="image">notepad.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=RegSVCS Network Connection,Risk=30" condition="image">regsvcs.exe</Image>
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=RegSVR32 Network Connection,Risk=30" condition="image">regsvr32.exe</Image> 
-			<Image name="Attack=T1053.005,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Network Traffic: Network Connection Creation,Level=0,Desc=RunDLL32 Network Connection,Risk=30" condition="image">rundll32.exe</Image>
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
-			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy: Multi-hop Proxy-->
-			<Image name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Tor Connection" condition="image">tor.exe</Image>
-			<DestinationHostname name="Attack=T1090.003,Technique=Multi-hop Proxy,Tactic=Command And Control,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Tor2Web,Risk=100" condition="contains any">hiddenservice.net;onion.city;onion.direct;onion.direct;onion.link;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org;onion.to</DestinationHostname>
-			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
-
-			<!--MITRE ATT&CK TACTIC: Exfiltration-->
-			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Desc=DNS Over HTTPS" condition="contains any">dns.google;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;doh.opendns.com;.quad9.net;dns.cleanbrowsing.org;dns-family.adguard.com;dns.adguard.com;.233py.com;dnscrypt;dnscrypt-cert.oszx.co;dns.oszx.co;doh.dns.sb;doh.defaultroutes.de;doh.tiarap.org;doh.tiar.app;doh.captnemo.in;.aaflalo.me;doh.appliedprivacy.net;doh.dnswarden.com;commons.host;dns.twnic.tw;ibuki.cgnat.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;.seby.io;rdns.faelix.net;doh.li;.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk;adblock.mydns.network;ibksturm.synology.me;jcdns.fun</DestinationHostname>
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Desc=privatlab.com Cloud Exfiltration" condition="contains all">privatlab.com</DestinationHostname>
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=3,Alert=Mega.co.nz Cloud Exfiltration" condition="contains any">mega.nz;mega.co.nz</DestinationHostname>
-			<DestinationHostname name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=3,Alert=PCloud Cloud storage Exfiltration" condition="contains any">.pcloud.com</DestinationHostname>
-			<!--MITRE ATT&CK TACTIC: Impact-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
-			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
-			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
-			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Crypto Currency Miner Detected,Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,Risk=100" condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool</DestinationHostname>
-			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
-			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
-			<!--UEBA Rules-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Inbound Windows SVCHost Network Connection" groupRelation="and">
-				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
-				<DestinationPort condition="is not">3389</DestinationPort>
-				<DestinationPort condition="is not">22</DestinationPort>
-				<DestinationPort condition="is not">21</DestinationPort>
-				<DestinationPort condition="is not">5985</DestinationPort>
-				<Initiated>false</Initiated>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Outbound Windows SVCHost Network Connection" groupRelation="and">
-				<Image condition="image">C:\Windows\system32\svchost.exe</Image>
-				<Initiated>true</Initiated>
-				<SourcePort condition="is not">135</SourcePort>
-				<SourcePort condition="is not">445</SourcePort>
-				<DestinationPort condition="is not">5985</DestinationPort>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Outbound Non-System port 445 SMB connections" groupRelation="and">
-				<Image condition="is not">System</Image>
-				<Image condition="excludes">svchost.exe</Image>
-				<DestinationPort condition="is">445</DestinationPort>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Outbound Non-System port 389 LDAP connections" groupRelation="and">
-				<Image condition="is not">System</Image>
-				<Image condition="excludes any">svchost.exe;lsass.exe</Image>
-				<DestinationPort condition="is">389</DestinationPort>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Inbound LDAP Connections" groupRelation="and">
-				<Image condition="image">C:\Windows\System32\lsass.exe</Image>
-				<DestinationPort condition="is">389</DestinationPort>
-				<DestinationIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</DestinationIp>
-				<SourceHostname condition="excludes any">EXCH</SourceHostname>
-				<SourceIp condition="excludes any">127.0.0.1;0:0:0:0:0:0:0:1;fe80:0</SourceIp>
-				<Initiated>false</Initiated>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Notepad connecting to the internet" groupRelation="and">
-				<Image condition="image">notepad.exe</Image>
-				<DestinationIp condition="excludes">127.0.0.1</DestinationIp>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Browsers accessing non-standard ports" groupRelation="and">
-				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe</Image>
-				<DestinationPort condition="is not">80</DestinationPort>
-				<DestinationPort condition="is not">443</DestinationPort>
-				<Initiated>true</Initiated>
-			</Rule>
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Connection to Github,Risk=30" condition="contains">github</DestinationHostname> 
-			<DestinationHostname name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Connection to Github,Risk=30" condition="contains">githubusercontent.com</DestinationHostname>
-			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Alert=Dropbox Cloud Exfiltration" groupRelation="and">
-				<DestinationHostname condition="end with">dropboxapi.com</DestinationHostname>
-				<Image condition="excludes any">\Dropbox\Client\Dropbox.exe;\Dropbox\bin\Dropbox.exe;\Oracle\Java\</Image>
-			</Rule>
-			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Alert=OneDrive Cloud Exfiltration" groupRelation="and">
-				<DestinationHostname condition="contains">1drv</DestinationHostname>
-				<!--We're looking for alternative Programs accessing Onedrive, If Onedrive is not allowed, uncomment onedrive exe exclusions-->
-				<Image condition="excludes any">C:\Program Files\Microsoft OneDrive\OneDrive.exe;\AppData\Local\Microsoft\OneDrive\OneDrive.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;\Internet Explorer\iexplore.exe;C:\Windows\System32\AppHostRegistrationVerifier.exe;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe;C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe;C:\Program Files\Mozilla Firefox\firefox.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=0,Alert=Box.com Cloud Exfiltration" groupRelation="and">
-				<DestinationHostname condition="contains all">.box.com;upload</DestinationHostname>
-			</Rule>
-			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Mega.co.nz Cloud Exfiltration" groupRelation="and">
-				<DestinationHostname condition="contains any">mega.nz;mega.co.nz</DestinationHostname>
-			</Rule>
-			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Privatlab Cloud Exfiltration" groupRelation="and">
-				<DestinationHostname condition="contains any">privatlab.com</DestinationHostname>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Social Networking" groupRelation="or">
-				<DestinationHostname condition="contains any">tiktok;parler.com;gab.com;mewe.com;4chan;8chan;facebook;fbcdn;twitter;instagram;snapchat</DestinationHostname>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Internet Relay Chat,Risk=70" groupRelation="or">
-				<DestinationHostname condition="contains any">efnet;undernet;freenode;ircnet;.rizon;quakenet;oftc.net;dalnet</DestinationHostname>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Internet Chat,Risk=20" groupRelation="and">
-				<DestinationHostname condition="contains any">.slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com</DestinationHostname>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Apache Webserver" groupRelation="and">
-				<Image condition="image">apache.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=JAVA Network Connections" groupRelation="and">
-				<Image condition="image">java.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Microsoft IIS Webserver" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=PHP Webserver" groupRelation="and">
-				<Image condition="contains any">\php-cgi.exe;\php.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Setup Network connectivity" groupRelation="and">
-				<Image condition="contains">setup</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Tomcat Webserver connectivity" groupRelation="and">
-				<Image condition="contains">tomcat</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Uninstaller Network connectivity" groupRelation="and">
-				<Image condition="contains">unins</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Unknown Process Connecting to network" groupRelation="and">
-				<Image condition="contains">unknown process</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Windows Explorer Network Connection" groupRelation="and">
-				<Image condition="image">explorer.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Windows SMTP Server" groupRelation="and">
-				<Image condition="image">inetinfo.exe</Image>
-			</Rule>
-			<!--3rd Party tools-->
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Netcat network connection Detected" condition="contains any">netcat.exe;nc.exe;nc64.exe;ncat.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Procdump Detected" condition="contains any">procdump</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=PSExec Network Connection" condition="contains any">psexe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC Network Connection" condition="contains any">vnc;vncs;vncv</Image>
-			<Rule name="Attack=T1595.002,Technique=Vulnerability Scanning,Tactic=Reconnaissance,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Port Scan Tool Detected,Risk=100" groupRelation="or">
-				<Image condition="contains any">rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe;advanced_port_scanner.exe;rcpping.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe</Image>
-			</Rule>
-			<!--Destination Ports to Monitor-->
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Port: 0" condition="is">0</DestinationPort>
-			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5985</DestinationPort>
-			<DestinationPort name="Attack=T1028,Technique=Windows Remote Management,Tactic=Lateral Movement,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Powershell Remoting,Risk=0" condition="is">5986</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=IPSec" condition="is">1293</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=L2TP" condition="is">1701</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=OpenVPN,Risk=39" condition="is">1194</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Remote Assistance Connection,Risk=20" condition="is">3540</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Remote Desktop Connection,Risk=20" condition="is">3389</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=SSH Port,Risk=30" condition="is">22</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Socks Proxy Port 1080" condition="is">1080</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Socks Proxy Port 3128" condition="is">3128</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Socks Proxy Port 8080" condition="is">8080</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=TOR Port" condition="is">1723</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Telnet Port,Risk=30" condition="is">23</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Tor Port" condition="is">4500</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Tor Port,Risk=50" condition="is">9001</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Tor Port,Risk=50" condition="is">9030</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC Port" condition="is">5900</DestinationPort>
-			<DestinationPort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC,Risk=50" condition="is">5800</DestinationPort>
-			<!--Source Ports to Monitor-->
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Port: 0" condition="is">0</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTP" condition="is">80</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTPS" condition="is">443</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=LDAPS" condition="is">636</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=VNC" condition="is">5900</SourcePort>
-			<SourcePort name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=HTTPS" condition="is">443</SourcePort>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Web Browser HTTP Connections" groupRelation="and">
-				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe</Image>
-				<DestinationPort condition="is">80</DestinationPort>
-				<Initiated>true</Initiated>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Non-Browsers Accessing HTTPS" groupRelation="and">
-				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
-				<DestinationPortName condition="is">https</DestinationPortName>
-				<Initiated>true</Initiated>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Non-Browsers Accessing HTTP" groupRelation="and">
-				<Image condition="excludes any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe</Image>
-				<DestinationPortName condition="is">http</DestinationPortName>
-				<Initiated>true</Initiated>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=Web Browser HTTPS Connections" groupRelation="and">
-				<Image condition="contains any">\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe</Image>
-				<DestinationPort condition="is">443</DestinationPort>
-				<Initiated>true</Initiated>
-			</Rule>
-			<!--Suspicious network connections-->
-			<DestinationHostname name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Connection Creation,Level=4,Alert=Dynamic DNS Connection" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</DestinationHostname>
-		</NetworkConnect>
-	</RuleGroup>
-	<RuleGroup name="RG=NetworkConnect Exclude Group" groupRelation="or">
-		<NetworkConnect onmatch="exclude">
-			<Protocol condition="contains">udp</Protocol>
-			<Rule name="exclude interprocess communications with localhost" groupRelation="and">
-				<Image condition="contains any">System;svchost.exe;oracle.exe;apache.exe;java.exe;php-cgi.exe;w3wp.exe;httpd;ServerManager.exe;unknown process;sql;wscript;cscript;schtasks;at.exe;reg.exe;C:\Windows\System32\find.exe</Image>
-				<SourceIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</SourceIp>
-				<DestinationIp condition="is any">127.0.0.1;0:0:0:0:0:0:0:1</DestinationIp>
-			</Rule>
-			<!--SECTION: Custom -->
-			<Rule name="exclude dest ldap port 88" groupRelation="and">
-				<Image condition="image">C:\Windows\System32\lsass.exe</Image>
-				<DestinationPort condition="is">88</DestinationPort>
-			</Rule>
-			<!--Disable Monitoring of Protocols-->
-			<DestinationPortName condition="is">epmap</DestinationPortName>
-			<DestinationPortName condition="is">llmnr</DestinationPortName>
-			<DestinationPortName condition="is">microsoft-ds</DestinationPortName>
-			<DestinationPortName condition="is">netbios-dgm</DestinationPortName>
-			<DestinationPortName condition="is">ntp</DestinationPortName>
-			<DestinationPortName condition="is">ssdp</DestinationPortName>
-			<SourcePortName condition="is">epmap</SourcePortName>
-			<SourcePortName condition="is">llmnr</SourcePortName>
-			<SourcePortName condition="is">microsoft-ds</SourcePortName>
-			<SourcePortName condition="is">netbios-dgm</SourcePortName>
-			<SourcePortName condition="is">ntp</SourcePortName>
-			<SourcePortName condition="is">ssdp</SourcePortName>
-			<!--Disable Monitoring on Ports-->
-			<DestinationPort name="Service=DNS" condition="is">53</DestinationPort>
-			<DestinationPort name="Service=DNS" condition="is">67</DestinationPort>
-			<DestinationPort name="Service=Bootp" condition="is">68</DestinationPort>
-			<DestinationPort name="Service=SQL Noise" condition="is">1434</DestinationPort>
-			<DestinationPort name="Service=Radius" condition="is">1812</DestinationPort>
-			<DestinationPort name="Service=Teredo" condition="is">3544</DestinationPort>
-			<DestinationPort name="Service=WS-Discovery" condition="is">3702</DestinationPort>
-			<DestinationPort name="Service=Google Chrome Safe Search" condition="is">5228</DestinationPort>
-			<DestinationPort name="Service=Bonjour/Avahi" condition="is">5353</DestinationPort>
-			<DestinationPort name="Service=WSD API" condition="is">5357</DestinationPort>
-			<DestinationPort name="Service=Vcenter Secure server for CIM" condition="is">5989</DestinationPort>
-			<DestinationPort name="Service=Exchange WMI" condition="is">6007</DestinationPort>
-			<DestinationPort name="Service=DFRS/ADFS Replication 1" condition="is">49154</DestinationPort>
-			<DestinationPort name="Service=DFRS/ADFS Replication 2" condition="is">49209</DestinationPort>
-			<DestinationPort name="Service=DFRS/ADFS Replication 3" condition="is">52176</DestinationPort>
-			<DestinationPort name="Service=DFRS/ADFS Replication 4" condition="is">59241</DestinationPort>
-			<SourcePort name="Service=DNS" condition="is">53</SourcePort>
-			<SourcePort name="Service=Bootp" condition="is">67</SourcePort>
-			<SourcePort name="Service=Bootp" condition="is">68</SourcePort>
-			<SourcePort name="Service=Radius" condition="is">1812</SourcePort>
-			<SourcePort name="Service=WS-Discovery" condition="is">3702</SourcePort>
-			<SourcePort name="Service=Exchange WMI" condition="is">6007</SourcePort>
-			<SourcePort name="Service=DFRS/ADFS Replication" condition="is">49154</SourcePort>
-			<SourcePort name="Service=DFRS/ADFS Replication" condition="is">49209</SourcePort>
-			<SourcePort name="Service=DFRS/ADFS Replication" condition="is">50646</SourcePort>
-			<SourcePort name="Service=DFRS/ADFS Replication" condition="is">52176</SourcePort>
-			<SourcePort name="Service=DFRS/ADFS Replication" condition="is">59241</SourcePort>
-			<!--SECTION: Microsoft -->
-			<DestinationHostname condition="end with">.bing.com</DestinationHostname>
-			<DestinationHostname condition="end with">.cloudapp.net</DestinationHostname>
-			<DestinationHostname condition="end with">.lync.com</DestinationHostname>
-			<DestinationHostname condition="end with">.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">.outlook.com</DestinationHostname>
-			<DestinationHostname condition="end with">.search.msn.com</DestinationHostname>
-			<DestinationHostname condition="end with">.wns.windows.com</DestinationHostname>
-			<DestinationHostname condition="end with">aps.windows.com</DestinationHostname>
-			<DestinationHostname condition="end with">arc.msn.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">arc.msn.com</DestinationHostname>
-			<DestinationHostname condition="end with">atson.telemetry.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">au.download.windowsupdate.com</DestinationHostname>
-			<DestinationHostname condition="end with">b.akamaiedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">bingforbusiness.com</DestinationHostname>
-			<DestinationHostname condition="end with">client-office365-tas.msedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">config.edge.skype.com</DestinationHostname>
-			<DestinationHostname condition="end with">csp.digicert.com</DestinationHostname>
-			<DestinationHostname condition="end with">ctldl.windowsupdate.com</DestinationHostname>
-			<DestinationHostname condition="end with">cy2.licensing.md.mp.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">cy2.settings.data.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">displaycatalog.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">download.windowsupdate.com</DestinationHostname>
-			<DestinationHostname condition="end with">e-msedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">e3.delivery.dsp.mp.microsoft.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">emdl.ws.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">ettings-win.data.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">fe2.update.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">fe3.delivery.dsp.mp.microsoft.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">fe3.delivery.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">g.akamaiedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">g.live.com</DestinationHostname>
-			<DestinationHostname condition="end with">g.msn.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">geo-prod.do.dsp.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">geo-prod.dodsp.mp.microsoft.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">ile-service.weather.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">ip5.afdorigin-prod-am02.afdogw.com</DestinationHostname>
-			<DestinationHostname condition="end with">ipv4.login.msa.akadns6.net</DestinationHostname>
-			<DestinationHostname condition="end with">licensing.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">m3p.wns.notify.windows.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">modern.watson.data.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">msedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">msn.com.nsatc.net</DestinationHostname>
-			<DestinationHostname condition="end with">msn.com</DestinationHostname>
-			<DestinationHostname condition="end with">ocation-inference-westus.cloudapp.net</DestinationHostname>
-			<DestinationHostname condition="end with">ocos-office365-s2s.msedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">ocsp.digicert.com</DestinationHostname>
-			<DestinationHostname condition="end with">odern.watson.data.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">oneclient.sfx.ms</DestinationHostname>
-			<DestinationHostname condition="end with">pv4.login.msa.akadns6.net</DestinationHostname>
-			<DestinationHostname condition="end with">query.prod.cms.rt.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">ris.api.iris.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">ris.api.iris.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">s-msedge.net</DestinationHostname>
-			<DestinationHostname condition="end with">settings.data.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">sfe.trafficshaping.dsp.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">sls.update.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">storecatalogrevocation.storequality.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">storeedgefd.dsx.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">telecommand.telemetry.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">tile-service.weather.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">tlu.dl.delivery.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">tsfe.trafficshaping.dsp.mp.microsoft.com</DestinationHostname>
-			<DestinationHostname condition="end with">vip5.afdorigin-prod-am02.afdogw.com</DestinationHostname>
-			<DestinationHostname condition="end with">vip5.afdorigin-prod-ch02.afdogw.com</DestinationHostname>
-			<DestinationHostname condition="end with">virtualearth.net</DestinationHostname>
-			<DestinationHostname condition="end with">windows.net</DestinationHostname>
-			<DestinationHostname condition="end with">windowsupdate.com</DestinationHostname>
-			<DestinationHostname condition="end with">y2.displaycatalog.md.mp.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">y2.licensing.md.mp.microsoft.com.akadns.net</DestinationHostname>
-			<DestinationHostname condition="end with">y2.settings.data.microsoft.com.akadns.net</DestinationHostname>
-			<Image condition="image">EdgeTransport.exe</Image>
-			<Image condition="image">MSExchangeDelivery.exe</Image>
-			<Image condition="image">MSExchangeFrontendTransport.exe</Image>
-			<Image condition="image">MSExchangeHMWorker.exe</Image>
-			<Image condition="image">MSExchangeSubmission.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Connection Creation,Level=0,Desc=UNC Path Network Connections" condition="begin with">\</Image>
-			<!--SECTION: Antivirus Exclusions -->
-			<Rule name="Antivirus Exclusions" groupRelation="or">
-				<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab</Image> 
-				<Image condition="begin with">C:\Program Files\Kaspersky Lab</Image>
-				<Image condition="begin with">C:\Program Files (x86)\ESET</Image>
-				<Image condition="begin with">C:\Program Files\ESET</Image>
-			</Rule>
-		</NetworkConnect>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->
-
-		<!--DATA: UtcTime, State, Version, SchemaVersion-->
-		<!--Cannot be filtered.-->
-
-	<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
-		<!--COMMENT:	Useful data in building infection timelines.-->
-		<RuleGroup name="RG=ProcessTerminate Include Group" groupRelation="or">
-		<ProcessTerminate onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in Windows Directory" groupRelation="and">
-				<Image condition="begin with">C:\Windows\</Image>
-				<Image condition="excludes">\System32\;Syswow64;sysmon.exe;sysmon64.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in System32" groupRelation="and">
-				<Image condition="begin with">C:\Windows\system32\</Image>
-				<Image condition="excludes">config\systemprofile\</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination of Sysmon" groupRelation="and">
-				<Image condition="contains any">C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in Root folders" groupRelation="and">
-				<Image condition="contains any">A:\;B:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;L:\;M:\;N:\;O:\;P:\;Q:\;R:\;S:\;T:\;U:\;V:\;W:\;X:\;Y:\;Z:\;AA:\;BB:\;CC:\;DD:\;EE:\;FF:\;GG:\;HH:\;II:\;JJ:\;KK:\;LL:\;MM:\;NN:\;OO:\;PP:\;QQ:\;RR:\;SS:\;TT:\;UU:\;VV:\;WW:\;XX:\;YY;ZZ:\</Image>
-				<Image condition="excludes">:\PROGRA~</Image>
-				<Image condition="excludes">:\Program Files</Image>
-				<Image condition="excludes">:\Program Files</Image>
-				<Image condition="excludes">:\Program Files</Image>
-				<Image condition="excludes">:\ProgramData\</Image>
-				<Image condition="excludes">:\Users\</Image>
-				<Image condition="excludes">:\Windows\</Image>
-				<Image condition="excludes">:\inetpub\</Image>
-				<Image condition="excludes">:\$SysReset</Image>
-				<Image condition="excludes">:\$WinREAgent</Image>
-				<Image condition="excludes">:\inetpub\</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events of UNC File Paths" groupRelation="and">
-				<Image condition="begin with">\</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in Users Directory" groupRelation="and">
-				<Image condition="begin with">C:\Users\</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in ProgramData Directory" groupRelation="and">
-				<Image condition="begin with">C:\ProgramData\</Image>
-				<Image condition="excludes any">C:\ProgramData\sysmon\sysmon64.exe;C:\ProgramData\sysmon\sysmon.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in Program Files Directories" groupRelation="and">
-				<Image condition="contains any">C:\Program Files;C:\PROGRA~</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in inetpub Directories" groupRelation="and">
-				<Image condition="begin with">C:\inetpub\</Image>
-			</Rule>
-		<!-- Useful data in building infection timelines.-->
-			<Image name="Attack=T1036,Tactic=Masquerading,Technique=Defense Evasion,DS=Process: Process Termination,Level=4,Alert=Process Termination in Recyclebin,Risk=100" condition="contains">$RECYCLE.BIN</Image>
-			<Image name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,DS=Process: Process Termination,Level=0,Desc=Process Terminate: Killing of Log Shippers" condition="contains any">packetbeat.exe;metricbeat.exe;filebeat.exe;winlogbeat.exe;o365beat.exe;graylog-sidecar.exe;graylog-collector-sidecar.exe;splunkd.exe;splunk.exe;syslogng.exe;syslog-ng.exe;nxlog-processor.exe;snarecore.exe;fluentd;td-agent</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination in System Profile" condition="begin with">C:\Windows\sysWOW64\config\systemprofile\</Image>
-			<Image condition="contains">\Temp\</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=User Process Terminations" condition="contains">C:\Users\</Image>
-		</ProcessTerminate>
-	</RuleGroup>
-	<RuleGroup name="RG=ProcessTerminate Exclude Group" groupRelation="or">
-			<ProcessTerminate onmatch="exclude">
-			<Image condition="end with">Microsoft\Teams\current\Teams.exe</Image>
-			<Image condition="end with">\git.exe</Image>
-			<Image condition="end with">Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Image>
-			<Image condition="begin with">C:\ProgramData\Lenovo\ImController\</Image>
-		</ProcessTerminate>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
-	<RuleGroup name="RG=DriverLoad Include Group" groupRelation="or">
-		<DriverLoad onmatch="include">
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Driver: Driver Load,Level=4,Alert=Solarwinds/FireEye sunburst driver hashes,Risk=100" groupRelation="and">
-				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Driver: Driver Load,Level=4,Alert=Vulnerable Dell Drivers Detected,Risk=100" groupRelation="and">
-				<Hashes condition="contains any">0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5;c948ae14761095e4d76b55d9de86412258be7afd;c996d7971c49252c582171d9380360f2;ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1;10b30bdee43b3a2ec4aa63375577ade650269d25;d2fd132ab7bbc6bbb87a84f026fa0244</Hashes><!-- exclude non executable files -->
-			</Rule>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=DumpExt.dll driver loaded,Risk=100" condition="contains">DumpExt.dll</ImageLoaded>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=Mimikatz driver loaded,Risk=100" condition="contains">mimidrv</ImageLoaded>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=PWDump6 driver loaded,Risk=100" condition="contains">lsremora</ImageLoaded>
-			<ImageLoaded name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Driver: Driver Load,Level=4,Alert=wceaux.dll driver loaded,Risk=100" condition="contains">wceaux.dll</ImageLoaded>
-			<ImageLoaded name="Attack=T1040,Tactic=Discovery,Technique=Network Sniffing,DS=Driver: Driver Load,Level=4,Alert=NPCap packet capture driver loaded,Risk=100" condition="contains">npcap</ImageLoaded>
-			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Driver Loaded in Temp" condition="contains">\Temp</ImageLoaded>
-			<ImageLoaded name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Driver Loaded in Users Directories" condition="contains">:\Users</ImageLoaded>
-			<Signature name="Attack=T1019,Technique=System Firmware,Tactic=Persistence,DS=Driver: Driver Load,Level=4,Alert=UEFI Rootkit detection,Risk=100" condition="contains">ChongKim Chan</Signature>
-			<SignatureStatus condition="contains">?</SignatureStatus>
-			<SignatureStatus condition="contains">Revoked</SignatureStatus>
-			<SignatureStatus condition="contains">Unavailable</SignatureStatus>
-			<SignatureStatus condition="contains">Valid</SignatureStatus>
-			<Signed name="Attack=None,Technique=None,Tactic=None,DS=Driver: Driver Load,Level=0,Desc=Unsigned Driver loaded into Kernel" condition="contains">false</Signed>
-			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Driver: Driver Load,Level=4,Alert=Vulnerable Driver Loaded,Risk=100,Author=Nasreddine Bencherchali,Risk=75" groupRelation="or">
-				<!--# List below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT-->
-				<Hashes condition="contains">SHA1=2261198385d62d2117f50f631652eded0ecc71db</Hashes>
-				<Hashes condition="contains">SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc</Hashes>
-				<Hashes condition="contains">SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f</Hashes>
-				<Hashes condition="contains">SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd</Hashes>
-				<Hashes condition="contains">SHA1=21e6c104fe9731c874fab5c9560c929b2857b918</Hashes>
-				<Hashes condition="contains">SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2</Hashes>
-				<Hashes condition="contains">SHA1=2f991435a6f58e25c103a657d24ed892b99690b8</Hashes>
-				<Hashes condition="contains">SHA1=f02af84393e9627ba808d4159841854a6601cf80</Hashes>
-				<Hashes condition="contains">SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe</Hashes>
-				<Hashes condition="contains">SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba</Hashes>
-				<Hashes condition="contains">SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705</Hashes>
-				<Hashes condition="contains">SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa</Hashes>
-				<Hashes condition="contains">SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124</Hashes>
-				<Hashes condition="contains">SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2</Hashes>
-				<Hashes condition="contains">SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b</Hashes>
-				<Hashes condition="contains">SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc</Hashes>
-				<Hashes condition="contains">SHA1=72966ca845759d239d09da0de7eebe3abe86fee3</Hashes>
-				<Hashes condition="contains">SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de</Hashes>
-				<Hashes condition="contains">SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7</Hashes>
-				<Hashes condition="contains">SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e</Hashes>
-				<Hashes condition="contains">SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741</Hashes>
-				<Hashes condition="contains">SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95</Hashes>
-				<Hashes condition="contains">SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86</Hashes>
-				<Hashes condition="contains">SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65</Hashes>
-				<Hashes condition="contains">SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13</Hashes>
-				<Hashes condition="contains">SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b</Hashes>
-				<Hashes condition="contains">SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb</Hashes>
-				<Hashes condition="contains">SHA1=468e2e5505a3d924b14fedee4ddf240d09393776</Hashes>
-				<Hashes condition="contains">SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8</Hashes>
-				<Hashes condition="contains">SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f</Hashes>
-				<Hashes condition="contains">SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123</Hashes>
-				<Hashes condition="contains">SHA1=623cd2abef6c92255f79cbbd3309cb59176771da</Hashes>
-				<Hashes condition="contains">SHA1=1f3a9265963b660392c4053329eb9436deeed339</Hashes>
-				<Hashes condition="contains">SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c</Hashes>
-				<Hashes condition="contains">SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d</Hashes>
-				<Hashes condition="contains">SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb</Hashes>
-				<Hashes condition="contains">SHA1=c834c4931b074665d56ccab437dfcc326649d612</Hashes>
-				<Hashes condition="contains">SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c</Hashes>
-				<Hashes condition="contains">SHA1=51b60eaa228458dee605430aae1bc26f3fc62325</Hashes>
-				<Hashes condition="contains">SHA1=3270720a066492b046d7180ca6e60602c764cac7</Hashes>
-				<Hashes condition="contains">SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131</Hashes>
-				<Hashes condition="contains">SHA1=19bd488fe54b011f387e8c5d202a70019a204adf</Hashes>
-				<Hashes condition="contains">SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e</Hashes>
-				<Hashes condition="contains">SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344</Hashes>
-				<Hashes condition="contains">SHA1=205c69f078a563f54f4c0da2d02a25e284370251</Hashes>
-				<Hashes condition="contains">SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6</Hashes>
-				<Hashes condition="contains">SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac</Hashes>
-				<Hashes condition="contains">SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7</Hashes>
-				<Hashes condition="contains">SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843</Hashes>
-				<Hashes condition="contains">SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417</Hashes>
-				<Hashes condition="contains">SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181</Hashes>
-				<Hashes condition="contains">SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526</Hashes>
-				<Hashes condition="contains">SHA1=0307d76750dd98d707c699aee3b626643afb6936</Hashes>
-				<Hashes condition="contains">SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a</Hashes>
-				<Hashes condition="contains">SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946</Hashes>
-				<Hashes condition="contains">SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d</Hashes>
-				<Hashes condition="contains">SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0</Hashes>
-				<Hashes condition="contains">SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe</Hashes>
-				<Hashes condition="contains">SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0</Hashes>
-				<Hashes condition="contains">SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e</Hashes>
-				<Hashes condition="contains">SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d</Hashes>
-				<Hashes condition="contains">SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0</Hashes>
-				<Hashes condition="contains">SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2</Hashes>
-				<Hashes condition="contains">SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57</Hashes>
-				<Hashes condition="contains">SHA1=c948ae14761095e4d76b55d9de86412258be7afd</Hashes>
-				<Hashes condition="contains">SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad</Hashes>
-				<Hashes condition="contains">SHA1=745bad097052134548fe159f158c04be5616afc2</Hashes>
-				<Hashes condition="contains">SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754</Hashes>
-				<Hashes condition="contains">SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce</Hashes>
-				<Hashes condition="contains">SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d</Hashes>
-				<Hashes condition="contains">SHA1=ac13941f436139b909d105ad55637e1308f49d9a</Hashes>
-				<Hashes condition="contains">SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b</Hashes>
-				<Hashes condition="contains">SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1</Hashes>
-				<Hashes condition="contains">SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809</Hashes>
-				<Hashes condition="contains">SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387</Hashes>
-				<Hashes condition="contains">SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1</Hashes>
-				<Hashes condition="contains">SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee</Hashes>
-				<Hashes condition="contains">SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3</Hashes>
-				<Hashes condition="contains">SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0</Hashes>
-				<Hashes condition="contains">SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1</Hashes>
-				<Hashes condition="contains">SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4</Hashes>
-				<Hashes condition="contains">SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d</Hashes>
-				<Hashes condition="contains">SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd</Hashes>
-				<Hashes condition="contains">SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9</Hashes>
-				<Hashes condition="contains">SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312</Hashes>
-				<Hashes condition="contains">SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643</Hashes>
-				<Hashes condition="contains">SHA1=27eab595ec403580236e04101172247c4f5d5426</Hashes>
-				<Hashes condition="contains">SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8</Hashes>
-				<Hashes condition="contains">SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c</Hashes>
-				<Hashes condition="contains">SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef</Hashes>
-				<Hashes condition="contains">SHA1=9c256edd10823ca76c0443a330e523027b70522d</Hashes>
-				<Hashes condition="contains">SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e</Hashes>
-				<Hashes condition="contains">SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0</Hashes>
-				<Hashes condition="contains">SHA1=054a50293c7b4eea064c91ef59cf120d8100f237</Hashes>
-				<Hashes condition="contains">SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2</Hashes>
-				<Hashes condition="contains">SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e</Hashes>
-				<Hashes condition="contains">SHA1=14bf0eaa90e012169745b3e30c281a327751e316</Hashes>
-				<Hashes condition="contains">SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79</Hashes>
-				<Hashes condition="contains">SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08</Hashes>
-				<Hashes condition="contains">SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614</Hashes>
-				<Hashes condition="contains">SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a</Hashes>
-				<Hashes condition="contains">SHA1=879fcc6795cebe67718388228e715c470de87dca</Hashes>
-				<Hashes condition="contains">SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a</Hashes>
-				<Hashes condition="contains">SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67</Hashes>
-				<Hashes condition="contains">SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03</Hashes>
-				<Hashes condition="contains">SHA1=a7bd05de737f8ea57857f1e0845a25677df01872</Hashes>
-				<Hashes condition="contains">SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e</Hashes>
-				<Hashes condition="contains">SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3</Hashes>
-				<Hashes condition="contains">SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc</Hashes>
-				<Hashes condition="contains">SHA1=d62fa51e520022483bdc5847141658de689c0c29</Hashes>
-				<Hashes condition="contains">SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9</Hashes>
-				<Hashes condition="contains">SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b</Hashes>
-				<Hashes condition="contains">SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd</Hashes>
-				<Hashes condition="contains">SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be</Hashes>
-				<Hashes condition="contains">SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646</Hashes>
-				<Hashes condition="contains">SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b</Hashes>
-				<Hashes condition="contains">SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60</Hashes>
-				<Hashes condition="contains">SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430</Hashes>
-				<Hashes condition="contains">SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b</Hashes>
-				<Hashes condition="contains">SHA1=0b8b83f245d94107cb802a285e6529161d9a834d</Hashes>
-				<Hashes condition="contains">SHA1=c969f1f73922fd95db1992a5b552fbc488366a40</Hashes>
-				<Hashes condition="contains">SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451</Hashes>
-				<Hashes condition="contains">SHA1=da9cea92f996f938f699902482ac5313d5e8b28e</Hashes>
-				<Hashes condition="contains">SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53</Hashes>
-				<Hashes condition="contains">SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260</Hashes>
-				<Hashes condition="contains">SHA1=f052dc35b74a1a6246842fbb35eb481577537826</Hashes>
-				<Hashes condition="contains">SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf</Hashes>
-				<Hashes condition="contains">SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e</Hashes>
-				<Hashes condition="contains">SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15</Hashes>
-				<Hashes condition="contains">SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2</Hashes>
-				<Hashes condition="contains">SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939</Hashes>
-				<Hashes condition="contains">SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e</Hashes>
-				<Hashes condition="contains">SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1</Hashes>
-				<Hashes condition="contains">SHA1=7fb52290883a6b69a96d480f2867643396727e83</Hashes>
-				<!--# The list below is from https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/ -->
-				<Hashes condition="contains">SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab</Hashes>
-				<Hashes condition="contains">SHA1=693a2645c28fc3b248fda95179c36c3ac64f6fc2</Hashes>
-				<Hashes condition="contains">SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d</Hashes>
-				<Hashes condition="contains">SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299</Hashes>
-				<Hashes condition="contains">SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c</Hashes>
-				<Hashes condition="contains">SHA1=fe10018af723986db50701c8532df5ed98b17c39</Hashes>
-				<Hashes condition="contains">SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b</Hashes>
-				<Hashes condition="contains">SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347</Hashes>
-				<Hashes condition="contains">SHA1=82ba5513c33e056c3f54152c8555abf555f3e745</Hashes>
-				<Hashes condition="contains">SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa</Hashes>
-				<Hashes condition="contains">SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4</Hashes>
-				<Hashes condition="contains">SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436</Hashes>
-				<Hashes condition="contains">SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891</Hashes>
-				<Hashes condition="contains">SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748</Hashes>
-				<Hashes condition="contains">SHA1=c771ea59f075170e952c393cfd6fc784b265027c</Hashes>
-				<Hashes condition="contains">SHA1=cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1</Hashes>
-				<Hashes condition="contains">SHA1=0918277fcdc64a9dc51c04324377b3468fa1269b</Hashes>
-				<Hashes condition="contains">SHA1=b09bcc042d60d2f4c0d08284818ed198cededa04</Hashes>
-				<!--# The list below is from https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c -->
-				<Hashes condition="contains">SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89</Hashes>
-				<Hashes condition="contains">SHA1=15df139494d2c40a645fb010908551185c27f3c5</Hashes>
-				<Hashes condition="contains">SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de</Hashes>
-				<Hashes condition="contains">SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75</Hashes>
-				<Hashes condition="contains">SHA1=490109fa6739f114651f4199196c5121d1c6bdf2</Hashes>
-				<Hashes condition="contains">SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5</Hashes>
-				<Hashes condition="contains">SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de</Hashes>
-				<Hashes condition="contains">SHA1=3f223581409492172a1e875f130f3485b90fbe5f</Hashes>
-				<Hashes condition="contains">SHA1=5db61d00a001fd493591dc919f69b14713889fc5</Hashes>
-				<!--# https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md -->
-				<Hashes condition="contains">SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f</Hashes>
-				<Hashes condition="contains">SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370</Hashes>
-				<Hashes condition="contains">SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c</Hashes>
-				<Hashes condition="contains">SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676</Hashes>
-				<Hashes condition="contains">SHA1=c6bd965300f07012d1b651a9b8776028c45b149a</Hashes>
-				<Hashes condition="contains">SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f</Hashes>
-				<Hashes condition="contains">SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1</Hashes>
-				<Hashes condition="contains">SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9</Hashes>
-				<Hashes condition="contains">SHA1=dc55217b6043d819eadebd423ff07704ee103231</Hashes>
-				<Hashes condition="contains">SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4</Hashes>
-				<Hashes condition="contains">SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f</Hashes>
-				<Hashes condition="contains">SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab</Hashes>
-				<Hashes condition="contains">SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63</Hashes>
-				<Hashes condition="contains">SHA1=c6d349823bbb1f5b44bae91357895dba653c5861</Hashes>
-				<Hashes condition="contains">SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2</Hashes>
-				<Hashes condition="contains">SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825</Hashes>
-				<Hashes condition="contains">SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d</Hashes>
-				<Hashes condition="contains">SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6</Hashes>
-				<Hashes condition="contains">SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162</Hashes>
-				<Hashes condition="contains">SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb</Hashes>
-				<Hashes condition="contains">SHA1=29a190727140f40cea9514a6420f5a195e36386b</Hashes>
-				<Hashes condition="contains">SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77</Hashes>
-				<Hashes condition="contains">SHA1=7667b72471689151e176baeba4e1cd9cd006a09a</Hashes>
-				<Hashes condition="contains">SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5</Hashes>
-				<Hashes condition="contains">SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8</Hashes>
-				<Hashes condition="contains">SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e</Hashes>
-				<Hashes condition="contains">SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403</Hashes>
-				<Hashes condition="contains">SHA1=d702d88b12233be9413446c445f22fda4a92a1d9</Hashes>
-				<Hashes condition="contains">SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1</Hashes>
-				<Hashes condition="contains">SHA1=643383938d5e0d4fd30d302af3e9293a4798e392</Hashes>
-				<Hashes condition="contains">SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07</Hashes>
-				<!--# The list below is derived from the ELASTIC yara rules https://github.com/elastic/protections-artifacts/search?q=VulnDriver -->
-				<!--# These are the hashes mentioned in the "reference_sample" section that ELASTIC used to create their rules -->
-				<Hashes condition="contains">SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816</Hashes>
-				<Hashes condition="contains">SHA1=db6245578ec57bd767b27ecf8085095e1c8e5a6e</Hashes>
-				<Hashes condition="contains">SHA1=166759fd511613414d3213942fe2575b926a6226</Hashes>
-				<Hashes condition="contains">SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4</Hashes>
-				<Hashes condition="contains">SHA1=98ceed786f79288becc08c3b82c57e8d4bfa1bca</Hashes>
-				<Hashes condition="contains">SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8</Hashes>
-				<Hashes condition="contains">SHA1=4de33d03fee52f396a1c788000ca868d56ac30de</Hashes>
-				<Hashes condition="contains">SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0</Hashes>
-				<Hashes condition="contains">SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d</Hashes>
-				<Hashes condition="contains">SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1</Hashes>
-				<Hashes condition="contains">SHA1=943593e880b4d340f2548548e6e673ef6f61eed3</Hashes>
-				<Hashes condition="contains">SHA1=5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd</Hashes>
-				<Hashes condition="contains">SHA1=e44297a2b750ec1958bef265e2f1ae6fa4323b28</Hashes>
-				<Hashes condition="contains">SHA1=aa2ea973bb248b18973e57339307cfb8d309f687</Hashes>
-				<Hashes condition="contains">SHA1=3a5d176c50f97b71d139767ed795d178623f491d</Hashes>
-				<Hashes condition="contains">SHA1=25d812a5ece19ea375178ef9d60415841087726e</Hashes>
-				<Hashes condition="contains">SHA1=3795e32592ab6d8074b6f7ad33759c6a39b0df07</Hashes>
-				<Hashes condition="contains">SHA1=fc121ed6fb37e97a004b6faf217435b772dfc4c0</Hashes>
-				<Hashes condition="contains">SHA1=ab2b8602e4baef828b58b995d0889a8e5b8dbd02</Hashes>
-				<Hashes condition="contains">SHA1=cf040040628b58f4a811f98c2690913c1e8e4e3c</Hashes>
-				<Hashes condition="contains">SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a</Hashes>
-				<Hashes condition="contains">SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed</Hashes>
-				<Hashes condition="contains">SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b</Hashes>
-				<Hashes condition="contains">SHA1=f3c5e723ae009b336cd2719137b8cd194c9ee51d</Hashes>
-				<Hashes condition="contains">SHA1=41f2d0f9863bce8920c207b1ef5d3d32b603edef</Hashes>
-				<Hashes condition="contains">SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001</Hashes>
-				<Hashes condition="contains">SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c</Hashes>
-				<Hashes condition="contains">SHA1=9401389fba314d1810f83edce33c37e84a78e112</Hashes>
-				<Hashes condition="contains">SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371</Hashes>
-				<Hashes condition="contains">SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7</Hashes>
-				<Hashes condition="contains">SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0</Hashes>
-				<Hashes condition="contains">SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4</Hashes>
-				<Hashes condition="contains">SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2</Hashes>
-				<Hashes condition="contains">SHA1=38571f14fc014487194d1eecfa80561ee8644e09</Hashes>
-				<Hashes condition="contains">SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2</Hashes>
-				<Hashes condition="contains">SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8</Hashes>
-				<Hashes condition="contains">SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba</Hashes>
-				<Hashes condition="contains">SHA1=4c18754dca481f107f0923fb8ef5e149d128525d</Hashes>
-				<Hashes condition="contains">SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f</Hashes>
-				<Hashes condition="contains">SHA1=cde32654a041fedc7b0fa1083f6005b950760062</Hashes>
-				<Hashes condition="contains">SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a</Hashes>
-				<Hashes condition="contains">SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332</Hashes>
-				<Hashes condition="contains">SHA1=4f7a8e26a97980544be634b26899afbefb0a833c</Hashes>
-				<!--# The list below is from https://github.com/namazso/physmem_drivers -->
-				<Hashes condition="contains">SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748</Hashes>
-				<Hashes condition="contains">SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA</Hashes>
-				<Hashes condition="contains">SHA256=6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA</Hashes>
-				<Hashes condition="contains">SHA256=8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F</Hashes>
-				<Hashes condition="contains">SHA256=B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414</Hashes>
-				<Hashes condition="contains">SHA256=7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D</Hashes>
-				<Hashes condition="contains">SHA256=7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA</Hashes>
-				<Hashes condition="contains">SHA256=42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00</Hashes>
-				<Hashes condition="contains">SHA256=2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E</Hashes>
-				<Hashes condition="contains">SHA256=436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7</Hashes>
-				<Hashes condition="contains">SHA256=B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602</Hashes>
-				<Hashes condition="contains">SHA256=DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8</Hashes>
-				<Hashes condition="contains">SHA256=B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A</Hashes>
-				<Hashes condition="contains">SHA256=025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4</Hashes>
-				<Hashes condition="contains">SHA256=2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4</Hashes>
-				<Hashes condition="contains">SHA256=ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C</Hashes>
-				<Hashes condition="contains">SHA256=F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B</Hashes>
-				<Hashes condition="contains">SHA256=2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A</Hashes>
-				<Hashes condition="contains">SHA256=950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9</Hashes>
-				<Hashes condition="contains">SHA256=0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB</Hashes>
-				<Hashes condition="contains">SHA256=47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC</Hashes>
-				<Hashes condition="contains">SHA256=B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF</Hashes>
-				<Hashes condition="contains">SHA256=5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A</Hashes>
-				<Hashes condition="contains">SHA256=0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3</Hashes>
-				<Hashes condition="contains">SHA256=3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5</Hashes>
-				<Hashes condition="contains">SHA256=36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB</Hashes>
-				<Hashes condition="contains">SHA256=29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94</Hashes>
-				<Hashes condition="contains">SHA256=45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0</Hashes>
-				<Hashes condition="contains">SHA256=50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F</Hashes>
-				<Hashes condition="contains">SHA256=607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C</Hashes>
-				<Hashes condition="contains">SHA256=61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8</Hashes>
-				<Hashes condition="contains">SHA256=74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4</Hashes>
-				<Hashes condition="contains">SHA256=76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303</Hashes>
-				<Hashes condition="contains">SHA256=81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469</Hashes>
-				<Hashes condition="contains">SHA256=9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B</Hashes>
-				<Hashes condition="contains">SHA256=9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E</Hashes>
-				<Hashes condition="contains">SHA256=AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608</Hashes>
-				<Hashes condition="contains">SHA256=AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685</Hashes>
-				<Hashes condition="contains">SHA256=D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71</Hashes>
-				<Hashes condition="contains">SHA256=D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2</Hashes>
-				<Hashes condition="contains">SHA256=E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293</Hashes>
-				<Hashes condition="contains">SHA256=F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57</Hashes>
-				<Hashes condition="contains">SHA256=1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A</Hashes>
-				<Hashes condition="contains">SHA256=22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A</Hashes>
-				<Hashes condition="contains">SHA256=405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659</Hashes>
-				<Hashes condition="contains">SHA256=49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA</Hashes>
-				<Hashes condition="contains">SHA256=4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2</Hashes>
-				<Hashes condition="contains">SHA256=4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7</Hashes>
-				<Hashes condition="contains">SHA256=54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57</Hashes>
-				<Hashes condition="contains">SHA256=5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92</Hashes>
-				<Hashes condition="contains">SHA256=76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184</Hashes>
-				<Hashes condition="contains">SHA256=7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457</Hashes>
-				<Hashes condition="contains">SHA256=845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A</Hashes>
-				<Hashes condition="contains">SHA256=84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4</Hashes>
-				<Hashes condition="contains">SHA256=8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F</Hashes>
-				<Hashes condition="contains">SHA256=A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8</Hashes>
-				<Hashes condition="contains">SHA256=AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165</Hashes>
-				<Hashes condition="contains">SHA256=B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E</Hashes>
-				<Hashes condition="contains">SHA256=B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A</Hashes>
-				<Hashes condition="contains">SHA256=B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C</Hashes>
-				<Hashes condition="contains">SHA256=DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653</Hashes>
-				<Hashes condition="contains">SHA256=E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028</Hashes>
-				<Hashes condition="contains">SHA256=3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3</Hashes>
-				<Hashes condition="contains">SHA256=DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D</Hashes>
-				<Hashes condition="contains">SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5</Hashes>
-				<Hashes condition="contains">SHA256=80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3</Hashes>
-				<Hashes condition="contains">SHA256=BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955</Hashes>
-				<Hashes condition="contains">SHA256=FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339</Hashes>
-				<Hashes condition="contains">SHA256=3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25</Hashes>
-				<Hashes condition="contains">SHA256=61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0</Hashes>
-				<Hashes condition="contains">SHA256=07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357</Hashes>
-				<Hashes condition="contains">SHA256=21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21</Hashes>
-				<Hashes condition="contains">SHA256=2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D</Hashes>
-				<Hashes condition="contains">SHA256=F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF</Hashes>
-				<Hashes condition="contains">SHA256=F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B</Hashes>
-				<Hashes condition="contains">SHA256=3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4</Hashes>
-				<Hashes condition="contains">SHA256=DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097</Hashes>
-				<Hashes condition="contains">SHA256=509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6</Hashes>
-				<Hashes condition="contains">SHA256=525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD</Hashes>
-				<Hashes condition="contains">SHA256=6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492</Hashes>
-				<Hashes condition="contains">SHA256=09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1</Hashes>
-				<Hashes condition="contains">SHA256=101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558</Hashes>
-				<Hashes condition="contains">SHA256=131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6</Hashes>
-				<Hashes condition="contains">SHA256=1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219</Hashes>
-				<Hashes condition="contains">SHA256=1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE</Hashes>
-				<Hashes condition="contains">SHA256=2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250</Hashes>
-				<Hashes condition="contains">SHA256=30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB</Hashes>
-				<Hashes condition="contains">SHA256=3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5</Hashes>
-				<Hashes condition="contains">SHA256=38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A</Hashes>
-				<Hashes condition="contains">SHA256=39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E</Hashes>
-				<Hashes condition="contains">SHA256=3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3</Hashes>
-				<Hashes condition="contains">SHA256=3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5</Hashes>
-				<Hashes condition="contains">SHA256=47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005</Hashes>
-				<Hashes condition="contains">SHA256=50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793</Hashes>
-				<Hashes condition="contains">SHA256=56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7</Hashes>
-				<Hashes condition="contains">SHA256=591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52</Hashes>
-				<Hashes condition="contains">SHA256=5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3</Hashes>
-				<Hashes condition="contains">SHA256=6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4</Hashes>
-				<Hashes condition="contains">SHA256=79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57</Hashes>
-				<Hashes condition="contains">SHA256=85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94</Hashes>
-				<Hashes condition="contains">SHA256=89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE</Hashes>
-				<Hashes condition="contains">SHA256=9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B</Hashes>
-				<Hashes condition="contains">SHA256=984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7</Hashes>
-				<Hashes condition="contains">SHA256=98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8</Hashes>
-				<Hashes condition="contains">SHA256=99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1</Hashes>
-				<Hashes condition="contains">SHA256=9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449</Hashes>
-				<Hashes condition="contains">SHA256=A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499</Hashes>
-				<Hashes condition="contains">SHA256=A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526</Hashes>
-				<Hashes condition="contains">SHA256=B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D</Hashes>
-				<Hashes condition="contains">SHA256=CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B</Hashes>
-				<Hashes condition="contains">SHA256=CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB</Hashes>
-				<Hashes condition="contains">SHA256=CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B</Hashes>
-				<Hashes condition="contains">SHA256=D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889</Hashes>
-				<Hashes condition="contains">SHA256=D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530</Hashes>
-				<Hashes condition="contains">SHA256=D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482</Hashes>
-				<Hashes condition="contains">SHA256=E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1</Hashes>
-				<Hashes condition="contains">SHA256=E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A</Hashes>
-				<Hashes condition="contains">SHA256=E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA</Hashes>
-				<Hashes condition="contains">SHA256=EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0</Hashes>
-				<Hashes condition="contains">SHA256=F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D</Hashes>
-				<Hashes condition="contains">SHA256=FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03</Hashes>
-				<Hashes condition="contains">SHA256=91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C</Hashes>
-				<Hashes condition="contains">SHA256=F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008</Hashes>
-				<Hashes condition="contains">SHA256=6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC</Hashes>
-				<Hashes condition="contains">SHA256=DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004</Hashes>
-				<Hashes condition="contains">SHA256=7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D</Hashes>
-				<Hashes condition="contains">SHA256=7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB</Hashes>
-				<Hashes condition="contains">SHA256=7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA</Hashes>
-				<Hashes condition="contains">SHA256=159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980</Hashes>
-				<Hashes condition="contains">SHA256=3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099</Hashes>
-				<Hashes condition="contains">SHA256=7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C</Hashes>
-				<Hashes condition="contains">SHA256=C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E</Hashes>
-				<Hashes condition="contains">SHA256=3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8</Hashes>
-				<Hashes condition="contains">SHA256=47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84</Hashes>
-				<!--# The list below is from https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/ -->
-				<Hashes condition="contains">SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b</Hashes>
-				<Hashes condition="contains">SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790</Hashes>
-				<Hashes condition="contains">SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22</Hashes>
-				<Hashes condition="contains">SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44</Hashes>
-				<Hashes condition="contains">SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8</Hashes>
-				<Hashes condition="contains">SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009</Hashes>
-				<Hashes condition="contains">SHA256=39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df</Hashes>
-				<Hashes condition="contains">SHA256=7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead</Hashes>
-				<Hashes condition="contains">SHA256=aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16</Hashes>
-				<Hashes condition="contains">SHA256=ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7</Hashes>
-				<Hashes condition="contains">SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5</Hashes>
-				<Hashes condition="contains">SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495</Hashes>
-				<Hashes condition="contains">SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd</Hashes>
-				<Hashes condition="contains">SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c</Hashes>
-				<Hashes condition="contains">SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427</Hashes>
-				<!--# The list below is from https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c -->
-				<Hashes condition="contains">SHA256=952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4</Hashes>
-				<Hashes condition="contains">SHA256=9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6</Hashes>
-				<Hashes condition="contains">SHA256=A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062</Hashes>
-				<Hashes condition="contains">SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b</Hashes>
-				<Hashes condition="contains">SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece</Hashes>
-				<Hashes condition="contains">SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374</Hashes>
-				<Hashes condition="contains">SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50</Hashes>
-				<Hashes condition="contains">SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6</Hashes>
-				<Hashes condition="contains">SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e</Hashes>
-				<!--# https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md -->
-				<Hashes condition="contains">SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc</Hashes>
-				<Hashes condition="contains">SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d</Hashes>
-				<Hashes condition="contains">SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65</Hashes>
-				<Hashes condition="contains">SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347</Hashes>
-				<Hashes condition="contains">SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9</Hashes>
-				<Hashes condition="contains">SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219</Hashes>
-				<Hashes condition="contains">SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8</Hashes>
-				<Hashes condition="contains">SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813</Hashes>
-				<Hashes condition="contains">SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a</Hashes>
-				<Hashes condition="contains">SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f</Hashes>
-				<Hashes condition="contains">SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc</Hashes>
-				<Hashes condition="contains">SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de</Hashes>
-				<Hashes condition="contains">SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073</Hashes>
-				<Hashes condition="contains">SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890</Hashes>
-				<Hashes condition="contains">SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0</Hashes>
-				<Hashes condition="contains">SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200</Hashes>
-				<Hashes condition="contains">SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf</Hashes>
-				<Hashes condition="contains">SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2</Hashes>
-				<Hashes condition="contains">SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173</Hashes>
-				<Hashes condition="contains">SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6</Hashes>
-				<Hashes condition="contains">SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8</Hashes>
-				<Hashes condition="contains">SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508</Hashes>
-				<Hashes condition="contains">SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3</Hashes>
-				<Hashes condition="contains">SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52</Hashes>
-				<Hashes condition="contains">SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129</Hashes>
-				<Hashes condition="contains">SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993</Hashes>
-				<Hashes condition="contains">SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d</Hashes>
-				<Hashes condition="contains">SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd</Hashes>
-				<Hashes condition="contains">SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35</Hashes>
-				<Hashes condition="contains">SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33</Hashes>
-				<Hashes condition="contains">SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29</Hashes>
-				<!--# The list below is derived from the ELASTIC yara rules https://github.com/elastic/protections-artifacts/search?q=VulnDriver -->
-				<!--# These are the hashes mentioned in the "reference_sample" section that ELASTIC used to create their rules -->
-				<Hashes condition="contains">SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838</Hashes>
-				<Hashes condition="contains">SHA256=3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b</Hashes>
-				<Hashes condition="contains">SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82</Hashes>
-				<Hashes condition="contains">SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7</Hashes>
-				<Hashes condition="contains">SHA256=b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038</Hashes>
-				<Hashes condition="contains">SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89</Hashes>
-				<Hashes condition="contains">SHA256=73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e</Hashes>
-				<Hashes condition="contains">SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3</Hashes>
-				<Hashes condition="contains">SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6</Hashes>
-				<Hashes condition="contains">SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89</Hashes>
-				<Hashes condition="contains">SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf</Hashes>
-				<Hashes condition="contains">SHA256=1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea</Hashes>
-				<Hashes condition="contains">SHA256=d84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5</Hashes>
-				<Hashes condition="contains">SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a</Hashes>
-				<Hashes condition="contains">SHA256=0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f</Hashes>
-				<Hashes condition="contains">SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3</Hashes>
-				<Hashes condition="contains">SHA256=0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003</Hashes>
-				<Hashes condition="contains">SHA256=26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7</Hashes>
-				<Hashes condition="contains">SHA256=42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498</Hashes>
-				<Hashes condition="contains">SHA256=1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22</Hashes>
-				<Hashes condition="contains">SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4</Hashes>
-				<Hashes condition="contains">SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c</Hashes>
-				<Hashes condition="contains">SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53</Hashes>
-				<Hashes condition="contains">SHA256=3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de</Hashes>
-				<Hashes condition="contains">SHA256=fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330</Hashes>
-				<Hashes condition="contains">SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46</Hashes>
-				<Hashes condition="contains">SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347</Hashes>
-				<Hashes condition="contains">SHA256=8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026</Hashes>
-				<Hashes condition="contains">SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15</Hashes>
-				<Hashes condition="contains">SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91</Hashes>
-				<Hashes condition="contains">SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf</Hashes>
-				<Hashes condition="contains">SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c</Hashes>
-				<Hashes condition="contains">SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64</Hashes>
-				<Hashes condition="contains">SHA256=3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59</Hashes>
-				<Hashes condition="contains">SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6</Hashes>
-				<Hashes condition="contains">SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b</Hashes>
-				<Hashes condition="contains">SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9</Hashes>
-				<Hashes condition="contains">SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351</Hashes>
-				<Hashes condition="contains">SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5</Hashes>
-				<Hashes condition="contains">SHA256=ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c</Hashes>
-				<Hashes condition="contains">SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b</Hashes>
-				<Hashes condition="contains">SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05</Hashes>
-				<Hashes condition="contains">SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433</Hashes>
-			</Rule>
-		</DriverLoad>
-	</RuleGroup>
-	<RuleGroup name="RG=DriverLoad Exclude Group" groupRelation="or">
-		<DriverLoad onmatch="exclude">
-		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
-				about what you exclude from monitoring. Low event volume, little incentive to exclude.-->
-		</DriverLoad>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
-		<!--COMMENT:	Can cause high system load, disabled by default.-->
-		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
-	<RuleGroup name="RG=Image Load Includes" groupRelation="or">
-		<ImageLoad onmatch="include">
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Module: Module Load,Level=4,Alert=MSDT Loading diagnostic library: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<Image condition="image">msdt.exe</Image>
-				<ImageLoaded condition="contains">sdiageng.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=VBE7 Macro Image Loads with wshom,Risk=70" groupRelation="and">
-				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wshom.ocx</ImageLoaded>
-				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Suspicious Process Loading ntkrnlmp.exe,Risk=50" groupRelation="and">
-				<ImageLoaded condition="image">ntkrnlmp.exe</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,CVE=CVE-2021-1675,DS=Module: Module Load,Level=0,Desc=Printer Expoit,Risk=100" groupRelation="and">
-				<ImageLoaded condition="contains any">\spool\drivers\x64\3\;\spool\drivers\W32X86\3\;\spool\drivers\IA64\3\</ImageLoaded>
-				<Image condition="contains any">spoolsv.exe;printisolationhost.exe</Image>
-				<SignatureStatus condition="excludes">Valid</SignatureStatus>
-				<Company condition="excludes any">Brother Industries;Canon;Sharp;Microsoft Corporation;DYMO;Euro Plus d.o.o;HP Inc;Hewlett-Packard</Company>
-			</Rule>
-			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=Module: Module Load,Level=0,Desc=DLL Image Load by System in Suspicious Locations" groupRelation="and">
-				<Image condition="begin with">C:\Windows\</Image>
-				<ImageLoaded condition="contains any">\Users\Public\;\Desktop\;\Downloads\;\AppData\Local\Temp\;\PerfLogs\;$Recycle;\Fonts\</ImageLoaded>
-				<ImageLoaded condition="excludes any">\Program Files</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Equation editor loading itself,Risk=50" groupRelation="and">
-				<Image condition="image">EQNEDT32.EXE</Image>
-				<ImageLoaded condition="contains">EQNEDT32.EXE</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Module: Module Load,Level=2,Alert=Windows Active Directory Services DLL Loading in Susicious Directories,Risk=100" groupRelation="and">
-				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
-				<Image condition="contains any">C:\Users;\Temp\;\ProgramData\</Image>
-			</Rule>
-			<Rule name="Attack=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,DS=Module: Module Load,Level=2,Alert=Windows Active Directory Services DLL Loading by Suspicious Process,Risk=100" groupRelation="and">
-				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
-				<Image condition="contains any">\wscript.exe;\cscript.exe;\powershell.exe;\powershell_ise.exe;\rundll32.exe;\msbuild.exe;\csc.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=VBE6 Macro Image Loads with wshom,Risk=40" groupRelation="and">
-				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wshom.ocx</ImageLoaded>
-				<ImageLoaded condition="excludes all">wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll;fastprox.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=VBE7 Macro Image Loads with wmi,Risk=30" groupRelation="and">
-				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="contains all">VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=VBE6 Macro Image Loads with wmi,Risk=50" groupRelation="and">
-				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="contains all">VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Office taskschd.dll Load" groupRelation="and">
-				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="end with">taskschd.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=WScript taskschd.dll Load" groupRelation="and">
-				<Image condition="contains any">wscript.exe;cscript.exe</Image>
-				<ImageLoaded condition="end with">taskschd.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=WMI taskschd.dll Load" groupRelation="and">
-				<Image condition="image">wmiprvse.exe</Image>
-				<ImageLoaded condition="end with">taskschd.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Powershell Loading MSI.dll" groupRelation="and">
-				<Image condition="image">powershell.exe</Image>
-				<ImageLoaded condition="end with">msi.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Powershell Loading AMSI.dll" groupRelation="and">
-				<Image condition="contains">powershell</Image>
-				<ImageLoaded condition="end with">amsi.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Powershell Not Loading AMSI.dll" groupRelation="and">
-				<Image condition="excludes">powershell</Image>
-				<ImageLoaded condition="end with">amsi.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=1,Desc=Monitor logoncli.dll dll loads for injection - potential qbot activity" groupRelation="and">
-				<ImageLoaded condition="end with">logoncli.dll</ImageLoaded>
-				<Image condition="is not">C:\Windows\System32\wbem\WmiPrvSE.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Office clr.dll Load" groupRelation="and">
-				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
-				<ImageLoaded condition="end with">clr.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Suspicious clr windows management dll Load" groupRelation="and">
-				<ImageLoaded condition="contains all">clr.dll;System.Management.ni.dll;Microsoft.Build.Utilities</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Wscript Internet Access library Loads" groupRelation="and">
-				<Image condition="contains any">wscript.exe;cscript.exe</Image>
-				<ImageLoaded condition="contains all">msxml;wshom.ocx</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Wscript Internet Access library Loads 2" groupRelation="and">
-				<Image condition="contains any">wscript.exe;cscript.exe</Image>
-				<ImageLoaded condition="contains all">winhttp.dll;mswsock.dll;IPHLPAPI.DLL</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Interesting Installutil DLL Loads" groupRelation="and">
-				<Image condition="contains any">installutil.exe</Image>
-				<ImageLoaded condition="contains all">CustomMarshalers.dll;CustomMarshalers.ni.dll;System.Management.ni.dll;WMINet_Utils.dll;mswsock.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Automation NI DLL Loaded" groupRelation="and">
-				<ImageLoaded condition="end with">System.Management.Automation.ni.dll</ImageLoaded>
-				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Automation DLL Loaded" groupRelation="and">
-				<ImageLoaded condition="end with">System.Management.Automation.dll</ImageLoaded>
-				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\</ImageLoaded>
-				<ImageLoaded condition="excludes any">Lenovo.Vantage.AddinHost;\Microsoft.Sara.exe;C:\Program Files\CONEXANT</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Credential Manager DLL Loaded" groupRelation="and">
-				<ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded>
-				<Image condition="excludes any">\svchost.exe;\GameBar.exe;C:\Program Files\WindowsApps;\Microsoft\Teams\current\Teams.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=UNC Path Image Loaded" groupRelation="and">
-				<ImageLoaded condition="begin with">\\</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=WLL Office Application Startup" groupRelation="and">
-				<ImageLoaded condition="contains">\Microsoft\Word\Startup\</ImageLoaded>
-				<ImageLoaded condition="end with">.wll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=XLL Office Application Startup" groupRelation="and">
-				<ImageLoaded condition="contains">\Microsoft\Excel\Startup\</ImageLoaded>
-				<ImageLoaded condition="end with">.xll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Office Application Startup Generic" groupRelation="and">
-				<ImageLoaded condition="contains">\Microsoft\Addins\</ImageLoaded>
-				<ImageLoaded condition="contains any">.xla</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1090.003,Technique=Proxy: Multi-hop Proxy,Tactic=Defense Evasion,DS=Module: Module Load,Level=4,Alert=Ransomware detected tor library,Risk=100" groupRelation="and">
-				<ImageLoaded condition="contains">tor-lib.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Module: Module Load,Level=0,Desc=Cred Dumping,Risk=90" groupRelation="and">
-				<ImageLoaded condition="is any">C:\Windows\System32\WinSCard.dll;C:\Windows\System32\cryptdll.dll;C:\Windows\System32\hid.dll;C:\Windows\System32\samlib.dll;C:\Windows\System32\vaultcli.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Module: Module Load,Level=0,Desc=Mimikatz Cred Dumping,Risk=100" groupRelation="and">
-				<Image condition="image">rundll32.exe</Image>
-				<ImageLoaded condition="contains all">vaultcli.dll;wlanapi.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">combase.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">cryptdll.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">imm32.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">logoncli.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">netapi32.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">ntasn1.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">ntdsapi.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">samlib.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">shcore.dll</ImageLoaded>
-				<ImageLoaded condition="excludes">srvcli.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Potential C3 Framework,Risk=100" groupRelation="and">
-				<ImageLoaded condition="contains all">odbc32.dll;winhttp.dll;netapi32.dll;SHLWAPI.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Explorer Loading Powershell in memory,Risk=100" groupRelation="and">
-				<Image condition="image">C:\Windows\Explorer.EXE</Image>
-				<ImageLoaded condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Programdata Image Loading exe Image from Programdata" groupRelation="and">
-				<Image condition="begin with">C:\ProgramData\</Image>
-				<ImageLoaded condition="begin with">C:\ProgramData\</ImageLoaded>
-				<ImageLoaded condition="end with">.exe</ImageLoaded>
-				<Company condition="excludes">Adobe</Company>
-				<Image condition="excludes">C:\ProgramData\Lenovo\</Image>
-				<ImageLoaded condition="excludes">C:\ProgramData\Microsoft\Windows Defender\</ImageLoaded>
-				<ImageLoaded condition="excludes">C:\ProgramData\sysmon\sysmon64.exe</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Module: Module Load,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
-				<ImageLoaded condition="contains any">C:\Users\Default\;C:\Users\Public\</ImageLoaded>
-				<ImageLoaded condition="end with">.exe</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=Module: Module Load,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
-				<ImageLoaded condition="contains any">C:\Users\Default\;C:\Users\Public\</ImageLoaded>
-				<ImageLoaded condition="end with">.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Module: Module Load,Level=4,Alert=Solarwinds/FireEye sunburst image hashes,Risk=100" groupRelation="and">
-				<Hashes condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hashes><!-- exclude non executable files -->
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Module: Module Load,Level=4,Alert=Sept 2022 Exchange 0day DLL detection,Risk=100" groupRelation="or">
-				<Hashes condition="contains">SHA256=074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82</Hashes><!--Exchange Zero Day Dropped DLL-->
-				<Hashes condition="contains">SHA256=45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9</Hashes><!--Exchange Zero Day Dropped DLL-->
-				<Hashes condition="contains">SHA256=9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0</Hashes><!--Exchange Zero Day Dropped DLL-->
-				<Hashes condition="contains">SHA256=29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3</Hashes><!--Exchange Zero Day Dropped DLL-->
-				<Hashes condition="contains">SHA256=c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2</Hashes><!--Exchange Zero Day Dropped DLL-->
-				<Hashes condition="contains">SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e</Hashes><!--Exchange Zero Day Dropped DLL-->
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=SVCHost loading Unsigned DLL" groupRelation="and">
-				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
-				<Signed condition="is">false</Signed>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Revoked Signature Libraries Loaded" groupRelation="and">
-				<SignatureStatus condition="is">Revoked</SignatureStatus>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=Expired Signature Libraries Loaded" groupRelation="and">
-				<SignatureStatus condition="is">Expired</SignatureStatus>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=4,Alert=HTA Exec with IE JS Engine AMSI Bypass" groupRelation="and">
-				<ImageLoaded condition="end with">jscript9.dll</ImageLoaded>
-				<Image condition="image">mshta.exe</Image>
-			</Rule>
-			<ImageLoaded condition="end with">scrobj.dll</ImageLoaded>
-			<ImageLoaded condition="end with">crypt0.dll</ImageLoaded>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Module: Module Load,Level=0,Desc=Wireless Credential Dumping" groupRelation="and">
-				<ImageLoaded condition="end with">C:\Windows\System32\wlanapi.dll</ImageLoaded>
-				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe</Image>
-				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe</Image>
-				<Image condition="excludes">C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience</Image>
-				<Image condition="excludes">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
-				<Image condition="excludes">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\AppHostRegistrationVerifier.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\CompatTelRunner.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\DeviceCensus.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\DriverStore\FileRepository\</Image>
-				<Image condition="excludes">C:\Windows\System32\LogonUI.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\MoNotificationUx.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\SystemSettingsBroker.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\dxgiadaptercache.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\netsh.exe</Image>
-				<Image condition="excludes">C:\Windows\System32\wlanext.exe</Image>
-				<Image condition="excludes">C:\Windows\UUS\amd64\MoUsoCoreWorker.exe</Image>
-				<Image condition="excludes">C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_</Image>
-				<Image condition="excludes">C:\Windows\explorer.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=Module: Module Load,Level=2,Desc=Python DLL Loaded,Risk=30" groupRelation="and">
-				<ImageLoaded condition="contains any">python</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=1,Desc=Unsigned Global Assembly Cache Load" groupRelation="and">
-				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
-				<Signed condition="is">false</Signed>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=1,Desc=Signed Global Assembly Cache Load" groupRelation="and">
-				<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded>
-				<Signed condition="is">true</Signed>
-			</Rule>
-		</ImageLoad>
-	</RuleGroup>
-	<RuleGroup name="RG=Image Load Excludes" groupRelation="or">
-		<ImageLoad onmatch="exclude">
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=XLL Office Application Startup removal" groupRelation="and">
-				<Image condition="contains">\Microsoft Office\</Image>
-				<ImageLoaded condition="end with">\mscorlib.ni.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=XLL Office Application Startup removal" groupRelation="and">
-				<Image condition="contains">\Microsoft Office\</Image>
-				<ImageLoaded condition="end with">\sppc.dll</ImageLoaded>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=SVCHost Signed DLL" groupRelation="and">
-				<Image condition="image">C:\Windows\System32\svchost.exe</Image>
-				<Signed condition="is">true</Signed>
-			</Rule>
-			<!--Universal Exclusions: Be Careful-->
-			<Rule name="Antivirus Exclusions" groupRelation="or"> 
-				<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab</Image> 
-				<Image condition="begin with">C:\Program Files\Kaspersky Lab</Image>
-				<Image condition="begin with">C:\Program Files (x86)\ESET</Image>
-				<Image condition="begin with">C:\Program Files\ESET</Image>
-				<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\</Image>
-			</Rule>
-			<Company condition="contains">Fortinet</Company>
-			<Company condition="contains">Lenovo</Company>
-			<Company condition="contains">Sophos</Company>
-			<Image condition="end with">mscorsvw.exe</Image>
-			<Image condition="image">C:\Program Files (x86)\Microsoft Office\root\Office15\officebackgroundtaskhandler.exe</Image>
-			<Image condition="image">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
-			<Image condition="image">C:\Program Files\Microsoft Office\root\Office15\officebackgroundtaskhandler.exe</Image>
-			<Image condition="image">C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
-			<Image condition="image">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
-			<Image condition="image">C:\Windows\System32\InstallAgentUserBroker.exe</Image>
-			<Image condition="image">C:\Windows\System32\RuntimeBroker.exe</Image>
-			<Image condition="image">C:\Windows\System32\SearchIndexer.exe</Image>
-			<Image condition="image">C:\Windows\System32\SettingSyncHost.exe</Image>
-			<Image condition="image">C:\Windows\System32\backgroundTaskHost.exe</Image>
-			<Image condition="image">C:\Windows\System32\sppsvc.exe</Image>
-			<Image condition="image">C:\Windows\System32\taskhost.exe</Image>
-			<Image condition="image">C:\Windows\System32\taskhostw.exe</Image>
-			<Image condition="image">C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe</Image>
-			<Image condition="image">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
-			<Image condition="image">HxTsr.exe</Image>
-			<Image condition="image">SearchUI.exe</Image>
-			<ImageLoaded condition="contains">C:\Program Files (x86)\Common Files\BIExcelFunctions1.1\32bit\Sage.</ImageLoaded>
-			<ImageLoaded condition="contains">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Pfx.</ImageLoaded>
-			<ImageLoaded condition="is">C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Adist64.dll</ImageLoaded>
-			<ImageLoaded condition="is">C:\Program Files (x86)\Microsoft Office\Office15\Library\Analysis\ANALYS32.XLL</ImageLoaded>
-			<ImageLoaded condition="is">C:\Program Files (x86)\Microsoft Office\Office16\Library\Analysis\ANALYS32.XLL</ImageLoaded>
-			<ImageLoaded condition="is">C:\Program Files\Microsoft Office\Office15\Library\Analysis\ANALYS32.XLL</ImageLoaded>
-			<ImageLoaded condition="is">C:\Program Files\Microsoft Office\Office16\Library\Analysis\ANALYS32.XLL</ImageLoaded>
-			<ImageLoaded condition="is">C:\Windows\SysWOW64\sppc.dll</ImageLoaded>
-			<ImageLoaded condition="end with">Microsoft.Office.Interop.VisOcx.dll</ImageLoaded>
-			<ImageLoaded condition="end with">Microsoft.Office.Interop.Word.dll</ImageLoaded>
-			<ImageLoaded condition="end with">Microsoft.Vbe.Interop.dll</ImageLoaded>
-			<ImageLoaded condition="end with">OFFICE.DLL</ImageLoaded>
-		</ImageLoad>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
-	<RuleGroup name="RG=CreateRemoteThread Include Group" groupRelation="or">
-		<CreateRemoteThread onmatch="include">
-			<!--Custom Rules-->
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Modification,Level=4,Alert=Credential Dumping from lsass,Risk=100" groupRelation="and">
-				<StartAddress condition="is">0x001A0000</StartAddress>
-				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privledge Escalation,DS=Process: Process Modification,Level=4,Alert=CreateRemoteThread with msiexec,Risk=100" groupRelation="and">
-				<SourceImage condition="contains any">msiexec.exe</SourceImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=0,Desc=Remote Thread Injection Targetting Web Browser,Risk=70" groupRelation="and">
-				<TargetImage condition="contains any">chrome.exe;firefox.exe;edge.exe;browser_broker.exe;iexplore.exe;opera.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Process: Process Modification,Level=0,Desc=LSASS Credential dumping,Risk=70" groupRelation="and">
-				<StartAddress condition="is">0x001A0000</StartAddress>
-				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1003,Tactic=Credential Access,Technique=OS Credential Dumping,DS=Process: Process Modification,Level=0,Desc=Rundll32 LSASS Credential dumping,Risk=70" groupRelation="and">
-				<TargetImage condition="image">c:\windows\system32\lsass.exe</TargetImage>
-				<SourceImage condition="image">c:\windows\system32\rundll32.exe</SourceImage>
-			</Rule>
-			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,DS=Process: Process Modification,Level=4,Alert=Remote Thread Process debugging detected,Risk=30" groupRelation="and">
-				<StartFunction condition="contains">DbgUiRemoteBreakin</StartFunction>
-				<TargetImage condition="excludes">nacl64.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,DS=Process: Process Modification,Level=0,Desc=Remote Query Debug info,Risk=30" groupRelation="and">
-				<StartFunction condition="contains">QueryProcessDebugInformationRemote</StartFunction>
-				<TargetImage condition="excludes">nacl64.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1546.012,Technique=Event Triggered Execution: Image File Execution Options Injection,Tactic=Persistence,Tactic=Defense Evasion,DS=Process: Process Modification,Level=0,Desc=Query Debug info 2,Risk=30" groupRelation="and">
-				<StartFunction condition="contains">isdebuggerpresent</StartFunction>
-				<TargetImage condition="excludes">nacl64.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1546.012,Technique=Process Debugging Detected,Tactic=Defense Evasion,DS=Process: Process Modification,Level=3,Alert=Process Debug of active Process,Risk=30" groupRelation="and">
-				<StartFunction condition="contains">DebugActiveProcess</StartFunction>
-				<TargetImage condition="excludes">nacl64.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1055.001,Technique=Process Injection: Dynamic-link Library Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=3,Alert=LoadLibrary DLL Injection,Risk=70" groupRelation="and">
-				<StartFunction condition="contains">LoadLibrary</StartFunction>
-				<SourceImage condition="excludes">C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe</SourceImage>
-				<SourceImage condition="excludes">C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe</SourceImage>
-				<SourceImage condition="excludes">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</SourceImage>
-				<SourceImage condition="excludes">C:\Windows\System32\DriverStore\FileRepository\</SourceImage>
-				<SourceImage condition="excludes">C:\Windows\System32\igfxEM.exe</SourceImage>
-				<SourceImage condition="excludes">C:\Windows\System32\igfxHK.exe</SourceImage>
-				<SourceImage condition="excludes">Enterprise\Common7\IDE\devenv.exe</SourceImage>
-				<TargetImage condition="excludes">C:\Program Files (x86)\ASUS\ROG Live Service\FileOperator.exe</TargetImage>
-				<SourceImage condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</SourceImage>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=0,Desc=CreateFileMapping,Risk=70" groupRelation="and">
-				<StartFunction condition="contains any">CreateFileMapping;MapViewOfFile</StartFunction>
-			</Rule>			
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=0,Desc=LdrLoadDll DLL Injection,Risk=70" groupRelation="and">
-				<StartFunction condition="contains any">LdrLoadDll</StartFunction>
-			</Rule>
-			<Rule name="Attack=T1106,Technique=Native API,Tactic=Execution,DS=Process: Process Modification,Level=0,Desc=Crypt API Usage" groupRelation="and">
-				<StartFunction condition="contains any">CryptAcquireContextA;CryptDecodeObjectEx;CryptImportPublicKeyInfo;CryptEncrypt;CryptGenKey;CryptDecrypt;CryptStringToBinary;CryptBinaryToString;CryptImportKey</StartFunction>
-			</Rule>
-			<Rule name="Attack=T1115,Technique=Clipboard Data,Tactic=Collection,DS=Process: Process Modification,Level=0,Desc=Clipboard Usage Detected" groupRelation="and">
-				<SourceImage condition="image">c:\windows\system32\csrss.exe</SourceImage>
-				<StartFunction condition="contains">CrtlRoutine</StartFunction>
-			</Rule>
-			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=4,Alert=Cobalt Strike Detected 1,Risk=100" condition="end with">0B80</StartAddress>
-			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=4,Alert=Cobalt Strike Detected 2,Risk=100" condition="end with">0C7C</StartAddress>
-			<StartAddress name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=4,Alert=Cobalt Strike Detected 3,Risk=100" condition="end with">0C88</StartAddress>
-			<TargetImage name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Modification,Level=0,Desc=Remote Desktop injection,Risk=30" condition="image">c:\windows\system32\mstsc.exe</TargetImage>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Modification,Alert=Potentially Detect EtwEventWrite Tampering with remote threads" groupRelation="and">
-				<StartModule condition="is">C:\WINDOWS\SYSTEM32\ntdll.dll</StartModule>
-				<StartFunction condition="contains">EtwEventWrite</StartFunction>
-			</Rule>
-		</CreateRemoteThread>
-	</RuleGroup>
-	<RuleGroup name="RG=CreateRemoteThread Exclude Group" groupRelation="or">
-		<CreateRemoteThread onmatch="exclude">
-			<!--COMMENT: Exclude mostly-safe sources and log anything else.-->
-			<SourceImage condition="image">C:\Windows\SysWOW64\wbem\WmiPrvSE.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\system32\audiodg.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\system32\services.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\system32\svchost.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\system32\wininit.exe</SourceImage>
-			<SourceImage condition="image">C:\Windows\system32\winlogon.exe</SourceImage>
-		</CreateRemoteThread>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
-	<RuleGroup name="RG=RawAccessRead Include Group" groupRelation="or">
-		<RawAccessRead onmatch="include">
-		</RawAccessRead>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
-	<RuleGroup name="RG=ProcessAccess Include Group" groupRelation="or">
-		<ProcessAccess onmatch="include">
-			<!--Custom Rules-->
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Access,Level=0,Desc=CSShellExecute_ExecuteAssoc,Risk=30" groupRelation="and">
-				<CallTrace condition="contains">C:\Windows\System32\SHELL32.dll+9b5bd</CallTrace>
-				<TargetImage condition="excludes">\LocalBridge.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Access,Level=0,Desc=WSHellExec,Risk=50" groupRelation="and">
-				<CallTrace condition="contains any">C:\Windows\System32\wshom.ocx+c8a0;C:\Windows\System32\wshom.ocx+c39d</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Tactic=Execution,DS=Process: Process Access,Level=0,Desc=CWbemProviderGlueExecMethodAsync,Risk=50" groupRelation="and">
-				<CallTrace condition="contains">C:\Windows\SYSTEM32\framedynos.dll+2cb3e</CallTrace>
-				<TargetImage condition="excludes any">C:\Windows\system32\SgrmBroker.exe;C:\Windows\system32\SecurityHealthService.exe;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Windows\system32\services.exe;C:\Windows\system32\wininit.exe;C:\Windows\system32\sppsvc.exe;C:\Windows\System32\smss.exe;C:\Windows\system32\csrss.exe;C:\Windows\System32\svchost.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1047.005,Technique=Windows Management Instrumentation,Tactic=Execution,DS=Process: Process Access,Level=0,Desc=ProviderExecMethod 1,Risk=60" groupRelation="and">
-				<CallTrace condition="contains">C:\Windows\SYSTEM32\framedynos.dll+2b496</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=MiniDumpWriteDump,Risk=50" groupRelation="and">
-				<CallTrace condition="contains">C:\Windows\SYSTEM32\dbgcore.DLL+6cfb</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003.001,Technique=Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=PssCaptureSnapShot,Risk=50" groupRelation="and">
-				<CallTrace condition="contains">C:\Windows\System32\KernelBase.dll+de67e</CallTrace>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Dotnet Debugging detected,Risk=30" groupRelation="and">
-				<CallTrace condition="contains">ntdll.dll+a0044</CallTrace>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Alert=DInvoke detected,Risk=100" groupRelation="and">
-				<CallTrace condition="contains any">clr.dll+6c23;clr.dll+6b38</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,DS=Process: Process Access,Level=0,Desc=Suspicious In-Memory Module Execution 1,Risk=30" groupRelation="and">
-				<CallTrace condition="contains all">C:\Windows\\SYSTEM32\ntdll.dll+;|C:\Windows\System32\KERNELBASE.dll+;|UNKNOWN(</CallTrace>
-				<CallTrace condition="end with">)</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,DS=Process: Process Access,Level=0,Desc=Suspicious In-Memory Module Execution 2,Risk=30" groupRelation="and">
-				<CallTrace condition="contains all">"UNKNOWN(;)|UNKNOWN(</CallTrace>
-				<CallTrace condition="end with">)</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1055,Tactic=Defense Evasion,Technique=Process Injection,DS=Process: Process Access,Level=0,Desc=Suspicious In-Memory Module Execution 3,Risk=30" groupRelation="and">
-				<CallTrace condition="contains all">"UNKNOWN</CallTrace>
-				<GrantedAccess condition="contains any">0x1F0FFF;0x1F1FFF;0x143A;0x1410;0x1010;0x1F2FFF;0x1F3FFF;0x1FFFFF</GrantedAccess>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Process: Process Access,Level=0,Desc=Office Macro Injection Detected,Risk=100" groupRelation="and">
-				<SourceImage condition="contains all">C:\Program Files;\Microsoft Office\Root\Office</SourceImage>
-				<CallTrace condition="contains">\Microsoft Shared\VBA</CallTrace>
-				<TargetImage condition="excludes">C:\Program Files (x86)\Intuit\</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS Credential Access,Risk=70" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<GrantedAccess>0x1FFFFF</GrantedAccess>
-				<CallTrace condition="contains">UNKNOWN</CallTrace>
-				<CallTrace condition="excludes">WmiPerfClass.dll</CallTrace>
-				<SourceImage condition="excludes any">C:\Windows\sysWOW64\wbem\wmiprvse.exe;C:\Windows\system32\wbem\wmiprvse.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe;WmiPerfClass.dll;C:\Program Files (x86)\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files (x86)\Common Files\Adobe</SourceImage>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=Mimikatz through Windows Remote Management,Risk=100" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<SourceImage condition="image">C:\Windows\system32\wsmprovhost.exe</SourceImage>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS process access by LaZagne,Risk=100" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<GrantedAccess>0x1FFFFF</GrantedAccess>
-				<CallTrace condition="contains all">python27.dll;_ctypes.pyd;KERNELBASE.dll;ntdll.dll</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS process access by Mimikatz,Risk=100" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<CallTrace condition="begin with">C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\system32\KERNELBASE.dll+8185</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS Cobalt Strike Monitor,Risk=70" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
-				<CallTrace condition="end with">)</CallTrace>
-				<CallTrace condition="contains all">|C:\WINDOWS\System32\KERNELBASE.dll+;|UNKNOWN(</CallTrace>
-				<CallTrace condition="excludes any">wow64.dll;)|C;Exchange.Diagnostics;Microsoft.Exchange</CallTrace>
-				<SourceImage condition="excludes any">C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe;c:\windows\system32\inetsrv\w3wp.exe;MSExchangeHMHost.exe;C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Rubeus Mimikatz Like Detection,Risk=70" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\winlogon.exe</TargetImage>
-				<GrantedAccess>0x1F3FFF</GrantedAccess>
-				<CallTrace condition="contains any">C:\Windows\Microsoft.NET;UNKNOWN</CallTrace>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Suspicious Process Accessing Sysmon,Risk=50" groupRelation="and">
-				<SourceImage condition="end with">.exe</SourceImage>
-				<TargetImage condition="contains any">C:\Windows\sysmon64.exe;C:\Windows\sysmon64.exe</TargetImage>
-				<GrantedAccess>0x1C00</GrantedAccess>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS Access,Risk=20" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<GrantedAccess>0x1F1FFF</GrantedAccess>
-				<CallTrace condition="contains">UNKNOWN</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS Access 2,Risk=20" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<GrantedAccess>0x1010</GrantedAccess>
-				<CallTrace condition="contains">UNKNOWN</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=LSASS Access 3,Risk=20" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<GrantedAccess>0x143A</GrantedAccess>
-				<CallTrace condition="contains">UNKNOWN</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=LSASS Memory Dump,Risk=100" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<GrantedAccess>0x1fffff</GrantedAccess>
-				<CallTrace condition="contains any">dbghelp.dll;dbgcore.dll</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=0,Desc=Process access with dbghelp,Risk=30" groupRelation="and">
-				<CallTrace condition="contains any">dbghelp.dll;dbgcore.dll</CallTrace>
-				<TargetImage condition="excludes">C:\Windows\system32\lsass.exe</TargetImage>
-				<SourceImage condition="excludes">C:\wfx32\</SourceImage>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Powershell accessing another process memory" groupRelation="and">
-				<SourceImage condition="image">powershell.exe</SourceImage>
-				<TargetImage condition="excludes any">C:\Programdata\sysmon\sysmon64.exe;C:\Programdata\sysmon\sysmon.exe;C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe;\dismhost.exe</TargetImage>
-				<CallTrace condition="excludes all">C:\WINDOWS\SYSTEM32\ntdll.dll+;|C:\WINDOWS\System32\KERNELBASE.dll+;|C:\ProgramData\Microsoft\Windows Defender\Platform\;\MPCLIENT.DLL;\MpOav.dll+;|C:\WINDOWS\SYSTEM32\amsi.dll</CallTrace>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Potential Keylogger detected,Risk=100" groupRelation="and">
-				<CallTrace condition="contains">getasynckeystate</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Access,Level=0,Desc=CMSTP UAC Bypass" groupRelation="and">
-				<CallTrace condition="contains">cmlua.dll</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1086,Technique=PowerShell,Tactic=Execution,DS=Process: Process Access,Level=3,Alert=Powershell without Powershell,Risk=30" groupRelation="and">
-				<CallTrace condition="contains">System.Management.Automation</CallTrace>
-				<CallTrace condition="excludes">C:\ProgramData\Microsoft\Windows Defender\platform\</CallTrace>
-				<CallTrace condition="excludes">ctiuser.dll</CallTrace>
-				<SourceImage condition="is not">C:\Program Files\Citrix\ConfigSync\ConfigSyncRun.exe</SourceImage>
-				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V14\bin\ExSetupUI.exe</SourceImage>
-				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetupUI.exe</SourceImage>
-				<SourceImage condition="is not">C:\Program Files\Microsoft\Exchange Server\V16\bin\ExSetupUI.exe</SourceImage>
-				<SourceImage condition="is not">C:\Windows\SysWOW64\sdiagnhost.exe</SourceImage>
-				<SourceImage condition="is not">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</SourceImage>
-				<SourceImage condition="is not">C:\Windows\Temp\ExchangeSetup\ExSetupUI.exe</SourceImage>
-				<SourceImage condition="is not">C:\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe</SourceImage>
-				<TargetImage condition="is not">C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe</TargetImage>
-				<TargetImage condition="is not">C:\Windows\system32\HOSTNAME.EXE</TargetImage>
-				<TargetImage condition="is not">C:\Windows\system32\ROUTE.exe</TargetImage>
-				<TargetImage condition="is not">C:\Windows\system32\query.exe</TargetImage>
-				<TargetImage condition="is not">MsMpEng.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=3,Alert=Kaodic credential access detected,Risk=100" groupRelation="and">
-				<TargetImage condition="image">C:\Windows\system32\lsass.exe</TargetImage>
-				<CallTrace condition="contains">comsvcs.dll</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Access,Level=3,Alert=Office Macro Execution VBE7,Risk=80" groupRelation="and">
-				<CallTrace condition="contains any">VBE7.dll;VBEUI.DLL;VBE7INTL.DLL</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Access,Level=3,Alert=Office Macro Execution VBE6,Risk=80" groupRelation="and">
-				<CallTrace condition="contains any">VBE6.dll;VBEUI.DLL;VBE6INTL.DLL</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Access,Level=3,Alert=verclsid Office Execution,Risk=80" groupRelation="and">
-				<SourceImage condition="contains">Office</SourceImage>
-				<TargetImage condition="contains">verclsid.exe</TargetImage>
-				<CallTrace condition="contains any">VBE7.dll;VBEUI.DLL;VBE7INTL.DLL</CallTrace>
-				<CallTrace condition="contains any">|UNKNOWN(</CallTrace>
-				<GrantedAccess condition="contains">0x1FFFFF</GrantedAccess>
-			</Rule>
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Access,Level=0,Desc=CreateProcessW,Risk=70" groupRelation="and">
-				<SourceImage condition="contains">C:\Program Files\Microsoft Office\Root\Office</SourceImage>
-				<CallTrace condition="contains">C:\Windows\System32\KERNELBASE.dll+76516</CallTrace>
-			</Rule>
-			<Rule name="Attack=T1059.005,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=Process: Process Access,Level=0,Desc=CSShellExecute_DoExecute,Risk=30" groupRelation="and">
-				<CallTrace condition="contains" >C:\Windows\System32\SHELL32.dll+ae3b9</CallTrace>
-				<TargetImage condition="excludes">C:\WINDOWS\system32\sihost.exe</TargetImage>
-				<TargetImage condition="excludes">C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub</TargetImage>
-			</Rule>
-			<CallTrace name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=4,Alert=CobaltStrike BOF using OpenProcess/NtOpenProcess" condition="begin with">UNKNOWN</CallTrace>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=4,Alert=Typical ProcessAccess Pattern of CobaltStrike BOF" groupRelation="and">
-				<CallTrace condition="contains">|UNKNOWN(</CallTrace>
-				<CallTrace condition="begin with">C:\WINDOWS\SYSTEM32\ntdll.dll+</CallTrace>
-				<CallTrace condition="contains">|C:\WINDOWS\System32\KERNELBASE.dll+</CallTrace>
-				<CallTrace condition="end with">)</CallTrace>
-				<GrantedAccess condition="contains any">0x1028;0x1fffff</GrantedAccess>
-				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git;\Intel\Driver and Support Assistant\DSAService.exe</SourceImage>
-				<SourceImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\NGenTask.exe</SourceImage>
-				<TargetImage condition="excludes any">\Intel\Driver and Support Assistant\</TargetImage>
-				<TargetImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\ngen.exe</TargetImage>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=3,Alert=Potential MalDoc Behavior" groupRelation="and">
-				<SourceImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</SourceImage>
-				<CallTrace condition="contains all">:\Windows\Microsoft.NET\Framework64\v2.;UNKNOWN</CallTrace>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=4,Alert=Potential Metasploit Process Migration" groupRelation="and">
-				<CallTrace condition="contains">UNKNOWN</CallTrace>
-				<GrantedAccess condition="contains">0x147a</GrantedAccess>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Process: Process Access,Level=4,Alert=SysmonEnte Detection,DS=Process: Process Access,Level=4,Risk=100" groupRelation="and">
-				<TargetImage condition="contains any">C:\Windows\Sysmon64.exe;C:\Windows\Sysmon.exe</TargetImage>
-				<SourceImage condition="is not">C:\WINDOWS\system32\wbem\wmiprvse.exe</SourceImage>
-				<SourceImage condition="is not">C:\Program Files (x86)\ASUS\Update\AsusUpdate.exe</SourceImage>
-				<SourceImage condition="is not">C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe</SourceImage>
-				<SourceImage condition="excludes any">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe;C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe;C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</SourceImage>
-				<GrantedAccess condition="contains">0x1400</GrantedAccess>
-			</Rule>
-			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE: possible memory injection -->
-			<GrantedAccess name="Attack=T1093,Technique=Process Hollowing,Tactic=Defense Evasion,DS=Process: Process Access,Level=4,Alert=Process Hollowing Detected,Risk=100">0x0800</GrantedAccess>
-			<!-- PROCESS_SUSPEND_RESUME -->
-			<GrantedAccess name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator">0x0810</GrantedAccess>
-			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
-			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Access,Level=0,Desc=Possible Memory Dump,Risk=70">0x0820</GrantedAccess>
-			<!-- PROCESS_SUSPEND_RESUME -->
-			<GrantedAccess name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=70">0x810</GrantedAccess>
-			<!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ: possible memory dump to extract sensitive information -->
-			<GrantedAccess name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Process: Process Modification,Risk=70">0x820</GrantedAccess>
-			<SourceImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=CScript accessing another process memory,Risk=30" condition="end with">cscript.exe</SourceImage>
-			<SourceImage name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=WScript accessing another process memory,Risk=30" condition="end with">wscript.exe</SourceImage>
-			<SourceImage condition="end with">jjs.exe</SourceImage>
-			<CallTrace name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">dump</CallTrace>
-			<CallTrace name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Process: Process Access,Level=4,Alert=Credential Dumping from Memory indicator,Risk=100" condition="contains">mimikatz</CallTrace>
-			<CallTrace name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=ProcessAccess with CorperfmontExt.dll,Risk=70" condition="contains">CorperfmontExt.dll</CallTrace>
-		</ProcessAccess>
-	</RuleGroup>
-	<RuleGroup name="RG=ProcessAccess Exclude Group" groupRelation="or">
-		<ProcessAccess onmatch="exclude">
-			<Rule name="wmi accessing lsass" groupRelation="and">
-				<SourceImage condition="image">wmiprvse.exe</SourceImage>
-				<TargetImage condition="image">lsass.exe</TargetImage>
-			</Rule>
-			<Rule name="lsass accessing winlogon" groupRelation="and">
-				<SourceImage condition="image">lsass.exe</SourceImage>
-				<TargetImage condition="image">winlogon.exe</TargetImage>
-			</Rule>
-			<!-- These binaries appear to access lsass legitimately -->
-			<Rule name="legitimate lsass access" groupRelation="and">
-				<TargetImage condition="image">lsass.exe</TargetImage>
-				<SourceImage condition="excludes any">C:\Windows\system32\w32tm.exe;C:\Windows\System32\ping.exe;C:\Windows\System32\net.exe;C:\Windows\System32\net1.exe;C:\Windows\SYSTEM32\HOSTNAME.EXE;C:\Programdata\sysmon\sysmon.exe;C:\Programdata\sysmon\sysmon64.exe;C:\Program Files\Windows Defender\MsMpEng.exe;C:\Program Files (x86)\BeAnywhere Support Express\;C:\Program Files (x86)\CheckPoint\;C:\Program Files (x86)\Common Files\Intuit\QuickBooks\;C:\Program Files (x86)\Fortinet\;C:\Program Files (x86)\Trend Micro\;C:\Program Files\Adobe\Adobe Creative Cloud Experience\;C:\Program Files\CheckPoint\;C:\Program Files\Fortinet\;C:\Program Files\Realtek;C:\Program Files\Trend Micro\;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Program Files (x86)\Lenovo\;snmpd.exe;taskmgr;:\Windows\System32\smss.exe;:\Windows\system32\wininit.exe;\Bin\FMS.exe; <!-- Exchange Process -->\EMET_GUI.exe;\EMET_Service.exe;\Google\Update\GoogleUpdate.exe;\RAAGTAPP.EXE;\controls\cef\ConnectWise.exe;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe;C:\Program Files\Hewlett-Packard\AMS\service\hpqams.exe;C:\Program Files\Intel\SUR\WILLAMETTE\ESRV\esrv_svc.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files\Windows Defender\MsMpEng.exe;C:\WINDOWS\system32\WerFault.exe;C:\WINDOWS\system32\taskkill.exe;C:\Windows\SysWOW64\WerFault.exe;C:\Windows\System32\snmp.exe;C:\Windows\system32\msiexec.exe;C:\Windows\system32\spoolsv.exe;C:\Windows\system32\svchost.exe</SourceImage>
-			</Rule>
-			<!-- These binaries get or access processes running .NET -->
-			<SourceImage condition="end with">:\Windows\system32\sppsvc.exe</SourceImage>
-			<SourceImage condition="end with">:\Windows\system32\sdiagnhost.exe</SourceImage>
-			<!-- In testing a common false-positive is memory space that DLLS would be expected to mapped to. -->
-			<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Access,Level=0,Desc=Direct System Call Events" groupRelation="and">
-				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\ntdll.dll</CallTrace>  
-				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\win32u.dll</CallTrace>
-				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\wow64win.dll</CallTrace>
-			</Rule>
-			<Rule name="Antivirus Exclusions" groupRelation="or"> 
-				<SourceImage condition="begin with">C:\Program Files (x86)\Kaspersky Lab</SourceImage> 
-				<SourceImage condition="begin with">C:\Program Files\Kaspersky Lab</SourceImage>
-				<SourceImage condition="begin with">C:\Program Files (x86)\ESET</SourceImage>
-				<SourceImage condition="begin with">C:\Program Files\ESET</SourceImage>
-				<SourceImage condition="begin with">C:\ProgramData\Microsoft\Windows Defender\</SourceImage>
-			</Rule>
-		</ProcessAccess>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
-		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
-	<RuleGroup name="RG=FileCreate Include Group" groupRelation="or">
-		<FileCreate onmatch="include">
-			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
-			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<TargetFilename name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=File: File Creation,Level=4,Alert=Nessus Temp Files Created,Risk=100" condition="contains">\TEMP\nessus_</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
-
-			<!--MITRE ATT&CK TACTIC: Resource Development-->
-			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
-
-			<!--MITRE ATT&CK TACTIC: Initial Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Creation,Level=4,Alert=Solarwinds sunburst suspicious file writes,Risk=100" groupRelation="and">
-				<Image condition="contains any">solarwinds.businesslayerhost</Image>
-				<TargetFilename condition="contains any">.exe;.dll;.ps1;.mz;.jpg;.png</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Creation,Level=4,Alert=Solarwinds sunburst malware dll,Risk=100" groupRelation="and">
-				<TargetFilename condition="is">C:\WINDOWS\SysWOW64\netsetupsvc.dll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Creation,Level=4,Alert=Dark Halo Software location,Risk=100" groupRelation="and">
-				<TargetFilename condition="begin with">C:\Windows\SoftwareDistribution</TargetFilename>
-				<TargetFilename condition="is not">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe</TargetFilename>
-				<TargetFilename condition="end with">.exe</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Creation,Level=0,Desc=MSBuild Source Files created" groupRelation="or">
-				<TargetFilename condition="end with">proj</TargetFilename>
-				<TargetFilename condition="end with">.targets</TargetFilename>
-				<TargetFilename condition="end with">.build</TargetFilename>
-				<TargetFilename condition="end with">.props</TargetFilename>
-				<TargetFilename condition="end with">.tasks</TargetFilename>
-				<TargetFilename condition="end with">.sln</TargetFilename>
-				<TargetFilename condition="end with">.cs</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
-			
-			<!--MITRE ATT&CK TACTIC: Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch File scripting: Batch scripts" condition="end with">.bat</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch scripting: Legacy btm Extension" condition="end with">.btm</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch scripting: Legacy cmd Extension" condition="end with">.cmd</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch scripting: Legacy com Extension" condition="end with">.com</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=CMDLine File Created" condition="end with">.cmdline</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Batch File Created" condition="end with">.bas</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=BIN file created" condition="end with">.bin</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WMI Shell artifacts" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WS Scripting" condition="end with">.ws</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WSC Scripting" condition="end with">.wsc</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WSF Scripting" condition="end with">.wsf</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=WSH Scripting" condition="end with">.wsh</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=PIF Scripting" condition="end with">.pif</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: MSHTA-->
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=MSHTA Scripting" condition="end with">.hta</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Python-->
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=IronPython,Risk=90" condition="contains">IronPython</TargetFilename>
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Python" condition="end with">.py</TargetFilename>
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Python" condition="end with">.pyc</TargetFilename>
-			<TargetFilename name="Attack=T1059.006,Technique=Command and Scripting Interpreter: Python,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Python" condition="end with">.pyd</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Powershell-->
-			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Desc=Powershell file types,Risk=100" groupRelation="or">
-				<TargetFilename condition="end with">.cdxml</TargetFilename>
-				<TargetFilename condition="end with">.ps1</TargetFilename>
-				<TargetFilename condition="end with">.ps1xml</TargetFilename>
-				<TargetFilename condition="end with">.psc1</TargetFilename>
-				<TargetFilename condition="end with">.psd1</TargetFilename>
-				<TargetFilename condition="end with">.psm1</TargetFilename>
-				<TargetFilename condition="end with">.pssc</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=2,Desc=Powershell Creating Files,Risk=10" groupRelation="and">
-				<Image condition="contains any">powershell.exe;powershell_ise.exe</Image>
-				<TargetFilename condition="excludes">\Recent\CustomDestinations\</TargetFilename>
-			</Rule>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Powershell directory modifications" condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Powershell directory modifications" condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Persistence: PowerShell default profile" condition="begin with">c:\Windows\System32\WindowsPowerShell\v1.0\profile</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Persistence: PowerShell default profile" condition="begin with">c:\Windows\Syswow64\WindowsPowerShell\v1.0\profile</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\powershell.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Powershell Console History" condition="end with">PSReadLine\ConsoleHost_history.txt</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter: Javascript-->
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=vbs script created" condition="end with">.vbs</TargetFilename>
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Java JRE Timestamp usage for DFIR" condition="contains">.oracle_jre_usage\</TargetFilename>
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=JavaScript" condition="end with">.js</TargetFilename>
-			<TargetFilename name="Attack=T1059.007,Technique=Command and Scripting Interpreter: JavaScript,Tactic=Execution,DS=File: File Creation,Level=0,Desc=JavaScript" condition="end with">.jse</TargetFilename>
-			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,DS=File: File Creation,Level=0,Desc=VisualBasicScripting" condition="end with">.vb</TargetFilename>
-			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,DS=File: File Creation,Level=0,Desc=VisualBasicScripting" condition="end with">.vbe</TargetFilename>
-			<TargetFilename name="Attack=T1059.005,Technique=Command and Scripting Interpreter: VisualBasic,Tactic=Execution,DS=File: File Creation,Level=0,Desc=VisualBasicScripting" condition="end with">.vbsript</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=File: File Creation,Level=0,Desc=CVE-2019-1315,Risk=70" groupRelation="and">
-				<TargetFilename condition="end with">Report.wer.tmp</TargetFilename>
-				<TargetFilename condition="excludes">\WER\</TargetFilename>
-				<Image condition="image">C:\Windows\system32\wermgr.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Office App Creating Exe File,Risk=70" groupRelation="and">
-				<Image condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe</Image>
-				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="begin with">C:\Users</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Office App Creating DLL File,Risk=70" groupRelation="and">
-				<Image condition="contains any">winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe</Image>
-				<TargetFilename condition="end with">.dll</TargetFilename>
-				<TargetFilename condition="begin with">C:\Users</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
-			<!--MITRE ATT&CK TECHNIQUE: Native API-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: System Services-->
-			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: User Execution: Malicious File-->
-			<Rule name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Generic Ransomware Detection" groupRelation="and">
-				<TargetFilename condition="contains any">!!!-WARNING-!!!.html;!!!-WARNING-!!!.txt;!!! HOW TO DECRYPT FILES !!!;!!!README!!!;!!!READ_TO_UNLOCK!!!.TXT;!!!_READ_ME_;!Recovery_;!Where_are_my_files!.html;!_HOW_TO_RESTORE_;!_RECOVERY_HELP_!.txt;!recover!;# DECRYPT MY FILES #.html;# DECRYPT MY FILES #.txt;# DECRYPT MY FILES #.vbs;# SATAN CRYPTOR #;+recover+;.8lock8;.31392E30362E32303136_;.ABCDEF;.CIop;.CR1;.CRAB;.CRYPTOSHIELD;.Cl0p;.Contact_Here_To_Recover_Your_Files.txt;.CryptoTorLocker2015!;.HERMES;.HakunaMatata;.How_To_Decrypt.txt;.How_To_Get_Back.txt;.KEYZ.KEYH0LES;.L0CKED;.LOL!;.MATRIX;.OMG!;.R.i.P;.RMCM1;.RSplited;.SUPERCRYPT;.SecureCrypted;.TheTrumpLocker;.VBRANSOM;.VforVendetta;.Where_my_files.txt;.XBTL;._AiraCropEncrypted!;.airacropencrypted!;.areyoulovemyrans;.berkshire;.bitpy;.bitx;.blocatto;.bomber;.braincrypt;.breakingbad;.breeding123;.cerber;.cifgksaffsfyghd;.country82000;.crypt;.crypted;.crypton;.cryptotorlocker;.decrypt2017;.deria;.dglnl;.disposed2017;.doomed;.encrypted.locked;.encrypted;.encryptedyourfiles;.enjey;.evillock;.filegofprencrp;.fileiscryptedhard;.firecrypt;.fuckyourdata;.gangbang;.gefickt;.googl;.happydayzz;.hceem;.helpdecrypt;.helpmeencedfiles;.hnumkhotep;.hydracrypt_ID;.iaufkakfhsaraf;.info.txt;.jimm;.kharma;.killedXXX;.lambda_l0cked;.letmetrydecfiles;.locked;.locker16;.loveransisgood;.lovewindows;.magic_software_syndicate;.mention9823;.moments2900;.myrandsext2017;.newlock;.no_more_ransom;.nochance;.noproblemwedecfiles;.notfoundrans;.ohwqg;.one-we_can-help_you;.oops;.osiris;.otherinformation;.paytounlock;.powerfulldecrypt;.powned;.pr0lock;.prolock;.prosperous666;.pwnd;.ransom;.readme2unlock;.righ;.roger;.ryk;.satan;.savethequeen;.sigaint.org;.skjdthghh;.skynet;.snatch;.stubbin;.supported2017;.suppose666;.theworldisyours;.txd0t;.warn_wallet;.weapologize;.weareyourfriends;.weencedufiles;.wowreadfordecryp;.wowwhereismyfiles;.wvtr0;.yourransom;.zzzzz ;.{CRYPTENDBLACKDC};-DECRYPT.txt;000-IF-YOU-WANT-DEC-FILES;000-No-PROBLEM-WE-DEC-FILES;000-PLEASE-READ-WE-HELP;001-READ-FOR-DECRYPT-FILES;1025-7152.exe;:\windows\update_collector.exe;=READ=THIS=PLEASE=;@cock.li;@countermail.com;@firemail.cc;@india.com;@mail.ru;@ukr.net;ASSISTANCE_IN_RECOVERY;ATTENTION!!!.txt;ATTENTION.url;Aescrypt.exe;AllFilesAreLocked;BTC_DECRYPT_FILES;BUYUNLOCKCODE.txt;BUYUNLOCKCODE;BitCryptorFileList.txt;C:\ProgramData\dtb.dat;C:\Programdata\WinMgr;C:\Programdata\clean.bat;C:\Programdata\run.bat;C:\Windows\svchost.exe;CEBER3;CHECK-IT-HELP-FILES;COME_RIPRISTINARE_I_FILE.;COMO_ABRIR_ARQUIVOS.txt;COMO_RESTAURAR_ARCHIVOS;Coin.Locker.txt;Comment débloquer mes fichiers.txt;Como descriptografar seus arquivos.txt;Corona-virus-Map;Corona.bat;Corona.sfx;CryptoRansomware;Crytp0l0cker;Cyber SpLiTTer Vbs.exe;Cyborg_DECRYPT;DALE_FILES.TXT;DECRYPT-FILES;DECRYPTION INSTRUCTIONS.;DECRYPTION_HOWTO.Notepad;DECRYPT_INFORMATION;DECRYPT_INSTRUCTION.HTML;DECRYPT_INSTRUCTION.URL;DECRYPT_INSTRUCTIONS.html;DECRYPT_INSTRUCTIONS;DECRYPT_ReadMe1.TXT;DECRYPT_Readme.TXT.ReadMe;DECRYPT_YOUR_FILES;DESIFROVANI_POKYNY.html;Decrypt All Files;DecryptAllFiles;DecryptFile;Decrypt_readme.txt;DesktopOsiris;ENTSCHLUSSELN_HINWEISE.html;EdgeLocker;FILESAREGONE.txt;FILES_BACK.txt;File Decrypt Help.html;GJENOPPRETTING_AV_FILER;GetYouFiles.txt;HAPPEN-ENCED-FILES;HELLOTHERE.TXT;HELP-ME-ENCED-FILES;HELPDECRYPT_YOUR_FILES.HTML;HELP_DECRYPT.HTML;HELP_DECRYPT.PNG;HELP_DECRYPT.URL;HELP_DECRYPT.lnk;HELP_ME_PLEASE.txt;HELP_RESTORE_FILES_;HELP_TO_SAVE_FILES.bmp;HELP_TO_SAVE_FILES;HELP_YOURFILES.HTML;HELP_YOUR_FILES.PNG;HELP_YOUR_FILES.html;HELP_YOUR_FILES;HOW-TO-DECRYPT-FILES.HTML;HOW-TO-RESTORE-FILES;HOW TO BACK YOUR FILES;HOW TO DECRYPT FILES.HTML;HOW TO DECRYPT FILES.txt;HOW TO RECOVER;HOWTO_RECOVER_FILES_;HOWTO_RESTORE_FILES;HOWTO_RESTORE_FILES_;HOW_DECRYPT.HTML;HOW_DECRYPT.TXT;HOW_DECRYPT.URL;HOW_OPEN_FILES;HOW_TO_DECRYPT.HTML;HOW_TO_DECRYPT_;HOW_TO_PAY_THE_RANSOM;HOW_TO_RESTORE_FILES.html;HOW_TO_RESTORE_FILES;HOW_TO_RESTORE_YOUR_DATA;HOW_TO_UNLOCK_FILES_README_;HWID Lock.exe;Hacked_Read_me_to_decrypt_files.html;Help Decrypt.html;How decrypt files.hta;How to decrypt LeChiffre files.html;How to decrypt your data.txt;HowDecrypt.gif;HowDecrypt.txt;How_to_decrypt_your_files.jpg;How_to_restore_files.hta;HowtoRestore_File;HowtoRestore_Files;Howto_RESTORE_FILES.html;Howto_Restore_FILES.TXT;IAMREADYTOPAY.TXT;IF-YOU-WANT-DEC-FILES;IF_WANT_FILES_BACK_PLS_READ.html;IHAVEYOURSECRET.KEY;IMPORTANT READ ME.txt;IMPORTANT.README;INSTALL_TOR.URL;INSTRUCCIONES;INSTRUCCIONES_DESCIFRADO.html;INSTRUCTION RESTORE FILE;INSTRUCTIONS_DE_DECRYPTAGE.html;INSTUCCIONES_DESCRIFRADO;ISTRUZIONI_DECRITTAZIONE.html;Important!.txt;Instructionaga.txt;KryptoLocker_README.txt;LEER_INMEDIATAMENTE;LET-ME-TRY-DEC-FILES;Locked-by-Mafia;MENSAGEM.txt;MERRY_I_LOVE_YOU_BRUCE.hta;No-PROBLEM-WE-DEC-FILES;OKSOWATHAPPENDTOYOURFILES.TXT;ONTSLEUTELINGS_INSTRUCTIES.html;OSIRIS-;PAYLOADBIN;PINGY@INDIA.COM;PLEASE-READ-WE-HELP.;PLEASE-READIT-IF_YOU-WANT.html;PLEASE-READIT-IF_YOU-WANT;PLEASE-README-AFFECTED-FILES;PLS-DEC-MY-FILES;PURELOCKER;Payment_Instructions.jpg;Please Read Me!!!;READ-FOR-DECCCC-FILESSS;READ-FOR-DECRYPT-FILES;READ-READ-READ;READ IF YOU WANT YOUR FILES BACK.html;READ ME FOR DECRYPT.txt;README HOW TO DECRYPT YOUR FILES.HTML;README!!!;README_DECRYPT_HYDRA_ID_;README_DECRYPT_HYRDA_ID_;README_DECRYPT_UMBRE_ID_;README_DONT_DELETE;README_HOW_TO_UNLOCK.HTML;README_HOW_TO_UNLOCK.TXT;README_RECOVER_FILES_;README_TO_RECURE_YOUR_FILES;READTHISNOW!!!.txt;READ_IT.txt;READ_ME_!.txt;READ_ME_TO_DECRYPT_YOU_INFORMA;READ_THIS_TO_DECRYPT.html;RECOVER-FILES;RECOVERY_FILE.;RECOVERY_FILES.TXT;RECOVER_MY_FILE;RESTORE_CORUPTED_FILES;RESTORE_FILES_;RETURN FILES.txt;RETURN YOUR FILES;RETURNFILES_.txt;RETURN_FILES.txt;RETURN_FILES_.txt;Rans0m_N0te_Read_ME;Read Me (How Decrypt) !!!!.txt;ReadDecryptFilesHere;Read_this_file.txt;Receipt.exe;RecoveryManual.html;Recovery_File_;Recovery_file_;Rooster865qq;SECRET.KEY;SECRETIDHERE.KEY;SHTODELATVAM.txt;SIFRE_COZME_TALIMATI.html;SORRY-FOR-FILES;Survey Locker.exe;TRY-READ-ME-TO-DEC;Temp\satan\satan;ThxForYurTyme;UNLOCK_FILES_INSTRUCTIONS.html;UNLOCK_FILES_INSTRUCTIONS.txt;UnblockFiles.vbs;VIP72.exe;Vape Launcher.exe;WANT_FILES_BACK;WE-MUST-DEC-FILES;WHERE-YOUR-FILES;WORMKILLER@INDIA.COM.XTBL;What happen to my files.txt;Whereisyourfiles;WindowsApplication1.exe;YOUGOTHACKED.TXT;YOUR_FILES.txt;YOUR_FILES.url;YOUR_FILES_ARE_DEAD;YOUR_FILES_ARE_ENCRYPTED.HTML;YOUR_FILES_ARE_ENCRYPTED.TXT;YOUR_FILES_ARE_LOCKED.txt;Your files are locked !!!!.txt;Your files are locked !!!.txt;Your files are locked !!.txt;Your files are locked !.txt;Your files encrypted by our friends !!! txt;Your files encrypted by our friends !!!.txt;[KASISKI];_Adatok_visszaallitasahoz_utasitasok;_DECRYPT_ASSISTANCE_;_DECRYPT_INFO_;_DECRYPT_INFO_szesnl;_DEC_FILES.;_FILES_WERE_ENCRYPTED_@.TXT;_HELP_HELP_HELP_;_HELP_Recover_Files_;_HELP_instructions.bmp;_HELP_instructions.txt;_HOWDO_text.bmp;_HOWDO_text.html;_HOW_TO_Decrypt;_H_e_l_p_RECOVER_INSTRUCTIONS+;_H_e_l_p_RECOVER_INSTRUCTIONS;_Locky_recover;_Locky_recover_instructions.bmp;_Locky_recover_instructions.txt;_README.hta;_README.jpg;_READ_ME!;_RECOVER_INSTRUCTIONS;_ReCoVeRy_+;_USE_TO_FIX_;_WHAT_is.html;_help_instruct;_how_recover.txt;_how_recover;_how_recover_;_recover_;_secret_code.txt;_steaveiwalker@india.com_;aeroware;confirmation.key;contains(to_string($message.file_created), "howrecover+;crjoker.html;cryptinfo.txt;cryptolocker.;cryptopp;de_crypt_readme.;de_crypt_readme.bmp;de_crypt_readme.html;de_crypt_readme.txt;decipher_ne;decrypt-instruct;decrypt explanations.;decrypt my file;decrypt your file;decrypt_Globe;decrypt_instruct;decrypted_files.dat;decryptional;decryptmyfiles;decypt_your_files.html;default32643264.bmp;default432643264.jpg;email-salazar_slytherin10;enc_files.txt;encryptor_raas_readme_liesmich;enigma.hta;enigma_encr.txt;exit.hhr.obleep;fattura_;file0locked;files_are_encrypted.;-filesencrypted;firemail.cc;firstransomware.exe;gmx.de;hacks.at.sigaint.org;help-file-decrypt.enc;help_decrypt;help_file_;help_instructions.;help_my_files;help_recover;help_recover_instructions;help_restore;help_restore_files;help_your_file;helpmeencedfiles;how to decrypt aes files.lnk;how to decrypt;how to get data.txt;how_decrypt.gif;how_recover;how_to_decrypt;how_to_recover;howrecover+ recoveryfile_;howrecover+;howto_recover_file;howto_restore;howtodecrypt;howtodecryptaesfiles.txt;inbox.ru;info@kraken.cc_worldcza@email.cz;install_tor;iran.ir;last_chance.txt;maestro@pizzacrypts.info;maxcrypt.bmp;only-we_can-help_you;openforyou@india.com;opensourcemail.org;padcrypt;paycrypt.bmp;popcorn_time.exe;powerfulldecrypt;protonmail.ch;qbmail.biz;randomname;readme_decrypt;readme_for_decrypt;readme_liesmich_encryptor_raas;recover_file;recover_file_;recover_instruction;recoverfile;recoverfile_;recovery+;recovery_file.txt;recovery_key.txt;recoveryfile;recover}-;restore_files.txt;restorefiles;restorefiles_;ryukreadme.html;tuta.io;tutanota.com;tutanota.de;unCrypte;vault.hta;vault.key;vault.txt;want your files back.;warning-!!;wie_zum_Wiederherstellen_von_Dateien.txt;wowreadfordecryp;wowwhereismyfiles;zXz.html;zycrypt.;zzzzzzzzzzzzzzzzzyyy</TargetFilename>
-				<TargetFilename condition="excludes all">C:\Users\;\Google\Chrome Beta\User Data\;\IndexedDB\</TargetFilename>
-				<TargetFilename condition="excludes any">C:\Program Files\WindowsApps\Microsoft.YourPhone_;C:\Program Files\dotnet\shared\Microsoft.NETCore.App\;\Microsoft.NET\assembly\GAC_MSIL</TargetFilename>
-			</Rule>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="contains">crackmapexec</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._AES.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Cipher._DES.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Hash._SHA256.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Random.OSRNG.winrandom.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\Crypto.Util.strxor.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\crackmapexec.exe.manifest</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Common Files of CrackMapExec,Risk=100" condition="end with">\greenlet.pyd</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=KeeFarce.exe default injected DLL name,Risk=100" condition="end with">BootStrapDLL.dll</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=MegaCortex Ransomware,Risk=100" condition="begin with">C:\windows\temp\wininit.exe</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Mimikatz Files" condition="contains any">lazycat;powerkatz;mimikatz;mimidrv;mimilove;mimilib;mimikittenz;mimiauth;invoke-mimi</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=RDP Wrapper,Risk=100" condition="end with">rdpwrap.dll</TargetFilename>
-			<TargetFilename name="Attack=T1204.002,Technique=Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=winspool.drv dropped" condition="end with">winspool.drv</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
-			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=File: File Creation" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
-			<TargetFilename name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=File: File Creation" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
-			<Image name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=File: File Creation" condition="begin with">C:\WINDOWS\system32\wbem\scrcons.exe</Image>
-			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<TargetFilename name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Autorun Folder Entries" condition="contains">\Programs\Startup\</TargetFilename>
-			<TargetFilename name="Attack=T1547.001,Technique=Registry Startup Folder,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Autorun Folder Entries" condition="contains">\Startup\</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
-			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Office Application Startup modification" condition="contains">\Word\STARTUP\</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Office Application Startup modification" condition="contains">\Microsoft\Templates\</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Office Application Startup modification" condition="contains">\Excel\XLSTART\</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation" condition="end with">.dotm</TargetFilename>
-			<TargetFilename name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=File: File Creation" condition="end with">.XLSB</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Scheduled Task Modified" condition="begin with">C:\Windows\Tasks\</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Exchange 0day from September 2022 overwriting legit file,Risk=80" groupRelation="and">
-				<TargetFilename condition="end with">RedirSuiteServiceProxy.aspx</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Web Shells Dropped 1,Risk=80" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-				<TargetFilename condition="end with">.aspx</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Web Shells Dropped 2,Risk=80" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-				<TargetFilename condition="end with">.asp</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Web Shells Dropped 3,Risk=80" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-				<TargetFilename condition="end with">.ashx</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Alert=Web Shells Dropped 4,Risk=80" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-				<TargetFilename condition="end with">.php</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Alert=Web Shells Dropped 5,Risk=80" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-				<TargetFilename condition="end with">.aaa</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=Web Shells Dropped 6,Risk=100" groupRelation="and">
-				<TargetFilename condition="contains any">\wwwroot\aspnet_client\;\FrontEnd\HttpProxy\owa\auth</TargetFilename>
-				<TargetFilename condition="contains any">.aspx;.php;.ashx</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1190,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=3,Alert=IIS Dropping Ps1 file,Risk=100" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-				<TargetFilename condition="end with">.ps1</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=File: File Creation,Level=3,Alert=IIS Dropping Bat file,Risk=100" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-				<TargetFilename condition="end with">.bat</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=File: File Creation,Level=3,Alert=IIS Dropping DLL file,Risk=100" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-				<TargetFilename condition="end with">.dll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=File: File Creation,Level=3,Alert=IIS Dropping VBS file,Risk=100" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-				<TargetFilename condition="end with">.vbs</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Exploit Public-Facing Application,Tactic=Initial Access,DS=File: File Creation,Level=3,Alert=IIS Dropping HTA file,Risk=100" groupRelation="and">
-				<Image condition="image">w3wp.exe</Image>
-				<TargetFilename condition="end with">.hta</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=Files dropped in wwwroot directory,Risk=40" groupRelation="and">
-				<TargetFilename condition="contains any">\wwwroot\</TargetFilename>
-				<TargetFilename condition="excludes any">\wwwroot\aspnet_client\;jpg</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=ASP Files dropped outside wwwroot directory" groupRelation="and">
-				<TargetFilename condition="end with">.asp</TargetFilename>
-				<TargetFilename condition="excludes any">\wwwroot\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1505.003,Technique=Server Software Component: Web Shell,Tactic=Persistence,DS=File: File Creation,Level=0,Desc=ASPX Files dropped outside wwwroot directory" groupRelation="and">
-				<TargetFilename condition="end with">.aspx</TargetFilename>
-				<TargetFilename condition="excludes any">\wwwroot\</TargetFilename>
-			</Rule>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange ECP directory,Risk=80" condition="contains">\ecp\auth\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange OAB directory,Risk=80" condition="contains">\oab\auth\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">ClientAccess\Owa\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange OWA directory,Risk=80" condition="contains">\owa\auth\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange RPC directory,Risk=80" condition="contains">httpproxy\rpc\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in Exchange ecp directory,Risk=80" condition="contains">ClientAccess\ecp\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files dropped in wwwroot htdocs directory" condition="contains">\htdocs\</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=File: File Creation,Level=0,Desc=Printer Exploitation Detected,Risk=20" groupRelation="and">
-				<TargetFilename condition="end with">.SPL</TargetFilename>
-				<Image condition="excludes any">spoolsv.exe;printfilterpipelinesvc.exe;printisolationhost.exe;splwow64.exe;msiexec.exe;poqexec.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=File: File Creation,Level=0,Desc=Printer Spooler Created exe file,Risk=40" groupRelation="and">
-				<Image condition="image">spoolsv.exe</Image>
-				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="excludes">C\:\Windows\System32\spool\;C\:\Windows\Temp\;C\:\Users\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=File: File Creation,Level=0,Desc=InstallerFileTakeOver,Risk=80,CVE=CVE-2021-41379" groupRelation="and">
-				<Image condition="image">msiexec.exe</Image>
-				<TargetFilename condition="contains">\Microsoft\Edge\Application</TargetFilename>
-				<TargetFilename condition="end with">elevation_service.exe</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
-			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=WSL Locations" condition="contains">\LocalState\rootfs\</TargetFilename>
-
-			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Monitor Common Masquarading Locations" groupRelation="or">
-				<TargetFilename condition="begin with">C:\PerfLogs\</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Temp\</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Users\Default\</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename> 
-				<TargetFilename condition="contains">\AppData\Temp\</TargetFilename>
-			</Rule>
-			<TargetFilename condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Recycle bin files created">$Recycle.Bin</TargetFilename>
-			<Image condition="contains" name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files Created from">$Recycle.Bin</Image>
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Files Created within System Profile" groupRelation="and">
-				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
-				<TargetFilename condition="contains">\config\systemprofile\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,Risk=20,DS=File: File Creation,Level=0,Desc=Files Created from System Profile executable" groupRelation="and">
-				<Image condition="begin with">C:\Windows\</Image>
-				<Image condition="contains">\config\systemprofile\</Image>
-			</Rule>
-			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Alert=Block double extensions" groupRelation="or">
-				<TargetFilename condition="end with">      .exe</TargetFilename>
-				<TargetFilename condition="end with">.7z.exe</TargetFilename>
-				<TargetFilename condition="end with">.doc.exe</TargetFilename>
-				<TargetFilename condition="end with">.doc.exe</TargetFilename>
-				<TargetFilename condition="end with">.docx.exe</TargetFilename>
-				<TargetFilename condition="end with">.ico.exe</TargetFilename>
-				<TargetFilename condition="end with">.iso.exe</TargetFilename>
-				<TargetFilename condition="end with">.lnk.exe</TargetFilename>
-				<TargetFilename condition="end with">.pdf.exe</TargetFilename>
-				<TargetFilename condition="end with">.ppt.exe</TargetFilename>
-				<TargetFilename condition="end with">.pptx.exe</TargetFilename>
-				<TargetFilename condition="end with">.rar.exe</TargetFilename>
-				<TargetFilename condition="end with">.rtf.exe</TargetFilename>
-				<TargetFilename condition="end with">.txt.exe</TargetFilename>
-				<TargetFilename condition="end with">.xls.exe</TargetFilename>
-				<TargetFilename condition="end with">.xlsx.exe</TargetFilename>
-				<TargetFilename condition="end with">.zip.exe</TargetFilename>
-				<TargetFilename condition="end with">______.exe</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
-			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
-			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
-			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
-			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Compiled HTML File-->
-			<TargetFilename name="Attack=T1223,Technique=Compiled HTML File,Tactic=Defense Evasion,DS=File: File Creation" condition="end with">.chm</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
-			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
-			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation" condition="end with">proj</TargetFilename>
-			<TargetFilename name="Attack=T1127,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation" condition="end with">.sln</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
-			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
-
-			<!--MITRE ATT&CK TACTIC: Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
-			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
-			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
-			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
-
-			<!--MITRE ATT&CK TACTIC: Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
-			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-
-			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
-			<Rule name="Attack=T1203,Technique=Exploitation of Remote Services,Tactic=Lateral Movement,DS=File: File Creation,Level=4,Alert=Exchange Exploitation UM Service File Creation,Risk=80,CVE=CVE-2021-26858" groupRelation="and">
-				<Image condition="contains any">UMWorkerProcess.exe;UMService.exe</Image>
-				<TargetFilename condition="contains any">.</TargetFilename>
-				<TargetFilename condition="excludes any">.log;.cfg;.txt;cleanup;.HealthCheck;\wp.active;.db</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-
-			<!--MITRE ATT&CK TACTIC: Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" condition="end with">.7z</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" condition="end with">.7zip</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" condition="end with">.arj</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=7zip Archive" condition="end with">.s7z</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=.A Archive" condition="end with">.a</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ACE Archive" condition="end with">.ace</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=AR Archive" condition="end with">.ar</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ARC Archive" condition="end with">.arc</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=BIN" condition="end with">.bin</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=CAB Archive" condition="end with">.cab</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Game PAK Archive" condition="end with">.pak</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Gzip Archive" condition="end with">.gz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=IMG Archive" condition="end with">.img</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ISO Archive" condition="end with">.iso</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=LZM Archive" condition="end with">.lzm</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=LZMA Archive" condition="end with">.lzma</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=RAR Archive Extraction" condition="contains">Temp\Rar$</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=RAR Archive" condition="end with">.rar</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=RAR SFX Archive Extraction" condition="contains">RarSFX</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=SFX Archive" condition="end with">.sfx</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=SZ Archive" condition="end with">.sz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=TAR Archive" condition="end with">.tar</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=TAR.GZ Archive" condition="end with">.tar.gz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=TAR.GZ Archive" condition="end with">.tgz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=XZ Archive" condition="end with">.xz</TargetFilename>
-			<TargetFilename name="Attack=T1560,Technique=Archive Collected Data,Tactic=Collection,DS=File: File Creation,Level=0,Desc=ZIP Archive" condition="end with">.zip</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
-			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .OST Created,Risk=30" condition="end with">.ost</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.eml</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.msg</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=0,Desc=Possible Email Collection/Exfiltration: .PST Created,Risk=30" condition="end with">.pst</TargetFilename>
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
-
-			<!--MITRE ATT&CK TACTIC: Command and Control-->
-			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
-			<Rule name="Attack=T1132,Technique=Data Encoding,Tactic=Command and Control,DS=File: File Creation,Level=4,Alert=Cyrillic Letter obfuscation,Risk=100" groupRelation="and">
-				<TargetFilename condition="contains any">Г;И;К;П;д;и;к;л;л;н;н;о;ф;ե;թ;յ;ն;ն;ն;ն;տ;ւ;ք</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
-			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
-			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Created by Teamviewer" condition="image">Teamviewer.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Created by rundll32" condition="image">rundll32.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Created with Remote Desktop Client" condition="image">mstsc.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Created with command shell,Risk=30" condition="image">cmd.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped with IronPython.exe,Risk=50" condition="image">ipy.exe</Image>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped with WScript.exe,Risk=30" condition="image">WScript.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with cscript.exe,Risk=30" condition="image">cscript.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with mshta.exe,Risk=100" condition="image">mshta.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with python.exe,Risk=30" condition="image">python.exe</Image>
-			<Image name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=0,Desc=File Dropped with wmic.exe,Risk=30" condition="image">wmic.exe</Image>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
-				<TargetFilename condition="contains any">C:\Users\Default\;C:\Users\Public\</TargetFilename>
-				<TargetFilename condition="end with">.dll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command and Control,DS=File: File Creation,Level=3,Alert=Suspicious Image loaded within Default or Public Directory,Risk=40" groupRelation="and">
-				<TargetFilename condition="contains any">C:\Users\Default\;C:\Users\Public\</TargetFilename>
-				<TargetFilename condition="end with">.exe</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
-			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy: Multi-hop Proxy-->
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Hidden Service,Risk=100" condition="contains">HiddenService</TargetFilename>
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Files,Risk=100" condition="end with">torrc</TargetFilename> 
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Files,Risk=100" condition="contains">\tor.exe</TargetFilename> 
-			<TargetFilename name="Attack=T1090.003,Tactic=Command and Control,Technique=Multi-hop Proxy,DS=File: File Creation,Level=4,Alert=Potential Tor Files,Risk=100" condition="contains">tor-gencert</TargetFilename> 
-			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
-
-			<!--MITRE ATT&CK TACTIC: Exfiltration-->
-
-			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Possible rclone Exfiltration,Risk=30" condition="contains">rclone</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Possible s3browser Exfiltration,Risk=30" condition="contains">s3browser</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Browser Credential exfiltration,Risk=30" condition="contains">grabff.exe</TargetFilename>
-			<TargetFilename name="Attack=T1114,Technique=Email Collection,Tactic=Collection,DS=File: File Creation,Level=4,Alert=Browser Credential exfiltration,Risk=30" condition="contains">grabff.exe</TargetFilename>
-			<!--MITRE ATT&CK TACTIC: Impact-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=File: File Creation,Level=4,Alert=Snatch Ransomware Detected,Risk=100" groupRelation="and">
-				<TargetFilename condition="contains all">RESTORE_;_FILES.txt</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=File: File Creation,Level=4,Alert=Snatch2 Ransomware Detected,Risk=100" groupRelation="and">
-				<TargetFilename condition="contains all">DECRYPT_;_FILES.txt</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=File: File Creation,Level=4,Alert=Nanocore Detected,Risk=100" groupRelation="and">
-				<TargetFilename condition="contains any">\run.dat;\task.dat;\storage.dat</TargetFilename>
-				<TargetFilename condition="contains">AppData</TargetFilename>
-				<TargetFilename condition="excludes any">Symantec</TargetFilename>
-				<TargetFilename condition="excludes any">BlueJeans</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=File: File Creation,Level=4,Alert=RagnarLocker Virtualbox files: susceptible to FP,Risk=40" groupRelation="and">
-				<TargetFilename condition="contains any">VBoxRT.dll;VboxC.dll</TargetFilename>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
-			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
-			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
-			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
-			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
-			<!--UEBA Detections-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Suspicious files within Content.IE5,Risk=40" groupRelation="and">
-				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
-				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.dll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Unusual OLE ActiveX execution from Microsoft Office,Risk=20" groupRelation="and">
-				<TargetFilename condition="contains any">MSForms.exd</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Executable File Detected in System32" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename> 
-				<TargetFilename condition="begin with">C:\windows\system32\</TargetFilename> 
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Executable File Detected in Windows Directory" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename> 
-				<TargetFilename condition="begin with">C:\windows\</TargetFilename> 
-				<TargetFilename condition="excludes">\system32\</TargetFilename> 
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Executable File Detected Outside Windows Directory" groupRelation="and">
-				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
-				<TargetFilename condition="excludes">C:\windows\</TargetFilename> 
-				<TargetFilename condition="excludes">C:\Users\</TargetFilename> 
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Executable File Detected Inside User Directory" groupRelation="and">
-				<TargetFilename condition="contains any">.dll;.exe</TargetFilename> 
-				<TargetFilename condition="begin with">C:\Users\</TargetFilename> 
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=WLL Office Application Startup" groupRelation="and">
-				<TargetFilename condition="contains">\Microsoft\Word\Startup\</TargetFilename>
-				<TargetFilename condition="end with">.wll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc= Windows Defender Application Control changes" groupRelation="and">
-				<TargetFilename condition="begin with">C:\windows\system32\CodeIntegrity\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=XLL Office Application Startup" groupRelation="and">
-				<TargetFilename condition="contains">\Microsoft\Excel\Startup\</TargetFilename>
-				<TargetFilename condition="end with">.xll</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Outlook Macro Execution,Risk=90" groupRelation="and">
-				<TargetFilename condition="end with">\Microsoft\Outlook\VbaProject.OTM</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Office Application Startup Generic" groupRelation="and">
-				<TargetFilename condition="contains">\Microsoft\Addins\</TargetFilename>
-				<TargetFilename condition="contains any">.xla</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Office VSTO Addin detected,Risk=20" groupRelation="and">
-				<TargetFilename condition="end with">.vsto</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New bat file dropped to C:\Windows\,Risk=70" groupRelation="and">
-				<TargetFilename condition="end with">.bat</TargetFilename>
-				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
-				<Image condition="excludes any">C:\ProgramData\Lenovo\SystemUpdate\sessionSE\</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New dll file dropped to C:\Windows\" groupRelation="and">
-				<TargetFilename condition="end with">.dll</TargetFilename>
-				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Driver sys file dropped to C:\Windows\" groupRelation="and">
-				<TargetFilename condition="end with">.sys</TargetFilename>
-				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Exe file dropped to C:\Windows\" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
-				<TargetFilename condition="excludes any">C:\Windows\System32\;C:\windows\syswow64\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Exe file dropped to C:\Windows\System32" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New Exe file dropped to C:\Windows\System32" groupRelation="and">
-				<TargetFilename condition="end with">.exe</TargetFilename>
-				<TargetFilename condition="begin with">C:\Windows\SysWow64\</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=New theme: Credential harvesting" groupRelation="and">
-				<TargetFilename condition="end with">.theme</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Interesting files: Microsoft Office Isolated Conversion Environment" groupRelation="and">
-				<TargetFilename condition="contains">\Packages\oice_</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Virtualbox VM Escape" groupRelation="and">
-				<Image condition="image">VirtualboxVM.exe</Image>
-			</Rule>
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Files edited with Notepad Plus Plus" condition="is">notepad++.exe</Image>
-			<TargetFilename name="Attack=T1023,Technique=Shortcut Modification,Tactic=Persistence,DS=File: File Creation,Level=4,Alert=Potential LNK Malware File Downloaded">.lnk:Zone.Identifier</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\cscript.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\mshta.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\msiexec.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\regsvr32.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\rundll32.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\svchost.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wmic.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\UsageLogs\wscript.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Host Process" condition="end with">\regsvr32.exe.log</TargetFilename>
-			<TargetFilename name="Attack=T1059,Technique=Command and Scripting Interpreter,Tactic=Execution,DS=File: File Creation,Level=0,Desc=Execution: Susp ManagedCode Winrm Host Process" condition="end with">\UsageLogs\wsmprovhost.exe.log</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Link">.lnk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=URL">.url</TargetFilename>
-			<!--Drivers dropped-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver" condition="end with">.sys</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver INF" condition="end with">.inf</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver File Dropped" condition="begin with">C:\Windows\System32\Drivers</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Driver File Dropped" condition="contains">\Drivers\</TargetFilename>
-			<TargetFilename condition="end with">.drv</TargetFilename> 
-			<!--Microsoft Office File Monitoring-->
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlam</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel Macro,Risk=30" condition="end with">.xlsm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xla</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xll</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xls</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xlsb</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xlsx</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xlt</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xltm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Excel" condition="end with">.xlw</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Office Template created" condition="contains">\Microsoft\Templates\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Outlook EML" condition="end with">.eml</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Outlook MSG" condition="end with">.msg</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.potm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint Macro,Risk=30" condition="end with">.pptm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Powerpoint OpenXML Filetype" condition="end with">.sldm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Recent Office Files" condition="contains">\Microsoft\Office\Recent</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Forensic=Recent Office History" condition="contains">oleObject</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Forensic=Recent Jumplist Custom Destinations" condition="contains">\Recent\CustomDestinations\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=User Downloaded Files" condition="contains">\Downloads\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=User Outlook Attachments" condition="contains">\Content.Outlook\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Macro,Risk=30" condition="end with">.docb</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Macro,Risk=30" condition="end with">.wbk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Perfect" condition="end with">.ped</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Template" condition="end with">.dot</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word Template" condition="end with">.dotx</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word" condition="end with">.doc</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word" condition="end with">.docm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Word" condition="end with">.docx</TargetFilename>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Legacy Office files" groupRelation="or">
-				<TargetFilename condition="end with">.accdb</TargetFilename>
-				<TargetFilename condition="end with">.accde</TargetFilename>
-				<TargetFilename condition="end with">.accdr</TargetFilename>
-				<TargetFilename condition="end with">.accdt</TargetFilename>
-				<TargetFilename condition="end with">.mdb</TargetFilename>
-				<TargetFilename condition="end with">.mde</TargetFilename>
-				<TargetFilename condition="end with">.msc</TargetFilename>
-				<TargetFilename condition="end with">.mst</TargetFilename>
-				<TargetFilename condition="end with">.potx</TargetFilename>
-				<TargetFilename condition="end with">.ppam</TargetFilename>
-				<TargetFilename condition="end with">.ppsm</TargetFilename>
-				<TargetFilename condition="end with">.ppsx</TargetFilename>
-				<TargetFilename condition="end with">.ppt</TargetFilename>
-				<TargetFilename condition="end with">.pptm</TargetFilename>
-				<TargetFilename condition="end with">.pptx</TargetFilename>
-				<TargetFilename condition="end with">.pub</TargetFilename>
-				<TargetFilename condition="end with">.sldm</TargetFilename>
-				<TargetFilename condition="end with">.sldx</TargetFilename>
-				<TargetFilename condition="end with">.xls</TargetFilename>
-				<TargetFilename condition="end with">.xps</TargetFilename>
-			</Rule>
-			<!--SECTION: Certificates -->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Certificate" groupRelation="or">
-				<TargetFilename condition="end with">.pem</TargetFilename>
-				<TargetFilename condition="end with">.crt</TargetFilename>
-				<TargetFilename condition="end with">.ca-bundle</TargetFilename>
-				<TargetFilename condition="end with">.cer</TargetFilename>
-				<TargetFilename condition="end with">.csr</TargetFilename>
-				<TargetFilename condition="end with">.der</TargetFilename>
-				<TargetFilename condition="end with">.p7b</TargetFilename>
-				<TargetFilename condition="end with">.p7r</TargetFilename>
-				<TargetFilename condition="end with">.p7s</TargetFilename>
-				<TargetFilename condition="end with">.pfx</TargetFilename>
-				<TargetFilename condition="end with">.sto</TargetFilename>
-				<TargetFilename condition="end with">.p12</TargetFilename>
-				<TargetFilename condition="end with">.crl</TargetFilename>
-				<TargetFilename condition="end with">.sst</TargetFilename>
-				<TargetFilename condition="end with">.key</TargetFilename>
-			</Rule>
-			<!-- side loading -->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Sideload Detection" groupRelation="or">
-				<TargetFilename condition="end with">.hlp</TargetFilename>
-				<TargetFilename condition="end with">ACLUI.DLL.UI</TargetFilename>
-				<TargetFilename condition="end with">ACLUI.DLL</TargetFilename>
-				<TargetFilename condition="end with">AFLogVw.exe</TargetFilename>
-				<TargetFilename condition="end with">AShld.exe</TargetFilename>
-				<TargetFilename condition="end with">AShldRes.DLL.asr</TargetFilename>
-				<TargetFilename condition="end with">AShldRes.DLL</TargetFilename>
-				<TargetFilename condition="end with">AhnI2.dll</TargetFilename>
-				<TargetFilename condition="end with">CamMute.exe</TargetFilename>
-				<TargetFilename condition="end with">CommFunc.dll</TargetFilename>
-				<TargetFilename condition="end with">CommFunc.jax</TargetFilename>
-				<TargetFilename condition="end with">DESqmWrapper.dll</TargetFilename>
-				<TargetFilename condition="end with">DESqmWrapper.wrapper</TargetFilename>
-				<TargetFilename condition="end with">FSPMAPI.dll.fsp</TargetFilename>
-				<TargetFilename condition="end with">FSPMAPI.dll</TargetFilename>
-				<TargetFilename condition="end with">Gadget.exe</TargetFilename>
-				<TargetFilename condition="end with">LoLTWLauncher.exe</TargetFilename>
-				<TargetFilename condition="end with">Mc.exe</TargetFilename>
-				<TargetFilename condition="end with">McUtil.dll.ping</TargetFilename>
-				<TargetFilename condition="end with">McUtil.dll.url</TargetFilename>
-				<TargetFilename condition="end with">McUtil.dll</TargetFilename>
-				<TargetFilename condition="end with">MpSvc.dll</TargetFilename>
-				<TargetFilename condition="end with">MsMpEng.exe</TargetFilename>
-				<TargetFilename condition="end with">NtUserEx.dat</TargetFilename>
-				<TargetFilename condition="end with">NtUserEx.dat</TargetFilename>
-				<TargetFilename condition="end with">NtUserEx.dll</TargetFilename>
-				<TargetFilename condition="end with">NtUserEx.dll</TargetFilename>
-				<TargetFilename condition="end with">NvSmart.exe</TargetFilename>
-				<TargetFilename condition="end with">NvSmartMax.dll</TargetFilename>
-				<TargetFilename condition="end with">NvSmartMax.dll</TargetFilename>
-				<TargetFilename condition="end with">NvSmartMaxapp.dll</TargetFilename>
-				<TargetFilename condition="end with">OInfo11.ISO</TargetFilename>
-				<TargetFilename condition="end with">OInfo11.ocx</TargetFilename>
-				<TargetFilename condition="end with">OInfoP11.exe</TargetFilename>
-				<TargetFilename condition="end with">OleView.exe</TargetFilename>
-				<TargetFilename condition="end with">OleView.exe</TargetFilename>
-				<TargetFilename condition="end with">POETWLauncher.exe</TargetFilename>
-				<TargetFilename condition="end with">RasTls.dll.config</TargetFilename>
-				<TargetFilename condition="end with">RasTls.dll.msc</TargetFilename>
-				<TargetFilename condition="end with">RasTls.dll</TargetFilename>
-				<TargetFilename condition="end with">RasTls.exe</TargetFilename>
-				<TargetFilename condition="end with">RunHelp.exe</TargetFilename>
-				<TargetFilename condition="end with">Sidebar.dll.doc</TargetFilename>
-				<TargetFilename condition="end with">Sidebar.dll</TargetFilename>
-				<TargetFilename condition="end with">Ushata.dll</TargetFilename>
-				<TargetFilename condition="end with">Ushata.exe</TargetFilename>
-				<TargetFilename condition="end with">Ushata.fox</TargetFilename>
-				<TargetFilename condition="end with">VeetlePlayer.exe</TargetFilename>
-				<TargetFilename condition="end with">boot.ldr</TargetFilename>
-				<TargetFilename condition="end with">chrome_frame_helper.dll.rom</TargetFilename>
-				<TargetFilename condition="end with">chrome_frame_helper.dll</TargetFilename>
-				<TargetFilename condition="end with">chrome_frame_helper.exe</TargetFilename>
-				<TargetFilename condition="end with">dvcemumanager.exe</TargetFilename>
-				<TargetFilename condition="end with">fsguidll.exe</TargetFilename>
-				<TargetFilename condition="end with">fslapi.dll.gui</TargetFilename>
-				<TargetFilename condition="end with">fslapi.dll</TargetFilename>
-				<TargetFilename condition="end with">fsstm.exe</TargetFilename>
-				<TargetFilename condition="end with">hccutils.dll.res</TargetFilename>
-				<TargetFilename condition="end with">hccutils.dll</TargetFilename>
-				<TargetFilename condition="end with">hha.dll.bak</TargetFilename>
-				<TargetFilename condition="end with">hha.dll</TargetFilename>
-				<TargetFilename condition="end with">hhc.exe</TargetFilename>
-				<TargetFilename condition="end with">hkcmd.exe</TargetFilename>
-				<TargetFilename condition="end with">iviewers.dll</TargetFilename>
-				<TargetFilename condition="end with">jli.dll</TargetFilename>
-				<TargetFilename condition="end with">libvlc.dll</TargetFilename>
-				<TargetFilename condition="end with">mPclient.dll</TargetFilename>
-				<TargetFilename condition="end with">mcf.ep</TargetFilename>
-				<TargetFilename condition="end with">mcf.exe</TargetFilename>
-				<TargetFilename condition="end with">mcupdui.exe</TargetFilename>
-				<TargetFilename condition="end with">mcut.exe</TargetFilename>
-				<TargetFilename condition="end with">mcutil.dll.bbc</TargetFilename>
-				<TargetFilename condition="end with">mcvsmap.exe</TargetFilename>
-				<TargetFilename condition="end with">msi.dll.dat</TargetFilename>
-				<TargetFilename condition="end with">msi.dll</TargetFilename>
-				<TargetFilename condition="end with">msseces.asm</TargetFilename>
-				<TargetFilename condition="end with">msseces.exe</TargetFilename>
-				<TargetFilename condition="end with">mtcReport.ktc</TargetFilename>
-				<TargetFilename condition="end with">rc.dll</TargetFilename>
-				<TargetFilename condition="end with">rc.exe</TargetFilename>
-				<TargetFilename condition="end with">rc.hlp</TargetFilename>
-				<TargetFilename condition="end with">sep_NE.exe</TargetFilename>
-				<TargetFilename condition="end with">sep_NE.slf</TargetFilename>
-				<TargetFilename condition="end with">tplcdclr.exe</TargetFilename>
-				<TargetFilename condition="end with">winmm.dll</TargetFilename>
-				<TargetFilename condition="end with">wts.chm</TargetFilename>
-				<TargetFilename condition="end with">credwiz.exe</TargetFilename>
-			</Rule>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Op cell phone: https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" condition="end with">ssMUIDLL.dll</TargetFilename>
-			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=Finfisher Sideload Detection" condition="end with">aepic.dll</TargetFilename>
-			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=Finfisher Sideload Detection" condition="end with">ftllib.dll</TargetFilename>
-			<TargetFilename name="Attack=T1574.002,Technique=Hijack Execution Flow: DLL Side-Loading,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=Finfisher Sideload Detection" condition="end with">userenv.dll</TargetFilename>
-			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,DS=File: File Creation,Level=0,Desc=RDP Bitmap Cache" condition="contains">\Terminal Server Client\Cache\</TargetFilename>
-			<TargetFilename name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=File: File Creation,Forensic=Windows Prefetch Exec History" condition="begin with">C:\Windows\Prefetch</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Suspicious TSClient share file creation,Risk=30" condition="begin with">\\tsclient</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=WebDav Cache Files Created" condition="begin with">C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\</TargetFilename>
-			<TargetFilename name="Attack=T1087,Technique=Account Discovery,Tactic=Discovery,DS=File: File Creation,Level=4,Alert=SharpDump bin,Risk=100" condition="end with">\Temp\debug.bin</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=7zip Archive Extraction" condition="contains">Temp\7z</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Appcompat Shims" condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CHM Filetype" condition="end with">.chm</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CIA Vault7: Control Panel Files https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="end with">.cpl</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=CIA Vault7: https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="contains">.mht</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Chrome Extensions" condition="contains">\Chrome\User Data\Default\Extensions\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Chrome extension" condition="end with">.crx</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=ClickOnce extension" condition="end with">.appref-ms</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Desktop Gadget File" condition="end with">.gadget</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Encrypted JScript File type" condition="end with">.JSE</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Executable file" condition="end with">.exe</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Explorer Command" condition="end with">.scf</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped to Exchange OWA: Webshell,Risk=70" condition="contains">Exchange Server\ClientAccess\Owa\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File Dropped to shadow copy" condition="begin with">\Device\HarddiskVolumeShadowCopy</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=File created/accessed from Zip File" condition="contains">.zip\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Font File Type" condition="end with">.FON</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Font File Type" condition="end with">.FOT</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Group Policy Script File Dropped" condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=IQY file used to pull down dropper" condition="end with">.iqy</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Icon" condition="end with">.ico</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Internet settings" condition="end with">.isp</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=MMC Snapin" condition="end with">.msc</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Manifest File Crated" condition="end with">.manifest</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Memory dump" condition="end with">MEMORY.dmp</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Microsoft Installer" condition="end with">.msi</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.cs</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Microsoft:dotNet: Executed by cvtres.exe" condition="end with">.customDestinations-ms</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Minidump Crash dump created" condition="begin with">C:\Windows\Minidump</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=PAF" condition="end with">.PAF</TargetFilename>
-			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,DS=File: File Creation,Level=0,Desc=RDP Bitmap Cache" condition="end with">.bmc</TargetFilename>
-			<TargetFilename name="Attack=T1021.001,Technique=Remote Services: Remote Desktop Protocol,Tactic=Lateral Movement,DS=File: File Creation,Level=0,Desc=RDP" condition="end with">.rdp</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=RTF files often 0day malware vectors when opened by Office,Risk=20" condition="end with">.rtf</TargetFilename> 
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Registry file" condition="end with">.reg</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=SHS Office File for copy pastes" condition="end with">.SHS</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=SLK file used for command execution" condition="end with">.slk</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Screensaver" condition="end with">.SCR</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Set" condition="end with">.set</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=SettingContent-ms" condition="end with">.SettingContent-ms</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Spooled Print Job" condition="end with">.SHD</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Spooled Print Job" condition="end with">.SPL</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Screensaver file created" condition="end with">.scr</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Vault7 file" condition="end with">HammerDrillStatus.dll</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Error Dumps" condition="contains">Microsoft\Windows\WER\</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Icon" condition="end with">.ICL</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Registry Database" condition="end with">.sdb</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Script File Component File" condition="end with">.SCT</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Windows Shell Scrap Object Handler File" condition="end with">.SHB</TargetFilename>
-			<TargetFilename name="Attack=None,Technique=None,Tactic=None,DS=File: File Creation,Level=0,Desc=Zip File Extraction from explorer" condition="contains">Temp\Temp1_</TargetFilename>
-			<!--Uncategorized-->
-			<TargetFilename condition="contains all">\Microsoft\;CLR_v;\UsageLogs\</TargetFilename>
-			<TargetFilename condition="end with">.ade</TargetFilename>
-			<TargetFilename condition="end with">.adp</TargetFilename>
-			<TargetFilename condition="end with">.application</TargetFilename>
-			<TargetFilename condition="end with">.appref-ms</TargetFilename>
-			<TargetFilename condition="end with">.asc</TargetFilename>
-			<TargetFilename condition="end with">.bmf</TargetFilename>
-			<TargetFilename condition="end with">.cer</TargetFilename>
-			<TargetFilename condition="end with">.dmp</TargetFilename>
-			<TargetFilename condition="end with">.gpg</TargetFilename>
-			<TargetFilename condition="end with">.htm</TargetFilename>
-			<TargetFilename condition="end with">.html</TargetFilename>
-			<TargetFilename condition="end with">.json</TargetFilename>
-			<TargetFilename condition="end with">.jsp</TargetFilename>
-			<TargetFilename condition="end with">.key</TargetFilename>
-			<TargetFilename condition="end with">.mof</TargetFilename>
-			<TargetFilename condition="end with">.ocx</TargetFilename>
-			<TargetFilename condition="end with">.p7b</TargetFilename>
-			<TargetFilename condition="end with">.p12</TargetFilename>
-			<TargetFilename condition="end with">.pem</TargetFilename>
-			<TargetFilename condition="end with">.pfx</TargetFilename>
-			<TargetFilename condition="end with">.pgp</TargetFilename>
-			<TargetFilename condition="end with">.php</TargetFilename>
-			<TargetFilename condition="end with">.ppk</TargetFilename>
-			<TargetFilename condition="end with">.war</TargetFilename>
-			<TargetFilename condition="end with">.xml</TargetFilename>
-		</FileCreate>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
-	<RuleGroup name="RG=RegistryEvent Include Group" groupRelation="or">
-		<RegistryEvent onmatch="include">
-			<!--MITRE ATT&CK TACTIC: Reconnaissance-->
-			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<Rule name="ttack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=indows Registry: Windows Registry Key Modification,Level=4,Alert=Advanced IP Scanner Scan Detected" groupRelation="and">
-				<TargetObject condition="contains">Software\Famatech\advanced_ip_scanner\State</TargetObject>
-				<TargetObject condition="end with">LastRangeUsed</TargetObject>
-				<EventType condition="is">SetValue</EventType>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Host Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Identity Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Network Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Gather Victim Org Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Phishing for Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Closed Sources-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Technical Databases-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Open Websites/Domains-->
-			<!--MITRE ATT&CK TECHNIQUE: Search Victim-Owned Websites-->
-
-			<!--MITRE ATT&CK TACTIC: Resource Development-->
-			<!--MITRE ATT&CK TECHNIQUE: Acquire Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Develop Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Establish Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Obtain Capabilities-->
-			<!--MITRE ATT&CK TECHNIQUE: Stage Capabilities-->
-
-			<!--MITRE ATT&CK TACTIC: Initial Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Drive-by Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploit Public-Facing Application-->
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=RDP Connection History Tracking" groupRelation="and">
-				<TargetObject condition="contains">\Software\Microsoft\Terminal Server Client</TargetObject>
-				<TargetObject condition="excludes">DefaultPrinter</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Hardware Additions-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Keyloggers and new Keyboards" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject>
-				<EventType condition="is">SetValue</EventType>
-			</Rule>
-			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect USB Input Devices" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da}</TargetObject>
-				<EventType condition="is">SetValue</EventType>
-			</Rule>
-			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Mice" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}</TargetObject>
-				<EventType condition="is">SetValue</EventType>
-			</Rule>
-			<Rule name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Composite Device" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}</TargetObject>
-				<EventType condition="is">SetValue</EventType>
-			</Rule>
-			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Bluetooth Device" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974</TargetObject>
-				<EventType condition="is">SetValue</EventType>
-			</Rule>
-			<Rule name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Disk Drive" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}</TargetObject>
-				<EventType condition="is">SetValue</EventType>
-			</Rule>
-			<Rule name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New WPD Devices" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}</TargetObject>
-				<EventType condition="is">SetValue</EventType>
-			</Rule>
-			<Rule name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect New Biometric Devices" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}</TargetObject>
-				<EventType condition="is">SetValue</EventType>
-			</Rule>
-			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=Virtual DVD-ROM Drive Mounted,Forensic=Virtual DVD-ROM Drive Mounted" groupRelation="and">
-				<TargetObject condition="contains all">Root\InventoryDevicePnp;prod_virtual_dvd-rom</TargetObject>
-				<EventType condition="is">SetValue</EventType>
-			</Rule>
-			<TargetObject name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Mounted Device Detection" condition="contains">MountedDevices</TargetObject>
-			<TargetObject name="T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Mountpoints2 Mounted Device Detection" condition="contains">Mountpoints2</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Active Setup Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Phishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Supply Chain Compromise-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Relationship-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts -->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Interactive Logon Detected" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\</TargetObject>
-				<TargetObject condition="end with">LoggedOnUser</TargetObject>
-			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Last Logged on User modification" condition="contains">LastLoggedOnUser</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Last Logged on Provider modification" condition="contains">LastLoggedOnProvider</TargetObject>
-			<!--MITRE ATT&CK TACTIC: Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Command and Scripting Interpreter-->
-			<!--MITRE ATT&CK TECHNIQUE: Container Administration Command-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Client Execution-->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Suspicious Set Value of MSDT in Registry: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<TargetObject condition="begin with">HKCR\ms-msdt\</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Scripted Diagnostics Turn Off Check Enabled: Dogwalk/follina,Risk=100,CVE=CVE-2022-30190" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Inter-Process Communication-->
-			<!--MITRE ATT&CK TECHNIQUE: Native API-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Shared Modules-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: System Services-->
-			<Rule name="Attack=T1543.003,Tactic=Persistence,Technique=Create Windows Service,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=New SVCHost service,Risk=70" groupRelation="and">
-				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost</TargetObject>
-				<TargetObject condition="excludes">\print\</TargetObject>
-				<TargetObject condition="excludes">\AzureAttestService\CoInitializeSecurityParam</TargetObject>
-				<Image condition="excludes">C:\$WINDOWS.~BT\</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: User Execution-->
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=VBA Project Object Model Macro Settings,Risk=30" groupRelation="and">
-				<TargetObject condition="end with">\AccessVBOM</TargetObject>
-				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=VBA Project VBA Warnings Macro Setting Change,Risk=40" groupRelation="and">
-				<TargetObject condition="end with">Security\VBAWarnings</TargetObject>
-				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=VBA Project VBA Warnings Macro Setting Change,Risk=40" groupRelation="and">
-				<TargetObject condition="end with">Security\VBAWarnings</TargetObject>
-				<Image condition="excludes any">C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1204,Technique=User Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Potential Office Macro Execution Detected" groupRelation="and">
-				<Image condition="contains any">EXCEL.exe;WINWORD.exe</Image>
-				<TargetObject condition="contains any">{8BD21D32-EC42-11CE-9E0D-00AA006002F3};{5B9D8FC8-4A71-101B-97A6-00000B65C08B}</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: User Execution: Malicious File-->
-			<Rule name="Attack=T0000,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=NJRAT Detection,Risk=100" groupRelation="and">
-				<TargetObject condition="is">HKCU\di</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lokibot Detection" groupRelation="and">
-				<TargetObject condition="contains">HKCU\�</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AMSI Tamper Detection" groupRelation="or">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\AMSI\Providers\</TargetObject>
-				<TargetObject condition="begin with">hklm\software\microsoft\windows script\settings\amsienable</TargetObject>
-				<TargetObject condition="begin with">hkcu\software\microsoft\windows script\settings\amsienable</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Windows Management Instrumentation-->
-
-			<!--MITRE ATT&CK TACTIC: Persistence-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Chrome Extension auditing" groupRelation="and">
-				<TargetObject condition="contains">Google\Chrome\Extensions</TargetObject>
-				<TargetObject condition="end with">update_url</TargetObject>
-				<EventType condition="is">SetValue</EventType>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Account Manipulation-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Forced password reset detected" groupRelation="and">
-				<TargetObject condition="contains">ForcePasswordReset</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Machine Password Change Detected" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User Last Password Changed" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
-				<TargetObject condition="end with">Last Password Change</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Account Expiration" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
-				<TargetObject condition="end with">Account Expiration</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Last Failed Logon" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\</TargetObject>
-				<TargetObject condition="end with">Last Failed Logon</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User Account Added to Local Admin" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User Account Added to Remote Desktop User Group" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\Domains\Builtin\Aliases\0000022B\</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<TargetObject name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Alert=Process Injection: injecting a 64-bit DLL into a 32-bit process" condition="contains">SOFTWARE\Microsoft\Wow64\x86\</TargetObject>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Alert=AutoRun Reg Keys,Risk=70" groupRelation="and">
-				<EventType condition="is">SetValue</EventType>
-				<TargetObject condition="contains">\CurrentVersion\Run\</TargetObject>
-				<Image condition="excludes">Add_exclusions_here</Image>
-			</Rule>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Microsoft\System\Scripts</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Logon Logoff Shutdown Scripts" condition="contains">\Windows\System\Scripts</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Service Command Line parameters" condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Start Mode Changed to: Boot" groupRelation="and">
-				<TargetObject condition="end with">\Start</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Start Mode Changed to: System" groupRelation="and">
-				<TargetObject condition="end with">\Start</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details>
-			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Start Mode Changed to: Automatic" groupRelation="and">
-				<TargetObject condition="end with">\Start</TargetObject>
-				<Details condition="contains">DWORD (0x00000002)</Details>
-			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Services: Service Start Mode Changed to: Manual" groupRelation="and">
-				<TargetObject condition="end with">\Start</TargetObject>
-				<Details condition="contains">DWORD (0x00000003)</Details>
-			</Rule>
-			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Services: Service Start Mode Changed to: Disabled" groupRelation="and">
-				<TargetObject condition="end with">\Start</TargetObject>
-				<Details condition="contains">DWORD (0x00000004)</Details>
-			</Rule>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Services: Services and autoruns imagepath" condition="end with">\ImagePath</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Service DLL changes" condition="end with">\ServiceDll</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Manifest pointing to service's DLL" condition="end with">\ServiceManifest</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="begin with">hkcu\software\microsoft\windows nt\currentversion\windows\run\</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\common startup</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="begin with">hkcu\software\microsoft\windows\currentversion\explorer\shell folders\startup</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="begin with">hklm\software\microsoft\command processor\autorun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="contains all">hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Run Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification" condition="contains">Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Print Processors-->
-			<TargetObject name="Attack=T1013,Technique=Port Monitors,Tactic=Persistence/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification" condition="contains">\Print\Monitors</TargetObject>
-			<!--<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">\Printers\Connections</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">\Print\Environments\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">\Servers\Printers\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">\Print\V4 Connections</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">CurrentVersion\PrinterPorts</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Printer Registry Locations" condition="contains">SWD\PRINTENUM</TargetObject>-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Extensions-->
-			<!--MITRE ATT&CK TECHNIQUE: Compromise Client Software Binary-->
-			<!--MITRE ATT&CK TECHNIQUE: Create Account-->
-			<Rule name="Attack=T1136,Technique=Create Account,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=New user created,Risk=40" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
-				<TargetObject condition="excludes">$</TargetObject>
-				<EventType condition="is">CreateKey</EventType>
-			</Rule>
-			<Rule name="Attack=T1136,Technique=Create Account,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Creation,Level=0,Desc=Hidden New user created,Risk=40" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
-				<TargetObject condition="contains">$</TargetObject>
-				<EventType condition="is">CreateKey</EventType>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Sysmon Manifest change detected,Risk=30" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}</TargetObject>
-				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
-				<Image condition="excludes">C:\Programdata\sysmon\sysmon64.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Endpoint Protocol Handlers" groupRelation="and">
-				<TargetObject condition="begin with">HKCR\</TargetObject>
-				<TargetObject condition="end with">(Default)</TargetObject>
-				<TargetObject condition="excludes">\shell\open\command\(Default)</TargetObject>
-				<Details condition="begin with">URL:</Details>
-			</Rule>
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor User Protocol Handlers" groupRelation="and">
-				<TargetObject condition="begin with">HKCU\Software\Classes\</TargetObject>
-				<TargetObject condition="end with">(Default)</TargetObject>
-				<TargetObject condition="excludes">\shell\open\command\(Default)</TargetObject>
-				<Details condition="begin with">URL:</Details>
-			</Rule>
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Endpoint File Associations" groupRelation="and">
-				<TargetObject condition="begin with">HKCR\</TargetObject>
-				<TargetObject condition="end with">\shell\open\command\(Default)</TargetObject>
-				<Details condition="contains">%1</Details>
-			</Rule>
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor User Default File Associations" groupRelation="and">
-				<TargetObject condition="begin with">HKCU\Software\Classes\</TargetObject>
-				<TargetObject condition="end with">\shell\open\command\(Default)</TargetObject>
-				<Details condition="contains">%1</Details>
-			</Rule>
-			<Rule name="Attack=T1546.001,Technique=Event Triggered Execution: Change Default File Association,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor COM Hijacking" groupRelation="and">
-				<TargetObject condition="end with">\shell\open\command\DelegateExecute</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Accessibility Features-->
-			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Utilman Priv Escalation,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=sethc.exe Priv Escalation,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: External Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=KnownDLLs" condition="contains">Session Manager\KnownDlls</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Implant Internal Image-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Office Application Startup-->
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft Outlook Addins" groupRelation="and">
-				<TargetObject condition="contains">Outlook\Addins</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft Word Addins" groupRelation="and">
-				<TargetObject condition="contains">Word\Addins</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft Excel Addins" groupRelation="and">
-				<TargetObject condition="contains">Excel\Addins</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft Powerpoint Addins" groupRelation="and">
-				<TargetObject condition="contains">Powerpoint\Addins</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft VSTO Inclusions" groupRelation="and">
-				<TargetObject condition="contains">Software\Microsoft\VSTO\Security\Inclusion\</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft VSTO Solution Metadata" groupRelation="and">
-				<TargetObject condition="contains">Software\Microsoft\VSTO\SolutionMetadata\</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<!--MITRE ATT&CK TECHNIQUE: Server Software Component-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Privilege Escalation-->
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<Rule name="Attack=T1548,Tactic=Defense Evasion,Technique=Abuse Elevation Control Mechanism,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CMSTPLUA UAC Bypass" groupRelation="and">
-				<TargetObject condition="contains any">cmmgr32.exe</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution-->
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=AutoRun Keys,Risk=70" condition="contains">UserInitMprLogonScript</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=BootVerificationProgram Autorun" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Autostart Execution: Security Support Provider-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor OS Config LSA Authentication Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor OS Config LSA Notification Packages" condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor OS Config LSA Security Packages" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Boot or Logon Initialization Scripts-->
-			<!--MITRE ATT&CK TECHNIQUE: Create or Modify System Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Escape to Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution-->
-			<!--Microsoft:Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
-			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Suspicious Com Object Hijacking Locations,Risk=30" groupRelation="and">
-				<TargetObject condition="contains any">\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)</TargetObject>
-				<Details condition="contains any">C:\Users\Public\;$Recyclebin;\temp\;\Desktop\;\Downloads\;\Content.Outlook\;\Microsoft\Office\</Details>
-				<Details condition="excludes">C:\WINDOWS\SYSTEM32\UpdateDeploy.dll</Details>
-			</Rule>
-			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Com Object Hijacking Locations,Risk=30" groupRelation="and">
-				<TargetObject condition="contains any">\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)</TargetObject>
-				<Details condition="excludes">C:\WINDOWS\SYSTEM32\UpdateDeploy.dll</Details>
-			</Rule>
-			<Rule name="Attack=T1546.015,Technique=Event Triggered Execution,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=TreatAs/ProgID Friendly Name Com Hijacking Evasion - check for following rundll32 -sta,Risk=30" groupRelation="and">
-				<TargetObject condition="contains any">\ProgID\(Default);\TreatAs\(Default)</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Event Triggered Execution: Image File Execution Options Injection-->
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Alert=Image File Execution Options,Risk=30" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject>
-				<TargetObject condition="contains any">Debugger;ReportingMode;MonitorProcess</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=SilentProcessExit Globalflag Set,Risk=75" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject>
-				<TargetObject condition="contains">GlobalFlag</TargetObject>
-				<Details condition="contains">DWORD (0x00000200)</Details> <!--SilentProcessExit Dword Value-->
-			</Rule>
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=SilentProcessExit Process Execution entry,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</TargetObject>
-				<TargetObject condition="contains">MonitorProcess</TargetObject> <!--SilentProcessExit Monitor Process from werfault-->
-			</Rule>
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=SilentProcessExit Reporting Mode Enabled,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</TargetObject>
-				<TargetObject condition="contains">ReportingMode</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details> <!--SilentProcessExit Reporting Mode Enabled-->
-			</Rule>
-			<Rule name="Attack=T1183,Technique=Image File Execution Options Injection,Tactic=Privilege Escalation/Persistence/Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=SilentProcessExit Process Added,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\SilentProcessExit</TargetObject>
-				<EventType condition="is">CreateKey</EventType>
-			</Rule>
-			<Rule name="Attack=T1546,Technique=Event Triggered Execution,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Monitor Runtime Exception Handler execution on crash,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules\</TargetObject>
-				<Image condition="excludes all">C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{;}\EDGEMITMP_;.tmp\setup.exe</Image>
-				<Image condition="excludes">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image>
-				<Image condition="excludes">C:\Program Files\Microsoft Office\root\integration\integrator.exe</Image>
-				<Image condition="excludes all">C:\Program Files\Google\Chrome Beta\Application\;\Installer\setup.exe</Image>
-				<Image condition="excludes all">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\;\OfficeClickToRun.exe</Image>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Privilege Escalation-->
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Task/Job-->
-			<Rule name="Attack=T1053,Technique=Scheduled Task,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=New Scheduled Task Created,Risk=80" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
-				<TargetObject condition="end with">SD</TargetObject>
-				<TargetObject condition="is not">Microsoft\Windows\UpdateOrchestrator</TargetObject>
-				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\SD</TargetObject>
-				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OneDrive Per-Machine Standalone Update Task\SD</TargetObject>
-				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Feature Updates\SD</TargetObject>
-				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Feature Updates Logon\SD</TargetObject>
-				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Performance Monitor\SD</TargetObject>
-				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\SnapshotCleanupTask\SD</TargetObject>
-				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office ClickToRun Service Monitor\SD</TargetObject>
-				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Automatic Updates 2.0\SD</TargetObject>
-				<TargetObject condition="excludes">Microsoft\Windows\UpdateOrchestrator</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Creation ID Key" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject>
-				<TargetObject condition="end with">ID</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Creation Author Key" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
-				<TargetObject condition="end with">Author</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Creation Path Key" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
-				<TargetObject condition="end with">Path</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Creation Date Key" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
-				<TargetObject condition="end with">Date</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Added to Logon" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Scheduled Task Added to Boot Time" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-
-			<!--MITRE ATT&CK TACTIC: Defense Evasion-->
-			<Rule name="Attack=T0000,Technique=Environment Value Modification,Tactic=Defense Evasion/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Environment Value Modification" groupRelation="and">
-				<EventType condition="is">SetValue</EventType>
-				<TargetObject condition="contains">\Environment\</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism-->
-			<!--MITRE ATT&CK TECHNIQUE: Abuse Elevation Control Mechanism: Bypass User Account Control-->
-			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=UAC Disablement Detected" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=ConsentPromptBehaviorAdmin Disablement Detected" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=PromptOnSecureDesktop Disablement Detected" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect UAC Tampering" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
-			<TargetObject name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe</TargetObject>
-			<TargetObject name="Attack=T1548.002,Technique=Abuse Elevation Control Mechanism: Bypass User Account Control,Tactic=Defense Evasion/Privilege Escalation,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=UAC Bypass,Risk=70" condition="end with">exefile\shell\runas\command\isolatedCommand</TargetObject>			
-			<!--MITRE ATT&CK TECHNIQUE: Access Token Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: BITS Jobs-->
-			<!--MITRE ATT&CK TECHNIQUE: Build Image on Host-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Deobfuscate/Decode Files or Information-->
-			<!--MITRE ATT&CK TECHNIQUE: Deploy Container-->
-			<!--MITRE ATT&CK TECHNIQUE: Direct Volume Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Policy Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Execution Guardrails-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Defense Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Permissions Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Hide Artifacts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
-			<Rule name="Attack=T1564.002,Technique=Hide Artifacts: Hidden Users,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=User Account Hidden From Logon Screen,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\</TargetObject>
-				<TargetObject condition="end with">$</TargetObject>
- 				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Hijack Execution Flow-->
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses-->
-			<Rule name="Attack=T1562,Technique=Impair Defenses,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Stealth Sysmon Change Detected,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters</TargetObject>
-				<Image condition="excludes">C:\WINDOWS\sysmon64.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\sysmon.exe</Image>
-				<Image condition="excludes">C:\Programdata\sysmon\sysmon64.exe</Image>
-				<!--Customize: Add your configuration directory above-->
-			</Rule>
-			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Modification to System Exploit Protection,Risk=30" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel</TargetObject>
-				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
-			</Rule>
-			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Modification to Per-Process Exploit Protection,Risk=30" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
-				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
-				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmcompute.exe\0\MitigationOptions</TargetObject>
-				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmwp.exe\0\MitigationOptions</TargetObject>
-				<Image condition="excludes">msiexec.exe</Image>
-				<Image condition="excludes">TiWorker.exe</Image>
-			</Rule>
-			<Rule name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Modification to WOW64 Per-Process Exploit Protection Mitigation Options,Risk=30" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
-				<TargetObject condition="contains any">MitigationOptions;MitigationAuditOptions</TargetObject>
-				<Image condition="excludes">C:\Program Files\Microsoft Office 15\root\integration\integrator.exe</Image>
-				<TargetObject condition="excludes">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acro</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Task Manager Disablement Detection" groupRelation="and">
-				<TargetObject condition="end with">DisableTaskMgr</TargetObject>
-				<Image condition="excludes">C:\WINDOWS\system32\svchost.exe</Image>
-				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Driver Altitude Change Detected - Causes Driver load failure on boot" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\</TargetObject>
-				<TargetObject condition="contains all">\Instances\;Altitude</TargetObject>
-				<TargetObject condition="is not">HKLM\System\CurrentControlSet\Services\CldFlt\Instances\CldFlt\Altitude</TargetObject>
-				<EventType condition="is">SetValue</EventType>
-			</Rule>
-			<!--Detect Malware & Unauthorized Changes to Outlook, Excel, Powerpoint, and Access Security to enable execution of scripts/Macros -->
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=All Office Macros Enabled!,Risk=100" groupRelation="and">
-				<TargetObject condition="contains">\Security\Level</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Notifications for all macros,Risk=50" groupRelation="and">
-				<TargetObject condition="contains">\Security\Level</TargetObject>
-				<Details condition="contains">DWORD (0x00000002)</Details>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Notifications for digitally signed macros - all other macros disabled,Risk=0" groupRelation="and">
-				<TargetObject condition="contains">\Security\Level</TargetObject>
-				<Details condition="contains">DWORD (0x00000003)</Details>
-			</Rule>
-			<Rule name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=All Office Macros Disabled without notification,Risk=0" groupRelation="and">
-				<TargetObject condition="contains">\Security\Level</TargetObject>
-				<Details condition="contains">DWORD (0x00000004)</Details>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Outlook Security Changes" groupRelation="and">
-				<TargetObject condition="contains">\Outlook\Security</TargetObject>
-				<!--Allow Outlook Details rules to fire-->
-				<TargetObject condition="excludes">\Security\Level</TargetObject>
-			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Word Security Changes" condition="contains">\Word\Security</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Excel Security Changes" condition="contains">\Excel\Security</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected Unauthorized changes to Office Security" condition="contains">\Security\Level1Remove</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Microsoft:Windows:Security Center: HideSCAHealth" condition="end with">\HideSCAHealth</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center AV Disabled Notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disable UAC Notify Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disabled Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Disablement of Update notifications" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Firewall Override Monitoring" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Security Center Tampering: All Alerts Disabled" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPSessionInterval</TargetObject>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detected disablement of System Restore,Risk=70" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SystemRestorePointCreationFrequency</TargetObject>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected disablement of machine password,Risk=70" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Secure Channel Protection changes,Risk=30" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Refuse PW Change for workstations" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender AntiSpyware Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender Behavior Monitoring Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender Real Time Protection Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Defender Spynet Reporting Disablement Detection" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable Windows Event Logging-->
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Disabling of Windows Event Log Source,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
-				<TargetObject condition="end with">\Enabled</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Enabling of Windows Event Log Source" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
-				<TargetObject condition="end with">\Enabled</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Event log system integrity and ACL Modifications" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
-				<TargetObject condition="excludes">\Enabled</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Change Winevt Event Access Permission Via Registry,Author=frack113" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\</TargetObject>
-				<TargetObject condition="end with">\ChannelAccess</TargetObject>
-				<Details condition="contains any">(A;;0x1;;;SY);(A;;0x5;;;BA);(A;;0x1;;;LA)</Details>
-				<Image condition="excludes any">C:\Windows\servicing\TrustedInstaller.exe;\TiWorker.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging</TargetObject>
-				<TargetObject condition="end with">\EnableScriptBlockLogging</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging</TargetObject>
-				<TargetObject condition="end with">\EnableScriptBlockLogging</TargetObject>
-				<EventType condition="is any">DeleteKey;DeleteValue</EventType>
-			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Disabling of cmdline Event Logging,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">hklm\software\microsoft\windows\currentversion\policies\system\audit</TargetObject>
-				<TargetObject condition="end with">\ProcessCreationIncludeCmdLine_Enabled</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Disabling of cmdline Event Logging,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">hklm\software\microsoft\windows\currentversion\policies\system\audit</TargetObject>
-				<TargetObject condition="end with">\ProcessCreationIncludeCmdLine_Enabled</TargetObject>
-				<EventType condition="is any">DeleteKey;DeleteValue</EventType>
-			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Eventlog Security Descriptor Modification,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\Eventlog</TargetObject>
-				<TargetObject condition="end with">\CustomSD</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Eventlog Size Modification,Risk=100" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\Eventlog</TargetObject>
-				<TargetObject condition="end with">\MaxSize</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify System Firewall-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Globally Opened Firewall port exceptions" groupRelation="and">
-				<TargetObject condition="contains">globallyopenports</TargetObject>
-			</Rule>
-			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,Attack=1089,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Firewall Enablement or Disablement" condition="end with">EnableFirewall</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=App added to Firewall Auth list" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
-
-			<!--MITRE ATT&CK TECHNIQUE: Indicator Removal on Host-->
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=ETWEnabled Env Tampering,Risk=70" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\.NETFramework\ETWEnabled</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Usagelog Tampering,Risk=70" groupRelation="and">
-				<TargetObject condition="contains">\Microsoft\.NETFramework\NGenAssemblyUsageLog</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Usagelog Env Tampering,Risk=70" groupRelation="and">
-				<EventType condition="is">SetValue</EventType>
-				<TargetObject condition="contains">\Environment\NGenAssemblyUsageLog</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1070,Technique=Impair Defenses: Indicator Removal on Host,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=COMPlus_ETWEnabled Env Tampering,Risk=70" groupRelation="and">
-				<EventType condition="is">SetValue</EventType>
-				<TargetObject condition="contains">\Environment\COMPlus_ETWEnabled</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Indirect Command Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Masquerading-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Cloud Compute Infrastructure-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Registry-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Regedit history Detection,Risk=30" groupRelation="and">
-				<TargetObject condition="end with">\LastKey</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Symbolic Registry Link Created" groupRelation="and">
-				<TargetObject condition="contains">SymbolicLinkValue</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Location Registry Change Detected" groupRelation="and">
-				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer</TargetObject>
-				<Image condition="contains any">\AppData\;\ProgramData\;\Temp\;C:\users</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Right to Left hidden Registry key,Risk=40" groupRelation="and">
-				<TargetObject condition="contains">&#x202e;</TargetObject>
-			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Remote Registry Setting Keys" condition="begin with">HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg</TargetObject>
-
-			<!--MITRE ATT&CK TECHNIQUE: Modify System Image-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect System Certificate Modifications" groupRelation="and">
-				<TargetObject condition="contains any">\Software\Policies\Microsoft\SystemCertificates\;\SOFTWARE\Microsoft\EnterpriseCertificates\;HKLM\SOFTWARE\Microsoft\SystemCertificates\;HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
-				<EventType condition="is not">CreateKey</EventType>
-				<Image condition="excludes">C:\WINDOWS\Sysmon64.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\Sysmon.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\system32\certsrv.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\system32\CompatTelRunner.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\system32\svchost.exe</Image>
-				<Image condition="excludes">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
-				<Image condition="excludes">C:\Windows\system32\SearchProtocolHost.exe</Image>
-				<Image condition="excludes">C:\Windows\system32\taskhost.exe</Image>
-				<Image condition="excludes">C:\windows\SysWOW64\svchost.exe</Image>
-				<Image condition="excludes">C:\WINDOWS\System32\DriverStore\FileRepository\asus</Image>
-				<Image condition="excludes">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image>
-				<Image condition="excludes">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</Image>
-				<Image condition="excludes">C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe</Image>
-			</Rule>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Remote Desktop fDenyTSConnections modification" condition="contains">fDenyTSConnections</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Remote Desktop Settings keys" condition="contains">Terminal Server\WinStations\RDP-Tcp</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Remote Desktop port modification" condition="end with">RDP-tcp\PortNumber</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Enablement of Multiple RDP Sessions" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Network Boundary Bridging-->
-			<!--MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Unicode Replacement Character in Registry key,Risk=20" groupRelation="and">
-				<TargetObject condition="contains">&#xfffd;</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Cryillic Character in Registry key,Risk=100" groupRelation="and">
-				<TargetObject condition="contains any">Й;ќ;Л;я;К</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Plist File Modification-->
-			<!--MITRE ATT&CK TECHNIQUE: Pre-OS Boot-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Reflective Code Loading-->
-			<!--MITRE ATT&CK TECHNIQUE: Rogue Domain Controller-->
-			<!--MITRE ATT&CK TECHNIQUE: Rootkit-->
-			<TargetObject name="Attack=T1109,Technique=Component Firmware,Tactic=Defense Escalation/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect ACPI Rootkits" condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject>
-			<!--MITRE ATT&CK TECHNIQUE: Subvert Trust Controls-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: Regsvr32-->
-			<!--MITRE ATT&CK TECHNIQUE: System Binary Proxy Execution: MsiExec-->
-			<!--MITRE ATT&CK TECHNIQUE: System Script Proxy Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Template Injection-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Trusted Developer Utilities Proxy Execution-->
-			<!--MITRE ATT&CK TECHNIQUE: Unused/Unsupported Cloud Regions-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-			<!--MITRE ATT&CK TECHNIQUE: Valid Accounts-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Weaken Encryption-->
-			<!--MITRE ATT&CK TECHNIQUE: XSL Script Processing-->
-
-			<!--MITRE ATT&CK TACTIC: Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Brute Force-->
-			<!--MITRE ATT&CK TECHNIQUE: Credentials from Password Stores-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation for Credential Access-->
-			<!--MITRE ATT&CK TECHNIQUE: Forced Authentication-->
-			<!--MITRE ATT&CK TECHNIQUE: Forge Web Credentials-->
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Modify Authentication Process-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Interception-->
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Factor Authentication Request Generation-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: OS Credential Dumping-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal Application Access Token-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal or Forge Kerberos Tickets-->
-			<!--MITRE ATT&CK TECHNIQUE: Steal Web Session Cookie-->
-			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials-->
-			<!--MITRE ATT&CK TECHNIQUE: Unsecured Credentials: Credentials in Registry-->
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Account Name</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Display Name</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Email</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP User</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP User</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\MAPI Provider</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 User</TargetObject>
-			<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP User</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Risk=100" condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP Password</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Desc=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Credentials in Registry: Domain" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,Desc=Credentials in Registry,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Credentials in Registry: Username" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 1,Risk=70" condition="contains">SecurityPasswordAES</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 2,Risk=70" condition="contains">OptionsPasswordAES</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 3,Risk=70" condition="contains">SecurityPasswordExported</TargetObject>
-			<TargetObject name="Attack=T1214,Technique=Credentials in Registry,Tactic=Credential Access,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer Password Exposed in Plain Text 4,Risk=70" condition="contains">PermanentPassword</TargetObject>
-			<!--MITRE ATT&CK TACTIC: Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Discovery -->
-			<!--MITRE ATT&CK TECHNIQUE: Application Window Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Bookmark Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Infrastructure Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Dashboard-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Cloud Storage Object Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Container and Resource Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Debugger Evasion-->
-			<!--MITRE ATT&CK TECHNIQUE: Domain Trust Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: File and Directory Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Group Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Share Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Network Sniffing-->
-			<!--MITRE ATT&CK TECHNIQUE: Password Policy Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Peripheral Device Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Permission Groups Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Process Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Query Registry-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote System Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Information Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Location Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Network Configuration Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Network Connections Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Owner/User Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Service Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: System Time Discovery-->
-			<!--MITRE ATT&CK TECHNIQUE: Virtualization/Sandbox Evasion-->
-
-			<!--MITRE ATT&CK TACTIC: Lateral Movement-->
-			<!--MITRE ATT&CK TECHNIQUE: Exploitation of Remote Services-->
-			<!--MITRE ATT&CK TECHNIQUE: Internal Spearphishing-->
-			<!--MITRE ATT&CK TECHNIQUE: Lateral Tool Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Service Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Services-->
-
-			<!--MITRE ATT&CK TECHNIQUE: Replication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Software Deployment Tools-->
-			<!--MITRE ATT&CK TECHNIQUE: Taint Shared Content-->
-			<!--MITRE ATT&CK TECHNIQUE: Use Alternate Authentication Material-->
-
-			<!--MITRE ATT&CK TACTIC: Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Adversary-in-the-Middle-->
-			<!--MITRE ATT&CK TECHNIQUE: Archive Collected Data-->
-			<!--MITRE ATT&CK TECHNIQUE: Audio Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Automated Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Browser Session Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Clipboard Data-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Cloud Storage Object-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Configuration Repository-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Information Repositories-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Local System-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Network Shared Drive-->
-			<!--MITRE ATT&CK TECHNIQUE: Data from Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Staged-->
-			<!--MITRE ATT&CK TECHNIQUE: Email Collection-->
-			<!--MITRE ATT&CK TECHNIQUE: Input Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Screen Capture-->
-			<!--MITRE ATT&CK TECHNIQUE: Video Capture-->
-
-			<!--MITRE ATT&CK TACTIC: Command and Control-->
-			<!--MITRE ATT&CK TECHNIQUE: Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Communication Through Removable Media-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Encoding-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Obfuscation-->
-			<!--MITRE ATT&CK TECHNIQUE: Dynamic Resolution-->
-			<!--MITRE ATT&CK TECHNIQUE: Encrypted Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Fallback Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Ingress Tool Transfer-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Git For Windows Detection: Revil: Sodinokibi,Risk=50" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\GitForWindows</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Non-Standard Port-->
-			<!--MITRE ATT&CK TECHNIQUE: Protocol Tunneling-->
-			<!--MITRE ATT&CK TECHNIQUE: Proxy-->
-			<!--MITRE ATT&CK TECHNIQUE: Remote Access Software-->
-			<!--MITRE ATT&CK TECHNIQUE: Traffic Signaling-->
-			<!--MITRE ATT&CK TECHNIQUE: Web Service-->
-
-			<!--MITRE ATT&CK TACTIC: Exfiltration-->
-
-			<!--MITRE ATT&CK TECHNIQUE: Automated Exfiltration-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Transfer Size Limits-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Alternative Protocol-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over C2 Channel-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Other Network Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Physical Medium-->
-			<!--MITRE ATT&CK TECHNIQUE: Exfiltration Over Web Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Scheduled Transfer-->
-			<!--MITRE ATT&CK TECHNIQUE: Transfer Data to Cloud Account-->
-			<!--MITRE ATT&CK TACTIC: Impact-->
-			<!--MITRE ATT&CK TECHNIQUE: Account Access Removal-->
-			<Rule name="Attack=T1531,Technique=Account Access Removal,Tactic=Impact,DS=Windows Registry: Windows Registry Key Deletion,Level=1,Desc=User Account Deleted" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SAM\SAM\DOMAINS\Account\Users\Names\</TargetObject>
-				<EventType condition="is">DeleteKey</EventType>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Destruction-->
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Desc=Bitlocker Drive Encryption Enabled on System Drive" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BitlockerStatus\BootStatus</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details>
-			</Rule>
-			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=0,Alert=Bitlocker Drive Encryption Disabled on System Drive" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BitlockerStatus\BootStatus</TargetObject>
-				<Details condition="contains">DWORD (0x00000000)</Details>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Data Encrypted for Impact-->
-			<!--MITRE ATT&CK TECHNIQUE: Data Manipulation-->
-			<!--MITRE ATT&CK TECHNIQUE: Defacement-->
-			<!--MITRE ATT&CK TECHNIQUE: Disk Wipe-->
-			<!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Firmware Corruption-->
-			<!--MITRE ATT&CK TECHNIQUE: Inhibit System Recovery-->
-			<Rule name="Attack=T1485,Technique=Inhibit System Recovery,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=VSS Disablement Detection,Risk=70" groupRelation="and">
-				<TargetObject condition="contains">\Services\VSS\Diag\(Default)</TargetObject>
-			</Rule>
-			<!--MITRE ATT&CK TECHNIQUE: Network Denial of Service-->
-			<!--MITRE ATT&CK TECHNIQUE: Resource Hijacking-->
-			<!--MITRE ATT&CK TECHNIQUE: Service Stop-->
-			<!--MITRE ATT&CK TECHNIQUE: System Shutdown/Reboot-->
-			<!-- UEBA/Uncategorized Detections-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lanmanserver Parameters Registry Change Detected" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lanmanworkstation Parameters Registry Change Detected" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Regedit history Detection,Risk=30" groupRelation="and">
-				<TargetObject condition="end with">\LastKey</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=TS Farm Disable RDP Detection" groupRelation="and">
-				<TargetObject condition="end with">\WinStationsDisabled</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=TS Farm Drain Mode Modification Detection" groupRelation="and">
-				<TargetObject condition="end with">\TSServerDrainMode</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=IE history Detection" groupRelation="and">
-				<TargetObject condition="end with">\TypedURLs</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IPv6 Changes detected: Disabled Components" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\disabledcomponents</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IPv6 Changes detected" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Linkage\Bind</TargetObject>
-				<Details condition="excludes">Binary Data</Details>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Network Card Changes detected" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Service Listening Ports with URL ACL INFO" groupRelation="and">
-				<TargetObject condition="contains">services\http\parameters\urlaclinf</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Adobe Recent File List History" groupRelation="and">
-				<TargetObject condition="contains">cRecentFiles\c1\</TargetObject>
-				<TargetObject condition="end with">tDIText</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Office History MRU" groupRelation="and">
-				<TargetObject condition="end with">\File MRU\Item 1</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Sysmon Config Hash Modification Monitoring" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHash</TargetObject>
-			</Rule>
-			<!--Common Malware Persistence locations-->
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Windows\Load</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Windows\Run</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Winlogon\Shell</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">CurrentVersion\Winlogon\System</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Registry AutoRun Keys,Risk=70" condition="contains">\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
-			<TargetObject name="Attack=T1562.006,Technique=Impair Defenses: Indicator Blocking,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=ETW Tampering,Risk=70" condition="end with">SOFTWARE\Microsoft\.NETFramework\ETWEnabled</TargetObject>
-			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject>
-			<TargetObject name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=2,Alert=AutoRun Keys,Risk=70" condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Alternate Shell AvailableShells Hijack" condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Alternative Shell Policy" condition="contains">Policies\System\Shell</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AutoStart on Connect" condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AutoStart on Disconnect" condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Chrome Extensions" condition="contains">PreferenceMACs\Default\extensions.settings</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CurrentVersion URL Key" condition="contains">CurrentVersion\URL</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Font Drivers" condition="end with">\CurrentVersion\Font Drivers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Group Policy Shutdown scripts" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Icon Service Lib" condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Installed Components" condition="contains">Active Setup\Installed Components</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="contains">NullSessionShares</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Lateral Movement: New Named Pipe added to NullSession" condition="end with">NullSessionPipes</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Password Expiry Info" condition="contains">PasswordExpiryNotification</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Safeboot Alternative Shell hijack" condition="contains">SafeBoot\AlternateShell</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Screen Save on Desktop" condition="contains">Desktop\Scrnsave.exe</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or DisplayVersion modified" condition="end with">\DisplayVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or Modify String modified" condition="end with">\ModifyPath</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or Uninstall String modified" condition="contains">\Microsoft\Windows\CurrentVersion\Uninstall\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Software Installed or Uninstall String modified" condition="end with">\UninstallString</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Terminal Services Initial Program Key" condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Winlogon Taskman Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
-			<!--CLSID launch commands and file association changes-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=File Extension Mapping" condition="contains">\Explorer\FileExts\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Command Shell install Key" condition="contains">\shell\install\command\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=User SID History for Forensics" condition="end with">\ProfileImagePath</TargetObject>
-			<!--Windows shell hijack-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AllFileSystemObjects Classes" condition="contains">\Classes\AllFilesystemObjects\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Asterisk Classes" condition="contains">\Classes\*\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CFT LangBarAddin" condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=ContextMenuHandlers" condition="contains">\ContextMenuHandlers\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=CurrentVersion Shell Keys" condition="contains">\CurrentVersion\Shell</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect ShellExecuteHooks" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Directory Classes" condition="contains">\Classes\Directory\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Drive Classes" condition="contains">\Classes\Drive\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Explorer Shell Execute Hooks" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Folder Classes" condition="contains">\Classes\Folder\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Hidden File Explorer Setting modification" condition="end with">\Hidden</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Hidden File Extensions Explorer Setting modification" condition="end with">\HideFileExt</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Internet Explorer Desktop Components" condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Protocol Filter Classes" condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Protocol Handler Classes" condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=SharedTaskScheduler" condition="contains">\SharedTaskScheduler</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Super Hidden File Explorer Setting modification" condition="end with">\ShowSuperHidden</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ColumnHandlers" condition="contains">\ColumnHandlers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: CopyHookHandlers" condition="contains">\CopyHookHandlers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ExtShellFolderView" condition="contains">\ExtShellFolderViews</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: PropertySheetHandlers" condition="contains">\PropertySheetHandlers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ShellServiceObjectDelayLoad" condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Shell Hijack: ShellServiceObjects" condition="contains">\ShellServiceObjects</TargetObject>
-			<!--AppPaths hijacking-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AppPaths Hijacking,Author=Hexacorn" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject>
-			<!--Terminal service boobytraps-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Terminal Services BoobyTraps" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
-			<!--Group Policy interity-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Group Policy interity Detection" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject>
-			<!--Winsock and Winsock2-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Popup Blocker Changes" condition="end with">\3\1809</TargetObject> 
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Protected Mode Changes" condition="end with">\3\2500</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Scripting Mode in Internet Zone Changes" condition="end with">\3\1206</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect IE Security Setting Check Warning Changes" condition="end with">\DisableSecuritySettingsCheck</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Catalog Changes" condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Winsock Proxy Server Changes" condition="end with">\ProxyServer</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected IE Legacy setting modifications" condition="end with">SavedLegacySettings</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected IE Proxy setting modifications" condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected Modifications of Console Tracing" condition="end with">EnableConsoleTracing</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detected Modifications of File Tracing" condition="end with">EnableFileTracing</TargetObject>
-			<!--Credential providers-->
-			<TargetObject name="Attack=T1177,Tactic=Execution/Persistence,Technique=LSASS Driver,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Detection of Modification of LSASS Protection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Authentication PLAP Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Authentication Provider Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Credential provider Filter Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect LSA Credential Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect NETSH Helper DLL Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Security Provider Changes" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\</TargetObject>
-			<!--Networking-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor Network Interface Priority ordering" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Monitor Network History" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
-			<!--DLLs that get injected into every process launch-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=AppInitDLL Moninitoring: DLLs that get injected into every process launch" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
-			<!--Office-->
-			<!--Microsoft Office-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Test Autorun Location Monitoring,Risk=40,Author=Hexacorn" condition="contains">Office Test\</TargetObject>
-			<!--IE-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Changes to Internet Explorer Toolbars" condition="contains">\Internet Explorer\Toolbar\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Changes to Internet Explorer Extensions" condition="contains">\Internet Explorer\Extensions\</TargetObject>
-			<!--Magic registry keys-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Browser Helper Object Modifications" condition="contains">\Browser Helper Objects\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Changes to Thumbnail cache autostart" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject>
-			<!--Infection artifacts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=ClickOnce URL Update Artifact" condition="end with">\UrlUpdateInfo</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Installer Source Artifact" condition="end with">\InstallSource</TargetObject>
-			<!--Windows internals integrity monitoring-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Legacy Drivers Loaded" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect System Policy Changes" condition="contains">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Windows Defender Policy Changes" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject>
-			<TargetObject name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detect Windows Defender Exclusion Path Changes,Risk=100" condition="contains">\Exclusions\Paths</TargetObject>
-			<TargetObject name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detect Windows Defender Exclusion Extension Changes,Risk=100" condition="contains">\Exclusions\Extensions</TargetObject>
-			<TargetObject name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Detect Windows Defender Exclusion Processes Changes,Risk=100" condition="contains">\Exclusions\Processes</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Windows Defender Tamper Protection Modifications" condition="begin with">TamperProtection</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect malware changes to UAC prompt level" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject>
-			<!--Group Policy Scripts-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logoff Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Logon Scripts" condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Shutdown Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Group Policy Startup Scripts" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
-			<!--Detect Network History-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect AD Domain Change" condition="end with">Domain</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Default Gateway" condition="end with">DHCPDefaultGateway</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP IP Address" condition="end with">DhcpIPAddress</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Name Server Changes" condition="end with">DhcpNameserver</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Server Change" condition="end with">Dhcpserver</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DHCP Subnet mask Change" condition="end with">DhcpSubnetMask</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect DNS Server Changes" condition="end with">Nameserver</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Default Gateway" condition="end with">\DefaultGateway</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Network Persistent Route Change" condition="end with">PersistentRoutes</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Network Type Change" condition="end with">}\Category</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Network profile Changes" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect Subnet Mask Change" condition="end with">SubnetMask</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User added Macro document to Trusted Records,Risk=30" condition="contains">\Trusted Documents\TrustRecords</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User added Macro document to Trusted Records 2,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Common</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User added Macro trusted certificate,Risk=30" condition="contains">Software\Microsoft\VBA\7.1\Trusted</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Security Settings: Monitor changes of security prompts" condition="contains">\Security\DontTrustInstalledFiles</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Trusted Location Changes" condition="contains">\Security\Trusted Locations</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Keys: Monitor Disabling of Internet files in Protected View" condition="end with">Security\ProtectedView\DisableInternetFilesInPV</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Keys: Monitor Disabling of attackments in Protected View" condition="end with">Security\ProtectedView\DisableAttachmentsInPV</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Office Keys: Monitor Disabling of Unsafe Locations in Protected View" condition="end with">Security\ProtectedView\DisableUnsafeLocationsInPV</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=WinRAR History" condition="contains">Software\WinRAR\ArcHistory</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Winzip History" condition="contains">WinZip\mru\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Misc Recent File List History" condition="contains">Recent File List</TargetObject>
-			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Inbox</TargetObject>
-			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Homepage Attack,Risk=70" condition="contains">Outlook\Today\UserDefinedUrl</TargetObject>
-			<TargetObject name="Attack=T1203,Technique=Exploitation for Client Execution,Tactic=Execution,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=Office Calendar Homepage Attack,Risk=70" condition="contains">Outlook\WebView\Calendar</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Office History" condition="contains">\Place MRU</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject>
-			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVerVersion</TargetObject>
-			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-DriverVer" condition="end with">\DriverVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Path" condition="end with">\LowerCaseLongPath</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Pub" condition="end with">\Publisher</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Store" condition="contains">Compatibility Assistant\Store\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache InvDB-Ver" condition="end with">\BinProductVersion</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Application Shortcuts" condition="contains">Root\InventoryApplicationShortcut\</TargetObject>
-			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Driver Binary Info" condition="contains">Root\InventoryDriverBinary</TargetObject>
-			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Driver Package Info" condition="contains">Root\InventoryDriverPackage</TargetObject>
-			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache PNP Device Info,Desc=Services: New or Updated Drivers" condition="contains">Root\InventoryDevicePnp</TargetObject>
-			<TargetObject name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Device Info" condition="contains">Root\InventoryDeviceContainer</TargetObject>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Application Installation Info" groupRelation="and">
-				<TargetObject condition="contains">Root\InventoryApplication\</TargetObject>
-				<TargetObject condition="contains any">ProgramID;Name;Version;Publisher;Language;InstallDate;Source;RootDirPath;HiddenArp;UninstallString;RegistryKeyPath;UserSID;sha256</TargetObject>
-			</Rule>			
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Application File Info" groupRelation="and">
-				<TargetObject condition="contains">Root\InventoryApplicationFile\</TargetObject>
-				<TargetObject condition="contains any">ProgramId;FileId;LowerCaseLongPath;Name;OriginalFileName;Publisher;Version;binfileversion;LinkDate;Size;Language;USN;IsPeFile;IsOsComponent;sha256;AppxPackageFullName</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache AppV Application Inventory" groupRelation="and">
-				<TargetObject condition="contains">Root\InventoryApplicationAppV\</TargetObject>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AmCache Office Information" groupRelation="and">
-				<TargetObject condition="contains any">Root\InventoryMiscellaneousOfficeAddIn;Root\InventoryMiscellaneousOfficeIdentifiers;Root\InventoryMiscellaneousOfficeIESettings;Root\InventoryMiscellaneousOfficeInsights;Root\InventoryMiscellaneousOfficeProducts;Root\InventoryMiscellaneousOfficeSettings;Root\InventoryMiscellaneousOfficeVBA;Root\InventoryMiscellaneousOfficeVBARuleViolations</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=ISO Drive Mounted" groupRelation="and">
-				<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume</TargetObject>
-				<TargetObject condition="end with">Drive Type</TargetObject>
-				<Details condition="contains">DWORD (0x00000011)</Details>
-			</Rule>
-			<TargetObject name="Attack=T1200,Technique=Hardware Additions,Tactic=Initial Access,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=User Mount Points" condition="end with">\Explorer\MountPoints2</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Monitor DOS Devices Virtual Registry Paths" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices</TargetObject>
-			<Rule name="Attack=T1489,Technique=Service Stop,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Set for Deletion" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\DeleteFlag</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details>
-			</Rule>
-			<Rule name="Attack=Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: New Kernel Device Driver" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\Type</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: New File System Driver" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\Type</TargetObject>
-				<Details condition="contains">DWORD (0x00000002)</Details>
-			</Rule>
-			<Rule name="Attack=Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: New Adapter Driver" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\Type</TargetObject>
-				<Details condition="contains">DWORD (0x00000004)</Details>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Alert=Services: New System Service: Own Process" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\Type</TargetObject>
-				<Details condition="contains">DWORD (0x00000020)</Details>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Alert=Services: New System Service: Share Process" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\Type</TargetObject>
-				<Details condition="contains">DWORD (0x00000020)</Details>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Alert=Services: New System Service: Interactive" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\Type</TargetObject>
-				<Details condition="contains">DWORD (0x00000100)</Details>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver Group" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\Group</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver DependOnService" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\DependOnService</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver BinaryPathName" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\BinaryPathName</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver RequiredPrivileges" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\RequiredPrivileges</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver Owners: Correlation to Amcache" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\Owners</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver ObjectName: User Service Runs as specified in ServiceStartName" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\ObjectName</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver ObjectName: User Service Runs as" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\ServiceStartName</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver ErrorControl" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\ErrorControl</TargetObject>
-				<!--<Details name="Critical if lastknown good fails bugcheck" condition="contains">DWORD (0x00000003)</Details>
-				<Details name="Severe last known good" condition="contains">DWORD (0x00000002)</Details>
-				<Details name="Normal Boot on failure" condition="contains">DWORD (0x00000001)</Details>
-				<Details name="Ignore Failure"condition="contains">DWORD (0x00000000)</Details>
-				<Details condition="contains">DWORD (0x00000001)</Details>-->
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver DependOnGroup" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\DependOnGroup</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Monitor Driver DisplayName" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\DisplayName</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Group Order Modifications" groupRelation="and">
-				<TargetObject condition="contains">HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder</TargetObject>
-				<TargetObject condition="end with">\List</TargetObject>
-			</Rule>
-			<Rule name="Attack=T1543.003,Technique=Create or Modify System Process: Windows Service,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=Services: Service Set for Deletion" groupRelation="and">
-				<TargetObject condition="contains">HKLM\System\CurrentControlSet\services\</TargetObject>
-				<TargetObject condition="end with">\Type</TargetObject>
-				<Details condition="contains">DWORD (0x00000001)</Details>
-			</Rule>
-			<!--Detect User Activity-->
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Bluetooth Audio Capture" condition="contains">\ConsentStore\bluetooth</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Contacts Accesses" condition="contains">\ConsentStore\contacts</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Input Capture Accesses/Keyloggers" condition="contains">\ConsentStore\hunmanInterfaceDevice</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Location Accesses" condition="contains">\ConsentStore\location</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Microphone Accesses" condition="contains">\ConsentStore\microphone</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect USB Accesses" condition="contains">\ConsentStore\usb\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect Webcam Accesses" condition="contains">\ConsentStore\webcam</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Detect humanInterfaceDevice Accesses" condition="contains">\ConsentStore\humanInterfaceDevice</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Explorer Last Visited MRU" condition="contains">LastVisitedMRU</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=Regedit Applets" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Run MRU" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=USBStor USB Device History" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
-			<TargetObject name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Safeboot Service Added" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject>
-			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject>
-			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Crypto Trust Providers" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject>
-			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject>
-			<TargetObject name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Cryptography OID Key" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect: Dns Server dll injection" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Detect: UAC Bypass" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> 
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=New Device Connected" condition="end with">\FriendlyName</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Providers notified by Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Proxy Autoconfig URL" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Shell Service Object Delay Load" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Windows Installer Engaged" condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Forensic=AppCompat Shims" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Process Tracing Modifications,,Risk=30" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\</TargetObject>
-			<Rule name="Alert=Detect PoisonTap,FP=2,Comment=May be noisy" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
-				<Details condition="contains any">ndis;rndis</Details>
-			</Rule>
-			<TargetObject name="Attack=T1090,Technique=Connection Proxy,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=NetSH PortProxy Detected" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4</TargetObject>
-			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Alert=Possible Ursniff Malware Detected,FP=1" groupRelation="and">
-				<TargetObject condition="contains">\Software\AppDataLow\Software\Microsoft\</TargetObject>
-				<Details condition="contains any">.exe;.dll;powershell;wmic</Details>
-			</Rule>
-			<Rule name="Attack=T1562.010,Technique=Impair Defenses: Downgrade Attack,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=0,Alert=NetNTLM downgrade attack" groupRelation="and">
-				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject>
-				<Details name="You should have this set to 5" condition="excludes">DWORD (0x00000005)</Details>
-			</Rule>
-			<TargetObject name="Attack=T1137,Technique=Office Application Startup,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Office Persistence Location,Risk=70" condition="end with">Software\Microsoft\Office test\Special\Perf</TargetObject>
-			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\CurrentControlSet\Services\NTDS\LsaDbExtPt</TargetObject>
-			<TargetObject name="Attack=T1177,Technique=LSASS Driver,Tactic=Execution/Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Undocumented LSASS DLL Loading" condition="contains">\Services\NTDS\DirectoryServiceExtPt</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=GoToMyPC File Transfer History,Risk=70" condition="contains">GoToMyPc\FileTransfer\history</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=GoToMyPC Guest Invite,Risk=70" condition="contains">GoToMyPc\GuestInvite</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=LogMeIn File Transfer Recipient" condition="contains">Filesharing</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=LogMeIn Guest Recipient" condition="contains">DesktopSharing</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=Teamviewer LogIncomingConnections Registry Key modification" condition="contains">LogIncomingConnections</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=Teamviewer LogOutgoingConnection Registry Key modification" condition="contains">LogOutgoingConnections</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Forensic=Teamviewer Password Registry Key date" condition="contains">PermanentPasswordDate</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Teamviewer adminrights Key modification,Risk=70" condition="contains">Security_Adminrights</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=3,Alert=VNC Incoming Connection History,Risk=70" condition="contains">vncviewer\MRU</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Autostart Key modification" condition="contains">Autostart_GUI</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Meeting Username Registry Key modification" condition="end with">Meeting_UserName</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Persistence Login Name" condition="end with">BuddyLoginName</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer Persistence Token ID modification" condition="end with">BuddyLoginTokenID</TargetObject>
-			<TargetObject name="Attack=T1219,Technique=Remote Access Tools,Tactic=Command And Control,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Teamviewer persistence Key modification" condition="contains">Always_Online</TargetObject>
-			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Potential Ransomware Indicator: EnableLinkedConnections Registry key,Risk=100" condition="begin with">HKLM\SOFTWARE\Microsoft\CurrentVersion\Policies\System\EnableLinkedConnections</TargetObject>
-			<TargetObject name="Attack=T1486,Technique=Data Encrypted for Impact,Tactic=Impact,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Potential Ransomware Indicator: REvil Sodinokibi Sodin Ransomware,Risk=100" condition="contains">Software\recfg</TargetObject>
-			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Preload\</TargetObject>
-			<TargetObject name="Attack=T0000,Technique=Keyboard Layout,Tactic=N/A,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Suspicious Keyboard Layout Load" condition="contains">\Keyboard Layout\Substitutes\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\</TargetObject> 
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="end with">\Client\Enabled</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=IIS Crypto Keys" condition="end with">\Server\Enabled</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Kitty Sessions,Risk=30" condition="contains">Kitty\Sessions</TargetObject>
-			<TargetObject name="Attack=T1562.010,Technique=Impair Defenses: Downgrade Attack,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject>
-			<TargetObject name="Attack=T1562.010,Technique=Impair Defenses: Downgrade Attack,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=1,Desc=NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Forensic=Putty Sessions,Risk=30" condition="contains">PuTTY\Sessions</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=RDP History,Risk=10" condition="contains">Terminal Server Client\Servers</TargetObject>
-			<TargetObject name="Attack=None,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=WINSCP Sessions,Risk=30" condition="contains">WinSCP 2\Sessions</TargetObject>
-			<Rule name="Antivirus" groupRelation="or">
-				<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab</Image> 
-				<Image condition="begin with">C:\Program Files\Kaspersky Lab</Image>
-				<Image condition="begin with">C:\Program Files (x86)\ESET</Image>
-				<Image condition="begin with">C:\Program Files\ESET</Image>
-			</Rule>
-		</RegistryEvent>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
-	<!--EVENT 15: "File stream created"-->
-	<RuleGroup name="RG=ADS Include Group" groupRelation="or">
-		<FileCreateStreamHash onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Metadata,Level=0,Desc=Interesting Files temp locations,Risk=10" groupRelation="and">
-				<TargetFilename condition="contains any">Content.IE5;INetCache</TargetFilename>
-				<TargetFilename condition="contains any">.exe;.zip;.ps1;.bat;.rar;.vbs;.hta</TargetFilename>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=File: File Metadata,Level=4,Alert=HTML_Smuggling,Risk=50" groupRelation="and">
-				<TargetFilename condition="end with">:Zone.Identifier</TargetFilename>
-				<Contents condition="contains any">blob:;about:internet</Contents>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Metadata,Level=4,Alert=FireEye sunburst file hashes,Risk=100" groupRelation="and">
-				<Hash condition="contains any">56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e</Hash><!-- exclude non executable files -->
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=File: File Metadata,Level=4,Alert=Sept 2022 Exchange 0day DLL detection,Risk=100" groupRelation="or">
-				<Hash condition="contains">SHA256=074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82</Hash><!--Exchange Zero Day Dropped DLL-->
-				<Hash condition="contains">SHA256=45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9</Hash><!--Exchange Zero Day Dropped DLL-->
-				<Hash condition="contains">SHA256=9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0</Hash><!--Exchange Zero Day Dropped DLL-->
-				<Hash condition="contains">SHA256=29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3</Hash><!--Exchange Zero Day Dropped DLL-->
-				<Hash condition="contains">SHA256=c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2</Hash><!--Exchange Zero Day Dropped DLL-->
-				<Hash condition="contains">SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e</Hash><!--Exchange Zero Day Dropped DLL-->
-			</Rule>
-			<Rule name="Attack=T1096,Technique=Alternate Data Streams,Tactic=Defense Evasion,DS=File: File Metadata,Level=0,Desc=Alternate Data Streams,Risk=10" groupRelation="and">
-				<TargetFilename condition="contains any">Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=File: File Metadata,Level=4,Alert=SysmonEnte Detection,DS=File: File Metadata,Level=4,Risk=100" groupRelation="and">
-				<Hash condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hash>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=File: File Metadata,Level=4,Alert=SysmonQuiet Detection,DS=File: File Metadata,Level=4,Risk=100" groupRelation="and">
-				<Hash condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hash>
-			</Rule>
-			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=File: File Metadata,Level=4,Alert=SharpEvtMute Detection,DS=File: File Metadata,Level=4,Risk=100" groupRelation="and">
-				<Hash condition="contains">IMPHASH=330768a4f172e10acb6287b87289d83b</Hash>
-			</Rule>
-		</FileCreateStreamHash>
-	</RuleGroup>
-	<RuleGroup name="RG=ADS Exclude Group" groupRelation="or">
-		<FileCreateStreamHash onmatch="exclude">
-			<Hash condition="contains">IMPHASH=00000000000000000000000000000000</Hash>
-			<TargetFilename condition="contains">AppData\Local\Microsoft\Windows\AppCache\</TargetFilename>
-			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\</TargetFilename>
-			<TargetFilename condition="contains">\Microsoft\Windows\Temporary Internet Files\Content.IE5</TargetFilename> 
-			<TargetFilename condition="contains">\Mozilla\Firefox\Profiles\</TargetFilename>
-			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename>
-			<TargetFilename condition="end with">Microsoft\Windows\Start Menu\Programs\Startup</TargetFilename>
-		</FileCreateStreamHash>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
-	<!--EVENT 16: "Sysmon config state changed"-->
-	<!--COMMENT:	This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16-->
-	<!--DATA: RuleName, UtcTime, Configuration, ConfigurationFileHash-->
-	<!--Cannot be filtered.-->
-
-	<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent]-->
-	<!--EVENT 17: "Pipe Created"-->
-	<!--EVENT 18: "Pipe Connected"-->
-	<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
-	<RuleGroup name="RG=PipeEvent Include Group" groupRelation="or">
-		<PipeEvent onmatch="include">
-			<Rule name="Attack=T1071,Technique=Application Layer Protocol,Tactic=Command and Control,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Cobalt Strike named pipe detected,Risk=100" groupRelation="and">
-				<PipeName condition="contains any">msagent_;\MSSE-;postex;\status_</PipeName>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=NA,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Turla Advanced Persistent Threat Named Pipe Detection,Risk=100" groupRelation="and">
-				<PipeName condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
-			</Rule>
-			<Rule name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=lateral movement: psexec named pipe detected" groupRelation="or">
-				<PipeName condition="contains">\PSEXESVC</PipeName>
-				<PipeName condition="end with">-stdin</PipeName>
-				<PipeName condition="end with">-stdout</PipeName>
-			</Rule>
-			<Rule name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Impacket PSExec.py Named Pipe Detected" groupRelation="and">
-				<PipeName condition="contains">RemCom_</PipeName>
-				<PipeName condition="contains any">stdin;stdout;stderr;communication</PipeName>
-			</Rule>
-			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Named Pipe: Named Pipe Metadata,Level=3,Alert=MS-SCMR Execution" groupRelation="or">
-				<PipeName condition="contains">\svcctl</PipeName>
-			</Rule>
-			<Rule name="Attack=T1021,Technique=Remote Services,Tactic=Lateral Movement,DS=Named Pipe: Named Pipe Metadata,Level=3,Alert=NTSVCS Execution" groupRelation="or">
-				<PipeName condition="contains">\ntsvcs</PipeName>
-				<EventType condition="is">ConnectPipe</EventType>
-			</Rule>
-			<PipeName name="Attack=T1003,Technique=OS Credential Dumping,Tactic=Credential Access,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Credential Dumping Command Mimikatz,Risk=100" condition="contains any">\lsadump;\cachedump;\wceservicepipe</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=9f81f59bc58452127884ce513865ed20 Named Pipe Detection,Risk=100" condition="contains">\9f81f59bc58452127884ce513865ed20</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=46a676ab7f179e511e30dd2dc41bd388 Named Pipe Detection,Risk=100" condition="contains">\46a676ab7f179e511e30dd2dc41bd388</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Kekeo Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">tssmp_endpoint</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=NamePipe_MoreWindows Named Pipe Detection,Risk=100,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\NamePipe_MoreWindows</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=WCEServicePipe detected,Risk=,Author=@Cyb3rops/@olafhartong" condition="contains">\WCEServicePipe</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=ahexec Named Pipe Detection,Risk=,Author=@Cyb3rops/@olafhartong" condition="contains">\ahexec</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=cachedump detected,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\cachedumppipe</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=csexec Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\csexec</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=e710f28d59aa529d6792ca6ff0ca1b34 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\e710f28d59aa529d6792ca6ff0ca1b34</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=isapi_dg2 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\isapi_dg</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\isapi_http</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=isapi_http Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\isapi_http</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=lsadump detected,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\lsadump</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=lsassw Named Pipe Detectio,Risk=10,Author=@Cyb3rops/@olafhartong" condition="contains">\lsassw</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=paexec Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\paexec</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=pcheap_reuse Named Pipe Detection,Author=@Cyb3rops/@olafhartong" condition="contains">\pcheap_reuse</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Covanant C2 Named Pipe Detection,Author=@Cyb3rops/@olafhartong" condition="contains">\gruntsvc</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=remcom Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\remcom</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=rpchlp_3 Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\rpchlp_3</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=sdlrpc Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\sdlrpc</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=winsession Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="contains">\winsession</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Turla HyperStack Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\adschemerpc</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Hidden Cobra Hoplight Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\AnonymousPipe</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Pacifier Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\bc367</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Pacifier Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\bc31a7</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Emissary Panda Hyerbri Named Pipe Detection,Risk=100,Author=@Cyb3rops/@olafhartong" condition="begin with">\testPipe</PipeName>
-			<PipeName name="Attack=T1077,Technique=Windows Admin Shares,Tactic=Lateral Movement,DS=Named Pipe: Named Pipe Metadata,Alert=lateral movement -meterpreter named pipe detected,Risk=100" condition="contains">msf-pipe</PipeName>
-			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=LM or EXEC over atsvc named pipe" condition="contains">\atsvc</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Malicious Named Pipe Detection 1" condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
-			<PipeName name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Malicious Named Pipe Detection 2" condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Cobalt Strike Named Pipe Detection 1" groupRelation="and">
-				<PipeName condition="contains any">\DserNamedPipe;\mypipe-;\windows.update.manager;\ntsvcs_;scerpc_;\demoagent;\PGMessagePipe;\MsFTeWds;\f4c3;\fullduplex_;\msrpc_;\f53f;\rpc_;\spoolss_;\win_svc;\SearchTextHarvester;demoagent_</PipeName>
-				<PipeName condition="is not">\wkssvc</PipeName>
-				<PipeName condition="is not">\spoolss</PipeName>
-				<PipeName condition="is not">\scerpc</PipeName>
-				<PipeName condition="is not">\ntsvcs</PipeName>
-				<PipeName condition="is not">\SearchTextHarvester</PipeName>
-				<PipeName condition="is not">\PGMessagePipe</PipeName>
-				<PipeName condition="is not">\MsFteWds</PipeName>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=4,Forensic=Detect suspicious named pipe connections to an AD FS WID,Author=Florian Roth" groupRelation="and"> 
-				<EventType condition="is">ConnectPipe</EventType>
-				<PipeName condition="is">\MICROSOFT##WID\tsql\query</PipeName>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=Cobalt Strike Named Pipe Detection 2" groupRelation="and">
-				<PipeName condition="begin with">\Winsock2\CatalogChangeListener-</PipeName>
-				<PipeName condition="end with">-0,</PipeName>
-			</Rule>
-			<Rule name="Attack=T1055,Technique=Process Injection,Tactic=Defense Evasion/Privilege Escalation,DS=Named Pipe: Named Pipe Metadata,Level=4,Alert=EFSPotato Named Pipe Detection" groupRelation="and">
-				<PipeName condition="contains any">\pipe\</PipeName>
-				<PipeName condition="excludes">CtxSharefilepipe0</PipeName>
-			</Rule>
-			<!-- Noisy
-			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=SMB Session Enumeration" condition="contains">\srvsvc</PipeName>
-			-->
-			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=Remote Registry access and enumeration" condition="contains">\winreg</PipeName>
-			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=Anonymous Named Pipe Detected" condition="contains">Anonymous Pipe</PipeName>
-			<!--Include Everything else to mark above rules-->
-			<!-- Disabled for now
-			<PipeName name="Attack=None,Technique=None,Tactic=None,DS=Named Pipe: Named Pipe Metadata,Level=0,Desc=Uncategorized Events" condition="contains">\</PipeName>
-			-->
-		</PipeEvent>
-	</RuleGroup>
-	<RuleGroup name="RG=PipeEvent Exclude Group" groupRelation="or">
-		<PipeEvent onmatch="exclude">
-		<EventType name="Exclude ConnectPipe for noise reduction" condition="is">ConnectPipe</EventType>
-		<!--COMMENT: Exclude known-good pipe users-->
-				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
-				<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
-			<!--SECTION: Microsoft-->
-			<PipeName condition="contains">lsass</PipeName>
-			<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
-			<PipeName condition="is">\spoolss</PipeName>
-			<Image name="This is noisy" condition="image">C:\Windows\system32\wbem\wmiprvse.exe</Image>
-			<Image name="WSL" condition="image">C:\Windows\System32\LxRun.exe</Image>
-			<Image condition="image">C:\Windows\System32\SearchIndexer.exe</Image>
-			<Image condition="image">C:\Windows\System32\smss.exe</Image>
-			<Image condition="image">C:\Windows\System32\spoolsv.exe</Image>
-			<Image condition="image">C:\Windows\System32\wininit.exe</Image>
-			<Image condition="image">C:\Windows\system32\DFSRs.exe</Image>
-			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
-			<Rule name="ngen excludes" groupRelation="and">
-				<Image condition="begin with">C:\Windows\Microsoft.NET\Framework</Image>
-				<Image condition="image">ngen.exe</Image>
-			</Rule>
-			<Rule name="ShellExperienceHost excludes" groupRelation="and">
-				<Image condition="begin with">C:\Windows\SystemApps\ShellExperienceHost_</Image>
-				<Image condition="image">ShellExperienceHost.exe</Image>
-			</Rule>
-			<Image condition="image">C:\Windows\system32\SearchProtocolHost.exe</Image>
-			<Image condition="image">\System</Image>
-			<PipeName condition="contains">ProtectedPrefix\LocalService\FTHPIPE</PipeName>
-			<!--SECTION: Microsoft Exchange Server -->
-			<Image condition="contains">Exchange Server</Image>
-			<!--SECTION: Microsoft IIS -->
-			<Image condition="image">C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE</Image>
-			<Image condition="image">C:\Windows\syswow64\snmp.exe</Image>
-			<Image condition="image">c:\windows\system32\inetsrv\w3wp.exe</Image>
-			<PipeName condition="begin with">\M.E.C.Core.WinRMDataCommunicator.NamedPipe.</PipeName>
-			<!--SECTION: Microsoft DNS Server -->
-			<Image condition="image">C:\Windows\system32\dns.exe</Image>
-			<!--SECTION: Microsoft SQL Server -->
-			<PipeName condition="is">\sql\query</PipeName>
-			<Image condition="image">C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe</Image>
-			<PipeName condition="contains">\TDLN-</PipeName>
-			<PipeName condition="contains">vmware-</PipeName>
-			<PipeName condition="is">\InitShutdown</PipeName>
-			<PipeName condition="is">\MsFteWds</PipeName>
-			<PipeName condition="is">\W32TIME_ALT</PipeName>
-			<PipeName condition="is">\WiFiNetworkManagerTask</PipeName>
-			<PipeName condition="is">\Winsock2CatelogChangeListener</PipeName>
-			<PipeName condition="is">\browser</PipeName>
-			<PipeName condition="is">\epmapper</PipeName>
-			<PipeName condition="is">\eventlog</PipeName>
-			<PipeName condition="is">\scerpc</PipeName>
-			<PipeName condition="is">\wkssvc</PipeName>
-			<PipeName condition="is">\ntapvsrq</PipeName>
-			<PipeName condition="contains">Anonymous Pipe</PipeName>
-		</PipeEvent>
-	</RuleGroup>
-	<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
-	<!--EVENT 19: "WmiEventFilter activity detected"-->
-	<!--EVENT 20: "WmiEventConsumer activity detected"-->
-	<!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->
-	<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
-	<RuleGroup name="RG=WmiEvent Include Group" groupRelation="or">
-		<WmiEvent onmatch="include">
-			<Operation name="Attack=T1047,Technique=Windows Management Instrumentation,Tactic=Execution,DS=WMI: WMI Creation" condition="is">Created</Operation>
-		</WmiEvent>
-	</RuleGroup>
-	<!-- SYSMON EVENT ID 22 : DNS Queries-->
-	<RuleGroup name="RG=DNS Query Includes" groupRelation="or">
-		<DnsQuery onmatch="include">
-			<Rule name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Powershell TXT Record exfiltration" groupRelation="and">
-				<QueryResults condition="contains any">type: 16;type:  16</QueryResults>
-				<Image condition="image">powershell.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059,Technique=Powershell,Tactic=Execution,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Powershell Connection to github" groupRelation="and">
-				<QueryName condition="contains">github</QueryName>
-				<Image condition="image">powershell.exe</Image>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious DNS Requests" groupRelation="and">
-				<Image condition="contains any">powershell;cscript.exe;wscript.exe;mshta.exe;bitsadmin.exe;\cmd.exe</Image>
-				<QueryName condition="contains">.</QueryName>
-			</Rule>
-			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Dropbox Cloud Exfiltration" groupRelation="and">
-				<QueryName condition="end with">dropboxapi.com</QueryName>
-				<Image condition="excludes any">\Dropbox\Client\Dropbox.exe;\Dropbox\bin\Dropbox.exe;\Oracle\Java\</Image>
-			</Rule>
-			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=OneDrive Cloud Exfiltration" groupRelation="and">
-				<QueryName condition="contains">1drv</QueryName>
-				<Image condition="excludes any">\AppData\Local\Microsoft\OneDrive\OneDrive.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;\Internet Explorer\iexplore.exe;C:\Windows\System32\AppHostRegistrationVerifier.exe;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe;C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe;C:\Program Files\Mozilla Firefox\firefox.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Box.com Cloud Exfiltration" groupRelation="and">
-				<QueryName condition="contains all">.box.com;upload</QueryName>
-			</Rule>
-			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Mega.co.nz Cloud Exfiltration" groupRelation="and">
-				<QueryName condition="contains any">mega.nz;mega.co.nz</QueryName>
-			</Rule>
-			<Rule name="Attack=T1567.002,Technique=Exfiltration Over Web Service: Exfiltration to Cloud Storage,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Privatlab Cloud Exfiltration" groupRelation="and">
-				<QueryName condition="contains any">privatlab.com</QueryName>
-			</Rule>
-			<Rule name="Attack=T1195,Technique=Supply Chain Compromise,Tactic=Initial Access,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Solarwinds/FireEye sunburst domains,Risk=100" groupRelation="or">
-				<QueryName condition="contains any">thedoccloud.com;deftsecurity.com;websitetheme.com;highdatabase.com;incomeupdate.com;zupertech.com;panhardware.com;databasegalore.com;avsvmcloud.com;freescanonline.com</QueryName>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Social Networking" groupRelation="or">
-				<QueryName condition="contains any">tiktok;parler.com;gab.com;mewe.com;4chan;8chan;facebook;fbcdn;twitter;instagram;snapchat</QueryName>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Internet Relay Chat,Risk=70" groupRelation="or">
-				<QueryName condition="contains any">efnet;undernet;freenode;ircnet;.rizon;quakenet;oftc.net;dalnet</QueryName>
-			</Rule>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Internet Chat,Risk=20" groupRelation="and">
-				<QueryName condition="contains any">.slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com</QueryName>
-			</Rule>
-			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Advanced IP scanner Detected,Risk=90"  groupRelation="or">
-				<QueryName condition="contains any">advanced-ip-scanner.com</QueryName>
-			</Rule>
-			<Rule name="Attack=T1595,Technique=Active Scanning,Tactic=Reconnaissance,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Kali Linux Distribution Download/Apt URL,Risk=90"  groupRelation="or">
-				<QueryName condition="contains any">kali.download</QueryName>
-			</Rule>
-			<!--Crypto Currency Mining pools-->
-			<Rule name="Attack=T1496,Technique=Resource Hijacking,Tactic=Impact,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Crypto Currency Miner Detected,Risk=85"  groupRelation="or">
-				<QueryName condition="contains any">0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.nimpool.io;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool;analytics.blue;estream.to</QueryName>
-			</Rule>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Microsoft Graph API Lookup" condition="is">graph.microsoft.com</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Dropbox Download Detected" condition="is">dl.dropboxusercontent.com</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=OneDrive API Lookup" condition="is">api.onedrive.com</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Zoom Hostname Lookup" condition="contains">zoom.us</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Teamviewer Hostname Lookup" condition="contains">teamviewer</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Screenconnect Hostname Lookup" condition="contains">Screenconnect</QueryName>
-			<!--Public Port Scan Detection-->
-			<!--MITRE ATT&CK TECHNIQUE: Active Scanning-->
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content" condition="contains">census</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=ResearchScan DNS Query" condition="contains">researchscan</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=ScanHub DNS Query" condition="contains">scanhub</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Shadow DNS Query,Risk=20" condition="contains">shadow</QueryName>
-			<QueryName name="Attack=T1595,Technique=Active Scanning,Tactic=Discovery,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Shodan.IO DNS Query,Risk=20" condition="contains">shodan</QueryName>
-			<!--Domain TLD's to log-->
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Download TLD DNS Query" condition="end with">.download</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=North Korea TLD DNS Query" condition="end with">.kp</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Soviet Union TLD DNS Query" condition="end with">.su</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Sudan TLD DNS Query" condition="end with">.ss</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .xn DNS Query" condition="end with">.xn</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Syria TLD DNS Query" condition="end with">.sy</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Venezuela TLD DNS Query" condition="end with">.ve</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=XXX TLD DNS Query" condition="end with">.xxx</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=China TLD DNS Query" condition="end with">.cn</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Click TLD DNS Query" condition="end with">.click</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Club TLD DNS Query" condition="end with">.club</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=IRAN TLD DNS Query" condition="end with">.ir</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Russian TLD DNS Query" condition="end with">.ru</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .Host DNS Query" condition="end with">.host</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .ICU DNS Query" condition="end with">.icu</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .PW DNS Query" condition="end with">.pw</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .WEBSITE DNS Query" condition="end with">.website</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .ninja DNS Query" condition="end with">.ninja</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious TLD .rocks DNS Query" condition="end with">.rocks</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Top TLD DNS Query" condition="end with">.top</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Ukraine TLD DNS Query" condition="end with">.ua</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=XYZ TLD DNS Query" condition="end with">.xyz</QueryName>
-			<!--Malware Domains-->
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Suspicious Domain,Risk=20" groupRelation="and">
-				<QueryName condition="contains any">kuternull.com;rimrun.com;0ffice36o;asushotfix;infestexe;rahasn.webhop.org;rahasn.akamake.net;rahasn.homewealth.biz;winodwsupdates;israirairlines</QueryName>
-			</Rule>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=DNS Query to Github,Risk=20" condition="contains any">githubusercontent.com;github.com</QueryName> 
-			<!--Common Suspicious destinations-->
-			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Malware IP Check,Risk=30" condition="contains any">api.ipify.org;whatismyipaddress.com;edns.ip-api.com;checkip.dyndns.org;icanhazip.com;ifconfig.me;ifconfig.co;ipaddress.com;ipecho.net;ident.me;api.ip.sb;www.myexternalip.com;ip.anysrc.net;wtfismyip.com;myexternalip.com;ipecho.net;checkip.amazonaws.com;goo.gl;git.io;bit.ly;ow.ly;ip-api.com</QueryName> <!--Malware uses to get external IP address-->
-			<!-- Malicious/Suspicious hosting domains-->
-			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Common Malware Hosting Domain: Tiny-share.com,Risk=30" condition="contains any">tiny-share.com;paste.ee;pastebin.com</QueryName>
-			<!--Dynamic DNS Lookups-->
-			<QueryName name="Attack=T1311,Technique=Dynamic DNS,Tactic=Adversary Opsec,DS=Network Traffic: Network Traffic Content,Level=3,Alert=Dynamic DNS Query" condition="contains any">afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com</QueryName>
-			<QueryName name="Attack=T1188,Technique=Multi-hop Proxy,Tactic=Command And Control,DS=Network Traffic: Network Traffic Content,Level=4,Alert=Tor2Web,Risk=100" condition="contains any">darknet.to;hiddenservice.net;onion.cab;onion.city;onion.direct;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org</QueryName>
-			<QueryName name="Attack=T1048,Technique=Exfiltration Over Alternative Protocol,Tactic=Exfiltration,DS=Network Traffic: Network Traffic Content,Level=0,Desc=DNS Over HTTPS Detected" condition="contains any">adblock.mydns.network;ibksturm.synology.me;jcdns.fun;ibuki.cgnat.net;dns.twnic.tw;commons.host;doh.dnswarden.com;dns-nyc.aaflalo.me;dns.aaflalo.me;doh.appliedprivacy.net;doh.captnemo.in;doh.tiar.app;doh.tiarap.org;doh.defaultroutes.de;doh.dns.sb;dns.oszx.co;2.dnscrypt-cert.oszx.co;dnscrypt;edns.233py.com;hk-dns.233py.com;hk2dns.233py.com;hkdns.233py.com;hkdns.233py.com;ndns.233py.com;sdns.233py.com;wdns.233py.com;pastebin.com;dns.adguard.com;dns-family.adguard.com;security-filter-dns.cleanbrowsing.org;family-filter-dns.cleanbrowsing.org;adult-filter-dns.cleanbrowsing.org;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;dns.google;doh.opendns.com;dns.quad9.net;dns9.quad9.net;dns10.quad9.net;dns11.quad9.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;doh-ch.blahdns.com;doh-de.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;doh-2.seby.io;doh.seby.io;rdns.faelix.net;doh.li;doh.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=DC Global Catalog Lookup" condition="begin with">gc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._tcp.dc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Kerberos Server Lookup" condition="begin with">_kerberos._udp.dc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Primary DC Lookup" condition="begin with">_ldap._tcp.pdc._msdcs.</QueryName>
-			<QueryName name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Web Proxy Auto-Discovery Protocol Lookup" condition="begin with">wpad</QueryName>
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=3,Desc=Suspicious LDAP Lookup - Useful for identifying tools like sharphound,Risk=90" groupRelation="and">
-				<QueryName condition="begin with">_ldap.</QueryName>
-				<Image condition="excludes">C:\Windows\</Image>
-				<Image condition="excludes">unknown process</Image>
-				<Image condition="excludes all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\Windows Defender\MsMpEng.exe;C:\Windows\</Image>
-			</Rule>
-			<!--
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=AAAA Lookup" condition="begin with">type:  28</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=CNAME Lookup" condition="begin with">type:  5</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=MX Lookup" condition="begin with">type:  15</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Name Server" condition="begin with">type:  2</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=PTR Lookup" condition="begin with">type:  12</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=SOA Lookup" condition="begin with">type:  6</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=SPF Lookup" condition="begin with">type:  99</QueryResults>
-			<QueryResults name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=SRV Lookup" condition="begin with">type:  33</QueryResults>
-			-->
-			<Image name="Attack=None,Technique=None,Tactic=None,DS=None,Information=Uncategorized Events" condition="contains any">System;svchost.exe;services.exe;unknown process;\;;</Image>
-		</DnsQuery>
-	</RuleGroup>
-	<RuleGroup name="RG=DNS Query Excludes" groupRelation="or">
-		<DnsQuery onmatch="exclude">
-			<!-- Image Exclusions -->
-			<Image condition="begin with">C:\Program Files (x86)\Admin Arsenal\</Image>
-			<Image condition="begin with">C:\Program Files (x86)\CheckPoint\</Image>
-			<Image condition="begin with">C:\Program Files (x86)\Fortinet\</Image>
-			<Image condition="begin with">C:\Program Files (x86)\OpenDNS\OpenDNS Connector</Image>
-			<Image condition="begin with">C:\Program Files (x86)\Razer\Razer Services\</Image>
-			<Image condition="begin with">C:\Program Files (x86)\Trend Micro\</Image>
-			<Image condition="begin with">C:\Program Files (x86)\VMware</Image>
-			<Image condition="begin with">C:\Program Files (x86)\Veeam\</Image>
-			<Image condition="begin with">C:\Program Files\CheckPoint\</Image>
-			<Image condition="begin with">C:\Program Files\Trend Micro\</Image>
-			<Image condition="image">Slack.exe</Image>
-			<Image condition="image">ConnectWise.exe</Image>
-			<Image condition="image">git-remote-https.exe</Image>
-			<Image condition="image">C:\Program Files (x86)\Enpass\Enpass.exe</Image>
-			<Image condition="image">C:\Program Files (x86)\Fiserv\Vision\VisionGUI.NET.exe</Image>
-			<Image condition="image">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image>
-			<Image condition="image">C:\Program Files (x86)\Lenovo\System Update\Tvsukernel.exe</Image>
-			<Image condition="image">C:\Program Files\VMware\vCenter Server\jre\bin\java.exe</Image>
-			<Image condition="image">C:\Program Files\VMware\vCenter Server\python\python.exe</Image>
-			<Image condition="image">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
-			<Image condition="image">C:\Windows\System32\dsregcmd.exe</Image>
-			<Image condition="image">C:\Windows\sysmon64.exe</Image>
-			<Image condition="image">C:\Windows\sysmon.exe</Image>
-			<QueryName condition="begin with">brave-sync.s3.dualstack.</QueryName>
-			<QueryName condition="end with">.salesforceliveagent.com</QueryName>
-			<QueryName condition="is">ads-serve.brave.com</QueryName>
-			<!--Network noise-->
-			<QueryName condition="end with">.msftncsi.com</QueryName> <!--Microsoft proxy detection | Microsoft default exclusion-->
-			<QueryName condition="is">..localmachine</QueryName>
-			<!--Microsoft-->
-			<QueryName condition="end with">-pushp.svc.ms</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
-			<QueryName condition="end with">.b-msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
-			<QueryName condition="end with">.bing.com</QueryName> <!-- Microsoft | Microsoft default exclusion -->
-			<QueryName condition="end with">.hotmail.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.live.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.live.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.microsoft.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.microsoftonline.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.microsoftstore.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.ms-acdc.office.com</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
-			<QueryName condition="end with">.msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
-			<QueryName condition="end with">.msn.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.msocdn.com</QueryName> <!--Microsoft-->
-			<QueryName condition="end with">.s-microsoft.com</QueryName> <!--Microsoft-->
-			<QueryName condition="end with">.skype.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.skype.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.windows.com</QueryName> <!--Microsoft-->
-			<QueryName condition="end with">.windows.net.nsatc.net</QueryName> <!--Microsoft-->
-			<QueryName condition="end with">.windowsupdate.com</QueryName> <!--Microsoft-->
-			<QueryName condition="end with">.xboxlive.com</QueryName> <!--Microsoft-->
-			<QueryName condition="is">login.windows.net</QueryName> <!--Microsoft-->
-			<!--Microsoft:Office365/AzureAD-->
-			<QueryName condition="end with">.activedirectory.windowsazure.com</QueryName> <!--Microsoft: AzureAD-->
-			<QueryName condition="end with">.msauth.net</QueryName>
-			<QueryName condition="end with">.msftauth.net</QueryName>
-			<QueryName condition="end with">.opinsights.azure.com</QueryName> <!--Microsoft: AzureAD/InTune client event monitoring-->
-			<QueryName condition="is">management.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
-			<QueryName condition="is">outlook.office365.com</QueryName> <!--Microsoft: Protected by HSTS-->
-			<QueryName condition="is">portal.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
-			<!--3rd-party applications-->
-			<QueryName condition="end with">.mozaws.net</QueryName> <!--Mozilla-->
-			<QueryName condition="end with">.mozilla.com</QueryName> <!--Mozilla-->
-			<QueryName condition="end with">.mozilla.net</QueryName> <!--Mozilla-->
-			<QueryName condition="end with">.mozilla.org</QueryName> <!--Mozilla-->
-			<QueryName condition="end with">.spotify.com</QueryName> <!--Spotify-->
-			<QueryName condition="end with">.spotify.map.fastly.net</QueryName> <!--Spotify-->
-			<QueryName condition="end with">googleapis.com</QueryName> <!--Google-->
-			<QueryName condition="is">clients1.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">clients2.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">clients3.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">clients4.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">clients5.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">clients6.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">cloudsearch.googleapis.com</QueryName> <!--Google-->
-			<QueryName condition="is">id.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">safebrowsing.googleapis.com</QueryName> <!--Google-->
-			<QueryName condition="is">www.googleapis.com</QueryName> <!--Google-->
-			<!--Goodlist CDN-->
-			<QueryName condition="end with">.akadns.net</QueryName> <!--AkamaiCDN, extensively used by Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.netflix.com</QueryName>
-			<QueryName condition="end with">.typekit.net</QueryName> <!--Adobe fonts-->
-			<QueryName condition="end with">aspnetcdn.com</QueryName> <!--Microsoft [ https://docs.microsoft.com/en-us/aspnet/ajax/cdn/overview ]-->
-			<QueryName condition="is">ajax.googleapis.com</QueryName>
-			<QueryName condition="is">cdnjs.cloudflare.com</QueryName>
-			<QueryName condition="is">cdnjs.cloudflare.com</QueryName> <!--Cloudflare: Hosts popular javascript libraries-->
-			<QueryName condition="is">fonts.googleapis.com</QueryName> <!--Google fonts-->
-			<!--Personal-->
-			<QueryName condition="end with">.steamcontent.com</QueryName> <!--If you seriously host malware C2 in game binaries in Steam, I give up-->
-			<!--Web resources-->
-			<QueryName condition="end with">.disqus.com</QueryName> <!--Microsoft default exclusion-->
-			<QueryName condition="end with">.fontawesome.com</QueryName>
-			<QueryName condition="is">disqus.com</QueryName> <!--Microsoft default exclusion-->
-			<!--Ads-->
-			<QueryName condition="end with">.1rx.io</QueryName> <!--Ads-->
-			<QueryName condition="end with">.2mdn.net</QueryName> <!--Ads: Google | Microsoft default exclusion-->
-			<QueryName condition="end with">.adadvisor.net</QueryName> <!--Ads: Neustar [ https://better.fyi/trackers/adadvisor.net/ ] -->
-			<QueryName condition="end with">.adap.tv</QueryName> <!--Ads:AOL | Microsoft default exclusion [ https://www.crunchbase.com/organization/adap-tv ] -->
-			<QueryName condition="end with">.addthis.com</QueryName> <!--Ads:Oracle | Microsoft default exclusion [ https://en.wikipedia.org/wiki/AddThis ] -->
-			<QueryName condition="end with">.adform.net</QueryName> <!--Ads-->
-			<QueryName condition="end with">.adnxs.com</QueryName> <!--Ads: AppNexus | Microsoft default exclusion-->
-			<QueryName condition="end with">.adroll.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.adrta.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.adsafeprotected.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.adsrvr.org</QueryName> <!--Ads-->
-			<QueryName condition="end with">.advertising.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.analytics.yahoo.com</QueryName> <!--Ads:Yahoo-->
-			<QueryName condition="end with">.aol.com</QueryName> <!--Ads | Microsoft default exclusion -->
-			<QueryName condition="end with">.betrad.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.bidswitch.net</QueryName> <!--Ads-->
-			<QueryName condition="end with">.casalemedia.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.chartbeat.net</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/chartbeat.com/ ]-->
-			<QueryName condition="end with">.cnn.com</QueryName> <!-- Microsoft default exclusion-->
-			<QueryName condition="end with">.convertro.com</QueryName> <!--Ads:Verizon-->
-			<QueryName condition="end with">.criteo.com</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
-			<QueryName condition="end with">.criteo.net</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
-			<QueryName condition="end with">.crwdcntrl.net</QueryName> <!--Ads: Lotame [ https://better.fyi/trackers/crwdcntrl.net/ ] -->
-			<QueryName condition="end with">.demdex.net</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.domdex.com</QueryName> 
-			<QueryName condition="end with">.dotomi.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.doubleclick.net</QueryName> <!--Ads:Conversant | Microsoft default exclusion [ https://www.crunchbase.com/organization/dotomi ] -->
-			<QueryName condition="end with">.doubleverify.com</QueryName> <!--Ads: Google-->
-			<QueryName condition="end with">.emxdgt.com</QueryName> <!--Ads: EMX-->
-			<QueryName condition="end with">.exelator.com</QueryName> <!--Ads:Nielson Marketing Cloud-->
-			<QueryName condition="end with">.google-analytics.com</QueryName> <!--Ads:Google | Microsoft default exclusion-->
-			<QueryName condition="end with">.googleadservices.com</QueryName> <!--Google-->
-			<QueryName condition="end with">.googlesyndication.com</QueryName> <!--Ads:Google, sometimes called during malicious ads, but not directly responsible | Microsoft default exclusion [ https://www.hackread.com/wp-content/uploads/2018/06/Bitdefender-Whitepaper-Zacinlo.pdf ]-->
-			<QueryName condition="end with">.googletagmanager.com</QueryName> <!--Google-->
-			<QueryName condition="end with">.googlevideo.com</QueryName> <!--Google | Microsoft default exclusion-->
-			<QueryName condition="end with">.gstatic.com</QueryName> <!--Google | Microsoft default exclusion-->
-			<QueryName condition="end with">.gvt1.com</QueryName> <!--Google-->
-			<QueryName condition="end with">.gvt2.com</QueryName> <!--Google-->
-			<QueryName condition="end with">.ib-ibi.com</QueryName> <!--Ads: Offerpath [ https://better.fyi/trackers/ib-ibi.com/ ] -->
-			<QueryName condition="end with">.jivox.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.mathtag.com</QueryName> <!--Microsoft default exclusion-->
-			<QueryName condition="end with">.moatads.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.moatpixel.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.mookie1.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.myvisualiq.net</QueryName> <!--Ads-->
-			<QueryName condition="end with">.netmng.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.openx.net</QueryName> <!--Ads-->
-			<QueryName condition="end with">.optimizely.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.outbrain.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.pardot.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.phx.gbl</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.pinterest.com</QueryName> <!--Pinerest-->
-			<QueryName condition="end with">.pubmatic.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.quantcount.com</QueryName>
-			<QueryName condition="end with">.quantserve.com</QueryName>
-			<QueryName condition="end with">.revsci.net</QueryName> <!--Ads:Omniture | Microsoft default exclusion-->
-			<QueryName condition="end with">.rfihub.net</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.rlcdn.com</QueryName> <!--Ads: Rapleaf [ https://better.fyi/trackers/rlcdn.com/ ] -->
-			<QueryName condition="end with">.rubiconproject.com</QueryName> <!--Ads: Rubicon Project | Microsoft default exclusion [ https://better.fyi/trackers/rubiconproject.com/ ] -->
-			<QueryName condition="end with">.scdn.co</QueryName> <!--Spotify-->
-			<QueryName condition="end with">.scorecardresearch.com</QueryName> <!--Ads: Comscore | Microsoft default exclusion-->
-			<QueryName condition="end with">.serving-sys.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.sharethrough.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.simpli.fi</QueryName>
-			<QueryName condition="end with">.sitescout.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.smartadserver.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.snapads.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.spotxchange.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.taboola.com</QueryName> <!--Ads:Taboola-->
-			<QueryName condition="end with">.taboola.map.fastly.net</QueryName> <!--Ads:Taboola-->
-			<QueryName condition="end with">.tapad.com</QueryName>
-			<QueryName condition="end with">.tidaltv.com</QueryName> <!--Ads: Videology [ https://better.fyi/trackers/tidaltv.com/ ] -->
-			<QueryName condition="end with">.trafficmanager.net</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.tremorhub.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.tribalfusion.com</QueryName> <!--Ads: Exponential [ https://better.fyi/trackers/tribalfusion.com/ ] -->
-			<QueryName condition="end with">.turn.com</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/turn.com/ ] -->
-			<QueryName condition="end with">.twimg.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="end with">.tynt.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.w55c.net</QueryName> <!--Ads:dataxu-->
-			<QueryName condition="end with">.ytimg.com</QueryName> <!--Google-->
-			<QueryName condition="end with">.zorosrv.com</QueryName> <!--Ads:Taboola-->
-			<QueryName condition="end with">ads.yahoo.com</QueryName> <!--Ads: Yahoo-->
-			<QueryName condition="is">1rx.io</QueryName>
-			<QueryName condition="is">adservice.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">ampcid.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">clientservices.googleapis.com</QueryName> <!--Google-->
-			<QueryName condition="is">d29x207vrinatv.cloudfront.net</QueryName> <!--Amazon-developed applications-->
-			<QueryName condition="is">googleadapis.l.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">imasdk.googleapis.com</QueryName> <!--Google [ https://developers.google.com/interactive-media-ads/docs/sdks/html5/ ] -->
-			<QueryName condition="is">l.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">ml314.com</QueryName> <!--Ads-->
-			<QueryName condition="is">mtalk.google.com</QueryName> <!--Google-->
-			<QueryName condition="is">update.googleapis.com</QueryName> <!--Google-->
-			<QueryName condition="is">www.googletagservices.com</QueryName>
-			<!--SocialNet-->
-			<QueryName condition="end with">.pscp.tv</QueryName> <!--Twitter:Periscope-->
-			<!--OSCP/CRL Common-->
-			<QueryName condition="contains">adsniper.ru</QueryName>
-			<QueryName condition="contains">cdnvideo.ru</QueryName>
-			<QueryName condition="contains">chat.minergate.com</QueryName>
-			<QueryName condition="contains">cwsa.minergate.com</QueryName>
-			<QueryName condition="contains">forum.minergate.com</QueryName>
-			<QueryName condition="contains">leadlab.click</QueryName>
-			<QueryName condition="contains">mc.yandex.ru</QueryName>
-			<QueryName condition="contains">pool.ntp.org</QueryName>
-			<QueryName condition="contains">vmg.host</QueryName>
-			<QueryName condition="contains">yandex.ru</QueryName>
-			<QueryName condition="end with">.adobe.com</QueryName>
-			<QueryName condition="end with">.autodesk.com</QueryName>
-			<QueryName condition="end with">.avast.com</QueryName>
-			<QueryName condition="end with">.avcdn.net</QueryName>
-			<QueryName condition="end with">.cdn.bitdefender.net</QueryName>
-			<QueryName condition="end with">.digicert.com</QueryName>
-			<QueryName condition="end with">.eset.com</QueryName>
-			<QueryName condition="end with">.globalsign.com</QueryName>
-			<QueryName condition="end with">.globalsign.net</QueryName>
-			<QueryName condition="end with">.intuit.com</QueryName>
-			<QueryName condition="end with">.java.com</QueryName>
-			<QueryName condition="end with">.macromedia.com</QueryName>
-			<QueryName condition="end with">.oracle.com</QueryName>
-			<QueryName condition="end with">.quickbooks.com</QueryName>
-			<QueryName condition="end with">.usertrust.com</QueryName>
-			<QueryName condition="end with">amazontrust.com</QueryName>
-			<QueryName condition="end with">ocsp.identrust.com</QueryName>
-			<QueryName condition="end with">pki.goog</QueryName>
-			<QueryName condition="is">ads.playground.xyz</QueryName>
-			<QueryName condition="is">citrixupdates.cloud.com</QueryName>
-			<QueryName condition="is">forticlient.fortinet.net</QueryName>
-			<QueryName condition="is">mft10.onbaseonline.com</QueryName>
-			<QueryName condition="is">msocsp.com</QueryName> <!--Microsoft:OCSP-->
-			<QueryName condition="is">ocsp.comodoca.com</QueryName>
-			<QueryName condition="is">ocsp.cybertrust.ne.jp</QueryName>
-			<QueryName condition="is">ocsp.entrust.net</QueryName>
-			<QueryName condition="is">ocsp.entrust.net</QueryName>
-			<QueryName condition="is">ocsp.godaddy.com</QueryName>
-			<QueryName condition="is">ocsp.int-x3.letsencrypt.org</QueryName>
-			<QueryName condition="is">ocsp.intel.com</QueryName>
-			<QueryName condition="is">ocsp.msocsp.com</QueryName> <!--Microsoft:OCSP-->
-			<QueryName condition="is">ocsp.quovadisglobal.com</QueryName>
-			<QueryName condition="is">ocsp.quovadisoffshore.com</QueryName>
-			<QueryName condition="is">ocsp.sectigo.com</QueryName>
-			<QueryName condition="is">ocsp.starfieldtech.com</QueryName>
-			<QueryName condition="is">ocsp.thawte.com</QueryName>
-			<QueryName condition="is">ocsp.trustwave.com</QueryName>
-			<QueryName condition="is">ocsp.verisign.com</QueryName>
-			<QueryName condition="is">pki-goog.l.google.com</QueryName>
-			<QueryName condition="is">pki.intel.com</QueryName>
-			<QueryName condition="is">scrootca1.ocsp.secomtrust.net</QueryName>
-			<QueryName condition="is">scrootca2.ocsp.secomtrust.net</QueryName>
-			<QueryName condition="is">stats.anchor.host</QueryName>
-			<QueryName condition="is">status.rapidssl.com</QueryName>
-			<QueryName condition="is">status.thawte.com</QueryName>
-			<QueryName condition="is">ts-ocsp.ws.symantec.com</QueryName>
-			<QueryName condition="is">upgrade.bitdefender.com</QueryName>
-		</DnsQuery>
-	</RuleGroup>
-	<!-- SYSMON EVENT ID 23 : File Delete and overwrite events which saves a copy to the archivedir: Includes -->
-	<!-- Default set to disabled due to disk space implications, enable with care!-->
-	<RuleGroup groupRelation="or">
-	  <FileDelete onmatch="include" />
-	</RuleGroup>
-	<!-- SYSMON EVENT ID 24 : Clipboard change events, only captures text, not files: Includes -->
-	<!-- Default set to disabled due to privacy implications and potential data you leave for attackers, enable with care!-->
-	<RuleGroup groupRelation="or">
-	  <ClipboardChange onmatch="include" />
-	</RuleGroup>
-	<!--SYSMON EVENT ID 25 : Process tampering events-->
-	<RuleGroup name="RG=Process Tampering Includes" groupRelation="or">
-		<ProcessTampering onmatch="include">
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=Process Tampering Detected" groupRelation="and">
-				<Image condition="contains any">.;&gt;;unknown;anonymous</Image>
-				<Image condition="excludes">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
-				<Image condition="excludes">C:\Program Files (x86)\Symantec\</Image>
-				<Image condition="excludes">C:\Program Files\Google\Chrome\Application\chrome.exe</Image>
-				<Image condition="excludes">C:\Program Files\Symantec\</Image>
-			</Rule>
-		</ProcessTampering>
-	</RuleGroup>
-	<RuleGroup name="RG=Process Tampering Excludes" groupRelation="or">
-		<ProcessTampering onmatch="exclude">
-			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Network Traffic: Network Traffic Content,Level=0,Desc=exclude common noise" groupRelation="and">
-				<Image condition="contains any">\BHO\ie_to_edge_stub.exe;\Microsoft\Teams\;\Vivaldi\Application\;Google\Chrome\;Google\Update;BraveSoftware\Brave-Browser\;Edge\Application\;EdgeUpdate\Install\;Program Files\SmartGit\</Image>
-			</Rule>
-		</ProcessTampering>
-	</RuleGroup>
-	<!-- SYSMON EVENT ID 26 : File Delete and overwrite events, does NOT save the file: Includes -->
-	<RuleGroup groupRelation="or">
-		<FileDeleteDetected onmatch="include">
-		</FileDeleteDetected>
-	</RuleGroup>
-	<RuleGroup groupRelation="or">
-		<FileDeleteDetected onmatch="exclude">
-			<Image condition="contains all">\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe</Image>
-			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
-			<User condition="contains any">NETWORK SERVICE; LOCAL SERVICE</User>
-		</FileDeleteDetected>
-	</RuleGroup>
-	</EventFiltering>
-</Sysmon>
\ No newline at end of file

From 98409cddd7f6ddb8bee609ce0276d8ffa1f20025 Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Fri, 8 Sep 2023 15:01:22 -0400
Subject: [PATCH 467/471] Add files via upload

---
 LICENSE.txt | 504 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 504 insertions(+)
 create mode 100644 LICENSE.txt

diff --git a/LICENSE.txt b/LICENSE.txt
new file mode 100644
index 00000000..8000a6fa
--- /dev/null
+++ b/LICENSE.txt
@@ -0,0 +1,504 @@
+                  GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 2.1, February 1999
+
+ Copyright (C) 1991, 1999 Free Software Foundation, Inc.
+ 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+[This is the first released version of the Lesser GPL.  It also counts
+ as the successor of the GNU Library Public License, version 2, hence
+ the version number 2.1.]
+
+                            Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+Licenses are intended to guarantee your freedom to share and change
+free software--to make sure the software is free for all its users.
+
+  This license, the Lesser General Public License, applies to some
+specially designated software packages--typically libraries--of the
+Free Software Foundation and other authors who decide to use it.  You
+can use it too, but we suggest you first think carefully about whether
+this license or the ordinary General Public License is the better
+strategy to use in any particular case, based on the explanations below.
+
+  When we speak of free software, we are referring to freedom of use,
+not price.  Our General Public Licenses are designed to make sure that
+you have the freedom to distribute copies of free software (and charge
+for this service if you wish); that you receive source code or can get
+it if you want it; that you can change the software and use pieces of
+it in new free programs; and that you are informed that you can do
+these things.
+
+  To protect your rights, we need to make restrictions that forbid
+distributors to deny you these rights or to ask you to surrender these
+rights.  These restrictions translate to certain responsibilities for
+you if you distribute copies of the library or if you modify it.
+
+  For example, if you distribute copies of the library, whether gratis
+or for a fee, you must give the recipients all the rights that we gave
+you.  You must make sure that they, too, receive or can get the source
+code.  If you link other code with the library, you must provide
+complete object files to the recipients, so that they can relink them
+with the library after making changes to the library and recompiling
+it.  And you must show them these terms so they know their rights.
+
+  We protect your rights with a two-step method: (1) we copyright the
+library, and (2) we offer you this license, which gives you legal
+permission to copy, distribute and/or modify the library.
+
+  To protect each distributor, we want to make it very clear that
+there is no warranty for the free library.  Also, if the library is
+modified by someone else and passed on, the recipients should know
+that what they have is not the original version, so that the original
+author's reputation will not be affected by problems that might be
+introduced by others.
+
+  Finally, software patents pose a constant threat to the existence of
+any free program.  We wish to make sure that a company cannot
+effectively restrict the users of a free program by obtaining a
+restrictive license from a patent holder.  Therefore, we insist that
+any patent license obtained for a version of the library must be
+consistent with the full freedom of use specified in this license.
+
+  Most GNU software, including some libraries, is covered by the
+ordinary GNU General Public License.  This license, the GNU Lesser
+General Public License, applies to certain designated libraries, and
+is quite different from the ordinary General Public License.  We use
+this license for certain libraries in order to permit linking those
+libraries into non-free programs.
+
+  When a program is linked with a library, whether statically or using
+a shared library, the combination of the two is legally speaking a
+combined work, a derivative of the original library.  The ordinary
+General Public License therefore permits such linking only if the
+entire combination fits its criteria of freedom.  The Lesser General
+Public License permits more lax criteria for linking other code with
+the library.
+
+  We call this license the "Lesser" General Public License because it
+does Less to protect the user's freedom than the ordinary General
+Public License.  It also provides other free software developers Less
+of an advantage over competing non-free programs.  These disadvantages
+are the reason we use the ordinary General Public License for many
+libraries.  However, the Lesser license provides advantages in certain
+special circumstances.
+
+  For example, on rare occasions, there may be a special need to
+encourage the widest possible use of a certain library, so that it becomes
+a de-facto standard.  To achieve this, non-free programs must be
+allowed to use the library.  A more frequent case is that a free
+library does the same job as widely used non-free libraries.  In this
+case, there is little to gain by limiting the free library to free
+software only, so we use the Lesser General Public License.
+
+  In other cases, permission to use a particular library in non-free
+programs enables a greater number of people to use a large body of
+free software.  For example, permission to use the GNU C Library in
+non-free programs enables many more people to use the whole GNU
+operating system, as well as its variant, the GNU/Linux operating
+system.
+
+  Although the Lesser General Public License is Less protective of the
+users' freedom, it does ensure that the user of a program that is
+linked with the Library has the freedom and the wherewithal to run
+that program using a modified version of the Library.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.  Pay close attention to the difference between a
+"work based on the library" and a "work that uses the library".  The
+former contains code derived from the library, whereas the latter must
+be combined with the library in order to run.
+
+                  GNU LESSER GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License Agreement applies to any software library or other
+program which contains a notice placed by the copyright holder or
+other authorized party saying it may be distributed under the terms of
+this Lesser General Public License (also called "this License").
+Each licensee is addressed as "you".
+
+  A "library" means a collection of software functions and/or data
+prepared so as to be conveniently linked with application programs
+(which use some of those functions and data) to form executables.
+
+  The "Library", below, refers to any such software library or work
+which has been distributed under these terms.  A "work based on the
+Library" means either the Library or any derivative work under
+copyright law: that is to say, a work containing the Library or a
+portion of it, either verbatim or with modifications and/or translated
+straightforwardly into another language.  (Hereinafter, translation is
+included without limitation in the term "modification".)
+
+  "Source code" for a work means the preferred form of the work for
+making modifications to it.  For a library, complete source code means
+all the source code for all modules it contains, plus any associated
+interface definition files, plus the scripts used to control compilation
+and installation of the library.
+
+  Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running a program using the Library is not restricted, and output from
+such a program is covered only if its contents constitute a work based
+on the Library (independent of the use of the Library in a tool for
+writing it).  Whether that is true depends on what the Library does
+and what the program that uses the Library does.
+
+  1. You may copy and distribute verbatim copies of the Library's
+complete source code as you receive it, in any medium, provided that
+you conspicuously and appropriately publish on each copy an
+appropriate copyright notice and disclaimer of warranty; keep intact
+all the notices that refer to this License and to the absence of any
+warranty; and distribute a copy of this License along with the
+Library.
+
+  You may charge a fee for the physical act of transferring a copy,
+and you may at your option offer warranty protection in exchange for a
+fee.
+
+  2. You may modify your copy or copies of the Library or any portion
+of it, thus forming a work based on the Library, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) The modified work must itself be a software library.
+
+    b) You must cause the files modified to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    c) You must cause the whole of the work to be licensed at no
+    charge to all third parties under the terms of this License.
+
+    d) If a facility in the modified Library refers to a function or a
+    table of data to be supplied by an application program that uses
+    the facility, other than as an argument passed when the facility
+    is invoked, then you must make a good faith effort to ensure that,
+    in the event an application does not supply such function or
+    table, the facility still operates, and performs whatever part of
+    its purpose remains meaningful.
+
+    (For example, a function in a library to compute square roots has
+    a purpose that is entirely well-defined independent of the
+    application.  Therefore, Subsection 2d requires that any
+    application-supplied function or table used by this function must
+    be optional: if the application does not supply it, the square
+    root function must still compute square roots.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Library,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Library, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote
+it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Library.
+
+In addition, mere aggregation of another work not based on the Library
+with the Library (or with a work based on the Library) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may opt to apply the terms of the ordinary GNU General Public
+License instead of this License to a given copy of the Library.  To do
+this, you must alter all the notices that refer to this License, so
+that they refer to the ordinary GNU General Public License, version 2,
+instead of to this License.  (If a newer version than version 2 of the
+ordinary GNU General Public License has appeared, then you can specify
+that version instead if you wish.)  Do not make any other change in
+these notices.
+
+  Once this change is made in a given copy, it is irreversible for
+that copy, so the ordinary GNU General Public License applies to all
+subsequent copies and derivative works made from that copy.
+
+  This option is useful when you wish to copy part of the code of
+the Library into a program that is not a library.
+
+  4. You may copy and distribute the Library (or a portion or
+derivative of it, under Section 2) in object code or executable form
+under the terms of Sections 1 and 2 above provided that you accompany
+it with the complete corresponding machine-readable source code, which
+must be distributed under the terms of Sections 1 and 2 above on a
+medium customarily used for software interchange.
+
+  If distribution of object code is made by offering access to copy
+from a designated place, then offering equivalent access to copy the
+source code from the same place satisfies the requirement to
+distribute the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  5. A program that contains no derivative of any portion of the
+Library, but is designed to work with the Library by being compiled or
+linked with it, is called a "work that uses the Library".  Such a
+work, in isolation, is not a derivative work of the Library, and
+therefore falls outside the scope of this License.
+
+  However, linking a "work that uses the Library" with the Library
+creates an executable that is a derivative of the Library (because it
+contains portions of the Library), rather than a "work that uses the
+library".  The executable is therefore covered by this License.
+Section 6 states terms for distribution of such executables.
+
+  When a "work that uses the Library" uses material from a header file
+that is part of the Library, the object code for the work may be a
+derivative work of the Library even though the source code is not.
+Whether this is true is especially significant if the work can be
+linked without the Library, or if the work is itself a library.  The
+threshold for this to be true is not precisely defined by law.
+
+  If such an object file uses only numerical parameters, data
+structure layouts and accessors, and small macros and small inline
+functions (ten lines or less in length), then the use of the object
+file is unrestricted, regardless of whether it is legally a derivative
+work.  (Executables containing this object code plus portions of the
+Library will still fall under Section 6.)
+
+  Otherwise, if the work is a derivative of the Library, you may
+distribute the object code for the work under the terms of Section 6.
+Any executables containing that work also fall under Section 6,
+whether or not they are linked directly with the Library itself.
+
+  6. As an exception to the Sections above, you may also combine or
+link a "work that uses the Library" with the Library to produce a
+work containing portions of the Library, and distribute that work
+under terms of your choice, provided that the terms permit
+modification of the work for the customer's own use and reverse
+engineering for debugging such modifications.
+
+  You must give prominent notice with each copy of the work that the
+Library is used in it and that the Library and its use are covered by
+this License.  You must supply a copy of this License.  If the work
+during execution displays copyright notices, you must include the
+copyright notice for the Library among them, as well as a reference
+directing the user to the copy of this License.  Also, you must do one
+of these things:
+
+    a) Accompany the work with the complete corresponding
+    machine-readable source code for the Library including whatever
+    changes were used in the work (which must be distributed under
+    Sections 1 and 2 above); and, if the work is an executable linked
+    with the Library, with the complete machine-readable "work that
+    uses the Library", as object code and/or source code, so that the
+    user can modify the Library and then relink to produce a modified
+    executable containing the modified Library.  (It is understood
+    that the user who changes the contents of definitions files in the
+    Library will not necessarily be able to recompile the application
+    to use the modified definitions.)
+
+    b) Use a suitable shared library mechanism for linking with the
+    Library.  A suitable mechanism is one that (1) uses at run time a
+    copy of the library already present on the user's computer system,
+    rather than copying library functions into the executable, and (2)
+    will operate properly with a modified version of the library, if
+    the user installs one, as long as the modified version is
+    interface-compatible with the version that the work was made with.
+
+    c) Accompany the work with a written offer, valid for at
+    least three years, to give the same user the materials
+    specified in Subsection 6a, above, for a charge no more
+    than the cost of performing this distribution.
+
+    d) If distribution of the work is made by offering access to copy
+    from a designated place, offer equivalent access to copy the above
+    specified materials from the same place.
+
+    e) Verify that the user has already received a copy of these
+    materials or that you have already sent this user a copy.
+
+  For an executable, the required form of the "work that uses the
+Library" must include any data and utility programs needed for
+reproducing the executable from it.  However, as a special exception,
+the materials to be distributed need not include anything that is
+normally distributed (in either source or binary form) with the major
+components (compiler, kernel, and so on) of the operating system on
+which the executable runs, unless that component itself accompanies
+the executable.
+
+  It may happen that this requirement contradicts the license
+restrictions of other proprietary libraries that do not normally
+accompany the operating system.  Such a contradiction means you cannot
+use both them and the Library together in an executable that you
+distribute.
+
+  7. You may place library facilities that are a work based on the
+Library side-by-side in a single library together with other library
+facilities not covered by this License, and distribute such a combined
+library, provided that the separate distribution of the work based on
+the Library and of the other library facilities is otherwise
+permitted, and provided that you do these two things:
+
+    a) Accompany the combined library with a copy of the same work
+    based on the Library, uncombined with any other library
+    facilities.  This must be distributed under the terms of the
+    Sections above.
+
+    b) Give prominent notice with the combined library of the fact
+    that part of it is a work based on the Library, and explaining
+    where to find the accompanying uncombined form of the same work.
+
+  8. You may not copy, modify, sublicense, link with, or distribute
+the Library except as expressly provided under this License.  Any
+attempt otherwise to copy, modify, sublicense, link with, or
+distribute the Library is void, and will automatically terminate your
+rights under this License.  However, parties who have received copies,
+or rights, from you under this License will not have their licenses
+terminated so long as such parties remain in full compliance.
+
+  9. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Library or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Library (or any work based on the
+Library), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Library or works based on it.
+
+  10. Each time you redistribute the Library (or any work based on the
+Library), the recipient automatically receives a license from the
+original licensor to copy, distribute, link with or modify the Library
+subject to these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties with
+this License.
+
+  11. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Library at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Library by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Library.
+
+If any portion of this section is held invalid or unenforceable under any
+particular circumstance, the balance of the section is intended to apply,
+and the section as a whole is intended to apply in other circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  12. If the distribution and/or use of the Library is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Library under this License may add
+an explicit geographical distribution limitation excluding those countries,
+so that distribution is permitted only in or among countries not thus
+excluded.  In such case, this License incorporates the limitation as if
+written in the body of this License.
+
+  13. The Free Software Foundation may publish revised and/or new
+versions of the Lesser General Public License from time to time.
+Such new versions will be similar in spirit to the present version,
+but may differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Library
+specifies a version number of this License which applies to it and
+"any later version", you have the option of following the terms and
+conditions either of that version or of any later version published by
+the Free Software Foundation.  If the Library does not specify a
+license version number, you may choose any version ever published by
+the Free Software Foundation.
+
+  14. If you wish to incorporate parts of the Library into other free
+programs whose distribution conditions are incompatible with these,
+write to the author to ask for permission.  For software which is
+copyrighted by the Free Software Foundation, write to the Free
+Software Foundation; we sometimes make exceptions for this.  Our
+decision will be guided by the two goals of preserving the free status
+of all derivatives of our free software and of promoting the sharing
+and reuse of software generally.
+
+                            NO WARRANTY
+
+  15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
+WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
+EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
+OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
+KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
+LIBRARY IS WITH YOU.  SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
+THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
+WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
+AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
+FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
+CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
+LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
+RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
+FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
+SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGES.
+
+                     END OF TERMS AND CONDITIONS
+
+           How to Apply These Terms to Your New Libraries
+
+  If you develop a new library, and you want it to be of the greatest
+possible use to the public, we recommend making it free software that
+everyone can redistribute and change.  You can do so by permitting
+redistribution under these terms (or, alternatively, under the terms of the
+ordinary General Public License).
+
+  To apply these terms, attach the following notices to the library.  It is
+safest to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least the
+"copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the library's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This library is free software; you can redistribute it and/or
+    modify it under the terms of the GNU Lesser General Public
+    License as published by the Free Software Foundation; either
+    version 2.1 of the License, or (at your option) any later version.
+
+    This library is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+    Lesser General Public License for more details.
+
+    You should have received a copy of the GNU Lesser General Public
+    License along with this library; if not, write to the Free Software
+    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
+    USA
+
+Also add information on how to contact you by electronic and paper mail.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the library, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the
+  library `Frob' (a library for tweaking knobs) written by James Random
+  Hacker.
+
+  <signature of Ty Coon>, 1 April 1990
+  Ty Coon, President of Vice
+
+That's all there is to it!

From 6d3dedcceab6fd29b61a72f092ab457573d328ee Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Fri, 8 Sep 2023 16:15:37 -0400
Subject: [PATCH 468/471] Changed links Install.ps1

---
 Sysmon Install.ps1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Sysmon Install.ps1 b/Sysmon Install.ps1
index 48ae560a..fb3df6d2 100644
--- a/Sysmon Install.ps1	
+++ b/Sysmon Install.ps1	
@@ -3,8 +3,8 @@
 
 # Define Sysmon URLs
 $sysmonURL = "https://live.sysinternals.com/sysmon.exe"
-$sysmonConfigURL = "https://raw.githubusercontent.com/NerbalOne/sysmon-config/master/sysmonconfig-export.xml"
-$sysmonUpdateConfig = "https://raw.githubusercontent.com/NerbalOne/sysmon-config/master/SysmonUpdateConfig.ps1"
+$sysmonConfigURL = "https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml"
+$sysmonUpdateConfig = "https://raw.githubusercontent.com/ion-storm/sysmon-config/master/SysmonUpdateConfig.ps1"
 
 # Define Local Path for Sysmon File and Sysmon Config
 $sysmonPath = "C:\Programdata\Sysmon\sysmon.exe"

From c2220ef83343265fcc3a61f5ab9ef6dc62eaf8be Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Fri, 8 Sep 2023 16:16:04 -0400
Subject: [PATCH 469/471] Update SysmonUpdateConfig.ps1

---
 SysmonUpdateConfig.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SysmonUpdateConfig.ps1 b/SysmonUpdateConfig.ps1
index c01ae1e5..57bde492 100644
--- a/SysmonUpdateConfig.ps1
+++ b/SysmonUpdateConfig.ps1
@@ -6,7 +6,7 @@ $sysmonPath = "C:\ProgramData\Sysmon\sysmon.exe"
 $sysmonConfigPath = "C:\ProgramData\Sysmon\sysmonconfig-export.xml"
 
 # Define Sysmon Config URL
-$sysmonConfigURL = "https://raw.githubusercontent.com/NerbalOne/sysmon-config/master/sysmonconfig-export.xml"
+$sysmonConfigURL = "https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml"
 
 # Download the Latest Sysmon Config
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

From b87e261677ce3bd857346d2ec9ae1de6dfc6fcdb Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Fri, 8 Sep 2023 16:16:41 -0400
Subject: [PATCH 470/471] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index b0bab9fc..3e63f089 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # Sysmon ATT&CK Configuration #
 The file provided should function as a great starting point for system monitoring in a self-contained package. This configuration and results should give you a good idea of what's possible for Sysmon. Please beware that you may need to fine tune and add exclusions depending on your environment. High CPU usage may be seen if exclusions are not added and one or more rules are firing off multiple times every second. 
 
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**[sysmonconfig-export.xml](https://github.com/NerbalOne/sysmon-config/blob/master/sysmonconfig-export.xml)**
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**[sysmonconfig-export.xml](https://github.com/ion-storm/sysmon-config/blob/master/sysmonconfig-export.xml)**
 
 Pull requests and issue tickets are welcomed. Any new additions will be credited in-line or on Git. Tag your name with Author=YourName within the rulename field.
 

From a656aef0d882fbcb4ca928e657d261aa207caf49 Mon Sep 17 00:00:00 2001
From: NerbalOne <nerbalone@gmail.com>
Date: Mon, 11 Sep 2023 09:40:42 -0400
Subject: [PATCH 471/471] Updated rules and added exclusions.

---
 sysmonconfig-export.xml | 1032 +--------------------------------------
 1 file changed, 13 insertions(+), 1019 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index edfa00f1..35ce7b98 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -683,6 +683,8 @@
 				<CommandLine condition="contains any">..\;\..</CommandLine>
 				<ParentImage condition="excludes all">C:\Program Files;\Razer\Synapse3\Service\Razer Synapse Service.exe</ParentImage>
 				<Image condition="excludes all">C:\Program Files;\Razer\;\UserProcess\Razer Synapse Service Process.exe</Image>
+				<ParentImage condition="excludes all">C:\ProgramData\MspPlatform\N-central Agent\PME\PMESetup.exe;C:\Program Files (x86)\MspPlatform\PME\Installers\FileCacheServiceAgentSetup.exe;C:\Program Files (x86)\MspPlatform\PME\Installers\RequestHandlerAgentSetup.exe;C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</ParentImage> <!-- NCentral RMM Exclusions -->
+				<Image condition="excludes all">C:\ProgramData\MspPlatform\N-central Agent\PME\PMESetup.exe;C:\Program Files (x86)\MspPlatform\PME\Installers\FileCacheServiceAgentSetup.exe;C:\Program Files (x86)\MspPlatform\PME\Installers\RequestHandlerAgentSetup.exe;C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</Image> <!-- NCentral RMM Exclusions -->
 			</Rule>
 			<Rule name="Attack=T1027,Technique=Obfuscated Files or Information,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=Formbook detections" groupRelation="and">
 				<CommandLine condition="contains any">\cmd.exe /c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe /c del "C:\Users\*\Desktop\*.exe;\cmd.exe -c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe -c del "C:\Users\*\Desktop\*.exe</CommandLine>
@@ -923,6 +925,7 @@
 			<Rule name="Attack=T1562.001,Technique=Disabling Security Tools,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=Windows Defender tampering,Risk=50" groupRelation="and">
 				<Image condition="image">MpCmdRun.exe</Image>
 				<CommandLine condition="contains any">Add-MpPreference;RemoveDefinitions;DisableIOAVProtection</CommandLine>
+				<ParentImage condition="excludes">C:\Program Files (x86)\MspPlatform\RequestHandlerAgent\RequestHandlerAgent.exe</ParentImage> <!-- NCentral RMM Exclusions -->
 			</Rule>
 			<!--MITRE ATT&CK TECHNIQUE: Impair Defenses: Disable or Modify Tools:  Disable Windows Event Logging-->
 			<Rule name="Attack=T1562.002,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=SysmonEnte Detection,DS=Process: Process Creation,Level=4,Risk=100" groupRelation="and">
@@ -956,11 +959,13 @@
 				<CommandLine condition="contains">firewall delete</CommandLine>
 				<ParentCommandLine condition="excludes all">ROGLiveService;C:\Program Files\ASUS\ROG Live Service\ROGLiveService.exe</ParentCommandLine>
 				<ParentImage condition="excludes">C:\Program Files\ASUS\ROG Live Service\RLSInstallAction.exe</ParentImage>
+				<ParentImage condition="excludes">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe</ParentImage> <!-- NCentral RMM Exclusions -->
 			</Rule>
 			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=2,Alert=netsh Firewall Rule Creation,Risk=40" groupRelation="and">
 				<CommandLine condition="contains">firewall add</CommandLine>
 				<ParentCommandLine condition="excludes all">cmd.exe;ROGLiveService;C:\Program Files\ASUS\ROG Live Service\ROGLiveService.exe;enable=yes</ParentCommandLine>
 				<ParentImage condition="excludes">C:\Program Files\ASUS\ROG Live Service\RLSInstallAction.exe</ParentImage>
+				<ParentImage condition="excludes">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe</ParentImage> <!-- NCentral RMM Exclusions -->
 			</Rule>
 			<Rule name="Attack=T1562.004,Technique=Disable or Modify System Firewall,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=netsh firewall disablement,Risk=40" groupRelation="and">
 				<CommandLine condition="contains">firewall set opmode disable</CommandLine>
@@ -3952,7 +3957,7 @@
 		<ProcessTerminate onmatch="include">
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in Windows Directory" groupRelation="and">
 				<Image condition="begin with">C:\Windows\</Image>
-				<Image condition="excludes">\System32\;Syswow64;sysmon.exe;sysmon64.exe</Image>
+				<Image condition="excludes any">\System32\;Syswow64;sysmon.exe;sysmon64.exe</Image>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Termination,Level=0,Desc=Process Termination Events in System32" groupRelation="and">
 				<Image condition="begin with">C:\Windows\system32\</Image>
@@ -4601,6 +4606,7 @@
 				<ImageLoaded condition="contains any">ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll</ImageLoaded>
 				<Image condition="contains any">\wscript.exe;\cscript.exe;\powershell.exe;\powershell_ise.exe;\rundll32.exe;\msbuild.exe;\csc.exe</Image>
 				<FileVersion condition="excludes">6.3.9600.20566 (winblue_ltsb_escrow.220812-1741)</FileVersion>
+				<FileVersion condition="excludes">winblue</FileVersion>
 			</Rule>
 			<Rule name="Attack=None,Technique=None,Tactic=None,DS=Module: Module Load,Level=0,Desc=VBE6 Macro Image Loads with wshom,Risk=40" groupRelation="and">
 				<Image condition="contains any">WINWORD.exe;EXCEL.EXE</Image>
@@ -5134,6 +5140,7 @@
 				<GrantedAccess condition="contains any">0x1028;0x1fffff</GrantedAccess>
 				<SourceImage condition="excludes any">C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git;\Intel\Driver and Support Assistant\DSAService.exe;C:\Program Files (x86)\N-able Technologies\AutomationManagerAgent\;C:\Program Files (x86)\MspPlatform\RequestHandlerAgent\RequestHandlerAgent.exe;C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe;C:\ProgramData\Cavelo\jre\bin\java.exe;C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe;C:\Program Files\Cavelo\Cavelo Agent\parser.exe</SourceImage>
 				<SourceImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\NGenTask.exe</SourceImage>
+				<SourceImage condition="excludes">C:\Program Files (x86)\Duo Device Health\Duo Device Health.exe</SourceImage> <!-- DUO Exclusion -->
 				<TargetImage condition="excludes any">\Intel\Driver and Support Assistant\</TargetImage>
 				<TargetImage condition="excludes any">C:\Program Files\AMD\CNext\CNext\Radeonsoftware.exe;C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.UserSessionHelper.exe</TargetImage>
 				<TargetImage condition="excludes all">C:\Windows\Microsoft.NET\Framework\;\ngen.exe</TargetImage>
@@ -7167,6 +7174,8 @@
 				<Details condition="excludes all">C:\Program Files\Google\Drive File Stream;\GoogleDriveFS.exe;startup_mode</Details>
 				<Details condition="excludes all">C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;no-startup-window;win-session-start;prefetch</Details>
 				<Details condition="excludes all">\Application\chrome.exe;no-startup-window;win-session-start;prefetch</Details>
+				<Details condition="excludes">\SentinelUI.exe" /minimized</Details> <!-- SentinelOne Exclusion -->
+				<Details condition="excludes">C:\Program Files (x86)\Duo Device Health\Duo Device Health.exe</Details><!-- DUO Exclusion -->
 			</Rule>
 			<Rule name="Attack=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Logon Logoff Shutdown Scripts" groupRelation="and">
 				<TargetObject condition="contains">\Microsoft\System\Scripts</TargetObject>
@@ -7458,8 +7467,6 @@
 				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Performance Monitor\SD</TargetObject>
 				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\SnapshotCleanupTask\SD</TargetObject>
 				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office ClickToRun Service Monitor\SD</TargetObject>
-				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Automatic Updates 2.0\SD</TargetObject>
-
 				<TargetObject condition="is not">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Automatic Updates 2.0\SD</TargetObject>
 				<TargetObject condition="excludes any">Microsoft\Windows\UpdateOrchestrator;\AMDInstallLauncher\SD;\SD;ASUS Switch;\PowerToys\Autorun for </TargetObject>
 			</Rule>
@@ -7687,7 +7694,7 @@
 				<Details condition="contains">DWORD (0x00000000)</Details>
 				<Image condition="excludes">C:\Program Files (x86)\N-able Technologies\AutomationManagerAgent\AutomationManager.AgentService.exe</Image>
 			</Rule>
-			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Disabling of Powershell Event Logging,Risk=100" groupRelation="and">
+			<Rule name="Attack=T1070.001,Technique=Impair Defenses: Disable Windows Event Logging,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Desc=Disabling of Powershell Event Logging,Risk=100" groupRelation="and"> <!-- This is not an alert due to SIEM Auditing GPO causing this rule to fire whenever the GPO is applied/enforced.. -->
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging</TargetObject>
 				<TargetObject condition="end with">\EnableScriptBlockLogging</TargetObject>
 				<EventType condition="is any">DeleteKey;DeleteValue</EventType>
@@ -8688,6 +8695,7 @@
 			</Rule>
 			<Rule name="Attack=T1112,Technique=Modify Registry,Tactic=Defense Evasion,DS=Windows Registry: Windows Registry Key Modification,Level=4,Alert=Safeboot Service Added" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject>
+				<Image condition="excludes all">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe;C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe;C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupSrvc.exe</Image> <!-- NCentral RMM Exclusions -->
 			</Rule>
 			<Rule name="Attack=T1198,Technique=None,Tactic=None,DS=Windows Registry: Windows Registry Key Modification,Level=0,Desc=Crypto Trust Providers" groupRelation="and">
 				<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject>
@@ -9701,6 +9709,7 @@
 				<TargetFilename condition="not end with">.mui</TargetFilename>
 				<TargetFilename condition="not end with">.ime</TargetFilename>
 				<TargetFilename condition="not end with">.tsp</TargetFilename>
+				<TargetFilename condition="not end with">.tmp</TargetFilename>
 				<TargetFilename condition="not end with">.ico</TargetFilename> <!-- Seen used by Fortinet Forticlient -->
 				<Image condition="excludes">C:\Windows\system32\MpSigStub.exe</Image> <!-- 	Related to Microsoft Windows Defender Virus Definition Module -->
 			</Rule>
@@ -10717,1021 +10726,6 @@
                 <Hashes condition="contains">SHA256=bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df</Hashes>
                 <Hashes condition="contains">SHA256=42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25</Hashes>
                 <Hashes condition="contains">SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212</Hashes>
-                <Hashes condition="contains">SHA256=770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a</Hashes>
-			</Rule>
-			<Rule name="Attack=T1059.001,Technique=Command and Scripting Interpreter: PowerShell,Tactic=Execution,DS=File: File Creation,Level=0,Desc=,Risk=10,Alert=Powershell Creating Executables" groupRelation="and">
-				<Image condition="is any">powershell.exe;powershell_ise.exe;pwsh.exe;Sqlps.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1059.003,Technique=Command and Scripting Interpreter: Windows Command Shell,Tactic=Execution,DS=File: File Creation,Level=0,Alert=Command or consolehost Anomaly,Risk=10" groupRelation="and">
-				<Image condition="is any">cmd.exe;conhost.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1036,Technique=Masquerading,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Pe File Detected within Unusual Location,Risk=10,Author=Florian Roth" groupRelation="or">
-				<TargetFilename condition="begin with">C:\Users\Public\</TargetFilename> <!-- often used staging directories; could cause false positives --> 
-				<TargetFilename condition="begin with">C:\Perflogs\</TargetFilename> <!-- often used staging directories --> 
-				<TargetFilename condition="begin with">C:\Windows\Fonts\</TargetFilename> <!-- often used staging directories --> 
-				<TargetFilename condition="begin with">C:\Windows\debug\</TargetFilename> <!-- often used staging directories --> 
-				<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!-- often used staging directories --> 
-				<TargetFilename condition="begin with">C:\Windows\tracing\</TargetFilename> <!-- often used staging directories --> 
-				<TargetFilename condition="begin with">C:\Windows\Help\</TargetFilename> <!-- often used staging directories --> 
-				<TargetFilename condition="begin with">C:\Windows\Logs\</TargetFilename> <!-- often used staging directories --> 
-				<TargetFilename condition="begin with">C:\Windows\System32\spool\SERVERS\</TargetFilename> <!-- often used in exploits against print spooler --> 
-				<TargetFilename condition="begin with">C:\Windows\System32\spool\PRINTERS\</TargetFilename> <!-- often used in exploits against print spooler --> 
-				<TargetFilename condition="begin with">C:\Windows\Help\</TargetFilename> <!-- often used staging directories --> 
-				<TargetFilename condition="begin with">C:\Windows\SysWOW64\Tasks</TargetFilename>
-				<TargetFilename condition="begin with">C:\ProgramData\Intel</TargetFilename>
-				<TargetFilename condition="begin with">C:\ProgramData\Mozilla</TargetFilename>
-				<TargetFilename condition="begin with">C:\ProgramData\chocolatey\</TargetFilename>
-				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\DeviceSync</TargetFilename>
-				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\PlayReady</TargetFilename>
-				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\User Account Pictures</TargetFilename>
-				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\Office\Heartbeat</TargetFilename>
-				<TargetFilename condition="begin with">C:\ProgramData\Microsoft\Windows\WER</TargetFilename>
-				<TargetFilename condition="contains all">C:\Users\All Users\</TargetFilename> <!-- often used staging directories in User folders --> 
-				<TargetFilename condition="contains all">C:\Users\;\Music\</TargetFilename> <!-- often used staging directories in User folders --> 
-				<TargetFilename condition="contains all">C:\Users\;\Pictures\</TargetFilename> <!-- often used staging directories in User folders --> 
-				<TargetFilename condition="contains all">C:\Users\;\Videos\</TargetFilename> <!-- often used staging directories in User folders --> 
-				<TargetFilename condition="contains all">C:\Users\;\Contacts\</TargetFilename> <!-- often used staging directories in User folders -->
-			</Rule>
-			<Rule name="Attack=T1036.007,Technique=Masquerading: Double File Extension,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Double File Extension Detected,Risk=10,Author=Florian Roth" groupRelation="or">
-				<TargetFilename condition="end with">.7z.exe</TargetFilename>
-				<TargetFilename condition="end with">.doc.exe</TargetFilename>
-				<TargetFilename condition="end with">.docm.exe</TargetFilename>
-				<TargetFilename condition="end with">.docx.exe</TargetFilename>
-				<TargetFilename condition="end with">.htm.exe</TargetFilename>
-				<TargetFilename condition="end with">.html.exe</TargetFilename>
-				<TargetFilename condition="end with">.iso.exe</TargetFilename>
-				<TargetFilename condition="end with">.lnk.exe</TargetFilename>				
-				<TargetFilename condition="end with">.pdf.exe</TargetFilename>
-				<TargetFilename condition="end with">.ppt.exe</TargetFilename>
-				<TargetFilename condition="end with">.pptx.exe</TargetFilename>
-				<TargetFilename condition="end with">.rar.exe</TargetFilename>
-				<TargetFilename condition="end with">.rtf.exe</TargetFilename>
-				<TargetFilename condition="end with">.txt.exe</TargetFilename>
-				<TargetFilename condition="end with">.xls.exe</TargetFilename>
-				<TargetFilename condition="end with">.xlsm.exe</TargetFilename>
-				<TargetFilename condition="end with">.xlsx.exe</TargetFilename>
-				<TargetFilename condition="end with">.zip.exe</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1562.001,Technique=Impair Defenses: Disable or Modify Tools,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Sysmon Tampering Tools Detected,Risk=10,Author=Florian Roth" groupRelation="or">
-				<TargetFilename condition="end with">\EntenLoader.exe</TargetFilename>
-				<TargetFilename condition="end with">\SysmonQuiet.exe</TargetFilename>
-				<TargetFilename condition="end with">\SharpEvtMute.exe</TargetFilename>
-				<TargetFilename condition="end with">\EvtMuteHook.dll</TargetFilename>
-				<TargetFilename condition="end with">\SysmonEOP.exe</TargetFilename>
-			</Rule>
-			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Sysmon Tampering Tools Detected,Risk=10,Author=Florian Roth" groupRelation="or">
-				<Hashes condition="contains">IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932</Hashes> <!-- PetitPotam -->
-				<Hashes condition="contains">IMPHASH=3A19059BD7688CB88E70005F18EFC439</Hashes> <!-- PetitPotam -->
-				<Hashes condition="contains">IMPHASH=bf6223a49e45d99094406777eb6004ba</Hashes> <!-- PetitPotam -->
-				<Hashes condition="contains">IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=4C1B52A19748428E51B14C278D0F58E3</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=672B13F4A0B6F27D29065123FE882DFC</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=9528A0E91E28FBB88AD433FEABCA2456</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=D21BBC50DCC169D7B4D0F01962793154</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6</Hashes> <!-- Mimikatz -->
-				<Hashes condition="contains">IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1</Hashes> <!-- JuicyPotato  -->
-				<Hashes condition="contains">IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC</Hashes> <!-- JuicyPotato  -->
-				<Hashes condition="contains">IMPHASH=F9A28C458284584A93B14216308D31BD</Hashes> <!-- JuicyPotatoNG -->
-				<Hashes condition="contains">IMPHASH=6118619783FC175BC7EBECFF0769B46E</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=563233BFA169ACC7892451F71AD5850A</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=87575CB7A0E0700EB37F2E3668671A08</Hashes> <!-- RoguePotato -->
-				<Hashes condition="contains">IMPHASH=13F08707F759AF6003837A150A371BA1</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=1781F06048A7E58B323F0B9259BE798B</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=713C29B396B907ED71A72482759ED757</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=8B114550386E31895DFAB371E741123D</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793</Hashes> <!-- PwDumpX -->
-				<Hashes condition="contains">IMPHASH=9D68781980370E00E0BD939EE5E6C141</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=B18A1401FF8F444056D29450FBC0A6CE</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=CB567F9498452721D77A451374955F5F</Hashes> <!-- Pwdump -->
-				<Hashes condition="contains">IMPHASH=730073214094CD328547BF1F72289752</Hashes> <!-- Htran -->
-				<Hashes condition="contains">IMPHASH=17B461A082950FC6332228572138B80C</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=819B19D53CA6736448F9325A85736792</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E</Hashes> <!-- Cobalt Strike beacons -->
-				<Hashes condition="contains">IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74</Hashes> <!-- PPLDump -->
-				<Hashes condition="contains">IMPHASH=0588081AB0E63BA785938467E1B10CCA</Hashes> <!-- PPLDump -->
-				<Hashes condition="contains">IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=4DA924CF622D039D58BCE71CDF05D242</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=E7A3A5C377E2D29324093377D7DB1C66</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=E6F9D5152DA699934B30DAAB206471F6</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=3AD59991CCF1D67339B319B15A41B35D</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=FFDD59E0318B85A3E480874D9796D872</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=0CF479628D7CC1EA25EC7998A92F5051</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=D6D0F80386E1380D05CB78E871BC72B1</Hashes> <!-- NanoDump -->
-				<Hashes condition="contains">IMPHASH=38D9E015591BBFD4929E0D0F47FA0055</Hashes> <!-- HandleKatz -->
-				<Hashes condition="contains">IMPHASH=0E2216679CA6E1094D63322E3412D650</Hashes> <!-- HandleKatz -->
-				<Hashes condition="contains">IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=11083E75553BAAE21DC89CE8F9A195E4</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80</Hashes> <!-- DripLoader -->
-				<Hashes condition="contains">IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F</Hashes> <!-- CreateMiniDump -->
-				<Hashes condition="contains">IMPHASH=767637C23BB42CD5D7397CF58B0BE688</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=14C4E4C72BA075E9069EE67F39188AD8</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=7D010C6BB6A3726F327F7E239166D127</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=89159BA4DD04E4CE5559F132A9964EB3</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=5834ED4291BDEB928270428EBBAF7604</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=3DE09703C8E79ED2CA3F01074719906B</Hashes> <!-- UACMe Akagi -->
-				<Hashes condition="contains">IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F</Hashes> <!-- WCE -->
-				<Hashes condition="contains">IMPHASH=E96A73C7BF33A464C510EDE582318BF2</Hashes> <!-- WCE -->
-				<Hashes condition="contains">IMPHASH=32089B8851BBF8BC2D014E9F37288C83</Hashes> <!-- Sliver Stagers -->
-				<Hashes condition="contains">IMPHASH=09D278F9DE118EF09163C6140255C690</Hashes> <!-- Dumpert -->
-				<Hashes condition="contains">IMPHASH=03866661686829d806989e2fc5a72606</Hashes> <!-- Dumpert -->
-				<Hashes condition="contains">IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d</Hashes> <!-- Dumpert -->
-				<Hashes condition="contains">IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE</Hashes> <!-- SysmonEnte -->
-				<Hashes condition="contains">IMPHASH=19584675D94829987952432E018D5056</Hashes> <!-- SysmonQuiet -->
-				<Hashes condition="contains">IMPHASH=330768A4F172E10ACB6287B87289D83B</Hashes> <!-- ShaprEvtMute Hook -->
-				<Hashes condition="contains">IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313</Hashes> <!-- Forkatz -->
-				<Hashes condition="contains">IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC</Hashes> <!-- PPLKiller -->
-				<Hashes condition="contains">IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28</Hashes> <!-- PPLKiller -->
-				<Hashes condition="contains">IMPHASH=96DF3A3731912449521F6F8D183279B1</Hashes> <!-- Backstab -->
-				<Hashes condition="contains">IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46</Hashes> <!-- Backstab -->
-				<Hashes condition="contains">IMPHASH=51791678F351C03A0EB4E2A7B05C6E17</Hashes> <!-- Backstab -->
-				<Hashes condition="contains">IMPHASH=25CE42B079282632708FC846129E98A5</Hashes> <!-- Forensia -->
-				<Hashes condition="contains">MD5=7B17F15713FCF13C764535AA2BDF52AA</Hashes>													<!-- ShaprEvtMute -->
-				<Hashes condition="contains">SHA1=4E18320493042BCD7D21B53E258974BC460ACC78</Hashes>										<!-- ShaprEvtMute -->
-				<Hashes condition="contains">SHA256=477DFE485F5BD9540CC83E88FC04AAFB6DE49CF1ADC6BD857D5D6F4C1730A6D1</Hashes>	<!-- ShaprEvtMute -->
-			</Rule>
-			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Microsoft Office Dropping Executables,Risk=10,Author=Florian Roth" groupRelation="or">
-				<Image condition="image">winword.exe</Image>
-				<Image condition="image">excel.exe</Image>
-				<Image condition="image">powerpnt.exe</Image>
-				<Image condition="image">msaccess.exe</Image>
-				<Image condition="image">mspub.exe</Image>
-				<Image condition="image">eqnedt32.exe</Image>
-				<Image condition="image">visio.exe</Image>
-				<Image condition="image">wordpad.exe</Image>
-				<Image condition="image">wordview.exe</Image>
-				<Image condition="image">msohtmed.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=OneNote Dropping Executables,Risk=10,Author=Florian Roth" groupRelation="or">
-				<Image condition="image">onenote.exe</Image>
-				<Image condition="image">onenotem.exe</Image>
-				<Image condition="image">onenoteim.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=LOLBin Dropping Executables,Risk=10,Author=Florian Roth" groupRelation="or">
-				<!-- LOLBINs that can be used to download executables -->
-				<Image condition="image">certutil.exe</Image>
-				<Image condition="image">certoc.exe</Image>
-				<Image condition="image">CertReq.exe</Image>
-				<!-- <Image condition="image">bitsadmin.exe</Image> (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env) -->
-				<Image condition="image">Desktopimgdownldr.exe</Image>
-				<Image condition="image">esentutl.exe</Image>
-				<!-- <Image condition="image">expand.exe</Image> (depends on the environment; comment in if you're sure that expand doesn't do that in your env) -->
-				<Image condition="image">finger.exe</Image>
-				<!-- Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)-->
-				<Image condition="image">notepad.exe</Image>
-				<Image condition="image">AcroRd32.exe</Image>
-				<Image condition="image">RdrCEF.exe</Image> <!-- RdrCEF was seen dropping a DLL in temp (Example: \AppData\Local\Temp\acrocef_low\4616_1623006624_platform_specific\win_x86\widevinecdm.dll). Comment out this entry if you experience issues (https://github.com/Neo23x0/sysmon-config/issues/43) -->
-				<Image condition="image">calc.exe</Image>
-				<Image condition="image">mspaint.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.01,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Compiled HTML File Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">hh.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.002,Technique=System Binary Proxy Execution: Control Panel,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Control Panel Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">control.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.003,Technique=System Binary Proxy Execution: CMSTP,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=CMSTP Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">CMSTP.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.004,Technique=System Binary Proxy Execution: InstallUtil,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=InstallUtil Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">installutil.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.005,Technique=System Binary Proxy Execution: Mshta,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=MSHTA Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">mshta.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.007,Technique=System Binary Proxy Execution: MSIExec,Tactic=Defense Evasion,DS=File: File Creation,Level=0,Desc=MSIExec Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">msiexec.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.008,Technique=System Binary Proxy Execution: Odbcconf,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Odbcconf Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">Odbcconf.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.009,Technique=System Binary Proxy Execution: Regsvcs/Regasm,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Regsvcs/Regasm Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="contains any">Regsvcs.exe;Regasm.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.010,Technique=System Binary Proxy Execution: Regsvr32,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Regsvr32 Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">regsvr32.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.011,Technique=System Binary Proxy Execution: Rundll32,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Rundll32 Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">Rundll32.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.012,Technique=System Binary Proxy Execution: Verclsid,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Verclsid Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">Verclsid.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.013,Technique=System Binary Proxy Execution: mavinject,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Mavinject Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="contains any">mavinject.exe;mavinject64.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218.014,Technique=System Binary Proxy Execution: MMC,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=MMC Dropping Executables,Risk=10" groupRelation="and">
-				<Image condition="image">mmc.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1218,Technique=System Binary Proxy Execution,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Other LOLBins Dropping Executables,Risk=10" groupRelation="or">
-				<Image condition="contains any">Appvlp.exe;InfDefaultInstall.EXE;PresentationHost.exe;Register-cimprovider.exe;RegisterCimProvider2.exe;RegisterCimProvider.exe;ScriptRunner.exe;appcmd.exe;csi.exe;devtoolslauncher.exe;diskshadow.exe;extexport.exe;jjs.exe;msconfig.EXE;msdt.exe;rasautou.exe;rasdlui.exe;replace.exe;tttracer.exe;wab.exe;wsreset.exe</Image>
-			</Rule>
-			<Rule name="Attack=T1068,Technique=Exploitation for Privilege Escalation,Tactic=Privilege Escalation,DS=File: File Creation,Level=4,Alert=Vulnerable Driver Detected,Risk=10,Author=Florian Roth" groupRelation="or">
-			    <Hashes condition="contains">SHA256=7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed</Hashes>
-                <Hashes condition="contains">SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb</Hashes>
-                <Hashes condition="contains">SHA256=0ae8d1dd56a8a000ced74a627052933d2e9bff31d251de185b3c0c5fc94a44db</Hashes>
-                <Hashes condition="contains">SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05</Hashes>
-                <Hashes condition="contains">SHA256=0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d</Hashes>
-                <Hashes condition="contains">SHA256=0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917</Hashes>
-                <Hashes condition="contains">SHA256=0bc3685b0b8adc97931b5d31348da235cd7581a67edf6d79913e6a5709866135</Hashes>
-                <Hashes condition="contains">SHA256=0be4912bfd7a79f6ebfa1c06a59f0fb402bd4fe0158265780509edd0e562eac1</Hashes>
-                <Hashes condition="contains">SHA256=0c512b615eac374d4d494e3c36838d8e788b3dc2691bf27916f7f42694b14467</Hashes>
-                <Hashes condition="contains">SHA256=0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c</Hashes>
-                <Hashes condition="contains">SHA256=0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c</Hashes>
-                <Hashes condition="contains">SHA256=0cf6c6c2d231eaf67dfc87561cc9a56ecef89ab50baafee5a67962748d51faf3</Hashes>
-                <Hashes condition="contains">SHA256=0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f</Hashes>
-                <Hashes condition="contains">SHA256=0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c</Hashes>
-                <Hashes condition="contains">SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8</Hashes>
-                <Hashes condition="contains">SHA256=0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b</Hashes>
-                <Hashes condition="contains">SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff</Hashes>
-                <Hashes condition="contains">SHA256=0ee5067ce48883701824c5b1ad91695998916a3702cf8086962fbe58af74b2d6</Hashes>
-                <Hashes condition="contains">SHA256=0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8</Hashes>
-                <Hashes condition="contains">SHA256=0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf</Hashes>
-                <Hashes condition="contains">SHA256=0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff</Hashes>
-                <Hashes condition="contains">SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670</Hashes>
-                <Hashes condition="contains">SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd</Hashes>
-                <Hashes condition="contains">SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece</Hashes>
-                <Hashes condition="contains">SHA256=1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5</Hashes>
-                <Hashes condition="contains">SHA256=1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0</Hashes>
-                <Hashes condition="contains">SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c</Hashes>
-                <Hashes condition="contains">SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b</Hashes>
-                <Hashes condition="contains">SHA256=1afa03118f87b62c59a97617e595ebb26dde8dbdd16ee47ef3ddd1097c30ef6a</Hashes>
-                <Hashes condition="contains">SHA256=1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e</Hashes>
-                <Hashes condition="contains">SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa</Hashes>
-                <Hashes condition="contains">SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a</Hashes>
-                <Hashes condition="contains">SHA256=1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687</Hashes>
-                <Hashes condition="contains">SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8</Hashes>
-                <Hashes condition="contains">SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219</Hashes>
-                <Hashes condition="contains">SHA256=1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe</Hashes>
-                <Hashes condition="contains">SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee</Hashes>
-                <Hashes condition="contains">SHA256=1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961</Hashes>
-                <Hashes condition="contains">SHA256=1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512</Hashes>
-                <Hashes condition="contains">SHA256=1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c</Hashes>
-                <Hashes condition="contains">SHA256=1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501</Hashes>
-                <Hashes condition="contains">SHA256=2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486</Hashes>
-                <Hashes condition="contains">SHA256=2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e</Hashes>
-                <Hashes condition="contains">SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a</Hashes>
-                <Hashes condition="contains">SHA256=2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8</Hashes>
-                <Hashes condition="contains">SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4</Hashes>
-                <Hashes condition="contains">SHA256=2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30</Hashes>
-                <Hashes condition="contains">SHA256=2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a</Hashes>
-                <Hashes condition="contains">SHA256=2b120de80a5462f8395cfb7153c86dfd44f29f0776ea156ec4a34fa64e5c4797</Hashes>
-                <Hashes condition="contains">SHA256=2b186926ed815d87eaf72759a69095a11274f5d13c33b8cc2b8700a1f020be1d</Hashes>
-                <Hashes condition="contains">SHA256=2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1</Hashes>
-                <Hashes condition="contains">SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250</Hashes>
-                <Hashes condition="contains">SHA256=2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14</Hashes>
-                <Hashes condition="contains">SHA256=2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1</Hashes>
-                <Hashes condition="contains">SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b</Hashes>
-                <Hashes condition="contains">SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d</Hashes>
-                <Hashes condition="contains">SHA256=2d195cd4400754cc6f6c3f8ab1fe31627932c3c1bf8d5d0507c292232d1a2396</Hashes>
-                <Hashes condition="contains">SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e</Hashes>
-                <Hashes condition="contains">SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8</Hashes>
-                <Hashes condition="contains">SHA256=2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0</Hashes>
-                <Hashes condition="contains">SHA256=2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e</Hashes>
-                <Hashes condition="contains">SHA256=2f60536b25ba8c9014e4a57d7a9a681bd3189fa414eea88c256d029750e15cae</Hashes>
-                <Hashes condition="contains">SHA256=2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445</Hashes>
-                <Hashes condition="contains">SHA256=03e0581432f5c8cc727a8aa387f5b69ff84d38d0df6f1226c19c6e960a81e1e9</Hashes>
-                <Hashes condition="contains">SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25</Hashes>
-                <Hashes condition="contains">SHA256=3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0</Hashes>
-                <Hashes condition="contains">SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e</Hashes>
-                <Hashes condition="contains">SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46</Hashes>
-                <Hashes condition="contains">SHA256=3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b</Hashes>
-                <Hashes condition="contains">SHA256=3c5d7069f85ec1d6f58147431f88c4d7c48df73baf94ffdefd664f2606baf09c</Hashes>
-                <Hashes condition="contains">SHA256=3c6f9917418e991ed41540d8d882c8ca51d582a82fd01bff6cdf26591454faf5</Hashes>
-                <Hashes condition="contains">SHA256=3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc</Hashes>
-                <Hashes condition="contains">SHA256=3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b</Hashes>
-                <Hashes condition="contains">SHA256=3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f</Hashes>
-                <Hashes condition="contains">SHA256=3cb75429944e60f6c820c7638adbf688883ad44951bca3f8912428afe72bc134</Hashes>
-                <Hashes condition="contains">SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3</Hashes>
-                <Hashes condition="contains">SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4</Hashes>
-                <Hashes condition="contains">SHA256=3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272</Hashes>
-                <Hashes condition="contains">SHA256=3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf</Hashes>
-                <Hashes condition="contains">SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c</Hashes>
-                <Hashes condition="contains">SHA256=3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75</Hashes>
-                <Hashes condition="contains">SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8</Hashes>
-                <Hashes condition="contains">SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5</Hashes>
-                <Hashes condition="contains">SHA256=3f9530c94b689f39cc83377d76979d443275012e022782a600dcb5cad4cca6aa</Hashes>
-                <Hashes condition="contains">SHA256=3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e</Hashes>
-                <Hashes condition="contains">SHA256=3ff50c67d51553c08dcb7c98342f68a0f54ad6658c5346c428bdcd1f185569f6</Hashes>
-                <Hashes condition="contains">SHA256=3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa</Hashes>
-                <Hashes condition="contains">SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162</Hashes>
-                <Hashes condition="contains">SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2</Hashes>
-                <Hashes condition="contains">SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe</Hashes>
-                <Hashes condition="contains">SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7</Hashes>
-                <Hashes condition="contains">SHA256=4b4c925c3b8285aeeab9b954e8b2a0773b4d2d0e18d07d4a9d268f4be90f6cae</Hashes>
-                <Hashes condition="contains">SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1</Hashes>
-                <Hashes condition="contains">SHA256=4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4</Hashes>
-                <Hashes condition="contains">SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e</Hashes>
-                <Hashes condition="contains">SHA256=4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036</Hashes>
-                <Hashes condition="contains">SHA256=4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee</Hashes>
-                <Hashes condition="contains">SHA256=4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba</Hashes>
-                <Hashes condition="contains">SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80</Hashes>
-                <Hashes condition="contains">SHA256=4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69</Hashes>
-                <Hashes condition="contains">SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748</Hashes>
-                <Hashes condition="contains">SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a</Hashes>
-                <Hashes condition="contains">SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a</Hashes>
-                <Hashes condition="contains">SHA256=5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe</Hashes>
-                <Hashes condition="contains">SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a</Hashes>
-                <Hashes condition="contains">SHA256=5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c</Hashes>
-                <Hashes condition="contains">SHA256=5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921</Hashes>
-                <Hashes condition="contains">SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a</Hashes>
-                <Hashes condition="contains">SHA256=5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185</Hashes>
-                <Hashes condition="contains">SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3</Hashes>
-                <Hashes condition="contains">SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92</Hashes>
-                <Hashes condition="contains">SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be</Hashes>
-                <Hashes condition="contains">SHA256=5f7e47d728ac3301eb47b409801a0f4726a435f78f1ed02c30d2a926259c71f3</Hashes>
-                <Hashes condition="contains">SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683</Hashes>
-                <Hashes condition="contains">SHA256=5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0</Hashes>
-                <Hashes condition="contains">SHA256=5f20541f859f21b3106e12d37182b1ea39bb75ffcfcddb2ece4f6edd42c0bab2</Hashes>
-                <Hashes condition="contains">SHA256=5f487829527802983d5c120e3b99f3cf89333ca14f5e49ac32df0798cfb1f7aa</Hashes>
-                <Hashes condition="contains">SHA256=5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36</Hashes>
-                <Hashes condition="contains">SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50</Hashes>
-                <Hashes condition="contains">SHA256=6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5</Hashes>
-                <Hashes condition="contains">SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74</Hashes>
-                <Hashes condition="contains">SHA256=6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63</Hashes>
-                <Hashes condition="contains">SHA256=6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e</Hashes>
-                <Hashes condition="contains">SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44</Hashes>
-                <Hashes condition="contains">SHA256=6c64688444d3e004da77dcfb769d064bb38afceeef7ff915dfc71e60e19ff18a</Hashes>
-                <Hashes condition="contains">SHA256=6cb6e23ba516570bbd158c32f7c7c99f19b24ca4437340ecb39253662afe4293</Hashes>
-                <Hashes condition="contains">SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc</Hashes>
-                <Hashes condition="contains">SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492</Hashes>
-                <Hashes condition="contains">SHA256=6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf</Hashes>
-                <Hashes condition="contains">SHA256=6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7</Hashes>
-                <Hashes condition="contains">SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7</Hashes>
-                <Hashes condition="contains">SHA256=6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38</Hashes>
-                <Hashes condition="contains">SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4</Hashes>
-                <Hashes condition="contains">SHA256=6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c</Hashes>
-                <Hashes condition="contains">SHA256=6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d</Hashes>
-                <Hashes condition="contains">SHA256=6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc</Hashes>
-                <Hashes condition="contains">SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357</Hashes>
-                <Hashes condition="contains">SHA256=7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf</Hashes>
-                <Hashes condition="contains">SHA256=7aaf2aa194b936e48bc90f01ee854768c8383c0be50cfb41b346666aec0cf853</Hashes>
-                <Hashes condition="contains">SHA256=7b0f442ac0bb183906700097d65aed0b4b9d8678f9a01aca864854189fe368e7</Hashes>
-                <Hashes condition="contains">SHA256=7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b</Hashes>
-                <Hashes condition="contains">SHA256=7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7</Hashes>
-                <Hashes condition="contains">SHA256=7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21</Hashes>
-                <Hashes condition="contains">SHA256=7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4</Hashes>
-                <Hashes condition="contains">SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c</Hashes>
-                <Hashes condition="contains">SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f</Hashes>
-                <Hashes condition="contains">SHA256=7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea</Hashes>
-                <Hashes condition="contains">SHA256=7da6113183328d4fddf6937c0c85ef65ba69bfe133b1146193a25bcf6ae1f9dd</Hashes>
-                <Hashes condition="contains">SHA256=7dfc2eb033d2e090540860b8853036f40736d02bd22099ff6cf665a90be659cd</Hashes>
-                <Hashes condition="contains">SHA256=7e3b0b8d3e430074109d85729201d7c34bc5b918c0bcb9f64ce88c5e37e1a456</Hashes>
-                <Hashes condition="contains">SHA256=7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d</Hashes>
-                <Hashes condition="contains">SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7</Hashes>
-                <Hashes condition="contains">SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d</Hashes>
-                <Hashes condition="contains">SHA256=7f5dc63e5742096e4accaca39ae77a2a2142b438c10f97860dee4054b51d3b35</Hashes>
-                <Hashes condition="contains">SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457</Hashes>
-                <Hashes condition="contains">SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa</Hashes>
-                <Hashes condition="contains">SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6</Hashes>
-                <Hashes condition="contains">SHA256=8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2</Hashes>
-                <Hashes condition="contains">SHA256=8bda0108de82ebeae82f43108046c5feb6f042e312fa0115475a9e32274fae59</Hashes>
-                <Hashes condition="contains">SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6</Hashes>
-                <Hashes condition="contains">SHA256=8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9</Hashes>
-                <Hashes condition="contains">SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f</Hashes>
-                <Hashes condition="contains">SHA256=8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775</Hashes>
-                <Hashes condition="contains">SHA256=8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9</Hashes>
-                <Hashes condition="contains">SHA256=8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2</Hashes>
-                <Hashes condition="contains">SHA256=8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126</Hashes>
-                <Hashes condition="contains">SHA256=8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c</Hashes>
-                <Hashes condition="contains">SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f</Hashes>
-                <Hashes condition="contains">SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f</Hashes>
-                <Hashes condition="contains">SHA256=8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00</Hashes>
-                <Hashes condition="contains">SHA256=8f23313adb35782adb0ba97fefbfbb8bbc5fc40ae272e07f6d4629a5305a3fa2</Hashes>
-                <Hashes condition="contains">SHA256=8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a</Hashes>
-                <Hashes condition="contains">SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184</Hashes>
-                <Hashes condition="contains">SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1</Hashes>
-                <Hashes condition="contains">SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e</Hashes>
-                <Hashes condition="contains">SHA256=9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7</Hashes>
-                <Hashes condition="contains">SHA256=9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba</Hashes>
-                <Hashes condition="contains">SHA256=9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c</Hashes>
-                <Hashes condition="contains">SHA256=9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c</Hashes>
-                <Hashes condition="contains">SHA256=9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194</Hashes>
-                <Hashes condition="contains">SHA256=9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285</Hashes>
-                <Hashes condition="contains">SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4</Hashes>
-                <Hashes condition="contains">SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449</Hashes>
-                <Hashes condition="contains">SHA256=9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2</Hashes>
-                <Hashes condition="contains">SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395</Hashes>
-                <Hashes condition="contains">SHA256=9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4</Hashes>
-                <Hashes condition="contains">SHA256=9ee33ffd80611a13779df6286c1e04d3c151f1e2f65e3d664a08997fcd098ef3</Hashes>
-                <Hashes condition="contains">SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5</Hashes>
-                <Hashes condition="contains">SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33</Hashes>
-                <Hashes condition="contains">SHA256=9f1025601d17945c3a47026814bdec353ee363966e62dba7fe2673da5ce50def</Hashes>
-                <Hashes condition="contains">SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374</Hashes>
-                <Hashes condition="contains">SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5</Hashes>
-                <Hashes condition="contains">SHA256=11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b</Hashes>
-                <Hashes condition="contains">SHA256=12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56</Hashes>
-                <Hashes condition="contains">SHA256=14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8</Hashes>
-                <Hashes condition="contains">SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229</Hashes>
-                <Hashes condition="contains">SHA256=15fb486b6b8c2a2f1b067f48fba10c2f164638fe5e6cee618fb84463578ecac9</Hashes>
-                <Hashes condition="contains">SHA256=16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1</Hashes>
-                <Hashes condition="contains">SHA256=18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506</Hashes>
-                <Hashes condition="contains">SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6</Hashes>
-                <Hashes condition="contains">SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0</Hashes>
-                <Hashes condition="contains">SHA256=19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775</Hashes>
-                <Hashes condition="contains">SHA256=19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0</Hashes>
-                <Hashes condition="contains">SHA256=20f11a64bc4548f4edb47e3d3418da0f6d54a83158224b71662a6292bf45b5fb</Hashes>
-                <Hashes condition="contains">SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21</Hashes>
-                <Hashes condition="contains">SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c</Hashes>
-                <Hashes condition="contains">SHA256=23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade</Hashes>
-                <Hashes condition="contains">SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4</Hashes>
-                <Hashes condition="contains">SHA256=26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097</Hashes>
-                <Hashes condition="contains">SHA256=26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43</Hashes>
-                <Hashes condition="contains">SHA256=26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712</Hashes>
-                <Hashes condition="contains">SHA256=27cd05527feb020084a4a76579c125458571da8843cdfc3733211760a11da970</Hashes>
-                <Hashes condition="contains">SHA256=29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6</Hashes>
-                <Hashes condition="contains">SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94</Hashes>
-                <Hashes condition="contains">SHA256=30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb</Hashes>
-                <Hashes condition="contains">SHA256=31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a</Hashes>
-                <Hashes condition="contains">SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427</Hashes>
-                <Hashes condition="contains">SHA256=31f4140c12ac31f5729a8de4dc051d3acd07783564604df831a2a6722c979192</Hashes>
-                <Hashes condition="contains">SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351</Hashes>
-                <Hashes condition="contains">SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993</Hashes>
-                <Hashes condition="contains">SHA256=34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3</Hashes>
-                <Hashes condition="contains">SHA256=34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf</Hashes>
-                <Hashes condition="contains">SHA256=36aafa127736c7226c50061ea065f71e14f64ec60321f705bc52686d24117e0d</Hashes>
-                <Hashes condition="contains">SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb</Hashes>
-                <Hashes condition="contains">SHA256=36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289</Hashes>
-                <Hashes condition="contains">SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9</Hashes>
-                <Hashes condition="contains">SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e</Hashes>
-                <Hashes condition="contains">SHA256=38b3eb8c86201d26353aab625cea672e60c2f66ce6f5e5eda673e8c3478bf305</Hashes>
-                <Hashes condition="contains">SHA256=38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7</Hashes>
-                <Hashes condition="contains">SHA256=38c18db050b0b2b07f657c03db1c9595febae0319c746c3eede677e21cd238b0</Hashes>
-                <Hashes condition="contains">SHA256=38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20</Hashes>
-                <Hashes condition="contains">SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a</Hashes>
-                <Hashes condition="contains">SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e</Hashes>
-                <Hashes condition="contains">SHA256=42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb</Hashes>
-                <Hashes condition="contains">SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f</Hashes>
-                <Hashes condition="contains">SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89</Hashes>
-                <Hashes condition="contains">SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0</Hashes>
-                <Hashes condition="contains">SHA256=45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a</Hashes>
-                <Hashes condition="contains">SHA256=45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26</Hashes>
-                <Hashes condition="contains">SHA256=45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef</Hashes>
-                <Hashes condition="contains">SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84</Hashes>
-                <Hashes condition="contains">SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005</Hashes>
-                <Hashes condition="contains">SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc</Hashes>
-                <Hashes condition="contains">SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810</Hashes>
-                <Hashes condition="contains">SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba</Hashes>
-                <Hashes condition="contains">SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793</Hashes>
-                <Hashes condition="contains">SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f</Hashes>
-                <Hashes condition="contains">SHA256=51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5</Hashes>
-                <Hashes condition="contains">SHA256=53eaefba7e7dca9ab74e385abf18762f9f1aa51594e7f7db5ba612d6c787dd7e</Hashes>
-                <Hashes condition="contains">SHA256=55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9</Hashes>
-                <Hashes condition="contains">SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a</Hashes>
-                <Hashes condition="contains">SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7</Hashes>
-                <Hashes condition="contains">SHA256=57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572</Hashes>
-                <Hashes condition="contains">SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495</Hashes>
-                <Hashes condition="contains">SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59</Hashes>
-                <Hashes condition="contains">SHA256=59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879</Hashes>
-                <Hashes condition="contains">SHA256=60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289</Hashes>
-                <Hashes condition="contains">SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813</Hashes>
-                <Hashes condition="contains">SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0</Hashes>
-                <Hashes condition="contains">SHA256=61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf</Hashes>
-                <Hashes condition="contains">SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8</Hashes>
-                <Hashes condition="contains">SHA256=62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0</Hashes>
-                <Hashes condition="contains">SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57</Hashes>
-                <Hashes condition="contains">SHA256=65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9</Hashes>
-                <Hashes condition="contains">SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890</Hashes>
-                <Hashes condition="contains">SHA256=69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2</Hashes>
-                <Hashes condition="contains">SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009</Hashes>
-                <Hashes condition="contains">SHA256=71ff60722231c7641ad593756108cf6779dbaad21c7b08065fb1d4e225eab14d</Hashes>
-                <Hashes condition="contains">SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1</Hashes>
-                <Hashes condition="contains">SHA256=72c0d2d699d0440db17cb7cbbc06a253eaafd21465f14bb0fed8b85ae73153d1</Hashes>
-                <Hashes condition="contains">SHA256=074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761</Hashes>
-                <Hashes condition="contains">SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4</Hashes>
-                <Hashes condition="contains">SHA256=075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85</Hashes>
-                <Hashes condition="contains">SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184</Hashes>
-                <Hashes condition="contains">SHA256=76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524</Hashes>
-                <Hashes condition="contains">SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303</Hashes>
-                <Hashes condition="contains">SHA256=077aa8ff5e01747723b6d24cc8af460a7a00f30cd3bc80e41cc245ceb8305356</Hashes>
-                <Hashes condition="contains">SHA256=77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9</Hashes>
-                <Hashes condition="contains">SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57</Hashes>
-                <Hashes condition="contains">SHA256=79e87b93fbed84ec09261b3a0145c935f7dfe4d4805edfb563b2f971a0d51463</Hashes>
-                <Hashes condition="contains">SHA256=80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085</Hashes>
-                <Hashes condition="contains">SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3</Hashes>
-                <Hashes condition="contains">SHA256=80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1</Hashes>
-                <Hashes condition="contains">SHA256=81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0</Hashes>
-                <Hashes condition="contains">SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d</Hashes>
-                <Hashes condition="contains">SHA256=82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989</Hashes>
-                <Hashes condition="contains">SHA256=83f7be0a13c1fccf024c31da5c68c0ea1decf4f48fc39d6e4fd324bbe789ae8a</Hashes>
-                <Hashes condition="contains">SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4</Hashes>
-                <Hashes condition="contains">SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4</Hashes>
-                <Hashes condition="contains">SHA256=86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882</Hashes>
-                <Hashes condition="contains">SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219</Hashes>
-                <Hashes condition="contains">SHA256=88df37ede18bea511f1782c1a6c4915690b29591cf2c1bf5f52201fbbb4fa2b9</Hashes>
-                <Hashes condition="contains">SHA256=88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc</Hashes>
-                <Hashes condition="contains">SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be</Hashes>
-                <Hashes condition="contains">SHA256=89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7</Hashes>
-                <Hashes condition="contains">SHA256=092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0</Hashes>
-                <Hashes condition="contains">SHA256=93b266f38c3c3eaab475d81597abbd7cc07943035068bb6fd670dbbe15de0131</Hashes>
-                <Hashes condition="contains">SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63</Hashes>
-                <Hashes condition="contains">SHA256=94be67c319a67de75ebed050d5537cfaa795d72bba52f3d8cf349e7bd075410e</Hashes>
-                <Hashes condition="contains">SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3</Hashes>
-                <Hashes condition="contains">SHA256=97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd</Hashes>
-                <Hashes condition="contains">SHA256=98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb</Hashes>
-                <Hashes condition="contains">SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8</Hashes>
-                <Hashes condition="contains">SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1</Hashes>
-                <Hashes condition="contains">SHA256=119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280</Hashes>
-                <Hashes condition="contains">SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6</Hashes>
-                <Hashes condition="contains">SHA256=133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743</Hashes>
-                <Hashes condition="contains">SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88</Hashes>
-                <Hashes condition="contains">SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980</Hashes>
-                <Hashes condition="contains">SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347</Hashes>
-                <Hashes condition="contains">SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9</Hashes>
-                <Hashes condition="contains">SHA256=263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24</Hashes>
-                <Hashes condition="contains">SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5</Hashes>
-                <Hashes condition="contains">SHA256=316a27e2bdb86222bc7c8af4e5472166b02aec7f3f526901ce939094e5861f6d</Hashes>
-                <Hashes condition="contains">SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69</Hashes>
-                <Hashes condition="contains">SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc</Hashes>
-                <Hashes condition="contains">SHA256=399effe75d32bdab6fa0a6bffe02dbf0a59219d940b654837c3be1c0bd02e9aa</Hashes>
-                <Hashes condition="contains">SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7</Hashes>
-                <Hashes condition="contains">SHA256=453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233</Hashes>
-                <Hashes condition="contains">SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b</Hashes>
-                <Hashes condition="contains">SHA256=0466dac557ee161503f5dfbd3549f81ec760c3d6c7c4363a21a03e7a3f66aca8</Hashes>
-                <Hashes condition="contains">SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a</Hashes>
-                <Hashes condition="contains">SHA256=478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0</Hashes>
-                <Hashes condition="contains">SHA256=496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b</Hashes>
-                <Hashes condition="contains">SHA256=506f953bbb285aeb8af0549eb24f52f3b7af36afe740afa36735bac70573ce28</Hashes>
-                <Hashes condition="contains">SHA256=523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba</Hashes>
-                <Hashes condition="contains">SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd</Hashes>
-                <Hashes condition="contains">SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9</Hashes>
-                <Hashes condition="contains">SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52</Hashes>
-                <Hashes condition="contains">SHA256=592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c</Hashes>
-                <Hashes condition="contains">SHA256=600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0</Hashes>
-                <Hashes condition="contains">SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c</Hashes>
-                <Hashes condition="contains">SHA256=626fae47811450d080d08c3d9fd890aa64bfecdc45eacd42a40850c1833c8763</Hashes>
-                <Hashes condition="contains">SHA256=654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad</Hashes>
-                <Hashes condition="contains">SHA256=673b63b67345773cd6d66f6adcf2c753e2d949232bff818d5bb6e05786538d92</Hashes>
-                <Hashes condition="contains">SHA256=673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b</Hashes>
-                <Hashes condition="contains">SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf</Hashes>
-                <Hashes condition="contains">SHA256=727e8ba66a8ff07bdc778eacb463b65f2d7167a6616ca2f259ea32571cacf8af</Hashes>
-                <Hashes condition="contains">SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd</Hashes>
-                <Hashes condition="contains">SHA256=818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01</Hashes>
-                <Hashes condition="contains">SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba</Hashes>
-                <Hashes condition="contains">SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a</Hashes>
-                <Hashes condition="contains">SHA256=862d0ff27bb086145a33b9261142838651b0d2e1403be321145e197600eb5015</Hashes>
-                <Hashes condition="contains">SHA256=881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461</Hashes>
-                <Hashes condition="contains">SHA256=900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88</Hashes>
-                <Hashes condition="contains">SHA256=904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a</Hashes>
-                <Hashes condition="contains">SHA256=909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880</Hashes>
-                <Hashes condition="contains">SHA256=910aa4685c735d8c07662aa04fafec463185699ad1a0cd1967b892fc33ec6c3c</Hashes>
-                <Hashes condition="contains">SHA256=916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677</Hashes>
-                <Hashes condition="contains">SHA256=923ebbe8111e73d5b8ecc2db10f8ea2629a3264c3a535d01c3c118a3b4c91782</Hashes>
-                <Hashes condition="contains">SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a</Hashes>
-                <Hashes condition="contains">SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9</Hashes>
-                <Hashes condition="contains">SHA256=955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad</Hashes>
-                <Hashes condition="contains">SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7</Hashes>
-                <Hashes condition="contains">SHA256=1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4</Hashes>
-                <Hashes condition="contains">SHA256=1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c</Hashes>
-                <Hashes condition="contains">SHA256=1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1</Hashes>
-                <Hashes condition="contains">SHA256=1766fd66f846d9a21e648d649ad35d1ff94f8ca17a40a9a738444d6b8e07aacb</Hashes>
-                <Hashes condition="contains">SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52</Hashes>
-                <Hashes condition="contains">SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d</Hashes>
-                <Hashes condition="contains">SHA256=2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22</Hashes>
-                <Hashes condition="contains">SHA256=2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109</Hashes>
-                <Hashes condition="contains">SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6</Hashes>
-                <Hashes condition="contains">SHA256=2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f</Hashes>
-                <Hashes condition="contains">SHA256=2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2</Hashes>
-                <Hashes condition="contains">SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5</Hashes>
-                <Hashes condition="contains">SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099</Hashes>
-                <Hashes condition="contains">SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5</Hashes>
-                <Hashes condition="contains">SHA256=3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de</Hashes>
-                <Hashes condition="contains">SHA256=3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a</Hashes>
-                <Hashes condition="contains">SHA256=3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b</Hashes>
-                <Hashes condition="contains">SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3</Hashes>
-                <Hashes condition="contains">SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838</Hashes>
-                <Hashes condition="contains">SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca</Hashes>
-                <Hashes condition="contains">SHA256=4324f3d1e4007f6499a3d0f0102cd92ed9f554332bc0b633305cd7b957ff16c8</Hashes>
-                <Hashes condition="contains">SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b</Hashes>
-                <Hashes condition="contains">SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6</Hashes>
-                <Hashes condition="contains">SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8</Hashes>
-                <Hashes condition="contains">SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8</Hashes>
-                <Hashes condition="contains">SHA256=5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48</Hashes>
-                <Hashes condition="contains">SHA256=5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02</Hashes>
-                <Hashes condition="contains">SHA256=5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b</Hashes>
-                <Hashes condition="contains">SHA256=5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c</Hashes>
-                <Hashes condition="contains">SHA256=6071db01b50c658cf78665c24f1d21f21b4a12d16bfcfaa6813bf6bbc4d0a1e8</Hashes>
-                <Hashes condition="contains">SHA256=6191c20426dd9b131122fb97e45be64a4d6ce98cc583406f38473434636ddedc</Hashes>
-                <Hashes condition="contains">SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf</Hashes>
-                <Hashes condition="contains">SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb</Hashes>
-                <Hashes condition="contains">SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129</Hashes>
-                <Hashes condition="contains">SHA256=7236c8ff33c0e5cfa956778aa7303f1979f3bf709c361399fa1ce101b7e355b8</Hashes>
-                <Hashes condition="contains">SHA256=7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408</Hashes>
-                <Hashes condition="contains">SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca</Hashes>
-                <Hashes condition="contains">SHA256=8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60</Hashes>
-                <Hashes condition="contains">SHA256=8399e5afd8e3e97139dffb1a9fb00db2186321b427f164403282217cab067c38</Hashes>
-                <Hashes condition="contains">SHA256=8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b</Hashes>
-                <Hashes condition="contains">SHA256=8797d9afc7a6bb0933f100a8acbb5d0666ec691779d522ac66c66817155b1c0d</Hashes>
-                <Hashes condition="contains">SHA256=09043c51719d4bf6405c9a7a292bb9bb3bcc782f639b708ddcc4eedb5e5c9ce9</Hashes>
-                <Hashes condition="contains">SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b</Hashes>
-                <Hashes condition="contains">SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6</Hashes>
-                <Hashes condition="contains">SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b</Hashes>
-                <Hashes condition="contains">SHA256=17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca</Hashes>
-                <Hashes condition="contains">SHA256=17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229</Hashes>
-                <Hashes condition="contains">SHA256=18712a063574bfec315d58577dfe413ab45b650e54747d1e18a56c3c7337a12c</Hashes>
-                <Hashes condition="contains">SHA256=19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758</Hashes>
-                <Hashes condition="contains">SHA256=26453afb1f808f64bec87a2532a9361b696c0ed501d6b973a1f1b5ae152a4d40</Hashes>
-                <Hashes condition="contains">SHA256=28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7</Hashes>
-                <Hashes condition="contains">SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab</Hashes>
-                <Hashes condition="contains">SHA256=37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba</Hashes>
-                <Hashes condition="contains">SHA256=40061b30b1243be76d5283cbc8abfe007e148097d4de7337670ff1536c4c7ba1</Hashes>
-                <Hashes condition="contains">SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00</Hashes>
-                <Hashes condition="contains">SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0</Hashes>
-                <Hashes condition="contains">SHA256=49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668</Hashes>
-                <Hashes condition="contains">SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57</Hashes>
-                <Hashes condition="contains">SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347</Hashes>
-                <Hashes condition="contains">SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd</Hashes>
-                <Hashes condition="contains">SHA256=67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc</Hashes>
-                <Hashes condition="contains">SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4</Hashes>
-                <Hashes condition="contains">SHA256=72288d4978ee87ea6c8b1566dbd906107357087cef7364fb3dd1e1896d00baeb</Hashes>
-                <Hashes condition="contains">SHA256=72322fa8bba20df6966acbcf41e83747893fd173cd29de99b5ad1a5d3bf8f2de</Hashes>
-                <Hashes condition="contains">SHA256=76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a</Hashes>
-                <Hashes condition="contains">SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22</Hashes>
-                <Hashes condition="contains">SHA256=77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c</Hashes>
-                <Hashes condition="contains">SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f</Hashes>
-                <Hashes condition="contains">SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469</Hashes>
-                <Hashes condition="contains">SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94</Hashes>
-                <Hashes condition="contains">SHA256=86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675</Hashes>
-                <Hashes condition="contains">SHA256=89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10</Hashes>
-                <Hashes condition="contains">SHA256=092349aebdac28294dbad1656759d8461f362d1a36b01054dccf861d97beadf0</Hashes>
-                <Hashes condition="contains">SHA256=94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5</Hashes>
-                <Hashes condition="contains">SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558</Hashes>
-                <Hashes condition="contains">SHA256=238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4</Hashes>
-                <Hashes condition="contains">SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79</Hashes>
-                <Hashes condition="contains">SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073</Hashes>
-                <Hashes condition="contains">SHA256=385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039</Hashes>
-                <Hashes condition="contains">SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659</Hashes>
-                <Hashes condition="contains">SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c</Hashes>
-                <Hashes condition="contains">SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6</Hashes>
-                <Hashes condition="contains">SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91</Hashes>
-                <Hashes condition="contains">SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b</Hashes>
-                <Hashes condition="contains">SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965</Hashes>
-                <Hashes condition="contains">SHA256=771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c</Hashes>
-                <Hashes condition="contains">SHA256=810513b3f4c8d29afb46f71816350088caacf46f1be361af55b26f3fee4662c3</Hashes>
-                <Hashes condition="contains">SHA256=841335eeb6af68dce5b8b24151776281a751b95056a894991b23afae80e9f33b</Hashes>
-                <Hashes condition="contains">SHA256=0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06</Hashes>
-                <Hashes condition="contains">SHA256=952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4</Hashes>
-                <Hashes condition="contains">SHA256=2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c</Hashes>
-                <Hashes condition="contains">SHA256=3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf</Hashes>
-                <Hashes condition="contains">SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd</Hashes>
-                <Hashes condition="contains">SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9</Hashes>
-                <Hashes condition="contains">SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d</Hashes>
-                <Hashes condition="contains">SHA256=7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c</Hashes>
-                <Hashes condition="contains">SHA256=7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504</Hashes>
-                <Hashes condition="contains">SHA256=8939116df1d6c8fd0ebd14b2d37b3dec38a8820aa666ecd487bc1bb794f2a587</Hashes>
-                <Hashes condition="contains">SHA256=9778136d2441439dc470861d15d96fa21dc9f16225232cd05b76791a5e0fde6f</Hashes>
-                <Hashes condition="contains">SHA256=16768203a471a19ebb541c942f45716e9f432985abbfbe6b4b7d61a798cea354</Hashes>
-                <Hashes condition="contains">SHA256=18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805</Hashes>
-                <Hashes condition="contains">SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a</Hashes>
-                <Hashes condition="contains">SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10</Hashes>
-                <Hashes condition="contains">SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a</Hashes>
-                <Hashes condition="contains">SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3</Hashes>
-                <Hashes condition="contains">SHA256=55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa</Hashes>
-                <Hashes condition="contains">SHA256=65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3</Hashes>
-                <Hashes condition="contains">SHA256=65025741ecd0ef516da01319b42c2d96e13cb8d78de53fb7e39cd53ea6d58c75</Hashes>
-                <Hashes condition="contains">SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c</Hashes>
-                <Hashes condition="contains">SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82</Hashes>
-                <Hashes condition="contains">SHA256=696679114f6a106ec94c21e2a33fe17af86368bcf9a796aaea37ea6e8748ad6a</Hashes>
-                <Hashes condition="contains">SHA256=910479467ef17b9591d8d42305e7f6f247ad41c60ec890a1ffbe331f495ed135</Hashes>
-                <Hashes condition="contains">SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f</Hashes>
-                <Hashes condition="contains">SHA256=9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d</Hashes>
-                <Hashes condition="contains">SHA256=46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7</Hashes>
-                <Hashes condition="contains">SHA256=48891874441c6fa69e5518d98c53d83b723573e280c6c65ccfbde9039a6458c9</Hashes>
-                <Hashes condition="contains">SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa</Hashes>
-                <Hashes condition="contains">SHA256=a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1</Hashes>
-                <Hashes condition="contains">SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8</Hashes>
-                <Hashes condition="contains">SHA256=a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad</Hashes>
-                <Hashes condition="contains">SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062</Hashes>
-                <Hashes condition="contains">SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc</Hashes>
-                <Hashes condition="contains">SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200</Hashes>
-                <Hashes condition="contains">SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8</Hashes>
-                <Hashes condition="contains">SHA256=a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df</Hashes>
-                <Hashes condition="contains">SHA256=a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d</Hashes>
-                <Hashes condition="contains">SHA256=a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5</Hashes>
-                <Hashes condition="contains">SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3</Hashes>
-                <Hashes condition="contains">SHA256=a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e</Hashes>
-                <Hashes condition="contains">SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499</Hashes>
-                <Hashes condition="contains">SHA256=a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9</Hashes>
-                <Hashes condition="contains">SHA256=a7860e110f7a292d621006b7208a634504fb5be417fd71e219060381b9a891e6</Hashes>
-                <Hashes condition="contains">SHA256=a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e</Hashes>
-                <Hashes condition="contains">SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526</Hashes>
-                <Hashes condition="contains">SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433</Hashes>
-                <Hashes condition="contains">SHA256=a2353030d4ea3ad9e874a0f7ff35bbfa10562c98c949d88cabab27102bbb8e48</Hashes>
-                <Hashes condition="contains">SHA256=a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4</Hashes>
-                <Hashes condition="contains">SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608</Hashes>
-                <Hashes condition="contains">SHA256=aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c</Hashes>
-                <Hashes condition="contains">SHA256=aafb95a443911e4c67d4e45ffa83cca103c91b42915b81100534dc439bec0c1b</Hashes>
-                <Hashes condition="contains">SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89</Hashes>
-                <Hashes condition="contains">SHA256=ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd</Hashes>
-                <Hashes condition="contains">SHA256=ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a</Hashes>
-                <Hashes condition="contains">SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165</Hashes>
-                <Hashes condition="contains">SHA256=ac63c26ca43701dddaa7fb1aea535d42190f88752900a03040fd5aaa24991e25</Hashes>
-                <Hashes condition="contains">SHA256=ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833</Hashes>
-                <Hashes condition="contains">SHA256=ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b</Hashes>
-                <Hashes condition="contains">SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173</Hashes>
-                <Hashes condition="contains">SHA256=ad2477632b9b07588cfe0e692f244c05fa4202975c1fe91dd3b90fa911ac6058</Hashes>
-                <Hashes condition="contains">SHA256=ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47</Hashes>
-                <Hashes condition="contains">SHA256=adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee</Hashes>
-                <Hashes condition="contains">SHA256=ae6fb53e4d8122dba3a65e5fa59185b36c3ac9df46e82fcfb6731ab55c6395aa</Hashes>
-                <Hashes condition="contains">SHA256=ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471</Hashes>
-                <Hashes condition="contains">SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2</Hashes>
-                <Hashes condition="contains">SHA256=aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399</Hashes>
-                <Hashes condition="contains">SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685</Hashes>
-                <Hashes condition="contains">SHA256=af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a</Hashes>
-                <Hashes condition="contains">SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508</Hashes>
-                <Hashes condition="contains">SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414</Hashes>
-                <Hashes condition="contains">SHA256=b2ba6efeff1860614b150916a77c9278f19d51e459e67a069ccd15f985cbc0e1</Hashes>
-                <Hashes condition="contains">SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29</Hashes>
-                <Hashes condition="contains">SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602</Hashes>
-                <Hashes condition="contains">SHA256=b6fd51e1f57a03006953e84fd56cc2821cc19e7c77c0474e1110aabaacaf03df</Hashes>
-                <Hashes condition="contains">SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d</Hashes>
-                <Hashes condition="contains">SHA256=b8b94c2646b62f6ac08f16514b6efaa9866aa3c581e4c0435a7aeafe569b2418</Hashes>
-                <Hashes condition="contains">SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf</Hashes>
-                <Hashes condition="contains">SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c</Hashes>
-                <Hashes condition="contains">SHA256=b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a</Hashes>
-                <Hashes condition="contains">SHA256=b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b</Hashes>
-                <Hashes condition="contains">SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a</Hashes>
-                <Hashes condition="contains">SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a</Hashes>
-                <Hashes condition="contains">SHA256=b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e</Hashes>
-                <Hashes condition="contains">SHA256=b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5</Hashes>
-                <Hashes condition="contains">SHA256=b95b2d9b29bd25659f1c7ba5a187f8d23cde01162d9b5b1a2c4aea8f64b38441</Hashes>
-                <Hashes condition="contains">SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de</Hashes>
-                <Hashes condition="contains">SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e</Hashes>
-                <Hashes condition="contains">SHA256=b1867d13a4cab66a76f4d4448824ca0cb3a176064626f9618c0c103ee3cb4f47</Hashes>
-                <Hashes condition="contains">SHA256=b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0</Hashes>
-                <Hashes condition="contains">SHA256=b61869b7945be062630f1dd4bae919aecee8927f7e1bc3954a21ff763f4c0867</Hashes>
-                <Hashes condition="contains">SHA256=b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704</Hashes>
-                <Hashes condition="contains">SHA256=b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3</Hashes>
-                <Hashes condition="contains">SHA256=bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa</Hashes>
-                <Hashes condition="contains">SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc</Hashes>
-                <Hashes condition="contains">SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955</Hashes>
-                <Hashes condition="contains">SHA256=bb68552936a6b0a68fb53ce864a6387d2698332aac10a7adfdd5a48b97027ce3</Hashes>
-                <Hashes condition="contains">SHA256=bc7ebd191e0991fd0865a5c956a92e63792a0bb2ff888af43f7a63bb65a22248</Hashes>
-                <Hashes condition="contains">SHA256=bc13adeb6bf62b1e10ef41205ef92382e6c18d6a20669d288a0b11058e533d63</Hashes>
-                <Hashes condition="contains">SHA256=bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f</Hashes>
-                <Hashes condition="contains">SHA256=bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f</Hashes>
-                <Hashes condition="contains">SHA256=bda99629ec6c522c3efcbcc9ca33688d31903146f05b37d0d3b43db81bfb3961</Hashes>
-                <Hashes condition="contains">SHA256=bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c</Hashes>
-                <Hashes condition="contains">SHA256=bdcacee3695583a0ca38b9a786b9f7334bf2a9a3387e4069c8e6ca378b2791d0</Hashes>
-                <Hashes condition="contains">SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100</Hashes>
-                <Hashes condition="contains">SHA256=be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2</Hashes>
-                <Hashes condition="contains">SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57</Hashes>
-                <Hashes condition="contains">SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8</Hashes>
-                <Hashes condition="contains">SHA256=c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8</Hashes>
-                <Hashes condition="contains">SHA256=c2fcc0fec64d5647813b84b9049d430406c4c6a7b9f8b725da21bcae2ff12247</Hashes>
-                <Hashes condition="contains">SHA256=c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e</Hashes>
-                <Hashes condition="contains">SHA256=c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9</Hashes>
-                <Hashes condition="contains">SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e</Hashes>
-                <Hashes condition="contains">SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8</Hashes>
-                <Hashes condition="contains">SHA256=c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924</Hashes>
-                <Hashes condition="contains">SHA256=c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26</Hashes>
-                <Hashes condition="contains">SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a</Hashes>
-                <Hashes condition="contains">SHA256=c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc</Hashes>
-                <Hashes condition="contains">SHA256=c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa</Hashes>
-                <Hashes condition="contains">SHA256=c344e92a6d06155a217a9af7b4b35e6653665eec6569292e7b2e70f3a3027646</Hashes>
-                <Hashes condition="contains">SHA256=c470c9db58840149ce002f3e6003382ecf740884a683bae8f9d10831be218fa2</Hashes>
-                <Hashes condition="contains">SHA256=c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2</Hashes>
-                <Hashes condition="contains">SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5</Hashes>
-                <Hashes condition="contains">SHA256=c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada</Hashes>
-                <Hashes condition="contains">SHA256=c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c</Hashes>
-                <Hashes condition="contains">SHA256=c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d</Hashes>
-                <Hashes condition="contains">SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c</Hashes>
-                <Hashes condition="contains">SHA256=c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd</Hashes>
-                <Hashes condition="contains">SHA256=caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab</Hashes>
-                <Hashes condition="contains">SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612</Hashes>
-                <Hashes condition="contains">SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec</Hashes>
-                <Hashes condition="contains">SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6</Hashes>
-                <Hashes condition="contains">SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8</Hashes>
-                <Hashes condition="contains">SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64</Hashes>
-                <Hashes condition="contains">SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b</Hashes>
-                <Hashes condition="contains">SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb</Hashes>
-                <Hashes condition="contains">SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812</Hashes>
-                <Hashes condition="contains">SHA256=cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc</Hashes>
-                <Hashes condition="contains">SHA256=ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2</Hashes>
-                <Hashes condition="contains">SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986</Hashes>
-                <Hashes condition="contains">SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b</Hashes>
-                <Hashes condition="contains">SHA256=cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190</Hashes>
-                <Hashes condition="contains">SHA256=cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb</Hashes>
-                <Hashes condition="contains">SHA256=cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40</Hashes>
-                <Hashes condition="contains">SHA256=cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b</Hashes>
-                <Hashes condition="contains">SHA256=cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab</Hashes>
-                <Hashes condition="contains">SHA256=cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c</Hashes>
-                <Hashes condition="contains">SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889</Hashes>
-                <Hashes condition="contains">SHA256=d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605</Hashes>
-                <Hashes condition="contains">SHA256=d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f</Hashes>
-                <Hashes condition="contains">SHA256=d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9</Hashes>
-                <Hashes condition="contains">SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102</Hashes>
-                <Hashes condition="contains">SHA256=d7ddf874304556f8a10942a29b3d387cb5155a7419f87813557fe728cb14806d</Hashes>
-                <Hashes condition="contains">SHA256=d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0</Hashes>
-                <Hashes condition="contains">SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530</Hashes>
-                <Hashes condition="contains">SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482</Hashes>
-                <Hashes condition="contains">SHA256=d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2</Hashes>
-                <Hashes condition="contains">SHA256=d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f</Hashes>
-                <Hashes condition="contains">SHA256=d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3</Hashes>
-                <Hashes condition="contains">SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3</Hashes>
-                <Hashes condition="contains">SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71</Hashes>
-                <Hashes condition="contains">SHA256=d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476</Hashes>
-                <Hashes condition="contains">SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2</Hashes>
-                <Hashes condition="contains">SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26</Hashes>
-                <Hashes condition="contains">SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e</Hashes>
-                <Hashes condition="contains">SHA256=d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d</Hashes>
-                <Hashes condition="contains">SHA256=d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1</Hashes>
-                <Hashes condition="contains">SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24</Hashes>
-                <Hashes condition="contains">SHA256=da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d</Hashes>
-                <Hashes condition="contains">SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004</Hashes>
-                <Hashes condition="contains">SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653</Hashes>
-                <Hashes condition="contains">SHA256=dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98</Hashes>
-                <Hashes condition="contains">SHA256=dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed</Hashes>
-                <Hashes condition="contains">SHA256=dbe9f17313e1164f06401234b875fbc7f71d41dc7271de643865af1358841fef</Hashes>
-                <Hashes condition="contains">SHA256=dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258</Hashes>
-                <Hashes condition="contains">SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097</Hashes>
-                <Hashes condition="contains">SHA256=dd573f23d656818036fc9ae1064eda31aca86acb9bc44a6e127db3ea112a9094</Hashes>
-                <Hashes condition="contains">SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8</Hashes>
-                <Hashes condition="contains">SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa</Hashes>
-                <Hashes condition="contains">SHA256=de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c</Hashes>
-                <Hashes condition="contains">SHA256=de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5</Hashes>
-                <Hashes condition="contains">SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc</Hashes>
-                <Hashes condition="contains">SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d</Hashes>
-                <Hashes condition="contains">SHA256=deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578</Hashes>
-                <Hashes condition="contains">SHA256=df0cc4e5c9802f8edaefeb130e375cad56b2c5490d8ebd77d8dbdcc6fdc7ecb6</Hashes>
-                <Hashes condition="contains">SHA256=df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15</Hashes>
-                <Hashes condition="contains">SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22</Hashes>
-                <Hashes condition="contains">SHA256=e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b</Hashes>
-                <Hashes condition="contains">SHA256=e2d8dd5dacc24051709f55a35184f5f99aef957a83bd358b0608b4479e1ec24f</Hashes>
-                <Hashes condition="contains">SHA256=e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6</Hashes>
-                <Hashes condition="contains">SHA256=e3b257357be41a18319332df7023c4407e2b93ac4c9e0c6754032e29f3763eac</Hashes>
-                <Hashes condition="contains">SHA256=e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918</Hashes>
-                <Hashes condition="contains">SHA256=e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd</Hashes>
-                <Hashes condition="contains">SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb</Hashes>
-                <Hashes condition="contains">SHA256=e4c154a0073bbad3c9f8ab7218e9b3be252ae705c20c568861dae4088f17ffcc</Hashes>
-                <Hashes condition="contains">SHA256=e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036</Hashes>
-                <Hashes condition="contains">SHA256=e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148</Hashes>
-                <Hashes condition="contains">SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1</Hashes>
-                <Hashes condition="contains">SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53</Hashes>
-                <Hashes condition="contains">SHA256=e5b0772be02e2bc807804874cf669e97aa36f5aff1f12fa0a631a3c7b4dd0dc8</Hashes>
-                <Hashes condition="contains">SHA256=e7cbfb16261de1c7f009431d374d90e9eb049ba78246e38bc4c8b9e06f324b6f</Hashes>
-                <Hashes condition="contains">SHA256=e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48</Hashes>
-                <Hashes condition="contains">SHA256=e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f</Hashes>
-                <Hashes condition="contains">SHA256=e50b25d94c1771937b2f632e10eea875ac6b19c57da703d52e23ad2b6299f0ae</Hashes>
-                <Hashes condition="contains">SHA256=e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90</Hashes>
-                <Hashes condition="contains">SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028</Hashes>
-                <Hashes condition="contains">SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a</Hashes>
-                <Hashes condition="contains">SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4</Hashes>
-                <Hashes condition="contains">SHA256=e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f</Hashes>
-                <Hashes condition="contains">SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf</Hashes>
-                <Hashes condition="contains">SHA256=e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2</Hashes>
-                <Hashes condition="contains">SHA256=e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9</Hashes>
-                <Hashes condition="contains">SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf</Hashes>
-                <Hashes condition="contains">SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa</Hashes>
-                <Hashes condition="contains">SHA256=e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06</Hashes>
-                <Hashes condition="contains">SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790</Hashes>
-                <Hashes condition="contains">SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293</Hashes>
-                <Hashes condition="contains">SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3</Hashes>
-                <Hashes condition="contains">SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41</Hashes>
-                <Hashes condition="contains">SHA256=ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3</Hashes>
-                <Hashes condition="contains">SHA256=ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5</Hashes>
-                <Hashes condition="contains">SHA256=ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566</Hashes>
-                <Hashes condition="contains">SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c</Hashes>
-                <Hashes condition="contains">SHA256=ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282</Hashes>
-                <Hashes condition="contains">SHA256=ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39</Hashes>
-                <Hashes condition="contains">SHA256=ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7</Hashes>
-                <Hashes condition="contains">SHA256=ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe</Hashes>
-                <Hashes condition="contains">SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b</Hashes>
-                <Hashes condition="contains">SHA256=ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850</Hashes>
-                <Hashes condition="contains">SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0</Hashes>
-                <Hashes condition="contains">SHA256=f1c8ca232789c2f11a511c8cd95a9f3830dd719cad5aa22cb7c3539ab8cb4dc3</Hashes>
-                <Hashes condition="contains">SHA256=f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b</Hashes>
-                <Hashes condition="contains">SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe</Hashes>
-                <Hashes condition="contains">SHA256=f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f</Hashes>
-                <Hashes condition="contains">SHA256=f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1</Hashes>
-                <Hashes condition="contains">SHA256=f37d609ea1f06660d970415dd3916c4c153bb5940bf7d2beb47fa34e8a8ffbfc</Hashes>
-                <Hashes condition="contains">SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960</Hashes>
-                <Hashes condition="contains">SHA256=f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c</Hashes>
-                <Hashes condition="contains">SHA256=f84f8173242b95f9f3c4fea99b5555b33f9ce37ca8188b643871d261cb081496</Hashes>
-                <Hashes condition="contains">SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004</Hashes>
-                <Hashes condition="contains">SHA256=f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439</Hashes>
-                <Hashes condition="contains">SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d</Hashes>
-                <Hashes condition="contains">SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57</Hashes>
-                <Hashes condition="contains">SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af</Hashes>
-                <Hashes condition="contains">SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960</Hashes>
-                <Hashes condition="contains">SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008</Hashes>
-                <Hashes condition="contains">SHA256=f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145</Hashes>
-                <Hashes condition="contains">SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65</Hashes>
-                <Hashes condition="contains">SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35</Hashes>
-                <Hashes condition="contains">SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13</Hashes>
-                <Hashes condition="contains">SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b</Hashes>
-                <Hashes condition="contains">SHA256=f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478</Hashes>
-                <Hashes condition="contains">SHA256=f85784fa8e7a7ec86cb3fe76435802f6bb82256e1824ed7b5d61bf075f054573</Hashes>
-                <Hashes condition="contains">SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54</Hashes>
-                <Hashes condition="contains">SHA256=f9895458e73d4b0ef01eda347fb695bb00e6598d9f5e2506161b70ad96bb7298</Hashes>
-                <Hashes condition="contains">SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b</Hashes>
-                <Hashes condition="contains">SHA256=fa875178ae2d7604d027510b0d0a7e2d9d675e10a4c9dda2d927ee891e0bcb91</Hashes>
-                <Hashes condition="contains">SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566</Hashes>
-                <Hashes condition="contains">SHA256=fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22</Hashes>
-                <Hashes condition="contains">SHA256=fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f</Hashes>
-                <Hashes condition="contains">SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2</Hashes>
-                <Hashes condition="contains">SHA256=fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c</Hashes>
-                <Hashes condition="contains">SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1</Hashes>
-                <Hashes condition="contains">SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533</Hashes>
-                <Hashes condition="contains">SHA256=fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c</Hashes>
-                <Hashes condition="contains">SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03</Hashes>
-                <Hashes condition="contains">SHA256=fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280</Hashes>
-                <Hashes condition="contains">SHA256=ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7</Hashes>
-                <Hashes condition="contains">SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339</Hashes>
-                <Hashes condition="contains">SHA256=ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5</Hashes>
-                <Hashes condition="contains">SHA256=ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f</Hashes>
-			</Rule>
-			<Rule name="Attack=T1204.002,Technique=User Execution: Malicious File,Tactic=Execution,DS=File: File Creation,Level=4,Alert=Malicious Driver Detected,Risk=10,Author=Florian Roth" groupRelation="or">
-                <Hashes condition="contains">SHA256=56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c</Hashes>
-                <Hashes condition="contains">SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4</Hashes>
-                <Hashes condition="contains">SHA256=86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62</Hashes>
-                <Hashes condition="contains">SHA256=06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f</Hashes>
-                <Hashes condition="contains">SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e</Hashes>
-                <Hashes condition="contains">SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1</Hashes>
-                <Hashes condition="contains">SHA256=6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724</Hashes>
-                <Hashes condition="contains">SHA256=ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620</Hashes>
-                <Hashes condition="contains">SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc</Hashes>
-                <Hashes condition="contains">SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c</Hashes>
-                <Hashes condition="contains">SHA256=e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d</Hashes>
-                <Hashes condition="contains">SHA256=18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7</Hashes>
-                <Hashes condition="contains">SHA256=139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988</Hashes>
-                <Hashes condition="contains">SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427</Hashes>
-                <Hashes condition="contains">SHA256=1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e</Hashes>
-                <Hashes condition="contains">SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421</Hashes>
-                <Hashes condition="contains">SHA256=0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99</Hashes>
-                <Hashes condition="contains">SHA256=ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a</Hashes>
-                <Hashes condition="contains">SHA256=89698cad598a56f9e45efffd15d1841e494a2409cc12279150a03842cd6bb7f3</Hashes>
-                <Hashes condition="contains">SHA256=5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b</Hashes>
-                <Hashes condition="contains">SHA256=fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5</Hashes>
-                <Hashes condition="contains">SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4</Hashes>
-                <Hashes condition="contains">SHA256=6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77</Hashes>
-                <Hashes condition="contains">SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f</Hashes>
-                <Hashes condition="contains">SHA256=32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d</Hashes>
-                <Hashes condition="contains">SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8</Hashes>
-                <Hashes condition="contains">SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1</Hashes>
-                <Hashes condition="contains">SHA256=f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a</Hashes>
-                <Hashes condition="contains">SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376</Hashes>
-                <Hashes condition="contains">SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc</Hashes>
-                <Hashes condition="contains">SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3</Hashes>
-                <Hashes condition="contains">SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217</Hashes>
-                <Hashes condition="contains">SHA256=200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a</Hashes>
-                <Hashes condition="contains">SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce</Hashes>
-                <Hashes condition="contains">SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497</Hashes>
-                <Hashes condition="contains">SHA256=23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931</Hashes>
-                <Hashes condition="contains">SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316</Hashes>
-                <Hashes condition="contains">SHA256=5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d</Hashes>
-                <Hashes condition="contains">SHA256=e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12</Hashes>
-                <Hashes condition="contains">SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87</Hashes>
-                <Hashes condition="contains">SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae</Hashes>
-                <Hashes condition="contains">SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e</Hashes>
-                <Hashes condition="contains">SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c</Hashes>
-                <Hashes condition="contains">SHA256=f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280</Hashes>
-                <Hashes condition="contains">SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51</Hashes>
-                <Hashes condition="contains">SHA256=b8807e365be2813b7eccd2e4c49afb0d1e131086715638b7a6307cd7d7e9556c</Hashes>
-                <Hashes condition="contains">SHA256=50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76</Hashes>
-                <Hashes condition="contains">SHA256=52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677</Hashes>
-                <Hashes condition="contains">SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6</Hashes>
-                <Hashes condition="contains">SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104</Hashes>
-                <Hashes condition="contains">SHA256=8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330</Hashes>
-                <Hashes condition="contains">SHA256=4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4</Hashes>
-                <Hashes condition="contains">SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463</Hashes>
-                <Hashes condition="contains">SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c</Hashes>
-                <Hashes condition="contains">SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530</Hashes>
-                <Hashes condition="contains">SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c</Hashes>
-                <Hashes condition="contains">SHA256=f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d</Hashes>
-                <Hashes condition="contains">SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a</Hashes>
-                <Hashes condition="contains">SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae</Hashes>
-                <Hashes condition="contains">SHA256=bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df</Hashes>
-                <Hashes condition="contains">SHA256=42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25</Hashes>
-                <Hashes condition="contains">SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212</Hashes>
                 <Hashes condition="contains">SHA256=770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a</Hashes>
 			</Rule>
 		</FileExecutableDetected>